# Exploit Title: Warehouse Inventory System - Cross-Site Request Forgery (CSRF) - Change Admin Password
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: August 9th, 2020
# Vendor Homepage: https://oswapp.com
# Software Link: https://github.com/siamon123/warehouse-inventory-system/archive/master.zip
# Version: 1.0
# Tested On: Windows 10 Pro + XAMPP | Python 2.7
# CWE-352: Cross-Site Request Forgery (CSRF)
# CVSS Base Score: 7.5
# Impact Subscore: 5.9
# Exploitability Subscore: 1.6
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in the 'edit_user.php' page of OSWAPP's
# Warehouse Inventory System v1.0 allows remote attackers to change the admin's password
# by luring an authenticated admin to a third-party site that submits a forged request
# to 'edit_user.php'; the application accepts the state-changing request because it carries
# the admin's session cookie and no per-request anti-CSRF token is required.
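# Mitigation sketch (added example, not code from the Warehouse Inventory System project):
# the synchronizer-token pattern that would stop the forged request described above. A
# stand-in for a state-changing handler such as edit_user.php issues one random token per
# session, embeds it in the form, and rejects any POST whose token does not match. The form
# field names ('csrf_token', 'password') and the hypothetical edit handler are assumptions,
# not the application's real parameters; only the PHP built-ins used are real.

```php
<?php
// Added example; not the project's code. Demonstrates a CSRF defence for a PHP handler.
// Field names below ('csrf_token', 'password') are assumed, not the app's real ones.

// SameSite=Lax keeps the session cookie off cross-site POSTs in modern browsers;
// defence in depth alongside the token check (PHP >= 7.3 for the 'samesite' key).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue one unguessable token per session; call this when rendering the edit form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token to the session-bound one in constant time.
// A third-party page cannot read the victim's session value, so a forged
// request either omits the field or sends a wrong value and fails here.
function csrf_valid(?string $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Secondary check: a cross-site form POST carries an Origin (or Referer)
// naming the attacker's host. A missing header is tolerated because some
// privacy settings strip Referer; the token check remains the primary control.
function same_origin(string $expected_host): bool
{
    $hdr = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? null;
    if ($hdr === null) {
        return true;
    }
    $host = (string) parse_url($hdr, PHP_URL_HOST);
    return strcasecmp($host, $expected_host) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null) || !same_origin($_SERVER['HTTP_HOST'])) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Only past this point may the handler update the authenticated admin's password.
}
?>
<!-- Legitimate submissions carry the token; a forged cross-site form cannot. -->
<form method="post" action="edit_user.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="password" name="password">
  <button type="submit">Update</button>
</form>
```

# Note that the token check, not the Origin/Referer check, is the control to rely on:
# the header check only narrows the window and is skipped when the header is absent.
# Re-authentication (asking for the current password) on password-change forms is a
# further independent safeguard that also defeats this class of attack.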