Laundry Cross-Site Request Forgery Vulnerability Allowing Account Takeover

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Laundry version 2.3.0, running on Linux and macOS. Because the application does not protect its state-changing requests against CSRF, an attacker can trick a logged-in user into visiting a malicious page that performs unauthorized actions on their behalf, such as changing the account password, which leads to account takeover.

Impact

Exploitation of this vulnerability allows for unauthorized account access, enabling an attacker to take over a user's account.

Reproduction

To reproduce this vulnerability, craft a cross-site request that targets the 'change_pass.php' script in the 'laundry/data' directory. The request must include a POST parameter named 'pwd' set to the desired password. When a logged-in victim follows the malicious link, the password is changed to the value supplied, effectively taking over the account.
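The root cause is that 'change_pass.php' accepts a POST carrying only 'pwd' from any origin. Below is an added example, not Laundry's own code, of how such a handler is hardened with the synchronizer-token pattern plus a current-password check; the helper names verify_current_password() and update_password() are assumptions made for this illustration.

```php
<?php
// Added example, not Laundry's own code: a change_pass.php handler hardened with
// the synchronizer-token pattern, so a cross-site POST carrying only 'pwd' is
// refused. Helper names verify_current_password() and update_password() are
// assumptions for this illustration, not functions from the project.
session_start();

// Issue one unguessable token per session; the legitimate form embeds it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token against the session copy in constant time.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A page on another origin cannot read the victim's token, so a forged
    // request arrives without it (or with a wrong one) and stops here.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Defence in depth: also demand the current password, a secret the
    // attacker does not hold even if the token check were bypassed.
    $current = $_POST['current_pwd'] ?? '';
    $new     = $_POST['pwd'] ?? '';
    if (!verify_current_password($_SESSION['user_id'], $current)) {
        http_response_code(403);
        exit('Current password incorrect');
    }
    update_password($_SESSION['user_id'], password_hash($new, PASSWORD_DEFAULT));
    session_regenerate_id(true); // invalidate any session fixated before the change
    exit('Password changed');
}
?>
<form method="post" action="change_pass.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="password" name="current_pwd" placeholder="Current password">
  <input type="password" name="pwd" placeholder="New password">
  <button type="submit">Change password</button>
</form>
```

Setting the session cookie with the SameSite attribute (via session_set_cookie_params) adds a browser-side layer, but the server-side token check above is what actually closes the hole.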

Added: Jul 2, 2025, 5:18 PM
Updated: Jul 2, 2025, 8:23 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 7.7
remediation:    0.0
relevance:      0.2
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.