The AJAX bin clearing uses neither a token nor a confirmation step to protect against CSRF.

menu definition

callback definition

Some CSRF protection is necessary to prevent an attacker from clearing all bins.
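As an added illustration (not the module's code or its actual fix; Drupal 7's hook_menu API is assumed, and the module name `mymodule` and its paths are hypothetical), the weak menu definition beside one whose access callback binds the AJAX request to a session token:

```php
// Added example, not the module's code or fix. Assumes Drupal 7; the module
// name 'mymodule' and its paths are hypothetical.

// Implements hook_menu().
function mymodule_menu() {
  // Weak: a permission check alone is satisfied by the admin's session
  // cookie, which the browser attaches to a cross-site GET automatically.
  $items['mymodule/clear-bin-weak/%'] = array(
    'page callback' => 'mymodule_clear_bin',
    'page arguments' => array(2),
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  );
  // Hardened: the access callback also demands a session-bound token that
  // covers the bin name, so a request forged from another origin fails.
  $items['mymodule/clear-bin/%'] = array(
    'page callback' => 'mymodule_clear_bin',
    'page arguments' => array(2),
    'access callback' => 'mymodule_clear_bin_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Access callback: permission plus a per-session CSRF token bound to $bin.
function mymodule_clear_bin_access($bin) {
  return user_access('administer site configuration')
    && isset($_GET['token'])
    && drupal_valid_token($_GET['token'], 'mymodule-clear-' . $bin);
}

// Page callback: wipes every entry in the named bin and answers with JSON.
function mymodule_clear_bin($bin) {
  cache_clear_all('*', $bin, TRUE);
  drupal_json_output(array('cleared' => $bin));
  drupal_exit();
}

// Builds the AJAX URL the admin UI emits; its token must match the access check.
function mymodule_clear_bin_url($bin) {
  return url('mymodule/clear-bin/' . $bin, array(
    'query' => array('token' => drupal_get_token('mymodule-clear-' . $bin)),
  ));
}
```

Because `drupal_get_token()` is derived from the current session and the site's private key, a page on another origin cannot compute the value, so a forged request fails the access callback with 403 before the bin is touched.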

Comments


Status: Active » Fixed

Thanks for your report, fixed (bd8d3bf).

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.