Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Nov 15th 2021


Description

More CSRFs, this time related to the warnings feature. The following routes perform a state change but are reachable with a plain GET request:

1: /warnings/{id}/deactivate

2: /warnings/{username}/mass-deactivate

3: /warnings/{id}/restore

Proof of Concept

<a href="http://[UNITED-URL]/warnings/{id}/restore">CLICK ME!</a>

Impact

This vulnerability is capable of tricking users into deactivating / restoring warnings.

Occurrences

api deactivate / mass-deactivate

mass-deactivate blade (not to be confused with mass-delete directly above)

api restore
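The pattern behind all three occurrences, as an added illustration and not the project's own code: a state-changing warning action registered on a GET route in Laravel's routes/web.php and reached from a blade link, beside the hardened form. The route names, controller class and blade markup are assumed for illustration; what is not assumed is that Laravel's VerifyCsrfToken middleware (part of the "web" group) skips token checks on GET, HEAD and OPTIONS, so only moving the action to POST (or another non-safe method) puts it behind the token.

```php
<?php
// routes/web.php (illustrative, not the project's actual lines)

use App\Http\Controllers\WarningController; // assumed controller name

// Vulnerable: a state change behind a GET route. VerifyCsrfToken treats
// GET as a "read" and never validates a token, so any page the victim
// visits can trigger this with a link, an <img> src or a redirect.
Route::get('warnings/{id}/restore', [WarningController::class, 'restore'])
    ->name('warnings.restore');

// Hardened: the same actions on POST. The middleware now compares the
// _token field (or X-CSRF-TOKEN header) with the session token on every
// request and rejects a mismatch with HTTP 419 before the controller runs.
Route::post('warnings/{id}/restore', [WarningController::class, 'restore'])
    ->name('warnings.restore');
Route::post('warnings/{id}/deactivate', [WarningController::class, 'deactivate'])
    ->name('warnings.deactivate');
Route::post('warnings/{username}/mass-deactivate', [WarningController::class, 'massDeactivate'])
    ->name('warnings.mass-deactivate');
?>

{{-- resources/views/warnings/log.blade.php (illustrative) --}}

{{-- Vulnerable: a bare link, i.e. a GET with no token --}}
<a href="{{ route('warnings.restore', ['id' => $warning->id]) }}">Restore</a>

{{-- Hardened: a form that carries the session CSRF token. @csrf expands
     to a hidden _token input; an attacker's page cannot read that value,
     so a forged cross-site POST fails the middleware check. --}}
<form method="POST" action="{{ route('warnings.restore', ['id' => $warning->id]) }}">
    @csrf
    <button type="submit">Restore</button>
</form>
```

Reviewing a Laravel app for this class of bug comes down to listing every Route::get (or Route::any) whose controller method writes to the database and checking that no blade view links to it directly.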

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours.
HDVinnie validated this vulnerability
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on 33f490
HDVinnie has been awarded the fix bounty
web.php#L285L286 has been validated
warninglog.blade.php#L35L41 has been validated
web.php#L289 has been validated