piaolin changed the title from "There are three CSRF vulnerabilities that can add an administrator account" to "There are three CSRF vulnerabilities that can add an administrator account, delete an administrator account, and edit the configuration" on Jul 27, 2020
After the administrator has logged in, open the following three pages:
1. add_admin.html
   Adds an administrator.
2. delete_admin.html
   Deletes an administrator by username (email); the 'id' param is not used, so you can delete any user whose username (email) you know.
3. configure.html
   It can edit the configuration, for example:
   1. Change the HTTP Basic Auth user and password used to download a backup of your data via HTTP.
   2. Change the administrator email, used together with add_admin.html.
   3. Change the Client Secret, which is used to validate requests.