Localize: No Cross-Site Request Forgery protection at multiple locations

2014-04-17T20:12:51
ID H1:7916
Type hackerone
Reporter melvin
Modified 2014-04-18T08:35:52

Description

The Localize application does not provide protection against CSRF attacks at various locations. For example, the following actions/pages are vulnerable:

POST /pages/create_project
POST /pages/settings
POST /add_phrase/$var/languages/$var

See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) for more information.
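
The missing check, sketched as a session-bound CSRF token that is verified on every state-changing request. This is an added example, not Localize's code: the framework-free `allow_request` gate, the `csrf_token` form field name and the HMAC token layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Mapping, Optional

# Assumption: a server-side secret; generated per process for this demo.
SECRET_KEY = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in each form: random nonce plus a MAC tying it to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id: str, token: Optional[str]) -> bool:
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    # Constant-time comparison avoids leaking how much of the MAC matched.
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def allow_request(method: str, path: str, session_id: str,
                  form: Mapping[str, str]) -> bool:
    """Gate every state-changing request, not only the routes named in the report.

    `path` is deliberately unused: the check applies regardless of route.
    """
    if method.upper() in SAFE_METHODS:
        return True
    return token_is_valid(session_id, form.get("csrf_token"))


# Constructed requests against the endpoints listed above ("12"/"fr" stand in for $var).
if __name__ == "__main__":
    sid = "session-A"
    tok = issue_csrf_token(sid)
    print(allow_request("POST", "/pages/create_project", sid, {"csrf_token": tok}))
    print(allow_request("POST", "/pages/settings", sid, {}))
    print(allow_request("POST", "/add_phrase/12/languages/fr", "session-B",
                        {"csrf_token": tok}))
```

Because the token is bound to the session identifier, a token obtained in one session is rejected when replayed in another, and a request that carries only the victim's cookies fails the check.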