Cross Site Request Forgery in acknowledging Toast in sissbruecker/linkding

Valid

Reported on

May 18th 2022


Description

Hi there linkding maintainers, I would like to report a cross-site request forgery in acknowledging a toast.

This is due to the use of the GET method.

Proof of Concept

  1. Install a local instance of linkding
  2. Create admin user admin
  3. Log in as admin and create a new toast
  4. Go back to /bookmarks and see that the toast appears in the search bar
  5. Access the link /toasts/<toast-id>/acknowledge and see that the toast is forcefully acknowledged.

Impact

CSRF
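The bug the steps above describe, as an added example that is neither linkding's code nor the fix in commit 117160: a handler that acknowledges a toast on any GET, beside a hardened handler that accepts only POST carrying a per-session synchronizer token (the same shape Django's CSRF middleware enforces). The `Request` class, the `TOASTS` store and `csrf_token_for` are assumptions made for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-in for the Toast model (hypothetical, not linkding's schema).
TOASTS = {7: {"message": "Welcome back", "acknowledged": False}}


@dataclass
class Request:
    """Minimal request object standing in for a framework request (assumed shape)."""
    method: str
    path: str
    session: dict = field(default_factory=dict)  # server-side session of the logged-in user
    form: dict = field(default_factory=dict)     # POST body fields


def toast_id_from(path):
    # "/toasts/<toast-id>/acknowledge" -> <toast-id>
    return int(path.split("/")[2])


def acknowledge_toast_vulnerable(request):
    """Pre-fix shape: any request to /toasts/<id>/acknowledge mutates state.
    Because GET is accepted, the browser of a logged-in user sends the session
    cookie for any cross-site navigation or resource load of that URL."""
    TOASTS[toast_id_from(request.path)]["acknowledged"] = True
    return 302  # redirect back to /bookmarks


def csrf_token_for(session):
    """Synchronizer token: one random secret per session, rendered into the form."""
    return session.setdefault("csrf_token", secrets.token_urlsafe(32))


def acknowledge_toast_hardened(request):
    """Post-fix shape: state changes only on POST with a valid per-session token.
    Requiring POST alone is not enough (a cross-site form can POST), so the
    token bound to the session is what actually defeats the forgery."""
    if request.method != "POST":
        return 405  # Method Not Allowed: GET must never change state
    expected = request.session.get("csrf_token")
    submitted = request.form.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403  # Forbidden: token missing, stale or from another session
    TOASTS[toast_id_from(request.path)]["acknowledged"] = True
    return 302
```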

Occurrences

We are processing your report and will contact the sissbruecker/linkding team within 24 hours. (a year ago)
We have contacted a member of the sissbruecker/linkding team and are waiting to hear back. (a year ago)
Sascha Ißbrücker modified the Severity from Critical to None. (a year ago)

Sascha (Maintainer), a year ago:

Thanks for the report, I lowered the severity to none, as you can't really do any harm with this.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Sascha Ißbrücker validated this vulnerability a year ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Sascha Ißbrücker marked this as fixed in 1.9.1 with commit 117160 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
toasts.py#L10 has been validated