Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition


Reported on Nov 15th 2021


More CSRFs, this time in the warnings feature. The following routes change state in response to a plain GET request, with no CSRF token checked:

1: /warnings/{id}/deactivate

2: /warnings/{username}/mass-deactivate

3: /warnings/{id}/restore

Proof of Concept

<a href="http://[UNITED-URL]/warnings/{id}/restore">CLICK ME!</a>


A logged-in user who is allowed to manage warnings and follows such a link (or loads a page that embeds it as an image or redirect) deactivates, mass-deactivates or restores the targeted warning(s) without intending to: the routes perform the state change on a plain GET, the browser attaches the victim's session cookie automatically, and no CSRF token is validated on the way in.
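The vulnerable route shape beside a hardened one, as an added illustration written for this page; it is not UNIT3D's own code and does not claim to reproduce the fix commit. The controller class and method names, the route names, the view path and the `$warning` variable are assumptions; only the three URL paths come from the report.

```php
<?php
// Illustration added for this page, not UNIT3D's code. WarningController, its
// method names, the route names and the view path are assumptions.

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\WarningController;

// Vulnerable shape: a state-changing action reachable with GET. Laravel's
// VerifyCsrfToken middleware only validates _token on POST/PUT/PATCH/DELETE, so
// a GET route is exercised by any <a href>, <img src> or redirect an attacker
// controls, with the victim's session cookie attached by the browser.
Route::get('/warnings/{id}/restore', [WarningController::class, 'restore']);

// Hardened shape: accept only POST. The middleware now rejects any request that
// lacks the session's token (HTTP 419), which a cross-site page cannot obtain.
Route::post('/warnings/{id}/restore', [WarningController::class, 'restore'])
    ->name('warnings.restore');
Route::post('/warnings/{id}/deactivate', [WarningController::class, 'deactivate'])
    ->name('warnings.deactivate');
Route::post('/warnings/{username}/mass-deactivate', [WarningController::class, 'massDeactivate'])
    ->name('warnings.mass-deactivate');

/*
 * The matching Blade change (assumed view path resources/views/.../warninglog.blade.php):
 * the plain <a href="/warnings/{id}/restore"> becomes a form that carries the token.
 *
 * <form method="POST" action="{{ route('warnings.restore', ['id' => $warning->id]) }}">
 *     @csrf
 *     <button type="submit" class="btn btn-sm btn-primary">Restore</button>
 * </form>
 */
```

Two caveats worth checking after such a change: first, grep the routes file for any remaining `Route::get` whose handler writes to the database, since the token check is tied to the HTTP method and not to the handler; second, do not rely on `config/session.php`'s `'same_site' => 'lax'` as the fix, because a Lax cookie is still sent on a top-level cross-site GET navigation, which is exactly what the `<a href>` proof of concept above performs.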


Affected code (as referenced in the report)

1: api deactivate / mass-deactivate

2: mass-deactivate blade (not to be confused with mass-delete directly above)

3: api restore

Timeline

The report was processed and the hdinnovations/unit3d-community-edition team contacted.

HDVinnie validated this vulnerability.

haxatron was awarded the disclosure bounty.

HDVinnie confirmed that a fix had been merged in commit 33f490 and was awarded the fix bounty.

Validated locations: web.php#L285-L286, warninglog.blade.php#L35-L41, web.php#L289.