Cross-Site Request Forgery (CSRF) in namelessmc/nameless


Reported on Oct 16th 2021


More CSRF endpoints in delete webhooks

Proof of Concept



This vulnerability is capable of tricking admin users into deleting webhooks.


Hook delete backend

Hook delete frontend

We have contacted a member of the namelessmc/nameless team and are waiting to hear back a year ago
namelessmc/nameless maintainer validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer confirmed that a fix has been merged on ec1edb a year ago
The fix bounty has been dropped
hooks.php#L215L239 has been validated
hooks.tpl#L65L122 has been validated