The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

Posted Oct 25, 2021

Authored by Akash Rajendra Patil

WordPress Ninja Tables plugin version 4.1.7 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

MD5 | `1ee321f04776c466b3590854bba610c6`

Download | Favorite | View

**WordPress Ninja Tables 4.1.7 Cross Site Scripting**

    # Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)# Date: 25-10-2021# Exploit Author: Akash Rajendra Patil# Vendor Homepage: https://wordpress.org/plugins/ninja-tables/# Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/# Version: 4.1.7# Tested on Windows*How to reproduce vulnerability:*1. Install Latest WordPress2. Install and activate Ninja Tables <= 4.1.73. Enter JavaScript payload which is mentioned below"><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data'and enter the data into the user input field.Then Navigate to Table Design5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.

**File Tags**

*   ActiveX (932)
*   Advisory (76,655)
*   Arbitrary (14,946)
*   BBS (2,859)
*   Bypass (1,518)
*   CGI (1,009)
*   Code Execution (6,477)
*   Conference (667)
*   Cracker (797)
*   CSRF (3,247)
*   DoS (21,554)
*   Encryption (2,320)
*   Exploit (49,159)
*   File Inclusion (4,121)
*   File Upload (933)
*   Firewall (821)
*   Info Disclosure (2,531)
*   Intrusion Detection (845)
*   Java (2,745)
*   JavaScript (789)
*   Kernel (5,904)
*   Local (13,904)
*   Magazine (586)
*   Overflow (12,045)
*   Perl (1,409)
*   PHP (5,024)
*   Proof of Concept (2,273)
*   Protocol (3,233)
*   Python (1,365)
*   Remote (29,340)
*   Root (3,428)
*   Ruby (564)
*   Scanner (1,628)
*   Security Tool (7,635)
*   Shell (3,014)
*   Shellcode (1,192)
*   Sniffer (877)
*   Spoof (2,064)
*   SQL Injection (15,868)
*   TCP (2,345)
*   Trojan (666)
*   UDP (865)
*   Virus (657)
*   Vulnerability (30,162)
*   Web (8,870)
*   Whitepaper (3,701)
*   x86 (939)
*   XSS (17,211)
*   Other

**File Archives**

*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   May 2021
*   April 2021
*   March 2021
*   February 2021
*   Older

**Systems**

*   AIX (423)
*   Apple (1,860)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,909)
*   Debian (5,947)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,150)
*   HPUX (875)
*   iOS (311)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,376)
*   Mac OS X (682)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (476)
*   RedHat (10,982)
*   Slackware (941)
*   Solaris (1,601)
*   SUSE (1,444)
*   Ubuntu (7,593)
*   UNIX (9,015)
*   UnixWare (182)
*   Windows (6,265)
*   Other

CVE-2021-24900: WordPress Ninja Tables 4.1.7 Cross Site Scripting ≈ Packet Storm

YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgey (CSRF) via the component /yzmcms/comment/index/init.html.

Prepare two accounts: test01 and test02, background settings allow users to contribute,  
Generate POC of CSRF with test01, First log in to test01 and comment on an article, and grab the request packet,  
![image](https://user-images.githubusercontent.com/89461075/150620972-2b6b5173-9595-4c8a-a420-4bf73e6f77d2.png)  
![image](https://user-images.githubusercontent.com/89461075/150620988-362e6ea5-c06f-4e82-ad39-5b3e926cb553.png)

Log in to TEST02 with another browser and open the web page of the generated POC,  
Triggered CSRF and successfully commented as TEST02.  
![image](https://user-images.githubusercontent.com/89461075/150621077-c0974563-9d10-4801-b255-631261e8242f.png)

CVE-2022-23888: YzmCMSV6. 3. There is a CSRF vulnerability in the foreground in the official version(YzmCMS V6.3 正式版前台存在csrf漏洞) · Issue #60 · yzmcms/yzmcms

YzmCMS v6.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete user accounts via /admin/admin_manage/delete.

This vulnerability allows arbitrary users to be deleted,  
There is a user with ID 3,  
![image](https://user-images.githubusercontent.com/89461075/150460342-a09eccf1-8611-42e2-a52d-336b307df441.png)

Click delete and capture the package to generate the POC of CSRF,  
![image](https://user-images.githubusercontent.com/89461075/150460532-43e70395-68f9-4c5d-aa8c-f9c208b44627.png)

Package the deletion request to dorp, and put the generated POC in the HTML page and send it to the administrator. When the administrator clicks the page, the user with ID 3 can be deleted.  
![image](https://user-images.githubusercontent.com/89461075/150460730-d7dca3d2-d913-4ce7-9d69-be0096f2092f.png)  
![image](https://user-images.githubusercontent.com/89461075/150460754-0f9e1660-4bb4-428d-bea6-ce66e30fc9df.png)

CVE-2022-23887: YzmCMS V6. 3. CSRF vulnerability exists in the official version(YzmCMS V6.3 正式版存在csrf漏洞) · Issue #59 · yzmcms/yzmcms

A CVE-352 Cross-Site Request Forgery (CSRF) vulnerability exists that could allow an attacker to impersonate the user or carry out actions on their behalf when crafted malicious parameters are submitted in POST requests sent to the charging station web server. Affected Products: EVlink City EVC1S22P4 / EVC1S7P4 (All versions prior to R8 V3.4.0.2 ), EVlink Parking EVW2 / EVF2 / EVP2PE (All versions prior to R8 V3.4.0.2), and EVlink Smart Wallbox EVB1A (All versions prior to R8 V3.4.0.2)

CVE-2021-22724

A SQL injection vulnerability exists in ZFAKA<=1.43 which an attacker can use to complete SQL injection in the foreground and add a background administrator account.

In zfaka version 1.4.3,

application / modules / product / admin / Controllers / product / imgurlajax php involed a SQL injection Vuln

Found the following paragraph

![image-20210526025356848](https://i.loli.net/2021/05/26/sgoDva5h4QYZIGw.png)

PDO is the default configuration, and stack injection is immediately thought of

After testing, the OrderID user is controllable. The global search for OrderID shows that OrderID is processed into a pure string by the function method, and there is no room for injection, so we choose another way

It is found that the IP parameters are also controllable by the user, and no processing is done before calling the select method.

The IP parameter calls the getclientip method. Let's follow the getclientip method

![image-20210526030817917](https://i.loli.net/2021/05/26/hng6kUiuVRmO4aQ.png)

It is easy to understand that it is to obtain the client IP from the common HTTP header

However, I am very glad that the IP parameters are not processed. We can implement Stack Injection by constructing XFF header

Because of CSRF\_ For the verification of token, we must arbitrarily enter an order number on the order query page, and then enter the correct verification code, and then the query is valid

Then, the XFF header is manually constructed for Stack Injection for PDO

Because the PDO is closed with double quotation marks and belongs to stack injection without echo

Therefore, the payload structure is

    
    X-FORWARDED-For:1'; select sleep(5)#
    
    

![image-20210526202008945](https://i.loli.net/2021/05/26/h6Tv1eJEpzQZcKg.png)

The injection was successful after a delay of 5S.

For this stack injection without echo, blind injection is too slow, and it is too slow to use dnslog OOB, so we choose to construct an insert statement to add a background administrator

Using prepare statement

    
    X-FORWARDED-For:1"; set@a =0x696E7365727420696E746F20745F61646D696E5F757365722076616C7565732839392C227465737440746573742E74657374222C223736623138303766633163393134663135353838353230623038333366626333222C22373865303535222C30293B; PREPARE a FROM @a; execute a; select sleep(3);#
    
    //Sleep is used to judge whether the injection is successful
    
    

Successfully added a background account with user name test@test.test , password 123456

You can directly log in to the target background / Admin  
![image-20210526202209072](https://i.loli.net/2021/05/26/e2Q5VTXWOKxEYpM.png)

CVE-2022-22294: Zfaka Foreground SQL injection - J0o1ey

What is Cross Site Request Forgery CSRF | Example and Methods of protection

Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.

