Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on Nov 29th 2021


Description

Very low severity CSRF in /comments/thanks/{id}: the quick-thanks action is performed on a plain GET request, so any third-party page can trigger it for a logged-in user with nothing more than a link (no CSRF token is involved).

Proof of Concept

<a href="http://[UNIT3D-URL]/comments/thanks/{id}">CLICK ME!</a>

Impact

This vulnerability is capable of tricking users into sending a quick thanks. Because the proof of concept is a top-level navigation (a clicked link), it works under Laravel's default SameSite=Lax cookie policy, which still attaches the session cookie to cross-site GET navigations. A repeated, automatic attack (for example via <img> tags or scripted requests fired from an attacker's page) would additionally require the site's admins to have set SameSite=None; in that case a user could be tricked into infringing the rate limits and getting themselves banned.
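The pattern behind this report, shown as an added example that is not UNIT3D's own code and not the contents of the fix commit: a state-changing action exposed on a GET route, beside the hardened form that is POST-only so Laravel's CSRF middleware applies. The controller name, method name and route name are assumptions for illustration.

```php
<?php
// Added example, not UNIT3D's code. Assumed names: CommentController,
// its thanks() method and the 'comments.thanks' route name.

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\CommentController;

// --- Vulnerable pattern -------------------------------------------------
// A state-changing action on GET. Any cross-site page can trigger it with
// <a href="https://tracker.example/comments/thanks/42">, and a clicked link
// is a top-level navigation, so the session cookie is sent even under the
// default SameSite=Lax policy. No token is checked because VerifyCsrfToken
// only inspects POST/PUT/PATCH/DELETE.
Route::get('comments/thanks/{id}', [CommentController::class, 'thanks'])
    ->middleware('auth');

// --- Hardened pattern ---------------------------------------------------
// POST only. Inside the 'web' middleware group Laravel's VerifyCsrfToken
// compares the submitted _token with the session token and answers
// HTTP 419 on mismatch, so a third-party page cannot forge the request
// regardless of the SameSite setting.
Route::post('comments/thanks/{id}', [CommentController::class, 'thanks'])
    ->middleware('auth')
    ->name('comments.thanks');
```

The matching view change is to replace the `<a href="{{ route('comments.thanks', $comment->id) }}">` link with a `<form method="POST" action="{{ route('comments.thanks', $comment->id) }}">` containing `@csrf` and a submit button; the `@csrf` directive emits the hidden `_token` field the middleware checks. Tightening SameSite is worth doing as defence in depth, but it does not fix this bug on its own, since a Lax cookie still accompanies the link-click PoC above.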

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours.
We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back.
HDVinnie validated this vulnerability.
haxatron has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
HDVinnie marked this as fixed in 5.3.0 with commit a49560.
HDVinnie has been awarded the fix bounty.
This vulnerability will not receive a CVE.
web.php#L185 has been validated.
torrent.blade.php#L88-L90 has been validated.