Cross-Site Request Forgery (CSRF) in hdinnovations/unit3d-community-edition

Valid

Reported on

Sep 24th 2021


Description

CSRF allows enabling/disabling chat bots. CSRF allows flushing the chatbox.

Proof of Concept

After logging in to unit3d.site,
access either of these links: https://unit3d.site/dashboard/chat/bots/2/disable, https://unit3d.site/dashboard/chat/bots/2/enable
See that the chat bot is disabled/enabled correspondingly.

Access this link: https://unit3d.site/dashboard/flush/chat
See that the chatbox is flushed.
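The proof of concept works because each action is a plain GET: the victim's browser attaches the session cookie to any request a third-party page triggers (an image tag or a link is enough), and Laravel's VerifyCsrfToken middleware does not inspect GET, HEAD or OPTIONS requests. The following is an added example, not UNIT3D's own routes file or the code of commit efb593; it shows the weak route definitions beside a corrected version in Laravel, the framework UNIT3D is built on. The controller class, route names and the `staff` middleware alias are assumptions made for illustration.

```php
<?php
// Illustrative Laravel routes (added example, not UNIT3D's routes/web.php).
// ChatBotController, the route names and the `staff` middleware alias are assumed.

use App\Http\Controllers\ChatBotController;   // assumed controller name
use Illuminate\Support\Facades\Route;

// Weak: state-changing actions reachable by plain GET.
// A logged-in staff member who merely loads a page containing
//   <img src="https://unit3d.site/dashboard/chat/bots/2/disable">
// performs the action: the browser sends the session cookie, the staff
// middleware passes (the victim IS staff), and VerifyCsrfToken skips GET.
// The authorization check limits WHO can be a victim, not WHETHER the
// request was intended, so it is not a CSRF defence.
Route::middleware(['auth', 'staff'])->group(function () {
    Route::get('/dashboard/chat/bots/{id}/disable', [ChatBotController::class, 'disable']);
    Route::get('/dashboard/chat/bots/{id}/enable',  [ChatBotController::class, 'enable']);
    Route::get('/dashboard/flush/chat',             [ChatBotController::class, 'flushChat']);
});

// Corrected: the same actions only over POST. Routes in routes/web.php sit in
// the `web` middleware group, so VerifyCsrfToken compares the submitted
// `_token` field (or X-CSRF-TOKEN header) with the session token and answers
// 419 when they differ. A cross-site page cannot read the victim's token, so
// its forged POST is rejected; the staff authorization check still runs too.
// (A real routes file keeps only this group; both are shown here side by side.)
Route::middleware(['auth', 'staff'])->group(function () {
    Route::post('/dashboard/chat/bots/{id}/disable', [ChatBotController::class, 'disable'])
        ->name('chat.bots.disable');
    Route::post('/dashboard/chat/bots/{id}/enable',  [ChatBotController::class, 'enable'])
        ->name('chat.bots.enable');
    Route::post('/dashboard/flush/chat',             [ChatBotController::class, 'flushChat'])
        ->name('chat.flush');
});
```

The dashboard view then submits each action through a form rather than a link, for example `<form method="POST" action="{{ route('chat.bots.disable', ['id' => $bot->id]) }}">@csrf <button type="submit">Disable</button></form>`; the `@csrf` directive emits the hidden `_token` field the middleware checks. A quick regression check for this class of bug is to list the application's routes (`php artisan route:list`) and confirm that no route which changes state is registered for GET.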

Impact

This vulnerability is capable of enabling/disabling chat bots and flushing the chatbox.

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back 2 years ago
M0rphling modified the report 2 years ago

HDVinnie (Maintainer), 2 years ago

I don't see how this is a vulnerability. Those routes are behind a middleware that checks if said user is staff or not. If you log in to the demo site using a non-staff account like Username: System and Password: UNIT3D and try to access those routes you will be redirected to an Error 403 Permission Denied.

Correct me if I'm wrong here @Ky Tran

M0rphling (Researcher), 2 years ago

Hi @HDVinnie, I use this account Username: UNIT3D Password: UNIT3D, access the link and you will see the result. CSRF is a vulnerability that makes requests on behalf of any user; the goal is to force them to take some action against their will, so the type of user shouldn't matter.

Regards.

HDVinnie validated this vulnerability 2 years ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed with commit efb593 2 years ago
HDVinnie has been awarded the fix bounty
This vulnerability will not receive a CVE