#csrf

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the web port configuration functionality. The port-change endpoint lacks CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a port-change request; when a victim visits it while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the port on which the 1Panel web service listens, causing loss of access on the original port and resulting in service disruption or denial of service, and may unintentionally expose the service on an attacker-chosen port.

1Panel versions 1.10.33 through 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the panel name management functionality. The affected endpoint does not implement CSRF defenses such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a panel-name change request; if a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows a remote attacker to change the victim’s panel name to an arbitrary value without consent.

A cross-site request forgery (CSRF) vulnerability in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers to trick users into logging in to the attacker's account.

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel (/settings/panel). The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can craft a malicious webpage that submits a username-change request; when a victim visits the page while authenticated, the browser includes valid session cookies and the request succeeds. This allows an attacker to change the victim’s 1Panel username without consent. After the change, the victim is logged out and unable to log in with the previous username, resulting in account lockout and denial of service.

## Summary Critical security vulnerabilities exist in both the `UUIDv4()` and `UUID()` functions of the `github.com/gofiber/utils` package. When the system's cryptographic random number generator (`crypto/rand`) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID `"00000000-0000-0000-0000-000000000000"`. This compromises the security of all Fiber applications using these functions for security-critical operations. **Both functions are vulnerable to the same root cause (`crypto/rand` failure):** - `UUIDv4()`: Indirect vulnerability through `uuid.NewRandom()` → `crypto/rand.Read()` → fallback to `UUID()` - `UUID()`: Direct vulnerability through `crypto/rand.Read(uuidSeed[:])` → silent zero UUID return ## Vulnerability Details ### Affected Functions - **Package**: `github.com/gofiber/utils` - **Functions**: `UUIDv4()` and `UUID()` - **Return Type**: `string` (both functions) - **Locations**: `common.go:93-99` (UUIDv4), `common.go:60-8...

**Endpoint**: `admin/config/system` **Submenu**: `Languages` **Parameter**: `Supported` **Application**: Grav v 1.7.48 --- ## Summary A Denial of Service (DoS) vulnerability was identified in the **"Languages"** submenu of the Grav **admin configuration panel** (`/admin/config/system`). Specifically, the `Supported` parameter fails to properly validate user input. If a malformed value is inserted—such as a single forward slash (`/`) or an XSS test string—it causes a fatal regular expression parsing error on the server. This leads to application-wide failure due to the use of the `preg_match()` function with an **improperly constructed regular expression**, resulting in the following error: `preg_match(): Unknown modifier 'o' File: /system/src/Grav/Common/Language/Language.php line 244` Once triggered, the site becomes completely unavailable to all users. --- ## Details - **Vulnerable Endpoint**: `POST /admin/config/system` - **Submenu**: `Languages` - **Paramet...

### Summary XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. ### Details **Vulnerable Code:** `spotipy/oauth2.py` lines 1238-1274 (RequestHandler.do_GET) **The Problem:** During OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the `error` URL parameter directly into HTML without sanitization. **Vulnerable code at line 1255:** ```python status = f"failed ({self.server.error})" ``` **Then embedded in HTML at line 1265:** ```python self._write(f"""<html> <body> <h1>Authentication status: {status}</h1> </body> </html>""") ``` The `error` parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection. **Attack Flow:** 1. User starts OAuth authentication → local server runs on `http://127.0.0.1:8080` 2. Attacker crafts malicious URL: `http://127.0.0.1:8080/?err...

The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token** to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (`http://` or `https://`) to determine if it is cross-origin. If the URL starts with protocol-relative URL (`//`), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the `X-XSRF-TOKEN` header. ### Impact The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session. ### Attack Preconditions 1. The victim's Angular application must have **XSRF protection enabled**. 2. The attacker must be able to make the application send a st...

### Summary A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter `args[types]` is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link while logged in. ### Details Control Flow: 1. `redaxo/src/addons/mediapool/pages/index.php` reads args via `rex_request('args', 'array')` and passes them through as `$argUrl` to `media.list.php`. 2. `redaxo/src/addons/mediapool/pages/media.list.php` injects `$argUrl['args']['types']` into an HTML string without escaping: ``` if (!empty($argUrl['args']['types'])) { echo rex_view::info(rex_i18n::msg('pool_file_filter') . ' <code>' . $argUrl['args']['types'] . '</code>'); } ``` ### PoC 1. Log into the REDAXO backend. 2. While authenticated, open a crafted URL like: `<host>/index.php?page=mediapool/media&args[types]="><img+src%3Dx+onerror%3Dalert%28document.domain%29>` 4. The inf...

## Summary When using Astro's Cloudflare adapter (@astrojs/cloudflare) with `output: 'server'`, the image optimization endpoint (`/_image`) contains a critical vulnerability in the `isRemoteAllowed()` function that unconditionally allows `data:` protocol URLs. This enables Cross-Site Scripting (XSS) attacks through malicious SVG payloads, bypassing domain restrictions and Content Security Policy protections. ## Details On-demand rendered sites built with Astro include an `/_image` endpoint for image optimization. While this endpoint is designed to restrict processing to local images and authorized remote domains (configured via `image.domains` or `image.remotePatterns`), a critical vulnerability exists in the underlying validation logic. The `isRemoteAllowed()` function in [packages/internal-helpers/src/remote.ts](https://github.com/withastro/astro/blob/b8ca69b97149becefaf89bf21853de9c905cdbb7/packages/internal-helpers/src/remote.ts) (lines 128-131) unconditionally allows ALL `data...