SourceCodester CET Automated Grading System Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0. The application processes state-changing POST requests on the strength of the session cookie alone, with no anti-CSRF token or other check that the request originated from its own pages. A remote attacker can therefore cause an authenticated user's browser to perform actions on that user's behalf.

Impact

An attacker who lures an authenticated user onto a page under the attacker's control can make that user's browser submit forged requests that alter grading data or create subjects the user never intended to create. The attacker does not need the victim's credentials or session identifier; the browser attaches the session cookie to the forged request automatically.

Reproduction

The issue can be reproduced by submitting a POST request to '/index.php?action=manage_subjects' or '/index.php?action=add_grade' from a page on a different origin while the victim is logged in. The server accepts the request because the browser includes the victim's session cookie and the request carries no token the server verifies. An attacker-controlled page containing an auto-submitting form, or a script that issues the same request, is sufficient to trigger the action in the victim's session.

Remediation

To address this vulnerability, bind every state-changing request to the user's session with an unpredictable anti-CSRF token that the server verifies on each POST (using a constant-time comparison), reject requests whose Origin or Referer header does not match the application's own host, set the SameSite attribute (Lax or Strict) together with HttpOnly and Secure on the session cookie, and never perform sensitive actions in response to GET requests. The header and cookie checks are defence in depth; the per-session token verified on the server is the primary control.
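The following is an added example written for this entry, not code from the CET Automated Grading System. It places the vulnerable pattern the advisory describes (a handler that acts on any authenticated POST) beside a hardened handler that implements the remediation above: a per-session token, constant-time verification, an Origin/Referer host check and SameSite/HttpOnly/Secure session cookie attributes. The form field name 'subject_name', the constant APP_HOST and the handler function names are assumptions for illustration; only the 'action' parameter values come from the advisory.

```php
<?php
// Added example, not the application's own code. Field names, APP_HOST and
// the handler names are hypothetical; 'manage_subjects' and 'add_grade'
// are the action values named in the advisory.
declare(strict_types=1);

// Assumed deployment hostname; compare Origin/Referer against this, not
// against the attacker-influenced Host header.
const APP_HOST = 'grading.example.edu';

// Harden the session cookie before the session starts. SameSite=Strict stops
// the browser attaching the cookie to any cross-site request, so the forged
// POST arrives unauthenticated. Requires PHP >= 7.3 for the 'samesite' key.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,     // only over HTTPS
    'samesite' => 'Strict',
]);
session_start();

// ---- Vulnerable pattern (what the advisory describes) ----------------------
// Any POST carrying a valid session cookie is processed. A page on another
// origin can make the victim's browser send exactly this request.
function manage_subjects_vulnerable(array $post): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return;
    }
    // ... insert $post['subject_name'] into the subjects table ...
}

// ---- Hardened pattern -------------------------------------------------------
function csrf_token(): string
{
    // One 32-byte random token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input to embed in every state-changing <form>.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function same_origin(array $server): bool
{
    // Prefer Origin, fall back to Referer. A missing header is rejected here;
    // this is defence in depth behind the token check, not a replacement.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if (!is_string($source)) {
        return false;
    }
    return parse_url($source, PHP_URL_HOST) === APP_HOST;
}

function require_valid_csrf(array $post, array $server): void
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit;
    }
    $sent = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    if (!same_origin($server)) {
        http_response_code(403);
        exit('Cross-origin request rejected');
    }
}

function manage_subjects_hardened(array $post, array $server): void
{
    require_valid_csrf($post, $server);
    // ... now safe to insert $post['subject_name'] into the subjects table ...
}

function add_grade_hardened(array $post, array $server): void
{
    require_valid_csrf($post, $server);
    // ... now safe to update the grade record ...
}

// Dispatch on the same 'action' query parameter the advisory names.
switch ($_GET['action'] ?? '') {
    case 'manage_subjects':
        manage_subjects_hardened($_POST, $_SERVER);
        break;
    case 'add_grade':
        add_grade_hardened($_POST, $_SERVER);
        break;
}
```

Every form that targets these actions must include the output of csrf_field(); a POST that arrives without a matching token is rejected before any database write, regardless of whether the session cookie was sent.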

Added: May 26, 2026, 9:34 PM
Updated: May 26, 2026, 9:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.5
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.