CSRF Logout in vriteio/vrite

Valid

Reported on

Aug 18th 2023


Description

An attacker can send the victim a link (e.g. obfuscated) carrying the /logout payload; if the victim follows it, the user's state changes (logged in/logged out).

Proof of Concept

As a logged-in user, open https://app.vrite.io/session/logout in a new browser tab. Go back to the previous tab and refresh: you are logged out there as well.

Payload example: Please click<a href="https://app.vrite.io/session/logout"> for a SWAG pack from us.

Proposed remediation: CSRF tokens; POST instead of GET for endpoint

Impact

Changing the state of user (logged in -> logged out).
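The proposed remediation (POST instead of GET, plus a CSRF token) shown next to the GET behaviour from the proof of concept. This is an added example, not code from the vrite repository: the in-memory session store, the `sid` cookie, the `x-csrf-token` header, the status codes and the sample token are all assumptions made for illustration.

```javascript
// Added example: framework-free model of a logout route. Store, cookie name,
// header name and status codes are assumptions, not taken from vrite.
const sessions = new Map(); // sessionId -> { user, csrfToken }

// Constant-time string comparison so the token check does not leak a prefix match.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Before: state change on GET. Following a cross-site link is enough, because the
// browser normally attaches the session cookie to the top-level navigation.
function logoutVulnerable(req) {
  if (req.path !== "/session/logout") return 404;
  sessions.delete(req.cookies.sid);
  return 302;
}

// After: POST only, plus a per-session token that a cross-site page cannot read.
function logoutHardened(req) {
  if (req.path !== "/session/logout") return 404;
  if (req.method !== "POST") return 405;
  const session = sessions.get(req.cookies.sid);
  if (!session) return 401;
  if (!safeEqual(req.headers["x-csrf-token"], session.csrfToken)) return 403;
  sessions.delete(req.cookies.sid);
  return 204;
}

// Constructed requests: the navigation caused by the link, a cross-site POST
// without the token, and the application's own logout request.
function demo() {
  const seed = () => sessions.set("s1", { user: "victim", csrfToken: "constructed-token-1" });
  const link = { method: "GET", path: "/session/logout", cookies: { sid: "s1" }, headers: {} };
  const forgedPost = { ...link, method: "POST" };
  const ownPost = { ...forgedPost, headers: { "x-csrf-token": "constructed-token-1" } };
  const out = {};
  seed(); logoutVulnerable(link); out.vulnerableGet = sessions.has("s1");
  seed(); out.getStatus = logoutHardened(link); out.hardenedGet = sessions.has("s1");
  out.forgedStatus = logoutHardened(forgedPost); out.forgedPost = sessions.has("s1");
  out.ownStatus = logoutHardened(ownPost); out.ownPost = sessions.has("s1");
  return out;
}
```

Each boolean in the result of `demo()` records whether the session still exists after the request, so only the vulnerable GET and the token-bearing POST end the session.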

Occurrences

We are processing your report and will contact the vriteio/vrite team within 24 hours. 6 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 6 months ago
We have contacted a member of the vriteio/vrite team and are waiting to hear back 6 months ago
vriteio/vrite maintainer validated this vulnerability 6 months ago
coderbm1 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
cod3rbm
6 months ago

Researcher


Hi @maintainer, thank you for the quick action - professional and responsible approach, I appreciate this ✨

vriteio/vrite maintainer marked this as fixed in 0.2.0 with commit d8c942 5 months ago
The fix bounty has been dropped
This vulnerability has now been published 5 months ago
session.ts#L23 has been validated
cod3rbm
3 months ago

Researcher


Hi @maintainer @areknawo, a question out of curiosity: will there be any CVE for this vulnerability? Thank you for your time. Kind regards,
