2 matches found
Cross-Site Request Forgery (CSRF) in kestasjk/webdiplomacy
Description: CSRF bug when disabling notice. Proof of Concept: no CSRF token checking during enable/disable notice. Below request is vulnerable to CSRF attack: POST /index.php HTTP/1.1 Host: webdiplomacy.net User-Agent: Mozilla/5.0 X11; Ubuntu; Linux x8664; rv:88.0 Gecko/20100101...
InnoGames: Unprivileged alliance member is able to recruit new members to his alliance and accepting them (xs1.grepolis.com)
Alliances are a very integral part of Grepolis. Attacks are planned and strategies are forged. All of this in secret from the other players. A broken access control allowed any member of the alliance to invite "external" players, even though the alliance invitations were closed/invite-only. This...