CVE-2023-33409

MEDIUM

minical 1.0.0 - Cross-Site Request Forgery via Company Settings Controller


Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-33409. PoCs published by Thirukrishnan.

AI-analyzed exploit summary: This repository provides a writeup and proof-of-concept for CVE-2023-33409, a CSRF vulnerability in Minical 1.0.0. It describes how the lack of CSRF protection allows attackers to perform actions such as adding, deleting, or editing users via crafted HTTP requests.

Description

Minical 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) via minical/public/application/controllers/settings/company.php.

Exploits (1)

nomisec WRITEUP
by Thirukrishnan · poc
https://github.com/Thirukrishnan/CVE-2023-33409


Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Minical 1.0.0
No auth needed
Prerequisites: Victim must be authenticated and tricked into visiting a malicious page
devstral-2 · analyzed Feb 16, 2026

References (2)

Exploit, Third Party Advisory
https://github.com/Thirukrishnan/CVE-2023-33409

Scores

CVSS v3 6.5
EPSS 0.0039
EPSS Percentile 31.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
minical/minical 1.0.0
Published Jun 05, 2023
Tracked Since Feb 18, 2026