Cross-Site Request Forgery (CSRF) in pheditor/pheditor

Valid

Reported on

Dec 26th 2021


Description

Hi there, there is a minor CSRF problem in your logout function; it will force the user to log out without their consent.

Proof of Concept

  1. Install pheditor on your system
  2. Log in as admin
  3. Go to this link /pheditor/pheditor.php?logout=1
  4. See that you are logged out of pheditor.

Impact

This vulnerability is capable of CSRF.
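How the reported flaw and a remediation look in code, as an added example that is neither pheditor's own code nor the actual fix landed in commit 7660bd (which this page does not show): the function names, the csrf_token field and the form markup are assumptions.

```php
<?php
// Added example, not pheditor's own code: the GET-triggered logout check the report
// describes beside a hardened one. Function names and the csrf_token field are assumptions.

// Vulnerable: any request carrying ?logout=1 is honoured. A GET can be sent cross-site
// by a plain link or image load, so the user's intent is never proven.
function logout_requested_vulnerable(array $query): bool
{
    return ($query['logout'] ?? '') === '1';
}

// Hardened: a random token is issued once per session and carried by the app's own
// logout form; only a POST that echoes it back is honoured.
function issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The form the app renders; the hidden field returns the token on submit.
function logout_form(array &$session): string
{
    $token = htmlspecialchars(issue_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="pheditor.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit" name="logout" value="1">Logout</button></form>';
}

// hash_equals() compares in constant time; a missing or non-string token is refused.
function logout_requested_hardened(string $method, array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $method === 'POST' && ($post['logout'] ?? '') === '1'
        && $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed demo with an in-memory session array: the hardened check refuses a
// cross-site GET and a forged POST and accepts only the form's own POST; the old
// check honours the bare GET. In the app, true is followed by $_SESSION = []; session_destroy();
$session = [];
echo logout_form($session), PHP_EOL;
$token = $session['csrf_token'];
var_dump(logout_requested_hardened('GET', ['logout' => '1'], $session));
var_dump(logout_requested_hardened('POST', ['logout' => '1', 'csrf_token' => 'forged'], $session));
var_dump(logout_requested_hardened('POST', ['logout' => '1', 'csrf_token' => $token], $session));
var_dump(logout_requested_vulnerable(['logout' => '1']));
```

Requiring POST alone is not enough on its own, since a cross-site form can also POST; the per-session token is what ties the request to the user's own page.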

We are processing your report and will contact the pheditor team within 24 hours. a year ago
We have contacted a member of the pheditor team and are waiting to hear back a year ago
We have sent a follow up to the pheditor team. We will try again in 7 days. a year ago
We have sent a second follow up to the pheditor team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the pheditor team. This report is now considered stale. a year ago
Hamid Samak validated this vulnerability a year ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak marked this as fixed in 2.0.0 with commit 7660bd a year ago
Hamid Samak has been awarded the fix bounty
This vulnerability will not receive a CVE