Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition


Reported on Sep 24th 2021


CSRF allows enabling/disabling bots; CSRF allows flushing the chatbox.

Proof of Concept

1. After logging in to, access this link:, and see that the chat bot is disabled/enabled correspondingly.
2. Access this link: and see that the chatbox is flushed.


This vulnerability is capable of enabling/disabling chat bots and flushing the chatbox.

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back (2 years ago)
M0rphling modified the report (2 years ago)

HDVinnie, 2 years ago:


I don't see how this is a vulnerability. Those routes are behind a middleware that checks if said user is staff or not. If you log in to the demo site using a non-staff account like Username: System and Password: UNIT3D and try to access those routes, you will be redirected to an Error 403 Permission Denied.

Correct me if I'm wrong here @Ky Tran

M0rphling, 2 years ago:


Hi @HDVinnie, I use this account Username: UNIT3D Password: UNIT3D, access the link and you will see the result. CSRF is a vulnerability that makes requests on behalf of any user; the goal is to force them to make some action against their will, so the type of user shouldn't matter.
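To show why a staff-only middleware does not stop this class of issue, here is an added Laravel illustration (not UNIT3D's own code and not the fix in the referenced commit; route paths, controller classes and the `staff` middleware alias are hypothetical): the vulnerable pattern is a state-changing action on a GET route, which Laravel's `VerifyCsrfToken` middleware never checks, beside the hardened POST form of the same routes.

```php
<?php
// Added illustration, not UNIT3D's own code and not the referenced fix.
// Route paths, controller classes and the 'staff' middleware alias are
// hypothetical placeholders.

use App\Http\Controllers\BotController;   // hypothetical
use App\Http\Controllers\ChatController;  // hypothetical
use Illuminate\Support\Facades\Route;

// BEFORE (shown for contrast only; remove in a real routes file):
// state-changing actions reachable with a plain GET link.
// Laravel's VerifyCsrfToken middleware (part of the 'web' group) exempts
// GET, HEAD and OPTIONS, so the auth/staff checks run but no token is
// verified: a logged-in staff user who follows the link performs the action.
// Note that the default session cookie setting 'same_site' => 'lax' does not
// help either, because Lax still sends the cookie on top-level GET navigations.
Route::middleware(['web', 'auth', 'staff'])->group(function () {
    Route::get('/chat/bots/{bot}/toggle', [BotController::class, 'toggle']);
    Route::get('/chat/flush', [ChatController::class, 'flush']);
});

// AFTER: the same actions only accept POST, which VerifyCsrfToken validates
// (the session token must match the _token field or X-CSRF-TOKEN header).
// A GET to these paths now receives 405 Method Not Allowed, and a cross-site
// POST without the token receives 419 Page Expired.
Route::middleware(['web', 'auth', 'staff'])->group(function () {
    Route::post('/chat/bots/{bot}/toggle', [BotController::class, 'toggle'])
        ->name('chat.bots.toggle');
    Route::post('/chat/flush', [ChatController::class, 'flush'])
        ->name('chat.flush');
});

// The staff UI then triggers the action from a form carrying the token
// (Blade template), instead of a bare link:
//
//   <form method="POST" action="{{ route('chat.flush') }}">
//       @csrf
//       <button type="submit">Flush chatbox</button>
//   </form>
```

When auditing similar code, grep the routes file for `Route::get` entries whose controller method writes to the database; each one is unprotected by the CSRF middleware regardless of which role middleware wraps it.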


HDVinnie validated this vulnerability 2 years ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed with commit efb593 2 years ago
HDVinnie has been awarded the fix bounty
This vulnerability will not receive a CVE