PlaciPy Missing CSRF Protection Vulnerability in CORS Requests

Vulnerability

A vulnerability exists in PlaciPy version 1.0.0, where the application allows credentialed Cross-Origin Resource Sharing (CORS) requests but lacks proper Cross-Site Request Forgery (CSRF) protection. This issue affects all authenticated state-changing endpoints, including POST, PUT, PATCH, and DELETE methods. The absence of CSRF tokens, combined with the failure to validate Origin or Referer headers and the lack of SameSite cookie protection, exposes the application to cross-site request forgery attacks. As a result, unauthorized state changes, account manipulation, and potential privilege abuse for targeted admin accounts could occur.

Impact

Exploitation of this vulnerability could lead to unauthorized state changes, account manipulation, and assessment creation or deletion via CSRF. Additionally, if an admin account is targeted, it could result in privilege abuse.

Remediation

To address this vulnerability, it is recommended to implement CSRF tokens using a library like 'csurf', enforce 'SameSite=Strict' cookie settings, validate 'Origin' and 'Referer' headers, and require re-authentication for sensitive actions.
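The remediation above, written out as an added example rather than PlaciPy's own code: a framework-agnostic Python check that applies the Origin/Referer validation, per-session CSRF token comparison and SameSite=Strict cookie settings the advisory recommends to every POST, PUT, PATCH and DELETE request. The origin placipy.example is a hypothetical value standing in for the real deployment.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical deployment origin; the advisory does not name the application's host.
ALLOWED_ORIGINS = {"https://placipy.example"}
# The methods the advisory lists as affected state-changing endpoints.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_csrf_token():
    """Per-session random token; stored server-side and echoed into forms."""
    return secrets.token_urlsafe(32)


def session_cookie(value):
    """Set-Cookie value with SameSite=Strict (as recommended) plus Secure and
    HttpOnly, so the browser withholds the cookie on cross-site requests."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def _origin(url):
    """Reduce a full URL (e.g. a Referer) to scheme://host[:port]."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, headers, session_token, submitted_token):
    """Return (allowed, reason). Safe methods pass; state-changing methods need
    an allow-listed Origin (or Referer) and a token matching the session's."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    h = {k.lower(): v for k, v in headers.items()}
    # Prefer Origin; fall back to Referer. An opaque "null" Origin fails the
    # allow-list check below, which is the intended outcome.
    origin = h.get("origin") or _origin(h.get("referer"))
    if origin is None:
        return False, "missing Origin and Referer"
    if origin.lower() not in ALLOWED_ORIGINS:
        return False, f"cross-site origin {origin}"
    if not session_token or not submitted_token:
        return False, "CSRF token missing"
    # Constant-time comparison avoids leaking the token byte by byte.
    if not hmac.compare_digest(session_token.encode(), submitted_token.encode()):
        return False, "CSRF token mismatch"
    return True, "same-origin request with valid token"
```

Re-authentication for sensitive actions, the advisory's last recommendation, sits outside this check and is enforced per endpoint.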

Added: Feb 9, 2026, 11:13 PM
Updated: Feb 9, 2026, 11:13 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.3
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.