Cross Site Request Forgery at refreshing watch list for courses in autolab/autolab
May 13th 2022
Hi there autolab maintainers, there is a CSRF vulnerability in the autolab source code: refreshing the watch list is performed over a GET request, so the state-changing action can be triggered cross-site.
Proof of Concept
- Install a local instance of autolab and create a course
- Access the link /courses/<course-name>/metrics/refresh_watchlist_instances and see that any previously added watchlist is archived.
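To make the defect and its fix concrete, here is an added Ruby example (constructed for this report, not Autolab's own code) that models the action as a plain function on a request Hash. The vulnerable variant archives the watchlist on any GET, which is exactly what a cross-site link or image tag carrying the victim's cookies would trigger; the hardened variant requires POST plus a per-session authenticity token compared in constant time. The request/session shapes, `WatchlistStore`, and the function names are assumptions made for the example.

```ruby
require "securerandom"

# Constructed stand-in for the watchlist so side effects can be observed.
class WatchlistStore
  attr_reader :archived

  def initialize
    @archived = false
  end

  def archive!
    @archived = true
  end
end

REFRESH_PATH = "/metrics/refresh_watchlist_instances".freeze

# Vulnerable pattern (assumed shape of the bug): a state-changing action
# bound to GET with no origin or token check. Any navigation to the URL
# while logged in archives the watchlist, regardless of which site sent it.
def refresh_watchlist_vulnerable(request, _session, store)
  return [404, "not found"] unless request[:path] == REFRESH_PATH

  store.archive! # side effect on GET, no CSRF protection
  [200, "archived"]
end

# Constant-time comparison so the token check does not leak timing.
def secure_compare(expected, presented)
  return false unless expected && presented
  return false unless expected.bytesize == presented.bytesize

  diff = 0
  expected.bytes.zip(presented.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Issue (or reuse) the per-session token that the form must echo back.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.base64(32)
end

# Hardened pattern: reject anything but POST, then require a token that
# matches the one stored in the user's session before touching state.
def refresh_watchlist_hardened(request, session, store)
  return [404, "not found"] unless request[:path] == REFRESH_PATH
  return [405, "method not allowed"] unless request[:method] == "POST"

  presented = request.fetch(:params, {})["authenticity_token"]
  unless secure_compare(session[:csrf_token], presented)
    return [403, "invalid authenticity token"]
  end

  store.archive!
  [200, "archived"]
end

# Runs both variants against the same constructed requests and returns
# the observable outcomes, so the difference can be checked programmatically.
def compare_variants
  cross_site_get = { method: "GET", path: REFRESH_PATH, params: {} }
  vuln_store = WatchlistStore.new
  vuln_status, = refresh_watchlist_vulnerable(cross_site_get, {}, vuln_store)

  hard_store = WatchlistStore.new
  session = {}
  get_status, = refresh_watchlist_hardened(cross_site_get, session, hard_store)
  post_no_token = { method: "POST", path: REFRESH_PATH, params: {} }
  no_token_status, = refresh_watchlist_hardened(post_no_token, session, hard_store)
  archived_before_token = hard_store.archived

  token = csrf_token_for(session)
  post_with_token = { method: "POST", path: REFRESH_PATH,
                      params: { "authenticity_token" => token } }
  ok_status, = refresh_watchlist_hardened(post_with_token, session, hard_store)

  {
    vulnerable_get_status: vuln_status,
    vulnerable_archived: vuln_store.archived,
    hardened_get_status: get_status,
    hardened_post_no_token_status: no_token_status,
    hardened_archived_before_token: archived_before_token,
    hardened_post_with_token_status: ok_status,
    hardened_archived: hard_store.archived
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_variants.each { |k, v| puts "#{k}: #{v}" }
end
```

In a Rails application such as Autolab, the equivalent fix is to route the action with `post` (or `patch`) instead of `get`, submit it from a form or `button_to` so Rails' `protect_from_forgery` sends and checks the authenticity token automatically, and set the session cookie with `SameSite=Lax` or stricter as defence in depth; the hand-written token comparison above only shows what that framework machinery does.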