Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Nov 16th 2021


Description

CSRF to delete chat messages: the chat message delete endpoint performs a state change on a plain GET request with no CSRF token, so any cross-site link (or embedded resource) pointing at it is executed with the victim's session.

POC

<a href="http://[UNIT3D-URL]/api/chat/message/[MESSAGE_ID]/delete">CLICK ME!</a>

Impact

An attacker who gets a logged-in user to follow the link (or to load a page that embeds the URL, since a GET also fires from an image or iframe source) deletes the chat message identified by [MESSAGE_ID] under that user's session. This is probably the last state-changing endpoint in your application which is unprotected from CSRF.

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. 18 days ago
HDVinnie validated this vulnerability 17 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on 2cc3f5 12 days ago
HDVinnie has been awarded the fix bounty
ChatPms.vue#L48L50 has been validated
ChatMessages.vue#L128L130 has been validated
vue.php#L50 has been validated