Cross-Site Request Forgery (CSRF) in laravelio/laravel.io
Dec 14th 2021
This CSRF allows a user to be made to unintentionally subscribe to or unsubscribe from a thread.
Proof of Concept
One way the GET route could be abused: a person places an image tag with src="https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe" anywhere on the internet, and any logged-in user of your site who stumbles upon that page is unknowingly subscribed to the thread. The same can be done with a URL shortener or similar. This is a state-changing route and thus should be a POST with a @csrf token.
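The following is an added illustration of the route pattern described above and its fix; it is not laravel.io's own code, and the route closure, the subscribeUser helper and the view name are assumptions made for the example. The point it shows is that Laravel's VerifyCsrfToken middleware (applied by the web middleware group) only validates POST, PUT, PATCH and DELETE requests, so a state change behind a GET route is reachable from any third-party page that can make the victim's browser issue a request with its cookies, while the same action behind a POST route is rejected with HTTP 419 unless the request carries a token matching the victim's session.

```php
<?php
// routes/web.php (added example; hypothetical routes, not laravel.io's real ones)

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Hypothetical helper standing in for the application's real subscription logic.
function subscribeUser($user, string $threadSlug): void
{
    // assumption: the app stores subscriptions keyed by user id and thread slug
    // e.g. Subscription::firstOrCreate(['user_id' => $user->id, 'thread' => $threadSlug]);
}

// BEFORE (the reported pattern): a state-changing action reachable by GET.
// <img src="https://example.test/forum/some-thread/subscribe"> embedded on any
// site makes a logged-in visitor's browser send this request with its session
// cookie, and VerifyCsrfToken does not inspect GET requests at all.
Route::get('/forum/{thread}/subscribe', function (Request $request, string $thread) {
    subscribeUser($request->user(), $thread);
    return redirect()->back();
})->middleware('auth');

// AFTER: POST only. Because routes/web.php sits inside the 'web' middleware
// group, VerifyCsrfToken now runs and rejects any request whose _token field
// (or X-CSRF-TOKEN header) does not match the session with a 419 response.
// A plain GET to this path is answered with 405 Method Not Allowed.
Route::post('/forum/{thread}/subscribe', function (Request $request, string $thread) {
    subscribeUser($request->user(), $thread);
    return redirect()->back();
})->middleware('auth');

/*
 * The legitimate subscribe button then becomes a form in the Blade view
 * (assumed name resources/views/thread/subscribe.blade.php). The @csrf
 * directive compiles to csrf_field(), i.e. the hidden _token input below;
 * a cross-origin page cannot read that per-session value, so it cannot
 * forge the POST even though it can still trigger a GET via an <img> tag.
 *
 *   <form method="POST" action="{{ route('thread.subscribe', $thread) }}">
 *       @csrf
 *       <button type="submit">Subscribe</button>
 *   </form>
 */

// Equivalent plain-PHP rendering of the same form, useful when no Blade view is
// involved (csrf_field() emits <input type="hidden" name="_token" value="...">).
function subscribeForm(string $action): string
{
    return '<form method="POST" action="' . e($action) . '">'
        . csrf_field()
        . '<button type="submit">Subscribe</button>'
        . '</form>';
}
```

When reviewing an application for this class of issue, the quick check is to list every route whose handler writes state and confirm none of them is registered with Route::get (or Route::any); in Laravel, `php artisan route:list` prints the verb column that makes such routes stand out.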
@admin All occurrences have been validated and fixed by the maintainer
Commit SHA e22474e401d209963651fcd25f8b11a017e76636
@hdvinnie - we can no longer validate reports on behalf of the maintainers, and so will require the maintainer to mark this report as valid.
Following up for you on this here.