Hi, I am a security researcher at Fluid Attacks; our security team found a security issue inside PeteReport version 0.5.
Attached below are the links to our responsible disclosure policy.

Bug description

PeteReport Version 0.5 contains a Cross Site Request Forgery (CSRF) vulnerability allowing an attacker to trick users into deleting users, products, reports and findings in the application.

CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSSv3 Base Score: 4.3

Steps to reproduce

Create a malicious html file with the following content.

Screenshots and files

System Information

@alestorm980 Thank you for bringing this to me, I missed the csrf token in the delete endpoints. Take a look into the last commit and let me know if you find more issues.
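The maintainer's fix is a CSRF token check on the delete endpoints. The following is an added illustration of that pattern, not PeteReport's own code: a minimal delete handler in the vulnerable form (any authenticated POST deletes the record) beside a hardened form that requires a session-bound token in the form body. The in-memory Request, session and product table, and the field name csrfmiddlewaretoken, are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a framework request object."""
    method: str
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Bind a random token to the user's session. The page that renders the
    delete form embeds it as a hidden field; a cross-site page cannot read it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def delete_product_vulnerable(request: Request, product_id: int, products: dict) -> int:
    """The pattern the report describes: the session cookie alone authorises the
    delete, so a form auto-submitted from another origin succeeds."""
    if request.method != "POST":
        return 405
    if product_id not in products:
        return 404
    del products[product_id]
    return 302  # redirect back to the product list


def delete_product_fixed(request: Request, product_id: int, products: dict) -> int:
    """Same endpoint with the check the maintainer added: the token in the form
    body must match the one bound to the session, compared in constant time."""
    if request.method != "POST":
        return 405
    expected = request.session.get("csrf_token")
    supplied = request.form.get("csrfmiddlewaretoken")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return 403  # missing or wrong token: reject before touching data
    if product_id not in products:
        return 404
    del products[product_id]
    return 302
```

Rejecting before the lookup means a forged request leaks nothing about which ids exist.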