-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
There is a CSRF vulnerability that can add the administrator account #800
Comments
Thank you for pointing the vulnerability. Could you apply a fix?
… On 10-Aug-2018, at 3:44 PM, Vict00r ***@***.***> wrote:
After the administrator logged in, open the following page to add an administrator.
poc:
<script>history.pushState('', '', '/')</script>
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
You can add an token in your form or url to avoid this kind of vulnerability. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
After the administrator logged in, open the following page to add an administrator.
<script>history.pushState('', '', '/')</script>poc:
The text was updated successfully, but these errors were encountered: