bmarsh9 / gapps

Security compliance platform - SOC2, CMMC, ASVS, ISO27001, HIPAA, NIST CSF, NIST 800-53, CSC CIS 18, PCI DSS, SSF tracking. https://gapps.darkbanner.com

Security Issue: Implement CSRF tokens on profile updates #119

Open V35HR4J opened 9 months ago

V35HR4J commented 9 months ago

There's a security problem on gapps related to CSRF (Cross-Site Request Forgery) tokens, particularly when updating user profiles. Currently, if a user is logged in, their password can be changed without their permission with just one click. This happens because of not using CSRF tokens, which are special codes meant to make sure that the person making changes on the website is the actual user and not someone else trying to interfere. Without these tokens, there's a risk that an outsider could trick a user into clicking a link or a button that would unknowingly change their password or make other unwanted changes to their profile. It's important to fix this to keep users' accounts safe.
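To make the mechanism concrete, here is an added example (not code from gapps or from the reporter) of the synchronizer-token pattern the comment describes, written as a framework-free Python model of a logged-in session and a password-change POST handler. The "before" handler accepts any request that carries the victim's session cookie, which is exactly what a forged cross-site form exploits; the "after" handler additionally requires the per-session token that only a page served by the site can read. All names (`Session`, `change_password_vulnerable`, `change_password_protected`, the form dicts, the hash placeholder) are hypothetical stand-ins, and the forged form is constructed for the demo.

```python
"""Synchronizer-token CSRF protection for a password-change handler.

Added example, not gapps code. Models the vulnerable and protected
handler side by side; session storage, routing and hashing are stubbed.
"""
import hmac
import secrets

TOKEN_BYTES = 32


class Session(dict):
    """Stands in for a server-side session bound to a session cookie."""


def login(username: str) -> Session:
    """Constructed session for a user who has already authenticated."""
    return Session(user=username, password_hash="hash(old)")


def issue_csrf_token(session: Session) -> str:
    """Mint a fresh unguessable token and store it server-side.

    The same token is embedded in the profile form as a hidden field. An
    attacker page on another origin cannot read it (same-origin policy), so
    it cannot build a request that passes the check.
    """
    token = secrets.token_urlsafe(TOKEN_BYTES)
    session["csrf_token"] = token
    return token


def render_profile_form(session: Session) -> str:
    """Render the password form with the token as a hidden input."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/profile/password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password">'
        "<button>Change password</button></form>"
    )


def csrf_token_valid(session: Session, form: dict) -> bool:
    """Constant-time comparison of the submitted token against the session's."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def change_password_vulnerable(session: Session, form: dict) -> int:
    """Before: any POST carrying the victim's session cookie succeeds."""
    if "user" not in session:
        return 401
    session["password_hash"] = "hash(" + form["new_password"] + ")"
    return 200


def change_password_protected(session: Session, form: dict) -> int:
    """After: the request must also carry the token the server issued."""
    if "user" not in session:
        return 401
    if not csrf_token_valid(session, form):
        return 403
    session["password_hash"] = "hash(" + form["new_password"] + ")"
    issue_csrf_token(session)  # rotate so a leaked token cannot be replayed
    return 200


# Constructed forged request: what an attacker-controlled page submits via an
# auto-submitting form. The browser attaches the victim's session cookie, but
# the attacker never saw a token.
FORGED_FORM = {"new_password": "attacker-chosen"}


def demo() -> dict:
    """Run the forged and legitimate flows; returns status codes per step."""
    results = {}
    victim = login("alice")
    results["vulnerable"] = change_password_vulnerable(victim, FORGED_FORM)

    victim = login("alice")
    results["forged_rejected"] = change_password_protected(victim, FORGED_FORM)
    results["guess_rejected"] = change_password_protected(
        victim, {"new_password": "x", "csrf_token": "guess"}
    )

    # Legitimate flow: the user loads the form and submits the token it holds.
    html = render_profile_form(victim)
    token = victim["csrf_token"]
    results["form_carries_token"] = token in html
    legit_form = {"new_password": "hunter2", "csrf_token": token}
    results["legit_accepted"] = change_password_protected(victim, legit_form)
    # The token was rotated after use, so replaying the same form fails.
    results["replay_rejected"] = change_password_protected(victim, legit_form)
    results["password_changed"] = victim["password_hash"] == "hash(hunter2)"
    return results


if __name__ == "__main__":
    print(demo())
```

In a Flask application the same check is normally not hand-rolled: Flask-WTF's `CSRFProtect(app)` enforces it on every state-changing request and exposes `csrf_token()` to Jinja templates for the hidden field. Setting the session cookie to `SameSite=Lax` or `Strict` is a useful second layer, but it is not a substitute for the token, since older clients and some cross-site navigations are not covered.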

manuel-sommer commented 8 months ago

@V35HR4J, there are a lot more security issues within gapps, I have reported 11 of them, but there hasn't been any notice or update since June 2023.

bmarsh9 commented 8 months ago

@manuel-sommer XSS issues have likely been resolved with other updates. Open a PR in the future.

@V35HR4J Please open a pull request.

As a notice, this is an open-source project and I'm the only maintainer. It provides little value to highlight issues and never open PRs. I encourage you both to open a PR to fix the issue. In the README, it explains the project is still in Beta and should not be used in production.

Eventually I will get around to it, but there's no guarantee. That's why you both should open a PR to fix the issue.

manuel-sommer commented 8 months ago

@bmarsh9, I tried to resolve these issues, but I am not familiar enough with Flask. However, if you give me a guide in this regard, I can help with PRs. Furthermore, I can retest my findings.