Joomla JoomOCShop
cpe:2.3:a:joomla:joomla!:*:*:*:*:*:*:*
- <= 1.0
A cross-site request forgery (CSRF) vulnerability has been identified in the Joomla JoomOCShop extension version 1.0. This vulnerability allows attackers to perform unauthorized actions on behalf of authenticated users. By crafting malicious HTML forms that target specific account endpoints, such as the user information edit route, attackers can modify user details or reset passwords without the user's consent.
Successful exploitation lets an attacker perform actions on behalf of a user, potentially leading to unauthorized changes to user information or password resets.
To exploit this vulnerability, create a malicious HTML form that includes the necessary fields for the targeted account endpoint. For example, to change user information, the form should be directed to the account edit route and include fields such as firstname, lastname, email, telephone, and fax. Once the form is prepared, it can be submitted automatically using a script.
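On the defensive side, a forged form of this kind is rejected when the account edit handler requires a per-session token and checks the request's `Origin`. The following is an added example, not JoomOCShop's or Joomla's own code; the function names, `SITE_ORIGIN` and the `csrf_token` field are assumptions, and the profile field names are the ones listed above.

```php
<?php
// Added example: synchronizer-token and Origin checks for a state-changing
// account form. Function names and the site origin are hypothetical.
const SITE_ORIGIN = 'https://shop.example';   // placeholder origin

// Issue (or reuse) a per-session token; the form embeds it as a hidden field.
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept a POST only if it is same-origin and carries the session's token.
function csrf_check(array $session, array $post, array $server): bool
{
    // Reject a foreign Origin; if the header is absent, rely on the token.
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin !== '' && $origin !== SITE_ORIGIN) {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // Constant-time comparison; an empty expected token never validates.
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

// Handler for the account edit form (fields as named in the advisory).
function handle_account_edit(array $session, array $post, array $server): int
{
    if (!csrf_check($session, $post, $server)) {
        return 403;               // refuse before touching any account data
    }
    // The profile update (firstname, lastname, email, ...) would run here.
    return 200;
}

// Constructed requests: one from the site's own form, one forged cross-site.
$session = [];
$token   = csrf_issue($session);
$fields  = ['firstname' => 'A', 'lastname' => 'B', 'email' => 'a@shop.example',
            'telephone' => '0', 'fax' => '0'];
$own    = handle_account_edit($session, $fields + ['csrf_token' => $token],
                              ['HTTP_ORIGIN' => SITE_ORIGIN]);
$forged = handle_account_edit($session, $fields,
                              ['HTTP_ORIGIN' => 'https://other.example']);
printf("own form: %d, forged form: %d\n", $own, $forged);
```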