A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 could allow a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.

**CVE List**

**FPSA001:** Remote Privilege Escalation

Summary

A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device.

Affected Products

WARP, MPVPN, IPVPN

10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).

Details

A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device.

The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device. An exploit could allow the attacker as a read-only user to execute functions as if they were an administrative user.

FatPipe has released software updates that address this vulnerability.

Workarounds

There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.

Fixed Software

10.1.2r60p91 or later  
10.2.2r42 or later

Source

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php

**FPSA002:** Hidden Backdoor Account (Write Access)

Summary

For centralized management, FatPipe uses a user account that allows the current logged in user to access multiple devices from the web management interface of FatPipe software. This was not intended to be used to directly log into the web management interface. Someone can use it to log into the web interface.

Affected Products

WARP, MPVPN, IPVPN

10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).

Details

For centralized management, FatPipe uses a user account that allows the current logged in user to access multiple appliances from the web management interface of FatPipe software. This was not intended to be used to directly log into the web management interface. Someone can use it to log into the web management interface.

While this user account is not displayed in the Users list, the customer has control over the password for this user account. On the Users page, you can set the password in for this user.

FatPipe has released software updates that address this vulnerability. Newer versions of our software do not allow a user to login directly using this user account (see Fixed Software).

Workarounds

Disable "Central Manager Login".

Fixed Software

10.1.2r60p91 or later  
10.2.2r42 or later

Source

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php

**FPSA003:** Unauthenticated Config Download

Summary

A user is able to create and download a backup file containing the FatPipe device's configuration using the web management interface of FatPipe software. A vulnerability exists where an unauthenticated user can access the backup file on the system.

Affected Products

WARP, MPVPN, IPVPN

10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).

Details

A user is able to create and download a backup file containing the FatPipe device's configuration using the web management interface of FatPipe software. A vulnerability exists where an unauthenticated user can access the backup file on the system.

FatPipe has released software updates that address this vulnerability.

Workarounds

There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.

Fixed Software

10.1.2r60p91 or later  
10.2.2r42 or later

Source

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php

**FPSA004:** Authorization Bypass

Summary

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

Affected Products

WARP

10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).

Details

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

Workarounds

There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.

Fixed Software

10.1.2r60p91 or later  
10.2.2r42 or later

Source

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php

**FPSA005:** CSRF Add Admin Exploit

Summary

A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device by adding a user with Administrator privileges.

Affected Products

WARP, MPVPN, IPVPN

10.1.2 and 10.2.2 versions prior to releases with the fix (see Fixed Software).

Details

A vulnerability in the web management interface of FatPipe software could allow an authenticated, remote attacker with read-only privileges to elevate privileges to the level of an Administrator user on an affected device by adding a user with Administrator privileges.

The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device. An exploit could allow the attacker as a read-only user to execute functions as if they were an administrative user.

FatPipe has released software updates that address this vulnerability.

Workarounds

There are no workarounds that address this vulnerability. To mitigate the vulnerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.

Fixed Software

10.1.2r60p91 or later  
10.2.2r42 or later

Source

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php

**FPSA006:** Config Upload Exploit

Summary

A vulnerability in the web management interface of FatPipe software could allow a remote attacker to upload a file to any location on the filesystem on an affected device.

Affected Products

WARP, MPVPN, IPVPN

All versions prior to the fixed releases (see Fixed Software).

Details

A vulnerability in the web management interface of FatPipe software could allow a remote attacker to upload a file to any location on the filesystem on an affected device.

The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device.

FatPipe has released software updates that address this vulnerability.

Workarounds

There are no workarounds that address this vulnerability. To mitigate the vlunerability, disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources..

Fixed Software

10.1.2r60p92 or later  
10.2.2r44p1 or later

Source

Found by code review after being made aware of active exploit activity.

CVE-2021-27860: Technical Support - FatPipe Networks

An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy verison 2.0.3 and below, 1.2.11 and below and FortiGate verison 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.

**![](https://fortiguard.com/static/images/icons/psirt.svg?v=4940) PSIRT Advisories**

**FortiOS & FortiProxy - SSL-VPN portal is vulnerable to CSRF**

**Summary**

An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy and FortiGate SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack . Only SSL VPN in web mode or full mode are impacted by this vulnerability.

**Affected Products**

FortiProxy versions 2.0.3 and below.  
FortiProxy version 1.2.11 and below.  
FortiGate version 7.0.0.  
FortiGate versions 6.4.6 and below.  
FortiGate versions 6.2.9 and below.  
FortiGate versions 5.6.x and 6.0.x are also impacted.

