| Field | Value |
|---|---|
| Title | givanz Vvveb Vvveb 1.0.7.2 State-Changing GET Request |
| Description | The application exposes endpoints that perform state-changing operations (create/update/delete/activate/configure) in response to HTTP GET requests. Because GET requests are treated as safe/read-only by browsers and many protections, these endpoints lack CSRF enforcement and proper HTTP method checks, allowing an attacker to trigger privileged actions simply by causing a victim (e.g., an admin) to load attacker-controlled content. Delivery vectors include `<img>`/`<iframe>` tags, CSS `url(...)` backgrounds, or automated URL previews; when an authenticated privileged user views such content, the browser issues the GET request and the server executes the state change. |
| Source | https://gist.github.com/KhanMarshaI/165ae8f63ec6b5fdf1f4123252499fce |
| User | KhanMarshal (UID 89610) |
| Submission | 17.09.2025 12:18 (7 months ago) |
| Moderation | 26.09.2025 10:24 (9 days later) |
| Status | Accepted |
| VulDB Entry | 325967 [givanz Vvveb up to 1.0.7.2 Cross Site Request Forgery] |
| Points | 20 |