Thirukrishnan / CVE-2023-33409


CVE-2023-33409

Minical 1.0.0 is vulnerable to Cross-Site Request Forgery.

Vendor: https://github.com/minical/minical

Demo Application: https://demo.minical.io/


PoC

The application has no CSRF protection (no anti-CSRF token and no origin check on state-changing requests), so a specially crafted HTTP request served from an attacker-controlled page is executed with the logged-in victim's session and can be used to:

  • Add New User
  • Delete Existing User
  • Edit the existing User’s Email Address and other sensitive information.

The payloads for the different actions can be generated with Burp Suite's "Generate CSRF PoC" feature.
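As an added, defender-side illustration (this is not Minical's code and not part of the original advisory): a generic Python version of the two controls whose absence makes the above possible, a same-origin check on the `Origin`/`Referer` header and a per-session synchronizer token. The trusted origin, the handler names and the sample requests are assumptions constructed for this example; the "unprotected" handler models the pattern the advisory describes, accepting any request that arrives with the victim's session cookie.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the application is served from this single origin.
TRUSTED_ORIGIN = "https://demo.minical.io"

# Methods that must never change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Create a synchronizer token, store it in the server-side session and
    return it so the server can embed it in the user-management forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers):
    """Reduce Origin (or, failing that, Referer) to scheme://host[:port]."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def csrf_check(method, headers, form, session):
    """Return (allowed, reason). Both controls must pass for a state-changing
    request: the origin check and the synchronizer token comparison."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(headers)
    if origin is None:
        return False, "missing Origin/Referer"
    if origin != TRUSTED_ORIGIN:
        return False, f"cross-origin request from {origin}"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def unprotected_handler(method, headers, form, session):
    """The vulnerable pattern: trusts the session cookie alone, so the cookie
    the browser attaches to a forged cross-site request is enough."""
    return "session" in session


def protected_handler(method, headers, form, session):
    """The hardened pattern: the same handler gated by csrf_check."""
    allowed, _reason = csrf_check(method, headers, form, session)
    return allowed


def demo():
    """Run one legitimate and one forged 'add user' POST through both
    handlers. The session and both requests are constructed for this example."""
    session = {"session": "victim-session-id"}
    token = issue_csrf_token(session)
    legit = ("POST", {"Origin": TRUSTED_ORIGIN},
             {"email": "new.user@example.invalid", "csrf_token": token}, session)
    forged = ("POST", {"Origin": "https://attacker.invalid"},
              {"email": "new.user@example.invalid"}, session)
    return {
        "unprotected_legit": unprotected_handler(*legit),
        "unprotected_forged": unprotected_handler(*forged),
        "protected_legit": protected_handler(*legit),
        "protected_forged": protected_handler(*forged),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Running the block shows the unprotected handler accepting both requests and the protected one rejecting only the forged request. The origin check alone is not sufficient in practice (some clients omit the headers), which is why the token is checked as well rather than instead.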

Example:

Add New User:

[Screenshot of the "Add New User" CSRF PoC not included in this copy of the page]
