- Status: Closed
- Assigned To: cbay
- Private
Attached to Project: Security vulnerabilities
Opened by elit3pwner - 16.08.2024
Last edited by cbay - 17.08.2024
FS#70 - ClickJacking Leads to deletion of user profile
Description: There is a clickjacking vulnerability at the https://admin.alwaysdata.com/admin/details/ endpoint, and deleting a profile requires only two clicks.
Steps to reproduce:
1) Open your browser and search for https://admin.alwaysdata.com/admin/details/
2) Create an HTML file that overlays the "delete this profile" icon and then the submit button.
Impact: The admin's account can be deleted in two clicks.
Hello,
We're already setting the `frame-ancestors` directive in our Content Security Policy to prevent clickjacking.
Kind regards,
Cyril
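To make the reply concrete, here is an added checker (not code from alwaysdata or from this tracker) that decides whether a response's headers would let a given origin frame the page, evaluating the CSP `frame-ancestors` directive Cyril mentions and falling back to the legacy `X-Frame-Options` header. The header dicts and origins are constructed samples, and port and path components of host sources are ignored for brevity.

```python
from urllib.parse import urlsplit

# Constructed sample responses: one with no framing control at all, and a
# hardened one carrying the frame-ancestors directive named in the reply.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}


def _get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _source_allows(source, page, framer):
    """Evaluate one frame-ancestors source expression against the framing origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer.scheme == page.scheme and framer.netloc == page.netloc
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return framer.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")   # host-source with optional scheme
    if scheme and scheme != framer.scheme:
        return False
    host = host.split("/")[0].split(":")[0]   # assumption: drop port and path
    framer_host = framer.hostname or ""
    if host.startswith("*."):                 # "*.example.test" matches subdomains only
        return framer_host.endswith(host[1:])
    return host == framer_host


def allows_framing(headers, page_origin, framer_origin):
    """True if a page served with `headers` at page_origin can be embedded by a
    document at framer_origin, i.e. clickjacking from that origin is possible."""
    page, framer = urlsplit(page_origin), urlsplit(framer_origin)
    csp = _get_header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # frame-ancestors takes precedence over X-Frame-Options; an empty
            # source list is treated like 'none'.
            return any(_source_allows(s, page, framer) for s in tokens[1:])
    xfo = (_get_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer.scheme == page.scheme and framer.netloc == page.netloc
    return True  # no recognised framing control: any origin can embed the page
```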
So, will this issue be a valid one?
No.