#csrf

## Summary Critical security vulnerabilities exist in both the `UUIDv4()` and `UUID()` functions of the `github.com/gofiber/utils` package. When the system's cryptographic random number generator (`crypto/rand`) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID `"00000000-0000-0000-0000-000000000000"`. This compromises the security of all Fiber applications using these functions for security-critical operations. **Both functions are vulnerable to the same root cause (`crypto/rand` failure):** - `UUIDv4()`: Indirect vulnerability through `uuid.NewRandom()` → `crypto/rand.Read()` → fallback to `UUID()` - `UUID()`: Direct vulnerability through `crypto/rand.Read(uuidSeed[:])` → silent zero UUID return ## Vulnerability Details ### Affected Functions - **Package**: `github.com/gofiber/utils` - **Functions**: `UUIDv4()` and `UUID()` - **Return Type**: `string` (both functions) - **Locations**: `common.go:93-99` (UUIDv4), `common.go:60-8...

**Endpoint**: `admin/config/system` **Submenu**: `Languages` **Parameter**: `Supported` **Application**: Grav v 1.7.48 --- ## Summary A Denial of Service (DoS) vulnerability was identified in the **"Languages"** submenu of the Grav **admin configuration panel** (`/admin/config/system`). Specifically, the `Supported` parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (`/`) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the `preg_match()` function with an **improperly constructed regular expression**, resulting in the following error: `preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244` Once triggered, the site becomes completely unavailable to all users. --- ## Details - **Vulnerable Endpoint**: `POST /admin/config/system` - **Submenu**: `Languages` - **Paramet...

### Summary XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. ### Details **Vulnerable Code:** `spotipy/oauth2.py` lines 1238-1274 (RequestHandler.do_GET) **The Problem:** During OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the `error` URL parameter directly into HTML without sanitization. **Vulnerable code at line 1255:** ```python status = f"failed ({self.server.error})" ``` **Then embedded in HTML at line 1265:** ```python self._write(f"""<html> <body> <h1>Authentication status: {status}</h1> </body> </html>""") ``` The `error` parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection. **Attack Flow:** 1. User starts OAuth authentication → local server runs on `http://127.0.0.1:8080` 2. Attacker crafts malicious URL: `http://127.0.0.1:8080/?err...

The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token** to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (`http://` or `https://`) to determine if it is cross-origin. If the URL starts with protocol-relative URL (`//`), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the `X-XSRF-TOKEN` header. ### Impact The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session. ### Attack Preconditions 1. The victim's Angular application must have **XSRF protection enabled**. 2. The attacker must be able to make the application send a st...

### Summary A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter `args[types]` is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. ### Details Control Flow: 1. `redaxo/src/addons/mediapool/pages/index.php` reads args via `rex_request('args', 'array')` and passes them through as `$argUrl` to `media.list.php`. 2. `redaxo/src/addons/mediapool/pages/media.list.php` injects `$argUrl['args']['types']` into an HTML string without escaping: ``` if (!empty($argUrl['args']['types'])) { echo rex_view::info(rex_i18n::msg('pool_file_filter') . ' <code>' . $argUrl['args']['types'] . '</code>'); } ``` ### PoC 1. Log into the REDAXO backend. 2. While authenticated, open a crafted URL like: `<host>/index.php?page=mediapool/media&args[types]="><img+src%3Dx+onerror%3Dalert%28document.domain%29>` 4. The inf...

## Summary When using Astro's Cloudflare adapter (@astrojs/cloudflare) with `output: 'server'`, the image optimization endpoint (`/_image`) contains a critical vulnerability in the `isRemoteAllowed()` function that unconditionally allows `data:` protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. ## Details On-demand rendered sites built with Astro include an `/_image` endpoint for image optimization. While this endpoint is designed to restrict processing to local images and authorized remote domains (configured via `image.domains` or `image.remotePatterns`), a critical vulnerability exists in the underlying validation logic. The `isRemoteAllowed()` function in [packages/internal-helpers/src/remote.ts](https://github.com/withastro/astro/blob/b8ca69b97149becefaf89bf21853de9c905cdbb7/packages/internal-helpers/src/remote.ts) (lines 128-131) unconditionally allows ALL `data...

## Summary A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The `Image Name` parameter is reflected in the HTTP response without proper output encoding or sanitization, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript execution in the victim’s browser. ## Details - **Vulnerable Endpoint:** `GET /maps/nodeimage` - **Parameter:** `Image Name` (reflected in response) - **Vulnerability type:** Reflected Cross-Site Scripting (XSS) — input is reflected in server response and executed in victim browser. - **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-site Scripting) ## Description The application takes the value of the `Image Name` parameter from a request to `/maps/nodeimage` and includes it in the generated page or response without proper contextual encoding. Because the input is reflected immediately...

### Summary An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitation can lead to a full compromise of the database, including reading, modifying, or deleting all data, as well as potential remote code execution depending on the database configuration. ### Details The vulnerability exists in the `save` method within the `src/phpMyFAQ/Controller/Administration/ConfigurationTabController.php` controller. This method handles the saving of application-wide configuration settings. It retrieves all submitted form data as an associative array via `$request->get('edit')`. The core of the issue is that while the *values* of this array are processed, the *keys* are trusted implicitly and are not sanitized or validated. **File:** `src/phpMyFAQ/Controller/Administration/ConfigurationTabController.php` ```php...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SICAM P850 family and SICAM P855 family Vulnerabilities: Cross-Site Request Forgery (CSRF), Incorrect Permission Assignment for Critical Resource 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform arbitrary actions on the device on behalf of a legitimate user, or impersonate that user. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: SICAM P850 (7KG8500-0AA00-0AA0): Versions prior to 3.11 SICAM P850 (7KG8501-0AA02-2AA0): Versions prior to 3.11 SICAM P85...

Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us. But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It’s a constant race — every