huntr report E05BE1F7-D00C-4CFD-9390-CCD9D1C737B7 by Haxatron, Nov 20, 2021 - 5:53 a.m.

Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2

2021-11-20 05:53:43
haxatron
www.huntr.dev

EPSS: 0.001
Percentile: 31.3%

CSRF Set 1 (modify invoice status [Medium severity])

Description

CSRF in saving invoices and in modifying the status of invoices (pending and canceled only).

Proof of Concept

The following state-changing endpoints are vulnerable to CSRF:

GET /en/invoice/save-invoice/9/5?searchTerm=&daterange=2021-11-01%20-%202021-11-30&tags=&exported=5&template=5&customers%5B%5D=9
GET /en/invoice/change-status/2/canceled
GET /en/invoice/change-status/2/pending
GET /en/invoice/?createInvoice=true&searchTerm=&daterange=2021-11-01%20-%202021-11-30&tags=&exported=5&template=5   (save all invoices)

Impact

Attackers can trick users into modifying the status of invoices, potentially disrupting invoice tracking.

CSRF Set 2 (modify search favourites [Low severity])

Description

CSRF in adding and deleting search favourites.

Proof of Concept

The following state-changing endpoints are vulnerable to CSRF:

GET /en/invoice/?removeDefaultQuery=InvoiceQuery
GET /en/invoice/?searchTerm=&daterange=2021-11-01+-+2021-11-30&tags=&exported=5&template=5&setDefaultQuery=

Impact

Although of very low severity, these state-changing actions have no CSRF protection.
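
As an added illustration of how a defender might spot the pattern both sets describe (state changes performed by plain GET requests), and not code from this report or from Kimai, the script below scans combined-format web server log lines for GET requests to the listed endpoints whose Referer is missing or belongs to another host. The sample log lines, the application host kimai.example.com, and the handling of locale prefixes other than /en/ are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

LOCALE = r"/[a-z]{2}(?:_[A-Z]{2})?"  # the reported URLs use /en/; other locales are assumed
PATH_ACTIONS = [  # state-changing GET endpoints from the report, keyed by path shape
    ("invoice.save", re.compile(LOCALE + r"/invoice/save-invoice/\d+/\d+$")),
    ("invoice.change_status", re.compile(LOCALE + r"/invoice/change-status/\d+/(?:canceled|pending)$")),
]
QUERY_ACTIONS = {"createInvoice": "invoice.save_all",  # /invoice/ changes state only with these keys
                 "removeDefaultQuery": "favourite.remove", "setDefaultQuery": "favourite.set"}
INVOICE_INDEX = re.compile(LOCALE + r"/invoice/?$")
# Apache/nginx "combined" log line: client, ident, user, time, request, status, size, referer, UA
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')

def classify(method, url):
    """Return the name of the state change a GET request performs, or None."""
    if method != "GET":
        return None
    parts = urlsplit(url)
    for name, pattern in PATH_ACTIONS:
        if pattern.match(parts.path):
            return name
    if INVOICE_INDEX.match(parts.path):
        query = parse_qs(parts.query, keep_blank_values=True)
        for key, name in QUERY_ACTIONS.items():
            if key in query:
                return name
    return None

def find_csrf_candidates(lines, app_host):
    """Flag state-changing GETs whose Referer is absent or points at another host."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        client, user, ts, method, url, status, referer = m.groups()
        action = classify(method, url)
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if action and ref_host != app_host:  # a missing Referer is flagged too; tune for your clients
            hits.append({"client": client, "user": user, "time": ts, "action": action,
                         "status": status, "referer": referer})
    return hits

# Constructed sample lines for a Kimai instance assumed to be served at kimai.example.com.
SAMPLE_LOG = [
    '203.0.113.5 - alice [20/Nov/2021:05:53:43 +0000] "GET /en/invoice/change-status/2/canceled HTTP/1.1" 302 0 "https://kimai.example.com/en/invoice/" "Mozilla/5.0"',
    '203.0.113.5 - alice [20/Nov/2021:05:54:10 +0000] "GET /en/invoice/change-status/2/pending HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0"',
    '203.0.113.7 - bob [20/Nov/2021:05:55:01 +0000] "GET /en/invoice/?searchTerm=&daterange=2021-11-01+-+2021-11-30 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - bob [20/Nov/2021:05:55:30 +0000] "GET /en/invoice/?removeDefaultQuery=InvoiceQuery HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Running `find_csrf_candidates(SAMPLE_LOG, "kimai.example.com")` flags the second and fourth lines; the first is same-site and the third is a read-only search. A proper fix in the application is to move these actions to POST with a CSRF token, and this log check only helps triage exposure until that is deployed.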

