CSRF Logout

# Description
A bad actor can send victims a link (possibly obfuscated) whose payload is the /signout endpoint; when a victim opens it, the user's state changes (from logged in to logged out) without any intent on their part.

# Proof of Concept
Payload: https://eu.aptabase.com/api/_auth/signout
Repro steps: As a logged-in user on https://eu.aptabase.com/, open a new browser tab and paste the link https://eu.aptabase.com/api/_auth/signout. You are now logged out; refresh the previous tab and it shows the same: logged out.

Payload example (lure text carrying the link): Please click for a SWAG pack from us.

Proposed remediation: CSRF tokens; POST instead of GET for the endpoint.
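The two remediations side by side, as an added example that is not Aptabase's code: a handler that mirrors the reported behaviour (any GET navigation ends the session) next to a hardened signout that only accepts POST, checks the request origin, and requires a per-session synchronizer token. The app origin and endpoint name come from the report; the function names, session layout and header handling are assumptions for illustration.

```python
import hmac
import secrets
from typing import Optional

# Origin of the application, taken from the report's URL.
ALLOWED_ORIGIN = "https://eu.aptabase.com"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: generated once per session, stored server-side,
    and embedded in the signout form (hypothetical session dict)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def signout_vulnerable(method: str, session: dict) -> int:
    """Pattern the report describes for /api/_auth/signout: any request,
    including a GET from a pasted or obfuscated link, logs the user out."""
    session.pop("user", None)
    return 200


def signout_hardened(method: str, headers: dict,
                     form_token: Optional[str], session: dict) -> int:
    # 1. State changes only over POST: a plain link, <img> or redirect can
    #    only produce a GET, so it is refused before anything else.
    if method != "POST":
        return 405
    # 2. Reject cross-site requests early. Origin is sent on POST by
    #    browsers; Sec-Fetch-Site is a fallback when Origin is absent.
    origin = headers.get("Origin")
    if origin is not None:
        if origin != ALLOWED_ORIGIN:
            return 403
    elif headers.get("Sec-Fetch-Site") in ("cross-site", "same-site"):
        return 403
    # 3. The token an attacker's page cannot read must match the session's
    #    copy; compare in constant time to avoid leaking it byte by byte.
    expected = session.get("csrf_token")
    if not expected or form_token is None or \
            not hmac.compare_digest(expected.encode(), form_token.encode()):
        return 403
    session.pop("user", None)
    session.pop("csrf_token", None)  # token is single-use; rotate after signout
    return 200
```

The status codes are the handler's decision only; a real deployment would also mark the session cookie SameSite=Lax or Strict so the browser drops it from cross-site POSTs in the first place.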
