Cross-Site Request Forgery (CSRF) in francoisjacquet/rosariosis


Reported on Dec 11th 2021


An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

  <!-- action="" is the target's logout URL in the submitted PoC (left as reported); the form is GET, matching the logout link -->
  <script>history.pushState('', '', '/')</script>
    <form action="" method="GET">
      <input type="submit" value="Submit request" />
    </form>


This vulnerability allows an attacker to force users to log out unintentionally.

More details

One way a GET logout can be abused: a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, they will be logged out without knowing it. This is why logout should be a POST request protected by a CSRF token.


While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF issue.
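The following is an added example, not RosarioSIS code, showing the logout pattern the report describes beside a hardened version that only ends the session on a POST carrying a per-session CSRF token. The path /logout.php, the field name csrf_token and the session key are assumptions for illustration.

```php
<?php
declare(strict_types=1);
session_start();

// BEFORE (the pattern the report describes): any GET to the logout URL ends
// the session, so an <img src="/logout.php?logout=1"> on a third-party page
// logs the visitor out. Shown as a comment only:
//   if (isset($_GET['logout'])) { session_destroy(); }

// Per-session CSRF token, generated once and embedded in every logout form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A logout is accepted only as a POST whose token matches the session's.
// hash_equals() compares in constant time, so the check leaks no timing.
function logout_request_is_valid(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $sent     = $post['csrf_token'] ?? null;
    $expected = $session['csrf_token'] ?? null;
    return is_string($sent) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!logout_request_is_valid('POST', $_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid logout request');
    }
    $_SESSION = [];
    session_destroy();
    header('Location: /', true, 303);
    exit;
}

// A GET now only renders the logout form; it never ends the session.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/logout.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<button type="submit">Log out</button></form>';
```

Switching to POST alone would not be enough, since the auto-submitting form in the proof of concept can send a cross-site POST just as easily; it is the token check that ties the request to the victim's own session.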

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a year ago


Hi @admin,

It's been 2 days and I do not see the notification that you contacted the maintainer team and are waiting to hear back, as in the normal process.

Jamie Slome
a year ago


@khanhchauminh - we are still waiting for the maintainers to create a with a contactable e-mail at this stage.

Once they have done this, we will be able to send them further details.

KhanhCM modified the report
a year ago
François Jacquet validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 9.0 with commit a67623 a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L16-L32 has been validated