# Exploit Title: Stock Management System v1.0 - Cross-Site Request Forgery (Change Username) # Exploit Author: Bobby Cooke # Date: 2020-08-01 # Vendor Homepage: https://www.sourcecodester.com/php/14366/stock-management-system-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip # Version: 1.0 # CWE-352: Cross-Site Request Forgery (CSRF) # CVSS Base Score: 5.9 | Impact Subscore: 4.2 | Exploitability Subscore: 1.6 # CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H # Tested On: Windows 10 Pro + XAMPP | Python 2.7 # Vulnerability Description: # Cross-Site Request Forgery (CSRF) vulnerability in 'changeUsername.php' webpage of SourceCodesters # Stock Management System v1.0 allows remote attackers to deny future logins via changing the # authenticated victims username when they visit a third-party site.