VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2021 · Updated Aug 4, 2024

CVE-2021-38705

Description

ClinicCases 7.3.3 is affected by Cross-Site Request Forgery (CSRF). A successful attack would consist of an authenticated user following a malicious link, resulting in arbitrary actions being carried out with the privilege level of the targeted user. This can be exploited to create a secondary administrator account for the attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ClinicCases 7.3.3 is vulnerable to CSRF, allowing an attacker to trick authenticated users into performing arbitrary actions, including creating admin accounts.

Vulnerability

ClinicCases 7.3.3 is affected by Cross-Site Request Forgery (CSRF). The application does not implement anti-CSRF tokens or other mechanisms to verify the legitimacy of requests, allowing an attacker to craft malicious requests that are executed in the context of an authenticated user [1].

Exploitation

An attacker must trick an authenticated user into following a malicious link (e.g., via email or a compromised page). The linked page issues crafted HTTP requests that ride on the victim's active session to perform actions such as changing settings or creating new user accounts. No additional authentication or privilege is required beyond the victim's existing session.

Impact

Successful exploitation allows the attacker to perform arbitrary actions with the privileges of the targeted user. This includes creating a secondary administrator account, which grants persistent unauthorized access to the application and its data.

Mitigation

No official fix has been released for this vulnerability. The repository has been archived and is read-only as of August 2024, indicating no further updates are expected. Workarounds include implementing CSRF tokens, verifying request origin headers, or using browser extensions that prevent CSRF attacks. Users should consider migrating to an alternative solution if possible.
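As an added illustration of the token-plus-origin workaround described above (not code from ClinicCases; written here in framework-agnostic Python), this guards a hypothetical user-creation handler: a forged cross-site POST that rides on the victim's session is refused, while a same-origin submission carrying the per-session token is accepted. APP_ORIGIN, the handler and the sample requests are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "https://clinic.example"  # assumed deployment origin (constructed)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a random per-session token to embed in every form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers: dict) -> bool:
    """Second line of defence: Origin (or Referer) must match the app's own origin."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # no provenance at all: fail closed
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def csrf_check(method: str, headers: dict, form: dict, session: dict) -> bool:
    """True only if a state-changing request carries a valid token and an allowed origin."""
    if method.upper() not in STATE_CHANGING:
        return True
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    return origin_allowed(headers)


def handle_create_user(method, headers, form, session, users):
    """Hypothetical admin-creation handler; returns an HTTP status code."""
    if not csrf_check(method, headers, form, session):
        return 403
    users.append({"name": form["username"], "role": form.get("role", "user")})
    return 201


if __name__ == "__main__":
    session, users = {"user": "admin"}, []
    token = issue_csrf_token(session)
    # Forged cross-site POST: the session cookie rides along, but no token and a foreign Origin.
    forged = {"username": "attacker", "role": "admin"}
    print(handle_create_user("POST", {"Origin": "https://evil.example"}, forged, session, users))
    # Legitimate submission from the app's own form, carrying the session token.
    legit = {"username": "newclerk", "csrf_token": token}
    print(handle_create_user("POST", {"Origin": APP_ORIGIN}, legit, session, users))
```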

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

0

No linked articles in our index yet.