Mindskip xzs-mysql 学之思开源考试系统 cross-site request forgery
Description
Mindskip xzs-mysql 3.9.0 lacks CSRF protection on multiple endpoints, allowing attackers to perform unauthorized actions via crafted requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mindskip xzs-mysql (学之思开源考试系统) version 3.9.0 is vulnerable to cross-site request forgery (CSRF) due to the absence of CSRF tokens or other anti-forgery mechanisms on multiple endpoints, including /api/student/exampaper/answer/answerSubmit [1]. This affects all authenticated users.
Exploitation
An attacker can craft a malicious HTML page that sends a POST request to the vulnerable endpoint using the victim's authenticated session (via credentials: 'include'). The victim need only visit the crafted page while logged into the application; no further interaction is required [1].
Impact
Successful exploitation enables unauthorized state modifications, such as submitting exam answers, modifying data, or updating user profiles. This compromises data integrity and can lead to user impersonation [1].
Mitigation
The vendor was contacted but did not respond. As of the publication date (2025-02-06), no patch or workaround is available. Users should implement generic CSRF protections, such as anti-CSRF tokens or same-site cookie attributes, until an official fix is released.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mindskip/xzs-mysql 学之思开源考试系统 (affected version range: 3.9.0)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application lacks anti-CSRF tokens on state-changing endpoints, allowing an attacker to forge authenticated requests."
Attack vector
An attacker crafts a malicious HTML page that sends a cross-origin POST request to an authenticated endpoint (e.g., `/api/student/exampaper/answer/answerSubmit`) [ref_id=1]. Because the application does not validate a CSRF token, the victim's browser automatically includes the session cookie (`credentials: "include"`), and the server processes the forged request as legitimate [ref_id=1]. The attack is launched remotely by tricking an authenticated user into visiting the attacker's page [ref_id=1].
Affected code
Multiple endpoints lack CSRF protection, including but not limited to `/api/student/exampaper/answer/answerSubmit` [ref_id=1]. The advisory does not specify the exact server-side handler files, but the entire application is described as lacking CSRF tokens throughout [ref_id=1].
What the fix does
No patch has been published by the vendor [ref_id=1]. The advisory recommends implementing anti-CSRF tokens (e.g., synchronizer token patterns or SameSite cookies) on all state-modifying endpoints to ensure that requests originate from the application's own UI rather than from an external site [ref_id=1].
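One shape such a server-side guard can take, as an added Python example that is not part of the advisory or of the xzs-mysql code base: every state-changing request must carry a token bound to the caller's session (synchronizer token pattern), and a foreign Origin/Referer is rejected outright. The host http://localhost:8000 is the advisory's example host; the `X-CSRF-Token` header name, the `Session`/`Request` types and the sample answer body are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Deployment origin is an assumption taken from the advisory's example host.
APP_ORIGIN = "http://localhost:8000"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
ANSWER_SUBMIT = "/api/student/exampaper/answer/answerSubmit"

@dataclass
class Session:  # server-side session; the CSRF token is bound to it
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    session: Optional[Session]  # resolved from the cookie the browser attached
    body: Optional[dict] = None

def csrf_check(req: Request) -> Tuple[bool, str]:
    """Synchronizer token plus Origin check for state-changing requests."""
    if req.method not in STATE_CHANGING:
        return True, "safe method"
    if req.session is None:
        return False, "unauthenticated"
    # Browsers attach Origin to cross-site POSTs; a mismatch means the app's UI did not send it.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is not None:
        o = urlsplit(src)
        if f"{o.scheme}://{o.netloc}" != APP_ORIGIN:
            return False, f"cross-origin request from {o.scheme}://{o.netloc}"
    # Same-origin policy keeps the token readable only by pages served from APP_ORIGIN.
    supplied = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Constructed requests: a forged cross-site answerSubmit and a legitimate one."""
    victim = Session(user="student1")
    body = {"id": 1, "doTime": 30, "answerItems": []}  # constructed sample body
    forged = Request("POST", ANSWER_SUBMIT, {"Origin": "http://attacker.example"}, victim, body)
    legit = Request("POST", ANSWER_SUBMIT,
                    {"Origin": APP_ORIGIN, "X-CSRF-Token": victim.csrf_token}, victim, body)
    return csrf_check(forged), csrf_check(legit)
```

Pairing this check with `SameSite=Lax` (or `Strict`) on the session cookie, as the advisory also suggests, stops most browsers from attaching the cookie to the cross-site POST in the first place.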
Preconditions
- Authentication: the victim must be authenticated in the xzs-mysql application (active session cookie)
- Input: the attacker must trick the victim into visiting a malicious HTML page while the session is active
- Network: the target application must be reachable from the victim's browser (e.g., http://localhost:8000)
Reproduction
1. Ensure the victim is authenticated in the Mindskip xzs application (e.g., logged into http://localhost:8000).
2. Craft a malicious HTML page containing a fetch POST to `http://localhost:8000/api/student/exampaper/answer/answerSubmit` with `credentials: "include"` and a JSON body containing exam answer data (questionId, doTime, answerItems, id).
3. Trick the victim into opening the malicious page.
4. The request is sent under the victim's session, submitting exam answers without their consent [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/cydtseng/Vulnerability-Research/blob/main/xzs-mysql/CrossSiteRequestForgery-Multiple.md (mitre, exploit)
- vuldb.com (mitre, third-party-advisory)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry)
News mentions
No linked articles in our index yet.