Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney
Status: Valid
The /<project_id>/delete/<int:bill_id> endpoint lacks CSRF protection. An attacker could exploit this to make an authenticated admin delete records from the database.
Proof of Concept
<html>
  <body>
    <a href="https://ihatemoney.org/<projectname>/delete/<id>">Click here</a>
  </body>
</html>
Because the deletion is triggered by a plain GET request, a logged-in user who follows such a link has a record deleted from the database without their knowledge.
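As an added illustration, not code from the project or from this report: a self-contained Python stand-in for the /<project_id>/delete/<int:bill_id> handler, showing the reported unprotected behaviour beside a hardened version that accepts only POST and a per-session synchronizer token. The Request class, route matcher and bill data are assumptions constructed for the example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Route shape taken from the report: /<project_id>/delete/<int:bill_id>
DELETE_ROUTE = re.compile(r"^/(?P<project_id>[^/]+)/delete/(?P<bill_id>\d+)$")


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (assumption)."""
    method: str
    path: str
    session: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session):
    """Synchronizer-token pattern: one random secret per session, to be
    embedded in every form that performs a state-changing action."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def delete_bill(req, bills, protected=True):
    """Return (deleted, http_status). With protected=False the handler behaves
    like the reported endpoint: any request reaching the URL deletes the bill.
    With protected=True it requires POST plus a token matching the session."""
    match = DELETE_ROUTE.match(req.path)
    if not match:
        return False, 404
    key = (match["project_id"], int(match["bill_id"]))
    if protected:
        if req.method != "POST":
            return False, 405  # a link or <img> fetch can never delete
        expected = req.session.get("csrf_token")
        submitted = req.form.get("csrf_token")
        if not (expected and submitted and
                hmac.compare_digest(expected.encode(), submitted.encode())):
            return False, 403  # a cross-site form post lacks the session's token
    if bills.pop(key, None) is None:
        return False, 404
    return True, 200


def sample_bills():
    """Constructed sample data, not from the project."""
    return {("demo", 1): "Groceries", ("demo", 2): "Rent"}
```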