CSRF issue in extension manager #3559

Closed
splitbrain opened this issue Dec 8, 2021 · 0 comments
Collaborator

splitbrain commented Dec 8, 2021

As reported in https://huntr.dev/bounties/d74ba950-6336-4c77-90e1-22ea3ff5cbdd/, the extension manager does not do a CSRF check for enabling or disabling extensions via AJAX.

This would allow tricking logged-in administrative users into disabling or enabling installed plugins.

The impact of this is relatively low. With regards to the upcoming Igor release, I don't think a hotfix is necessary.
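To illustrate the class of bug described in the report, here is an added example (not DokuWiki's own code; DokuWiki itself provides `getSecurityToken()`/`checkSecurityToken()` for this) showing a minimal AJAX enable/disable handler in its unchecked form next to the fixed form. The plugin list, `$session` array and POST arrays are constructed stand-ins for the real session and request.

```php
<?php
// Added example (not DokuWiki's code): an AJAX handler that toggles an extension,
// first with only a login check, then with a session-bound anti-CSRF token.
// $session stands in for $_SESSION; PLUGINS is constructed sample data.

const PLUGINS = ['authplain' => true, 'extension' => true, 'revert' => true];

function issue_token(array &$session): string {
    // Generated once per session; the admin page embeds it and sends it with every AJAX call.
    if (empty($session['sectok'])) {
        $session['sectok'] = bin2hex(random_bytes(16));
    }
    return $session['sectok'];
}

function token_is_valid(array $session, array $post): bool {
    $sent = (string)($post['sectok'] ?? '');
    $have = (string)($session['sectok'] ?? '');
    // Both must be present; compare in constant time.
    return $sent !== '' && $have !== '' && hash_equals($have, $sent);
}

// Unchecked pattern: any POST that carries the admin's session cookie changes state.
function ajax_toggle_unchecked(array $session, array $post, array $plugins): array {
    if (empty($session['user_is_admin'])) return ['error' => 'not admin'];
    $plugins[$post['plugin'] ?? ''] = (($post['act'] ?? '') === 'enable');
    return $plugins;
}

// Fixed pattern: refuse the request unless the session-bound token matches.
function ajax_toggle_checked(array $session, array $post, array $plugins): array {
    if (empty($session['user_is_admin'])) return ['error' => 'not admin'];
    if (!token_is_valid($session, $post)) return ['error' => 'csrf token missing or invalid'];
    $name = $post['plugin'] ?? '';
    if (!isset($plugins[$name])) return ['error' => 'unknown plugin'];
    $plugins[$name] = (($post['act'] ?? '') === 'enable');
    return $plugins;
}

// Demo: a request forged from another origin rides on the admin's cookie but
// cannot read the token, so it carries none; a same-origin request includes it.
$session = ['user_is_admin' => true];
issue_token($session);
$crossSite = ['plugin' => 'revert', 'act' => 'disable'];           // no sectok
$legit     = $crossSite + ['sectok' => $session['sectok']];        // token from the page

var_dump(ajax_toggle_unchecked($session, $crossSite, PLUGINS));    // plugin toggled without consent
var_dump(ajax_toggle_checked($session, $crossSite, PLUGINS));      // rejected, state unchanged
var_dump(ajax_toggle_checked($session, $legit, PLUGINS));          // accepted, plugin toggled
```

Run with `php example.php`; the first dump shows the silent state change, the second the rejection, the third the legitimate toggle.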
