Cross-Site Request Forgery (CSRF) in namelessmc/nameless

Valid

Reported on

Oct 16th 2021


Description

Additional CSRF-vulnerable endpoints in the webhook delete action

Proof of Concept

/index.php?route=/panel/core/hooks/&action=delete&id=2

Impact

This vulnerability allows an attacker to trick a logged-in admin user into deleting webhooks.

Occurrences

Hook delete backend

Hook delete frontend
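The report's proof of concept is a plain GET link: whoever can get an admin to load it gets the hook deleted, because nothing ties the request to the admin's own intent. The usual fix is to make the delete a POST carrying a per-session token that the server compares in constant time. The handler below is an added illustration written for this page, not NamelessMC's code; the session key name `csrf_token`, the form field `token`, and the `$deleteWebhook` callback standing in for the application's database call are all assumptions.

```php
<?php
// Added example (not NamelessMC's own code): a CSRF-protected webhook delete handler.
// Assumptions: the token lives in $session['csrf_token'], the form posts it as 'token',
// and $deleteWebhook is a hypothetical callable standing in for the real delete logic.
declare(strict_types=1);

// Issue (or reuse) a random per-session token. The same value goes into a hidden
// form field on the delete page, so a cross-site page cannot know it.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Vulnerable shape (what the PoC abuses): GET ...&action=delete&id=2 deletes straight away.
// Hardened shape: require POST, require a token matching the session, validate the id.
function handleDelete(string $method, array $params, array $session, callable $deleteWebhook): array
{
    if ($method !== 'POST') {
        // A state change must not be reachable by a link or an <img> tag.
        return ['status' => 405, 'deleted' => false, 'reason' => 'state change requires POST'];
    }

    $expected  = (string) ($session['csrf_token'] ?? '');
    $submitted = (string) ($params['token'] ?? '');
    // hash_equals() avoids leaking token bytes through comparison timing.
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        return ['status' => 403, 'deleted' => false, 'reason' => 'invalid CSRF token'];
    }

    $id = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0) {
        return ['status' => 400, 'deleted' => false, 'reason' => 'invalid id'];
    }

    return ['status' => 200, 'deleted' => (bool) $deleteWebhook($id), 'reason' => 'ok'];
}

// Constructed sample traffic, run offline.
$session      = [];
$token        = csrfToken($session);
$fakeDelete   = static fn (int $id): bool => true; // stand-in for the DB delete

// 1. The request shape from the PoC: a cross-site GET with no token -> 405.
$r1 = handleDelete('GET', ['action' => 'delete', 'id' => '2'], $session, $fakeDelete);
// 2. A forged POST (attacker cannot read the victim's token) -> 403.
$r2 = handleDelete('POST', ['id' => '2', 'token' => 'guess'], $session, $fakeDelete);
// 3. The legitimate form submission carrying the session token -> 200, deleted.
$r3 = handleDelete('POST', ['id' => '2', 'token' => $token], $session, $fakeDelete);

foreach ([$r1, $r2, $r3] as $r) {
    printf("%d %s deleted=%s\n", $r['status'], $r['reason'], $r['deleted'] ? 'yes' : 'no');
}
```

On the template side the matching change is to replace the delete link with a small form that includes `<input type="hidden" name="token" value="...">` populated from the same session token; setting the session cookie with `SameSite=Lax` or `Strict` is a useful second layer but does not replace the token check, since older clients ignore the attribute.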

We have contacted a member of the namelessmc/nameless team and are waiting to hear back a month ago
namelessmc/nameless maintainer validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer confirmed that a fix has been merged on ec1edb a month ago
The fix bounty has been dropped
hooks.php#L215L239 has been validated
hooks.tpl#L65L122 has been validated