| Title | GitHub OpnForm 1.9.3 Cross-Site Request Forgery |
|---|
| Description | Title: Cross-Site Request Forgery on all API endpoints
Description: CSRF attacks are possible on all API endpoints. An attacker would require a valid token in order to conduct the attack. Although this vulnerability appears to be benign due to requiring a valid JWT for authentication, it can be executed in a chain with the aforementioned XSS vulnerabilities.
Please see the attached Google Doc link for more information under 4. Cross-Site Request Forgery on all API endpoints and the Response from the Vendor section for more detail.
Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3
Patched Commit: N/A |
|---|
| Source | ⚠️ https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.w5b1nllxwvdq |
|---|
| User | balejin (UID 89385) |
|---|
| Submission | 10/01/2025 21:12 (9 months ago) |
|---|
| Moderation | 10/07/2025 15:17 (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 327379 [JhumanJ OpnForm up to 1.9.3 API Endpoint cross-site request forgery] |
|---|
| Points | 20 |
|---|