Teedy Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Teedy versions through 1.12 because the application does not adequately protect against CSRF. It allows unauthenticated remote attackers to trick users into performing unintended actions, such as altering profile details or modifying application data. Most API requests are susceptible; requests that involve password changes are not, because an attacker cannot predict the password. The session cookie also lacks a 'SameSite' attribute, so whether a cross-site POST carries the cookie depends on the victim's browser and its defaults.
Impact
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the user, such as changing passwords, modifying account information, deleting accounts, disabling two-factor authentication, creating new users, and managing group memberships.
Reproduction
To reproduce this vulnerability, an attacker must host a webpage that submits a form to the Teedy API user endpoint, including a new password in the form data. The attacker then needs to trick a user into visiting this webpage while they are logged into Teedy. This can be done by sending a link to the hosted page, which, when clicked, will automatically submit the form and change the user's password to the one specified in the form.
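The defensive counterpart to the behaviour described above is a server-side check that rejects cross-site form POSTs and an audit of the session cookie's attributes. The following is an added example written for this page, not code from Teedy; the application origin, the cookie name `auth_token`, the header name `X-CSRF-Token`, the form field `csrf_token` and the sample requests are all constructed assumptions. It combines an Origin/Referer check with a synchronizer token, and reports when a session cookie is missing the 'SameSite', 'Secure' or 'HttpOnly' attributes.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin at which the application is served, as the browser sees it (assumed value).
APP_ORIGIN = "https://docs.example.internal"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map.

    Valueless attributes (HttpOnly, Secure) map to True; valued ones keep their value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str) -> list:
    """Report the CSRF-relevant weaknesses of a session cookie's Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or not samesite:
        findings.append("no SameSite attribute: cross-site POSTs carry the cookie unless the browser defaults to Lax")
    elif samesite.lower() == "none":
        findings.append("SameSite=None: cookie is attached to every cross-site request")
    if "secure" not in attrs:
        findings.append("no Secure attribute: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly attribute: cookie is readable from script")
    return findings


def issue_csrf_token() -> str:
    """Create an unguessable synchronizer token to store with the server-side session."""
    return secrets.token_urlsafe(32)


def request_origin(headers: dict) -> str:
    """Derive 'scheme://host' from Origin, falling back to Referer; '' when neither is usable."""
    source = headers.get("origin") or headers.get("referer") or ""
    parts = urlsplit(source)
    if not parts.scheme or not parts.netloc:
        return ""  # covers a missing header and the opaque 'null' origin
    return f"{parts.scheme}://{parts.netloc}"


def is_request_allowed(request: dict, session_csrf_token: str) -> bool:
    """Decide whether a state-changing request may proceed.

    Both checks must pass: the request must come from the application's own origin
    (a request with neither Origin nor Referer is rejected, i.e. fail closed), and it
    must carry the session's synchronizer token, which a page on another origin cannot
    read because of the same-origin policy. Safe methods are exempt, which presumes the
    application never changes state on GET.
    """
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if request_origin(headers) != APP_ORIGIN:
        return False
    supplied = headers.get("x-csrf-token") or request.get("form", {}).get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), session_csrf_token.encode())


SESSION_CSRF_TOKEN = issue_csrf_token()  # one session's token, held constant for the samples

# Constructed sample requests (not captured traffic).
SAME_ORIGIN_UPDATE = {
    "method": "POST",
    "headers": {"Origin": APP_ORIGIN, "Cookie": "auth_token=s3ss10n"},
    "form": {"email": "alice@example.internal", "csrf_token": SESSION_CSRF_TOKEN},
}
CROSS_SITE_FORM_POST = {  # what an auto-submitting form on another site produces
    "method": "POST",
    "headers": {"Origin": "https://attacker.example", "Cookie": "auth_token=s3ss10n"},
    "form": {"email": "changed@attacker.example"},
}
NO_ORIGIN_POST = {  # neither Origin nor Referer: rejected rather than assumed benign
    "method": "POST",
    "headers": {"Cookie": "auth_token=s3ss10n"},
    "form": {"email": "changed@attacker.example", "csrf_token": SESSION_CSRF_TOKEN},
}
WEAK_COOKIE = "auth_token=s3ss10n; Path=/; HttpOnly"
HARDENED_COOKIE = "auth_token=s3ss10n; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for finding in audit_session_cookie(WEAK_COOKIE):
        print("weak cookie:", finding)
    print("hardened cookie findings:", audit_session_cookie(HARDENED_COOKIE))
    print("same-origin update allowed:", is_request_allowed(SAME_ORIGIN_UPDATE, SESSION_CSRF_TOKEN))
    print("cross-site form POST allowed:", is_request_allowed(CROSS_SITE_FORM_POST, SESSION_CSRF_TOKEN))
    print("originless POST allowed:", is_request_allowed(NO_ORIGIN_POST, SESSION_CSRF_TOKEN))
```

The two checks are deliberately independent: the Origin check alone fails open in browsers or proxies that strip the header, which is why a missing header is treated as a rejection, and the token check alone does nothing if the token ever leaks into a URL or log. Setting `SameSite=Lax` on the session cookie removes the dependence on browser defaults that the advisory points out, but it is a defence in depth, not a replacement for the server-side checks.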