- Issue created by @HitchShock
On our client's site, after an audit by "CERT-EU - CERT for the EU institutions, bodies, and agencies", we received a report that the like_and_dislike.vote route must be protected against CSRF.
The main argument here is: "since an attacker can make you click on a button/link on another website while you are logged into the site".
So we request a review from the Drupal security team to approve/disapprove that it must be fixed.
Places where the route is used:
Status: Active
Version: 2.0
Component: Code
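What the CERT-EU finding asks for, shown as an added example rather than the Like & Dislike module's actual routing file: a state-changing route that only checks a permission, beside the same route with Drupal core's CSRF access check turned on. The route name `like_and_dislike.vote` is from the report; the path, the route parameters, the controller class and the permission string are assumptions for illustration. The `_csrf_token` and `_csrf_request_header_token` requirements are core's own mechanism (handled by `CsrfAccessCheck` and `CsrfRequestHeaderAccessCheck`), not something the module would have to implement.

```yaml
# Constructed example, not the module's real routing.yml. Path, parameters,
# controller and permission name are assumed; the route name comes from the
# report. The two definitions are separate YAML documents so the file parses.

# BEFORE: any GET request carrying valid parameters casts a vote on behalf of
# whoever is logged in. A page on another origin can embed this URL in an
# <img> tag, a link or an auto-submitting form, and the browser attaches the
# victim's session cookie. The permission check does not help: the victim has it.
like_and_dislike.vote:
  path: '/like_and_dislike/{entity_type_id}/{vote_type_id}/{entity_id}'
  defaults:
    _controller: '\Drupal\like_and_dislike\Controller\VoteController::vote'
  requirements:
    _permission: 'add or remove like votes on entities'
---
# AFTER: the same route with core's CSRF access check. The request is rejected
# (403) unless its `token` query parameter validates against the current
# session and this route's path. Another origin cannot read that token, so it
# cannot forge a valid URL.
like_and_dislike.vote:
  path: '/like_and_dislike/{entity_type_id}/{vote_type_id}/{entity_id}'
  defaults:
    _controller: '\Drupal\like_and_dislike\Controller\VoteController::vote'
  requirements:
    _permission: 'add or remove like votes on entities'
    _csrf_token: 'TRUE'
---
# Variant for a route called from JavaScript that sends the token in a header
# instead of the query string: core validates the X-CSRF-Token request header,
# whose value the client fetches from /session/token.
like_and_dislike.vote_ajax:
  path: '/like_and_dislike/ajax/{entity_type_id}/{vote_type_id}/{entity_id}'
  defaults:
    _controller: '\Drupal\like_and_dislike\Controller\VoteController::vote'
  requirements:
    _permission: 'add or remove like votes on entities'
    _csrf_request_header_token: 'TRUE'
```

Two things follow from adding the requirement. First, every place that builds the vote URL must go through the routing system, for example `Url::fromRoute('like_and_dislike.vote', [...])`: core's outbound route processor (`RouteProcessorCsrf`) appends the `token` query parameter to URLs generated that way, while a URL assembled by string concatenation will now get a 403. Second, the token is bound to the session, so it must not be baked into a page that is cached for all users; links generated through `Url` carry the cacheability metadata that lets core fill the token in per request. A quick check that the fix is in place is to request the vote URL with a valid session cookie but no `token` parameter and confirm the response is 403 rather than a counted vote.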