Critical Vulnerability Information

Product and Version
Product: QloApps
Tested Version: 1.7.0

CWE IDs
CWE-639: Authorization Bypass Through User-Controlled Key
CWE-352: Cross-Site Request Forgery (CSRF)

Description
QloApps uses a token parameter ( ) in its logout functionality to prevent CSRF attacks. However, this implementation has the following flaws:

1. CSRF token exposed in the URL
   - Example URL:
   - Since the token is included in the URL, it may be leaked through browser history, server logs, Referer headers, and third-party analytics scripts.
2. Token is reusable
   - The token can be reused across multiple requests and does not expire after a single use.

These weaknesses allow attackers to repeatedly force user logouts and potentially bypass CSRF protections in other sensitive operations.

Proof of Concept (PoC)
1. Log in to the QloApps demo site.
2. Capture the logout request.
3. Observe that the response includes the token in the URL, making it visible to logs and third-party trackers.
4. Replay the same request multiple times in Burp Suite.
5. The server consistently returns and accepts the same token.

This demonstrates that the token is both exposed and reusable.

Security Impact
Attackers can repeatedly terminate user sessions via malicious links or hidden images:
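The two weaknesses in the report (a static, reusable token carried in the URL and accepted on GET) are easiest to see next to the fixed pattern. The following Python is an added example written for this page, not QloApps code: it models a logout handler with the reported weak behaviour beside a hardened one that mints a single-use, expiring token per request, binds it to the session, and only accepts it from a POST body. It also includes a small scanner for access-log lines that flags requests carrying the token in the query string, the exposure path the report describes. The parameter name `token`, the server secret and the log lines are all constructed assumptions, since the report itself leaves the parameter name and example URL blank.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder secret and in-memory session store for the demo;
# a real application would use its own secret and server-side session storage.
SERVER_SECRET = b"CONSTRUCTED-DEMO-SECRET"
SESSIONS = {}


def new_session(user):
    """Create a server-side session and return its id (stand-in for the session cookie)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "pending": {}}
    return sid


def weak_token(sid):
    """Mirrors the reported weakness: a deterministic per-session token, so the server
    hands out the same value on every request and nothing ever invalidates it."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()[:32]


def weak_logout(sid, method, query):
    """Weak handler: any HTTP method, token read from the URL query string, never consumed.
    Returns True when the logout would be performed."""
    if sid not in SESSIONS:
        return False
    token = query.get("token")   # assumed parameter name; the report leaves it blank
    return token is not None and hmac.compare_digest(token, weak_token(sid))


def issue_token(sid, ttl=300):
    """Hardened: mint a fresh random token, bind it to this session, and give it a lifetime."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["pending"][token] = time.monotonic() + ttl
    return token


def hardened_logout(sid, method, form, now=None):
    """Hardened handler: POST only, token read from the request body, single use, expiring.
    The token is removed from the pending set on first presentation, so a replay fails."""
    if method != "POST":
        return False
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    token = form.get("token")
    if token is None:
        return False
    expiry = sess["pending"].pop(token, None)   # consume: one presentation only
    if expiry is None:
        return False                             # unknown, already used, or another session's token
    now = time.monotonic() if now is None else now
    return now < expiry


def requests_with_url_token(log_lines, param="token"):
    """Detection aid: return request paths from combined-format access-log lines whose
    query string carries the token parameter, i.e. tokens that have landed in logs."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        fields = parts[1].split()        # 'GET /path?query HTTP/1.1'
        if len(fields) < 2:
            continue
        if param in parse_qs(urlsplit(fields[1]).query):
            flagged.append(fields[1])
    return flagged


# Constructed sample log lines (not real QloApps traffic or paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:12:00:00 +0000] "GET /index.php?controller=my-account HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:12:00:05 +0000] "GET /index.php?logout=1&token=CONSTRUCTED_TOKEN HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:12:01:00 +0000] "POST /index.php?logout=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    sid = new_session("alice")
    t = weak_token(sid)
    print("weak replay accepted twice:", weak_logout(sid, "GET", {"token": t}), weak_logout(sid, "GET", {"token": t}))
    h = issue_token(sid)
    print("hardened GET rejected:", not hardened_logout(sid, "GET", {"token": h}))
    print("hardened first POST accepted:", hardened_logout(sid, "POST", {"token": h}))
    print("hardened replay rejected:", not hardened_logout(sid, "POST", {"token": h}))
    print("token-in-URL requests:", requests_with_url_token(SAMPLE_LOG))
```

The hardened handler consumes the token before checking its expiry, so an expired or mismatched presentation still burns it; rejecting GET first means a link or hidden image cannot even reach the consumption step. The log scanner is the defender's counterpart to the report's "visible to logs" finding: running it over existing access logs shows whether tokens have already been written to disk.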