Liberapay: CSRF to make any user accept the invitation to the team

2018-06-01T16:04:26
ID H1:360834
Type hackerone
Reporter albatraoz
Modified 2018-06-02T13:03:20

Description

A victim can be tricked into accepting a team invitation, because accepting the invitation is done with a normal GET request.

Steps to reproduce

Make an HTML page using the following code:

<a href="https://liberapay.com/test/membership/accept">click here</a>

Change "test" with your team mate.

Impact

The impact is low, but it can still make a user accept the request even if he did not want to.
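
The mitigation for this class of bug, as an added example that is not part of the original report and is not Liberapay's code: the accept action is refused on GET and requires a POST carrying a per-session CSRF token. The handler name, session layout and invitation store are assumptions made for illustration.

```python
import hmac
import secrets


def new_csrf_token():
    """Random per-session token, kept server-side and embedded in the site's form."""
    return secrets.token_urlsafe(32)


def accept_membership(method, session, form, team, invites):
    """Hypothetical handler for /<team>/membership/accept.

    session: dict with 'user' and 'csrf_token' (assumed session store)
    form:    dict of POST body fields
    invites: set of (team, user) pairs awaiting acceptance (assumed data model)
    Returns (status_code, message).
    """
    # A state change must not be reachable via GET: any link on another
    # site makes the browser send a GET with the user's cookies attached.
    if method != "POST":
        return 405, "use POST to accept an invitation"
    # The token shows the request came from a form this site rendered.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    key = (team, session["user"])
    if key not in invites:
        return 404, "no pending invitation"
    invites.discard(key)
    return 200, "invitation accepted"


def demo():
    # Constructed sample data: user "alice" has a pending invite to team "test".
    invites = {("test", "alice")}
    session = {"user": "alice", "csrf_token": new_csrf_token()}
    results = [
        # The request shape from the report: a plain GET to the accept URL.
        accept_membership("GET", session, {}, "test", invites),
        # A POST that does not carry the session's token.
        accept_membership("POST", session, {"csrf_token": "guess"}, "test", invites),
        # A genuine submission of the site's own form.
        accept_membership("POST", session,
                          {"csrf_token": session["csrf_token"]}, "test", invites),
    ]
    return results, invites
```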