# Exploit Title: Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)
# Date: 18-10-2021
# Exploit Author: Aniket Anil Deshmane
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Version: 1
# Tested on: Windows 10, XAMPP

Detail:
The application does not use any anti-CSRF token (or other origin check) on its "Add New user" request. Therefore an attacker who lures a logged-in administrator into loading a crafted page can submit a forged POST request in that administrator's session and add a new administrator account without the victim's knowledge.

CSRF POC:-
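Added example, not taken from the original advisory and not the vendor's code: a minimal PHP illustration of the synchronizer-token check that the application is missing, written in the same language as the affected project. The endpoint name (`add_user.php`) and the form field names are assumptions for illustration only; the session cookie is additionally marked `SameSite=Lax` as a second layer.

```php
<?php
// Added example (not from the advisory or the vendor's code):
// synchronizer-token CSRF protection for a privileged "add user" form.
// Endpoint and field names below are assumptions for illustration.

// Second layer: a SameSite session cookie is not sent on cross-site POSTs
// by modern browsers (PHP >= 7.3 for the array form of this call).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Issue one per-session token and reuse it, so multiple open tabs keep working.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit CSPRNG value
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrf_check(?string $submitted): bool {
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Vulnerable pattern (what the advisory describes): the handler accepts
    // any POST carrying the user fields and creates the account at once.
    // Hardened: refuse the request unless the token matches.
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... only now perform the privileged action (insert the new user) ...
    echo 'User created';
    exit;
}
?>
<form method="post" action="add_user.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input name="username" placeholder="username">
  <input name="password" type="password" placeholder="password">
  <button type="submit">Add user</button>
</form>
```

The token must be unpredictable to the attacker and bound to the victim's session; a page on another origin cannot read it, so the forged request fails the `csrf_check` and returns 403 instead of creating the account.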