Cross-Site Request Forgery (CSRF) vulnerability in automatededitor.Com Automated Editor plugin <= 1.3 versions.

**Solution**

 No fix

No patched version is available.

Prasanna V Balaji discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Automated Editor Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45276: WordPress Automated Editor plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Apple, Google, and Microsoft are promoting passkeys as a solution for accounts recovery, but enterprises are slow-walking their adoption.

The growing support for passkeys means consumers and small businesses finally have an easy-to-use technology for passwordless access to websites and cloud applications, but enterprises will likely not see a usable form of the technology for some time yet.

The passwordless authentication approach, based on the FIDO Alliance's WebAuthn standard, allows developers to leverage the user device's authentication technology — such as FaceID and fingerprint sensors — to log into cloud services and Web applications. While WebAuthn resulted in many implementations, which added significant complexity for consumers, passkeys are supported by major Internet firms — including Apple, Google, and Microsoft — which dramatically simplifies their use for consumers.

Yet that usability, which could extend to cloud-native small businesses, does not allow for the control and attestation necessary for passkeys in large corporations, says Jasson Casey, CEO of Beyond Identity. Instead, passkeys will likely develop into a optional factor in their current public key infrastructure (PKI) or credential-based system.

"I honestly think it's going to be a love child of passkeys and PKI that ultimately businesses need," Casey says. "The really cool thing about passkeys is the idea that there's a well-defined interface between a browser or user agent and an actual authenticator that manages credentials and keys."

Major companies have pushed passkeys as a more secure way to sign into online accounts. In June, Google began allowing companies to switch their Workspace users over to passkeys rather than using passwords. On Oct. 10, the company began giving users the ability to make passkeys the default option across their personal accounts, prompting them to make the switch when they sign in.

Apple and Microsoft have both added support for passkeys in their hardware and software, with iOS, Mac OS, and Windows 11 all supporting the technology.

For companies, passkeys could eliminate some of the cost of improving managing identity and improving authentication, says Steve Won, chief product officer at 1Password, an identity and password management firm.

"I'm really optimistic that enterprise adoption will be totally tenable within the next decade," Won says. "I've talked to so many businesses that are like, holy crap, \[passkeys are\] basically usable certificates or ... usable Yubikeys. Certificates are such a nightmare to be able to handle, and on the Yubikey side, nobody wants to be in the business of managing hardware."

**The End of Phishing?**

Done right, passkeys could eliminate phishing attacks aimed at harvesting credentials because there are no passwords to steal. The specification, which aims for interoperability among the largest identify providers, allow a user's device to attest to their identity, using private and public keys to then log the user into a service.

A major sticking point was the issue of recovering the keys when a device is lost, says Beyond Identity's Casey.

"A passkey is actually anchored in an enclave on my device, so if I throw that device in the ocean because — I don't even need a reason — and I go buy a new device, how do I log back in? That was viewed as a major stumbling block for the B2C \[business-to-consumer\] community," he says.

Apple, Google, and Microsoft fix this problem by tying the keys to their services. A user who logs back into one of the services can then recover by being issued a new set of keys.

Despite the promise of phishing resistance and doing away with shared secrets, businesses are still hesitant to commit to passkeys, says Andras Cser, vice president and principal analyst at Forrester Research.

"We still see zero to minimal adoption in the market," he says. "Service providers — \[such as\] retailers, healthcare orgs, \[and financial services\] companies — are concerned about device attestation and presence of the person authenticating."

**Companies Need More Than Passkeys**

The problems faced by enterprises are different. For companies, passkeys hold the promise of providing a standardized PKI as a way of interacting with online resources, as long as four requirements are met, says Casey. The system has to guarantee that keys cannot move; it solves the recovery problem for lost devices; it works across all sorts of devices, browsers, and online services; and it provides companies with centralized policy management for devices.

"An effective passkey system is going to have a distributed, automated PKI system under the hood that is providing similar security guarantees but without requiring you to actively manage the service ... regardless of whether the device is managed or BYOD devices," Casey says. "Classical PKI systems don't do any of that for you, not without a huge administrative burden."

