Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Dec 13th 2021


Description

CSRF to delete user accounts

Proof of Concept

<a href="http://[UNIT3D-URL]/users/{username}/destroy"></a>

Impact

This vulnerability is capable of tricking admin users to delete user accounts

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. a year ago
HDVinnie validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed in 6.0.0 with commit 835650 a year ago
HDVinnie has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation