Cross-Site Request Forgery (CSRF) in namelessmc/nameless

Valid

Reported on

Oct 16th 2021


Description

More CSRF endpoints in webhook deletion

Proof of Concept

/index.php?route=/panel/core/hooks/&action=delete&id=2

Impact

This vulnerability is capable of tricking admin users into deleting webhooks.
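The following is an added illustration, not code from this report or from namelessmc/nameless: a stand-in for the hook-delete handler in two forms. The first honours a bare authenticated GET with `action=delete&id=N`, which is the shape of the PoC URL above, so any page the admin visits can fire it (an `<img src="...">` is enough, since the browser attaches the session cookie). The second requires POST, a same-origin Origin header, and a per-session anti-CSRF token compared in constant time. The session, request and hook structures, the `site_origin` value and the hook names are all constructed for the example.

```python
"""
Constructed stand-in for a panel webhook-delete endpoint, in a vulnerable and a
hardened form. Not NamelessMC code; the handler shapes, session model and sample
hooks are assumptions made for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Session:
    user: str
    is_admin: bool
    # Per-session token the attacker's origin cannot read (assumed storage model).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    url: str
    session: Session               # cookie-bound, so it rides along on cross-site requests
    form: Dict[str, str] = field(default_factory=dict)
    origin: Optional[str] = None   # Origin header as the browser would set it


def _query(req: Request) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}


def vulnerable_delete(req: Request, hooks: Dict[int, str]) -> Tuple[int, Dict[int, str]]:
    """Deletes on any authenticated GET: state change keyed only on the cookie."""
    if not req.session.is_admin:
        return 403, hooks
    q = _query(req)
    if q.get("action") == "delete" and q.get("id", "").isdigit():
        hooks.pop(int(q["id"]), None)
        return 200, hooks
    return 400, hooks


def hardened_delete(req: Request, hooks: Dict[int, str],
                    site_origin: str = "https://example.test") -> Tuple[int, Dict[int, str]]:
    """Requires POST, a same-origin Origin header and a matching session token."""
    if req.method != "POST":
        return 405, hooks
    if not req.session.is_admin:
        return 403, hooks
    if req.origin != site_origin:            # cross-site forms carry the attacker's origin
        return 403, hooks
    token = req.form.get("token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403, hooks
    hook_id = req.form.get("id", "")
    if not hook_id.isdigit():
        return 400, hooks
    hooks.pop(int(hook_id), None)
    return 200, hooks


def run_demo() -> Dict[str, Tuple[int, list]]:
    """Replay the PoC shape against both handlers; returns status and surviving hook ids."""
    admin = Session(user="admin", is_admin=True)
    # Cross-site GET as triggered by an <img> on an attacker page: no token, foreign Origin.
    forged_get = Request("GET", "/index.php?route=/panel/core/hooks/&action=delete&id=2",
                         admin, origin="https://attacker.test")
    # Same forgery as an auto-submitted cross-site form; the token can only be guessed.
    forged_post = Request("POST", "/index.php?route=/panel/core/hooks/", admin,
                          form={"id": "2", "token": "guess"}, origin="https://attacker.test")
    # Legitimate delete submitted from the panel's own form.
    legit_post = Request("POST", "/index.php?route=/panel/core/hooks/", admin,
                         form={"id": "2", "token": admin.csrf_token}, origin="https://example.test")

    def fresh() -> Dict[int, str]:          # constructed sample hooks
        return {1: "discord", 2: "slack"}

    results = {}
    status, hooks = vulnerable_delete(forged_get, fresh())
    results["vulnerable_forged_get"] = (status, sorted(hooks))
    status, hooks = hardened_delete(forged_get, fresh())
    results["hardened_forged_get"] = (status, sorted(hooks))
    status, hooks = hardened_delete(forged_post, fresh())
    results["hardened_forged_post"] = (status, sorted(hooks))
    status, hooks = hardened_delete(legit_post, fresh())
    results["hardened_legit_post"] = (status, sorted(hooks))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: status={outcome[0]} remaining hooks={outcome[1]}")
```

The forged GET removes hook 2 from the vulnerable handler and is refused outright by the hardened one; a forged POST fails the Origin check before the token is even compared, while the panel's own form, carrying the session token, still succeeds. Setting the session cookie `SameSite=Lax` or `Strict` is a worthwhile additional layer, but the token check is what closes the hole regardless of browser behaviour.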

Occurrences

Hook delete backend

Hook delete frontend

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago
namelessmc/nameless maintainer validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer marked this as fixed with commit ec1edb 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
hooks.php#L215L239 has been validated
hooks.tpl#L65L122 has been validated