Bdtask Wholesale Inventory Control and Inventory Management System Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in Bdtask's Wholesale Inventory Control and Inventory Management System, affecting versions prior to 20250320. The vulnerability arises because the application does not implement adequate anti-CSRF protections in the user profile update feature. This flaw allows attackers to forge requests that modify profile information, such as email addresses, potentially leading to unauthorized account access.
Impact
Exploitation of this vulnerability can result in account takeover. By changing the email address of an administrator to one controlled by the attacker, the attacker can use the password reset feature to gain full access to the admin account.
Reproduction
To reproduce this vulnerability, an attacker can create a malicious webpage that sends a POST request to the '/Admin_dashboard/update_profile' endpoint. This request must include the profile update details, such as the new email address. When an authenticated user visits the page, their browser will automatically submit the request, including their session cookies, thereby executing the unauthorized profile change.
Remediation
It is recommended to implement anti-CSRF tokens in the application. Each user session should have a unique token that is included in state-changing forms. The server must validate this token upon form submission. Additionally, setting the SameSite attribute on session cookies can help prevent CSRF attacks by restricting cookie transmission with cross-site requests.
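A defender-side sketch of the remediation above, added here as an example and not taken from the Bdtask product: a per-session anti-CSRF token that is issued, validated in constant time and rotated after use, plus a SameSite attribute on the session cookie. The session dictionary, form field names and cookie name are assumptions.

```python
import hmac
import secrets
from typing import Optional, Tuple

TOKEN_KEY = "_csrf_token"  # assumed name of the session slot holding the token


def issue_csrf_token(session: dict) -> str:
    """Create a fresh per-session token and store it server-side.

    The same value is embedded as a hidden field in every state-changing
    form; a cross-site page cannot read it, so it cannot forge it.
    """
    token = secrets.token_urlsafe(32)
    session[TOKEN_KEY] = token
    return token


def csrf_token_is_valid(session: dict, submitted: Optional[str]) -> bool:
    """Compare the submitted token with the session's in constant time."""
    expected = session.get(TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def update_profile(session: dict, form: dict) -> Tuple[int, dict]:
    """Hardened stand-in for a profile update handler (assumed shape).

    Returns (status, profile). A forged cross-site POST carries the
    victim's session cookie but no token, so it is rejected before any
    field is changed.
    """
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return 403, session["profile"]
    session["profile"]["email"] = form["email"]
    issue_csrf_token(session)  # rotate so a captured token cannot be replayed
    return 200, session["profile"]


def session_set_cookie(session_id: str) -> str:
    """Set-Cookie value for the session; SameSite=Lax keeps the browser from
    attaching the cookie to cross-site POSTs as a second layer of defence."""
    # "sessid" is a placeholder cookie name, not the product's real one.
    return f"sessid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```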
