Problem/Motivation
This was submitted as a security report; the security team determined that it can be fixed in public.
update.php has no CSRF protection, so if there are pending updates and an attacker can trick a user with access into loading a link, they can get that user to run the updates.
The window for this would be very short, because pending updates should be run immediately anyway, but it's a theoretical possibility.
The actual update.php page isn't the problem; it's the batch handling, which uses the same URL, and it's this that could use a CSRF token.
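A stand-alone model of the proposed fix, added here as an example and not Drupal's own code: the batch URL gets a token bound to the user's session and the batch id, and the handler runs the updates only when the token validates. The session seed, the `/update.php?op=do&id=` URL shape and the update names are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


def new_session() -> dict:
    # Constructed stand-in for a per-session secret; Drupal derives its tokens
    # from the session and the site's private key, here a random seed does that.
    return {"csrf_seed": secrets.token_bytes(32)}


def csrf_token(session: dict, value: str) -> str:
    # HMAC over a value that names the action, so a token issued for one
    # batch cannot be replayed against another.
    return hmac.new(session["csrf_seed"], value.encode(), hashlib.sha256).hexdigest()


def batch_link(session: dict, batch_id: int) -> str:
    # The link the update UI would render for this session: batch id plus token.
    token = csrf_token(session, f"batch:{batch_id}")
    return f"/update.php?op=do&id={batch_id}&token={token}"


def handle_batch_request(session: dict, url: str, pending: list) -> str:
    """Server side of the batch URL. Runs (clears) the pending updates only
    when the request carries a valid token for this session and batch id."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    if parts.path != "/update.php" or qs.get("op") != ["do"]:
        return "not a batch request"
    batch_id = qs.get("id", [""])[0]
    token = qs.get("token", [""])[0]
    expected = csrf_token(session, f"batch:{batch_id}")
    # Constant-time comparison; a plain == would leak the token byte by byte.
    if not hmac.compare_digest(expected, token):
        return "rejected: missing or invalid token"
    ran = list(pending)
    pending.clear()
    return f"ran {len(ran)} update(s)"


if __name__ == "__main__":
    user = new_session()
    pending = ["update_a", "update_b"]  # constructed placeholder update names
    # A link that merely guesses the batch URL has no valid token and is refused.
    print(handle_batch_request(user, "/update.php?op=do&id=17", pending))
    # The link the site rendered for this session carries the right token.
    print(handle_batch_request(user, batch_link(user, 17), pending))
```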
Steps to reproduce
Proposed resolution
Remaining tasks
User interface changes
Introduced terminology
API changes
Data model changes
Release notes snippet
Comments