Anyone can run tasks by simply posting to /scheduletask/runtask in Nop4.3

1 year ago
I discovered that anyone can run a task on a site running NopCommerce 4.3 if they know the name of the task.
While some tasks may appear to be harmless, others can be very long-running. The attacker can run tasks at a very high rate and make the site very busy and unresponsive.

The problem is in ScheduleTaskController:
[HttpPost]
[IgnoreAntiforgeryToken]
public virtual IActionResult RunTask(string taskType)
{
...
}
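To make the pattern in the post concrete, here is an added example that is not nopCommerce code and does not reproduce its ScheduleTaskController. It is a minimal ASP.NET Core (.NET 6) application with two actions: a weak "run task by name" endpoint that any client can hit, beside a hardened one for an endpoint that only the application's own scheduler is supposed to call. Every name in it (TaskRunnerController, ITaskRegistry, the X-Task-Secret header, the TaskRunner:Secret configuration key, the Example.SlowTask sample task) is hypothetical.

```csharp
// Added example, not nopCommerce code. Minimal ASP.NET Core (.NET 6) app that
// contrasts an unauthenticated "run task by name" endpoint with a hardened one.
// All names here are hypothetical. Create a project with `dotnet new web`,
// replace Program.cs with this file, then `dotnet run`.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddSingleton<ITaskRegistry, InMemoryTaskRegistry>();
var app = builder.Build();
app.MapControllers();
app.Run();

public interface ITaskRegistry
{
    // Returns the task registered under taskType, or null if there is none.
    Action? Find(string taskType);
}

public class InMemoryTaskRegistry : ITaskRegistry
{
    // Constructed sample task: deliberately slow, standing in for a long-running job.
    private readonly Dictionary<string, Action> _tasks = new()
    {
        ["Example.SlowTask"] = () => Thread.Sleep(TimeSpan.FromSeconds(5)),
    };

    public Action? Find(string taskType) =>
        _tasks.TryGetValue(taskType ?? "", out var task) ? task : null;
}

[ApiController]
[Route("scheduletask")]
public class TaskRunnerController : ControllerBase
{
    // One entry per task currently executing; static so it is shared across
    // controller instances (controllers are created per request).
    private static readonly ConcurrentDictionary<string, byte> Running = new();

    private readonly ITaskRegistry _tasks;
    private readonly byte[] _secret;

    public TaskRunnerController(ITaskRegistry tasks, IConfiguration config)
    {
        _tasks = tasks;
        // Hypothetical config key; set it to a long random value, for example with
        // `dotnet user-secrets set TaskRunner:Secret <value>`.
        _secret = Encoding.UTF8.GetBytes(config["TaskRunner:Secret"] ?? "");
    }

    // Weak form: anyone who knows the task name can trigger it, as often as they
    // like. No antiforgery token, no authorization, no concurrency guard.
    [HttpPost("runtask-weak")]
    [IgnoreAntiforgeryToken]
    public IActionResult RunTaskWeak(string taskType)
    {
        var task = _tasks.Find(taskType);
        if (task == null) return NotFound();
        task();
        return NoContent();
    }

    // Hardened form for an endpoint only the app's own scheduler should call:
    // require a loopback source address, a shared secret compared in constant
    // time, and refuse a second concurrent run of the same task.
    [HttpPost("runtask")]
    [IgnoreAntiforgeryToken]
    public IActionResult RunTask(string taskType)
    {
        var remote = HttpContext.Connection.RemoteIpAddress;
        if (remote == null || !IPAddress.IsLoopback(remote))
            return StatusCode(StatusCodes.Status403Forbidden);

        if (!Request.Headers.TryGetValue("X-Task-Secret", out var presented))
            return Unauthorized();
        var presentedBytes = Encoding.UTF8.GetBytes(presented.ToString());
        // FixedTimeEquals returns false on a length mismatch without leaking timing;
        // an empty configured secret is treated as "no secret configured" and rejected.
        if (_secret.Length == 0 || !CryptographicOperations.FixedTimeEquals(_secret, presentedBytes))
            return Unauthorized();

        var task = _tasks.Find(taskType);
        if (task == null) return NotFound();

        if (!Running.TryAdd(taskType, 0))
            return Conflict("task already running");
        try { task(); }
        finally { Running.TryRemove(taskType, out _); }
        return NoContent();
    }
}
```

With the app running locally, `curl -X POST "http://localhost:5000/scheduletask/runtask-weak?taskType=Example.SlowTask"` succeeds from any client, while the same request to `/scheduletask/runtask` is rejected unless it arrives from 127.0.0.1/::1 with a matching `X-Task-Secret` header, and a second request for the same task while one is still executing gets 409. Two caveats: `[IgnoreAntiforgeryToken]` is kept on the hardened action because the scheduler has no browser session and the shared secret takes the antiforgery token's place, so the secret check is what protects the endpoint; and behind a reverse proxy `RemoteIpAddress` is the proxy's address unless forwarded-headers middleware is configured, in which case the loopback check alone would wrongly pass or fail and the secret must be relied on.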
2 weeks ago
Did you find a resolution to this?
2 weeks ago
That's not true, because we perform appropriate validation. Please check here.