| Título | SourceCodester Note Taking App 1.0 Cross Site Request Forgery |
|---|
| Descrição | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in SourceCodester Note Taking App 1.0. The vulnerability exists in the note deletion functionality located in notes/delete.php. The application processes deletion requests via HTTP GET method using the id parameter without implementing any CSRF token validation or request origin
verification. An unauthenticated remote attacker can craft a malicious HTML page containing a hidden image tag or script that silently sends a deletion request to the vulnerable endpoint. When an authenticated victim visits the attacker-controlled page while logged into the application, the browser automatically includes the session cookie with the forged request, causing the victim's notes to be permanently deleted without their knowledge or consent. The attack requires no privileges and only needs the victim to visit a malicious webpage, making it easily exploitable through phishing or social engineering campaigns. |
|---|
| Fonte | ⚠️ https://gist.github.com/Mohdanass/b7c5984922238397d10644f5f33ec592 |
|---|
| Utilizador | Anas22335 (UID 96357) |
|---|
| Submissão | 11/03/2026 19h10 (há 26 dias) |
|---|
| Moderação | 27/03/2026 09h53 (16 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 353858 [SourceCodester Note Taking App até 1.0 Falsificação de Pedido entre Sites] |
|---|
| Pontos | 20 |
|---|