Cross-Site Request Forgery (CSRF) in pkp/pkp-lib

Valid

Reported on

Oct 9th 2023


Description

A CSRF vulnerability allowed an attacker to change the permissions of a participant in the Edit Assignment sessions.

Proof of Concept

Payload: https://drive.google.com/file/d/1dHY9CS6R4mKM4F0im5n1aUxFamMEjbAa/view?usp=sharing
Video PoC: https://drive.google.com/file/d/1AdDFE_-qOF-EvVEJzzXKguMfr6ZkXXEx/view?usp=drive_link

Impact

This vulnerability is capable of changing the permission assignments of a participant.
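The root cause of a CSRF bug like this one is that a state-changing request is authenticated by the session cookie alone, which the browser attaches to cross-site form posts automatically. The example below is added here for illustration and is not pkp-lib's code or its fix (pkp-lib is PHP; this is a Python sketch of the general check). It contrasts a hypothetical unchecked "change participant role" handler with one that requires a per-session anti-CSRF token in the form body, which a page on another origin cannot read. The session store, handler names and `csrfToken` field name are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store (a real application keeps this server-side).
SESSIONS = {}


def new_session(role="author"):
    """Log a user in and mint a random CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "role": role}
    return sid


def render_form(sid):
    """Value the legitimate edit-assignment form embeds as a hidden field.
    Same-origin pages can read it; a cross-site page cannot."""
    return SESSIONS[sid]["csrf_token"]


def update_role_unchecked(sid, form):
    """Hypothetical vulnerable handler: trusts the session cookie only.
    A cross-site page can trigger this with an auto-submitting form."""
    session = SESSIONS.get(sid)
    if session is None:
        return (403, "no session")
    session["role"] = form["role"]
    return (200, "role set to " + form["role"])


def update_role_checked(sid, form):
    """Hardened handler: the session cookie proves who the browser is, the
    token proves the request came from our own form."""
    session = SESSIONS.get(sid)
    if session is None:
        return (403, "no session")
    token = form.get("csrfToken", "")
    # Constant-time comparison so token validation does not leak timing.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return (403, "CSRF token missing or invalid")
    session["role"] = form["role"]
    return (200, "role set to " + form["role"])


def current_role(sid):
    return SESSIONS[sid]["role"]


if __name__ == "__main__":
    sid = new_session()
    # A cross-site page can only send the fields it knows; no token.
    print(update_role_unchecked(sid, {"role": "editor"}), current_role(sid))
    sid = new_session()
    print(update_role_checked(sid, {"role": "editor"}), current_role(sid))
    print(update_role_checked(sid, {"role": "editor",
                                    "csrfToken": render_form(sid)}),
          current_role(sid))
```

Pairing the token with a `SameSite=Lax` or `Strict` attribute on the session cookie gives a second, independent layer, since most browsers then omit the cookie on cross-site POSTs altogether.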

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. 2 months ago
We have contacted a member of the pkp/pkp-lib team and are waiting to hear back 2 months ago
Alec Smecher modified the Severity from Medium (5.4) to Medium (4.3) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alec Smecher validated this vulnerability 2 months ago
0x5468616e68 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit 2d04e7 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Nov 1st 2023
Alec Smecher published this vulnerability a month ago