SYM_PY_0182 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Cross-Site Request Forgery (CSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-352: Cross-Site Request Forgery (CSRF) |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Applying the @csrf_exempt decorator to a Django view turns off the check performed by CsrfViewMiddleware for that route, leaving it open to cross-site request forgery. Requests to the endpoint are accepted without a valid CSRF token, so a page on any other origin can cause a logged-in user's browser to submit a state-changing request that carries the user's session cookie.
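One way to find views that opt out of the check before they reach production is a small static scan over the project's Python sources. The following is an added example, not code from the Symbiotic database or from Django; it uses only the standard library `ast` module and a constructed sample module, and it also catches the class-based `@method_decorator(csrf_exempt, ...)` form and call-site wrapping such as `csrf_exempt(view)` in `urls.py`, which the description above does not mention.

```python
import ast

# Constructed sample of a Django views module (not code from the page).
# It is only parsed, never executed, so the undefined names are harmless.
SAMPLE_SOURCE = '''
from django.views.decorators.csrf import csrf_exempt
from django.utils.decorators import method_decorator

@csrf_exempt
def update_email(request):
    # state-changing yet exempt: a cross-site form post is accepted
    return JsonResponse({"ok": True})

@method_decorator(csrf_exempt, name="dispatch")
class TransferView(View):
    def post(self, request):
        return JsonResponse({"ok": True})

def safe_view(request):
    # no decorator: CsrfViewMiddleware still checks the token
    return JsonResponse({"ok": True})

wrapped = csrf_exempt(safe_view)
'''

def _is_csrf_exempt(node):
    """True for the name `csrf_exempt` or a dotted `x.csrf_exempt`."""
    return (isinstance(node, ast.Name) and node.id == "csrf_exempt") or (
        isinstance(node, ast.Attribute) and node.attr == "csrf_exempt")

def _decorator_exempts(dec):
    """Match `@csrf_exempt` and `@method_decorator(csrf_exempt, ...)`."""
    if _is_csrf_exempt(dec):
        return True
    if isinstance(dec, ast.Call) and isinstance(dec.func, ast.Name) \
            and dec.func.id == "method_decorator":
        return any(_is_csrf_exempt(a) for a in dec.args)
    return False

def find_csrf_exempt_views(source):
    """Return sorted (line, name) pairs for views that disable CSRF checks."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            if any(_decorator_exempts(d) for d in node.decorator_list):
                findings.append((node.lineno, node.name))
        elif isinstance(node, ast.Call) and _is_csrf_exempt(node.func) and node.args:
            # call-site wrapping such as csrf_exempt(view) in urls.py
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return sorted(findings)
```

Each finding should be reviewed by hand: a view that genuinely has to skip the token check (for example a webhook receiver) needs another defence, such as signature verification, and the rest should simply drop the decorator so the middleware applies again.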
Impact
If exploited, an attacker could trick users into performing unwanted actions, such as changing account details or extracting sensitive data, by submitting forged requests on their behalf, potentially leading to unauthorized access or data breaches.