Cross-Site Request Forgery (CSRF) in i-love-flamingo/flamingo-commerce


Reported on Oct 8th 2021


CSRF in cart-related endpoints. This includes:

  • Adding items to cart
  • Clean cart
  • Delete item from cart
  • Update cart

This happens because the system uses GET requests for these state-changing actions, which allows CSRF attacks.

Proof of Concept

  1. Access this link in a browser and see that 100 products are added to your cart.
  2. Access this link: see that your cart is emptied.
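As an added illustration (not code from the report or from Flamingo Commerce), the GET-driven add-to-cart pattern the report describes beside a handler that only mutates on POST carrying a session-bound CSRF token. The session store, cookie name and `X-CSRF-Token` header are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Constructed session store (session id -> CSRF token); a stand-in for a real session backend.
var sessionTokens = map[string]string{"sess-123": "tok-4f9c"}

// vulnerableAddToCart mirrors the reported pattern: a plain GET mutates the cart.
func vulnerableAddToCart(cart map[string]int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		qty, _ := strconv.Atoi(r.URL.Query().Get("qty"))
		cart[r.URL.Query().Get("sku")] += qty // any <img>/link the victim loads can do this
	}
}

// hardenedAddToCart mutates only on POST with a CSRF token bound to the session cookie.
func hardenedAddToCart(cart map[string]int) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost { // GET is reserved for reads
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		sess, err := r.Cookie("session")
		token := r.Header.Get("X-CSRF-Token") // set by the shop's own form/JS, unknown to other sites
		if err != nil || sessionTokens[sess.Value] == "" ||
			subtle.ConstantTimeCompare([]byte(sessionTokens[sess.Value]), []byte(token)) != 1 {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		qty, _ := strconv.Atoi(r.FormValue("qty")) // POST body or query field
		cart[r.FormValue("sku")] += qty
	}
}

// exercise replays one request with the session cookie attached (as a browser does cross-site) and returns the status.
func exercise(h http.HandlerFunc, method, target, token string) int {
	req := httptest.NewRequest(method, target, nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "sess-123"})
	if token != "" {
		req.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```

Against the vulnerable handler a bare GET with the victim's cookie adds 100 items; against the hardened one the same GET returns 405 and a POST without the session's token returns 403, leaving the cart unchanged.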
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the i-love-flamingo/flamingo-commerce team and are waiting to hear back a year ago


Please see

i-love-flamingo/flamingo-commerce maintainer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
i-love-flamingo/flamingo-commerce maintainer marked this as fixed with commit afe9d2 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE