
Cross-Site Request Forgery (CSRF) in bookstackapp/bookstack

2021-11-10 09:02:19
haxatron
www.huntr.dev
cross-site request forgery
bookstackapp
login csrf
email confirmation
user tricked
sensitive actions
duplicate usernames
attacker account
recommended fix
bugbounty

EPSS

0.001

Percentile

41.1%

Description

Login CSRF via /register/confirm/{token} endpoint.

Proof of Concept

1: Register an account with the same username as the victim; an email confirmation will take place.

2: Retrieve token from email.

3: Send a link http://[BOOKSTACK_APP_URL]/register/confirm/{token} to user.

4: When the user clicks the link, they will be logged into the account, even if they already have an active session on Bookstack.

Impact

This vulnerability can be used to trick the user into unknowingly logging into an attacker-controlled account. They might then perform sensitive actions, which will be recorded in the attacker's account. This can be chained with the fact that Bookstack allows duplicate usernames, so the victim might believe the attacker's account is actually theirs.

Recommended Fix

There are two possible remediations I can think of for this:
A) Use a middle page for confirming the email and then logging in (for example, a showConfirm action followed by a confirm action)
B) Do not log in the user after email confirmation.
Additionally, duplicate usernames may be disallowed to prevent confusion.
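The flow from the report beside the two remediations, as an added example modelled in plain Python (not BookStack's own PHP code): the vulnerable handler confirms and logs in on a single GET, while the hardened pair renders a form on GET and only changes state on a CSRF-protected POST that never replaces an active session. The `Session`, `pending` dictionary and token values are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Session:
    """Constructed model of the browser's server-side session."""
    user: Optional[str] = None                                   # None = not logged in
    csrf: str = field(default_factory=lambda: secrets.token_hex(16))

def confirm_vulnerable(session: Session, pending: Dict[str, str], token: str) -> str:
    """Flow described in the report: one GET to /register/confirm/{token}
    both confirms the email and logs the browser in, even if a different
    user already has an active session."""
    user = pending.get(token)
    if user is None:
        return "invalid token"
    session.user = user                 # existing session silently replaced
    return f"logged in as {user}"

def show_confirm(session: Session, pending: Dict[str, str], token: str):
    """Fix A, step 1: GET only renders a confirmation form; no state changes.
    The form carries the session's CSRF token, which a forged link cannot know."""
    if token not in pending:
        return "invalid token"
    return {"action": "/register/confirm", "token": token, "_token": session.csrf}

def confirm_hardened(session: Session, pending: Dict[str, str], token: str,
                     csrf_field: str, login_after: bool = False) -> str:
    """Fix A, step 2: the POST from the form confirms the email only when the
    submitted CSRF token matches the session. With login_after=False (fix B)
    the session is never touched; even when enabled, an active session is kept."""
    if not secrets.compare_digest(csrf_field, session.csrf):
        return "csrf mismatch"
    user = pending.pop(token, None)
    if user is None:
        return "invalid token"
    if login_after and session.user is None:
        session.user = user
    return f"confirmed {user}"
```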
