Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy


Reported on

Jul 30th 2021

✍️ Description

You don't check CSRF token in following endpoint /timers/1/restart/ with PoC.html attacker able to reset timer with id equal to 1.

🕵️‍♂️ Proof of Concept

// PoC.html

  <script>history.pushState('', '', '/')</script>
    <form action="">
      <input type="submit" value="Submit request" />

💥 Impact

This vulnerability is capable of reset any timer.


We have contacted a member of the babybuddy team and are waiting to hear back a year ago
Christopher Charbonneau Wells validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells confirmed that a fix has been merged on c2513f a year ago
Christopher Charbonneau Wells has been awarded the fix bounty
to join this conversation