SourceCodester Medicine Tracker System Password Change cross-site request forgery
Description
A vulnerability was found in SourceCodester Medicine Tracker System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /classes/Users.php?f=save_user of the component Password Change Handler. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-272806 is the identifier assigned to this vulnerability.
Affected products
- Medicine Tracker System (no CPE assigned), range: = 1.0
- Medicine Tracker System (no CPE assigned), range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protection and lack of original-password verification in the password change handler allows an attacker to forge a password-change request on behalf of an authenticated administrator."
Attack vector
An attacker crafts a malicious HTML form that submits a POST request to `/php-mts/classes/Users.php?f=save_user` with parameters including `id=1`, `username=admin`, and a new `password` value [ref_id=1]. The attacker then tricks an authenticated administrator into visiting a page containing this form (e.g., via social engineering or embedding in a trusted site). Because the endpoint does not verify the original password or include a CSRF token, the administrator's browser automatically submits the request with the victim's session cookies, changing the admin password without the administrator's consent [ref_id=1].
Affected code
The vulnerability is in `/php-mts/classes/Users.php?f=save_user` of the Medicine Tracker System 1.0 [ref_id=1]. This endpoint handles password changes for the administrator account.
What the fix does
The advisory states that the password change handler does not verify the original password or include a random verification code (CSRF token), which allows cross-site request forgery [ref_id=1]. To remediate, the application should implement CSRF protection — such as a unique, per-session token validated on every state-changing request — and should require the current password before allowing a password change. No patch has been published by the vendor as of the advisory date.
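A hardened version of the handler, added here as an example and not the project's own code: it pairs a per-session CSRF token with a current-password check, the two controls named above. The session key `login_id`, the `users` table layout and the `$pdo` handle are assumptions.

```php
<?php
// Added example, not the Medicine Tracker System's own code. Assumptions:
// a session-based login storing the user id in $_SESSION['login_id'],
// a `users` table with a password_hash() column, and a PDO handle in $pdo.
declare(strict_types=1);
// Defence in depth: a Lax SameSite session cookie is not sent on cross-site POSTs.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Per-session CSRF token; the password form embeds it as a hidden input.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function csrf_check(array $post): bool {
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Hardened replacement for the `f=save_user` action.
function save_user(PDO $pdo, array $post): array {
    // 1. A forged cross-site request carries the cookie but not the token.
    if (!csrf_check($post)) {
        return ['status' => 'failed', 'msg' => 'Invalid or missing CSRF token.'];
    }
    // 2. Act on the logged-in user only; ignore any `id` parameter in the form.
    $uid = $_SESSION['login_id'] ?? null;
    if ($uid === null) {
        return ['status' => 'failed', 'msg' => 'Not authenticated.'];
    }
    // 3. Require the current password before accepting a new one.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    $hash = $stmt->fetchColumn();
    $current = (string)($post['current_password'] ?? '');
    if ($hash === false || !password_verify($current, $hash)) {
        return ['status' => 'failed', 'msg' => 'Current password is incorrect.'];
    }
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
    $stmt->execute([password_hash((string)($post['password'] ?? ''), PASSWORD_DEFAULT), $uid]);
    // Rotate the token after the state change so it cannot be replayed.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return ['status' => 'success', 'msg' => 'Password updated.'];
}
```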
Preconditions
- auth: The administrator must be logged into Medicine Tracker System and have an active session.
- input: The attacker must trick the administrator into visiting a page containing the crafted CSRF form (e.g., via phishing or embedding in another site).
- network: The target application must be accessible at the URL used in the CSRF form (default: http://localhost/php-mts/).
Reproduction
1. Log in to Medicine Tracker System as an administrator.
2. Create an HTML file containing the CSRF PoC form from the advisory [ref_id=1]:
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Xu-Mingming/cve/blob/main/CSRF2.md (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry)
News mentions
No linked articles in our index yet.