WuKongOpenSource WukongCRM Cross-Site Request Forgery Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in WuKongOpenSource WukongCRM version 9.0. The issue resides in the AdminUserController.java file, specifically within the /system/user/updataPassword endpoint. This vulnerability allows attackers to manipulate authenticated users into performing actions such as changing passwords or modifying account settings without their consent. The application fails to verify the authenticity of requests that alter user-sensitive data, enabling attackers to exploit this weakness remotely.

Impact

Exploitation of this vulnerability could lead to unauthorized password changes, profile updates, or other account modifications, all performed without the user's consent.

Reproduction

To reproduce this vulnerability, send a POST request to the /system/user/updataPassword endpoint. Include the old password and the new password in the request. The absence of a Referer header does not invalidate the request, allowing the CSRF attack to succeed.

Remediation

It is recommended to implement anti-CSRF tokens in all state-changing forms, ensure cookies have the SameSite attribute set to Strict or Lax, validate the Referer header for sensitive actions, and use a double submit cookie approach. Integrating these measures can significantly reduce the risk of CSRF attacks.