Koillection Cross-Site Request Forgery Vulnerability in CSRF Protection Controller

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Koillection versions prior to 1.6.18. The issue resides in the CSRF protection controller, specifically in the file 'assets/controllers/csrf_protection_controller.js'. The flaw allows an attacker to have forms submitted on behalf of a logged-in user, potentially leading to unauthorized changes to that user's credentials, such as the password and email address. It can be exploited remotely, without the attacker needing an account, by tricking a user into interacting with a malicious website.

Impact

Exploitation of this vulnerability allows for cross-site request forgery, where an attacker can perform actions on behalf of an authenticated user, such as changing account credentials. This could lead to account takeover, especially if an administrator's account is compromised.

Reproduction

The vulnerability can be reproduced by hosting a malicious website that sends a POST request to the '/profile' endpoint while the victim is authenticated. This can be done by including the CSRF token and other profile data in the request. When the user visits the malicious site, the form is submitted automatically and the changes are applied to the user's profile.

Remediation

Users are advised to upgrade to Koillection version 1.7.0, which addresses this vulnerability by implementing a new CSRF handling method based on stateless tokens. The update is available on the Koillection GitHub releases page.

Added: Aug 31, 2025, 10:20 PM
Updated: Aug 31, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm (score per category, 0 to 10)

  spread          0.0
  impact          2.5
  exploitability  7.7
  remediation     7.7
  relevance       0.4
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.