Headline
ECOA Building Automation System Cross-Site Request Forgery
The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform any CRUD operation like user creation, alarm shutdown and account password change with administrative privileges if a logged-in user visits a malicious web site.
Related news
Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request.
Beijing Wuzhi Internet Technology Co., Ltd. Wuzhi CMS 4.0.1 is an open source content management system. The five fingers CMS backend in***.php file has arbitrary file deletion vulnerability. Attackers can use vulnerabilities to delete arbitrary files.