Oomb

Results 4 comments of Oomb

Hey @jackycute, let me put forward the issue in a clearer way. Say that a legitimate user is logged on to their account, and they visit a malicious page at...

> Also, there is no way we can add CSRF for HTTP GET method. You could add a CSRF token to the link before download is initiated. The download link...

Yeah. You are right. That would be a good fix for this. Can you consider marking this disclosure verified [here](https://huntr.dev/bounties/1-other-hackmdio/codimd/) as well? /cc @JamieSlome

I have updated the write-up as well as the CVSS score. Please let me know if you would like to suggest any changes. Thanks.