Open fozi6044 opened 5 years ago
Any reward for me on this bug report?
Hello @fozi6044. First of all, it seems we forgot to thank you for the report back then. Sorry. Second, unfortunately we don't have a budget for bug bounties at this point as a non-commercial open source project. See https://www.yiiframework.com/security
Hi Team,
I am a security researcher and I found this vulnerability on your website.
Vulnerability: No CSRF Protection here
So here I will show you how CSRF protection, or a capture code, is needed in the password reset form. So here is the POST request which I captured through Burp. I will send it to the Repeater. I will flood a lot of new passwords through multiple clicks. I can send you a proof video.
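For readers of this report, here is an added, framework-neutral sketch of the two mitigations the reporter is asking for on a password-reset handler: a session-bound CSRF token checked in constant time and rotated after use, plus a cap on reset submissions per session. It is example code written for this thread, not Yii's own implementation; `Session`, `handle_reset_post`, and the limit of three resets are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example: minimal password-reset handler with a session-bound CSRF
# token and a per-session cap on reset submissions. Illustrative, not Yii code.

MAX_RESETS_PER_SESSION = 3  # assumed limit; tune per deployment


@dataclass
class Session:
    # Fresh random token per session; echoed back by the form as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    reset_attempts: int = 0


def render_reset_form(session: Session) -> dict:
    """Return the form fields, including the hidden CSRF token the browser must echo."""
    return {"new_password": "", "_csrf": session.csrf_token}


def handle_reset_post(session: Session, form: dict, users: dict, username: str) -> tuple:
    """Process a password-reset POST. Returns (http_status, message)."""
    submitted = form.get("_csrf", "")
    # Constant-time compare so the check does not leak token bytes via timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "CSRF token missing or invalid"
    # Cap repeated submissions: a forged or scripted form cannot flood resets.
    if session.reset_attempts >= MAX_RESETS_PER_SESSION:
        return 429, "Too many password reset attempts"
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        return 400, "Password too short"
    session.reset_attempts += 1
    users[username] = new_password  # a real app stores a password hash here
    # Rotate the token after a state-changing request so a replayed form is rejected.
    session.csrf_token = secrets.token_hex(32)
    return 200, "Password updated"
```

A request lacking the token, or replaying an already-used form, is refused before any password is changed.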