@@ -4,7 +4,23 @@

  

<?php include(erLhcoreClassDesign::designtpl('lhkernel/csfr\_token.tpl.php'));?>

  

<div role\="tabpanel" ng-controller\="IClickToCallFormGenerator as cform" ng-init\='<?php if ($form\->static\_content != '') : ?>cform.staticResources = <?php echo $form\->static\_content?>;<?php endif;?><?php if ($form\->static\_js\_content != '') : ?>cform.staticJSResources = <?php echo $form\->static\_js\_content?>;<?php endif;?><?php if ($form\->static\_css\_content != '') : ?>cform.staticCSSResources = <?php echo $form\->static\_css\_content?>;<?php endif;?>'\>

<script\>

window.PersonalTheme \= {};

  

<?php if ($form\->static\_content != '') : ?>

window.PersonalTheme.staticResources \= <?php echo $form\->static\_content;?>

<?php endif; ?>

  

<?php if ($form\->static\_js\_content != '') : ?>

window.PersonalTheme.staticJSResources \= <?php echo $form\->static\_js\_content;?>

<?php endif; ?>

  

<?php if ($form\->static\_css\_content != '') : ?>

window.PersonalTheme.staticCSSResources \= <?php echo $form\->static\_css\_content;?>

<?php endif; ?>

</script\>

  

<div role\="tabpanel" ng-controller\="IClickToCallFormGenerator as cform" ng-init\="cform.initVariables();"\>

  



<ul class\="nav nav-tabs" role\="tablist"\>

CVE-2022-0370: CSRF For personal theme · LiveHelperChat/livehelperchat@9f5bc33

An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.

This page lists all public releases of SynaMan. It does not list every nightly build and therefore, you will see gaps in the build numbers.

**Version 5.0****Build 1589 - January 03, 2022**

*   Ability to enable ciphers recommended by FIPS 140-2 guidelines. Details...
*   Ability to block user id besides IP address when incorrect passwords are specified.
*   X-Forwarded-For header is honored when SynaMan runs behind a reverse proxy server
*   **Security Fix** - Files affecting CVE-2019-17571 and CVE-2021-4104 are removed from SynaMan. Although these files were present in the older builds, they were not used. Out of an abundance of caution, this build completely removes them.
*   **Security Fix** - URLs for public link downloads can be modified with guessed files names to download unauthorized files.
*   **Security Fix** - A user can potentially create a public link with Javascripts in comments field, which could launch XSS attack in recipient's email client.

**Version 4.9****Build 1580 - September 23, 2021**

*   Bug Fix: Files in the recycling bin are saved even when disabled.

**Build 1579 - September 07, 2021**

*   Recycle Bin has been added. Details...
*   Ability to download uploaded files through the notification email message.
*   Ability to upload multiple files from mobile devices, such as iPhone/Android.
*   File Explorer's height gets adjusted on large screen.
*   Enhanced restarting.
*   Ability to modify existing folders, rather than creating new folders
*   Ability to patch a custom version using the web interface.
*   Security Update: JQuery version has been updated to mitigate risks mentioned on CVE-2015-9251, CVE-2015-11358, CVE-2020-11022, CVE-2020-11023
*   Security Update: Ability to force TLS 1.2
*   Security Update: Restore password URL uses AES encryption for authentication token for enhanced entropy.
*   New icons have been added to Manager User and Folder screen to indicate encryption and recycle bin.
*   Bug Fix: Mobile interface ignores delete and zip/unzip permissions
*   Bug Fix: Audit and Access logs are not created when connecting from mobile devices
*   Bug Fix: Current activity is not updated when using Login URL from a mobile device

**Version 4.8****Build 1567 - April 19, 2021**

*   At-rest encryption has been added. Details...
*   Ability to force new users to change their password upon first login
*   Ability to automatically connect to broken mounted drives.
*   Ability to contact support from the web interface
*   Bug Fix: Unable to download folders containing % sign.
*   Bug Fix: Default quota is not set when creating users from LDAP or invitation.

**Version 4.7****Build 1557 - August 24, 2020**

*   Access Logs. Details...
*   Mapped Drives across the Internet from any desktop machine. Details...
*   Ability to view and remove blacklisted IP address from **Configuration/Security** screen.
*   Bug Fix: Certain special characters were not allowed in password.

