Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney


Reported on

Jul 6th 2021

✍️ Description

The /<project_id>/delete/<int:bill_id> end point lacks CSRF protection. This could be exploited by attackers to make the admin delete records from database.

🕵️‍♂️ Proof of Concept

For the attack to work, a logged in user should click the link (could be performed with JavaScript).

<a href="<projectname>/delete/<id>">Click here</a>

💥 Impact

This vulnerability is capable of deleting records from the database without the knowledge of user.



2 years ago


Hey Yadhu, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 2 years ago
spiral-project/ihatemoney maintainer marked this as fixed with commit 109d7f 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation