
Breaking change: Use a POST request to log out

Open brian-kephart opened this issue 3 years ago • 0 comments

Currently a GET request is used to log out, meaning a CSRF attack could log out the user. The request should be a POST with a CSRF token to prevent this.

This route is used in the built-in themes. While the themes can be updated, it's likely that users have used the built-in themes as a starting point for their own custom themes, so fixing this issue would be a breaking change.

Since the only thing such an attack would accomplish is to log out the user, this issue does not put users or data at risk, but it should be addressed at the next major version bump.

brian-kephart, Feb 21 '22 23:02
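The two behaviours the issue contrasts, as an added example that is not Camaleon CMS code and not part of the issue: a GET logout handler, which any cross-site request carrying the session cookie can trigger, next to a POST-only handler that also requires the session's CSRF token. It assumes an in-memory session store (`SESSION_STORE`) and plain Ruby functions standing in for a controller and its routes; the status codes are the ones a Rails app would typically return (405 wrong method, 403 no session, 422 token mismatch, 302 redirect after logout). No framework is required, so it runs offline.

```ruby
require 'securerandom'

# Constructed in-memory session store: session id => { user:, csrf_token: }.
SESSION_STORE = {}

# Create a session and issue it a per-session CSRF token.
def new_session(user)
  sid = SecureRandom.hex(16)
  SESSION_STORE[sid] = { user: user, csrf_token: SecureRandom.hex(32) }
  sid
end

def logged_in?(sid)
  SESSION_STORE.key?(sid)
end

# Token the server embeds in its own logout form (hidden field or meta tag).
def csrf_token_for(sid)
  SESSION_STORE.fetch(sid)[:csrf_token]
end

# Vulnerable pattern from the issue: logout is a GET. The browser attaches the
# session cookie to any GET it is induced to make (for example an image tag on
# a third-party page), so the session is ended without the user's intent.
def handle_logout_get(method, sid)
  return 405 unless method == 'GET'
  SESSION_STORE.delete(sid)
  302
end

# Compare two strings without short-circuiting on the first mismatch, so
# timing does not reveal how many leading bytes of the token were right.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened pattern: POST only, and the submitted token must match the token
# stored in the session. A third-party page cannot read that token, so it
# cannot forge a valid logout request even though the cookie is still sent.
def handle_logout_post(method, sid, submitted_token)
  return 405 unless method == 'POST'
  return 403 unless logged_in?(sid)
  return 422 unless constant_time_equal?(csrf_token_for(sid), submitted_token)
  SESSION_STORE.delete(sid)
  302
end

if __FILE__ == $0
  sid = new_session('alice')
  puts "GET logout, no token:   #{handle_logout_get('GET', sid)} logged_in=#{logged_in?(sid)}"
  sid = new_session('alice')
  puts "POST logout, bad token: #{handle_logout_post('POST', sid, 'forged')} logged_in=#{logged_in?(sid)}"
  puts "POST logout, own token: #{handle_logout_post('POST', sid, csrf_token_for(sid))} logged_in=#{logged_in?(sid)}"
end
```

In a Rails theme the equivalent of the hardened handler is a `button_to` (or a form with `method: :post`) pointing at the logout route, which emits the hidden `authenticity_token` field automatically; a plain `link_to` to a GET route is the pattern the issue is asking to retire.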