Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

CVE-2023-28821: Releases · concretecms/concretecms

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.

Expand Up

@@ -29,6 +29,7 @@

use Pimcore\\Http\\ResponseHelper;

use Pimcore\\Logger;

use Pimcore\\Model\\User;

use Pimcore\\Security\\SecurityHelper;

use Pimcore\\Tool;

use Pimcore\\Tool\\Authentication;

use Symfony\\Component\\HttpFoundation\\RedirectResponse;

Expand Down Expand Up

@@ -114,7 +115,7 @@ public function loginAction(Request $request, CsrfProtectionHandler $csrfProtect

$params\['csrfTokenRefreshInterval'\] = ((int)$session\_gc\_maxlifetime - 60) \* 1000;

  

if ($request\->get('too\_many\_attempts')) {

$params\['error'\] = $request\->get('too\_many\_attempts');

$params\['error'\] = SecurityHelper::convertHtmlSpecialChars($request\->get('too\_many\_attempts'));

}

if ($request\->get('auth\_failed')) {

$params\['error'\] = 'error\_auth\_failed';

Expand Down

CVE-2023-2341: fixed xss on login page (#14975) · pimcore/pimcore@66f1089

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.



**Description**

URL parsing with Qwik uses the new URL(a, b) constructor. A little-known fact about this constructor is that if an attacker controls a they have complete control of the finally resolved URL.

For example:

    const url = new URL(attacker_value, "http://localhost")
    

By entering //test.com, we can change the origin to resolve to http://test.com.

**Qwik URL Resolution**

The getUrl function is used in production and development node servers link.

    export function getUrl(req: IncomingMessage) {
      const origin = ORIGIN ?? getOrigin(req);
      return new URL((req as any).originalUrl || req.url || '/', origin);
    }
    

This follows the earlier vulnerable pattern, and the origin can be controlled.

Cloudflare, Vercel and other deployments which do not use this mechanism are not vulnerable.

**Proof of Concept**

Start any node Qwik Server.

For simplicity, I am using curl to simulate the request from the browser. In this case, the origin is "attacker.com". An actual attack would use the victim's web browser to send these requests and be unable to edit headers manually.

Observe curl -X POST http://localhost:5173/ -H "Origin: http://attacker.com" causes a CSRF error

Observe curl -X POST http://localhost:5173//attacker.com/ -H "Origin: http://attacker.com" does not cause a CSRF error!

**The internal URL now points to http://attacker.com; Qwik thinks it's attacker.com!**

**Impact**

Bypass of CSRF protections.

The result is the ability to modify user resources, provided they have an active session and are using SameSite: None for session cookies.

**Occurrences**

CVE-2023-2307: CSRF bypass in qwik

Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.

@@ -0,0 +1,37 @@

import { test } from 'uvu';

import { equal } from 'uvu/assert';

import { normalizeUrl } from './http';

  

\[

{

url: '/',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/',

},

{

url: '/attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '//attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '\\\\\\\\attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/attacker.com',

},

{

url: '/some-path//attacker.com',

base: 'https://qwik.dev',

expect: 'https://qwik.dev/some-path/attacker.com',

},

\].forEach((t) \=> {

test(\`normalizeUrl(${t.url}, ${t.base})\`, () \=> {

equal(normalizeUrl(t.url, t.base).href, t.expect);

});

});

  

test.run();

CVE-2023-2307: fix: relative protocol urls · BuilderIO/qwik@09190b7

The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.

CVE-2022-40724: We’re here to help

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to the Configuration Dashboard page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Nokia

**Vulnerable software**

NetAct v 20.1

**Severity level**

Severity level: Medium  
Impact: XML External Entity (XXE)  
Access Vector: Remote  

CVSS v3.1  
Base Score: 5,8  
Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:N/MS:U/MC:H/MI:L/MA:L)

CVE-2023-26057

**Vulnerability description:**

Input validation and proper XML parsers configuration was missing. On the Configuration Dashboard page, an attacker can import XML files. Support of external entities (External Entity) is enabled for processing of such files, which leads to Arbitrary File Read and SSRF. The attack can only be performed by an internal user. The vulnerability is fixed in NetAct 22 FP2211 and onwards.

**Advisory status**

10.10.2022 - Vendor gets vulnerability details

**Credits**

The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)

CVE-2023-26057: PT-2022-01: XML External Entity (XXE)

An XXE issue was discovered in Nokia NetAct before 22 FP2211 via an XML document to a Performance Manager page. Input validation and a proper XML parser configuration are missing. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user.

Nokia

**Vulnerable software**

NetAct v 20.1

**Severity level**

Severity level: Medium  
Impact: XML External Entity (XXE)  
Access Vector: Remote  

CVSS v3.1  
Base Score: 5,8  
Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/MAV:L/MAC:H/MPR:L/MUI:N/MS:U/MC:H/MI:L/MA:L)

CVE-2023-26058

**Vulnerability description:**

Input validation and proper XML parsers configuration was missing. On the Perfomance Manager+ page, attackers can import XML files. Support of external entities is enabled for processing of such files, which leads to Arbitrary File Read and SSRF. The attack can only be performed by an internal user. The vulnerability is fixed in NetAct 22 FP2211 and onwards.

**Advisory status**

10.10.2022 - Vendor gets vulnerability details

**Credits**

The vulnerability was detected by Vladimir Razov and Aleksandr Ustinov (Positive Technologies)

CVE-2023-26058: PT-2022-02: XML External Entity (XXE)

The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders

CVE-2023-1624

The Custom Post Type UI WordPress plugin before 1.13.5 does not properly check for CSRF when sending the debug information to a user supplied email, which could allow attackers to make a logged in admin send such information to an arbitrary email address via a CSRF attack.

CVE-2023-1623

The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours

Tag

#csrf