Cross Site Request Forgery at refreshing watch list for courses in autolab/autolab

Valid

Reported on

May 13th 2022


Description

Hi there autolab maintainers, there is a CRSF in autolab source code in refreshing watch list due to usage of GET method.

Proof of Concept

  1. Install a local instance of autolab and create a course
  2. Access the link /courses/<course-name>/metrics/refresh_watchlist_instances and see that any previously added watchlist is archieved.

Impact

CRSF.

Occurrences

We are processing your report and will contact the autolab team within 24 hours. a month ago
We have contacted a member of the autolab team and are waiting to hear back a month ago
autolab/autolab maintainer validated this vulnerability a month ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the autolab team. We will try again in 7 days. a month ago
Joey Wildman confirmed that a fix has been merged on 151aa1 a month ago
Joey Wildman has been awarded the fix bounty
routes.rb#L83 has been validated
to join this conversation