Cross Site Request Forgery in acknowledging Toast in sissbruecker/linkding
May 18th 2022
Hi there linkding maintainers, I would like to report a Cross-Site Request Forgery in acknowledging a toast.
This is due to the use of the GET method for a state-changing action.
Proof of Concept
- Install a local instance of linkding
- Create admin user
- Log in as admin and create a new toast
- Go back to /bookmarks and see that the toast appears in the search bar
- Access the link /toasts/<toast-id>/acknowledge and see that the toast is forcefully acknowledged.
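Added example (not linkding's code): a minimal handler pair showing the GET-based acknowledge pattern the report describes next to a hardened form that only accepts POST and requires the per-session CSRF token. The request dicts, the session store and toast id 42 are constructed stand-ins; in a Django code base such as linkding's, the equivalent is the `require_POST` decorator together with the CSRF middleware's token check.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the app's toast table and session store.
TOASTS = {42: {"acknowledged": False}}
SESSIONS = {"sess-abc": {"user": "admin", "csrf_token": secrets.token_hex(16)}}


def reset():
    """Put the constructed toast back into the unacknowledged state."""
    TOASTS[42]["acknowledged"] = False


def acknowledge_vulnerable(request):
    """Pattern the report describes: a state change performed on GET.

    A cross-site page only needs the victim's browser to load the URL; the
    session cookie is sent automatically, so the toast gets acknowledged.
    """
    session = SESSIONS.get(request.get("session"))
    if session is None:
        return 403  # not logged in
    TOASTS[request["toast_id"]]["acknowledged"] = True
    return 302  # redirect back to /bookmarks


def acknowledge_hardened(request):
    """Hardened form: only POST changes state, and the POST must carry the
    per-session CSRF token (synchronizer-token pattern), compared in constant time."""
    if request["method"] != "POST":
        return 405  # GET is not allowed to change state
    session = SESSIONS.get(request.get("session"))
    if session is None:
        return 403
    submitted = request.get("form", {}).get("csrfmiddlewaretoken", "")
    # A cross-site request can carry the cookie but not the token bound to the session.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    TOASTS[request["toast_id"]]["acknowledged"] = True
    return 302


def is_acknowledged(toast_id):
    """Report whether the constructed toast has been acknowledged."""
    return TOASTS[toast_id]["acknowledged"]
```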