Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy


Reported on

Jul 30th 2021

✍️ Description

You don't check CSRF token in following endpoint /timers/add/quick/ with PoC.html attacker able to add quick timers.

🕵️‍♂️ Proof of Concept

// PoC.html

  <script>history.pushState('', '', '/')</script>
    <form action="">
      <input type="submit" value="Submit request" />

💥 Impact

This vulnerability is capable of ad quick timers.


We have contacted a member of the babybuddy team and are waiting to hear back 4 months ago
Christopher Charbonneau Wells validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells confirmed that a fix has been merged on c1dab4 4 months ago
Christopher Charbonneau Wells has been awarded the fix bounty