CSRF in watch-unwatch projects
Low
Weblate
Reported by
ashish_r_padelkar
Vulnerability Details
Technical details and impact analysis
Hello,
When you visit any project from `https://hosted.weblate.org/`, there is a button provided on the top-right called `Watch` / `Unwatch` for each project. When you click on that button, a POST request is sent which contains a CSRF token. But this request also works without that token.
Just hit the URLs in your browser and you will be able to `Watch` or `Unwatch` the projects:
`https://hosted.weblate.org/accounts/watch/androbd/`
`https://hosted.weblate.org/accounts/unwatch/androbd/`
where androbd is a project name!
Regards,
Ashish
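The pattern the report describes is a state-changing endpoint that accepts any HTTP method and does not verify the CSRF token, so a link or image tag on another site can toggle a logged-in user's watch state. The following is an added illustration, not Weblate's own code: it models the endpoint with a minimal constructed request/session object (the names `Session`, `Request`, `watch_view_vulnerable` and `watch_view_hardened` are assumptions for this example) and shows the unprotected handler beside one that only accepts POST and checks a session-bound token in constant time. The form field name `csrfmiddlewaretoken` is the conventional Django one; the rest of the framework is stubbed out so the example runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for a web framework's session and request objects.
# These are assumptions for the example, not Weblate's classes.


@dataclass
class Session:
    user: str
    # Per-session secret that the server embeds in its own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    watched: set = field(default_factory=set)


@dataclass
class Request:
    method: str
    path: str                      # e.g. "/accounts/watch/androbd/"
    session: Session
    form: dict = field(default_factory=dict)


def _parse(path):
    """Split '/accounts/<watch|unwatch>/<project>/' into (action, project)."""
    parts = [p for p in path.split("/") if p]
    if len(parts) != 3 or parts[0] != "accounts" or parts[1] not in ("watch", "unwatch"):
        return None
    return parts[1], parts[2]


def _toggle(session, action, project):
    if action == "watch":
        session.watched.add(project)
    else:
        session.watched.discard(project)


def watch_view_vulnerable(request):
    """Vulnerable pattern from the report: the state change happens for any
    method and without looking at the CSRF token, so a cross-site GET works."""
    parsed = _parse(request.path)
    if parsed is None:
        return 404, "not found"
    _toggle(request.session, *parsed)
    return 200, "ok"


def watch_view_hardened(request):
    """Mitigation: refuse unsafe methods and require a token that matches the
    session secret (constant-time compare) before changing any state."""
    parsed = _parse(request.path)
    if parsed is None:
        return 404, "not found"
    if request.method != "POST":
        return 405, "method not allowed"
    token = request.form.get("csrfmiddlewaretoken", "")
    if not token or not hmac.compare_digest(token.encode(), request.session.csrf_token.encode()):
        return 403, "csrf verification failed"
    _toggle(request.session, *parsed)
    return 200, "ok"


def demo():
    """Run both handlers against a cross-site GET, a POST without a token and a
    legitimate POST; returns (handler, scenario) -> status code / final state."""
    results = {}
    for name, view in (("vulnerable", watch_view_vulnerable), ("hardened", watch_view_hardened)):
        s = Session(user="alice")
        results[(name, "get")] = view(Request("GET", "/accounts/watch/androbd/", s))[0]
        results[(name, "post_no_token")] = view(Request("POST", "/accounts/watch/androbd/", s))[0]
        results[(name, "post_token")] = view(Request("POST", "/accounts/watch/androbd/", s,
                                                     {"csrfmiddlewaretoken": s.csrf_token}))[0]
        results[(name, "watched")] = "androbd" in s.watched
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, value)
```

In a Django view the same two checks are what `@require_POST` plus the enabled `CsrfViewMiddleware` provide; the point of the example is that both are needed, since a POST-only view without token verification is still forgeable from a cross-site form.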
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Cross-Site Request Forgery (CSRF)