Cross-Site Request Forgery in running scheduler by using GET method in autolab/autolab


Reported on

May 11th 2022


There is a CSRF vulnerability in the Autolab source code: running a scheduler is triggered by a GET request, so this state-changing action can be invoked cross-site.

Proof of Concept

  1. Install a local instance of Autolab
  2. Go to /courses/<course-name>/schedulers and create a scheduler
  3. Access the link /courses/<course-name>/schedulers/<scheduler-id>/run and see that the scheduler is run


An attacker can force a logged-in user's browser to run schedulers without the user's intent.
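The following is an added example, not Autolab's code, that models why routing a state-changing action through GET defeats Rails-style forgery protection and how moving it to POST with an authenticity token fixes it. The `App`, `Session`, `Request` and `SchedulerController` classes are constructed stand-ins for the real framework; the route pattern mirrors the report's URL and the session/token values are generated inline.

```ruby
# Added example (hypothetical model, not Autolab's or Rails' own code).
# Rails' protect_from_forgery only verifies the authenticity token on verbs
# other than GET/HEAD, so a "run" action reachable via GET can be triggered by
# any cross-site page: the browser attaches the victim's session cookie, and
# there is no token for the server to check.
require 'securerandom'

# Constructed session: one CSRF token per logged-in session.
class Session
  attr_reader :csrf_token
  def initialize
    @csrf_token = SecureRandom.hex(16)
  end
end

Request = Struct.new(:method, :path, :session, :params, keyword_init: true)

# Stand-in for the controller action that runs a scheduler.
class SchedulerController
  attr_reader :runs
  def initialize
    @runs = []
  end

  def run(scheduler_id)
    @runs << scheduler_id
    :ran
  end
end

# Minimal dispatcher: one route, bound to a configurable verb.
#   App.new(:get)  models the vulnerable `get 'run'` routing
#   App.new(:post) models the fixed `post 'run'` routing
class App
  RUN_PATH = %r{\A/courses/[^/]+/schedulers/(\d+)/run\z}.freeze

  attr_reader :controller

  def initialize(run_verb)
    @run_verb = run_verb
    @controller = SchedulerController.new
  end

  # Mirrors Rails: GET/HEAD are assumed safe and skip the token check;
  # every other verb must carry a token matching the session's.
  def forgery_protected?(req)
    return true if %i[get head].include?(req.method)
    token = req.params[:authenticity_token]
    return false if token.nil? || req.session.nil?
    secure_compare(token, req.session.csrf_token)
  end

  def dispatch(req)
    m = RUN_PATH.match(req.path)
    return :not_found unless m
    return :method_not_allowed unless req.method == @run_verb
    return :forbidden unless forgery_protected?(req)
    @controller.run(m[1].to_i)
  end

  private

  # Constant-time comparison so the token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Simulate the two request kinds a defender cares about for a given routing:
#   forged: cross-site request; cookie (session) present, no token readable
#   legit:  same-site form submission carrying the session's token
def demo(run_verb)
  app = App.new(run_verb)
  victim = Session.new
  path = '/courses/cs101/schedulers/7/run' # constructed sample URL

  forged = Request.new(method: run_verb, path: path, session: victim, params: {})
  legit = Request.new(method: run_verb, path: path, session: victim,
                      params: { authenticity_token: victim.csrf_token })
  wrong = Request.new(method: run_verb, path: path, session: victim,
                      params: { authenticity_token: 'not-the-token' })

  {
    forged: app.dispatch(forged),
    legit: app.dispatch(legit),
    wrong_token: app.dispatch(wrong),
    runs: app.controller.runs
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "GET routing:  #{demo(:get).inspect}"
  puts "POST routing: #{demo(:post).inspect}"
end
```

With GET routing the forged request runs the scheduler exactly as the legitimate one does, which is the report's finding; with POST routing the forged and wrong-token requests are rejected and only the token-bearing submission runs it. The same model also shows why a token alone is not a fix if the route stays on GET: the check is never reached for that verb.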


We are processing your report and will contact the autolab team within 24 hours. a year ago
We have contacted a member of the autolab team and are waiting to hear back a year ago
Joey Wildman validated this vulnerability a year ago

We have verified this issue and are working on a fix.

justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Damian Ho marked this as fixed in 2.8.0 with commit af5eb6 a year ago
Damian Ho has been awarded the fix bounty
This vulnerability will not receive a CVE
routes.rb#L75 has been validated