Cross Site Request Forgery in Admin area leads to deletion of repositories and users in ikus060/rdiffweb


Reported on

Sep 16th 2022


The server accepts a plain GET request to delete repositories and users. Because the browser attaches the admin's session cookie to any request, a page controlled by an attacker can trigger these deletions without the admin's intent (CSRF).

Proof of Concept

Open the URLs below after logging in to the admin account on the demo site.
For deleting a repository: replace "replace-here" with a repository name
For deleting a user
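To make the mechanism concrete, the following is an added example and not rdiffweb's own code: a minimal admin "delete" endpoint in the CSRF-able shape the report describes (a state change on GET, authenticated only by the session cookie) next to a hardened form that accepts POST only and checks a per-session CSRF token. The paths (`/admin/<kind>/delete`), the `name` and `csrf_token` parameters, the in-memory session store and the sample repository and user names are all hypothetical.

```python
# Added example, not rdiffweb's own code. Paths, parameter names, the session
# store and the sample data are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)   # URL parameters
    form: dict = field(default_factory=dict)    # POST body fields
    session_id: Optional[str] = None            # session cookie; the browser
                                                # attaches it to cross-site
                                                # requests as well


class AdminApp:
    def __init__(self):
        self.secret = secrets.token_bytes(32)      # server-side HMAC key
        self.sessions = {}                         # session_id -> username
        self.repos = {"backup-alice", "backup-bob"}
        self.users = {"admin", "alice", "bob"}

    def login(self, username):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def csrf_token(self, session_id):
        # Token bound to the session; a cross-site page cannot read it.
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def _target(self, kind):
        return {"repos": self.repos, "users": self.users}[kind]

    def vulnerable_delete(self, req):
        """GET /admin/<kind>/delete?name=<x>: only the session cookie is checked."""
        if req.session_id not in self.sessions:
            return 401
        kind = req.path.split("/")[2]
        name = req.query.get("name")
        if name not in self._target(kind):
            return 404
        self._target(kind).discard(name)
        return 200

    def hardened_delete(self, req):
        """POST /admin/<kind>/delete with a csrf_token form field."""
        if req.method != "POST":
            return 405                              # no state change on GET
        if req.session_id not in self.sessions:
            return 401
        expected = self.csrf_token(req.session_id)
        if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
            return 403                              # missing or forged token
        kind = req.path.split("/")[2]
        name = req.form.get("name")
        if name not in self._target(kind):
            return 404
        self._target(kind).discard(name)
        return 200


def forged_get(victim_sid, kind, name):
    """What the victim's browser sends when an attacker's page embeds
    <img src="https://rdiffweb.example/admin/<kind>/delete?name=<name>">:
    a GET carrying the victim's cookie and nothing the attacker had to forge."""
    return Request("GET", f"/admin/{kind}/delete", query={"name": name}, session_id=victim_sid)


def run_scenario():
    app = AdminApp()
    admin_sid = app.login("admin")
    results = {}
    # 1. Vulnerable endpoint: the forged cross-site GET deletes the repository.
    results["vuln_get"] = app.vulnerable_delete(forged_get(admin_sid, "repos", "backup-alice"))
    results["repo_gone"] = "backup-alice" not in app.repos
    # 2. Hardened endpoint rejects the same GET outright.
    results["hard_get"] = app.hardened_delete(forged_get(admin_sid, "users", "alice"))
    # 3. A forged POST (an auto-submitting cross-site form) still lacks the token.
    forged_post = Request("POST", "/admin/users/delete", form={"name": "alice"}, session_id=admin_sid)
    results["hard_post_no_token"] = app.hardened_delete(forged_post)
    results["user_kept"] = "alice" in app.users
    # 4. The real admin UI, which rendered the token into its form, succeeds.
    good = Request("POST", "/admin/users/delete",
                   form={"name": "alice", "csrf_token": app.csrf_token(admin_sid)},
                   session_id=admin_sid)
    results["hard_post_with_token"] = app.hardened_delete(good)
    results["user_gone"] = "alice" not in app.users
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the script walks through the four cases: the cross-site GET succeeds against the vulnerable handler, the hardened handler refuses GET, refuses a POST without the token, and accepts only the POST that carries the token rendered into the legitimate admin form. Binding the token to the session via HMAC keeps the check stateless on the server; a per-request nonce stored in the session works equally well.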


Deletion of repositories and users
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours.
7 days ago

Ambadi MP modified the report
7 days ago

Ambadi MP modified the report
7 days ago

Patrik Dufresne validated this vulnerability
7 days ago

I confirm the vulnerability.

Ambadi MP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
7 days ago


@admin could we get a CVE for this report. Thanks

Jamie Slome
7 days ago


Sorted :)

Patrik Dufresne confirmed that a fix has been merged on 422791
7 days ago

Patrik Dufresne has been awarded the fix bounty
The fix has been validated