| Название | SourceCodester Note Taking App 1.0 Cross Site Request Forgery |
|---|
| Описание | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in SourceCodester Note Taking App 1.0. The vulnerability exists in the note deletion functionality located in notes/delete.php. The application processes deletion requests via HTTP GET method using the id parameter without implementing any CSRF token validation or request origin
verification. An unauthenticated remote attacker can craft a malicious HTML page containing a hidden image tag or script that silently sends a deletion request to the vulnerable endpoint. When an authenticated victim visits the attacker-controlled page while logged into the application, the browser automatically includes the session cookie with the forged request, causing the victim's notes to be permanently deleted without their knowledge or consent. The attack requires no privileges and only needs the victim to visit a malicious webpage, making it easily exploitable through phishing or social engineering campaigns. |
|---|
| Источник | ⚠️ https://gist.github.com/Mohdanass/b7c5984922238397d10644f5f33ec592 |
|---|
| Пользователь | Anas22335 (UID 96357) |
|---|
| Представление | 11.03.2026 19:10 (26 дни назад) |
|---|
| Модерация | 27.03.2026 09:53 (16 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 353858 [SourceCodester Note Taking App до 1.0 подделка межсайтовых запросов] |
|---|
| Баллы | 20 |
|---|