Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website


CVE-2023-2000: Security Updates

mccms v2.6.3 is vulnerable to Cross Site Request Forgery (CSRF).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-29815: Under v2.6.3, your project has a CSRF vulnerability · Issue #3 · chshcms/mccms

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

CVE-2023-28821: Releases · concretecms/concretecms

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.

Expand Up

@@ -29,6 +29,7 @@

use Pimcore\\Http\\ResponseHelper;

use Pimcore\\Logger;

use Pimcore\\Model\\User;

use Pimcore\\Security\\SecurityHelper;

use Pimcore\\Tool;

use Pimcore\\Tool\\Authentication;

use Symfony\\Component\\HttpFoundation\\RedirectResponse;

Expand Down Expand Up

@@ -114,7 +115,7 @@ public function loginAction(Request $request, CsrfProtectionHandler $csrfProtect

$params\['csrfTokenRefreshInterval'\] = ((int)$session\_gc\_maxlifetime - 60) \* 1000;

  

if ($request\->get('too\_many\_attempts')) {

$params\['error'\] = $request\->get('too\_many\_attempts');

$params\['error'\] = SecurityHelper::convertHtmlSpecialChars($request\->get('too\_many\_attempts'));

}

if ($request\->get('auth\_failed')) {

$params\['error'\] = 'error\_auth\_failed';

Expand Down

CVE-2023-2341: fixed xss on login page (#14975) · pimcore/pimcore@66f1089

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.



**Description**

URL parsing with Qwik uses the new URL(a, b) constructor. A little-known fact about this constructor is that if an attacker controls a they have complete control of the finally resolved URL.

For example:

    const url = new URL(attacker_value, "http://localhost")
    

By entering //test.com, we can change the origin to resolve to http://test.com.

**Qwik URL Resolution**

The getUrl function is used in production and development node servers link.

    export function getUrl(req: IncomingMessage) {
      const origin = ORIGIN ?? getOrigin(req);
      return new URL((req as any).originalUrl || req.url || '/', origin);
    }
    

This follows the earlier vulnerable pattern, and the origin can be controlled.

Cloudflare, Vercel and other deployments which do not use this mechanism are not vulnerable.

**Proof of Concept**

Start any node Qwik Server.

For simplicity, I am using curl to simulate the request from the browser. In this case, the origin is "attacker.com". An actual attack would use the victim's web browser to send these requests and be unable to edit headers manually.

Observe curl -X POST http://localhost:5173/ -H "Origin: http://attacker.com" causes a CSRF error

Observe curl -X POST http://localhost:5173//attacker.com/ -H "Origin: http://attacker.com" does not cause a CSRF error!

**The internal URL now points to http://attacker.com; Qwik thinks it's attacker.com!**

**Impact**

Bypass of CSRF protections.

The result is the ability to modify user resources, provided they have an active session and are using SameSite: None for session cookies.

**Occurrences**

CVE-2023-2307: CSRF bypass in qwik

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

@@ -0,0 +1,37 @@

import { test } from 'uvu';

import { equal } from 'uvu/assert';

import { normalizeUrl } from './http';

  

\[

{

url: '/',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/',

},

{

url: '/attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '//attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '\\\\\\\\attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '/some-path//attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/some-path/attacker.com',

},

\].forEach((t) \=> {

test(\`normalizeUrl(${t.url}, ${t.base})\`, () \=> {

equal(normalizeUrl(t.url, t.base).href, t.expect);

});

});

  

test.run();

CVE-2023-2307: fix: relative protocol urls · BuilderIO/qwik@09190b7

The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.

CVE-2022-40724: We’re here to help

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Nokia

**Vulnerable software**

NetAct v 20.1

**Severity level**

Severity level: Medium  
Impact: XML External Entity (XXE)  
Access Vector: Remote  

CVSS v3.1  
Base Score: 5,8  
Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:N/MS:U/MC:H/MI:L/MA:L)

CVE-2023-26057

**Vulnerability description:**

Input validation and proper XML parsers configuration was missing. On the Configuration Dashboard page, an attacker can import XML files. Support of external entities (External Entity) is enabled for processing of such files, which leads to Arbitrary File Read and SSRF. The attack can only be performed by an internal user. The vulnerability is fixed in NetAct 22 FP2211 and onwards.

**Advisory status**

10.10.2022 - Vendor gets vulnerability details

**Credits**

The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)

CVE-2023-26057: PT-2022-01: XML External Entity (XXE)

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Nokia

**Vulnerable software**

NetAct v 20.1

**Severity level**

Severity level: Medium  
Impact: XML External Entity (XXE)  
Access Vector: Remote  

CVSS v3.1  
Base Score: 5,8  
Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:N/MS:U/MC:H/MI:L/MA:L)

CVE-2023-26058

**Vulnerability description:**

Input validation and proper XML parsers configuration was missing. On the Perfomance Manager+ page, attackers can import XML files. Support of external entities is enabled for processing of such files, which leads to Arbitrary File Read and SSRF. The attack can only be performed by an internal user. The vulnerability is fixed in NetAct 22 FP2211 and onwards.

**Advisory status**

10.10.2022 - Vendor gets vulnerability details

**Credits**

The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)

CVE-2023-26058: PT-2022-02: XML External Entity (XXE)

The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders

Tag

#csrf