HackerOne Disclosed Reports - 2025-10-10


Low
resolved

CSRF allowing unauthorized modification of user Notes on ███████


Bug reported by Mahmoud Khaled was disclosed on October 10, 2025, 6:37 pm   |   Cross-Site Request Forgery (CSRF)

A CSRF vulnerability was discovered that allowed unauthorized modification of user notes. The vulnerability was present in the endpoint that handled saving the notes. The endpoint did not implement proper CSRF protection, allowing an attacker to craft a malicious link that could be used to modify or delete the victim's notes. The complexity of the attack was that the attacker needed to be a member of the same organization as the victim in order to obtain the victim's correct ID, which was required to carry out the attack.


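As an added illustration (not code from the report, the program or the reporter), a minimal note-saving handler showing the checks the vulnerable endpoint lacked: state changes only over POST, an Origin/Referer check, a per-session CSRF token compared in constant time, and note ownership taken from the session rather than from a caller-supplied user ID. The site origin, request shape and session layout are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed assumption: the notes application's own origin.
SITE_ORIGIN = "https://notes.example.test"


def new_session(user_id):
    """Create a server-side session with a fresh per-session CSRF token."""
    return {"user_id": user_id, "csrf_token": secrets.token_urlsafe(32), "notes": {}}


def _same_origin(request):
    """True only if the browser-set Origin (or Referer) matches our site."""
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False  # no provenance header: treat as cross-site
    parsed = urlparse(origin)  # "null" or garbage parses to an empty netloc
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def save_note(request, session):
    """Return (status, message); only a same-site, token-bearing POST saves."""
    if request["method"] != "POST":
        # A plain link (GET) can never change state, so a malicious link fails here.
        return 405, "state change requires POST"
    if not _same_origin(request):
        return 403, "cross-site origin rejected"
    sent = request["form"].get("csrf_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    # Ownership comes from the session; the request cannot name another user's notes.
    note_id = request["form"]["note_id"]
    session["notes"][note_id] = request["form"].get("body", "")
    return 200, "saved"
```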

Messages In This Thread
HackerOne disclosed reports - 2025-10-10 - by hashXploiter - 10-11-2025, 12:30 PM


