| Field | Value |
|---|---|
| Title | newbee-ltd newbee-mall v1.0 CSRF |
| Description | see below |
| Source | https://github.com/newbee-ltd/newbee-mall/issues/106 |
| User | flashzyc (UID 92850) |
| Submission | 05.02.2026 11:47 (4 months ago) |
| Moderation | 18.02.2026 07:55 (13 days later) |
| Status | Accepted |
| VulDB Entry | 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints Cross Site Request Forgery] |
| Points | 20 |

**Description**

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the administrator profile name update endpoint:

- Endpoint: POST /admin/profile/name (or the HTTP method used by the application)
- Affected function: update administrator profile "name" field
- Authentication model: cookie-based session (the administrator stays logged in in the browser)

The endpoint performs a state-changing action (updates administrator account profile information) without any effective CSRF protection. Specifically:

- No CSRF token is required or validated in the request (no hidden token field, no X-CSRF-Token header verification, no synchronizer token or double-submit cookie strategy).
- The application accepts cross-site requests as long as the victim's browser automatically includes the administrator session cookies.
- The application configuration does not enforce CSRF defense at the framework level (e.g., missing CSRF middleware, missing SameSite hardening), allowing requests originating from an attacker-controlled site to succeed.

As a result, an attacker can trick a logged-in administrator into visiting a malicious webpage, which will silently submit a request to /admin/profile/name and update the administrator's profile name without the victim's knowledge or consent.

**Impact**

Unauthorized modification of administrator account profile data (at minimum: the name field). This can be used for:

- Account integrity manipulation (changing the displayed admin identity).
- Social engineering / audit confusion, especially if logs display the modified name.
- If the "name" field is rendered elsewhere without proper output encoding, it may also become a stepping stone for UI spoofing or other chained attacks (depends on the actual rendering).

**Preconditions / Attack Scenario**

- The victim is an authenticated administrator in the same browser session.
- The victim visits an attacker-controlled page (phishing link, malicious ad, embedded iframe, etc.).
- The browser automatically sends session cookies to the target application (typical for cookie-based auth).

**Root Cause**

The endpoint implements a sensitive state-changing operation but lacks CSRF defenses. In addition, the server does not enforce common browser-side mitigations (e.g., a strict SameSite cookie policy) robustly enough to prevent cross-site form submissions.
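The defenses the report lists as missing (synchronizer token, origin verification, SameSite cookie hardening) are shown below as an added example; it is not code from newbee-mall or from the submitter. The request model, session store, application origin `https://mall.example`, and the `update_name_vulnerable` / `update_name_hardened` handlers are all constructed here: the first reproduces the described behaviour (a valid session cookie alone authorizes the change), the second rejects the same cross-site submission because the attacker's page can neither read the per-session token nor spoof the browser-set Origin header.

```python
"""Synchronizer-token CSRF guard for a state-changing admin endpoint.

Added example, not newbee-mall code. Request shape, session store, origin
and handlers are constructed to illustrate the defence the report asks for.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

APP_ORIGIN = "https://mall.example"  # assumed deployment origin
SESSIONS: Dict[str, dict] = {}       # server-side session store (constructed)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # Cookie, Origin, Referer ...
    form: dict = field(default_factory=dict)     # parsed body fields


def new_session(user: str) -> Tuple[str, str]:
    """Create a session plus its CSRF token; return (Set-Cookie header, token).

    The token is stored only server-side and rendered into the admin page, so
    an attacker-controlled site cannot read it. The cookie is HttpOnly and
    SameSite=Lax so the browser withholds it on cross-site POST navigations.
    """
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": token, "name": user}
    return f"SESSION={sid}; Path=/; HttpOnly; Secure; SameSite=Lax", token


def session_from_cookie(req: Request) -> Optional[dict]:
    """Resolve the session the browser attached via the Cookie header."""
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSION" and value in SESSIONS:
            return SESSIONS[value]
    return None


def update_name_vulnerable(req: Request) -> Tuple[int, str]:
    """Behaviour described in the report: the session cookie alone suffices,
    so a request auto-submitted by any site updates the name."""
    session = session_from_cookie(req)
    if session is None:
        return 401, "not logged in"
    session["name"] = req.form.get("name", "")
    return 200, "updated"


def csrf_check(req: Request, session: dict) -> Optional[str]:
    """Return a rejection reason, or None if the request passes.

    1. Origin (Referer as fallback) must match the application's own origin.
    2. The form must carry the session's synchronizer token, compared in
       constant time so the check does not leak token bytes via timing.
    """
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return "missing Origin/Referer"
    p = urlparse(origin)
    if f"{p.scheme}://{p.netloc}" != APP_ORIGIN:
        return f"cross-site origin {p.scheme}://{p.netloc}"
    if not hmac.compare_digest(req.form.get("_csrf", ""), session["csrf_token"]):
        return "missing or invalid CSRF token"
    return None


def update_name_hardened(req: Request) -> Tuple[int, str]:
    """Same endpoint with the CSRF guard applied before any state change."""
    session = session_from_cookie(req)
    if session is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"  # never mutate state on GET
    reason = csrf_check(req, session)
    if reason:
        return 403, f"CSRF rejected: {reason}"
    session["name"] = req.form.get("name", "")
    return 200, "updated"


def demo() -> dict:
    """Run both handlers on a legitimate and a forged request (constructed)."""
    set_cookie, token = new_session("admin")
    cookie = set_cookie.split(";")[0]  # "SESSION=<id>" as the browser sends it
    legit = Request("POST", "/admin/profile/name",
                    {"Cookie": cookie, "Origin": APP_ORIGIN},
                    {"name": "Alice", "_csrf": token})
    # Cross-site auto-submitting form: the cookie rides along (assuming no
    # SameSite restriction), but the foreign page cannot supply the token.
    forged = Request("POST", "/admin/profile/name",
                     {"Cookie": cookie, "Origin": "https://attacker.example"},
                     {"name": "spoofed"})
    return {
        "vuln_legit": update_name_vulnerable(legit)[0],
        "vuln_forged": update_name_vulnerable(forged)[0],
        "hard_legit": update_name_hardened(legit)[0],
        "hard_forged": update_name_hardened(forged),
        "final_name": session_from_cookie(legit)["name"],
        "set_cookie": set_cookie,
    }
```

Running `demo()` shows the vulnerable handler returning 200 for both requests, while the hardened one returns 200 for the in-app submission and 403 for the forged one. The Origin check and the token check are deliberately independent: a deployment that also sets `SameSite=Lax` on the session cookie gains a third layer, since the browser would not attach the cookie to the forged POST at all, but token validation remains the control that does not depend on browser behaviour.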