It's important to note, that the lack of CSRF protection is generally out of scope, but I reported it, because this request is just a simple GET method.

An attacker is able to craft an URL, what contains the ID of a report, and if the user, who has access to the report, clicks on it, the report is being self closed.

To reproduce the issue, please follow the steps below:

1; Register a user 2; Submit a report at the test site 3; After submission, the report receives a unique(incremental) identifier 4; Craft the malicious URL : https://hckrt.com/Reports/SelfClose?report={REPORTID} 5; Open the URL above, and the submission has been self-closed.

If an attacker enchances the above link with an URL shortener function, or some type of open redirect issue, a targeted attack is easy to carry out against the hackers at H4ckr4t3, and the workflow of a report submission and lifecycle can be affected.