Lucene search
Ciph0x015EC206E0-ECA0-4957-9AF4-FDD9185D1DB3HistorySep 16, 2022 - 2:49 p.m.
CSRF leads to disabling notifications in users profile
2022-09-1614:49:43
ciph0x01
www.huntr.dev
3
csrf
repository notifications
server acceptance
0.001 Low
EPSS
Percentile
30.1%
Description
Periodic updates of repositories were sent as notifications to the user’s email and here GET request sent to the server for modifying repository notifications settings is accepted by the server, which can lead to disabling notifications through a CSRF attack.
Proof of Concept
Replace repos with valid repo names
https://rdiffweb-demo.ikus-soft.com/prefs/notification?repo1%2FC=0&repo2=0&repo3=0&action=set_notification_info
example:
https://rdiffweb-demo.ikus-soft.com/prefs/notification?MyWindowsLaptop%2FC=0&test-encoding=0&testcases=0&action=set_notification_info
Related
veracode
veracode
Cross-site Request Forgery (CSRF)
2022-09-22 05:30:37
cvelist
cvelist
CVE-2022-3233 Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb
2022-09-21 19:40:08
osv
osv
CVE-2022-3233
2022-09-21 20:15:10
rdiffweb CSRF could lead to disabling notifications in user profile
2022-09-22 00:00:21
PYSEC-2022-285
2022-09-21 20:15:00
github
github
rdiffweb CSRF could lead to disabling notifications in user profile
2022-09-22 00:00:21
nvd
nvd
CVE-2022-3233
2022-09-21 20:15:10
cve
cve
CVE-2022-3233
2022-09-21 20:15:10
prion
prion
Cross site request forgery (csrf)
2022-09-21 20:15:00