CSRF on marking an admin task as complete in chiefonboarding/chiefonboarding

Valid

Reported on

Sep 30th 2023


Description

AdminTaskToggleDoneView toggles an AdminTask's completed flag inside its get() handler, so the state change happens on a plain GET request, which makes it vulnerable to CSRF. Django's CsrfViewMiddleware treats GET, HEAD, OPTIONS and TRACE as safe methods and never checks a CSRF token on them, so any page the admin visits can trigger the change (for example through an <img> tag or a link pointing at the toggle URL); the browser attaches the admin's session cookie automatically.

Proof of Concept

from django.contrib.auth.mixins import LoginRequiredMixin
from django.shortcuts import get_object_or_404
from django.views.generic import RedirectView
# Project imports; these module paths are assumed, not taken from the report.
from admin_tasks.models import AdminTask
from users.mixins import ManagerPermMixin


class AdminTaskToggleDoneView(LoginRequiredMixin, ManagerPermMixin, RedirectView):
    permanent = False
    pattern_name = "admin_tasks:detail"

    # The state change lives in get(), so a cross-origin GET (link, <img>,
    # redirect) flips the flag; Django's CSRF check does not cover GET.
    def get(self, request, *args, **kwargs):
        task_id = self.kwargs.get("pk", -1)
        admin_task = get_object_or_404(AdminTask, id=task_id)
        admin_task.completed = not admin_task.completed
        admin_task.save()  # <- marked as completed (or un-completed) on a GET
        return super().get(request, *args, **kwargs)

Impact

An attacker who lures an authenticated admin or manager to a page they control can mark (or unmark) any admin task as completed in that user's name, without the user knowing.
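
As an added example (not part of the original report or of chiefonboarding's code), the standalone Python below models the attack and the fix without a Django install: a view that toggles state on GET, the attacker's <img> page that makes the admin's browser issue that GET with its cookies attached, and a hardened view that refuses non-POST requests and checks a per-session token with a constant-time comparison. The AdminTask and Request classes, the TASKS table, the helper names and the toggle URL are constructed stand-ins; the token check is a simplified version of the double-submit pattern, not Django's middleware.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AdminTask:
    """Constructed stand-in for the AdminTask row (not the project's model)."""
    id: int
    completed: bool = False


@dataclass
class Request:
    """Minimal model of what the server sees. The browser attaches the
    victim's session cookie to a cross-site GET just as it does to a
    same-site one, so `session` is populated whether or not the user
    meant to send the request."""
    method: str
    session: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)   # form body; empty on GET


TASKS = {7: AdminTask(id=7)}   # constructed sample data


def vulnerable_toggle(request, pk):
    """Mirrors the reported view: the flag flips on any method, so the
    GET triggered by an attacker's <img src=...> is enough."""
    task = TASKS[pk]
    task.completed = not task.completed
    return 302                  # the RedirectView's redirect


def hardened_toggle(request, pk):
    """Hardened form: state changes only on POST, and only when the form
    carries a token equal to the one held in the victim's session."""
    if request.method != "POST":
        return 405              # GET/HEAD/OPTIONS/TRACE no longer mutate
    expected = request.session.get("csrftoken", "")
    supplied = request.POST.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403              # missing or wrong token: forged request
    task = TASKS[pk]
    task.completed = not task.completed
    return 302


def attacker_page(toggle_url):
    """The attacker's page: when the admin loads it, the browser fetches
    the image URL with the admin's cookies attached. toggle_url is a
    hypothetical path, not the project's real route."""
    return f'<img src="{toggle_url}" width="1" height="1" alt="">'


def cross_site_get(view, pk):
    """Request produced by the <img> above: cookie present, no token."""
    req = Request(method="GET", session={"csrftoken": secrets.token_urlsafe(32)})
    return view(req, pk)


def forged_post(view, pk):
    """Auto-submitted cross-site form: cookie present, but the attacker
    cannot read the victim's token, so the hidden field is absent."""
    req = Request(method="POST", session={"csrftoken": secrets.token_urlsafe(32)})
    return view(req, pk)


def legitimate_post(view, pk):
    """The admin's own form submit, rendered with the session token."""
    token = secrets.token_urlsafe(32)
    req = Request(method="POST",
                  session={"csrftoken": token},
                  POST={"csrfmiddlewaretoken": token})
    return view(req, pk)


if __name__ == "__main__":
    print(attacker_page("https://onboarding.example/admin_tasks/7/toggle/"))
    print("GET  -> vulnerable:", cross_site_get(vulnerable_toggle, 7), TASKS[7].completed)
    print("GET  -> hardened: ", cross_site_get(hardened_toggle, 7), TASKS[7].completed)
    print("POST -> forged:   ", forged_post(hardened_toggle, 7), TASKS[7].completed)
    print("POST -> legit:    ", legitimate_post(hardened_toggle, 7), TASKS[7].completed)
```

In Django itself the equivalent fix is to move the toggle out of get() into a post() handler (or set http_method_names to allow only POST) and render the "mark done" control as a form with {% csrf_token %}; CsrfViewMiddleware then rejects a cross-site POST because the token is missing, and a cross-site GET can no longer change anything.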

Occurrences

We are processing your report and will contact the chiefonboarding team within 24 hours. 5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 5 months ago
We have contacted a member of the chiefonboarding team and are waiting to hear back 5 months ago
chiefonboarding/chiefonboarding maintainer validated this vulnerability 5 months ago

Good find. This has been patched now. Thank you!

tomorroisnew has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
5 months ago

Thanks. Can I get a CVE for it?

chiefonboarding/chiefonboarding maintainer marked this as fixed in v2.0.47 with commit 7de93f 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 5 months ago
views.py#L52 has been validated
5 months ago

Oh, sorry. I already closed it without a CVE assigned to it.

@admin can I change it to assign a CVE for this?

5 months ago

Hi @admin

Ben Harvie
5 months ago

Admin


I have gone ahead and assigned a CVE to this report as requested.
