Cross Site Request Forgery in Admin area leads to deletion of repositories and users in ikus060/rdiffweb
Sep 16th 2022
The server accepts GET requests for deleting repositories and users, so an authenticated admin can be made to delete them through a cross-site request forgery (CSRF) attack.
Proof of Concept
Open the URL below after logging in to the admin account on the demo site.
For deleting a repository: replace "replace-here" with a repository name
For deleting a user
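As an added illustration, not rdiffweb's own code, here is the handler shape the advisory describes (a delete action reachable by GET) beside a hardened form that rejects anything but POST and requires a session-bound synchronizer token. The `Request` class, the store and the session ids are constructed stand-ins.

```python
import hashlib
import hmac
import secrets


class Request:
    """Constructed stand-in for a framework request object (hypothetical)."""

    def __init__(self, method, params, session):
        self.method = method      # "GET", "POST", ...
        self.params = params      # query/form parameters as a dict
        self.session = session    # server-side session, must contain "id"


def admin_delete_vulnerable(store, req):
    """Mirrors the reported weakness: the resource named in the parameters is
    removed no matter which HTTP method carried the request, so a link or image
    tag on a third-party page can trigger it with the admin's cookies."""
    store.discard(req.params["name"])
    return 200


# Per-process secret used to derive tokens; a real deployment keeps it in config.
_TOKEN_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the session with an HMAC; embedded in the admin form."""
    return hmac.new(_TOKEN_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def admin_delete_hardened(store, req):
    """State-changing action: POST only, and the token must match the session."""
    if req.method != "POST":
        return 405  # GET from a cross-site link no longer does anything
    expected = csrf_token(req.session["id"])
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return 403  # a forged cross-site POST cannot supply the token
    store.discard(req.params["name"])
    return 200
```

The same check applies to user deletion; `store` is whatever collection (repositories or users) the admin action operates on.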