**Version 4.6****Build 1548 - June 23, 2020**

*   Granular permissions. Details...
*   Ability to upload multiple files when CSRF is enabled
*   User Management screen has been enhanced to accomodate for additional security permissions

**Version 4.5****Build 1544 - April 14, 2020**

*   Ability to Search Files. Details...
*   Ability to reset forgot passwords, rather than sending the password via email, which was not secure.
*   Security Fix: A vulnerability (CVE-2019-8331) was fixed.

**Version 4.4****Build 1533 - February 11, 2020**

*   Bug Fix: Uploads fail unless you explicity select an action for Harmful Extensions
*   Bug Fix: User validation from Active Directory fails occasionally.
*   Bug Fix: The Auto Update configuration toggles itself when the page is saved.

**Build 1532 - February 10, 2020**

*   Ability to prevent/rename potentially malicious files. Details...
*   Ability to use LDAP servers other than MS Exchange
*   Security Fix: HTTP redirection is forced after adding a new user, prevent someone from hitting the back button to reveal passwords.
*   Security Fix: Password policy rules are enforce even when administrators create new account

**Version 4.3****Build 1525 - August 28, 2019**

*   Ability to deny connections from Tor Nodes. Details...
*   Email notifications for public links are now in HTML
*   Confirmation dialog after creating a public link has been enhanced
*   Ability to prompt for end-user information before they upload/download files using public links. Details...
*   Ability to automatically block IP addresses that appear to send malicious requests
*   Security Fix: CSRF attacks were possible when uploading files.
*   Bug Fix: A 404 error is generated when using a DNS server for Let's Encrypt challenge
*   Bug Fix: Let's Encrypt certificate cannot be renewed automatically if using a different HTTP server for challenge

**Version 4.2****Build 1517 - April 29, 2019**

*   Ability to integrate with Let's Encrypt to create FREE SSL certificate. Details...
*   Ability to check-in/out files (Enterprise Edition) Details...
*   Web server has been updated
*   Ability to make passwords mandatory for public links.
*   Security Fix: XSS attack against SynaMan is possible through user's invitation screen.

**Version 4.1****Build 1506 - Feb 18, 2019**

*   Security Fix: Ability to call JSP files directly is disabled
*   Bug Fix: Emails are sent out using the admin account when public links are created.
*   Bug Fix: File names containing non-English characters are occasionally corrupted when using MS Edge.
*   Bug Fix: Total branding adds a question mark in the begining of the page

**Build 1500 - Sept 26, 2018**

*   Ability to route emails via Synametrics WebSMTP service if communication to your SMTP server fails. Details ...

**Build 1498 - August 15, 2018**

*   Bug Fix: Files larger than 2.1GB occasionally gets truncated when using the AJAX browser

**Build 1496 - July 26, 2018**

*   Bug Fix: Enhanced Browser gets stuck while fetching directory contents

**Build 1495 - July 25, 2018**

*   Ability to mount SMB shares (remote drives on Windows). Click here for details.
*   Bug Fix: Quote screen cannot be saved when CSRF is enabled
*   Bug Fix: Smtp password is stored in clear in AppConfig.xml

**Version 4.0****Build 1488 - December 06, 2017**

*   Completely redesigned user interface
*   Two-Factor Authentication (Enterprise Edition)
*   Quota for home folder (Enterprise Edition)

**Version 3.9****Build 1474 - November 21, 2016***   **Bug Fix:** Filenames containing foreign characters get corrupted when uploading using AJAX Browser
*   **Enhancement:** Two new fields are added in email notifications for public links. These fields includes the recipients name and email.
**Build 1472 - October 28, 2016**

*   **Bug Fix:** Empty folders are not uploaded when using Enhanced Browser
*   **Enhancement:** The downloaded JNLP file for Enhanced Browser can now optionally remember user credentials.

**Build 1469 - September 15, 2016**

*   **Bug Fix:** The upload button is not visible when trying to upload files using a Public Link and browser is IE

**Build 1468 - September 06, 2016**

*   Ability to upload files larger than 2.1 GB using the Ajax Browser
*   Integration with Xeams. Click here for details.

