Cross-Site Request Forgery (CSRF) in namelessmc/nameless


Reported on

Sep 24th 2021


With this CSRF any user is able to remove any punishment on any user made by the staff.

Proof of Concept

After you log in, open this POC.html in a browser. This will remove any punishment that's specified in the POC.

<script>history.pushState('', '', '/')</script>
<form action="">
    <input type="submit" value="Submit request" />

This specific POC will remove the 1st punishment from the userid 2.


This vulnerability is capable of allowing banned users to re access the site.

We have contacted a member of the namelessmc/nameless team and are waiting to hear back 2 years ago
hexdubbers modified the report
2 years ago
Sam validated this vulnerability 2 years ago
hexdubbers has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sam marked this as fixed with commit e24722 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation