CSRF in saving invoices / modifying status of invoices (pending and cancel only)
The following state-changing endpoints are vulnerable to CSRF:
GET /en/invoice/save-invoice/9/5?searchTerm=&daterange=2021-11-01%20-%202021-11-30&tags=&exported=5&template=5&customers%5B%5D=9
GET /en/invoice/change-status/2/canceled
GET /en/invoice/change-status/2/pending
GET /en/invoice/?createInvoice=true&searchTerm=&daterange=2021-11-01%20-%202021-11-30&tags=&exported=5&template=5 (save all invoices)
Attackers can trick users into modifying the status of invoices, potentially disrupting invoice tracking.
CSRF in adding / deleting search favorites
The following state-changing endpoints are vulnerable to CSRF:
GET /en/invoice/?removeDefaultQuery=InvoiceQuery
GET /en/invoice/?searchTerm=&daterange=2021-11-01+-+2021-11-30&tags=&exported=5&template=5&setDefaultQuery=
Although of very low severity, these state-changing actions are unprotected against CSRF.
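As an added example (not part of the advisory), a Python log review that flags requests to the state-changing GET endpoints listed in both sections above when they arrive without an in-app Referer; the log lines and the application host app.example.test are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs
APP_HOST = "app.example.test"  # assumption: the host the application is served from

# The state-changing GET routes named in the advisory: fixed paths for save-invoice and
# change-status, plus query parameters that trigger an action on the /invoice/ index.
STATE_CHANGING_PATHS = re.compile(
    r"^/[a-z]{2}/invoice/(save-invoice/\d+/\d+|change-status/\d+/(canceled|pending))$")
STATE_CHANGING_PARAMS = {"createInvoice", "removeDefaultQuery", "setDefaultQuery"}

# Apache/nginx "combined" access log format (an absent Referer is logged as "-").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def is_state_changing(target: str) -> bool:
    """True if the request target is one of the advisory's state-changing GET endpoints."""
    parts = urlsplit(target)
    if STATE_CHANGING_PATHS.match(parts.path):
        return True
    params = parse_qs(parts.query, keep_blank_values=True)  # setDefaultQuery= has no value
    return bool(STATE_CHANGING_PARAMS & params.keys())

def is_cross_site(referer: str) -> bool:
    """A missing or foreign Referer on a state-changing GET is the CSRF signal."""
    return referer in ("", "-") or urlsplit(referer).hostname != APP_HOST

def find_suspect_requests(log_lines):
    """Return (ip, target, referer) for state-changing GETs not initiated from the app itself."""
    suspects = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not is_state_changing(m["target"]):
            continue
        if is_cross_site(m["referer"]):
            suspects.append((m["ip"], m["target"], m["referer"]))
    return suspects

# Constructed sample lines: an in-app click, a request forged from an external page,
# one with no Referer at all, and a harmless filtered listing that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2021:10:00:00 +0000] "GET /en/invoice/change-status/2/canceled HTTP/1.1" 302 0 "https://app.example.test/en/invoice/" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Dec/2021:10:01:00 +0000] "GET /en/invoice/change-status/2/pending HTTP/1.1" 302 0 "https://lure.example/page.html" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Dec/2021:10:02:00 +0000] "GET /en/invoice/?removeDefaultQuery=InvoiceQuery HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Dec/2021:10:03:00 +0000] "GET /en/invoice/?searchTerm=&template=5 HTTP/1.1" 200 512 "https://lure.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("possible CSRF:", hit)
```

Browsers omit the Referer under a strict Referrer-Policy, so hits are leads for review rather than proof; the server-side fix is to move these actions to POST guarded by a CSRF token, which makes the GET variants stop working altogether.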