It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

CVE-2021-26272: ckeditor4/CHANGES.md at major · ckeditor/ckeditor4

The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.

This repository has been archived by the owner. It is now read-only.

**CSRF vulnerability for reporting revisions**

**Package**

No package listed

**Affected versions**

<f828dc6

**Description**

**Impact**

Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged.

**Patches**

The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.

**Workarounds**

Disable the extension or upgrade it. No workarounds.

CVE-2021-21275: Build software better, together

M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.

2021-01-04 14:01 (CET) VDE-2020-038  

**Pepperl+Fuchs: Multiple vulnerabilites in Comtrol IO-Link Master. Affected versions <= 1.5.48**  
Share: Email | Twitter  

**

Published

**

2021-01-04 14:01 (CET)

**

Last update

**

2021-11-11 08:36 (CET)

**Vendor(s)**

Pepperl+Fuchs SE  

**Product(s)**

Article No°

Product Name

Affected Version(s)

IO-Link Master 4-EIP

<= v1.5.48

IO-Link Master 4-PNIO

<= v1.5.48

IO-Link Master 8-EIP

<= v1.5.48

IO-Link Master 8-EIP-L

<= v1.5.48

IO-Link Master 8-PNIO

<= v1.5.48

IO-Link Master 8-PNIO-L

<= v1.5.48

IO-Link Master DR-8-EIP

<= v1.5.48

IO-Link Master DR-8-EIP-P

<= v1.5.48

IO-Link Master DR-8-EIP-T

<= v1.5.48

IO-Link Master DR-8-PNIO

<= v1.5.48

IO-Link Master DR-8-PNIO-P

<= v1.5.48

IO-Link Master DR-8-PNIO-T

<= v1.5.48

**

Summary

**

Several vulnerabilities exist within firmware versions up to and including v1.5.48.

**

Vulnerabilities

**

**Weakness**

Cross-Site Request Forgery (CSRF) (CWE-352)

**Summary**

_Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface._

**Weakness**

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

**Summary**

_Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection._

**Summary**

_An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak ..._

**Summary**

_During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting_

**Summary**

_Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd_

**

Impact

**

Pepperl+Fuchs analyzed and identified affected devices.  
Remote attackers may exploit multiple vulnerabilities to get access to the device and  
execute any program and tap information.

**

Solution

**

In order to prevent the exploitation of the reported vulnerabilities, we recommend that the  
affected units be updated with the following three firmware packages:

*   U-Boot bootloader version 1.36 or newer
*   System image version 1.52 or newer
*   Application base version 1.6.11 or newer

Furthermore, it is always recommended to observe the following measures if the affected  
products are connected to public networks:

1.  An external protective measure to be put in place.  
    Traffic from untrusted networks to the device should be blocked by a firewall.  
    Especially traffic targeting the administration webpage.
2.  Device user accounts to be enabled with secure passwords.  
    If non-trusted people/applications have access to the network that the device is connected to, then configuring passwords for all three User Accounts is recommend.

**

Reported by

**

T.Weber (SEC Consult Vulnerability Lab) reported this vulnerability.

CERT@VDE coordinated and provided the CVE IDs.

CVE-2020-12525: VDE-2020-038 | CERT@VDE

Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

CVE-2020-27733: List of bug fixes and feature enhancements

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

CVE-2021-3133: Changeset 2454670 – WordPress Plugin Repository

The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.

**wp\_create\_nonce( string|int $action = \-1 )**

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

**Contents**

*   Parameters
*   Return
*   More Information
*   Source
*   Related
    *   Uses
    *   Used By
*   Changelog
*   User Contributed Notes

**Parameters**

$action

(string|int) (Optional) Scalar value to add context to the nonce.

Default value: -1

Top ↑

**Return**

(string) The token.

Top ↑

**More Information**

The function should be called using the init or any subsequent action hook. Calling it outside of an action hook can lead to problems, see the ticket #14024 for details.

