Cross-Site Request Forgery (CSRF) in namelessmc/nameless


Reported on Oct 10th 2021


Several endpoints are vulnerable to CSRF

1: module install /index.php?route=/panel/core/modules/&action=install

2: clear template cache /index.php?route=/panel/core/panel_templates/&action=clear_cache

3: install templates, activate template, deactivate template, delete template, make_default... /index.php?route=/panel/core/panel_templates/&action=install

4: purge alerts /index.php?route=/user/alerts/&action=purge

Proof of Concept

Open up this index.html
<img src="http://[NAMELESS]/index.php?route=/panel/core/panel_templates/&action=clear_cache">


This vulnerability is capable of modifying templates, clearing the cache and installing modules by tricking the admin user.
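
The endpoints above act on a plain GET request, which the browser sends with the admin's session cookie even when it is triggered by an `<img>` tag on another site. The following added example (not NamelessMC's code and not the change made in the fix commit) shows the server-side check that stops this: state changes only on POST with a session-bound token. The function names, the `token` field and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not NamelessMC's own API.

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a state-changing panel action may run.
 * $method is $_SERVER['REQUEST_METHOD'], $post is $_POST, $session is $_SESSION.
 */
function action_allowed(string $method, array $post, array $session): bool
{
    // A GET (for example an <img src=...> load) must never change state.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['token'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === '') {
        return false;
    }
    // Constant-time comparison of the session token and the submitted one.
    return hash_equals($expected, $supplied);
}

// Constructed requests against an action such as clear_cache.
$session = [];
$token = csrf_token($session);

$cases = [
    'img-tag GET from another site'  => ['GET', []],
    'cross-site POST without token'  => ['POST', []],
    'cross-site POST, guessed token' => ['POST', ['token' => str_repeat('0', 64)]],
    'panel form POST with token'     => ['POST', ['token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    $verdict = action_allowed($method, $post, $session) ? 'run action' : 'reject (403)';
    printf("%-32s %s\n", $label, $verdict);
}
```

The panel templates would embed `csrf_token($_SESSION)` in a hidden `token` field of each form that posts to these actions.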



We have contacted a member of the namelessmc/nameless team and are waiting to hear back a year ago
haxatron modified the report a year ago
Sam validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
namelessmc/nameless maintainer marked this as fixed with commit 803104 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
panel_templates.tpl#L39L42 has been validated
alerts.tpl#L1L57 has been validated
panel_templates.tpl#L87 has been validated
modules.tpl#L32L79 has been validated
panel_templates.tpl#L72 has been validated
alerts.php#L24L83 has been validated
modules.php#L271L298 has been validated