CSRF on Site Configuration leading to Total Site Defacement

### Description:
The com.site.blog.my.core.controller.admin.ConfigurationController#website interface is vulnerable to CSRF attacks. It allows an attacker to modify global website settings through a logged-in administrator.
### Impact:
This is a high-impact vulnerability as it allows for total site defacement. An attacker can change the website's name, logo, footer information, and other core settings, effectively taking control of the site's visual identity and administrative information.
### Cause:
Critical configuration updates are performed via standard POST requests that do not require a CSRF token or custom headers.

### com.site.blog.my.core.controller.admin.ConfigurationController#website
Arbitrary modification of website configuration

Before the attack

<img width="1748" height="1222" alt="Image" src="https://github.com/user-attachments/assets/37a8470c-7143-4d7f-b8c9-1da04da5b538" />

After the attack

<img width="1144" height="407" alt="Image" src="https://github.com/user-attachments/assets/5b9ab823-d6e3-4a87-afca-b10229151e5c" />

<img width="1539" height="1115" alt="Image" src="https://github.com/user-attachments/assets/f296eee2-f3d1-43ab-9042-875647bb2227" />



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSRF on Site Configuration leading to Total Site Defacement #157

Description:

Impact:

Cause:

com.site.blog.my.core.controller.admin.ConfigurationController#website

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CSRF on Site Configuration leading to Total Site Defacement #157

Description

Description:

Impact:

Cause:

com.site.blog.my.core.controller.admin.ConfigurationController#website

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions