| Title | SourceCodester Computer Laboratory Management System (PHP LMS) 1.0 Cross-Site Request Forgery |
|---|
| Description | A Cross-Site Request Forgery (CSRF) vulnerability exists in the PHP LMS application.
The application does not implement CSRF protection on state-changing requests handled by the save_users function in classes/Users.php.
The endpoint POST /classes/Users.php?f=save processes account modification requests without validating a CSRF token or verifying request origin.
An attacker can craft a malicious webpage that, when visited by an authenticated administrator, triggers unauthorized administrator account modification.
This can lead to administrative account takeover and full compromise of the application. |
|---|
| Source | ⚠️ https://gist.github.com/richardaugustine/618db4846b5ea60344721c716ef31b4e |
|---|
| User | Richardaugustine (UID 95966) |
|---|
| Submission | 02/27/2026 06:14 (1 month ago) |
|---|
| Moderation | 03/07/2026 21:57 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 349748 [SourceCodester Computer Laboratory Management System 1.0 cross-site request forgery] |
|---|
| Points | 20 |
|---|