HireFlow Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in HireFlow version 1.2, as the application fails to validate CSRF tokens on any state-changing POST endpoint. This issue affects all forms, including password changes, candidate deletions, feedback submissions, and interview scheduling. An attacker who can deceive an authenticated user into visiting a malicious page could silently alter the user's password, remove records, or submit data on their behalf. Additionally, the absence of the SESSION_COOKIE_SAMESITE attribute eliminates a crucial browser-level defense against CSRF attacks.
Impact
Exploitation of this vulnerability could lead to unauthorized password changes, allowing for silent account takeovers. It also enables the deletion of candidate records and the submission of forged feedback and interview entries on behalf of any authenticated user.
Reproduction
To reproduce this vulnerability, an attacker can create a malicious HTML page with an auto-submitting form that targets one of HireFlow's state-changing POST endpoints. When an authenticated user visits the page, the browser will automatically include the user's session cookie with the cross-origin POST request, completing the CSRF attack without any user interaction beyond visiting the page.
Remediation
Users are advised to update to HireFlow version 1.3, where this vulnerability has been patched. For those using an earlier version, implementing CSRF tokens on all state-changing POST forms and setting the SESSION_COOKIE_SAMESITE attribute in the Flask configuration are recommended.
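The following is an added example, not HireFlow's own code or its 1.3 patch. It illustrates the two remediation steps just described for a Flask-style application using only the Python standard library: a per-session synchronizer (CSRF) token that every state-changing request must present, and a session cookie configuration that sets SESSION_COOKIE_SAMESITE. The function names (check_csrf, issue_csrf_token, samesite_is_set), the config dicts and the simulated request dicts are assumptions made for this example; a real Flask deployment would normally use Flask-WTF's CSRFProtect rather than a hand-rolled check, and would set these keys on app.config.

```python
"""
Added example (not HireFlow's code): stdlib-only illustration of
 1. a session-bound CSRF token required on state-changing requests, and
 2. Flask session cookie settings including SESSION_COOKIE_SAMESITE.
"""
import hashlib
import hmac
import secrets

# Flask configuration expressed as plain dicts so this runs without Flask.
# Weak: SameSite is unset, so browsers attach the session cookie to
# cross-site POSTs (the condition the advisory describes).
WEAK_SESSION_CONFIG = {
    "SESSION_COOKIE_HTTPONLY": True,
}

# Hardened: Lax withholds the cookie on cross-site POST while keeping normal
# top-level navigation working; Secure keeps it off plaintext HTTP.
HARDENED_SESSION_CONFIG = {
    "SESSION_COOKIE_SAMESITE": "Lax",
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}

# Server-side secret, constructed for the example (Flask's SECRET_KEY role).
SECRET_KEY = secrets.token_bytes(32)

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; a token from another session
    (or one an attacker page cannot read) will not validate."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(request: dict) -> tuple:
    """Validate the token on a simulated request.

    `request` is a constructed dict with keys: method, session_id, form.
    Safe methods are not checked; state-changing ones must carry a
    'csrf_token' form field equal to the token issued for the session.
    Returns (allowed, reason).
    """
    if request["method"] not in STATE_CHANGING_METHODS:
        return True, "safe method, no token required"
    submitted = request.get("form", {}).get("csrf_token")
    if not submitted:
        return False, "missing csrf_token"
    expected = issue_csrf_token(request["session_id"])
    # Constant-time comparison so the check itself leaks no timing signal.
    if not hmac.compare_digest(submitted, expected):
        return False, "csrf_token does not match session"
    return True, "ok"


def samesite_is_set(config: dict) -> bool:
    """True when the session cookie would carry a SameSite attribute."""
    return config.get("SESSION_COOKIE_SAMESITE") in ("Lax", "Strict")


if __name__ == "__main__":
    sid = "sess-abc123"  # constructed session id
    token = issue_csrf_token(sid)
    # Legitimate form rendered by the app includes the token.
    legit = {"method": "POST", "session_id": sid,
             "form": {"new_password": "x", "csrf_token": token}}
    # A cross-site form cannot read the token, so it arrives without one.
    cross_site = {"method": "POST", "session_id": sid,
                  "form": {"new_password": "x"}}
    print("legit:", check_csrf(legit))
    print("cross-site:", check_csrf(cross_site))
    print("weak config SameSite set:", samesite_is_set(WEAK_SESSION_CONFIG))
    print("hardened config SameSite set:", samesite_is_set(HARDENED_SESSION_CONFIG))
```

The token check and the SameSite attribute are complementary: the token defends browsers that do not enforce SameSite, and SameSite=Lax defends endpoints a developer forgets to protect with a token.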