HRSALE Cross-Site Request Forgery Vulnerability Allowing Unauthorized Admin User Creation

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in HRSALE version 1.1.8. This vulnerability allows attackers to add unauthorized administrative users through the employee registration form. By crafting a malicious HTML page with hidden form fields, attackers can deceive authenticated administrators into creating new user accounts with elevated privileges.

Impact

Exploitation of this vulnerability allows for the unauthorized addition of administrative users, potentially leading to misuse of elevated privileges.

Reproduction

Exploitation requires delivering to an authenticated administrator a crafted HTML page containing a form that submits to the employee registration endpoint with the necessary fields populated, including the 'csrf_hrsale' token, which is sufficient to bypass the CSRF protection. Once the administrator submits the form, a new user account with admin privileges is created.
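The defence this advisory shows being bypassed is a server-side check that a state-changing POST really originated from the application's own page. The following is an added example written for this page, not HRSALE's code: a stand-in handler for an employee registration endpoint that accepts a submission only when the 'csrf_hrsale' field (the one field name taken from the advisory) matches an unpredictable token bound to the administrator's session and the request's Origin (or Referer) header names the site's own origin. The deployment origin, the session and request shapes, and the handler are constructed assumptions.

```python
"""Server-side CSRF check for a state-changing form submission.

Added example (not HRSALE code).  Only the field name 'csrf_hrsale' comes from
the advisory; the origin, session store and request shape are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://hr.example.test"   # assumed deployment origin (constructed)
TOKEN_FIELD = "csrf_hrsale"               # form field name given in the advisory


@dataclass
class Session:
    """Minimal server-side session; the CSRF token is generated per session,
    so a value embedded in someone else's page cannot match it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed request shape, standing in for what a framework passes in."""
    method: str
    form: dict
    headers: dict
    session: Session


def render_token(session: Session) -> str:
    """Value the legitimate form embeds as the hidden 'csrf_hrsale' field."""
    return session.csrf_token


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: browsers stamp cross-origin POSTs with the Origin of
    the page that submitted them, so anything not from our origin is rejected.
    Fall back to Referer when Origin is absent; fail closed when both are."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_ok(request: Request) -> bool:
    """Accept only a POST carrying the token bound to this session AND sent
    from our origin.  Constant-time compare avoids leaking the token."""
    if request.method != "POST":
        return False
    submitted = request.form.get(TOKEN_FIELD, "")
    token_ok = hmac.compare_digest(submitted, request.session.csrf_token)
    return token_ok and origin_allowed(request.headers)


def create_employee(request: Request) -> dict:
    """Stand-in for the employee registration handler: the requested role is
    honoured only after the CSRF check passes."""
    if not csrf_ok(request):
        return {"status": 403, "error": "CSRF check failed"}
    return {"status": 201, "user": request.form["username"], "role": request.form["role"]}


def demo() -> tuple:
    """Same-origin submission with the session's token versus a cross-site
    submission that cannot know the token and carries a foreign Origin."""
    admin = Session(user="admin")
    legit = Request("POST",
                    {"username": "new.hr", "role": "admin", TOKEN_FIELD: render_token(admin)},
                    {"Origin": SITE_ORIGIN}, admin)
    forged = Request("POST",
                     {"username": "unexpected", "role": "admin", TOKEN_FIELD: "stale-or-guessed"},
                     {"Origin": "https://other.example.test"}, admin)
    return create_employee(legit)["status"], create_employee(forged)["status"]


if __name__ == "__main__":
    print(demo())  # (201, 403)
```

The two checks are independent: a token that is static per installation (rather than per session) fails the first property, and the Origin check still catches a cross-site submission that happens to carry a valid token. Marking the session cookie SameSite=Lax or Strict adds a third layer, since the browser then omits the administrator's cookie from a cross-site POST altogether.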

Added: Feb 5, 2026, 5:34 PM
Updated: Feb 5, 2026, 9:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 5.6
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.