PT-2021-18608 · Unknown · Web-School Erp

0Xrayan · Published 2021-04-08 · Updated 2021-04-13 · CVE-2021-30114

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Web-School ERP version 5.0
Description: The issue allows a remote attacker to create a voucher payment request through the "module/accounting/voucher/create" API endpoint. This is possible because the application does not validate a CSRF token on POST requests to that endpoint made with an administrator session, so a request that an administrator's browser is induced to send from another site is accepted.
Recommendations: For Web-School ERP version 5.0, consider disabling the "module/accounting/voucher/create" endpoint until a patch is available. Restrict administrator privileges to minimize the risk of unauthorized voucher payment requests, and avoid sending POST requests to that endpoint from an administrator session until the issue is resolved.
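The missing check described above, as an added example that is not Web-School ERP's own code: a minimal handler for a POST to module/accounting/voucher/create written both ways, once accepting any request that carries an admin session cookie (the behaviour the advisory describes) and once requiring a per-session synchronizer token compared in constant time plus an Origin allow-list. The session store, request shape and origin are constructed for the example.

```python
import hmac
import secrets

# Constructed for this example: in-memory session store and the origin the ERP
# is served from. A real deployment keeps these in its session layer and config.
SESSIONS = {}
ALLOWED_ORIGINS = {"https://erp.example.internal"}
VOUCHER_ENDPOINT = "module/accounting/voucher/create"


def new_session(role):
    """Create a session and bind a fresh synchronizer token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"role": role, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def build_request(session_id, origin, form):
    """Shape of the incoming POST as the handler sees it (constructed)."""
    return {"method": "POST", "path": VOUCHER_ENDPOINT,
            "cookies": {"session": session_id},
            "headers": {"Origin": origin}, "form": dict(form)}


def _admin_session(request):
    sess = SESSIONS.get(request["cookies"].get("session"))
    return sess if sess and sess["role"] == "admin" else None


def create_voucher_unprotected(request):
    """Behaviour the advisory describes: any POST carrying an admin session
    cookie is accepted. The browser attaches the cookie automatically, and the
    request's origin is never examined."""
    if request["method"] != "POST" or _admin_session(request) is None:
        return 403
    return 201  # voucher created


def create_voucher_protected(request):
    """Hardened handler: same session check, then two CSRF defences."""
    sess = _admin_session(request)
    if request["method"] != "POST" or sess is None:
        return 403
    # 1. Origin allow-list (defence in depth; browsers set Origin on POST).
    if request["headers"].get("Origin") not in ALLOWED_ORIGINS:
        return 403
    # 2. Synchronizer token bound to this session, compared in constant time.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return 403
    return 201
```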

Weakness Enumeration: CSRF

Related Identifiers: CVE-2021-30114

Affected Products: Web-School Erp