Cross-Site Request Forgery (CSRF) in chiefonboarding/chiefonboarding
Description
Cross-Site Request Forgery (CSRF) in GitHub repository chiefonboarding/chiefonboarding prior to v2.0.47.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-5498 describes a CSRF vulnerability in ChiefOnboarding prior to v2.0.47 that allows an attacker to toggle task completion without consent.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in ChiefOnboarding versions prior to v2.0.47. The AdminTaskToggleDoneView handled task completion toggling via a GET request without including a CSRF token, allowing unauthorized state changes. The view was changed to a BaseDetailView that only accepts POST requests with proper CSRF protection in the fix commit [1].
Exploitation
An attacker can craft a malicious link or HTML form that, when visited or submitted by an authenticated admin user, silently triggers a GET request to toggle the completion status of any admin task. The exploit requires no special network position—only that the victim has an active session and follows the attacker's link (e.g., via email or social engineering).
Impact
Successful exploitation allows the attacker to toggle the completion status of any admin task, breaking workflow integrity. This could lead to misreported task progress and administrative confusion, though no data confidentiality or availability impact is described.
Mitigation
The vulnerability is fixed in ChiefOnboarding version 2.0.47, released on or before 2023-10-10, by changing the view to accept only POST requests and enforcing CSRF token validation [1][2]. Users should upgrade to v2.0.47 or later; no workaround is documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
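The defect and the fix described above, modelled in framework-free Python as an added example (this is not ChiefOnboarding's code and not Django's request or middleware API; the `Request` class, the in-memory task table and the session store are constructed stand-ins):

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for the request object, the session store and the
# task table (example code, not ChiefOnboarding's models or Django's objects).
@dataclass
class Request:
    method: str
    session_id: str
    body: dict = field(default_factory=dict)

tasks = {7: {"name": "Order laptop", "completed": False}}
session_tokens: dict[str, str] = {}  # session_id -> per-session CSRF token

def vulnerable_toggle_done(request: Request, task_id: int) -> int:
    """Pattern described for CVE-2023-5498: a state change on GET with no
    CSRF check. Any page an authenticated admin visits can trigger it."""
    tasks[task_id]["completed"] = not tasks[task_id]["completed"]
    return 302  # redirect back, as a toggle view typically does

def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: generated per session, embedded in the form, and
    compared on submit. Django's CsrfViewMiddleware does the equivalent."""
    token = secrets.token_hex(16)
    session_tokens[session_id] = token
    return token

def fixed_toggle_done(request: Request, task_id: int) -> int:
    """Hardened view: POST only, and the submitted token must match the
    session's token. A cross-site page cannot read the token, so it cannot
    forge a valid request."""
    if request.method != "POST":
        return 405  # GET is no longer a state-changing method
    expected = session_tokens.get(request.session_id)
    supplied = request.body.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403
    tasks[task_id]["completed"] = not tasks[task_id]["completed"]
    return 302
```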
Affected products
- Range: <2.0.47
- chiefonboarding/chiefonboarding/chiefonboardingv5 Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.