Key Information Summary

Vulnerability Description
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Affected Product: Pet Grooming Management Software 1.0
Vulnerability Discoverer: Camilla Flocco
Product Vendor: SourceCodester

Exploitation Conditions
- The user must be logged in to the Pet Grooming management backend via a browser (active session cookie).
- The user must visit a webpage controlled by the attacker (or otherwise trigger the request) while remaining logged in.
- The target endpoint accepts unauthenticated POST requests for password change without additional confirmation.
- The application does not validate an anti-CSRF token or request-origin header information for state-changing requests; the session cookie is sent automatically by the browser.

Exploitation Steps
1. Log in to the application using the default credentials
   - Email: mdkhaimar92@gmail.com
   - Password: admin
2. Access the management backend interface
3. Create a malicious HTML file that sends a password change request
   - Example: use a button to trigger the request, or use a blank page for automation
4. Open the malicious HTML page while logged in
5. The password has been changed
6. Check the database to confirm the password was changed without authorization
7. Attempt to log in using the new password
8. Login successful

Affected Components
- Administrator password change form
- Path: Password update functionality
- Server-side session handling

Attack Type
Remote

Impact
Code Execution: Affected
Privilege Escalation: Affected
Information Disclosure: Affected

Attack Vector
An attacker can create a malicious HTML page that, when accessed by an authenticated user, automatically submits a password change request, leveraging the user's session information to change the administrator password without authorization.

References
SourceCodester - Pet Grooming Management Software
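The report attributes the flaw to two missing server-side checks on the password-change endpoint: no anti-CSRF token and no validation of where the request came from. The following handler is an added example written for this page; it is not code from the SourceCodester application. It shows a session-bound token, a constant-time comparison, an Origin/Referer check, a SameSite session cookie as defence in depth, and re-authentication with the current password before a new one is accepted. APP_HOST, the database DSN, the `admin` table and its columns, and the form field names are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Added example (not the application's own code). Hypothetical values:
// APP_HOST, the PDO DSN, the `admin` table, and the form field names.
const APP_HOST = 'petgrooming.example';

// Defence in depth: modern browsers do not attach a SameSite=Lax cookie to
// cross-site POSTs, independently of the token check below.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => true]);
session_start();

// Return the session's anti-CSRF token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function csrf_token_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Independent second check: Origin (falling back to Referer) must name this
// site. A state-changing request carrying neither header is rejected.
function request_origin_allowed(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// The form embeds the token, so only a page served by this site can build
// an acceptable request.
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="change_password.php">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input type="password" name="current_password">'
        . '<input type="password" name="new_password">'
        . '<button type="submit">Change password</button></form>';
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    echo render_form(); // GET only renders the form; it never changes state
    exit;
}

if (!isset($_SESSION['admin_id'])) {
    http_response_code(401);
    exit('Not logged in');
}

if (!csrf_token_valid($_POST['csrf_token'] ?? null)
    || !request_origin_allowed($_SERVER, APP_HOST)) {
    http_response_code(403);
    exit('Request rejected: missing or invalid CSRF token or origin');
}

// Re-authentication: the current password is required, so a forged request
// cannot set a new password blind even if the checks above were bypassed.
$db = new PDO('mysql:host=localhost;dbname=pet_grooming', 'app', 'secret'); // hypothetical DSN
$stmt = $db->prepare('SELECT password FROM admin WHERE id = ?');
$stmt->execute([$_SESSION['admin_id']]);
$storedHash = $stmt->fetchColumn();

if ($storedHash === false
    || !password_verify($_POST['current_password'] ?? '', $storedHash)) {
    http_response_code(403);
    exit('Current password incorrect');
}

$newPassword = $_POST['new_password'] ?? '';
if (strlen($newPassword) < 8) {
    http_response_code(400);
    exit('New password too short');
}

$update = $db->prepare('UPDATE admin SET password = ? WHERE id = ?');
$update->execute([password_hash($newPassword, PASSWORD_DEFAULT), $_SESSION['admin_id']]);

unset($_SESSION['csrf_token']); // rotate the token after a successful state change
echo 'Password updated';
```

The token and the origin check are deliberately independent: a missing Origin and Referer header is treated as a failure rather than a pass, and the token lives in the server-side session rather than in a cookie, so the browser cannot be tricked into supplying it from a third-party page.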