**Solutions**

Please upgrade to FortiProxy version 2.0.4 or above.

Please upgrade to FortiProxy version 1.2.12 or above.

Please upgrade to FortiGate version 7.0.1 or above.

Please upgrade to FortiGate version 6.4.7 or above.

Please upgrade to FortiGate version 6.2.10 or above.

**Acknowledgement**

Fortinet is pleased to thank Gabriel Costa Castello and Pablo Valle Alvear for bringing this issue to our attention under responsible disclosure.

CVE-2021-26103: Fortiguard

livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)

@@ -30,7 +30,7 @@

<a title\="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('chat/user\_settings','Toggle between dark and white themes');?>" href\="<?php echo erLhcoreClassDesign::baseurl('front/switchdashboard')?>/(action)/mode" class\="dropdown-item pl-2"\><span class\="material-icons"\>settings\_brightness</span\><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Dark/bright');?></a\>

</div\>

<div class\="col-6"\>

<a class\="dropdown-item pl-2" href\="<?php echo erLhcoreClassDesign::baseurl('user/logout')?>" title\="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Logout');?>"\><i class\="material-icons"\>exit\_to\_app</i\><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Logout');?></a\>

<a class\="dropdown-item pl-2" onclick\="$(this).attr('href',$(this).attr('href')+'/(csfr)/'+confLH.csrf\_token)" href\="<?php echo erLhcoreClassDesign::baseurl('user/logout')?>" title\="<?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Logout');?>"\><i class\="material-icons"\>exit\_to\_app</i\><?php echo erTranslationClassLhTranslation::getInstance()->getTranslation('pagelayout/pagelayout','Logout');?></a\>

</div\>

</div\>

CVE-2021-4049: csrf for logout url · LiveHelperChat/livehelperchat@e7fe1aa

b2evolution CMS v7.2.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the User login page. This vulnerability allows attackers to escalate privileges.

There is a Cross-Site Request Forgery (CSRF) on 2bevolution version 7.2.3 attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. This occurs because web browsers automatically include most credentials with each request, such as session cookies, basic authentication header, IP address, and client side SSL certificates.

<cfif NOT StructIsEmpty(form) >

&lt;cfif NOT CSRFverifyToken(form.token)>

&lt;cfabort showerror="Invalid Token" />

&lt;/cfif>

&lt;cfoutput>&lt;p>Hello, #EncodeForHTML(form.name)#&lt;/p>&lt;/cfoutput>

</cfif>

<html>

<body>

<form action="https://localhost/users/59215b8f0ec7c37a4ca27b00/password\_reset" method="POST">

<input type="hidden" name="utf8" value="â&#156;&#147;" />

<input type="hidden" name="&#95;method" value="patch" />

<input type="hidden" name="old&#95;password" value="phew phew" />

<input type="hidden" name="password" value="qweqji" />

<input type="hidden" name="password&#95;confirmation" value="qweqji" />

<input type="submit" value="Submit request" />

</form>

</body>

</html>

CVE-2021-31631: CSRF

Serv-U server responds with valid CSRFToken when the request contains only Session.

Release date: December 2, 2021

These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.2.5. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

For details about the latest hotfixes, see Serv-U hotfixes.

Additional Serv-U documentation includes:

*   Serv-U Installation and Upgrade Guide
*   Serv-U 15.2 Administrator Guide
*   System Requirements
*   Getting Started with Serv-U

**New features and improvements**

Serv-U 15.2.5 is a service release containing internal improvements and security fixes, described in the Fixed Issues section.

**Upgrade notes****Licensing**

The Serv-U licensing framework was changed in Serv-U 15.2.3 and a new license key needs to be used to activate this product version otherwise it will not be possible to use it.

If your Serv-U product maintenance is active, you can find your new license key generated on customer portal. Use this new license key to activate Serv-U after installation.

SolarWinds strongly recommend that you upgrade to this version with the new licensing framework as older framework will not be supported in the future.

**Password security**

If you are upgrading from version 15.1.7 or older, increased password security will automatically convert existing MD5 passwords using a more secure algorithm when users connect for the first time after upgrade.

If an account is not used within 90 days of the upgrade, access will be restricted and the user will not be able to log in afterward. The administrator will be required to change their password.

**Fixed issues**

Serv-U 15.2.5 fixes the following issues:

 

Case Number

Description

00784127

Authenticated Serv-U account can be moved to new Collection.

00875523, 00897792

Preload and SubDomains arguments added to HSTS headers.