Top ↑

**Source**

File: wp-includes/pluggable.php

	function wp\_create\_nonce( $action = -1 ) {
		$user = wp\_get\_current\_user();
		$uid  = (int) $user->ID;
		if ( ! $uid ) {
			/\*\* This filter is documented in wp-includes/pluggable.php \*/
			$uid = apply\_filters( 'nonce\_user\_logged\_out', $uid, $action );
		}

		$token = wp\_get\_session\_token();
		$i     = wp\_nonce\_tick();

		return substr( wp\_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	}

Expand full source code Collapse full source code View on Trac View on GitHub

Top ↑

**Changelog**

Changelog

Version

Description

4.0.0

Session tokens were integrated with nonce creation

2.0.3

Introduced.

Top ↑

**User Contributed Notes**

CVE-2020-35773: wp_create_nonce() | Function | WordPress Developer Resources

An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Lantronix XPort EDGE 3.0.0.0R11  
Lantronix XPort EDGE 3.1.0.0R9  
Lantronix XPort EDGE 3.4.0.0R12  
Lantronix XPort EDGE 4.2.0.0R7  
Lantronix SGX 5150 8.7.0.0R1  
Lantronix SGX 5150 8.9.0.0R4

**Product URLs**

https://www.lantronix.com/products/xport-edge/

**CVSSv3 Score**

4.8 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:N

**CWE**

CWE-352 - Cross-Site Request Forgery (CSRF)

**Details**

The XPort EDGE is a next-generation wired Ethernet gateway for providing secure Ethernet connectivity to serial devices.

A GET request to the XPort EDGE Web Manager application with a valid username and password will cause a session to be set for that user. Any subsequent requests made by the user’s browser will be granted the same privileges as the original authenticated GET request. An attacker could craft a malicious web page that submits a POST request which would allow an attacker to modify configuration data. Some examples of configuration changes that could be made by an attacker include, enabling or disabling services such as telnet, modification of user credentials, and modifying the serial line configuration. This attack could result in denying access to legitimate users, allowing the attacker to further configure the device through the telnet service, or denying access to the serial line data.

**Timeline**

2020-08-10 - Vendor Disclosure  
2020-12-16 - Public Release

Discovered by Kelly Leuschner of Cisco Talos.

CVE-2020-13527: TALOS-2020-1135 || Cisco Talos Intelligence Group

The ultimate-category-excluder plugin before 1.2 for WordPress allows ultimate-category-excluder.php CSRF.

Timestamp:

12/08/2020 12:29:27 PM (20 months ago)

Marios Alexandrou

Message:

Addressed minor vulnerability reported by SCA AppSec.  

Location:

ultimate-category-excluder/trunk

Files:

  

*   readme.txt (1 diff)
*   ultimate-category-excluder.php (3 diffs)

**Legend:**

Unmodified

Added

Removed

*   **ultimate-category-excluder/trunk/readme.txt**
    
    r2364782
    
    r2434070
    
     
    
    32
    
    32
    
    33
    
    33
    
    \== Changelog ==
    
     
    
    34
    
     
    
    35
    
    \= 1.2 =
    
     
    
    36
    
    \* Addressed minor vulnerability reported by SCA AppSec. If concerned, review your UCE category settings to ensure they are set as expected.
    
    34
    
    37
    
    35
    
    38
    
    \= 1.1 =
    
*   **ultimate-category-excluder/trunk/ultimate-category-excluder.php**
    
    r1490271
    
    r2434070
    
     
    
    2
    
    2
    
    /\*
    
    3
    
    3
    
    Plugin Name: Ultimate Category Excluder
    
    4
    
     
    
    Version: 1.1
    
     
    
    4
    
    Version: 1.2
    
    5
    
    5
    
    Plugin URI: http://infolific.com/technology/software-worth-using/ultimate-category-excluder/
    
    6
    
    6
    
    Description: Easily exclude categories from your front page, feeds, archives, and search results.
    