**Version 3.8****Build 1466 - August 01, 2016**

*   Significant changes have been made in Embedded SMTP Server.
    *   Ability to listen on two other ports besides primary. For example, you can make the embedded SMTP server listen on port 25, 587 as well as 465 (SSL)
    *   Ability disallow SMTP Authentication on port SMTP but not secondary
*   Ability to delegate SMTP authentication for embedded SMTP server. Click here for more information.

**Version 3.7****Build 1463 - May 20, 2016**

*   Public links can be created without specifying an email. In such cases, the link will be displayed on the following message without generating any email.
*   Bug Fix: The **File Preview** feature does not work when there is a space in the file name

**Build 1461 - March 07, 2016**

*   Enhancement: Automatically create new users by sending email invitations. More info...
*   Enhancement: The Enhanced Browser is no longer a Java Applet. More info...

**Version 3.6****Build 1456 - October 02, 2015**

*   Bug Fix: Fixes a bug related to SSL certificate in Enhanced Browser
*   Enhancement: The location of tmpZipDir can now be changed through server.properties file. This location is used by SynaMan to create a zipped file when multiple files or folders are downloaded by the user.
*   Bug Fix: A trailing space in user's email or shared folder name results in an error.
*   Bug Fix: An & sign in shared folder name creates problem in Enhanced Browser

**Build 1452 - June 29, 2015**

*   New Feature: Template user - new users will inherit shared folder from this user.
*   Bug Fix: A trailing space in either user name or shared folder name can result in errors.

**Version 3.5****Build 1451 - April 16, 2015**

*   New Feature: Ability to upload files using drag-n-drop when using Ajax Browser or public link. Supported browsers for this feature are Firefox, Google Chrome and Apple Safari. Click here for details.
*   New Feature: Ability to upload more than one file at a time.
*   New Feature: Ability to add a comment when uploading files using public link. Click here
*   Security Fix: CSRF attacks are detected and prevented. Click here for details.

**Version 3.4****Build 1444 - October 27, 2014**

*   Security update: Disables SSLv3, which prevents the newly discovered POODLE attack.

**Build 1434 - March 04, 2014**

*   Ability to upload files from a mobile device
*   UPnP support for easily configuring firewalls.
*   Troubleshooting wizard to easily identify connection problems.

**Version 3.3****Build 1430 - January 16, 2014**

*   Manifest problem fixed with the applet for Enhanced browser
*   The embedded SMTP server can now handle attachments encoded with printed-quotable.
*   Ability to rename files when public files are uploaded with same names

**Build 1425 - December. 08, 2013**

*   Support for STARTTLS in embedded SMTP
*   Bug fix: uploading files with unicode characters in their name does not work when using the AJAX browser.
*   Embedded SMTP can be configured to add the download link either at attachment or part of existing HTML body

**Build 1418 - June. 04, 2013**

*   Triggers - ability to launch custom scripts/executables when files are transferred.
*   CLI - Command line interface allow uploading/downloading files to a machine where SynaMan is running, allowing users to script file transfers.
*   Global notifications
*   Enhanced embedded SMTP server
*   Interface enahancments

**Version 3.2****Build 1398 - Nov. 09, 2012**

*   Public links can be protected by a password
*   Bug fix: Public link notification email does not work when users are authenticated using Active Directory.

**Build 1394 - Oct. 22, 2012**

*   Cache problem with iPhone/iPad is fixed. iOS tends to cache pages, causing users to see stale data.

**Build 1393 - Oct. 08, 2012**

*   Ability to assign free style note to any file
*   Ability to notify user when someone downloads/uploads file using public links

**Version 3.1****Build 1386 - Aug. 27, 2012**

*   Handing of Tricky path alerts is enhanced.

**Build 1384 - July 17, 2012**

*   Bug Fix: The web interface does not save user's email address under certain conditions.

**Build 1382 - June 28, 2012**

*   Bug Fix: Notification emails are not sent for uploads unless downloads notifications are also enabled.

