SYM_PY_0129 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Cross-Site Request Forgery (CSRF)
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Explicitly setting `WTF_CSRF_ENABLED` to `False` in a Flask application's configuration turns off the CSRF protection provided by Flask-WTF: both the `csrf_token` validation performed by `FlaskForm` and the request-level checks of the `CSRFProtect` extension honour this flag, so every form and state-changing endpoint is left without a CSRF check. The setting is commonly switched off to simplify automated tests; when the same value reaches a production configuration, users are no longer protected against actions triggered on their behalf by a malicious website.
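As an added example (not part of the original wiki entry or of any SymbioticSec tooling), the following stdlib-only scanner shows how this rule can be detected in source: it parses Python with `ast` and reports every place `WTF_CSRF_ENABLED` is assigned the literal `False`, whether through `app.config[...] = False`, `app.config.update(WTF_CSRF_ENABLED=False)`, a dict literal, or a plain assignment inside a config class. The sample Flask sources (`VULNERABLE_APP`, `HARDENED_APP`, `CONFIG_CLASS`) are constructed for the demonstration, and the function and class names are the example's own. It assumes Python 3.9 or newer.

```python
import ast
from dataclasses import dataclass

CSRF_KEY = "WTF_CSRF_ENABLED"  # Flask-WTF setting that globally enables/disables CSRF checks


@dataclass
class Finding:
    line: int
    snippet: str


def _is_false(node: ast.AST) -> bool:
    # Only the literal False is flagged; a variable could be True at runtime.
    return isinstance(node, ast.Constant) and node.value is False


def _is_csrf_key(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value == CSRF_KEY


def find_csrf_disabled(source: str) -> list[Finding]:
    """Return every location in `source` where WTF_CSRF_ENABLED is set to False."""
    tree = ast.parse(source)
    findings: list[Finding] = []

    def record(node: ast.AST) -> None:
        findings.append(Finding(node.lineno, ast.get_source_segment(source, node) or ""))

    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                # app.config["WTF_CSRF_ENABLED"] = False
                if isinstance(target, ast.Subscript) and _is_csrf_key(target.slice):
                    if _is_false(node.value):
                        record(node)
                # WTF_CSRF_ENABLED = False   (settings module or config class body)
                elif isinstance(target, ast.Name) and target.id == CSRF_KEY:
                    if _is_false(node.value):
                        record(node)
                # app.config.WTF_CSRF_ENABLED = False   (attribute-style config objects)
                elif isinstance(target, ast.Attribute) and target.attr == CSRF_KEY:
                    if _is_false(node.value):
                        record(node)
        elif isinstance(node, ast.Call):
            # app.config.update(WTF_CSRF_ENABLED=False) / dict(WTF_CSRF_ENABLED=False)
            for kw in node.keywords:
                if kw.arg == CSRF_KEY and _is_false(kw.value):
                    record(node)
        elif isinstance(node, ast.Dict):
            # {"WTF_CSRF_ENABLED": False} passed to from_mapping()/update()
            for key, value in zip(node.keys, node.values):
                if key is not None and _is_csrf_key(key) and _is_false(value):
                    record(node)
    return findings


# Constructed sample: the weak configuration (two separate ways of disabling the check).
VULNERABLE_APP = """\
from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
app.config["SECRET_KEY"] = "dev"
app.config["WTF_CSRF_ENABLED"] = False
csrf = CSRFProtect(app)
app.config.update(WTF_CSRF_ENABLED=False)
"""

# Constructed sample: the corrected configuration. True is also Flask-WTF's default,
# so simply deleting the line is equivalent.
HARDENED_APP = """\
from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
app.config["SECRET_KEY"] = "dev"
app.config["WTF_CSRF_ENABLED"] = True
csrf = CSRFProtect(app)
"""

# Constructed sample: a test-only config class; flagged so a reviewer can confirm it
# is never loaded in production.
CONFIG_CLASS = """\
class TestingConfig:
    WTF_CSRF_ENABLED = False
    TESTING = True
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_APP), ("hardened", HARDENED_APP), ("config class", CONFIG_CLASS)]:
        for f in find_csrf_disabled(src):
            print(f"[{name}] line {f.line}: {f.snippet}")
```

The scanner deliberately reports only literal `False` values, which matches the low confidence level of this rule: a value that is computed at runtime, or a `False` inside a config class that is only used by the test suite, needs a human to decide whether it ever reaches production.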
Impact
With CSRF protection disabled, an attacker who lures an authenticated user to a page they control can have that page submit state-changing requests (changing an e-mail address or password, making a transaction, granting a privilege) to the application; the browser attaches the victim's session cookie automatically, so the request is processed as if the user had made it. The result can be account takeover, unauthorized changes to application data, and loss of user trust. SameSite cookie attributes reduce the exposure in modern browsers but are not a substitute for the per-request token check that this setting removes.