Impact
Users with session tokens can make a request to add anything to the profileUI field of their user record in the db.
Patches
Requires patch in API: freeCodeCamp/api-server/src/server/boot/settings.js, line 144 in f53879b:
function updateMyProfileUI(req, res, next) {
Patch should accept only known values for the update.
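One way to implement that allow-list, as an added example written for this advisory rather than the project's own patch: profileUI keys are validated against a fixed list and coerced to booleans before the update runs. The key names and the `req.user.updateAttributes` call are assumptions, not taken from the freeCodeCamp schema.

```javascript
// Added example, not freeCodeCamp's patch. The key names are assumed
// display-toggle fields; replace them with the real user schema's keys.
const ALLOWED_PROFILE_UI_KEYS = Object.freeze([
  'isLocked', 'showAbout', 'showCerts', 'showLocation', 'showName',
  'showPoints', 'showPortfolio', 'showTimeLine'
]);

// Returns { ok: true, value } holding only known keys with boolean values,
// or { ok: false, reason } when the body carries anything unexpected.
function sanitizeProfileUI(input) {
  if (!input || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, reason: 'profileUI must be an object' };
  }
  // Reject rather than silently drop: an unknown key (e.g. anythingYouWant)
  // is a sign of a tampered request, not a client bug worth tolerating.
  const unknown = Object.keys(input).filter(k => !ALLOWED_PROFILE_UI_KEYS.includes(k));
  if (unknown.length) {
    return { ok: false, reason: `unknown profileUI keys: ${unknown.join(', ')}` };
  }
  const value = {};
  for (const key of ALLOWED_PROFILE_UI_KEYS) {
    if (Object.prototype.hasOwnProperty.call(input, key)) {
      if (typeof input[key] !== 'boolean') {
        return { ok: false, reason: `${key} must be a boolean` };
      }
      value[key] = input[key];
    }
  }
  return { ok: true, value };
}

// Express-style handler with the same shape as the advisory's
// updateMyProfileUI; `req.user.updateAttributes` is an assumed model method.
function updateMyProfileUI(req, res, next) {
  const result = sanitizeProfileUI(req.body && req.body.profileUI);
  if (!result.ok) {
    return res.status(400).json({ type: 'danger', message: result.reason });
  }
  // Only the sanitized object reaches the database write.
  return req.user.updateAttributes({ profileUI: result.value }, err => {
    if (err) return next(err);
    return res.status(200).json({ message: 'profileUI updated' });
  });
}
```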
Workarounds
None.
Example Attack
fetch('https://api.freecodecamp.dev/update-my-profileui', {
  method: "PUT",
  credentials: "include",
  headers: {
    "Content-Type": "application/json",
    "CSRF-TOKEN": document.cookie.split(';').find(c => c.trim().startsWith('csrf_token')).split('=')[1]
  },
  body: JSON.stringify({ profileUI: { anythingYouWant: 1 } })
}).catch(e => console.error(e));