Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney

Valid

Reported on

Jul 18th 2021


✍️ Description

CSRF vulnerability in the project deletion endpoint: the request that deletes a project is accepted without any anti-CSRF token, so a logged-in user can be made to delete their own project.

🕵️‍♂️ Proof of Concept

1. Go to https://ihatemoney.org/ and create a new project named XXXX.
2. While logged in to that project, the request below is vulnerable to CSRF and deletes the whole project. It carries no CSRF token and requires no confirmation, so any cross-site page that makes the victim's browser load this URL (the browser attaches the project's session cookie automatically) triggers the deletion:
https://ihatemoney.org/xxxx/delete

💥 Impact

An attacker can delete a victim's project just by getting the victim to open a link while logged in; no interaction beyond loading the URL is needed.
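To make the failure mode and the fix concrete, here is an added example that is not ihatemoney's code and not the fix the maintainers shipped. It is a standard-library Python model, assuming a server-side session record tied to one project and a delete handler shaped like the PoC URL: the vulnerable handler deletes on any request that carries a valid session, while the hardened one renders a confirmation page on GET and only deletes on a POST whose token matches a session-bound HMAC. A cross-site page can make the browser send the cookie, but it cannot read or derive that token.

```python
import hashlib
import hmac
import secrets


def new_session(project_id):
    """Victim's authenticated session (the server-side record behind the cookie).
    Hypothetical shape; ihatemoney's real session layout is not modelled."""
    return {"project": project_id, "csrf_secret": secrets.token_hex(32)}


def csrf_token(session):
    """Token the legitimate confirmation form embeds. It is derived from a
    per-session secret, so a page on another origin cannot know or guess it."""
    return hmac.new(session["csrf_secret"].encode(), b"delete-project",
                    hashlib.sha256).hexdigest()


def delete_vulnerable(projects, method, session, project_id, form=None):
    """Models the reported flaw: whoever presents a valid session cookie for
    the project deletes it, on any HTTP method and with no token check."""
    if session.get("project") != project_id:
        return 403
    projects.pop(project_id, None)
    return 302


def delete_hardened(projects, method, session, project_id, form=None):
    """State change only on a POST carrying a token that matches the session."""
    if session.get("project") != project_id:
        return 403
    if method == "GET":
        return 200                      # confirmation page; nothing deleted
    if method != "POST":
        return 405
    submitted = (form or {}).get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, csrf_token(session)):
        return 400
    projects.pop(project_id, None)
    return 302


def cross_site_attack(handler):
    """Victim is logged in to project 'xxxx' and visits an attacker page that
    (1) loads the delete URL via an <img> tag, i.e. a plain GET, and
    (2) auto-submits a form with a guessed token. Returns the two response
    statuses and whether the project survived."""
    projects = {"xxxx": {"name": "XXXX"}}      # constructed sample data
    victim = new_session("xxxx")
    statuses = [
        handler(projects, "GET", victim, "xxxx"),
        handler(projects, "POST", victim, "xxxx", {"csrf_token": "0" * 64}),
    ]
    return statuses, "xxxx" in projects


def legitimate_delete(handler):
    """The real owner loads the confirmation page, then submits the form it
    rendered, which carries the session-bound token."""
    projects = {"xxxx": {"name": "XXXX"}}      # constructed sample data
    owner = new_session("xxxx")
    handler(projects, "GET", owner, "xxxx")
    status = handler(projects, "POST", owner, "xxxx",
                     {"csrf_token": csrf_token(owner)})
    return status, "xxxx" in projects


if __name__ == "__main__":
    print("vulnerable, cross-site:", cross_site_attack(delete_vulnerable))
    print("hardened,   cross-site:", cross_site_attack(delete_hardened))
    print("hardened,   owner     :", legitimate_delete(delete_hardened))
```

Running it shows the vulnerable handler deleting the project on the first cross-site GET, while the hardened one returns the confirmation page on GET, rejects the forged POST with 400, and still deletes for the owner's own form submission. The two properties that matter are that no state changes on GET and that the POST is gated on a secret the attacker's origin cannot obtain; setting the session cookie to SameSite=Lax is a sensible second layer, but it is not a substitute for the token, since it does not protect every request shape.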

Occurrences

Z-Old
2 years ago

Admin

Hey ranjit, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the spiral-project/ihatemoney team and are waiting to hear back 2 years ago
spiral-project/ihatemoney maintainer marked this as fixed with commit 2bb6f2 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
spiral-project/ihatemoney maintainer
2 years ago

The reference link is wrong. It's a real issue, we had already fixed it.