**Build 1380 - June 26, 2012**

*   Integration with Microsoft Active Directory
*   Ability to access SynaMan from iPhone, Android, Windows Phone and other mobile devices
*   User home folder

**Version 3.0****Build 1365 - May 11, 2012**

*   Bug fix: On rare occasions, the Embedded SMTP server does not send emails when multiple recipients are specified

**Build 1363 - March. 23, 2012**

*   Ability to download folders via public link

**Build 1358 - Feb. 09, 2012**

*   Enhanced browser - allowing users to upload/download multiple files, complete partially transfered files and Quick edit

**Version 2.7****Build 1342 - Nov. 09, 2011**

*   Bug fix: Access to public folder is broken.

**Build 1341 - Nov. 08, 2011**

*   Ability to display menu without right clicking, useful when connecting to SynaMan interface from Android devices.
*   Bug fix: Foreign characters are not displayed correctly when download and upload template files are modified.

**Build 1337 - May. 31, 2011**

*   Embedded SMTP server.
*   Total branding
*   Ability to force HTTPS if available
*   Branding using the web interface
*   Ability to use an SSL certificate from IIS server

**Version 2.6****Build 1328 - May. 05, 2011**

*   Ability to abort an upload.
*   File filter in the Explorer window. Users can specify a wild card like \*.txt to limit files ending with .txt. Multiple filters can be separated by a | symbol. For example, \*.gif|\*.jpg

**Version 2.5****Build 1325 - Apr. 20, 2011**

*   Weaker SSL ciphers are now disabled by default, forcing clients to use 128 bit encryption..

**Build 1324 - Apr. 08, 2011**

*   Remote file explorer is now compatible with IE 9.

**Build 1322 - Mar. 08, 2011**

*   Bug Fix: Zipped file cannot be created for multiple downloads if the shared folder does not have write access.

**Build 1321 - Sep. 15, 2010**

*   Bug Fix: A security related bug is fixed.

**Build 1318 - Sep. 01, 2010**

*   Bug Fix: The HTTP server accepts multiple Content-Length headers in request, which can be misused by a malicious user.

**Build 1316 - July 14, 2010**

*   Bug Fix: Ampersands in file names are not handled correctly when files are being downloaded.

**Build 1314 - June 17, 2010**

*   Users can change their password through the web interface.
*   Existing file name is displayed as default when renaming files.  
    

**Build 1313 - May 27, 2010**

*   Bug Fix: Public links are not created correctly when using IPv6 and connecting from localhost
*   Bug Fix: Sometimes users can delete files from a read-only folder  
    

**Build 1310 - May 12, 2010**

*   Public links for HTTPS can now be created.
*   Admin's home page displays current activity
*   Admin's home page displays disk status for the shared folder rather than the installation drive.

**Build 1304 - Apr 30, 2010**

*   Bug Fix: More than one public folder were not getting displayed through the explorer interface.

**Build 1303 - Apr 14, 2010**

*   TLS and SSL are now supported when sending out-bound emails.

**Build 1302 - Apr 01, 2010**

*   Login IDs are now case-insensitive.
*   Ability to integrate with Apache mod\_proxy

**Build 1291 - Feb 12, 2010**

*   Ability to specify a character sets for non-English users. Click here for more information

**Build 1289 - Feb 03, 2010**

*   Bug fix: When modifying data for existing users, users can mistakenly add one user twice.
*   Bug fix: Login form now uses HTTP POST rather than GET

**Build 1282 - Jan 25, 2010**

*   Download multiple files together
*   Discovery host is used for public links  
    

**Version 2.4****Build 1272 - Jan 09, 2010**

*   Preview - views files on a host machine without downloading them
*   Manage existing public links
*   The actual hyper link is displayed on the screen after you create a new public link  
    

**Version 2.3****Build 1261 - Dec. 22, 2009**

*   Bug fix - Public link for upload expires prematurely for empty folders.

**Build 1259 - Dec. 18, 2009**

*   Public folders - automatically adds folders to every user  
    
*   Custom branding for your company.
*   Ability to remove a folder from user's account. Earlier versions used to mark the folder for no access. Now you can completely remove an unwanted folder.  
    

**Version 2.2****Build 1246 - Nov.. 20, 2009**

*   Bug fix - deleting a user does not persist. User appears after reboot.
*   Bug fix - multiple public link do not work in the same HTTP session  
    

**Build 1205 - Oct. 15, 2009**

*   File upload/download notifications sent via email  
    
*   Ability to add public links  
    
*   Security alerts via email  
    
*   Remote cut/copy/paste operations  
    
*   Troubleshooting utility added for dynamic IP address  
    

**Version 2.1****Build 1202 - Jul. 29, 2009**

*   Several enhancements to AJAX interface has been made.
*   File upload status window  
    
*   Audit trail logs  
    
*   Additional logging entries added
*   Discovery service added for dynamic IP address  
    

**Version 2.0****Build 1185 - Dec. 27, 2008**

*   Completely new interface using AJAX. Includes:  
    

*   Remote file manager
*   Remote browse

*   Storage occurs in XML format rather than plain property files
*   Users can now use SSH to connect to the web Interface  
    
*   Many-to-many relationships can be created between folders and users  
    
*   Enhanced logging capabilities added  
    

**Version 1.1****Build 972 - May 10, 2008**

*   Runs as a service on Windows machine
*   Start/stop scripts added for Linux  
    
*   Ability to restart SynaMan from the web interface  
    
*   Enhanced logging capabilities added  
    

**Version 1.0****Build 805 - Jul 19, 2007**

*   Updated to JRE to 1.5
*   Bug fix - uploading large files fails sometimes  
    

**Build 786 - Jun 15, 2007**

*   Ability to move up to parent folder added  
    
*   Ability to jump to a user defined folder

CVE-2022-22828: Version History for SynaMan

Cross-site Scripting (XSS) - Stored in Packagist microweber/microweber prior to 1.2.11.

Permalink

Browse files

update

*   Loading branch information

![@bobimicroweber](https://avatars.githubusercontent.com/u/50577633?s=40&v=4)

1 parent 7ef4339 commit f017cbfbd5c4f097d2c78c5e15b6c8a9da479d7b

Showing with **5 additions** and **2 deletions**.

1.  +0 −1 src/MicroweberPackages/Checkout/Http/Middleware/CheckoutV2.php
2.  +5 −1 src/MicroweberPackages/Checkout/routes/web.php

@@ -15,7 +15,6 @@ class CheckoutV2

\*/

public function handle($request, Closure $next)

{

  

$checkCart = cart\_get\_items\_count();

  

if (!$checkCart) {

@@ -3,7 +3,11 @@

// Private

Route::name('checkout.')

// ->prefix(multilanguage\_route\_prefix('checkout'))

\->middleware(\[\\MicroweberPackages\\App\\Http\\Middleware\\VerifyCsrfToken::class, \\MicroweberPackages\\Checkout\\Http\\Middleware\\CheckoutV2::class\])

\->middleware(\[

\\MicroweberPackages\\App\\Http\\Middleware\\VerifyCsrfToken::class,

\\MicroweberPackages\\Checkout\\Http\\Middleware\\CheckoutV2::class,

\\MicroweberPackages\\App\\Http\\Middleware\\XSS::class

\])

\->namespace('\\MicroweberPackages\\Checkout\\Http\\Controllers')

\->group(function () {

  

**0 comments on commit `f017cbf`**

Please sign in to comment.

CVE-2022-0379: update · microweber/microweber@f017cbf

SPIP 4.0.0 is affected by a Cross Site Request Forgery (CSRF) vulnerability in ecrire/public/aiguiller.php, ecrire/public/balises.php, ecrire/balise/formulaire_.php. To exploit the vulnerability, a visitor must visit a malicious website which redirects to the SPIP website. It is also possible to combine XSS vulnerabilities in SPIP 4.0.0 to exploit it. The vulnerability allows an authenticated attacker to execute malicious code without the knowledge of the user on the website (CSRF).

