PHPJabbers Cinema Booking System
cpe:2.3:a:phpjabbers:cinema_booking_system:*:*:*:*:*:*:*
- 2.0
A cross-site request forgery (CSRF) vulnerability has been identified in PHPJabbers Cinema Booking System version 2.0. The 'pjActionUpdate' handler, which updates an admin user's details, accepts a state-changing POST request without an anti-CSRF token or any other proof that the request originated from the application's own pages. A remote attacker who does not need an account can therefore have the request issued by the browser of a logged-in administrator, for example by luring the administrator to an attacker-controlled page, and the application processes it with the administrator's privileges.
Successful exploitation lets the attacker perform unauthorized actions in the administrator's name, such as changing the administrator's password or email address, or promoting an account the attacker controls to the admin role, which amounts to a full takeover of the back end.
To reproduce, host an HTML page containing a form that POSTs to the 'pjActionUpdate' endpoint with the parameters the application expects for an admin-user update (the target user id, the new email, password, and role id) and have it submit automatically when the page loads. When an authenticated administrator visits the page, the browser attaches the administrator's session cookie to the forged POST and the targeted account is updated with the attacker's values. Two preconditions apply: the administrator must have an active session in the same browser, and the session cookie must be sent with a cross-site POST, which is not the case if it carries SameSite=Strict or SameSite=Lax (browsers that default cookies to Lax only make a short-lived exception for cookies set without a SameSite attribute).
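The following is an added example, not PHPJabbers code, that illustrates the defect described above and the standard fix. It sketches an update handler in the style of 'pjActionUpdate' first without and then with CSRF protection. The parameter names (id, email, password, role_id, csrf_token), the saveUser() helper and the host name cinema.example are assumptions made for the illustration and do not come from the product.

```php
<?php
// Added example (not the vendor's code). Parameter names, saveUser() and the
// expected host are assumptions for illustration only.

session_start();

// Stand-in for the application's persistence layer (assumed helper).
function saveUser(int $id, string $email, string $password, int $roleId): bool
{
    // ...update the admin_users row...
    return true;
}

// --- Vulnerable pattern -------------------------------------------------
// Any POST that arrives with a valid admin session cookie is trusted. A form
// on an attacker's page, submitted by the admin's browser, satisfies this.
function pjActionUpdate_vulnerable(array $post, array $session): bool
{
    if (empty($session['admin_id'])) {
        return false;                       // not logged in
    }
    return saveUser((int)$post['id'], $post['email'], $post['password'], (int)$post['role_id']);
}

// --- Hardened pattern ---------------------------------------------------
// Synchronizer token bound to the session (an attacker's page cannot read it),
// compared in constant time, plus an Origin/Referer check as defense in depth.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfRequestIsValid(array $post, array $server, array $session, string $expectedHost): bool
{
    // 1. The submitted token must match the one stored in the session.
    $sent = $post['csrf_token'] ?? '';
    if ($sent === '' || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $sent)) {
        return false;
    }
    // 2. If the browser sent Origin (or Referer), its host must be ours.
    //    Absence is tolerated because some clients strip these headers.
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($origin !== '') {
        $host = parse_url($origin, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $expectedHost) !== 0) {
            return false;
        }
    }
    return true;
}

function pjActionUpdate_hardened(array $post, array $server, array $session): bool
{
    if (empty($session['admin_id'])) {
        return false;
    }
    if (!csrfRequestIsValid($post, $server, $session, 'cinema.example')) {
        http_response_code(403);            // reject forged request
        return false;
    }
    return saveUser((int)$post['id'], $post['email'], $post['password'], (int)$post['role_id']);
}

// The legitimate edit form embeds the token so only same-origin pages can
// produce an acceptable request:
//
//   <input type="hidden" name="csrf_token"
//          value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
```

In addition to the token, setting the session cookie with SameSite=Lax (session_set_cookie_params(['samesite' => 'Lax', 'secure' => true, 'httponly' => true]) before session_start()) stops the browser from attaching it to a cross-site POST in the first place, and requiring the current password before a password or role change limits the damage if a token ever leaks.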