The settings of repositories is vulnerable to CSRF in ikus060/rdiffweb
Valid
Reported on Sep 19th 2022
Description
A malicious user can change the settings of a repository by sending a crafted URL to a logged-in victim; the settings endpoint applies the change on a plain GET request without any CSRF protection.
Proof of Concept
1. Log in to the application at https://rdiffweb-demo.ikus-soft.com/settings/admin/test-encoding .
2. Go to test-encoding.
3. Check that the value of "Remove older" is "Forever".
4. Open the URL https://rdiffweb-demo.ikus-soft.com/settings/admin/test-encoding?keepdays=1 .
5. Refresh the page.
6. The setting has been updated.

Impact
A malicious user can change the settings of a repository (here the retention period) on behalf of any logged-in user who opens the link.
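To show the defect next to its fix, here is an added Python example; it is not rdiffweb's own code. The Request and Repo types, and the use of -1 to model the "Forever" retention value, are assumptions used to stand in for the real settings handler.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    params: dict                              # merged query-string / form parameters (assumed shape)
    session: dict = field(default_factory=dict)


@dataclass
class Repo:
    name: str
    keepdays: int = -1                        # -1 models the "Forever" value shown on the settings page


def issue_csrf_token(session):
    """Store a fresh random token in the session; the settings form must echo it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def update_keepdays_vulnerable(repo, request):
    """Before: any request carrying ?keepdays=N mutates the repository, so a link the
    victim opens while logged in (a cross-site GET with no token) is enough."""
    if "keepdays" in request.params:
        repo.keepdays = int(request.params["keepdays"])
        return True
    return False


def update_keepdays_hardened(repo, request):
    """After: only an explicit POST that carries the session-bound CSRF token may mutate."""
    if request.method != "POST":
        return False                          # state changes never happen on GET
    expected = request.session.get("csrf_token")
    supplied = request.params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False                          # missing or mismatched token: reject
    if "keepdays" in request.params:
        repo.keepdays = int(request.params["keepdays"])
        return True
    return False
```

The token check is the primary fix; marking the session cookie SameSite=Strict would additionally stop the browser from attaching it to this cross-site GET, whereas SameSite=Lax still sends cookies on top-level navigations.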
Sure, once we get the go-ahead from the maintainer, we can assign and publish a CVE for you :)
Hi Maintainer,
Could you reply so that @admin can provide the CVE?