Cross-Site Request Forgery (CSRF) in emoncms/dashboard


Reported on

Jul 22nd 2021

BUG

CSRF bug to regenerate API key


  1. First log in to your account and open the link http://localhost/emoncms/user/newapikeywrite.json; a new API key will be generated.


Any attacker can send this link to a victim, and when the victim opens the link their API key will be changed.
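The root cause described in the report is a state-changing endpoint (regenerating the write API key) that is reachable by a plain GET and authorises the action on nothing but the browser-attached session cookie. The following is an added example, not emoncms code and not the maintainers' fix: a small Python simulation of that request-handling decision, with the vulnerable handler beside a hardened one that requires POST, a per-session anti-CSRF token compared in constant time, and a same-origin `Origin` header when one is present. The cookie name `EMONCMS_SESSID`, the `Server`/`Request` classes and the helper names are assumptions made for the example; the path string is the one from the report.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed cookie name for this example only (not an emoncms identifier).
SESSION_COOKIE = "EMONCMS_SESSID"


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Server:
    """Constructed in-memory server state: sessions, API keys, CSRF tokens."""
    origin: str = "http://localhost"
    sessions: dict = field(default_factory=dict)     # session id -> user
    apikeys: dict = field(default_factory=dict)      # user -> write API key
    csrf_tokens: dict = field(default_factory=dict)  # session id -> token

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.apikeys.setdefault(user, secrets.token_hex(16))
        self.csrf_tokens[sid] = secrets.token_hex(32)  # one token per session
        return sid

    def _user_for(self, req):
        return self.sessions.get(req.cookies.get(SESSION_COOKIE))

    def newapikey_vulnerable(self, req):
        """Vulnerable pattern: the session cookie alone authorises a state change,
        and the browser attaches that cookie to a cross-site GET link too."""
        user = self._user_for(req)
        if user is None:
            return 401, None
        self.apikeys[user] = secrets.token_hex(16)
        return 200, self.apikeys[user]

    def newapikey_hardened(self, req):
        """Hardened pattern: POST only, per-session token, same-origin Origin."""
        user = self._user_for(req)
        if user is None:
            return 401, None
        if req.method != "POST":
            return 405, None  # a navigable link can never trigger this
        expected = self.csrf_tokens[req.cookies[SESSION_COOKIE]].encode()
        supplied = req.form.get("csrf_token", "").encode()
        if not hmac.compare_digest(expected, supplied):
            return 403, None  # attacker cannot read the victim's token
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.origin:
            return 403, None  # defence in depth: reject foreign origins
        self.apikeys[user] = secrets.token_hex(16)
        return 200, self.apikeys[user]


def csrf_link_attack(server, sid):
    """Victim opens the attacker's link while logged in: cookie attached, no token.
    Returns (status_vulnerable, status_hardened, changed_vulnerable, changed_hardened)."""
    user = server.sessions[sid]
    req = Request("GET", "/emoncms/user/newapikeywrite.json",
                  cookies={SESSION_COOKIE: sid},
                  headers={"Referer": "http://attacker.example/"})
    before = server.apikeys[user]
    status_vuln, _ = server.newapikey_vulnerable(req)
    changed_vuln = server.apikeys[user] != before
    before = server.apikeys[user]
    status_hard, _ = server.newapikey_hardened(req)
    changed_hard = server.apikeys[user] != before
    return status_vuln, status_hard, changed_vuln, changed_hard


def forged_post_attack(server, sid):
    """Attacker page auto-submits a cross-site POST: cookie still rides along,
    but the token is unknown to the attacker and Origin is foreign."""
    user = server.sessions[sid]
    before = server.apikeys[user]
    req = Request("POST", "/emoncms/user/newapikeywrite.json",
                  cookies={SESSION_COOKIE: sid},
                  headers={"Origin": "http://attacker.example"},
                  form={"csrf_token": "guess"})
    status, _ = server.newapikey_hardened(req)
    return status, server.apikeys[user] != before


def legitimate_regenerate(server, sid):
    """Intended flow: same-origin form POST carrying the session's own token."""
    user = server.sessions[sid]
    before = server.apikeys[user]
    req = Request("POST", "/emoncms/user/newapikeywrite.json",
                  cookies={SESSION_COOKIE: sid},
                  headers={"Origin": server.origin},
                  form={"csrf_token": server.csrf_tokens[sid]})
    status, key = server.newapikey_hardened(req)
    return status, key != before and key == server.apikeys[user]
```

Running `csrf_link_attack` shows the vulnerable handler rotating the key on a bare link while the hardened one refuses the GET outright; `forged_post_attack` shows why switching to POST alone is not enough, since the token check is what stops a cross-site form submission. Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side mitigation, but the token check should not depend on it.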

STUDY

We have contacted a member of the emoncms/dashboard team and are waiting to hear back 2 years ago
An emoncms/dashboard maintainer validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
An emoncms/dashboard maintainer
2 years ago

Here's the fix in the core repo

I will link the last commit in the dashboard repo to close this issue.

Thanks again!

An emoncms/dashboard maintainer marked this as fixed with commit 58af4f 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE