Benner ModernaNet Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Benner ModernaNet versions prior to 1.2.1. The issue resides in an unknown function of the file '/DadosPessoais/SG_Gravar', where manipulation of the 'idItAg' argument allows unauthorized actions to be performed on behalf of authenticated users. The vulnerability can be exploited remotely and can lead to account takeover, because it lets attackers modify sensitive personal information such as names, emails, and contact details for any logged-in user.

Impact

Exploitation of this vulnerability allows for unauthorized modification of personal data for logged-in users, which could result in identity theft and unauthorized changes to user accounts.

Reproduction

To reproduce this vulnerability, a malicious page can be created that includes a form targeting the '/DadosPessoais/SG_Gravar' endpoint. The form should be pre-filled with the victim's personal information, such as name, email, CPF, address, and other relevant details. Once the victim visits the page, the form will automatically submit, applying the changes as if the user had done it themselves.
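Seen from the server, a request produced by such a page carries browser-set headers that name the site that initiated it. The following check is an added example, not part of the advisory or of the vendor's fix, that flags requests to the endpoint arriving from another origin. The trusted origin `https://modernanet.example`, the function names and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Only the path comes from the advisory. The application's origin below is a
# placeholder assumption for this example.
PROTECTED_PATH = "/DadosPessoais/SG_Gravar"
TRUSTED_ORIGINS = {"https://modernanet.example"}


def origin_of(value):
    """Reduce an Origin or Referer value to scheme://host[:port], else None."""
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify(path, headers):
    """Return ('allow' | 'reject', reason) for one request to the application."""
    h = {k.lower(): v for k, v in headers.items()}
    # Case-insensitive match so a re-cased path cannot sidestep the check.
    if urlsplit(path).path.rstrip("/").lower() != PROTECTED_PATH.lower():
        return "allow", "path not covered by this check"
    # Fetch Metadata: browsers that send it label cross-site requests directly.
    if h.get("sec-fetch-site", "").lower() == "cross-site":
        return "reject", "Sec-Fetch-Site is cross-site"
    # Origin is sent on form POSTs; fall back to Referer when it is absent.
    source = h.get("origin") or h.get("referer")
    if not source:
        return "reject", "neither Origin nor Referer present"
    origin = origin_of(source)  # "null" (sandboxed or data: pages) yields None
    if origin not in TRUSTED_ORIGINS:
        return "reject", f"request initiated from {origin or 'an opaque origin'}"
    return "allow", "same-origin request"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/DadosPessoais/SG_Gravar", {"Origin": "https://modernanet.example"}),
    ("/DadosPessoais/SG_Gravar", {"Origin": "https://other-site.example",
                                  "Sec-Fetch-Site": "cross-site"}),
    ("/dadospessoais/sg_gravar", {"Referer": "https://other-site.example/page"}),
    ("/DadosPessoais/SG_Gravar", {"Origin": "null"}),
    ("/DadosPessoais/SG_Gravar", {}),
    ("/Home/Index", {"Origin": "https://other-site.example"}),
]

if __name__ == "__main__":
    for path, headers in SAMPLES:
        print(path, headers, "->", classify(path, headers))
```

The same function can be run over parsed access-log records to look for past cross-origin submissions, provided the log format records the Origin or Referer header.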

Remediation

Users are advised to upgrade to Benner ModernaNet version 1.2.1 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.