Precurio Intranet Portal
cpe:2.3:a:precurio:precurio:*:*:*:*:*:*:*
- <= 2.0
A cross-site request forgery (CSRF) vulnerability has been identified in Precurio Intranet Portal version 2.0. This vulnerability allows unauthenticated attackers to create administrative user accounts by sending crafted POST requests to the '/public/admin/user/submitnew' endpoint. The vulnerability arises because the application does not require CSRF tokens or user interaction for account creation, enabling attackers to forge requests with user creation parameters and add new admin accounts.
Exploitation of this vulnerability allows for the unauthorized creation of administrative user accounts, potentially leading to unauthorized access and privileges within the application.
To reproduce this vulnerability, send a POST request to the '/public/admin/user/submitnew' endpoint without a CSRF token. Include the necessary user creation parameters, such as 'first_name', 'last_name', 'email', 'password', 'department_id', and 'location_id'. The absence of a CSRF token and the ability to send the request without user interaction are key factors in exploiting this vulnerability.
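The root cause described above is a state-changing admin endpoint that neither verifies an administrator session nor binds the form to a per-session CSRF token. The following is an added example of the defender-side check, not Precurio code: a guard for '/public/admin/user/submitnew' that rejects the forged request pattern from the advisory and accepts only an authenticated admin POST carrying the synchronizer token issued to that session. The `Session` class, `guard_submitnew` name and `csrf_token` field name are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Endpoint and form fields named in the advisory above.
ENDPOINT = "/public/admin/user/submitnew"
REQUIRED_FIELDS = ("first_name", "last_name", "email", "password",
                   "department_id", "location_id")

@dataclass
class Session:
    """Assumed server-side session: identity plus a per-session CSRF token."""
    user_id: Optional[str] = None
    is_admin: bool = False
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def guard_submitnew(session: Session, method: str, form: dict) -> tuple:
    """Return (http_status, reason); 200 only when every check passes."""
    if method != "POST":
        return 405, "method not allowed"
    # Authentication first: the advisory notes the endpoint was reachable
    # by unauthenticated callers, so an admin session is required before
    # any form content is considered.
    if session.user_id is None or not session.is_admin:
        return 403, "admin session required"
    # Synchronizer token: the form must echo the token bound to this session.
    # compare_digest avoids leaking the token through timing differences.
    token = str(form.get("csrf_token", ""))
    if not token or not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    missing = [f for f in REQUIRED_FIELDS if not form.get(f)]
    if missing:
        return 400, "missing fields: " + ", ".join(missing)
    return 200, "user created"

# Constructed sample form, shaped like the forged request in the advisory
# (every user-creation field present, no CSRF token).
FORGED = {"first_name": "x", "last_name": "y", "email": "x@example.invalid",
          "password": "p", "department_id": "1", "location_id": "1"}

if __name__ == "__main__":
    anon = Session()
    print(guard_submitnew(anon, "POST", FORGED))            # rejected: no admin session
    admin = Session(user_id="1", is_admin=True)
    print(guard_submitnew(admin, "POST", FORGED))           # rejected: no token
    ok = {**FORGED, "csrf_token": admin.csrf_token}
    print(guard_submitnew(admin, "POST", ok))               # accepted
```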