Cross Site Request Forgery in acknowledging Toast in sissbruecker/linkding

Valid

Reported on May 18th 2022


Description

Hi there linkding maintainers, I would like to report a cross-site request forgery in acknowledging a toast.

This is due to the use of the GET method.

Proof of Concept

  1. Install a local instance of linkding
  2. Create admin user admin
  3. Log in as admin and create a new toast
  4. Go back to /bookmarks and see that the toast appears in the search bar
  5. Access the link /toasts/<toast-id>/acknowledge and see that the toast is forcefully acknowledged.
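The steps above show why a GET-reachable state change is a CSRF sink: the browser attaches the victim's session cookie to any request for that URL, whatever page triggered it. The following is an added, framework-free model of the pattern, not linkding's own code. It puts the reported GET-based acknowledge handler next to a hardened version that accepts only POST and verifies a per-session CSRF token; the `Request` class, the in-memory `TOASTS` store and the `csrfmiddlewaretoken`/`X-CSRFToken` names are constructed for the example (the field names mirror Django's conventions, which is what linkding is built on).

```python
"""Model of a state-changing 'acknowledge toast' endpoint: the
GET-reachable form (the pattern reported) beside a hardened form that
requires POST and a CSRF token bound to the session.
Constructed example; in a Django app the equivalent is @require_POST
plus the default CsrfViewMiddleware and a {% csrf_token %} form."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    method: str
    user_id: int
    session: dict
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# Constructed in-memory store: toast id -> owner and acknowledged flag.
TOASTS = {}


def reset_toasts():
    TOASTS.clear()
    TOASTS[1] = {"owner": 42, "acknowledged": False}


def vulnerable_acknowledge(request, toast_id):
    """Reported pattern: any request method flips state, so a request the
    browser sends with the victim's cookies, regardless of origin, counts."""
    toast = TOASTS[toast_id]
    if toast["owner"] != request.user_id:
        return 403
    toast["acknowledged"] = True
    return 302  # redirect back to /bookmarks


def get_csrf_token(session):
    """Issue, once per session, the secret the form must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_ok(request):
    """Compare the submitted token with the session token in constant time."""
    expected = request.session.get("csrf_token")
    provided = request.post.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken")
    if not expected or not provided:
        return False
    return hmac.compare_digest(expected, provided)


def hardened_acknowledge(request, toast_id):
    """Fix: reject anything but POST (405) and require a valid CSRF token (403)
    before the ownership check and the state change."""
    if request.method != "POST":
        return 405
    if not csrf_ok(request):
        return 403
    toast = TOASTS[toast_id]
    if toast["owner"] != request.user_id:
        return 403
    toast["acknowledged"] = True
    return 302


def demo():
    """Walk both handlers through the same sequence; returns the status codes."""
    session = {}
    reset_toasts()
    before = vulnerable_acknowledge(Request("GET", 42, session), 1)
    reset_toasts()
    get_blocked = hardened_acknowledge(Request("GET", 42, session), 1)
    no_token = hardened_acknowledge(Request("POST", 42, session), 1)
    token = get_csrf_token(session)
    ok = hardened_acknowledge(
        Request("POST", 42, session, post={"csrfmiddlewaretoken": token}), 1)
    return before, get_blocked, no_token, ok


if __name__ == "__main__":
    print(demo())
```

The ordering inside `hardened_acknowledge` matters: the method and token checks run before any lookup, so a forged request never reaches the code that mutates the toast. Detection-wise, a GET hitting an `/acknowledge` path in the access log is itself a signal once the endpoint is POST-only.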

Impact

CSRF

Occurrences

We are processing your report and will contact the sissbruecker/linkding team within 24 hours. a month ago
We have contacted a member of the sissbruecker/linkding team and are waiting to hear back a month ago
Sascha Ißbrücker modified the Severity from Critical to None a month ago
Sascha (Maintainer) commented a month ago:

Thanks for the report, I lowered the severity to none, as you can't really do any harm with this.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Sascha Ißbrücker validated this vulnerability a month ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sascha Ißbrücker confirmed that a fix has been merged on 117160 a month ago
The fix bounty has been dropped
toasts.py#L10 has been validated