Possible CSRF vulnerabilities
Closed this issue · 1 comments
scalzava commented
To whom it may concern.
Our security team is working on the automated detection of session vulnerabilities in opensource web applications, including CSRF. Our analyzer identified that the submit_as_json and submit_as_json_v1 functions of ledger_submit/views.py have been declared as CSRF exempt. After manual analysis, we believe that this practice might leave your application vulnerable to security-relevant CSRF attempts.
Can you take a look into the relevant code parts and comment on the issue?
vifon commented
These endpoints are intended to be used externally, the CSRF exempts are fully intended.