#csrf

SvelteKit is a web development framework. The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to its users. While the implementation does a sufficient job in mitigating common CSRF attacks, prior to version 1.15.1, the protection can be bypassed by simply specifying a different `Content-Type` header value. If abused, this issue will allow malicious requests to be submitted from third-party domains, which can allow execution of operations within the context of the victim's session, and in extreme scenarios can lead to unauthorized access to users’ accounts. SvelteKit 1.15.1 updates the `is_form_content_type` function call in the CSRF protection logic to include `text/plain`. As additional hardening of the CSRF protection mechanism against potential method overrides, SvelteKit 1.15...

### Summary The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery (CSRF) protection to it’s users. The protection is implemented at `kit/src/runtime/server/respond.js#L52`. While the implementation does a sufficient job in mitigating common CSRF attacks, the protection can be bypassed by simply specifying a different `Content-Type` header value. ### Details The CSRF protection is implemented using the code shown below. ```js const forbidden = // (1) request.method === 'POST' && // (2) request.headers.get('origin') !== url.origin && // (3) is_form_content_type(request); if (forbidden) { // (4) const csrf_error = error(403, `Cross-site ${request.method} form submissions are forbidden`); if (request.headers.get('accept') === 'application/json') { return json(csrf_error.body, {...

Cross Site Scripting vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via javascript code in the markdown editor.

SQL Injection vulnerability found in San Luan PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via the sql parameter.

Cross-Site Request Forgery (CSRF) vulnerability in PeepSo Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin <= 6.0.2.0 versions.

GLPI versions 10.0.0 through 10.0.2 suffer from a remote SQL injection vulnerability that can lead to remote code execution.

The User Role by BestWebSoft WordPress plugin before 1.6.7 does not protect against CSRF in requests to update role capabilities, leading to arbitrary privilege escalation of any role.

The Redirection WordPress plugin before 1.1.4 does not add nonce verification in place when adding the redirect, which could allow attackers to add redirects via a CSRF attack.

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.