Impact
The flaw allows an attacker to forge a state‑changing request that is accepted by CodeAstro Human Resource Management System, enabling the execution of privileged operations on behalf of an authenticated user. In the publicly‑available proof‑of‑concept, the exploit targets a department‑deletion endpoint, resulting in loss of data integrity and potential disruption of business processes. The weakness is identified as CWE‑352 and further compounded by an insufficient authentication check (CWE‑862).
Affected Systems
CodeAstro Human Resource Management System version 1.0 is the affected product. Although the specific function is undocumented, external evidence points to an endpoint used for department deletion that does not enforce adequate CSRF protection.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. No EPSS value is available, so the exact likelihood of exploitation is unclear, but the fact that the exploit code has been released publicly makes the risk non‑negligible. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to launch the flaw by luring an authenticated user to a malicious site or link that submits a GET or POST request to the vulnerable endpoint; successful exploitation would allow deletion of organizational data without the user’s intent.
OpenCVE Enrichment