00888650, 00808537

Issue resolved with HTTP authentication on CentOS 7/8.

n/a

Issue with the server setting option "Allow HTTP sessions to change IP address" has been fixed.

n/a

The limit for the number of passive FTP ports increased to 500.

n/a

The user setting "Change password on next login" has been fixed.

For Serv-U 15.2.4 fixes, see the 15.2.4 Release Notes.

For Serv-U 15.2.3 fixes, see the 15.2.3 Release Notes.

For Serv-U 15.2.2 fixes, see the 15.2.2 Release Notes.

For Serv-U 15.2.1 fixes, see the 15.2.1 Release Notes.

For Serv-U 15.2 fixes, see the 15.2 Release Notes.

**CVE information**

SolarWinds would like to thank our Security Researchers below for reporting on this issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2021-35242

A valid CSRF token is present in response to an invalid request

Serv-U server responds with valid CSRFToken when the request contains only Session.

High

N/A

CVE-2021-35245

Broken Access Control Vulnerability for Serv-U

When a user has admin rights in the Serv-U Console, the user can move, create, and delete any files outside the home directory.

High

N/A

**Legal notices**

© 2021 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2021-35242: Serv-U File Server  15.2.5 Release Notes

The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second one will remove the live chat widget from pages.

CVE-2021-24914

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Valid

Reported on

Nov 23rd 2021

**Description**

CSRF to disable 2FA

**Proof of Concept**

    <a href="http://10.0.2.15/profile/delete-code">CLICK ME!</a>
    

**Impact**

This vulnerability is capable of tricking users to disable 2FA.

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We are processing your report and will contact the firefly-iii team within 24 hours. 11 days ago

![](https://avatars.githubusercontent.com/u/76475453?v=4)

haxatron

commented 11 days ago

Researcher

My apologies for submitting the reports earlier regarding /debug and /flush. I was under the assumption that the /debug and /flush was available to only admin users, as the /flush UI only appeared in the Administration panel.

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

haxatron

commented 11 days ago

Researcher

With further testing on the application after I made the reports, I discovered another CSRF unprotected endpoint which allows for a state-change, the endpoint is as listed above.

![](https://avatars.githubusercontent.com/u/5889984?v=4)

Nice find, that's an important one to fix. No worries about the other endpoints, keep it up!

![](https://avatars.githubusercontent.com/u/5889984?v=4)

James Cole validated this vulnerability 11 days ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/55323451?v=4)

Are we able to mark a fix against this report, and we can go ahead and publish the CVE!

![](https://avatars.githubusercontent.com/u/5889984?v=4)

Not yet I completely forgot about it. :D

![](https://avatars.githubusercontent.com/u/55323451?v=4)

No worries, take your time! 🤝

![](https://avatars.githubusercontent.com/u/5889984?v=4)

![](https://huntr.dev/_nuxt/img/generic-avatar.9a3295c.png)

We are processing your report and will contact the firefly-iii team within 24 hours. 11 days ago

![](https://avatars.githubusercontent.com/u/76475453?v=4)

haxatron

commented 11 days ago

Researcher

My apologies for submitting the reports earlier regarding /debug and /flush. I was under the assumption that the /debug and /flush was available to only admin users, as the /flush UI only appeared in the Administration panel.

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

![](https://avatars.githubusercontent.com/u/76475453?v=4)

haxatron

commented 11 days ago

Researcher

With further testing on the application after I made the reports, I discovered another CSRF unprotected endpoint which allows for a state-change, the endpoint is as listed above.

![](https://avatars.githubusercontent.com/u/5889984?v=4)

Nice find, that's an important one to fix. No worries about the other endpoints, keep it up!

![](https://avatars.githubusercontent.com/u/5889984?v=4)

James Cole validated this vulnerability 11 days ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

![](https://avatars.githubusercontent.com/u/55323451?v=4)

Are we able to mark a fix against this report, and we can go ahead and publish the CVE!

![](https://avatars.githubusercontent.com/u/5889984?v=4)

Not yet I completely forgot about it. :D

![](https://avatars.githubusercontent.com/u/55323451?v=4)

No worries, take your time! 🤝

![](https://avatars.githubusercontent.com/u/5889984?v=4)

CVE-2021-4005: Cross-Site Request Forgery (CSRF) in firefly-iii

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

CVE-2021-35414: Security issues - Chamilo LMS

IBM Cognos Analytics 11.1.7 and 11.2.0 could allow a low level user to reas of the application that privileged user should only be allowed to view.  IBM X-Force ID:  201087.

Tag

#csrf