Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney

Reported on Jul 6th 2021

✍️ Description

The /<project_id>/delete/<int:bill_id> endpoint lacks CSRF protection. An attacker could exploit this to make the admin delete records from the database.

🕵️‍♂️ Proof of Concept

For the attack to work, a logged-in user has to click the link (the request could also be triggered with JavaScript).

<a href="<projectname>/delete/<id>">Click here</a>

💥 Impact

This vulnerability allows records to be deleted from the database without the user's knowledge.
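To make the reported weakness and its fix concrete, the following added example (not ihatemoney's code) models the delete route twice: once as reported, deleting on any request from a logged-in user, and once hardened to require a POST that carries a per-session CSRF token. The Request dataclass, the session dict and the in-memory bill table are constructed stand-ins for the Flask objects; the forged requests replay the report's <a href> link and a cross-site POST that can only guess the token.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:  # stand-in for a Flask request (constructed for this example)
    method: str
    path: str                      # e.g. "/myproject/delete/7"
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

def issue_csrf_token(session):
    """Mint one secret token per session; the delete form must echo it back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_valid(request):
    """Constant-time match of the submitted token against the session copy."""
    expected, submitted = request.session.get("csrf_token"), request.form.get("csrf_token")
    return bool(expected and submitted) and hmac.compare_digest(expected, submitted)

def delete_bill_vulnerable(request, bills):
    # Reported behaviour: any request from a logged-in user deletes the bill.
    bills.pop(int(request.path.rsplit("/", 1)[1]), None)
    return 302

def delete_bill_hardened(request, bills):
    """Same route, but the state change needs a POST carrying a valid token."""
    if request.method != "POST":
        return 405          # a forged <a href> (GET) never reaches the delete
    if not csrf_valid(request):
        return 400          # a cross-site POST cannot read the session token
    bills.pop(int(request.path.rsplit("/", 1)[1]), None)
    return 302

def demo():
    # Replay the report's forged GET link, a forged POST and a legitimate POST.
    session = {}
    token = issue_csrf_token(session)      # the victim has an active session
    path = "/myproject/delete/7"
    cases = [
        ("vulnerable_forged_get", delete_bill_vulnerable, Request("GET", path, {}, session)),
        ("hardened_forged_get", delete_bill_hardened, Request("GET", path, {}, session)),
        ("hardened_forged_post", delete_bill_hardened, Request("POST", path, {"csrf_token": "guess"}, session)),
        ("hardened_legit_post", delete_bill_hardened, Request("POST", path, {"csrf_token": token}, session)),
    ]
    results = {}
    for name, handler, req in cases:
        bills = {7: "dinner"}                 # fresh in-memory bill table per case
        results[name] = (handler(req, bills), 7 in bills)  # (status, bill survived?)
    return results
```

Only the legitimate POST removes the bill from the hardened handler; the forged GET is refused by method and the forged POST by token, whereas the vulnerable handler deletes on the bare link.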

Ziding Zhang
19 days ago

Hey Yadhu, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 19 days ago
spiral-project/ihatemoney maintainer confirmed that a fix has been merged on 109d7f 9 days ago
The fix bounty has been dropped