Cross-Site Request Forgery (CSRF) in pkp/omp


Reported on

Oct 14th 2021

✍️ Description

An attacker can delete the profile photo of any logged-in OMP user who visits an attacker-controlled page, because the delete-profile-image request carries no CSRF token and the server does not check for one.

🕵️‍♂️ Proof of Concept

1. While logged in to OMP, open the following POC.html in a browser and click the button; your profile photo is deleted without any intended action on your part.

  <script>history.pushState('', '', '/')</script>
  <!-- action as posted (relative); an off-site PoC needs the absolute URL of the target OMP instance -->
  <form action="$$$call$$$/tab/user/profile-tab/delete-profile-image">
    <input type="submit" value="Submit request" />
  </form>

💥 Impact

This vulnerability lets an attacker force a logged-in user to delete their own profile photo without intending to.

💥 Test

Tested on Firefox and safari.

💥 Fix

Require a CSRF token on this request and reject any submission that does not carry a token matching the one stored in the user's session.
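The check described above, as an added illustration that is not pkp/omp's own code: a minimal synchronizer-token CSRF check in PHP, with the vulnerable handler shape beside the hardened one. The `$session` array, `getCsrfToken`, `checkCsrf` and the two `deleteProfileImage*` functions are hypothetical stand-ins for the framework's session object and tab handler; the scenario at the bottom is constructed.

```php
<?php
// Added illustration, not pkp/omp code: a synchronizer-token CSRF check for a
// state-changing handler such as delete-profile-image. The $session array and
// the handler functions are hypothetical stand-ins for the framework's
// session object and its tab handler.

declare(strict_types=1);

/** Issue (or reuse) a per-session token and keep the authoritative copy server-side. */
function getCsrfToken(array &$session): string
{
    if (empty($session['csrfToken'])) {
        $session['csrfToken'] = bin2hex(random_bytes(32));
    }
    return $session['csrfToken'];
}

/** Compare the submitted token with the session copy in constant time. */
function checkCsrf(array $session, array $params): bool
{
    $submitted = $params['csrfToken'] ?? '';
    $expected  = $session['csrfToken'] ?? '';
    if ($expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/** Vulnerable shape: any request that carries a valid session cookie deletes the image. */
function deleteProfileImageVulnerable(array &$session, array $params): string
{
    $session['profileImage'] = null;
    return 'deleted';
}

/** Hardened shape: refuse the state change unless the token matches the session. */
function deleteProfileImageHardened(array &$session, array $params): string
{
    if (!checkCsrf($session, $params)) {
        return 'rejected: missing or invalid csrfToken';
    }
    $session['profileImage'] = null;
    return 'deleted';
}

// --- constructed scenario ---
$victim = ['profileImage' => 'photo.jpg'];
$token  = getCsrfToken($victim);   // the app would also emit this as a hidden form field

// 1. Cross-site request: the browser attaches the session cookie, but the
//    attacker's form cannot read the victim's token, so no token is sent.
$crossSite = [];
$s = $victim;
echo "vulnerable, cross-site:  ", deleteProfileImageVulnerable($s, $crossSite), "\n";
$s = $victim;
echo "hardened,   cross-site:  ", deleteProfileImageHardened($s, $crossSite), "\n";

// 2. Legitimate request from the application's own form, token included.
$s = $victim;
echo "hardened,   same-site:   ", deleteProfileImageHardened($s, ['csrfToken' => $token]), "\n";

// 3. Guessed token of the right length still fails.
$s = $victim;
echo "hardened,   wrong token: ", deleteProfileImageHardened($s, ['csrfToken' => str_repeat('0', 64)]), "\n";
```

Run with `php csrf_demo.php`: the cross-site request succeeds against the vulnerable handler and is rejected by the hardened one, while the application's own form, which embeds the session token as a hidden field, still works. As defence in depth, a destructive action like this should also accept only POST (the PoC above relies on a plain GET) and the session cookie should carry a SameSite attribute, but neither replaces the token check.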

We have contacted a member of the pkp/omp team and are waiting to hear back 2 years ago
Alec Smecher validated this vulnerability 2 years ago
Musio has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alec Smecher, 2 years ago:


Fix here:

This does not rate a "high" severity.

The cited "navigationMenus.xml" has nothing to do with the reported issue.

Alec Smecher marked this as fixed with commit 1ae8e3 2 years ago
Alec Smecher has been awarded the fix bounty
This vulnerability will not receive a CVE
navigationMenus.xml#L1-L41 has been validated
Musio (reporter), 2 years ago:


Hi. I did many searches to find the flawed code but I can't find it, and the only file I found with profile/photo is navigationMenus.xml. I can't now edit the severity, but you're right, it's not high.
