# Cross-Site Request Forgery
Affected product and version: Plesk Obsidian 18.0.37
Severity: High
Impact: Submit requests with attacker information
Description: CSRF could let an attacker submit new requests because no CSRF token is sent with requests to the server.
Steps to reproduce:
- Log in and try to submit any request
- Capture the request with Burp Suite
- Note that no token protection is sent with the request to the server
- Write a simple HTML exploit to submit the request
- Open it in a browser
- Submit the request
- You will find that your data is submitted successfully
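The check in the third step can be automated when reviewing captured traffic. The script below is an added example, not part of the original advisory or Plesk's code; the token names, host and path are assumptions and the sample requests are constructed.

```python
import json
from urllib.parse import parse_qsl

# Assumed token names; adjust to the application under review.
TOKEN_NAMES = {"csrf_token", "csrf-token", "x-csrf-token", "x-xsrf-token", "_token"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample request (hypothetical host and path, not from the advisory).
UNPROTECTED = (
    "POST /example/settings HTTP/1.1\r\nHost: panel.example\r\n"
    "Cookie: SESSION=abc\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "email=user%40example.com"
)
PROTECTED = UNPROTECTED + "&csrf_token=3f9c1e"  # same request with a token field


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    first, *rest = head.split("\n")
    method = first.split(" ", 1)[0].upper()
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in rest)}
    return method, headers, body


def body_fields(headers, body):
    """Return body parameters for form-encoded or JSON requests."""
    ctype = headers.get("content-type", "")
    if "json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return data if isinstance(data, dict) else {}
    if "x-www-form-urlencoded" in ctype:
        return dict(parse_qsl(body, keep_blank_values=True))
    return {}


def missing_csrf_token(raw):
    """True when a state-changing request carries no non-empty CSRF token.
    Cookies are ignored: the browser attaches them to forged requests too."""
    method, headers, body = parse_request(raw)
    if method not in STATE_CHANGING:
        return False
    candidates = {**body_fields(headers, body), **headers}
    return not any(
        v is not None and str(v).strip()
        for k, v in candidates.items() if k.lower() in TOKEN_NAMES
    )
```

A `False` result only shows that a token was sent; whether the server rejects a missing or wrong token still has to be verified separately.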