dazhouda lecms Cross-Site Request Forgery Vulnerability in Password Change Handler
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in dazhouda lecms version 3.0.3. The issue resides in the password change handler, reached at the request path '/index.php?my-password-ajax-1'. This vulnerability allows remote attackers to initiate password change requests on behalf of users without their consent.
Impact
Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to account takeover.
Reproduction
To reproduce this vulnerability, first register an account and log in. Then, navigate to the 'Personal Center' and select 'Change Password'. Capture the password change request using Burp Suite. Save this request as a CSRF proof of concept (POC) and host it on a web server. Finally, visit the hosted POC file to execute the password change request.
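A log triage sketch for the request described above, added here as an example; it is not part of the original advisory or of the lecms code base. It assumes the web server writes Combined Log Format access logs and that the site is served from the placeholder hostname `cms.example.test`; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

ENDPOINT = "/index.php?my-password-ajax-1"   # handler named in the advisory
SITE_HOST = "cms.example.test"               # assumed hostname of the lecms site

# Combined Log Format: ip - user [time] "METHOD target proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /index.php?my-password-ajax-1 HTTP/1.1" 200 51 "https://cms.example.test/" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:04:40 +0000] "POST /index.php?my-password-ajax-1 HTTP/1.1" 200 51 "http://poc.example.net/csrf.html" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:05:11 +0000] "POST /index.php?my-password-ajax-1 HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 4312 "https://cms.example.test/" "Mozilla/5.0"
192.0.2.33 - - [12/Mar/2024:10:09:27 +0000] "POST /index.php?my-password-ajax-1 HTTP/1.1" 200 51 "https://cms.example.test.poc.example.net/" "Mozilla/5.0"
"""

def classify(line, site_host=SITE_HOST):
    """Return (verdict, ip, referer) for password-change POSTs, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    target = m["target"]
    if target != ENDPOINT and not target.startswith(ENDPOINT + "&"):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        return ("no-referer", m["ip"], referer)   # inconclusive, review by hand
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:                            # malformed Referer value
        host = ""
    # Compare the parsed hostname exactly; a substring test would accept look-alike hosts.
    verdict = "same-site" if host == site_host.lower() else "cross-site"
    return (verdict, m["ip"], referer)

def triage(log_text, site_host=SITE_HOST):
    """List every password-change POST that did not come from the site itself."""
    hits = (classify(line, site_host) for line in log_text.splitlines())
    return [h for h in hits if h and h[0] != "same-site"]

if __name__ == "__main__":
    for verdict, ip, referer in triage(SAMPLE_LOG):
        print(f"{verdict:10} {ip:15} {referer}")
```

A `cross-site` hit on this endpoint is a password change submitted from a page on another origin, which is the pattern the reproduction steps produce; `no-referer` hits cannot be classified from the log alone.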
