Cross-Site Request Forgery (CSRF) in easysoft/zentaopms


Reported on Dec 26th 2021


Zentaopms 16.0 is vulnerable to CSRF in the delete functionality.

Proof of Concept

1 - Go to the My section and create a todo.

2 - Browse to and take note of the ID in the first column.

3 - Create the following page (use the ID found at the step 2) and visit it in another browser tab while the admin is authenticated.

   <img src="">

4 - The todo identified by the ID 1 will be deleted.

The vulnerability is present because the function ajaxDelete at performs the delete operation using a GET request and no anti-CSRF token is used.


This vulnerability allows an attacker to force an end user to execute unwanted actions on the web application.

Remediation advice

For all the operations which change the state on the server (add, edit, delete, etc.):

1 - Use HTTP POST request

2 - Use unpredictable and cryptographically strong anti-CSRF token sent along with the POST request

Also set SameSite=Lax or SameSite=Strict on the zentaosid cookie.
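To make the two remediation points concrete, here is an added example (not ZenTao's code; the request object, the `id` parameter name and the handler names are assumptions) that places the reported pattern, a delete performed on a bare GET with no token, beside a hardened handler that requires POST plus a per-session, cryptographically random token compared in constant time, and builds the SameSite cookie attribute for zentaosid:

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for the framework's request object (assumption: this is
# not ZenTao's real request API). `params` holds query-string or form fields,
# `session` is the server-side session store for the calling user.
@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


TOKEN_FIELD = "csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) an unpredictable per-session token.

    The token is rendered into the delete form as a hidden field and the same
    value is kept server-side in the session for later comparison.
    """
    if TOKEN_FIELD not in session:
        # 32 bytes from the OS CSPRNG, URL-safe base64 encoded.
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def vulnerable_ajax_delete(req: Request, todos: dict) -> str:
    """The pattern the report describes: a state change on a plain GET with no
    token check, so any page the victim visits can trigger it via <img src>."""
    todo_id = int(req.params["id"])  # "id" is an assumed parameter name
    todos.pop(todo_id, None)
    return "deleted"


def hardened_ajax_delete(req: Request, todos: dict) -> str:
    """Remediation: accept only POST and only with a token matching the session copy."""
    if req.method != "POST":
        # <img>, <a> and redirect-driven requests are all GETs.
        return "405 method not allowed"
    expected = req.session.get(TOKEN_FIELD)
    submitted = req.params.get(TOKEN_FIELD, "")
    # Constant-time comparison; a session with no token issued never matches.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "403 invalid csrf token"
    todo_id = int(req.params["id"])
    todos.pop(todo_id, None)
    return "deleted"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for zentaosid with SameSite=Lax: the browser withholds
    the cookie on cross-site subresource loads (<img>) and cross-site POSTs,
    but still sends it on top-level GET navigations such as a link or a redirect."""
    return f"zentaosid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample data: one todo owned by the logged-in user.
    todos = {1: "write report"}
    print(vulnerable_ajax_delete(Request("GET", {"id": "1"}), todos), todos)

    todos = {1: "write report"}
    session = {}
    token = issue_csrf_token(session)
    print(hardened_ajax_delete(Request("GET", {"id": "1"}), todos))
    print(hardened_ajax_delete(Request("POST", {"id": "1", TOKEN_FIELD: "guess"}, session), todos))
    print(hardened_ajax_delete(Request("POST", {"id": "1", TOKEN_FIELD: token}, session), todos), todos)
    print(session_cookie_header("example-session-id"))
```

Note that SameSite=Lax on its own does not close the hole: a top-level navigation to the delete URL (which is exactly what the redirect in the second occurrence produces) still carries the cookie, so the POST-plus-token check is the primary control and the cookie attribute is defence in depth.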


        <img src="">

The function confirm at performs a redirect to the okurl via self.location, returned as JavaScript code at line. Thus the delete action is performed via a GET request to

Remediation advice

Same as for the first occurrence.

We are processing your report and will contact the easysoft/zentaopms team within 24 hours. 2 years ago
midist0xf modified the report 2 years ago
We have contacted a member of the easysoft/zentaopms team and are waiting to hear back 2 years ago
chunsheng wang validated this vulnerability 2 years ago
midist0xf has been awarded the disclosure bounty