Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Nov 16th 2021


Description

CSRF to delete chat messages

POC

<a href="http://[UNIT3D-URL]/api/chat/message/[MESSAGE_ID]/delete">CLICK ME!</a>

Impact

This vulnerability can be used to trick logged-in users into deleting their own chat messages. This is probably the last state-changing endpoint in the application that is unprotected from CSRF.

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. a year ago
HDVinnie validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed with commit 2cc3f5 a year ago
HDVinnie has been awarded the fix bounty
This vulnerability will not receive a CVE
ChatPms.vue#L48-L50 has been validated
ChatMessages.vue#L128-L130 has been validated
vue.php#L50 has been validated