Cross-site Request Forgery (CSRF)

bolt/bolt is vulnerable to cross-site request forgery. The vulnerability exists as it accepts requests without a valid token in the preview generating endpoint in src/Controller/Frontend.php which allows an attacker to inject and execute arbitrary javascript...

CVE-2020-4040

Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized...