Weblate: Logout CSRF

ID H1:223329
Type hackerone
Reporter japz
Modified 2017-05-17T14:20:15


Hi Team,

This is low risk, but I want you to know that the logout on this domain, demo.weblate.org, did not protect the logout form with a CSRF token; therefore I can log out any user by sending this URL: https://demo.webplate.org/accounts/logout/.

Logout should use the POST method with a valid CSRF token.

Let me know if you need more info.

Regards, Japz