Cross-Site Request Forgery (CSRF) in liangliangyy/djangoblog


Reported on

Jan 17th 2022


Hi there, I would like to report a Cross Site Request Forgery in djangoblog source code. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other. This is due to the use of GET request in refresh cache url.

Proof of Concept

  1. Install a local instance of djangoblog
  2. Access this link /refresh and see that all cache is cleared.
  3. In real attack scenario, the attacker would feed this link to django blog admin and when they clicks it, the cache is cleared.


This vulnerability is capable of forcing the admin to clear djangoblog cache against his/her will.

We are processing your report and will contact the liangliangyy/djangoblog team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the liangliangyy/djangoblog team and are waiting to hear back a year ago
We have sent a follow up to the liangliangyy/djangoblog team. We will try again in 7 days. a year ago
且听风吟 validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
且听风吟 marked this as fixed in none with commit ccbb65 a year ago
且听风吟 has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation