# Exploit Title: Employee Leaves Management System 2.0 Cross-Site Request Forgery # Date: 22-01-2020 # Author: Priyanka Samak # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/employee-leaves-management-system-elms/ # Software: Employee Leaves Management System # Version : 2.0 # Tested on Windows 10 # Vulnerability Type: Cross-Site Request Forgery #Cross-site Request Forgery is an attack whereby an attacker tricks a victim into performing actions on their behalf. #*1. Description* #The vulnerability exists due to failure in the "/managedepartments.php" script to properly verify the source of HTTP request. #This Cross-Site Request Forgery (CSRF) allows an attacker to execute arbitrary code by sending a malicious request to a logged-in user. #*2. Proof of Concept:* This example sends HTTP GET crafted request in order to delete the specified department. Click Me!