Authenticated CSRF in Delete Campaign / Contact #3486
Labels: bug (Issues or PR's relating to bugs), pending-feedback (PR's and issues that are awaiting feedback from the author)
What type of report is this:
Description:
Mautic suffers from authenticated CSRF in which an attacker can trick a user/admin into deleting campaigns or contacts. These two operations are not protected with an anti-CSRF token. Other operations, e.g., adding contacts/campaigns, are protected.
If a bug:
Steps to reproduce:
{ID}
{ID}?mauticUserLastActive=1
Replace {ID} with the ID of step 1.
Log errors:
N.A.
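The report's point is that the delete endpoints only check for an authenticated session, which a browser attaches automatically to a cross-site request, while the add endpoints additionally require an anti-CSRF token. The following is an added illustration (not Mautic's code, and not the reporter's) of the two patterns side by side: an in-memory session store, a campaign table, and a field name `_token` are constructed assumptions for the example.

```python
import hmac
import secrets

# Constructed stand-ins for the application's session store and database
# (assumptions for this example, not Mautic's own data structures).
SESSIONS = {"sess-admin": {"user": "admin", "csrf_token": secrets.token_hex(16)}}


def new_campaigns():
    """Fresh copy of a constructed campaign table so each scenario starts clean."""
    return {1: "Welcome series", 2: "Re-engagement"}


def delete_campaign_unprotected(request, campaigns):
    """Vulnerable pattern: the only gate is a valid session cookie.

    A cross-site request (an <img> or auto-submitting form on an attacker page)
    carries the victim's cookie automatically, so it passes this check."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return "unauthenticated"
    removed = campaigns.pop(request["campaign_id"], None)
    return "deleted" if removed is not None else "not found"


def delete_campaign_protected(request, campaigns):
    """Hardened pattern: state-changing action requires POST plus a per-session
    anti-CSRF token that another origin cannot read, compared in constant time."""
    if request.get("method", "GET") != "POST":
        return "method not allowed"
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return "unauthenticated"
    # "_token" is an assumed form field name for this example.
    token = request.get("form", {}).get("_token")
    if token is None or not hmac.compare_digest(session["csrf_token"], token):
        return "csrf token invalid"
    removed = campaigns.pop(request["campaign_id"], None)
    return "deleted" if removed is not None else "not found"


def forged_request(campaign_id):
    """What the victim's browser sends when lured to an attacker's page:
    the session cookie is attached, but the token is unknown to the attacker."""
    return {"method": "GET", "cookie": "sess-admin", "campaign_id": campaign_id}


def legitimate_request(campaign_id):
    """A request from the application's own delete form, token included."""
    return {
        "method": "POST",
        "cookie": "sess-admin",
        "campaign_id": campaign_id,
        "form": {"_token": SESSIONS["sess-admin"]["csrf_token"]},
    }


if __name__ == "__main__":
    table = new_campaigns()
    print("unprotected, forged:", delete_campaign_unprotected(forged_request(1), table))
    table = new_campaigns()
    print("protected, forged:  ", delete_campaign_protected(forged_request(1), table))
    print("protected, genuine: ", delete_campaign_protected(legitimate_request(1), table))
```

The method check alone already blocks the link-style request hinted at by the `?mauticUserLastActive=1` URL in the reproduction steps; the token check is what blocks a forged POST as well, which is why both are kept.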