CSRF in Cancel Reviewer and Reinstate Reviewer in pkp/pkp-lib

Valid

Reported on

Oct 12th 2023


Description

CSRF in Cancel Reviewer and Reinstate Reviewer

Proof of Concept

PoC link

I attach the PoC link below. Thank you.

https://drive.google.com/drive/folders/1QA5Kz6w2A_g_YdFDoDX2hHWK0zHAPoWt?usp=sharing

Impact

Traps a user into executing an unexpected action
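The report above names the class of bug (a state-changing reviewer action that accepts a request without proof it came from the application's own page) but not the fix pattern. As an added illustration, not pkp-lib's code and not the maintainers' actual patch, the following PHP shows the standard mitigation: a per-session anti-CSRF token that the cancel and reinstate actions must present before the assignment is touched. The function names, the `csrfToken` form field and the in-memory assignment table are hypothetical; only the PHP built-ins (`random_bytes`, `bin2hex`, `hash_equals`, `$_SESSION`) are real.

```php
<?php
// Added illustration, not pkp-lib code: a per-session anti-CSRF token that every
// state-changing reviewer action must present. Names below are hypothetical.
declare(strict_types=1);

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

/** Return the session's CSRF token, generating it on first use (32 random bytes, hex-encoded). */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of a submitted token against the session token. */
function csrfTokenIsValid(?string $submitted): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals(csrfToken(), $submitted);
}

/**
 * Dispatch a reviewer action against an in-memory assignment table (constructed for
 * the example). A cross-origin page can cause the victim's browser to POST the
 * assignment id, but it cannot read the session token, so the token check stops it.
 */
function handleReviewerAction(string $action, array $post, string $method, array &$assignments): array
{
    if ($method !== 'POST') {
        return ['status' => 405, 'message' => 'Method not allowed'];
    }
    if (!csrfTokenIsValid($post['csrfToken'] ?? null)) {
        error_log("CSRF check failed for action={$action}");  // refused before any state change
        return ['status' => 403, 'message' => 'Invalid or missing CSRF token'];
    }
    $id = (int) ($post['reviewAssignmentId'] ?? 0);
    if (!isset($assignments[$id])) {
        return ['status' => 404, 'message' => 'No such review assignment'];
    }
    switch ($action) {
        case 'cancelReviewer':
            $assignments[$id]['status'] = 'cancelled';
            return ['status' => 200, 'message' => "Reviewer {$id} cancelled"];
        case 'reinstateReviewer':
            $assignments[$id]['status'] = 'active';
            return ['status' => 200, 'message' => "Reviewer {$id} reinstated"];
        default:
            return ['status' => 400, 'message' => 'Unknown action'];
    }
}

// Constructed sample data and requests.
$assignments = [42 => ['reviewer' => 'reviewer@example.org', 'status' => 'active']];

// A forged cross-site POST: carries the victim's cookies, but no token.
$forged = handleReviewerAction('cancelReviewer', ['reviewAssignmentId' => 42], 'POST', $assignments);
echo "forged request: {$forged['status']} {$forged['message']}; status still {$assignments[42]['status']}\n";

// A request from the application's own form, which embedded the token.
$legit = handleReviewerAction('cancelReviewer',
    ['reviewAssignmentId' => 42, 'csrfToken' => csrfToken()], 'POST', $assignments);
echo "legitimate request: {$legit['status']} {$legit['message']}; status now {$assignments[42]['status']}\n";

$back = handleReviewerAction('reinstateReviewer',
    ['reviewAssignmentId' => 42, 'csrfToken' => csrfToken()], 'POST', $assignments);
echo "reinstate: {$back['status']} {$back['message']}; status now {$assignments[42]['status']}\n";
```

Two details matter in practice: the check must run on every state-changing entry point (both cancel and reinstate here, which is exactly where the report says one was missing), and the comparison uses `hash_equals` rather than `==` so a token cannot be guessed byte-by-byte through timing differences.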

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. 4 months ago
Alec Smecher modified the CWE from Authentication Bypass by Spoofing to Cross-Site Request Forgery (CSRF) 4 months ago
Alec Smecher modified the Severity from Medium (6.3) to Low (3.5) 4 months ago
The researcher has received a minor penalty to their credibility for misclassifying the vulnerability type: -1
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 4 months ago
hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit 01feef 4 months ago
The fix bounty has been dropped
This vulnerability has now been published 4 months ago