Skip to content

Hotfix 2.3.6 - fix security bug that allow to change service account token

Alexis Ragot requested to merge hotfix/2.3.6 into master

The http request to change the token is of type GET. The GET type isn't check by the CSRF protection. So, with a CSRF attack on an administrator user, is possible to change the service token. The API was changed with the PUT http request type.

Merge request reports

Loading