🔒 N°1795 prevent CSRF on dashboard import

2026-04-22 01:58:47 +02:00 · 2018-11-26 15:17:53 +01:00
parent d5568afc68
commit 0f20f9ca5d
3 changed files with 10 additions and 2 deletions
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -1190,6 +1190,11 @@ EOF
 			break;

 		case 'import_dashboard':
+			$sTransactionId = utils::ReadParam('transaction_id', '', false, 'raw_data');
+			if (!utils::IsTransactionValid($sTransactionId, true))
+			{
+				throw new SecurityException('ajax.render.php import_dashboard : invalid transaction_id');
+			}
 			$sMenuId = utils::ReadParam('id', '', false, 'raw_data');
 			ApplicationMenu::LoadAdditionalMenus();
 			$index = ApplicationMenu::GetMenuIndexById($sMenuId);