Cross-Site Request Forgery Vulnerability in FrontAccounting by the Vendor
CVE-2018-7176

8.8HIGH

Key Information:

Vendor: Frontaccounting
Status: Frontaccounting
Vendor: CVE Published:; 16 February 2018

🔔 Create Frontaccounting Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2018-7176?

FrontAccounting version 2.4.3 contains a vulnerability that allows attackers to exploit a Cross-Site Request Forgery (CSRF) flaw. This vulnerability is found in the admin/users.php add user feature, enabling unauthorized users to create new accounts on the platform without proper authentication. By tricking an authenticated administrator into executing a request, attackers can gain unauthorized access and manipulate user permissions, potentially compromising the integrity of the system.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-7176 - Proof of Concept

References

https://www.exploit-db.com/exploits/44137/

exploitx_refsource_EXPLOIT-DB

https://securitywarrior9.blogspot.in/2018/02/cross-site-r...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 16, 2018
👾
Exploit known to exist
Feb 16, 2018
Vulnerability published
Feb 16, 2018
Vulnerability Reserved
Feb 15, 2018

CVE-2018-7176 Data

JSON