Commercify Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Commercify version 1.0, an open-source e-commerce platform. The vulnerability allows remote attackers to perform unauthorized actions on behalf of authenticated users. This issue arises from a lack of proper CSRF protection on sensitive endpoints, such as '/update_settings', which can be exploited to modify user data.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in user account information, potential privilege escalation if the modified settings include role or email changes, and scenarios of account takeover.
Reproduction
The vulnerability can be reproduced by sending a POST request to the '/update_settings' endpoint without a CSRF token. This can be done from another domain, taking advantage of the missing CSRF protection. An HTML form can be created to automate the submission of such a request, including the desired data changes.
Remediation
To address this vulnerability, CSRF tokens should be added to all state-changing endpoints. Additionally, cookies should be set with the 'SameSite' attribute to 'Strict' or 'Lax', and CORS policies should be defined more restrictively.
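As an added illustration of the remediation above (this is not Commercify's code; the endpoint shape, field names, session object and `shop.example` origin are all assumed), the following standard-library Python shows a '/update_settings' handler that applies form data straight from the session cookie beside a hardened version that requires a session-bound synchronizer token, checks the request origin, restricts which settings can be changed, and issues the session cookie with `SameSite=Lax`, `HttpOnly` and `Secure`:

```python
"""
Hypothetical CSRF hardening for an '/update_settings'-style endpoint.
Added example, not Commercify code; all names and values are assumptions.
Uses only the Python standard library (3.8+ for SameSite in SimpleCookie).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional
from urllib.parse import urlparse

SERVER_SECRET = secrets.token_bytes(32)   # assumed per-deployment secret (keep in config)
TRUSTED_ORIGIN = "https://shop.example"   # constructed origin for this example
ALLOWED_FIELDS = {"display_name", "newsletter"}  # role/email changes are NOT settable here


@dataclass
class Session:
    session_id: str
    user_id: int
    settings: Dict[str, str] = field(default_factory=dict)


def csrf_token_for(session: Session) -> str:
    """Synchronizer token: HMAC of the session id under the server secret.
    Rendered into every state-changing form as a hidden field."""
    return hmac.new(SERVER_SECRET, session.session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session: Session, submitted: Optional[str]) -> bool:
    """Constant-time comparison so the check does not leak token bytes."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session), submitted)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Defence in depth: browsers attach Origin (or Referer) to cross-site POSTs.
    A missing header is rejected; a matching scheme+host is required."""
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return False
    parsed = urlparse(src)
    return f"{parsed.scheme}://{parsed.netloc}" == TRUSTED_ORIGIN


def update_settings_vulnerable(session: Session, form: Dict[str, str]) -> int:
    """Before: any request carrying the session cookie is honoured,
    so a form auto-submitted from another site changes the victim's data."""
    session.settings.update(form)
    return 200


def update_settings_hardened(session: Session, headers: Dict[str, str],
                             form: Dict[str, str]) -> int:
    """After: origin check, token check, and an allow-list of mutable fields."""
    if not origin_allowed(headers):
        return 403
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403
    changes = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    session.settings.update(changes)
    return 200


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie: SameSite=Lax stops the browser
    attaching it to cross-site POSTs, HttpOnly keeps it from scripts, Secure
    keeps it off plaintext HTTP."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    victim = Session(session_id="sess-0001", user_id=42, settings={"email": "a@shop.example"})
    cross_site = {"Origin": "https://attacker.example"}   # constructed
    same_site = {"Origin": TRUSTED_ORIGIN}
    forged = {"email": "x@attacker.example"}
    print("vulnerable:", update_settings_vulnerable(victim, dict(forged)), victim.settings)
    victim.settings["email"] = "a@shop.example"
    print("hardened, cross-site:", update_settings_hardened(victim, cross_site, dict(forged)))
    good = {"csrf_token": csrf_token_for(victim), "display_name": "Alice", "email": "nope"}
    print("hardened, legit:", update_settings_hardened(victim, same_site, good), victim.settings)
    print(session_cookie_header(victim.session_id))
```

The two handlers take the same form dictionary so the difference is visible in one run: the vulnerable one accepts the cross-site submission, while the hardened one rejects it on the origin check before the token is even consulted, and even a legitimate request cannot change `email` because it is not in `ALLOWED_FIELDS`. Both the token and the `SameSite` cookie attribute are kept because older browsers and some redirect flows do not enforce `SameSite`.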
