Product Information
- Vendor Homepage: https://www.bdtask.com
- Software Link: https://codecanyon.net/item/erp-business-erp-solution-product-shop-company-management/19314578
- Demo URL: https://saleserplatestd.bdtask-demo.com/
- Affected Version: Latest version as of 2025-10-16
- BUG Author: 4m3rr0r

Vulnerability Details
- Type: Cross-Site Request Forgery (CSRF)
- Affected URL: /dashboard/home/update_profile
- Vulnerable Component: The user profile update functionality.

Vulnerability Type
- Cross-Site Request Forgery
- CWE ID: CWE-352
- Severity Level: HIGH
- CVSS Score: 8.8 (High)

Root Cause
- The application's form for updating user profile information does not implement any anti-CSRF protection, such as a unique, per-session token. This allows an attacker to create a malicious webpage that forges and submits a request to the /dashboard/home/update_profile endpoint. If an authenticated user visits the attacker's page, their browser will automatically submit the forged request along with their active session cookie, leading the server to process the unauthorized changes.

Impact
- An attacker can trick a logged-in user, such as an administrator, into visiting a malicious website. This will force the user's browser to silently send a request to change their profile details. The primary impact is account takeover. By changing the administrator's email address to one they control, the attacker can then use the "Forgot Password" functionality to reset the password and gain full control of the admin account.

Proof of Concept (PoC)
- The following HTML page demonstrates the CSRF vulnerability. When an authenticated user opens this page, it will automatically submit a form to change their email address to hackby@gmail.com.

Suggested Remediation
- Implement Anti-CSRF Tokens: The primary defense against CSRF is the Synchronizer Token Pattern. The application should generate a unique, random token for each user session and embed it as a hidden field in every state-changing form. When the form is submitted, the server must validate that the token received matches the one stored in the user's session.
- Use SameSite Cookies: Set the SameSite attribute on session cookies to Strict or Lax. This instructs the browser not to send the cookie along with cross-site requests, which mitigates most CSRF attacks.

References
- OWASP Cross-Site Request Forgery (CSRF)
- CWE-352: Cross-Site Request Forgery (CSRF)
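The two remediations above, worked through as an added example (not code from the vendor's product): a per-session synchronizer token issued for the form, validated with a constant-time compare before the profile update is applied, plus a session cookie set with SameSite. The `update_profile` handler, the `session`/`form` dictionaries and the cookie name are hypothetical stand-ins for the framework's own request objects.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Return the session's anti-CSRF token, creating one on first use.

    The token is kept server-side in the session and embedded as a hidden
    field in every state-changing form, such as the profile update form.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_field(session: dict) -> str:
    """Hidden input carrying the token; rendered inside the <form>."""
    return f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session)}">'


def validate_csrf(session: dict, form: dict) -> bool:
    """Accept the submission only if its token matches the session's token.

    A page on another origin cannot read the victim's session token, so a
    forged request cannot supply a matching value. compare_digest avoids
    leaking the token through timing differences.
    """
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def update_profile(session: dict, form: dict) -> tuple:
    """Hypothetical handler for /dashboard/home/update_profile.

    Returns (status, message); the profile is only changed after the token
    check passes, so a cross-site POST without the token is rejected.
    """
    if not validate_csrf(session, form):
        return 403, "CSRF token missing or invalid"
    session["email"] = form["email"]
    return 200, "profile updated"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with SameSite=Lax as defence in depth (cookie name is a placeholder)."""
    return f"app_session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

With the token check in place, a request that omits or mismatches the token returns 403 and leaves the stored e-mail untouched; SameSite=Lax additionally stops the browser attaching the session cookie to a cross-site form POST.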