While some small businesses may mandate the use of passkey, companies will more likely offer the technology as an authentication option for their customers.

**Another Zero-Trust Possibility**

If passkey providers and identity and access management (IAM) companies solve the enterprise-use problems of passkeys, they could take off in business. While consumers need easy-to-use services, companies can mandate that their employees use a specific technology, even if that technology has a learning curve or adds some steps to daily workflows, says Ian Hassard, senior director of product management at Okta, a single sign-on provider.

"If you look at customer identity being focused around balancing security and friction, because if you have too much friction, people don't buy your products," he says. "But in workforce identity, if you're managing your workforce, you have a bit more of a captive audience in the sense of, you can apply more friction to ensure a higher level of assurance and security."

Okta, for example, focuses on the management of identities, access privileges, and ensuring the user's device has the proper security controls in place and does not show signs of compromise, says Hassard. These are all foundational for a zero-trust approach to security.

"You want that assurance that the device is not compromised," he says. "Because obviously a lot of this technology is great until the client device is completely owned, and that's not a good thing."

Passkeys Are Cool, but They Aren't Enterprise-Ready

Cross-Site Request Forgery (CSRF) vulnerability in Zizou1988 IRivYou plugin <= 2.2.1 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress IRivYou Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45267: WordPress IRivYou plugin <= 2.2.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Hitsteps Hitsteps Web Analytics plugin <= 5.86 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Hitsteps Web Analytics Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45268: WordPress Hitsteps Web Analytics plugin <= 5.86 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

** PSIRT Advisories**

**FortiSandbox - Reflected Cross Site Scripting (XSS) on the "file ondemand" rendering endpoint**

**Summary**

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability \[CWE-79\] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version

Affected

Solution

FortiSandbox 4.4

4.4.0 through 4.4.1

Upgrade to 4.4.2 or above

FortiSandbox 4.2

4.2.0 through 4.2.5

Upgrade to 4.4.2 or above

FortiSandbox 4.0

4.0.0 through 4.0.3

Upgrade to 4.0.4 or above

FortiSandbox 3.2

3.2 all versions

Migrate to a fixed release

FortiSandbox 3.1

3.1 all versions

Migrate to a fixed release

FortiSandbox 3.0

3.0 all versions

Migrate to a fixed release

FortiSandbox 2.5

2.5 all versions

Migrate to a fixed release

FortiSandbox 2.4

2.4.1

Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Fortinet is pleased to thank security researcher Sander Van der Borght (@Sander\_\_VdB\_) for discovering and reporting this vulnerability under responsible disclosure.

**Timeline**

2023-10-13: Initial publication

CVE-2023-41843: Fortiguard

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 and 2.5.0 through 2.5.2 and 2.4.1 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

** PSIRT Advisories**

**FortiSandbox - XSS on delete endpoint**

**Summary**

Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability \[CWE-79\] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version

Affected

Solution

FortiSandbox 4.4

4.4.0 through 4.4.1

Upgrade to 4.4.2 or above

FortiSandbox 4.2

4.2.0 through 4.2.5

Upgrade to 4.4.2 or above

FortiSandbox 4.0

4.0.0 through 4.0.3

Upgrade to 4.0.4 or above

FortiSandbox 3.2

3.2 all versions

Migrate to a fixed release

FortiSandbox 3.1

3.1 all versions

Migrate to a fixed release

FortiSandbox 3.0

3.0 all versions

Migrate to a fixed release

FortiSandbox 2.5

2.5 all versions

Migrate to a fixed release

FortiSandbox 2.4

2.4.1

Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

**Timeline**

2023-10-13: Initial publication

CVE-2023-41680: Fortiguard

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.0 and 4.2.0 through 4.2.4, and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.4 through 3.0.7 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

** PSIRT Advisories**

**FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint**

**Summary**

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability \[CWE-79\] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version

