Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney

Valid

Reported on

Jul 6th 2021


✍️ Description

The /<project_id>/delete/<int:bill_id> end point lacks CSRF protection. This could be exploited by attackers to make the admin delete records from database.

🕵️‍♂️ Proof of Concept

For the attack to work, a logged in user should click the link (could be performed with JavaScript).

<html>
<body>
<a href="https://ihatemoney.org/<projectname>/delete/<id>">Click here</a>
</body>
</html>

💥 Impact

This vulnerability is capable of deleting records from the database without the knowledge of user.

Occurrences

References

Z-Old
2 years ago

Admin


Hey Yadhu, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 2 years ago
spiral-project/ihatemoney maintainer marked this as fixed with commit 109d7f 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation