SourceCodester Leads Manager Tool Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in SourceCodester Leads Manager Tool version 1.0. The application lacks adequate CSRF protection, such as anti-CSRF tokens or same-origin verification, on its state-changing endpoints. Because the browser attaches the victim's session cookie to any request sent to the application, an attacker can have state-changing operations carried out under the victim's session by forging those requests from another site. The issue can be exploited remotely when a user with an active session on the Leads Manager Tool visits a malicious webpage that automatically submits requests to add, update, or delete leads.
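The two controls named above (a per-session anti-CSRF token and a same-origin check) are shown together below as an added, constructed example; it is not code from the Leads Manager Tool, and the function names, the `csrf_token` field name and the `https://leads.example.test` origin are placeholders chosen for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: the app origin is a placeholder, not a real deployment.
APP_ORIGIN = "https://leads.example.test"


def issue_csrf_token(session: dict) -> str:
    """Create a random token, keep it in the server-side session, and return it
    so the server can embed it as a hidden field in every lead add/update/delete form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _same_origin(headers: dict) -> bool:
    """Second line of defence: the request must come from the app's own origin.
    Browsers send Origin on cross-site POSTs; fall back to Referer when Origin is absent."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # neither header present: treat as untrusted
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == APP_ORIGIN


def is_request_allowed(session: dict, form: dict, headers: dict) -> bool:
    """Gate for state-changing endpoints. A forged cross-site request cannot read
    the token (same-origin policy) and carries a foreign Origin, so it fails both checks."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected:
        return False  # no token was ever issued for this session
    # Constant-time comparison on bytes; compare_digest on str requires ASCII input.
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    return _same_origin(headers)


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Legitimate form submission from the app's own page.
    print(is_request_allowed(session, {"csrf_token": token}, {"Origin": APP_ORIGIN}))
    # Forged submission from another site: no token, foreign Origin.
    print(is_request_allowed(session, {}, {"Origin": "https://other.example"}))
```

A real deployment would issue the token on login and compare it on every POST handler that modifies leads, and would additionally set the session cookie with `SameSite=Lax` or `Strict`.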
Impact
Exploitation of this vulnerability could lead to unauthorized modifications of lead data, including adding, updating, or deleting entries, which could disrupt the application's data integrity and management functions.
Reproduction
To reproduce this vulnerability, first, access the Leads Manager Tool without authentication. Then, create a malicious HTML page that sends automated requests to the application's endpoints for adding, updating, or deleting leads. Finally, open this page in a browser session where the Leads Manager Tool is active. The forged requests will be executed automatically, performing the intended lead management operations without the user's consent.
