Hotfix 2.3.6 - fix security bug that allow to change service account token (!164) · Merge requests · Maarch / maarchRM

Alexis Ragot requested to merge hotfix/2.3.6 into master Dec 06, 2018

The http request to change the token is of type GET. The GET type isn't check by the CSRF protection. So, with a CSRF attack on an administrator user, is possible to change the service token. The API was changed with the PUT http request type.

Hotfix 2.3.6 - fix security bug that allow to change service account token

Merge request reports