[BUG] Possible CSRF vulnerability #373
Comments
scalzava
added
bug
|
GreaterWMS 2.1.49 will be end of GreaterWMS2 and I start new project Bomiot,it will change all things |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Our security team is working on the automated detection of session vulnerabilities in opensource web applications, including CSRF. Our analyzer identified that the register function of userregister/views.py has been declared as CSRF exempt. After manual analysis, we believe that this practice might leave your application vulnerable to security-relevant CSRF attempts.
Can you take a look into the relevant code parts and comment on the issue?
Steps to Reproduce
A web attacker with control of a malicious web page can use HTML / JavaScript to craft a request towards the user registration endpoint, thus being able to register new users in the web application.
Expected behavior
The user registration endpoint should only accept HTTP requests bearing an anti-CSRF token or some other authentication credential which is not susceptible to CSRF.
Deployment Method
Version Information
Latest version available on GitHub as of May 15, 2024.
The text was updated successfully, but these errors were encountered: