Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition


Reported on Sep 23rd 2021


Attacker is able to disable the forum

Proof of Concept

When logged in, open this POC.html in a browser. It puts the website into maintenance mode.

<!-- Rewrites the address bar so the PoC page does not show its own URL -->
<script>history.pushState('', '', '/')</script>
<!-- action left empty as in the original report; on submit the browser sends a GET
     request carrying the victim's session cookie -->
<form action="">
    <input type="submit" value="Submit request" />
</form>

This vulnerability is capable of disabling the website.


We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back (a year ago)
hexdubbers modified the report (a year ago)


@hexdubbers this route is protected. While the POC works it only works if you are logged in as a user in the owner group. Hence why it works on the demo site using the demo owner login credentials.

However I do still agree it should be a POST request with CSRF token and not a GET.

I'm just not sure this disclosure is proper as is.

HDVinnie validated this vulnerability (a year ago)
hexdubbers has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on bde1c7 (a year ago)
HDVinnie has been awarded the fix bounty
web.php#L736 has been validated
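The change HDVinnie agrees is needed, a state-changing owner action reachable by GET moved behind POST and a CSRF token, expressed as Laravel routes. This is an added example for readers, not the project's own code or the actual fix in web.php; the route path, the `MaintenanceController` name and the `manage-site` ability are assumptions.

```php
<?php
// Added example (not UNIT3D's code). Laravel routes for a state-changing
// admin action, before and after the CSRF fix. Route path, controller and
// ability name are assumptions for illustration.

use Illuminate\Support\Facades\Route;
use App\Http\Controllers\MaintenanceController; // hypothetical controller

// BEFORE: the action is a GET route. Authorization ("only the owner group")
// is checked, but that does not stop CSRF: when an owner loads an attacker's
// page, the browser attaches the owner's session cookie to the forged GET,
// and Laravel's VerifyCsrfToken middleware does not check GET/HEAD/OPTIONS.
Route::get('/maintenance/toggle', [MaintenanceController::class, 'toggle'])
    ->middleware(['auth', 'can:manage-site'])
    ->name('maintenance.toggle');

// AFTER: POST only. Routes in routes/web.php carry the `web` middleware
// group, which includes VerifyCsrfToken. It compares the _token form field
// (or X-CSRF-TOKEN header) against the token stored in the victim's session
// and answers 419 on mismatch. A cross-origin page cannot read that token,
// so a forged form submission is rejected before the controller runs.
Route::post('/maintenance/toggle', [MaintenanceController::class, 'toggle'])
    ->middleware(['auth', 'can:manage-site'])
    ->name('maintenance.toggle');
```

In the Blade view, the legitimate form becomes `<form method="POST" action="{{ route('maintenance.toggle') }}">` with the `@csrf` directive inside it, which emits the hidden `_token` field the middleware expects. Moving the route to POST without the token only forces the attacker to use a form instead of a link, so both halves of the change are needed; the middleware check is what defeats the PoC above.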


@HDVinnie hey thanks for the bounty! I read your comment and I'm curious what the difference between this report and this "" one is that you reported. If an attacker sent an admin my POC and they clicked on it then the forum would be disabled. Please let me know if I am wrong since that is my understanding.
