Cross-Site Request Forgery (CSRF) in attendize/attendize


Reported on

Sep 25th 2021


Attacker is able to make an event live.

Proof of Concept

When you logged in open this POC.html in a browser.

<script>history.pushState('', '', '/')</script>
<form action="Demo URL">
    <input type="submit" value="Submit request" />


This vulnerability is capable of forging user to unintentional mark an event live.


Tested on Safari.


You should set a CSRF token on such GET requests or you can use POST instead of GET then because of cookie SameSite is Lax, request from other origins could not carry cookie.

We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the attendize team and are waiting to hear back 2 years ago
We have sent a third and final follow up to the attendize team. This report is now considered stale. 2 years ago
2 years ago


To expand:

One way GET could be abused here is that a person (competitor perhaps:) placed an image tag with src="<your logout link>" ANYWHERE on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out.

This is why it should be a POST with a @csrf token.

Johanna Cherry validated this vulnerability 2 years ago
HDVinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Johanna Cherry marked this as fixed with commit a2aadf 2 years ago
Johanna Cherry has been awarded the fix bounty
This vulnerability will not receive a CVE
TopNav.blade.php#L10 has been validated
web.php#L326-L328 has been validated
to join this conversation