Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on Dec 13th 2021

Description

CSRF to delete user accounts: the user destroy endpoint performs a state-changing action (deleting an account) on a plain GET request, so it can be triggered cross-site without any CSRF token.

Proof of Concept

<a href="http://[UNIT3D-URL]/users/{username}/destroy"></a>

Impact

This vulnerability is capable of tricking admin users into deleting user accounts: an admin who follows the link (or loads a page embedding it) while logged in deletes the named account without intending to.
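As an added illustration of the flaw described above, not code from the report or from UNIT3D itself (which is a PHP/Laravel application), the following Python model shows a destroy endpoint before and after the fix. The Request and Session classes, the handler names, the status codes and the `_token` form field are this example's own assumptions; the one point it demonstrates is why a state-changing GET is forgeable and why requiring a non-safe method plus a session-bound token is not.

```python
"""Model of a CSRF-able account-destroy endpoint and its hardened form.

Added example (not UNIT3D's code). Request, Session and the handlers are
simplified stand-ins for a web framework's request pipeline.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Methods a browser sends for links, images and top-level navigation; a
# framework must never let these change state, and a CSRF check that only
# covers "unsafe" methods (as Laravel's VerifyCsrfToken does) relies on that.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    user: str
    is_admin: bool
    # Synchronizer token: random per session, rendered into same-origin forms,
    # never readable by another origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    session: Optional[Session]          # the cookie-bound session, attached by the browser
    form: dict = field(default_factory=dict)


def _delete(name: str, users: dict):
    if name not in users:
        return 404, "no such user"
    del users[name]
    return 200, f"deleted {name}"


def _target(req: Request) -> str:
    # "/users/<name>/destroy" -> "<name>"
    return req.path.split("/")[2]


def destroy_user_vulnerable(req: Request, users: dict):
    """Before the fix: any authenticated admin request deletes, including a GET
    produced by an <a href> or <img src> on a page the admin did not author."""
    if req.session is None or not req.session.is_admin:
        return 403, "forbidden"
    return _delete(_target(req), users)


def destroy_user_hardened(req: Request, users: dict):
    """After the fix: refuse safe methods, then require a token bound to the
    session. A cross-site page can cause the browser to send the session
    cookie, but it cannot read or guess the token."""
    if req.session is None or not req.session.is_admin:
        return 403, "forbidden"
    if req.method in SAFE_METHODS:
        return 405, "method not allowed"
    token = req.form.get("_token", "")
    # Constant-time compare so token checking does not leak via timing.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 419, "csrf token mismatch"   # 419 is Laravel's convention for this
    return _delete(_target(req), users)


if __name__ == "__main__":
    admin = Session(user="root", is_admin=True)
    users = {"alice": {}, "bob": {}}
    # Constructed cross-site request: session cookie present, no token, GET.
    forged = Request("GET", "/users/alice/destroy", admin)
    print("vulnerable:", destroy_user_vulnerable(forged, dict(users)))
    print("hardened:  ", destroy_user_hardened(forged, dict(users)))
    legit = Request("DELETE", "/users/alice/destroy", admin, {"_token": admin.csrf_token})
    print("legit:     ", destroy_user_hardened(legit, dict(users)))
```

In a Laravel application the same two steps are: register the route with `Route::delete` (or `Route::post`) instead of `Route::get`, and submit it from a form carrying `@csrf` and `@method('DELETE')`, so that the framework's `VerifyCsrfToken` middleware, which skips read methods, actually applies to the request.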

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. 2 months ago
HDVinnie validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on 835650 a month ago
HDVinnie has been awarded the fix bounty