Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2

Valid

Reported on

Oct 4th 2021

Description

After taking a look at the application again, I found few more (create / update) endpoints which should have CSRF protection

Proof of Concept

http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/saveUserGroup?name=123&description=abc&group_id=         
http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/ajaxSaveSetInfo?name=abc&description=&set_id=
http://[PAWTUCKET-URL]/pawtucket/index.php/Lightbox/saveShareSet?group_id=15&user=&access=2

Impact

This vulnerability is capable of tricking user to create / modify new lightbox and user groups and add unauthorized users to lightbox

Occurrences

Save User Group (validation)

Save Set Info (validation)

Save Share Set (validation)

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back 2 years ago
haxatron modified the report
2 years ago
haxatron modified the report
2 years ago
CollectiveAccess
2 years ago

Maintainer

There are others too. Fix covers additional endpoints... I think this is everything. (Should've done this to begin with, but time is short).

haxatron
2 years ago

Researcher

Yep looks like those are everything, apologies for missing out SetAccess. Could you validate this report?

CollectiveAccess validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess marked this as fixed with commit 47dffa 2 years ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation