PHPGurukul Complaint Management System Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in PHPGurukul Complaint Management System version 2.0. It arises from the absence of CSRF protections, such as anti-CSRF tokens or HTTP Referer validation, so a remote attacker can cause an authenticated user's browser to submit state-changing requests without that user's intent. If exploited against an administrator or privileged user, it could lead to complete control over the application, including unauthorized data deletion or modification. The vulnerability's existence and details have been publicly disclosed.

Impact

Exploitation of this vulnerability could allow an attacker to perform actions on behalf of an authenticated user, potentially leading to unauthorized data changes or deletions, especially if the affected user has administrative privileges.

Reproduction

To reproduce this vulnerability, send a request to 'admin/manage-users.php' with the 'uid' parameter set to the user ID of the account to be deleted and the 'action' parameter set to 'del'. This can be done using a crafted HTML form that submits these values, effectively performing a CSRF attack by exploiting the lack of proper request validation.
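The missing control is a per-session anti-CSRF token bound to the delete action. The following PHP is an added defensive example, not code from the advisory or from the PHPGurukul project; the function names, the session key and the switch of the delete action to POST are assumptions made for the illustration.

```php
<?php
// Added defensive example (not PHPGurukul code): per-session anti-CSRF token
// for state-changing admin actions such as the delete action in manage-users.php.
// Function names and the 'csrf_token' session key are assumptions.
session_start();

// Return the session's token, generating it once from a CSPRNG.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; a missing or empty token is rejected.
function csrf_verify(array $request): bool {
    $sent = $request['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Delete form as the admin page would render it (hypothetical helper):
// the uid travels in the POST body together with the token.
function render_delete_form(int $uid): string {
    return '<form method="post" action="manage-users.php?action=del">'
        . csrf_field()
        . '<input type="hidden" name="uid" value="' . $uid . '">'
        . '<button type="submit">Delete</button></form>';
}

// Hypothetical delete handler: require POST and a valid token before acting.
if (($_GET['action'] ?? '') === 'del') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $uid = (int)($_POST['uid'] ?? 0);
    // ... perform the deletion with a prepared statement here ...
}
```

Setting the session cookie with the SameSite attribute is a useful second layer, but the token check is what closes the deletion endpoint to cross-origin form posts.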

Added: Jul 19, 2025, 4:17 PM
Updated: Jul 19, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.