Moderate severity · NVD Advisory · Published Aug 21, 2023 · Updated Oct 3, 2024
Cross-Site Request Forgery (CSRF) in wallabag/wallabag
CVE-2023-4455
Description
Cross-Site Request Forgery (CSRF) in GitHub repository wallabag/wallabag prior to 2.6.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wallabag/wallabag (Packagist) | >= 2.0.0-alpha.1, < 2.6.3 | 2.6.3 |
Affected products
- Range: unspecified
Patches
1ffcc5c9062fc Merge pull request from GHSA-gjvc-55fw-v6vq
3 files changed · +15 −12
src/Wallabag/ApiBundle/Controller/DeveloperController.php+7 −2 modified@@ -69,12 +69,17 @@ public function createClientAction(Request $request, EntityManagerInterface $ent /** * Remove a client. * - * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client") + * @Route("/developer/client/delete/{id}", requirements={"id" = "\d+"}, name="developer_delete_client", methods={"POST"}) * * @return RedirectResponse */ - public function deleteClientAction(Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator) + public function deleteClientAction(Request $request, Client $client, EntityManagerInterface $entityManager, TranslatorInterface $translator) { + + if (!$this->isCsrfTokenValid('delete-client', $request->request->get('token'))) { + throw $this->createAccessDeniedException('Bad CSRF token.'); + } + if (null === $this->getUser() || $client->getUser()->getId() !== $this->getUser()->getId()) { throw $this->createAccessDeniedException('You can not access this client.'); }
src/Wallabag/CoreBundle/Resources/views/Developer/index.html.twig+5 −3 modified@@ -57,9 +57,11 @@ <p>{{ 'developer.remove.warn_message_1'|trans({'%name%': client.name}) }}</p> <p>{{ 'developer.remove.warn_message_2'|trans({'%name%': client.name}) }}</p> - <p> - <a class="waves-effect waves-light red btn" href="{{ path('developer_delete_client', {'id': client.id}) }}">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</a> - </p> + <form action="{{ path('developer_delete_client', { id: client.id }) }}" method="post" name="delete-client"> + <input type="hidden" name="token" value="{{ csrf_token('delete-client') }}" /> + + <button class="waves-effect waves-light btn red" type="submit">{{ 'developer.remove.action'|trans({'%name%': client.name}) }}</button> + </form> </div> </li> {% endfor %}
tests/Wallabag/ApiBundle/Controller/DeveloperControllerTest.php+3 −7 modified@@ -104,20 +104,16 @@ public function testRemoveClient() $this->assertStringContainsString('no_client', $client->getResponse()->getContent()); $this->logInAs('bob'); - $client->request('GET', '/developer/client/delete/' . $adminApiClient->getId()); + $client->request('POST', '/developer/client/delete/' . $adminApiClient->getId()); $this->assertSame(403, $client->getResponse()->getStatusCode()); // Try to remove the admin's client with the good user $this->logInAs('admin'); $crawler = $client->request('GET', '/developer'); - $link = $crawler - ->filter('div[class=collapsible-body] p a') - ->eq(0) - ->link() - ; + $form = $crawler->filter('form[name=delete-client]')->form(); - $client->click($link); + $client->submit($form); $this->assertSame(302, $client->getResponse()->getStatusCode()); $this->assertNull(
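Review bot: in the DeveloperController.php hunk the new `isCsrfTokenValid('delete-client', ...)` check is placed before the ownership check, which is the right order (an attacker-forged request is rejected before any per-client logic runs), but the hunk leaves a stray blank line between the opening `{` and the new `if`, which should be dropped. Note also that adding `methods={"POST"}` to the `@Route` means a plain GET to `/developer/client/delete/{id}` now fails at routing with 405 rather than reaching the 403 branch, so old bookmarked delete links stop working by design; a short comment on the check (or the security advisory reference) would help future readers see why the route became POST-only.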
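Review bot: in the index.html.twig hunk the token id `csrf_token('delete-client')` and the form `name="delete-client"` match the controller's token id and the test's `form[name=delete-client]` selector, so the three pieces line up; the only cleanup is the empty line between the hidden `token` input and the submit `button`, which should be removed. Since the form is rendered inside the `{% for %}` loop, every client row carries the same token value for the shared `delete-client` id; that is standard Symfony practice and acceptable here, but a per-client id such as `'delete-client-' ~ client.id` (mirrored in the controller) would bind each token to one target if stricter scoping is wanted.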
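Review bot: in the DeveloperControllerTest.php hunk the `bob` request is switched to `POST` but still sends no token, so the 403 it asserts is now produced by the new CSRF check rather than by the ownership check; the test therefore no longer proves that a different user with a valid token is refused. Suggest adding one case where `bob` posts a valid token for `'delete-client'` and still gets 403, and one where `admin` posts an invalid token and gets 403, so both the ownership branch and the new CSRF branch are covered explicitly. The switch from clicking the first `p a` link to `$client->submit($form)` on `form[name=delete-client]` is the right change and matches the twig hunk.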