- Issue created by @prudloff
The basicshib.logout route is vulnerable to CSRF attacks.
If an attacker can insert this kind of HTML in a page:
`<img src="http://example.com/basicshib/logout">`
Any user that displays the page will be logged out without a confirmation.
The route should probably have the `_csrf_token` requirement: https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...
Active
3.0
Documentation
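An added example of the fix the issue proposes, not taken from the basicshib project: the same `basicshib.logout` route before and after adding the `_csrf_token` requirement, so a request without a valid per-session token is refused (the controller class and the `_user_is_logged_in` requirement are assumptions).

```yaml
# basicshib.routing.yml (illustrative; controller class is an assumption)

# Before: any plain GET to /basicshib/logout ends the session, so a page that
# embeds <img src="http://example.com/basicshib/logout"> logs the visitor out.
basicshib.logout:
  path: '/basicshib/logout'
  defaults:
    _controller: '\Drupal\basicshib\Controller\LogoutController::logout'
    _title: 'Log out'
  requirements:
    _user_is_logged_in: 'TRUE'

---
# After: core's CsrfAccessCheck now also requires a ?token=... query parameter
# that validates for this path and session; a request without it gets a 403.
# Links built with Url::fromRoute('basicshib.logout') get the token appended
# automatically by RouteProcessorCsrf, so in-site logout links keep working
# while a cross-site <img> or <a> cannot supply a valid token.
basicshib.logout:
  path: '/basicshib/logout'
  defaults:
    _controller: '\Drupal\basicshib\Controller\LogoutController::logout'
    _title: 'Log out'
  requirements:
    _user_is_logged_in: 'TRUE'
    _csrf_token: 'TRUE'
```

This mirrors Drupal core's own `user.logout` route, which carries the same `_csrf_token: 'TRUE'` requirement; after the change, hard-coded links to `/basicshib/logout` in templates or menus must be regenerated through the URL generator so they include the token.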