https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38797 Bug ID: 38797 Summary: CSRF Token Not Validated in Koha v24.05 Change sponsored?: --- Product: Koha Version: 24.05 Hardware: All OS: All Status: NEW Severity: critical Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: amar@ourlib.in QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com Created attachment 175986 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=175986&action=edit Removed csrf token and subitted form, still patron created successfully In Koha version 24.05, CSRF tokens are not validated during insert or update operations (e.g., creating a new patron). Even when the CSRF token is removed or invalid, Koha still processes the request and creates the new patron. Koha Version: 24.05 Steps to Reproduce: Navigate to the patron creation form in Koha. Remove the CSRF token from the input and meta tags. Submit the form to create a new patron. The new patron is created successfully, despite the missing or invalid CSRF token. Comparison with Koha v24.11: In Koha v24.11, the same test results in an error for an invalid CSRF token, which indicates proper validation. Koha v24.05 does not validate CSRF tokens correctly, potentially exposing the system to CSRF attacks. Please see attached files for additional details. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.