CSRF to make any user accept the invitation to the team

Disclosed: 2018-06-02 13:03:20 By albatraoz To liberapay
Vulnerability Details
# Description

The victim can be tricked into accepting the invite, as a normal GET request is sent while accepting the request.

# Steps to reproduce

Make an HTML page using the following code:

```
<a href="https://liberapay.com/test/membership/accept">click here</a>
```

Replace "test" with your teammate.

## Impact

The impact is low, but it can still make a user accept the request even if he did not want to.
Report Stats
  • Report ID: 360834
  • State: Closed
  • Substate: informative
  • Upvotes: 4
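
One way a server can close off the GET-triggered acceptance described in the report, as an added example that is not Liberapay's code: a minimal WSGI handler that refuses to change state on GET and requires a session-bound token on POST. The `example.session_id` environ key, the `ACCEPTED` store and the `request` helper are assumptions made for the illustration.

```python
import hashlib, hmac, io, secrets
from urllib.parse import parse_qs

SECRET = secrets.token_bytes(32)  # per-deployment key, generated here for the example
ACCEPTED = set()                  # stand-in for the membership table: (session_id, team)

def csrf_token(session_id):
    """Token bound to the session; the site embeds it in the forms it renders."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def app(environ, start_response):
    """WSGI app serving only /<team>/membership/accept."""
    def reply(status, extra=()):
        start_response(status, [("Content-Type", "text/plain"), *extra])
        return [status.encode()]

    parts = environ.get("PATH_INFO", "").strip("/").split("/")
    if len(parts) != 3 or parts[1:] != ["membership", "accept"]:
        return reply("404 Not Found")
    # A cross-site link like the one in the report issues a GET,
    # so GET must never change state.
    if environ["REQUEST_METHOD"] != "POST":
        return reply("405 Method Not Allowed", [("Allow", "POST")])
    session_id = environ.get("example.session_id")  # assumed set by auth middleware
    if not session_id:
        return reply("401 Unauthorized")
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode("latin-1"))
    submitted = form.get("csrf_token", [""])[0]
    # Constant-time comparison; a page on another origin cannot read this value.
    if not hmac.compare_digest(submitted.encode(), csrf_token(session_id).encode()):
        return reply("403 Forbidden")
    ACCEPTED.add((session_id, parts[0]))
    return reply("200 OK")

def request(method, path, session_id=None, body=b""):
    """Drive the app with a constructed WSGI environ; returns the status line."""
    seen = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
               "example.session_id": session_id}
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Once the action is POST-only, a `SameSite=Lax` session cookie adds a second layer, because Lax cookies are still sent on top-level cross-site GET navigations but not on cross-site POSTs.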