    …
    
    …
    
     
    
    42
    
    42
    
    43
    
    43
    
    function ksuce\_options\_page() {
    
    44
    
     
    
        if( isset( $\_POST\[ 'ksuce' \] ) ) { $message = ksuce\_process(); }
    
     
    
    44
    
        if( isset( $\_POST\[ 'ksuce' \] ) ) {
    
     
    
    45
    
            check\_admin\_referer( 'uce\_form' );
    
     
    
    46
    
            $message = ksuce\_process();
    
     
    
    47
    
        }
    
    45
    
    48
    
        $options = ksuce\_get\_options();
    
    46
    
    49
    
        ?>
    
    …
    
    …
    
     
    
    50
    
    53
    
            <p><?php \_e( 'Use this page to select the categories you wish to exclude and where you would like to exclude them from.', 'UCE' ); ?></p>
    
    51
    
    54
    
            <form action="options-general.php?page=ultimate-category-excluder.php" method="post">
    
     
    
    55
    
            <?php wp\_nonce\_field( 'uce\_form' ); ?>
    
    52
    
    56
    
            <table class="widefat">
    
    53
    
    57
    
            <thead>
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2020-35135: Changeset 2434070 – WordPress Plugin Repository

Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Chaos Monkey Plugin
*   Chaos Monkey Plugin
*   CVS Plugin
*   Shelve Project Plugin
*   Plugin Installation Manager Tool

**Descriptions****XXE vulnerability in CVS Plugin**

**SECURITY-2146 / CVE-2020-2324**  
**Severity (CVSS):** High  
**Affected plugin: cvs**  
**Description:**

CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CVS Plugin 2.17 disables external entity resolution for its XML parser.

**Plugin Installation Manager Tool did not verify plugin downloads**

**SECURITY-1856 / CVE-2020-2320**  
**Severity (CVSS):** High  
**Description:**

Plugin Installation Manager Tool is part of the Jenkins project Docker images. As jenkins-plugin-cli it is used to download and install plugins even before Jenkins is running.

Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as mirror operators to provide crafted plugin downloads.

Plugin Installation Manager Tool 2.2.0 confirms that actual checksums of downloaded plugin match the expected checksums.

Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation Manager Tool 2.2.0. Users of older Docker images can change the version they use by extending the Jenkins image and update the tool themselves with:

ARG PLUGIN\_CLI\_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN\_CLI\_URL} -o /usr/lib/jenkins-plugin-manager.jar

Jenkinsfile Runner 1.0-beta-22 Docker images also include Plugin Installation Manager Tool 2.2.0.

**CSRF vulnerability in Shelve Project Plugin**

**SECURITY-2108 / CVE-2020-2321**  
**Severity (CVSS):** High  
**Affected plugin: shelve-project-plugin**  
**Description:**

Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to shelve, unshelve, or delete a project.

Shelve Project Plugin 3.1 requires POST requests for the affected HTTP endpoints.

**Missing permission checks in Chaos Monkey Plugin**

**SECURITY-2109 (1) / CVE-2020-2322**  
**Severity (CVSS):** Medium  
**Affected plugin: chaos-monkey**  
**Description:**

Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to generate load and to generate memory leaks.

Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and to generate memory leaks.

**Missing permission checks in Chaos Monkey Plugin**

**SECURITY-2109 (2) / CVE-2020-2323**  
**Severity (CVSS):** Medium  
**Affected plugin: chaos-monkey**  
**Description:**

Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.

Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and to see the history of actions.

**Severity**

*   SECURITY-1856: High
*   SECURITY-2108: High
*   SECURITY-2109 (1): Medium
*   SECURITY-2109 (2): Medium
*   SECURITY-2146: High

**Affected Versions**

*   **Chaos Monkey Plugin** up to and including 0.3
*   **Chaos Monkey Plugin** up to and including 0.4
*   **CVS Plugin** up to and including 2.16
*   **Shelve Project Plugin** up to and including 3.0
*   **Plugin Installation Manager Tool** up to and including 2.1.3

**Fix**

*   **Chaos Monkey Plugin** should be updated to version 0.4
*   **Chaos Monkey Plugin** should be updated to version 0.4.1
*   **CVS Plugin** should be updated to version 2.17
*   **Shelve Project Plugin** should be updated to version 3.1
*   **Plugin Installation Manager Tool** should be updated to version 2.2.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1856, SECURITY-2146

CVE-2020-2322: Jenkins Security Advisory 2020-12-03

Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.

Tag

#csrf