Submit #777877: SourceCodester Note Taking App 1.0 Cross Site Request Forgeryinfo

TitleSourceCodester Note Taking App 1.0 Cross Site Request Forgery
DescriptionA Cross-Site Request Forgery (CSRF) vulnerability was discovered in SourceCodester Note Taking App 1.0. The vulnerability exists in the note deletion functionality located in notes/delete.php. The application processes deletion requests via HTTP GET method using the id parameter without implementing any CSRF token validation or request origin verification. An unauthenticated remote attacker can craft a malicious HTML page containing a hidden image tag or script that silently sends a deletion request to the vulnerable endpoint. When an authenticated victim visits the attacker-controlled page while logged into the application, the browser automatically includes the session cookie with the forged request, causing the victim's notes to be permanently deleted without their knowledge or consent. The attack requires no privileges and only needs the victim to visit a malicious webpage, making it easily exploitable through phishing or social engineering campaigns.
Source⚠️ https://gist.github.com/Mohdanass/b7c5984922238397d10644f5f33ec592
User
 Anas22335 (UID 96357)
Submission03/11/2026 19:10 (4 months ago)
Moderation03/27/2026 09:53 (16 days later)
StatusAccepted
VulDB entry353858 [SourceCodester Note Taking App up to 1.0 cross-site request forgery]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!