Hireflow · Hireflow · CVE-2026-38566
**Name of the Vulnerable Software and Affected Versions**
HireFlow version 1.2
**Description**
The software does not validate Cross-Site Request Forgery (CSRF) tokens on state-changing POST endpoints. An attacker who lures an authenticated user to a malicious page can therefore have the victim's browser submit requests that perform unauthorized actions, such as changing passwords, deleting records, or injecting arbitrary data. The `SESSION_COOKIE_SAMESITE` attribute is also not configured, so the browser-level defense that a `SameSite` session cookie would provide against CSRF is absent. Affected endpoints include:
- `/profile` (password change)
- `/candidates/delete/<id>` (candidate deletion)
- `/feedback/add/<id>` (feedback submission)
- `/interviews/add` (interview scheduling)
**Recommendations**
Implement CSRF token validation for all state-changing POST endpoints.
Configure the `SESSION_COOKIE_SAMESITE` attribute so that the browser withholds the session cookie on cross-site requests, restoring browser-level CSRF protection.
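The following is an added example illustrating both recommendations; it is not HireFlow's code and the session store, request model, user table and handler names are constructed for the demonstration. It shows the vulnerable handler pattern the advisory describes beside a hardened version that checks a per-session synchronizer token, a model of how a `SameSite` session cookie changes what reaches the server on a cross-site POST, and the `Set-Cookie` header the application should emit.

```python
"""CSRF defenses for state-changing POST handlers (constructed example).

Stdlib only. Session, Request, USERS and the handlers are stand-ins, not
HireFlow's implementation.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional

USERS = {"alice": "old-password"}  # constructed user store


@dataclass
class Session:
    """Server-side session. The CSRF token is bound to the session so a
    page on another origin cannot learn it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model: method, form fields, and the session resolved
    from the cookie (None if the browser sent no session cookie)."""
    method: str
    form: dict
    session: Optional[Session]


def validate_csrf(session: Session, form: dict) -> bool:
    """Accept only if the form carries the token bound to this session.
    compare_digest avoids leaking the token through timing differences."""
    submitted = form.get("csrf_token", "")
    return bool(submitted) and hmac.compare_digest(session.csrf_token, submitted)


def change_password_vulnerable(req: Request) -> int:
    """Pattern from the advisory: any POST that arrives with a valid session
    cookie is honoured, regardless of which site built the form."""
    if req.method != "POST" or req.session is None:
        return 403
    USERS[req.session.user] = req.form["new_password"]
    return 200


def change_password_fixed(req: Request) -> int:
    """Hardened handler: identical logic, but the request must also carry
    the per-session CSRF token."""
    if req.method != "POST" or req.session is None:
        return 403
    if not validate_csrf(req.session, req.form):
        return 403
    USERS[req.session.user] = req.form["new_password"]
    return 200


def browser_attaches_cookie(samesite: Optional[str], cross_site_post: bool) -> bool:
    """Model of SameSite semantics for a top-level cross-site POST, the CSRF
    case: Lax and Strict withhold the cookie, None sends it. An unset
    attribute is treated like None here (Chromium defaults unset to Lax,
    other browsers do not). Same-site requests always carry the cookie."""
    if not cross_site_post:
        return True
    return (samesite or "None").lower() == "none"


def session_cookie_header(session_id: str, samesite: str = "Lax") -> str:
    """Set-Cookie header the app should emit: SameSite plus HttpOnly and
    Secure (what Flask's SESSION_COOKIE_SAMESITE / _HTTPONLY / _SECURE do)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["samesite"] = samesite
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def simulate_cross_site_post(handler, samesite: Optional[str]):
    """Regression check for the advisory's scenario: a POST built on another
    site carries no CSRF token and reaches the handler with a session only
    if the browser attached the cookie. Returns (status, stored password)."""
    USERS["alice"] = "old-password"
    session = Session(user="alice")
    sent = browser_attaches_cookie(samesite, cross_site_post=True)
    req = Request("POST", {"new_password": "attacker-chosen"}, session if sent else None)
    return handler(req), USERS["alice"]


if __name__ == "__main__":
    print("vulnerable, no SameSite:", simulate_cross_site_post(change_password_vulnerable, None))
    print("vulnerable, SameSite=Lax:", simulate_cross_site_post(change_password_vulnerable, "Lax"))
    print("fixed, no SameSite:", simulate_cross_site_post(change_password_fixed, None))
    print(session_cookie_header("constructed-session-id"))
```

In a Flask application the cookie attribute is set with `app.config["SESSION_COOKIE_SAMESITE"] = "Lax"` (or `"Strict"`), and the token check belongs in every handler that changes state, or in a `before_request` hook keyed on the method. The two controls are complementary: the token check protects even when a browser sends the cookie, and the `SameSite` attribute stops most forged requests before they reach the application at all.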