Describe the bug
Our security team is working on the automated detection of session vulnerabilities in open-source web applications, including CSRF. Our analyzer identified that the register function of userregister/views.py has been declared as CSRF exempt. After manual analysis, we believe that this practice might leave your application vulnerable to security-relevant CSRF attempts.
Can you take a look into the relevant code parts and comment on the issue?
Steps to Reproduce
A web attacker with control of a malicious web page can use HTML / JavaScript to craft a request towards the user registration endpoint, thus being able to register new users in the web application.
Expected behavior
The user registration endpoint should only accept HTTP requests bearing an anti-CSRF token or some other authentication credential which is not susceptible to CSRF.
Deployment Method
[ x ] Docker
[ x ] Bare Metal
Version Information
Latest version available on GitHub as of May 15, 2024.
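To make the reported behaviour concrete, the following is an added example (not the project's code and not part of the issue above). It assumes the application is Django, as the views.py path and the csrf_exempt decorator suggest, and models Django's CsrfViewMiddleware as a simplified double-submit check: the token rendered into the form by {% csrf_token %} must match the csrftoken cookie the browser sends back. The register_exempt and register_protected functions, the in-memory USERS set and the request dictionaries are all constructed for the example. A forged POST from an attacker's page carries the victim's cookies but cannot contain the token (the attacker's origin cannot read it), so it succeeds only against the exempt view.

```python
"""Model of a Django-style register view with and without CSRF protection.

Added example, not the project's code. It mimics the core of Django's
CsrfViewMiddleware (form token must match the csrftoken cookie) so the
effect of @csrf_exempt can be seen offline without Django installed.
"""
import hmac
import secrets

USERS = set()  # constructed in-memory user table


def issue_csrf_cookie():
    """Secret the server sets in the csrftoken cookie on first GET."""
    return secrets.token_hex(32)


def _csrf_ok(request):
    """Double-submit check: the form field must equal the cookie value.

    hmac.compare_digest avoids leaking the token through timing.
    """
    cookie = request["cookies"].get("csrftoken", "")
    submitted = request["form"].get("csrfmiddlewaretoken", "")
    return bool(cookie) and hmac.compare_digest(submitted, cookie)


def _do_register(request):
    """The registration logic itself, shared by both views."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    username = request["form"].get("username")
    if not username or username in USERS:
        return 400, "bad username"
    USERS.add(username)
    return 201, f"registered {username}"


def register_exempt(request):
    """Mirrors a view declared @csrf_exempt: the token is never checked."""
    return _do_register(request)


def register_protected(request):
    """Same view with the CSRF middleware in effect: token required on POST."""
    if request["method"] == "POST" and not _csrf_ok(request):
        return 403, "CSRF verification failed"
    return _do_register(request)


def forged_request(csrf_cookie, username):
    """What an attacker page's auto-submitting form produces: the browser
    attaches the victim's cookies, but the form carries no token because
    the attacker's origin cannot read the csrftoken cookie."""
    return {"method": "POST",
            "cookies": {"csrftoken": csrf_cookie},
            "form": {"username": username}}


def legitimate_request(csrf_cookie, username):
    """A POST from the site's own form, which includes the rendered token."""
    req = forged_request(csrf_cookie, username)
    req["form"]["csrfmiddlewaretoken"] = csrf_cookie
    return req


def demo():
    """Run a forged POST against both views and a genuine POST against the
    protected one; return the three status codes."""
    USERS.clear()
    cookie = issue_csrf_cookie()
    exempt_status, _ = register_exempt(forged_request(cookie, "attacker_created"))
    protected_status, _ = register_protected(forged_request(cookie, "attacker_created2"))
    legit_status, _ = register_protected(legitimate_request(cookie, "real_user"))
    return exempt_status, protected_status, legit_status


if __name__ == "__main__":
    print(demo())  # (201, 403, 201)
```

In a real Django project the fix is to remove the @csrf_exempt decorator from the view, keep django.middleware.csrf.CsrfViewMiddleware in MIDDLEWARE, and render {% csrf_token %} inside the registration form (or send the X-CSRFToken header from JavaScript). One caveat for triage: a CSRF token protects against requests that ride on the victim's browser state, so it matters most where the register view also logs the new user in or otherwise acts on existing cookies; an endpoint that ignores cookies entirely can be called by the attacker directly, and then rate limiting or CAPTCHA, not CSRF tokens, is the relevant control.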