Affected

Solution

FortiSandbox 4.4

4.4.0

Upgrade to 4.4.2 or above

FortiSandbox 4.2

4.2.0 through 4.2.4

Upgrade to 4.4.2 or above

FortiSandbox 4.0

4.0 all versions

Migrate to a fixed release

FortiSandbox 3.2

3.2 all versions

Migrate to a fixed release

FortiSandbox 3.1

3.1 all versions

Migrate to a fixed release

FortiSandbox 3.0

3.0.4 through 3.0.7

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

**Timeline**

2023-10-13: Initial publication

CVE-2023-41836: Fortiguard

A insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows attacker to execute unauthorized code or commands via api request

** PSIRT Advisories**

**FortiEDR - Session API token does not expires after a renewal**

**Summary**

An insufficient session expiration vulnerability \[CWE-613\] in FortiEDR may allow an attacker to reuse the unexpired user API access token to gain privileges, should the attacker be able to obtain that API access token (via other, hypothetical attacks).

**Affected Products**

FortiEDR version 5.0.0 through 5.0.3:873  
FortiEDR version 5.2.0:2500 and below.

**Solutions**

Please upgrade to FortiEDR version 5.2.0.2501 or above  
Please upgrade to FortiEDR version 5.0.3.873 or above

**Acknowledgement**

Fortinet is pleased to thank security researcher Kevin Carli for discovering and reporting this vulnerability under responsible disclosure.

**Timeline**

2023-09-29: Initial publication

CVE-2023-33303: Fortiguard

A stored cross-site scripting (XSS) vulnerability in the Create A New Employee function of Granding UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter.

**GRANDING UTime Master - Stored XSS**

 Hi All,

I was able to identify stored XSS in one online attendance system i.e. GRANDING UTime Master (v UTime Master\_9.0.7-Build:Apr 4,2023).

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser.

1.  Login to UTime Master using admin account
2.  Click on Personnel > Employee Management >Employee
3.  Select Any employee or create a new employee
4.  In First name Section embed you payload. For test case I used "/><img src=a onerror=alert(22)>

_XSS payload embedded in EMP NAME field._

Save the employee details, Once the page refreshed it will execute your payload.

_our payload executed successfully._

_I have also observed multiple other fields are also vulnerable to XSS e.g. Device Name, Department etc._

XSS has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.

**Popular posts from this blog**

**ZKT Eco ADMS - Stored XSS**

 Hi All, I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users. Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213 Technical details Login to ZKT Eco ADMS (default admin/admin) Click on System and click on Employee Click on Append button to add new Employee In Emp Name field Add your XSS payload. For testing I have used a non malicious code "/><img src=a onerror=alert('stored-XSS');> Click on Submit button, it will redirect you to the employee list, and our payload will be executed. XSS payload embedded in EMP NAME field. our payload executed successfully. XSS has been fixed in latest versions after 3.1-164.

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

CVE-2023-45391: GRANDING UTime Master - Stored XSS

An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie.

**GRANDING UTime Master - IDOR**

 Hi All,

I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v UTime Master\_9.0.7-Build:Apr 4,2023). 

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser.

Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees.

1.  Login to UTime Master using any account.
2.  Capture the request in burpsuite with the valid cookies.
3.  modify the URL to "/base/adminlog/table/?page=1&limit=200"
4.  Forward the request and it will fetch all the admin logs.

  

XSS has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.

**Popular posts from this blog**

**ZKT Eco ADMS - Stored XSS**

 Hi All, I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users. Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213 Technical details Login to ZKT Eco ADMS (default admin/admin) Click on System and click on Employee Click on Append button to add new Employee In Emp Name field Add your XSS payload. For testing I have used a non malicious code "/><img src=a onerror=alert('stored-XSS');> Click on Submit button, it will redirect you to the employee list, and our payload will be executed. XSS payload embedded in EMP NAME field. our payload executed successfully. XSS has been fixed in latest versions after 3.1-164.

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

Tag

#auth