CSRF Logout in aptabase/aptabase

Valid

Reported on

Aug 5th 2023


Description

An attacker can send a victim a link (possibly obfuscated) that points at the /signout endpoint; when the victim opens it, the user's state changes (logged in -> logged out), because the endpoint performs the sign-out on a plain GET request with no CSRF protection.

Proof of Concept

Payload: https://eu.aptabase.com/api/_auth/signout

Repro steps:
1. As a logged-in user on https://eu.aptabase.com/, open a new browser tab.
2. Paste and open the link https://eu.aptabase.com/api/_auth/signout; you are logged out.
3. Refresh the previous tab: it is logged out as well.

Payload example: Please <a href="https://eu.aptabase.com/api/_auth/signout">click</a> for a SWAGpack from us.

Proposed remediation: require CSRF tokens and accept POST instead of GET for the endpoint.
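The two remediations above, shown side by side in a minimal ASP.NET Core controller. This is an added illustration, not aptabase's AuthController.cs; it assumes cookie-based authentication, the default antiforgery service, and a hypothetical X-CSRF-TOKEN header name configured in Program.cs.

```csharp
// Added example (not aptabase's code): logout CSRF before and after.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// BEFORE (the reported pattern): a GET route that changes state. Any
// cross-site navigation (link, <img src>, redirect) sends the session
// cookie along, so a third-party page can end the victim's session.
//
//   [HttpGet("signout")]
//   public async Task<IActionResult> SignOut()
//   {
//       await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
//       return Redirect("/");
//   }

[ApiController]
[Route("api/_auth")]
public class AuthController : ControllerBase
{
    private readonly IAntiforgery _antiforgery;

    public AuthController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // AFTER: the state change is only reachable via POST, and only when the
    // request carries a valid anti-forgery token. A link or image cannot
    // issue a POST, and a cross-origin page cannot read the token to forge one.
    [HttpPost("signout")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> SignOut()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return NoContent();
    }

    // Issues the request token the front end echoes back in the
    // X-CSRF-TOKEN header (assumed header name, see Program.cs below).
    [HttpGet("csrf")]
    public IActionResult CsrfToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Ok(new { token = tokens.RequestToken });
    }
}

// Program.cs (assumed wiring): accept the token from a header, and set
// SameSite on the auth cookie as defence in depth against cross-site requests.
// builder.Services.AddAntiforgery(o => o.HeaderName = "X-CSRF-TOKEN");
// builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
//     .AddCookie(o => o.Cookie.SameSite = SameSiteMode.Lax);
```

A quick regression check for the fix is that a GET to /api/_auth/signout now returns 405 and a POST without the token returns 400 while the session stays valid.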

Impact

Changing the state of user (logged in -> logged out).

We are processing your report and will contact the aptabase team within 24 hours. 2 months ago
We have contacted a member of the aptabase team and are waiting to hear back a month ago
aptabase/aptabase maintainer
a month ago

Maintainer


Thanks. This has been fixed.

aptabase/aptabase maintainer validated this vulnerability a month ago
cod3rbm has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
aptabase/aptabase maintainer marked this as fixed in N/A with commit 058245 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
aptabase/aptabase maintainer published this vulnerability a month ago
AuthController.cs#L86 has been validated
cod3rbm
a month ago

Researcher


Hi @Maintainer, thank you for the message, quick action and your time here. I appreciate this. Professional & responsible approach. Have a good day. Kind regards,
