Moderate severityNVD Advisory· Published Feb 7, 2023· Updated Mar 25, 2025
Cross-Site Request Forgery (CSRF) in wallabag/wallabag
CVE-2023-0735
Description
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.5.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wallabag/wallabagPackagist | < 2.5.4 | 2.5.4 |
Affected products
1- Range: unspecified
Patches
1268372dbbdd7Merge pull request #6289 from wallabag/2.5/fix-csrf-user-deletion
3 files changed · +14 −8
src/Wallabag/CoreBundle/Controller/ConfigController.php+5 −1 modified@@ -586,14 +586,18 @@ public function resetAction($type) /** * Delete account for current user. * - * @Route("/account/delete", name="delete_account") + * @Route("/account/delete", name="delete_account", methods={"POST"}) * * @throws AccessDeniedHttpException * * @return \Symfony\Component\HttpFoundation\RedirectResponse */ public function deleteAccountAction(Request $request) { + if (!$this->isCsrfTokenValid('delete-account', $request->request->get('token'))) { + throw $this->createAccessDeniedException('Bad CSRF token.'); + } + $enabledUsers = $this->get('wallabag_user.user_repository') ->getSumEnabledUsers();
src/Wallabag/CoreBundle/Resources/views/themes/material/Config/index.html.twig+6 −4 modified@@ -548,7 +548,7 @@ </div> </div> </div> - + <div id="set7" class="col s12"> <div class="row"> <h5>{{ 'config.reset.title'|trans }}</h5> @@ -573,9 +573,11 @@ <div class="row"> <h5>{{ 'config.form_user.delete.title'|trans }}</h5> <p>{{ 'config.form_user.delete.description'|trans }}</p> - <a href="{{ path('delete_account') }}" onclick="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red delete-account"> - {{ 'config.form_user.delete.button'|trans }} - </a> + <form action="{{ path('delete_account') }}" method="post" onsubmit="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" name="delete-account"> + <input type="hidden" name="token" value="{{ csrf_token('delete-account') }}" /> + + <button class="waves-effect waves-light btn red" type="submit">{{ 'config.form_user.delete.button'|trans }}</button> + </form> </div> {% endif %} </div>
tests/Wallabag/CoreBundle/Controller/ConfigControllerTest.php+3 −3 modified@@ -794,7 +794,7 @@ public function testDeleteUserButtonVisibility() $this->assertGreaterThan(1, $body = $crawler->filter('body')->extract(['_text'])); $this->assertStringNotContainsString('config.form_user.delete.button', $body[0]); - $client->request('GET', '/account/delete'); + $client->request('POST', '/account/delete'); $this->assertSame(403, $client->getResponse()->getStatusCode()); $user = $em @@ -860,9 +860,9 @@ public function testDeleteAccount() $crawler = $client->request('GET', '/config'); - $deleteLink = $crawler->filter('.delete-account')->last()->link(); + $deleteForm = $crawler->filter('form[name=delete-account]')->form(); - $client->click($deleteLink); + $client->submit($deleteForm); $this->assertSame(302, $client->getResponse()->getStatusCode()); $em = $client->getContainer()->get('doctrine.orm.entity_manager');
Vulnerability mechanics
Synthesis attempt was rejected by the grounding validator. Re-run pending.
References
4News mentions
0No linked articles in our index yet.