CVE-2023-40362

MEDIUM

CentralSquare Click2Gov Building Permit - Arbitrary Contractor Deletion via Missing Authorization

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-40362. PoCs published by ally-petitt.

AI-analyzed exploit summary: The repository provides a functional proof-of-concept for CVE-2023-40362, an access control vulnerability in Click2Gov BP. It includes a detailed HTTP POST request that demonstrates how an authenticated user can delete contractors from other users' accounts due to insufficient authorization checks.

Description

An issue was discovered in CentralSquare Click2Gov Building Permit before October 2023. Missing access control checks allow a remote attacker holding a valid authenticated session to delete contractors from any user's account when the target user's ID and the contractor information are known.
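The flaw pattern the description and the PoC summary point at is a server-side action that selects the account to modify from a caller-supplied user ID instead of from the authenticated session. The following is an added illustration, not Click2Gov code and not taken from the PoC repository: a minimal in-memory model of a "delete contractor" action with the vulnerable handler beside a hardened one. Parameter names (userId, contractorId, csrf), user and contractor IDs, and the Session/ContractorStore types are all constructed for the example.

```python
"""Constructed model of a CWE-862 (missing authorization) delete action.

The session and CSRF token are validated in both handlers, mirroring the
prerequisites listed on this page (valid JSESSIONID and OWASP_CSRFTOKEN).
The vulnerable handler then trusts the user ID in the request body; the
fixed handler binds the operation to the session's user and checks that the
contractor actually belongs to that account.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str   # stands in for JSESSIONID (assumption)
    user_id: str      # identity the server established at login
    csrf_token: str   # stands in for OWASP_CSRFTOKEN (assumption)


@dataclass
class ContractorStore:
    # user_id -> set of contractor IDs on that account (constructed sample data)
    accounts: dict[str, set[str]] = field(default_factory=dict)

    def _check_csrf(self, session: Session, form: dict) -> None:
        if form.get("csrf") != session.csrf_token:
            raise PermissionError("bad CSRF token")

    def delete_contractor_vulnerable(self, session: Session, form: dict) -> bool:
        """Vulnerable: the account to edit comes from the request body, so any
        logged-in user can name any other user's ID (hypothetical field names)."""
        self._check_csrf(session, form)
        target_user = form["userId"]            # attacker-controlled
        self.accounts[target_user].discard(form["contractorId"])
        return True

    def delete_contractor_fixed(self, session: Session, form: dict) -> bool:
        """Fixed: ignore any user ID in the body, derive the account from the
        session, and require the contractor to belong to that account."""
        self._check_csrf(session, form)
        owner = session.user_id
        contractor = form["contractorId"]
        if contractor not in self.accounts.get(owner, set()):
            raise PermissionError("contractor not on caller's account")
        self.accounts[owner].discard(contractor)
        return True


def demo() -> dict[str, bool]:
    """Attacker 'u42' (valid session, valid CSRF token) targets victim 'u17'."""
    def fresh() -> ContractorStore:
        return ContractorStore({"u17": {"c9", "c10"}, "u42": {"c1"}})

    attacker = Session("sess-A", "u42", "tok-A")
    victim = Session("sess-V", "u17", "tok-V")
    cross_account_form = {"csrf": "tok-A", "userId": "u17", "contractorId": "c9"}

    vuln = fresh()
    vuln.delete_contractor_vulnerable(attacker, cross_account_form)

    fixed = fresh()
    try:
        fixed.delete_contractor_fixed(attacker, cross_account_form)
        blocked = False
    except PermissionError:
        blocked = True

    # The owner's own legitimate delete must still succeed after the fix.
    fixed.delete_contractor_fixed(victim, {"csrf": "tok-V", "contractorId": "c10"})

    return {
        "vulnerable_deleted_victim_contractor": "c9" not in vuln.accounts["u17"],
        "fixed_blocked_attacker": blocked,
        "fixed_victim_contractor_intact": "c9" in fixed.accounts["u17"],
        "fixed_owner_can_delete_own": "c10" not in fixed.accounts["u17"],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same two-account check is how to verify a fix in a real deployment: log in as two ordinary users and, from each session, submit the delete request naming the other user's ID and contractor; a patched server must reject it regardless of whether the session and CSRF token are valid.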

Exploits (1)

nomisec · WORKING POC · 1 star
by ally-petitt · poc
https://github.com/ally-petitt/CVE-2023-40362


Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Click2Gov Building Permits (BP) versions before October 2023
Auth required: yes
Prerequisites: Valid session (JSESSIONID) · Valid CSRF token (OWASP_CSRFTOKEN) · Authenticated user access
Analyzed by devstral-2 on Feb 18, 2026

References (2)


Scores

CVSS v3: 4.3 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0067 (0.67%)
EPSS Percentile: 47.0%

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-862 (Missing Authorization)
Status: published
Products (1): centralsquare/click2gov_building_permit
Published: Jan 12, 2024
Tracked Since: Feb 18, 2026