1 comment

[ 2.5 ms ] story [ 12.6 ms ] thread
> Although the page does provide an authenticity token aimed at preventing CSRF, it does not seem to validate that the token is correct, and therefore, we can enter any value.

That is just damning. No way should that have been overlooked