JhumanJ OpnForm Cross-Site Request Forgery Vulnerability in API Endpoint

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in JhumanJ OpnForm versions up to and including 1.9.3. The issue resides in an unspecified function within the API Endpoint component. The vendor requires authentication via an Authorization Bearer token for API calls, which normally mitigates CSRF because a browser does not attach that header to cross-site requests on its own; even so, the vulnerability can be exploited. An attacker would first need to obtain a valid JSON Web Token (JWT), for example through cross-site scripting (XSS), but the XSS vulnerabilities that could have provided such a token have been addressed, which blocks that initial access.

Impact

Successful exploitation allows cross-site request forgery: an attacker can trick a user into making unintended requests to the API, potentially leading to unauthorized actions being performed on that user's behalf.

Reproduction

To reproduce this vulnerability, an attacker must first obtain a valid JWT. This could be attempted through XSS, although those vulnerabilities have been mitigated. Once a JWT is acquired, the attacker can carry out the CSRF attack by sending a request to the API endpoint with the JWT included in the Authorization header.

Added: Oct 8, 2025, 8:20 AM
Updated: Oct 8, 2025, 2:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.