Add the validation of the CSRF token. It is missing in some cases when it is sent by GET or POST.

web/add/cron/autoupdate/index.php

@@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var);
     $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');

web/add/cron/reports/index.php

@@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled');
 unset($output);

web/add/firewall/banlist/index.php

@@ -15,6 +15,12 @@ if ($_SESSION['user'] != 'admin') {
 // Check POST request
 if (!empty($_POST['ok'])) {
 
+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
     // Check empty fields
     if (empty($_POST['v_chain'])) $errors[] = __('banlist');
     if (empty($_POST['v_ip'])) $errors[] = __('ip address');