CVE-2024-40476

Name of the Vulnerable Software and Affected Versions SourceCodester Best House Rental Management System version 1.0

Description A Cross-Site Request Forgery (CSRF) issue was found in the system. This could lead to an attacker tricking the administrator into adding, modifying, or deleting valid tenant data via a crafted HTML page, as demonstrated by a Delete Tenant action at the "/rental/ajax.php?action=delete tenant" endpoint. The action parameter is used in this exploit, specifically with the value delete tenant.

Recommendations For SourceCodester Best House Rental Management System version 1.0, consider implementing proper CSRF protection mechanisms, such as token-based validation, to prevent unauthorized actions. As a temporary workaround, restrict access to the "/rental/ajax.php" endpoint to minimize the risk of exploitation. Avoid using the action parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.