Key Information

Affected Product
Product Name: WukongCRM

Vulnerability Type
Vulnerability Type: CSRF (Cross-Site Request Forgery)

Affected Versions
Version: v9.0

Vulnerable File
File: AdminRoleController.java

Root Cause
The application does not verify that state-changing requests originate from its own pages (for example by checking an anti-CSRF token), so an attacker can trick a logged-in user's browser into submitting a forged request on their behalf.

Impact
Attackers can modify permissions for any user, including granting administrator privileges to regular users. Successful exploitation may lead to:
- Unauthorized account access or data manipulation.
- Privilege escalation or unauthorized actions.
- Potential data loss or unauthorized data disclosure.

Vulnerability Location and POC
Location: AdminRoleController.java
Payload Example:

Recommended Remediation
1. Anti-CSRF Tokens - Implement and validate CSRF tokens on every form or action that changes state.
2. SameSite Cookies - Ensure session cookies carry the SameSite attribute set to Strict or Lax.
3. Double Submit Cookies - Issue a CSRF token in a cookie and in the form, and reject the request unless the two values match on submission.
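The three remediation items above fit together as one server-side check: a token is issued in a cookie (double submit), the same token must be echoed back in the form body, the token is bound to the user's session with an HMAC so a forged cookie pair is rejected, and the cookie itself is set with SameSite. The following Python is an added illustration of that check and is not code from WukongCRM or from this advisory; the cookie name XSRF-TOKEN, the form field _csrf, the session identifier and the secret key are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: a long-lived server secret loaded from configuration in a real
# deployment; generated at import time here so the example runs stand-alone.
SECRET_KEY = secrets.token_bytes(32)

COOKIE_NAME = "XSRF-TOKEN"   # assumed cookie name
FORM_FIELD = "_csrf"         # assumed hidden form field name
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_token(session_id: str) -> str:
    """Create a CSRF token bound to the session: random nonce + HMAC over it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_bound_to_session(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def csrf_cookie_header(token: str) -> str:
    """Set-Cookie header for the double-submit cookie with SameSite=Lax.
    The cookie is deliberately not HttpOnly: page scripts may need to read it
    to copy the value into a request header or hidden field."""
    return f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; Secure; SameSite=Lax"


def check_state_changing_request(method: str, session_id: str, cookies: dict, form: dict):
    """Return (allowed, reason) for one request. Safe methods pass; any other
    method must present matching cookie and form tokens that are bound to the
    caller's session."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FORM_FIELD)
    if not cookie_token or not form_token:
        return False, "missing token"
    # Double submit: the value the browser sent as a cookie must equal the
    # value submitted in the form. A cross-site page cannot read the cookie,
    # so it cannot produce a matching form value.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "token mismatch"
    # Binding: a pair of attacker-chosen values that happen to match is still
    # rejected because the HMAC will not verify for this session.
    if not token_bound_to_session(session_id, cookie_token):
        return False, "token not bound to session"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a legitimate role-update form post versus a forged
    # cross-site post that carries the session cookie but no readable token.
    session = "sess-constructed-1"
    token = issue_token(session)
    print(csrf_cookie_header(token))
    print("legitimate:", check_state_changing_request(
        "POST", session, {COOKIE_NAME: token}, {FORM_FIELD: token, "roleId": "2"}))
    print("forged (no form token):", check_state_changing_request(
        "POST", session, {COOKIE_NAME: token}, {"roleId": "2"}))
    print("forged (self-chosen pair):", check_state_changing_request(
        "POST", session, {COOKIE_NAME: "guess"}, {FORM_FIELD: "guess"}))
```

The check is applied to every non-safe method, not only to the endpoint in AdminRoleController.java, since any state-changing action without it has the same weakness. Binding the token to the session is what makes the double-submit pattern hold up when an attacker can plant a cookie of their own choosing; comparing with hmac.compare_digest avoids leaking the token through timing.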