Cross-Site Request Forgery (CSRF) in i-love-flamingo/flamingo-commerce


Reported on

Oct 8th 2021


CSRF in cart related endpoints. This include:

  • Adding items to cart
  • Clean cart
  • Delete item from cart
  • Update cart

This happens because the system use GET request for these actions and thus allows CSRF attacks.

Proof of Concept

  1. Access this link in a browser ​See that your cart is added 100 products.
  2. Access this link:, see that your cart is emptied.
We created a GitHub Issue asking the maintainers to create a 2 months ago
We have contacted a member of the i-love-flamingo/flamingo-commerce team and are waiting to hear back 2 months ago
2 months ago


Please see

i-love-flamingo/flamingo-commerce maintainer validated this vulnerability 2 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
i-love-flamingo/flamingo-commerce maintainer confirmed that a fix has been merged on afe9d2 2 months ago
The fix bounty has been dropped