Browse Source

**Balise #FORMULAIRE : nettoyer du code mort qui ne sert plus, ameliorer la securite en ajoutant une signature des arguments du formulaire dès que l'auteur identifié.**

A la reception on refuse un formulaire non signé si on a une session ou un formulaire signé si on a pas de session. Si on a une session, la signature doit etre identique.
En absence de session on ne signe pas les arguments du formulaire car tout le monde a le droit de l'afficher, et ca permet de garder un cache identique commun a tous les hits anonymes (perf issue)

pull/4922/head

**3 changed files** with **37 additions** and **1 deletions**

1.  13
    
      ecrire/balise/formulaire\_.php
2.  23
    
      ecrire/public/aiguiller.php
3.  2
    
      ecrire/public/balises.php

`@ -252,6 +252,11 @@ function balise_FORMULAIRE__contexte($form, $args) {`

`$action = parametre_url($action, 'formulaire_action_args', '');`

`}`

`/**`

`* @deprecated`

`* servait pour poster sur les actions de type editer_xxx() qui ne prenaient pas d'argument autrement que par _request('arg') et pour lesquelles il fallait donc passer un hash valide`

`*/`

`/*`

`if (isset($valeurs['_action'])) {`

`$securiser_action = charger_fonction('securiser_action', 'inc');`

`$secu = $securiser_action(reset($valeurs['_action']), end($valeurs['_action']), '', -1);`

`@ -259,6 +264,7 @@ function balise_FORMULAIRE__contexte($form, $args) {`

`"<input type='hidden' name='arg' value='" . $secu['arg'] . "' />"`

`. "<input type='hidden' name='hash' value='" . $secu['hash'] . "' />";`

`}`

`*/`

`// empiler la lang en tant que premier argument implicite du CVT`

`// pour permettre de la restaurer au moment du Verifier et du Traiter`

`@ -269,6 +275,13 @@ function balise_FORMULAIRE__contexte($form, $args) {`

`$valeurs['action'] = $action;`

`$valeurs['form'] = $form;`

`$valeurs['formulaire_sign'] = '';`

`if (!empty($GLOBALS['visiteur_session']['id_auteur'])) {`

`$securiser_action = charger_fonction('securiser_action', 'inc');`

`$secu = $securiser_action($valeurs['form'], $valeurs['formulaire_args'], '', -1);`

`$valeurs['formulaire_sign'] = $secu['hash'];`

`}`

`if (!isset($valeurs['id'])) {`

`$valeurs['id'] = 'new';`

`}`

`   `

`@ -195,9 +195,30 @@ function traiter_formulaires_dynamiques($get = false) {`

`return false;`

`} // le hit peut continuer normalement`

`// verifier que le post est licite (du meme auteur ou d'une session anonyme)`

`$sign = _request('formulaire_action_sign');`

`if (!empty($GLOBALS['visiteur_session']['id_auteur'])) {`

`if (empty($sign)) {`

`spip_log("signature ajax form incorrecte : $form (formulaire non signe mais on a une session)", 'formulaires' . _LOG_ERREUR);`

`return false;`

`}`

`$securiser_action = charger_fonction('securiser_action', 'inc');`

`$secu = $securiser_action($form, $args, '', -1);`

`if ($sign !== $secu['hash']) {`

`spip_log("signature ajax form incorrecte : $form (formulaire signe mais ne correspond pas a la session)", 'formulaires' . _LOG_ERREUR);`

`return false;`

`}`

`}`

`else {`

`if (!is_null($sign)) {`

`spip_log("signature ajax form incorrecte : $form (formulaire signe mais pas de session)", 'formulaires' . _LOG_ERREUR);`

`return false;`

`}`

`}`

`include_spip('inc/filtres');`

`if (($args = decoder_contexte_ajax($args, $form)) === false) {`

`spip_log("signature ajax form incorrecte : $form");`

`spip_log("signature ajax form incorrecte : $form (encodage corrompu)", 'formulaires' . _LOG_ERREUR);`

`return false; // continuons le hit comme si de rien etait`

`} else {`

`   `

`@ -2532,6 +2532,8 @@ function balise_ACTION_FORMULAIRE($p) {`

`value=\'' . $_form . '\' />' .`

`'<input name=\'formulaire_action_args\' type=\'hidden\'`

`value=\'' . @\$Pile[0]['formulaire_args']. '\' />' .`

`'<input name=\'formulaire_action_sign\' type=\'hidden\'`

`value=\'' . @\$Pile[0]['formulaire_sign']. '\' />' .`

`(!empty(\$Pile[0]['_hidden']) ? @\$Pile[0]['_hidden'] : '') .`

`'</span>'";`

`   `

Tag

#csrf