Cross-Site Request Forgery (CSRF) in kunstmaan/kunstmaanbundlescms


Reported on

Nov 23rd 2021


An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

  <html>
    <body>
      <!-- Rewrites the address bar so the victim sees "/" rather than the PoC page -->
      <script>history.pushState('', '', '/')</script>
      <!-- GET form; action is the target application's logout URL -->
      <form action="">
        <input type="submit" value="Submit request" />
      </form>
    </body>
  </html>


This vulnerability is capable of forcing users into an unintentional logout.

More details

One way GET could be abused here is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out. This is why it should be a POST with a CSRF token.


While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

We are processing your report and will contact the kunstmaan/kunstmaanbundlescms team within 24 hours. 2 years ago
We have contacted a member of the kunstmaan/kunstmaanbundlescms team and are waiting to hear back 2 years ago
We have sent a follow up to the kunstmaan/kunstmaanbundlescms team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the kunstmaan/kunstmaanbundlescms team. We will try again in 7 days. 2 years ago
khanhchauminh
2 years ago


Hi @admin,

I see that the maintainer committed a fix for this vulnerability 14 days ago on their project:

How can I let them go here and validate this report?

Jamie Slome
2 years ago

@khanhchauminh - I would recommend dropping the URL for this report as a comment on the commit you sent, and asking if the maintainer could take a look. They will have the necessary permissions to view the page, assuming they have write access to the repository.

kunstmaan/kunstmaanbundlescms maintainer validated this vulnerability 2 years ago
khanhchauminh has been awarded the disclosure bounty
The fix bounty is now up for grabs
kunstmaan/kunstmaanbundlescms maintainer marked this as fixed in 6.2.0 with commit 82ba64 2 years ago
The fix bounty has been dropped
kunstmaan/kunstmaanbundlescms maintainer
2 years ago


Sorry, I thought I had confirmed the report already, thanks for reminding me!
