Cross-Site Request Forgery (CSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The controller does not enable CSRF (Cross-Site Request Forgery) protection with `protect_from_forgery`. Without it, a malicious site can cause a logged-in user's browser to submit state-changing requests to the application, and the application will accept them as if the user had consented.
Impact
Without CSRF protection, attackers may trick users into performing unwanted actions, such as changing account details or making transactions, while logged in. This can lead to data loss, unauthorized changes, or compromise of sensitive user information.
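To make concrete what `protect_from_forgery` enforces, the following is an added, self-contained model of the synchronizer-token check (it is not Rails' own code and does not depend on Rails): a per-session secret, a masked token rendered into forms, and a verifier that lets GET/HEAD through but rejects any other request whose token does not unmask to the session secret. The `CsrfGuard` class, the plain Hash standing in for the session store, and the 32-byte token length are assumptions made for the example.

```ruby
require "securerandom"
require "base64"

# Simplified model of the check behind Rails' `protect_from_forgery`
# (added example; not the framework's implementation).
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD].freeze   # read-only methods are not verified
  TOKEN_LENGTH = 32                     # assumed secret length in bytes

  # `session` is a plain Hash standing in for the Rails session store.
  def initialize(session)
    @session = session
    @session[:_csrf_token] ||= SecureRandom.random_bytes(TOKEN_LENGTH)
  end

  # Token embedded in the form / meta tag. The secret is XORed with a fresh
  # one-time pad on every render, so the raw secret never appears in HTML
  # and two renders never produce the same token.
  def masked_token
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    Base64.strict_encode64(pad + xor(pad, @session[:_csrf_token]))
  end

  # Safe methods pass; any other method must carry a token, either as the
  # `authenticity_token` form param or the X-CSRF-Token header, that
  # unmasks to this session's secret. A cross-site page cannot read the
  # secret, so a forged request fails here.
  def verified?(http_method:, params: {}, headers: {})
    return true if SAFE_METHODS.include?(http_method.upcase)
    supplied = params["authenticity_token"] || headers["X-CSRF-Token"]
    return false if supplied.nil?
    begin
      decoded = Base64.strict_decode64(supplied)
    rescue ArgumentError
      return false                      # malformed token
    end
    return false unless decoded.bytesize == 2 * TOKEN_LENGTH
    pad    = decoded[0, TOKEN_LENGTH]
    masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_equal?(xor(pad, masked), @session[:_csrf_token])
  end

  private

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison so the verifier does not leak the secret via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In the application itself the fix is the one-line `protect_from_forgery with: :exception` in `ApplicationController`; this block only models what that line checks on each request.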