Summary The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery (CSRF) attack. This proof of concept shows how an unauthenticated user could trick the administrator's browser into creating a new admin user. PoC We host the following HTML file on an attacker-controlled server. “`html history.pushState('', '', '/'); document.forms[0].submit(); “` If we now trick an administrator into visiting our malicious page at https://attacker.com/CSRF.html, we see that their browser will make a request to /api/add_user/%22hacker%22,%22hacker%22, adding a new administrator to the pyload application. The attacker can now authenticate as this newly created administrator user with the username hacker and password hacker. Impact Any API call can be made via a CSRF attack by an unauthenticated…Read More