Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Nov 15th 2021


Description

More unprotected CSRF endpoints that allow state-changing operations. Each route below performs its action on a plain GET with no CSRF token, so a request triggered from a third-party page (a link, an image tag, a redirect) is executed with the victim's session cookie:

1: GET /dashboard/moderation/1/approve

2: GET /requests/1/accept

3: GET /requests/1/reject

4: GET /requests/1/unclaim

5: GET /requests/1/reset

Proof of Concept

<a href="https://[UNIT3D-URL]/dashboard/moderation/1/approve">CLICK ME!</a>

Impact

This vulnerability is capable of tricking logged-in admin users into accepting, rejecting, unclaiming or resetting requests, and into approving items in the moderation dashboard, simply by getting them to follow a link.
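The pattern behind all five endpoints, and the shape of the fix, in Laravel terms: a state change on GET can never be protected by Laravel's CSRF middleware, because `VerifyCsrfToken` skips HEAD/GET/OPTIONS entirely, so the route has to move to POST and the link has to become a form carrying `@csrf`. This is an added illustration, not code from UNIT3D or from the fix commit; the controller names, route names, the `can:moderate` gate, the `$torrentRequest` Blade variable and the user factory are hypothetical stand-ins. Routes, Blade and a regression test are shown together in one block.

```php
<?php
// Added illustration (not UNIT3D's code). Shows, in Laravel's own idiom, why a
// state-changing GET route is forgeable and how the POST + @csrf form closes it.
// Controller, route-name and gate names are hypothetical stand-ins for the real
// ones in the project's routes/web.php and Blade views.

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\RequestController;     // hypothetical
use App\Http\Controllers\ModerationController;  // hypothetical

// BEFORE (vulnerable): the action runs on a plain GET. Laravel's
// VerifyCsrfToken middleware returns early for "reading" verbs (HEAD, GET,
// OPTIONS), so no token is ever checked, and any <a>, <img src> or redirect
// on an attacker's page fires the request with the victim's session cookie.
Route::get('/requests/{id}/accept', [RequestController::class, 'approve'])
    ->middleware('auth');

// AFTER (fixed): same action, POST only. A GET to the URI now yields 405, and
// the web middleware group's VerifyCsrfToken rejects any POST whose _token does
// not match the session (HTTP 419 TokenMismatchException).
Route::post('/requests/{id}/accept', [RequestController::class, 'approve'])
    ->middleware('auth')
    ->name('request_approve');

Route::post('/dashboard/moderation/{id}/approve', [ModerationController::class, 'approve'])
    ->middleware(['auth', 'can:moderate'])   // hypothetical gate name
    ->name('moderation_approve');

/*
 * The Blade side of the same fix. A link can only issue GET; a form can carry
 * the token. @csrf expands to <input type="hidden" name="_token" value="...">.
 *
 * BEFORE:
 *   <a href="/requests/{{ $torrentRequest->id }}/accept">Accept</a>
 *
 * AFTER:
 *   <form method="POST" action="{{ route('request_approve', ['id' => $torrentRequest->id]) }}">
 *       @csrf
 *       <button type="submit" class="btn btn-success">Accept</button>
 *   </form>
 */

// Regression check (PHPUnit feature test, hypothetical user factory). Asserting
// on 405 is the check that works here: in the 'testing' environment
// VerifyCsrfToken also skips when runningUnitTests(), so a missing-token 419
// cannot be reproduced from a feature test without removing that shortcut.
class RequestCsrfTest extends \Tests\TestCase
{
    public function test_state_change_is_not_reachable_via_get(): void
    {
        $user = \App\Models\User::factory()->create(); // hypothetical factory
        $this->actingAs($user)
            ->get('/requests/1/accept')
            ->assertStatus(405);
    }
}
```

Moving the verb to POST is what does the work; adding `VerifyCsrfToken` or an `auth` check to the GET route changes nothing, since the middleware lets every GET through and the victim is already authenticated. The same reasoning applies to the reject, unclaim and reset routes and to the moderation approve route.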

Occurrences

requests accept api

requests unclaim / reset api

moderation api

requests accept blade

requests reject api

requests reject blade

requests unclaim blade

moderation blade

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. a year ago
HDVinnie validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed with commit 804c4c a year ago
HDVinnie has been awarded the fix bounty
This vulnerability will not receive a CVE
web.php#L250L251 has been validated
web.php#L785 has been validated
request.blade.php#L295L299 has been validated
request.blade.php#L207L213 has been validated
request.blade.php#L291L293 has been validated
web.php#L247 has been validated
web.php#L244 has been validated
index.blade.php#L55L62 has been validated