Ghostxbh Uzy-SSM-Mall Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Ghostxbh Uzy-SSM-Mall version 1.0.0. The issue arises in the '/mall/user/update' interface, which lacks proper CSRF protection, such as token validation or user authentication checks. This vulnerability allows attackers to craft malicious requests that can trick logged-in users into unintentionally altering their personal information.

Impact

Exploitation of this vulnerability allows unauthorized modification of a user's personal information, because the affected interface applies no CSRF protection to the update request.

Reproduction

To reproduce this vulnerability, create a CSRF proof of concept (PoC) by crafting a malicious request that targets the '/mall/user/update' endpoint. This request should include the necessary data fields to update user information, such as nickname, real name, password, gender, birthday, and address. Once the PoC is created, host it on a webpage and send the link to a logged-in user. When the user opens the link, the crafted request will be automatically submitted, resulting in the unauthorized modification of their personal information.
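The missing check described above, shown from the defender's side as an added example (this is not code from Uzy-SSM-Mall, which is a Java/Spring application, nor from this advisory): a Python model of a profile-update handler that accepts a cross-site POST on the strength of the session cookie alone, beside a hardened version that requires a per-session synchronizer token in the form and a same-origin Origin/Referer header. The handler names, the session store, the site origin and the sample profile data are assumptions; the updatable fields are the ones the advisory lists.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed site origin; a real deployment would configure this.
SITE_ORIGIN = "https://mall.example"

# Fields the advisory says /mall/user/update accepts.
ALLOWED_FIELDS = {"nickname", "realName", "password", "gender", "birthday", "address"}


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once per session."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample session store keyed by the session cookie value.
SESSIONS = {"sess-abc123": Session(user_id=42)}


def fresh_store():
    """Constructed sample profile table, returned as a new copy per call."""
    return {42: {"nickname": "alice", "address": "1 Old St"}}


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict


def issue_form_token(session_id):
    """Token to embed as a hidden `_csrf` field when rendering the profile form."""
    return SESSIONS[session_id].csrf_token


def same_origin(headers):
    """True only when the browser reports the request came from our own site.
    Origin is compared exactly; Referer must start with our origin plus '/'
    so that 'https://mall.example.evil' does not pass."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    return headers.get("Referer", "").startswith(SITE_ORIGIN + "/")


def update_user_vulnerable(req, store):
    """Models the weakness described for /mall/user/update: the session cookie,
    which the browser attaches to any cross-site form post, is the only check."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if sess is None:
        return 401, "not logged in"
    fields = {k: v for k, v in req.form.items() if k in ALLOWED_FIELDS}
    store[sess.user_id].update(fields)
    return 200, "updated"


def update_user_hardened(req, store):
    """Same handler with synchronizer-token and origin checks added."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if sess is None:
        return 401, "not logged in"
    # 1) The form must carry the token issued to this session; an attacker's
    #    page cannot read it, so a forged form cannot supply it.
    token = req.form.get("_csrf", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    # 2) Defence in depth: reject requests the browser labels as cross-origin.
    if not same_origin(req.headers):
        return 403, "cross-origin request rejected"
    fields = {k: v for k, v in req.form.items() if k in ALLOWED_FIELDS}
    store[sess.user_id].update(fields)
    return 200, "updated"


if __name__ == "__main__":
    # Constructed cross-site POST: cookie present (sent by the browser), no token.
    forged = Request(cookies={"JSESSIONID": "sess-abc123"},
                     form={"nickname": "changed-by-other-site"},
                     headers={"Origin": "https://other.example"})
    print("vulnerable:", update_user_vulnerable(forged, fresh_store()))
    print("hardened:  ", update_user_hardened(forged, fresh_store()))
```

In a Spring MVC application the equivalent is Spring Security's built-in CsrfFilter, which rejects state-changing requests lacking the per-session token; setting the session cookie to SameSite=Lax is a further mitigation, since browsers then omit it from cross-site POSTs.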

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 7.7
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.