Closed randomstuff closed 2 years ago
The reconfiguration endpoint of the HotSpot application is vulnerable to CSRF. A malicious website could use the browser of a connected user to reconfigure the HotSpot application.
See https://github.com/sofadesign/limonade/issues/54
This is probably blocked by recent browsers (which implement SameSite=Lax). This setting is now set by SSOWat.
Closing because the app got reworked, probably not relevant anymore