Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition


Reported on

Dec 13th 2021


CSRF to delete user accounts

Proof of Concept

<a href="http://[UNIT3D-URL]/users/{username}/destroy"></a>


This vulnerability is capable of tricking admin users to delete user accounts

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. 2 years ago
HDVinnie validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed in 6.0.0 with commit 835650 2 years ago
HDVinnie has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation