Cross-Site Request Forgery (CSRF) in patrowl/patrowlmanager


Reported on

Dec 10th 2021


Hi there, there is a CSRF in duplicating rule due to the usage of GET method.

Proof of Concept

  1. Install a local instance of PatrowlManager
  2. Go to list rule and create a new rule
  3. Access this link http://localhost:8083/rules/api/v1/alerting/duplicate/1 and see that the rule is duplicated


This vulnerability is capable of duplicating rules

We are processing your report and will contact the patrowl/patrowlmanager team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a exists 2 years ago
We have contacted a member of the patrowl/patrowlmanager team and are waiting to hear back 2 years ago
We have sent a follow up to the patrowl/patrowlmanager team. We will try again in 7 days. 2 years ago
patrowl/patrowlmanager maintainer
2 years ago


Hi there, vulnerability confirmed but I suggest to review the CVSS score to 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

patrowl/patrowlmanager maintainer validated this vulnerability 2 years ago
ComradeKtg has been awarded the disclosure bounty
The fix bounty is now up for grabs
patrowl/patrowlmanager maintainer marked this as fixed in 1.7.8 with commit 58f373 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation