User deletion caused by CSRF

CSRF exists in the background (administrator) to delete users:
The backend only cares about the values of the parameters' deleteuserids' and 'updateuserids'
So the attacker only needs to know the user's ID to construct a malicious link to complete the intrusion
The following is a normal request packet for deleting user operations。
![image](https://user-images.githubusercontent.com/42021243/68638496-b28d4200-053c-11ea-9896-f7db80fce32b.png)
I use this request package to construct a malicious html interface and only add the required parameters.
![image](https://user-images.githubusercontent.com/42021243/68638817-b2417680-053d-11ea-985f-7b9b2a8e86c7.png)
When a user with administrative rights clicks on this malicious link, the user (id=3) is successfully deleted.
![image](https://user-images.githubusercontent.com/42021243/68639064-57f4e580-053e-11ea-8a17-f9562318304b.png)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

User deletion caused by CSRF #13

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

User deletion caused by CSRF #13

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions