xxl-api Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in xxl-api versions through 1.3.0. It allows an attacker to add arbitrary users to the management module by causing a crafted GET request to be sent. The root cause is that the application interfaces for adding, deleting, and modifying users accept GET requests: a browser carrying a logged-in administrator's session cookie attaches that cookie to any cross-site navigation it performs, and no CSRF token ties the request to a form the application itself rendered, so the state change completes without the administrator's intent.
Impact
Exploitation of this vulnerability allows for unauthorized user creation in the management module.
Reproduction
To reproduce this vulnerability, first deploy the application and ensure it is running. Then, use a tool such as Burp Suite to intercept a request that adds a new user in the user management module. Change the intercepted request's method from the default POST to GET and send it through the proxy. Finally, check the user management module to confirm that the new user has been added; a state change accepted over GET is the precondition that makes the CSRF attack possible.
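The pattern the Vulnerability section describes, as an added example that is not xxl-api's own code: a Spring MVC controller (assumed Spring 4.3+ on javax.servlet) with a handler mapped without any HTTP method restriction beside a hardened one that accepts only POST and checks a synchronizer token. The /user/add paths, UserService interface and the csrfToken session attribute are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.*;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

@Controller
@RequestMapping("/user")
public class UserController {
    // Hypothetical persistence interface standing in for the application's user service.
    public interface UserService { void add(String username, String password); }
    private final UserService userService;
    public UserController(UserService userService) { this.userService = userService; }

    // VULNERABLE PATTERN: @RequestMapping without a method attribute matches every
    // HTTP method, so GET /user/add?username=..&password=.. creates a user. The
    // browser attaches the administrator's session cookie to that GET like any
    // other request, and no token ties it to a form the application rendered.
    @RequestMapping("/add")
    @ResponseBody
    public String addUserVulnerable(@RequestParam("username") String username,
                                    @RequestParam("password") String password) {
        userService.add(username, password);
        return "ok";
    }

    // HARDENED: accepted only via POST, and the body must echo the per-session
    // synchronizer token stored under "csrfToken" when the form was rendered
    // (issuance not shown); a cross-site page cannot read that value. In a real
    // fix the method above is deleted; both are kept here only for comparison.
    @PostMapping("/add-safe")
    @ResponseBody
    public String addUser(@RequestParam("username") String username,
                          @RequestParam("password") String password,
                          @RequestParam("_csrf") String token,
                          HttpSession session,
                          HttpServletResponse response) throws IOException {
        String expected = (String) session.getAttribute("csrfToken");
        // Constant-time comparison so token verification does not leak by timing.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                token.getBytes(StandardCharsets.UTF_8))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid CSRF token");
            return null;
        }
        userService.add(username, password);
        return "ok";
    }
}
```

In a Spring Security deployment the CsrfFilter performs this token issuance and check for every state-changing method; the manual comparison above only shows the principle.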
