Security
Headlines
HeadlinesLatestCVEs

Tag

#csrf

GHSA-cr45-98w9-gwqx: Viewing wget extractor output while logged in as an admin allows archived JS to execute in the admins context

### Impact Any users who are using the `wget` extractor and view the content it outputs. The impact is potentially severe if you are logged in to the ArchiveBox admin site in the same browser session and view an archived malicious page designed to target your ArchiveBox instance. Malicious JS could potentially act using your logged-in admin credentials and add/remove/modify snapshots, add/remove/modify ArchiveBox users, and generally do anything an admin user could do. The impact is less severe for non-logged-in users, as malicious JS cannot *modify* any archives, but it can still *read* all the other archived content by fetching the snapshot index and iterating through it. Because all of ArchiveBox's archived content is served from the same host and port as the admin panel, when archived pages are viewed the JS executes in the same context as all the other archived pages (and the admin panel), defeating most of the browser's usual CORS/CSRF security protections and leading to th...

ghsa
Open in Source
#csrf#js#git
CVE-2023-5626: pkp/pkp-lib#9407 Add CSRF check to payment types form · pkp/ojs@99a9f39

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/ojs prior to 3.3.0-16.

CVE-2023-45905: dreamer_cms/There is a csrf vulnerability in variable management with added functionality.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/variable/add.

CVE-2023-45907: dreamer_cms/There is a csrf vulnerability in the variable management deletion function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/variable/delete.

CVE-2023-45904: dreamer_cms/There is a csrf vulnerability in the variable management modification function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /variable/update.

CVE-2023-45903: dreamer_cms/There is a csrf vulnerability in the label management deletion function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/label/delete.

CVE-2023-45901: dreamer_cms/There is a csrf in the newly added column of column management.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin\/category\/add.

CVE-2023-45902: dreamer_cms/There is a csrf in the attachment management deletion function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete.

CVE-2023-45906: dreamer_cms/There is a csrf in the user added function.md at main · moonsabc123/dreamer_cms

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/user/add.

GHSA-mv73-f69x-444p: Go Fiber CSRF Token Validation Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. ## Vulnerability Details The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified: 1. **Lack of Token Association**: The CSRF token was validated against tokens in storage but was not tied to the original requestor that generated it, allowing for token reuse. ### Specific Go Packages Affected github.com/gofiber/fiber/v2/middleware/csrf ## Remediation To remediate this vulnerability, it is recommended to take the following actions: 1. **Update the Application**: Upgrade the application to a fixed version with a patch for the vulnerability. 2. **Implement Proper CSRF Protecti...