Webkul QloApps Cross-Site Request Forgery Vulnerability in Logout Function

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Webkul QloApps version 1.6.1. The issue arises in the logout function within the URL Handler component, specifically through the '/en/?mylogout' endpoint. This vulnerability allows an attacker to force an authenticated user to log out without their consent, potentially disrupting active sessions and causing issues for users and administrators alike.

Impact

Exploitation of this vulnerability leads to unauthorized logout of users, including administrators, which can disrupt active sessions and site management functions.

Reproduction

To reproduce this vulnerability, log in as a user or administrator on QloApps 1.6.1. Then, visit the '/en/?mylogout' URL. This action will immediately log the user out without any confirmation.
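The defensive counterpart, as an added example that is not QloApps code: a minimal logout handler in the GET-triggered form the advisory describes beside a hardened one that requires POST and a session-bound token. `Session`, `Request`, `vulnerable_logout`, `hardened_logout` and `demo` are hypothetical names, and the sessions and requests are constructed in memory.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-ins for a server session and an HTTP request
# (hypothetical; not QloApps code).
@dataclass
class Session:
    user: str
    logged_in: bool = True
    # Per-session secret that a legitimate logout form must echo back.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

@dataclass
class Request:
    method: str
    query: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session] = None

def vulnerable_logout(req: Request) -> int:
    """Pattern described in the advisory: any request carrying ?mylogout
    ends the session, so a browser made to fetch the URL logs the user out."""
    if req.session is not None and "mylogout" in req.query:
        req.session.logged_in = False
        return 302
    return 200

def hardened_logout(req: Request) -> int:
    """Logout is a state change: require POST and a token bound to the session.
    A cross-site page cannot read the token, so it cannot forge the request;
    marking the session cookie SameSite=Lax adds a second layer."""
    if req.session is None or "mylogout" not in req.query:
        return 200
    if req.method != "POST":
        return 405  # a plain link or image fetch never logs anyone out
    supplied = req.form.get("token", "")
    # Constant-time comparison avoids leaking the token byte by byte.
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403
    req.session.logged_in = False
    return 302

def demo() -> dict:
    """Replay the advisory's GET against both handlers; return (status, still logged in)."""
    s1, s2 = Session("admin"), Session("admin")
    q = {"mylogout": ""}
    out = {"vulnerable": (vulnerable_logout(Request("GET", q, {}, s1)), s1.logged_in)}
    out["hardened_get"] = (hardened_logout(Request("GET", q, {}, s2)), s2.logged_in)
    legit = Request("POST", q, {"token": s2.csrf_token}, s2)
    out["hardened_post"] = (hardened_logout(legit), s2.logged_in)
    return out
```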

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 7.9
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.