07FLYCMS
cpe:2.3:a:07fly:07flycms:*:*:*:*:*:*:*
- V1.3.9
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in 07FLYCMS version 1.3.9. The issue resides in the OaWorkReport component, specifically within the add.html page. This vulnerability allows an attacker to trick a user into submitting a request that could potentially manipulate data or perform actions on their behalf.
Successful exploitation lets an attacker perform actions on behalf of a user without their consent.
To reproduce this vulnerability, a CSRF proof of concept can be created by generating a form that submits to the OaWorkReport add.html page. The form should include hidden input fields with values that correspond to the application's expected data, such as report names, dates, user IDs, and content. Once the form is submitted, the application will process the request as if it were initiated by the user, thereby exploiting the CSRF vulnerability.
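One server-side check that stops the forged form described above, as an added example (not 07FLYCMS code and not part of the original advisory): the report-add action accepts only a POST that carries a same-site Origin or Referer and a session-bound token. The origin `https://cms.example`, the `csrf_token` and other form field names, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for illustration; none of these come from 07FLYCMS.
TRUSTED_ORIGIN = "https://cms.example"
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, kept server-side


def issue_token(session_id: str) -> str:
    """Token the server embeds in its own copy of the form for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """True only if Origin (or, when absent, Referer) names our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no provenance on a state-changing request: reject
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def allow_report_add(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """Decide whether a request to the report-add action may change state."""
    if method != "POST":
        return False  # never create records on GET
    if not same_origin(headers):
        return False
    supplied = form.get("csrf_token", "")
    # Compare as bytes, in constant time. A page on another site cannot read
    # the victim's token, so its form cannot supply a matching value.
    return hmac.compare_digest(supplied.encode(), issue_token(session_id).encode())


if __name__ == "__main__":
    sid = "sess-constructed-1"
    forged = {"name": "report", "content": "attacker text"}  # hidden fields, no token
    genuine = dict(forged, csrf_token=issue_token(sid))
    print(allow_report_add("POST", {"Origin": "https://attacker.example"}, forged, sid))
    print(allow_report_add("POST", {"Origin": TRUSTED_ORIGIN}, genuine, sid))
```
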