Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Sep 24th 2021


Description

CSRF in the staff dashboard's peer-flush action: the flush is triggered by a plain GET request to /dashboard/flush/peers, so no CSRF token is required and any site a logged-in staff member visits can issue the request on their behalf.

Proof of Concept

1. Log in with a staff/admin account.
2. Open https://unit3d.site/dashboard/flush/peers (a plain GET request; a third-party page can trigger the same request, e.g. via an image tag pointing at that URL).
3. Observe that the peers have been flushed.
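The pattern behind this report, shown as an added example rather than UNIT3D's own code or its actual fix: a Laravel route that performs a state change on GET (which Laravel's VerifyCsrfToken middleware does not protect) next to a hardened version that requires a POST carrying the session's CSRF token. The Peer model, the staff middleware alias and the route name are assumptions for illustration.

```php
<?php
// Added example (not UNIT3D code): CSRF-prone vs. hardened Laravel route.
// Assumed names: App\Models\Peer, a 'staff' middleware alias, route name
// 'staff.peers.flush'. Place in routes/web.php of a Laravel app to try it.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use App\Models\Peer;

// VULNERABLE: a destructive action reachable with a GET request.
// Laravel only enforces CSRF tokens on POST/PUT/PATCH/DELETE, so a page
// controlled by an attacker can fire this with
//   <img src="https://unit3d.site/dashboard/flush/peers">
// and the browser attaches the victim's session cookie automatically.
Route::get('/dashboard/flush/peers', function () {
    Peer::query()->delete();

    return redirect()->back()->withSuccess('Peers flushed');
})->middleware(['auth', 'staff']);

// HARDENED: accept only POST. The VerifyCsrfToken middleware in the 'web'
// group now rejects any request whose _token (or X-CSRF-TOKEN header) does
// not match the token stored in the session, which a cross-origin page
// cannot read.
Route::post('/dashboard/flush/peers', function (Request $request) {
    Peer::query()->delete();

    return redirect()->back()->withSuccess('Peers flushed');
})->middleware(['auth', 'staff'])->name('staff.peers.flush');

// The matching Blade form; @csrf renders the hidden _token input.
//
//   <form method="POST" action="{{ route('staff.peers.flush') }}">
//       @csrf
//       <button type="submit">Flush peers</button>
//   </form>
```

To confirm a fix of this shape is in place, request the URL with GET while logged in: Laravel should answer 405 Method Not Allowed because only POST is registered. A POST without a valid _token should answer 419 (token mismatch), and only the dashboard form, which carries the session token, should succeed.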

Impact

An attacker who lures a logged-in staff or admin user to a page they control can flush the tracker's entire peer table without that user's knowledge or consent, disrupting active swarms until clients re-announce.

Occurrences

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back a month ago
HDVinnie validated this vulnerability a month ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on 220db8 a month ago
HDVinnie has been awarded the fix bounty
web.php#L751 has been validated