This repository has been archived by the owner on Jul 17, 2018. It is now read-only.

CSRF vulnerability #46

Open
arthurdejong opened this issue Jul 22, 2013 · 0 comments

Comments

@arthurdejong

The view accepts vote updates as a GET request (actually any kind of request). As such it is trivial to use this to exploit the rating system from any third party site.

Example: site A uses django-ratings to rate some items. On site B add

<img src="http://A/rate-my-post/100/10" width="1" height="1" />

Any user visiting site B will rate the thing on site A.

The effects of this vulnerability depend mostly on can_change_vote and allow_anonymous.
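The attack above and the two checks that stop it, as an added stand-alone example: this is not code from the issue or from django-ratings, and it uses no Django. It simulates the rating view with a constructed `Request` class: the vulnerable version accepts any method and checks nothing beyond who is voting; the hardened version requires POST and a double-submit CSRF token (cookie value must equal the form field, the pattern Django's CsrfViewMiddleware uses, since a page on site B can make the browser send A's cookies but cannot read them). The `allow_anonymous` flag is a stand-in for the setting the issue names; the names `rate_vulnerable`, `rate_hardened`, `voter_id` and `simulate` are this example's own, and all requests and cookies are constructed inline.

```python
"""Constructed simulation of a CSRF-able rating endpoint (stdlib only)."""
import hmac
import secrets


class Request:
    """Minimal stand-in for an HTTP request; constructed for this example."""

    def __init__(self, method, cookies=None, form=None):
        self.method = method
        self.cookies = dict(cookies or {})
        self.form = dict(form or {})


def voter_id(request, allow_anonymous):
    """Identify the voter: the session cookie if present, otherwise an
    anonymous identity when the site allows anonymous votes, else None."""
    session = request.cookies.get("sessionid")
    if session:
        return "user:" + session
    return "anon" if allow_anonymous else None


def rate_vulnerable(request, ratings, object_id, score, allow_anonymous=False):
    """Behaviour described in the issue: any method is accepted and no CSRF
    token is checked, so a cross-site <img> GET looks like a real vote.
    Returns an HTTP-style status code and appends accepted votes to ratings."""
    voter = voter_id(request, allow_anonymous)
    if voter is None:
        return 403
    ratings.setdefault(object_id, []).append((voter, score))
    return 200


def rate_hardened(request, ratings, object_id, score, allow_anonymous=False):
    """Same endpoint with the two missing checks: POST only, and a double-submit
    CSRF token (cookie must match the form field; compared in constant time)."""
    if request.method != "POST":
        return 405
    cookie_token = request.cookies.get("csrftoken", "")
    form_token = request.form.get("csrfmiddlewaretoken", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return 403
    voter = voter_id(request, allow_anonymous)
    if voter is None:
        return 403
    ratings.setdefault(object_id, []).append((voter, score))
    return 200


def simulate():
    """Replay the attack: a victim logged in to site A visits site B, whose
    <img src="http://A/rate-my-post/100/10"> makes the browser send a GET to A
    with A's cookies attached and no form body.  Returns per-step outcomes."""
    token = secrets.token_hex(16)
    victim_cookies = {"sessionid": "victim-session", "csrftoken": token}
    vuln, hard = {}, {}
    results = {}

    # 1. Cross-site image GET, exactly as in the issue.
    img_get = Request("GET", cookies=victim_cookies)
    results["img_get"] = (rate_vulnerable(img_get, vuln, 100, 10),
                          rate_hardened(img_get, hard, 100, 10))

    # 2. Site B switches to an auto-submitting POST form: cookies still travel,
    # but B cannot read A's csrftoken cookie, so the form field is a guess.
    forged_post = Request("POST", cookies=victim_cookies,
                          form={"csrfmiddlewaretoken": "guess"})
    results["forged_post"] = (rate_vulnerable(forged_post, vuln, 100, 10),
                              rate_hardened(forged_post, hard, 100, 10))

    # 3. Legitimate same-origin form on site A carries the matching token.
    real_post = Request("POST", cookies=victim_cookies,
                        form={"csrfmiddlewaretoken": token})
    results["real_post"] = (rate_vulnerable(real_post, vuln, 100, 10),
                            rate_hardened(real_post, hard, 100, 10))

    # 4. allow_anonymous widens the impact: with it on, every visitor of site B
    # casts a vote on A whether or not they have an account there.
    anon_get = Request("GET")
    results["anon_get_allowed"] = rate_vulnerable(anon_get, {}, 100, 10,
                                                  allow_anonymous=True)
    results["anon_get_denied"] = rate_vulnerable(anon_get, {}, 100, 10,
                                                 allow_anonymous=False)

    # Votes the two endpoints actually recorded for object 100.
    results["votes_recorded"] = (len(vuln.get(100, [])), len(hard.get(100, [])))
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

In a real Django view the equivalent is `@require_POST` plus CSRF protection (`@csrf_protect` or the middleware) on the rating view, with the front end submitting a form or an XHR carrying the token instead of linking to a GET URL.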
