Cross-Site Request Forgery (CSRF) in patrowl/patrowlmanager

Valid

Reported on

Dec 10th 2021


Description

Hi there, there is a CSRF in duplicating rule due to the usage of GET method.

Proof of Concept

  1. Install a local instance of PatrowlManager
  2. Go to list rule and create a new rule
  3. Access this link http://localhost:8083/rules/api/v1/alerting/duplicate/1 and see that the rule is duplicated

Impact

This vulnerability is capable of duplicating rules

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. a year ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back a year ago
We have sent a follow up to the patrowl/patrowlmanager team. We will try again in 7 days. a year ago
patrowl/patrowlmanager maintainer
a year ago

Maintainer


Hi there, vulnerability confirmed but I suggest to review the CVSS score to 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

patrowl/patrowlmanager maintainer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer marked this as fixed in 1.7.8 with commit 58f373 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation