February 3, 2021

GHSL-2020-147: Cross-Site Request Forgery (CSRF) in Sustainsys/Saml2

Jaroslav Lobacevski

Coordinated Disclosure Timeline


Saml2 is vulnerable to a Cross-Site Request Forgery (CSRF) that may lead to a per-user denial of service (DoS).



Tested Version

The develop branch.


Issue: CSRF (CVE-2018-0785)

The application doesn’t have a fix for CVE-2018-0785 that was found in ASP.NET Core templates. It is vulnerable to CSRF. A logged-in user with enabled Second Factor Authentication (2FA) may lose their recovery codes if they are tricked into clicking a link like https://localhost:44315/manage/GenerateRecoveryCodes or visit a malicious site that makes the request without the user’s consent. As a result the user may be permanently locked out of their account after losing access to their 2FA device, as the initial recovery codes would no longer be valid.


This issue may lead to a per-user DoS.
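The pattern described above, next to a hardened form, as an added example that is not code from Sustainsys/Saml2 or from the advisory. The controller and action names other than `GenerateRecoveryCodes`, the use of `IdentityUser`, and the recovery-code count of 10 are assumptions; the framework calls are standard ASP.NET Core Identity and MVC APIs.

```csharp
// Added illustration: class names and the warning action are hypothetical.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// BEFORE: a GET request changes state. Any cross-site navigation or embedded
// resource that reaches this URL with the user's session cookie replaces the
// stored recovery codes, which invalidates the ones the user saved.
[Authorize]
public class VulnerableManageController : Controller
{
    private readonly UserManager<IdentityUser> _users;
    public VulnerableManageController(UserManager<IdentityUser> users) => _users = users;

    [HttpGet]
    public async Task<IActionResult> GenerateRecoveryCodes()
    {
        var user = await _users.GetUserAsync(User);
        if (user == null) return NotFound();
        var codes = await _users.GenerateNewTwoFactorRecoveryCodesAsync(user, 10);
        return View(codes.ToArray());
    }
}

// AFTER: GET only renders a confirmation page; regeneration requires a POST
// that carries a valid antiforgery token, which a third-party site cannot supply.
[Authorize]
public class HardenedManageController : Controller
{
    private readonly UserManager<IdentityUser> _users;
    public HardenedManageController(UserManager<IdentityUser> users) => _users = users;

    [HttpGet]
    public IActionResult GenerateRecoveryCodesWarning() => View();

    [HttpPost]
    [ValidateAntiForgeryToken] // rejects requests without a matching token
    public async Task<IActionResult> GenerateRecoveryCodes()
    {
        var user = await _users.GetUserAsync(User);
        if (user == null) return NotFound();
        if (!user.TwoFactorEnabled) return BadRequest();
        var codes = await _users.GenerateNewTwoFactorRecoveryCodesAsync(user, 10);
        return View(codes.ToArray());
    }
}
```

The confirmation view must post its form with the antiforgery token included, for example through the form tag helper or `@Html.AntiForgeryToken()`.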


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-147 in any communication regarding this issue.