Cross Site Request Forgery at refreshing watch list for courses in autolab/autolab
May 13th 2022
Hi there autolab maintainers, there is a CSRF in the autolab source code in refreshing the watch list due to usage of the GET method.
Proof of Concept
- Install a local instance of autolab and create a course
- Access the link /courses/<course-name>/metrics/refresh_watchlist_instances and see that any previously added watchlist is archived.
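The following is an added illustration, not autolab's code and not the content of the fix commit referenced below. It is a plain-Ruby model of why a state-changing action reachable via GET escapes Rails-style forgery protection: like Rails' verify_authenticity_token, the check here treats GET and HEAD as safe and never validates a token on them, so a cross-site request (cookies attached by the victim's browser, no token available to the attacker's page) goes straight through. Mounting the same action on POST puts it under the token check. The path, the WatchlistStore and the request structure are assumed stand-ins for the report's endpoint and its archive-on-refresh behaviour.

```ruby
require 'securerandom'

# Rails-style forgery protection skips these verbs entirely, which is exactly
# why a state-changing GET endpoint is a CSRF hole.
SAFE_METHODS = %w[GET HEAD].freeze

# Assumed stand-in for the course watch list: refreshing it archives the
# previous entries (modelled here as a counter of archive operations).
class WatchlistStore
  attr_reader :archived
  def initialize
    @archived = 0
  end

  def refresh!
    @archived += 1
  end
end

# Constructed request model: session_token is what the server keeps in the
# victim's session (sent via cookie); param_token is what the page submits.
Request = Struct.new(:verb, :path, :session_token, :param_token, keyword_init: true)

REFRESH_PATH = '/courses/demo/metrics/refresh_watchlist_instances' # assumed path

# Mirrors the Rails behaviour: only non-safe verbs are checked.
def forgery_check_passes?(req)
  return true if SAFE_METHODS.include?(req.verb)
  !req.session_token.nil? && req.param_token == req.session_token
end

# Vulnerable routing: the refresh action is mounted on GET, so the forgery
# check is never applied to it.
def handle_vulnerable(store, req)
  return :forbidden unless forgery_check_passes?(req)
  if req.verb == 'GET' && req.path == REFRESH_PATH
    store.refresh!
    return :refreshed
  end
  :not_found
end

# Hardened routing: same action, reachable only via POST, so a request without
# the session's token is rejected before any state changes.
def handle_hardened(store, req)
  return :forbidden unless forgery_check_passes?(req)
  if req.verb == 'POST' && req.path == REFRESH_PATH
    store.refresh!
    return :refreshed
  end
  :not_found
end

# Runs a forged GET, a forged POST and a legitimate POST against both routings
# and returns the outcomes so they can be inspected or asserted on.
def demo
  token = SecureRandom.hex(16)
  # Forged requests: the browser attaches the session cookie, but the attacker's
  # page cannot read or supply the anti-CSRF token.
  forged_get  = Request.new(verb: 'GET',  path: REFRESH_PATH, session_token: token, param_token: nil)
  forged_post = Request.new(verb: 'POST', path: REFRESH_PATH, session_token: token, param_token: nil)
  legit_post  = Request.new(verb: 'POST', path: REFRESH_PATH, session_token: token, param_token: token)

  vulnerable = WatchlistStore.new
  hardened   = WatchlistStore.new

  {
    vulnerable_forged_get: handle_vulnerable(vulnerable, forged_get), # :refreshed (CSRF succeeds)
    hardened_forged_get:   handle_hardened(hardened, forged_get),     # :not_found (no GET route)
    hardened_forged_post:  handle_hardened(hardened, forged_post),    # :forbidden (token missing)
    hardened_legit_post:   handle_hardened(hardened, legit_post),     # :refreshed (token matches)
    vulnerable_archived:   vulnerable.archived,                       # 1, caused by the forged GET
    hardened_archived:     hardened.archived                          # 1, only from the legit POST
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The practitioner's check is the first line of forgery_check_passes?: any framework whose CSRF defence is keyed on the HTTP verb gives GET a free pass, so every GET route must be audited for side effects rather than trusting that the global protection covers it. In a Rails application the general remedy is to declare such an action with `post` rather than `get` in routes.rb and to trigger it from a form or request that carries the authenticity token.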
An autolab/autolab maintainer validated this vulnerability a year ago
justinp09010 has been awarded the disclosure bounty
Joey Wildman marked this as fixed in 2.8+ with commit 151aa1 a year ago
This vulnerability will not receive a CVE