Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Reported on Nov 16th 2021

CSRF to delete chat messages


<a href="http://[UNIT3D-URL]/api/chat/message/[MESSAGE_ID]/delete">CLICK ME!</a>


This vulnerability is capable of tricking users into deleting messages. This is probably the last state-changing endpoint in your application which is unprotected from CSRF.

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. 18 days ago
HDVinnie validated this vulnerability 17 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on 2cc3f5 12 days ago
HDVinnie has been awarded the fix bounty
ChatPms.vue#L48L50 has been validated
ChatMessages.vue#L128L130 has been validated
vue.php#L50 has been validated