Cross-Site Request Forgery (CSRF) in laravelio/laravel.io
Dec 14th 2021
This CSRF vulnerability can make a user unintentionally subscribe to or unsubscribe from a thread.
Proof of Concept
One way the GET route could be abused: a person places an image tag with src="https://laravel.io/forum/storing-sessions-as-in-a-storage-bucket/subscribe" anywhere on the internet, and any user of your site who stumbles upon that page is unknowingly subscribed to that thread. The same can be done with a URL shortener or similar. This is a state-changing route and should therefore be a POST protected by a @csrf token.
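As an added illustration of the fix the report asks for (this is example code written for this page, not code from the report or from the laravel.io project), the state-changing GET route is shown beside its POST/DELETE replacement and the form that submits to it. The route paths, the Thread model, its subscribers() relation and the view path are assumptions made for the example; laravel.io's real identifiers are not on the page.

```php
<?php
// --- routes/web.php (excerpt) ---
// Added example, not laravel.io's code. Route paths, the Thread model, its
// subscribers() relation and the view file below are assumptions.

use App\Models\Thread;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// BEFORE (vulnerable, to be removed): a GET route that changes state.
// Browsers issue GET requests for <img src="...">, links, prefetches and
// redirects without any user intent, and the session cookie rides along, so any
// page on the internet can trigger the subscription. Laravel's VerifyCsrfToken
// middleware skips GET/HEAD/OPTIONS entirely, so it offers no protection here.
Route::get('forum/{thread}/subscribe', function (Request $request, Thread $thread) {
    $thread->subscribers()->syncWithoutDetaching([$request->user()->id]);

    return redirect()->back();
})->middleware('auth');

// AFTER (fixed): state changes go through POST (subscribe) and DELETE
// (unsubscribe). Routes in routes/web.php sit in the 'web' middleware group,
// which includes VerifyCsrfToken; a request without a valid _token field (or
// X-CSRF-TOKEN header) is rejected with HTTP 419 before the handler runs, and a
// cross-origin <img> tag or link cannot supply that token.
Route::middleware('auth')->group(function () {
    Route::post('forum/{thread}/subscribe', function (Request $request, Thread $thread) {
        // syncWithoutDetaching keeps the action idempotent: a repeated submit
        // does not create duplicate subscription rows.
        $thread->subscribers()->syncWithoutDetaching([$request->user()->id]);

        return redirect()->back();
    })->name('threads.subscribe');

    Route::delete('forum/{thread}/subscribe', function (Request $request, Thread $thread) {
        $thread->subscribers()->detach($request->user()->id);

        return redirect()->back();
    })->name('threads.unsubscribe');
});
?>

{{-- --- resources/views/forum/_subscribe.blade.php (assumed path) --- --}}
{{-- @csrf renders a hidden _token input bound to the user's session; @method
     lets a plain HTML form send the DELETE verb via a _method field. --}}
@auth
    @if ($thread->subscribers->contains(auth()->id()))
        <form method="POST" action="{{ route('threads.unsubscribe', $thread) }}">
            @csrf
            @method('DELETE')
            <button type="submit">Unsubscribe</button>
        </form>
    @else
        <form method="POST" action="{{ route('threads.subscribe', $thread) }}">
            @csrf
            <button type="submit">Subscribe</button>
        </form>
    @endif
@endauth
```

To audit an application for the same class of problem, run `php artisan route:list` and check every GET route whose action writes data (subscribe, like, delete, toggle and similar). Also confirm that the route is not listed in the `$except` array of `app/Http/Middleware/VerifyCsrfToken.php`, since an exclusion there disables the token check even for POST.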