Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition


Reported on Sep 23rd 2021


An attacker is able to change a torrent's featured state to un-featured if a logged-in user visits the attacker's website.

Proof of Concept

While logged in, open this POC.html in a browser. You can then check that the torrent's state has changed to un-featured.

<script>history.pushState('', '', '/')</script>
<!-- action left empty as in the report; with no method attribute the form submits a plain GET -->
<form action="">
    <input type="submit" value="Submit request" />
</form>


This vulnerability lets an attacker forge a request that makes the user unintentionally change a torrent's featured state.


Tested on Safari.


You should require a CSRF token on such requests, or use POST instead of GET: because the session cookie's SameSite attribute is Lax, a request from another origin could not carry the cookie.
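To make the recommendation concrete, the following added example (not code from the report or from UNIT3D) models the browser's SameSite=Lax cookie rule and a minimal torrent app with the vulnerable GET handler beside the fixed POST-plus-token handler; the sites, torrent id 42 and the 419 status code are assumptions, the latter being Laravel's "token mismatch" response.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    initiator: str                      # site whose page created the request
    target: str                         # site the request is sent to
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def attach_cookies(req, jar):
    """Simplified SameSite rule: a Lax cookie rides on same-site requests and on
    cross-site top-level GET navigations (a form submit), never on cross-site POST."""
    for name, (value, policy) in jar.items():
        same_site = req.initiator == req.target
        if same_site or policy == "None" or (policy == "Lax" and req.method == "GET"):
            req.cookies[name] = value
    return req

class TorrentApp:
    def __init__(self):
        self.sessions, self.featured = {}, {42: True}   # constructed sample torrent

    def login(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"csrf": secrets.token_hex(16)}   # per-session token
        return sid

    def unfeature_vulnerable(self, req, tid):
        """GET route guarded only by the session cookie: what the report describes."""
        if req.cookies.get("session") not in self.sessions:
            return 401
        self.featured[tid] = False
        return 200

    def unfeature_fixed(self, req, tid):
        """POST route plus CSRF token check (the recommended fix)."""
        sess = self.sessions.get(req.cookies.get("session"))
        if req.method != "POST":
            return 405
        if sess is None:
            return 401
        if not secrets.compare_digest(req.form.get("_token", ""), sess["csrf"]):
            return 419                  # assumed: Laravel's token-mismatch status
        self.featured[tid] = False
        return 200

def run_scenario():
    app, results = TorrentApp(), {}
    jar = {"session": (app.login(), "Lax")}
    cross = lambda m, **f: attach_cookies(Request(m, "attacker.example", "tracker.example", f), jar)
    results["vuln_cross_site_get"] = app.unfeature_vulnerable(cross("GET"), 42)   # 200: state flipped
    app.featured[42] = True
    results["fixed_cross_site_post"] = app.unfeature_fixed(cross("POST"), 42)     # 401: cookie withheld
    results["fixed_cross_site_get"] = app.unfeature_fixed(cross("GET"), 42)       # 405: wrong method
    token = app.sessions[jar["session"][0]]["csrf"]
    legit = attach_cookies(Request("POST", "tracker.example", "tracker.example", {"_token": token}), jar)
    results["fixed_same_site_post"] = app.unfeature_fixed(legit, 42)              # 200: real user action
    results["featured_after"] = app.featured[42]
    return results
```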

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back 2 years ago
HDVinnie validated this vulnerability 2 years ago
hdvinnie has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed with commit 9d49c5 2 years ago
HDVinnie has been awarded the fix bounty
web.php#L276 has been validated
torrent.blade.php#L686-L696 has been validated