Liberapay: CSRF to make any user accept the invitation to the team

ID H1:360834
Type hackerone
Reporter albatraoz
Modified 2018-06-02T13:03:20



The victim can be tricked into accepting the invite because accepting the request sends a normal GET request.

Steps to reproduce

Make an HTML page using the following code: <a href="">click here</a>. Replace "test" with your team mate.


The impact is low, but it can still make a user accept the request even if they did not want to.
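
The usual fix for this class of bug, sketched as an added example (not Liberapay's code and not part of the original report): the accept action changes nothing on GET and requires a POST carrying the session's CSRF token. The handler name, session layout and in-memory membership set are assumptions made for illustration.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session(user):
    """Create a session holding a random per-session CSRF token."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def handle_invite(method, session, params, memberships):
    """Hypothetical invitation-accept handler; returns (status, body).

    `memberships` is a set of (team, user) pairs standing in for the database.
    """
    team = params.get("team", "")
    if method in SAFE_METHODS:
        # Safe methods must never change state: a link or redirect on
        # another site sends them with the victim's cookies attached.
        # Only render a confirmation form that carries the token.
        return 200, {"confirm_team": team, "csrf_token": session["csrf_token"]}
    if method != "POST":
        return 405, "method not allowed"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "bad or missing CSRF token"
    memberships.add((team, session["user"]))
    return 200, "invitation accepted"


def demo():
    """Run constructed requests and return the resulting statuses."""
    session, members = new_session("victim"), set()
    # Constructed inputs: "test" is the placeholder team name from the report.
    link_click = handle_invite("GET", session, {"team": "test"}, members)
    tokenless_post = handle_invite("POST", session, {"team": "test"}, members)
    unchanged = len(members) == 0
    own_post = handle_invite(
        "POST", session,
        {"team": "test", "csrf_token": session["csrf_token"]}, members)
    return link_click[0], tokenless_post[0], unchanged, own_post[0], members


if __name__ == "__main__":
    print(demo())
```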