Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition
Valid
Sep 24th 2021
CSRF allows enabling/disabling chat bots and flushing the chatbox.
Proof of Concept
1. Log in to unit3d.site.
2. Access https://unit3d.site/dashboard/chat/bots/2/disable or https://unit3d.site/dashboard/chat/bots/2/enable and observe that chat bot 2 is disabled or enabled accordingly.
3. Access https://unit3d.site/dashboard/flush/chat and observe that the chatbox is flushed.

Each action is carried out by a plain GET request authenticated only by the session cookie, with no anti-CSRF token required, so a logged-in user who is made to load one of these URLs from another page performs the action without intending to.
This vulnerability is capable of enabling/disabling chat bots and flushing the chatbox.
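The root cause is that state-changing actions are reachable over GET, which Laravel's VerifyCsrfToken middleware never checks (it only validates the token on non-reading methods). The following is an added illustration, not UNIT3D's own routes or controllers (the controller class and method names are hypothetical); it shows the weak route definitions beside a hardened version that accepts the same actions only via POST with a valid token.

```php
<?php
// Added illustration; paths mirror the report, controller names are hypothetical.

use Illuminate\Support\Facades\Route;

// Weak: state-changing actions exposed on GET. The "web" middleware group's
// VerifyCsrfToken skips GET/HEAD/OPTIONS, so a plain link or <img src> loaded
// in a logged-in user's browser is enough to trigger them.
Route::middleware(['web', 'auth'])->group(function () {
    Route::get('/dashboard/chat/bots/{id}/disable', [ChatBotController::class, 'disable']);
    Route::get('/dashboard/chat/bots/{id}/enable',  [ChatBotController::class, 'enable']);
    Route::get('/dashboard/flush/chat',             [ChatController::class, 'flush']);
});

// Hardened: same actions only via POST. Inside the "web" group the request
// must now carry a _token (or X-CSRF-TOKEN header) matching the session,
// and a cross-site GET to these paths is answered with 405 Method Not Allowed.
Route::middleware(['web', 'auth'])->group(function () {
    Route::post('/dashboard/chat/bots/{id}/disable', [ChatBotController::class, 'disable'])
        ->whereNumber('id')->name('bots.disable');
    Route::post('/dashboard/chat/bots/{id}/enable', [ChatBotController::class, 'enable'])
        ->whereNumber('id')->name('bots.enable');
    Route::post('/dashboard/flush/chat', [ChatController::class, 'flush'])
        ->name('chat.flush');
});

/*
 * Matching Blade form for the dashboard (hypothetical view snippet). The @csrf
 * directive emits the hidden _token field that VerifyCsrfToken compares
 * against the session, which an attacker's page cannot read or forge:
 *
 *   <form method="POST" action="{{ route('bots.disable', ['id' => $bot->id]) }}">
 *       @csrf
 *       <button type="submit">Disable bot</button>
 *   </form>
 */
```

Any existing links to the GET URLs in the dashboard must be converted to these forms (or to a fetch that sends the X-CSRF-TOKEN header), otherwise legitimate users lose the feature after the change.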