atjiu pybbs
- <= 6.0.0
A cross-site request forgery (CSRF) vulnerability has been identified in atjiu pybbs versions through 6.0.0. The issue arises in the 'setCookie' function within 'src/main/java/co/yiiu/pybbs/util/CookieUtil.java'. This vulnerability allows attackers to manipulate cookie settings, potentially leading to unauthorized actions being performed on behalf of users.
Exploitation of this vulnerability allows for cross-site request forgery attacks, where an attacker can trick a user into performing actions they did not intend to, such as modifying account information or deleting user accounts.
To reproduce this vulnerability, send a POST request to the '/admin/user/edit' endpoint without a valid CSRF token. Include the 'id', 'username', 'password', 'email', and 'bio' fields in the request. The absence of CSRF protection allows the request to be processed as if it were sent by the user.
Users are advised to update to the latest version of atjiu pybbs, where this vulnerability has been addressed.
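The advisory's root cause is a state-changing endpoint that accepts a POST carrying only the browser's session cookie, with no per-session token to prove the request originated from the application's own pages. The hardened pattern below is an added, hypothetical example written for this page; it is not pybbs's CookieUtil or any code from the project. It assumes a plain servlet environment and invents the session attribute name, form field name, and handler method shown; the two mitigations it combines are a synchronizer token checked on every POST and a session cookie emitted with `HttpOnly`, `Secure` and `SameSite=Strict` so the browser withholds it on cross-site requests in the first place.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper; names below are assumptions made for this example.
public final class CsrfGuard {
    private static final String TOKEN_ATTR = "csrf_token"; // assumed session attribute name
    private static final String TOKEN_PARAM = "_csrf";     // assumed form field name
    private static final String TOKEN_HEADER = "X-CSRF-Token"; // assumed header for AJAX clients
    private static final SecureRandom RNG = new SecureRandom();
    // RFC 6265 cookie-octet set: rejects CR/LF, ';', ',', '"', '\\' and whitespace,
    // so a value cannot inject extra attributes or headers into the Set-Cookie line.
    private static final Pattern COOKIE_OCTETS =
        Pattern.compile("^[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*$");

    private CsrfGuard() {}

    // Emit the session cookie with the attributes that limit cross-site use.
    // javax.servlet's Cookie class has no SameSite setter, so the header is written directly.
    public static void setSessionCookie(HttpServletResponse resp, String name,
                                        String value, int maxAgeSeconds) {
        if (!COOKIE_OCTETS.matcher(name).matches() || !COOKIE_OCTETS.matcher(value).matches()) {
            throw new IllegalArgumentException("cookie name/value contains disallowed characters");
        }
        String header = name + "=" + value
            + "; Path=/"
            + "; Max-Age=" + Math.max(0, maxAgeSeconds)
            + "; HttpOnly"          // not readable from script
            + "; Secure"            // only sent over HTTPS
            + "; SameSite=Strict";  // withheld on cross-site requests
        resp.addHeader("Set-Cookie", header);
    }

    // Generate a fresh random token, bind it to the session, and return it for the form.
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }

    // A request is trusted only if it presents the token stored in its own session.
    public static boolean isValidToken(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return false;
        }
        Object expected = session.getAttribute(TOKEN_ATTR);
        String supplied = req.getParameter(TOKEN_PARAM);
        if (supplied == null) {
            supplied = req.getHeader(TOKEN_HEADER);
        }
        if (!(expected instanceof String) || supplied == null) {
            return false;
        }
        // Constant-time comparison avoids leaking the token through timing.
        return MessageDigest.isEqual(
            ((String) expected).getBytes(StandardCharsets.UTF_8),
            supplied.getBytes(StandardCharsets.UTF_8));
    }

    // Shape of a state-changing handler such as the advisory's /admin/user/edit:
    // reject anything that is not a POST carrying a valid token before touching state.
    public static boolean handleUserEdit(HttpServletRequest req,
                                         HttpServletResponse resp) throws IOException {
        if (!"POST".equals(req.getMethod()) || !isValidToken(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return false;
        }
        // ... apply the edit to id/username/password/email/bio here ...
        return true;
    }
}
```

The form that renders the edit page embeds the value returned by `issueToken` as the hidden `_csrf` field; `handleUserEdit` then refuses any POST that lacks it, which is exactly the request shape the reproduction steps above describe. In a Spring Boot application like pybbs the idiomatic route is to keep Spring Security's built-in CSRF protection enabled rather than hand-rolling this, but the checks it performs are the same as the ones shown. Note the cookie attributes are defence in depth, not a replacement for the token: `SameSite=Strict` depends on browser support, and a same-site page with an injection flaw would still carry the cookie.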