Cross-Site Request Forgery (CSRF) in namelessmc/nameless


Reported on Oct 16th 2021


More CSRF endpoints in delete webhooks

Proof of Concept



This vulnerability is capable of tricking admin users into deleting webhooks.


Hook delete backend

Hook delete frontend
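
An added example, not code from NamelessMC or from this report: a delete handler with no anti-CSRF check beside one that requires POST and a per-session token. It is plain PHP; every function name, the request and session array shapes, and the sample hooks are assumptions made for illustration.

```php
<?php
// Illustration only: hypothetical names, not the project's code.

// Create (once per session) the anti-CSRF token that forms must echo back.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Without protection: any request that carries an id deletes the hook.
// The admin's session cookie, which the browser attaches automatically,
// is the only thing authorising the action.
function delete_hook_unprotected(array $request, array &$hooks): bool {
    $id = (int) ($request['params']['id'] ?? 0);
    if (!isset($hooks[$id])) {
        return false;
    }
    unset($hooks[$id]);
    return true;
}

// With protection: POST only, and the submitted token must equal the one
// stored in the session. hash_equals() compares in constant time.
function delete_hook_protected(array $request, array &$session, array &$hooks): bool {
    if (($request['method'] ?? '') !== 'POST') {
        return false;
    }
    $sent = $request['params']['token'] ?? '';
    $expected = $session['csrf'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    return delete_hook_unprotected($request, $hooks);
}

// Constructed sample data.
$session = [];
$token = csrf_token($session);
$hooks = [1 => 'https://example.invalid/hook-a', 2 => 'https://example.invalid/hook-b'];
$noToken = ['method' => 'GET', 'params' => ['id' => 1]];
$withToken = ['method' => 'POST', 'params' => ['id' => 2, 'token' => $token]];

$scratch = $hooks; // copy, so the unprotected call does not alter $hooks
var_dump(delete_hook_unprotected($noToken, $scratch));
var_dump(delete_hook_protected($noToken, $session, $hooks));
var_dump(delete_hook_protected($withToken, $session, $hooks));
```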

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago
namelessmc/nameless maintainer validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer marked this as fixed with commit ec1edb 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
hooks.php#L215L239 has been validated
hooks.tpl#L65L122 has been validated