CVE-2020-25950
Description
CSRF in Advanced Webhost Billing System 3.7.0 allows an attacker to delete a victim's contacts without proper token validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Advanced Webhost Billing System version 3.7.0 is affected by a Cross-Site Request Forgery (CSRF) vulnerability on the My Additional Contact page. The application does not properly validate anti-CSRF tokens when processing delete contact requests, allowing unauthorized actions to be executed in the context of an authenticated user. The vulnerability is present in all installations of version 3.7.0.
Exploitation
An attacker must first create a crafted HTML page containing a CSRF payload that targets the delete contact action. The attacker then needs to trick an authenticated victim into visiting this crafted page, for example via social engineering or by embedding it in a malicious link. When the victim, while logged into the application, opens the crafted page, a script automatically sends a request to delete one of the victim's contacts. The request uses the victim's active session and accepts a blank token value, which the server treats as valid due to missing token validation. The attacker does not need to know the victim's credentials but must ensure the victim has at least one contact in their list to be deleted.
Impact
A successful attack results in the unauthorized deletion of a contact from the victim's My Additional Contact page. This is a low-severity integrity impact, as the attacker cannot modify other data or gain access to sensitive information. The deletion is irreversible through this attack alone, though the victim may manually re-add the contact.
Mitigation
No fixed version has been disclosed in the available references. Users should upgrade to a patched version once the vendor releases one. As a workaround, add CSRF protection that requires a valid, non-blank token on every state-changing request and rejects the request when the token is missing or does not match. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]
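As an added illustration of the mitigation (example code written for this page, not AWBS source or anything from the advisory), the sketch below places the flawed "compare only if a token was sent" pattern, which lets a blank token through as the description states, beside a strict check that requires a present, non-empty, constant-time-equal token and a matching Origin when one is sent. `Session`, `SITE` and the request dictionaries are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE = "https://billing.example"  # constructed origin of the billing application


@dataclass
class Session:
    """Constructed stand-in for an authenticated user's server-side session."""
    user: str
    contacts: list
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def weak_delete_contact(session: Session, form: dict, origin: Optional[str] = None) -> bool:
    """Flawed pattern (illustrative): the token is compared only when one is
    supplied, so an empty token is silently accepted. Origin is ignored."""
    token = form.get("token", "")
    if token and token != session.csrf_token:
        return False
    if form.get("contact") in session.contacts:
        session.contacts.remove(form["contact"])
        return True
    return False


def strict_delete_contact(session: Session, form: dict, origin: Optional[str] = None) -> bool:
    """Hardened check: token must be present, non-empty and equal to the session
    token (constant-time compare); a present Origin header must match the site."""
    token = form.get("token")
    if not isinstance(token, str) or not token:
        return False
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    if origin is not None and origin != SITE:
        return False
    if form.get("contact") not in session.contacts:
        return False
    session.contacts.remove(form["contact"])
    return True


def demo() -> dict:
    """Replay a forged cross-site POST (blank token) and a genuine same-site POST
    against both checks; returns which deletions each check allowed."""
    outcome = {}
    for name, check in (("weak", weak_delete_contact), ("strict", strict_delete_contact)):
        s = Session(user="victim", contacts=["alice@example.com", "bob@example.com"])
        forged = {"contact": "alice@example.com", "token": ""}  # what a CSRF page would post
        genuine = {"contact": "bob@example.com", "token": s.csrf_token}
        outcome[name] = {
            "forged_deleted": check(s, forged, origin="https://attacker.example"),
            "genuine_deleted": check(s, genuine, origin=SITE),
        }
    return outcome


if __name__ == "__main__":
    print(demo())
```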
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Advanced Webhost Billing System / Advanced Webhost Billing System
- Range: = 3.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. www.exploit-db.com/exploits/49369 (x_refsource_MISC)
News mentions
No linked articles in our index yet.