Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Nov 29th 2021


Description

Very low severity CSRF in /comments/thanks/{id}

Proof of Concept

<a href="http://[UNIT3D-URL]/comments/thanks/{id}">CLICK ME!</a>

Impact

This vulnerability is capable of tricking users to send quick thanks. Can potentially trick users to infringe rate limits and get themselves banned via a repeated CSRF attack if admins choose to set SameSite=None.

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. a year ago
We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back a year ago
HDVinnie validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed in 5.3.0 with commit a49560 a year ago
HDVinnie has been awarded the fix bounty
This vulnerability will not receive a CVE
web.php#L185 has been validated
torrent.blade.php#L88L90 has been validated
to join this conversation