Cross-Site Request Forgery (CSRF) in amirsanni/mini-inventory-and-sales-management-system


Reported on

Sep 7th 2021

✍️ Description

An attacker can delete administrator accounts if a logged-in administrator visits an attacker-controlled web page: the delete request carries no anti-CSRF token, so the browser's session cookie alone is enough to authorize it.

🕵️‍♂️ Proof of Concept

1. While logged in, open the POC.html below in a browser (tested on Firefox and Safari) and submit the form; you will find that an administrator account has been deleted without your intent.

```html
<!-- POC.html: CSRF proof of concept from the report, completed with the
     closing tags it was missing. The form target (the application's
     delete-administrator endpoint) is not given in the report; fill it in
     as the action attribute. -->
<html>
  <body>
    <!-- Rewrite the visible URL so the victim does not see the attacker's path. -->
    <script>history.pushState('', '', '/')</script>
    <!-- Same shape as the application's own delete form; the session cookie
         is attached automatically because the request is a top-level POST. -->
    <form action="" method="POST">
      <input type="hidden" name="_aId" value="396" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

💥 Impact

This vulnerability lets an attacker trick an administrator into unintentionally deleting an account.

💥 Test

Tested on Firefox and Safari.

💥 Fix

A CSRF token should be required on this request (and on every other state-changing request) and verified server-side against the token tied to the user's session; a request without a matching token must be rejected before any deletion takes place. Setting the session cookie's SameSite attribute is a useful second layer but does not replace the token.
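The synchronizer-token pattern that fix describes, as an added example in framework-neutral Python (not the project's code, whose language and fix commit are not shown on this page). The session dict, the in-memory admin table, the `/admin/delete` action path and the `csrf_token` field name are constructed for the demonstration; only `_aId` comes from the PoC. `demo()` runs three request shapes against the handler: the server-rendered form, the PoC's forged request, and a forged request with a guessed token.

```python
"""Synchronizer-token CSRF protection, modelled in plain Python.

Constructed example, not the project's code: a session dict, an in-memory
admin table and a request handler stand in for the real application.  The
field name `_aId` comes from the PoC; `csrf_token` and the action path are
assumed.
"""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"   # assumed hidden-field name, not from the report


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating one on first use.

    The token is random and per session.  It exists only server-side and in
    pages the server renders to this user, so a cross-site page cannot read
    it: the same-origin policy blocks reading another origin's response.
    """
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_delete_form(session: dict, admin_id: int, action: str) -> str:
    """Server-rendered delete form: same shape as the PoC, plus the token."""
    token = issue_csrf_token(session)
    return (
        f'<form action="{action}" method="POST">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}" />\n'
        f'  <input type="hidden" name="_aId" value="{admin_id}" />\n'
        f'  <input type="submit" value="Delete" />\n'
        f'</form>'
    )


def csrf_token_is_valid(session: dict, form: dict) -> bool:
    """Constant-time compare; a missing session or form token fails closed."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_delete_admin(session: dict, form: dict, admins: set) -> tuple:
    """POST handler for the delete-admin action; returns (status, message).

    The token check runs before any parsing or business logic, so a forged
    request never reaches the delete.
    """
    if not csrf_token_is_valid(session, form):
        return 403, "CSRF token missing or invalid"
    try:
        admin_id = int(form.get("_aId", ""))
    except ValueError:
        return 400, "bad _aId"
    if admin_id not in admins:
        return 404, "no such admin"
    admins.discard(admin_id)
    return 200, f"deleted admin {admin_id}"


def demo() -> dict:
    """Run the three request shapes and report the outcomes."""
    session = {"user": "admin"}   # the victim's logged-in session (constructed)
    admins = {396, 397}           # constructed admin table

    # Legitimate request: the browser submits the form the server rendered.
    html = render_delete_form(session, 397, "/admin/delete")
    token = session[TOKEN_FIELD]
    legit = handle_delete_admin(session, {TOKEN_FIELD: token, "_aId": "397"}, admins)

    # Forged request: the attacker's page (the PoC) can only send `_aId`.
    forged = handle_delete_admin(session, {"_aId": "396"}, admins)

    # Guessed token: right shape, wrong value; still rejected.
    guessed = handle_delete_admin(
        session, {TOKEN_FIELD: secrets.token_urlsafe(32), "_aId": "396"}, admins
    )
    return {
        "legit": legit,
        "forged": forged,
        "guessed": guessed,
        "admins": admins,
        "form_has_token": token in html,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check is deliberately the first thing the handler does and compares in constant time; the token is bound to the session rather than global, so a token leaked from one user's page is useless against another session.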


We have contacted a member of the amirsanni/mini-inventory-and-sales-management-system team and are waiting to hear back 3 months ago


Hi, have you checked this report?

Amir validated this vulnerability 7 days ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
Amir confirmed that a fix has been merged on ba36f6 7 days ago
Amir has been awarded the fix bounty