iF.SVNAdmin is Web-based GUI to manage Subversion repositories and User/Group permissions with LDAP support. This management interface is vulnerable to CSRF on the User Creation function, leading to arbitrary SVN repository user creation, with subsequent access to underlying repository code.
Proof of Concept example:
Plugin Homepage: https://wordpress.org/plugins/svg-vector-icon-plugin/
WP SVG Icons allows admins to upload “Custom Icon” sets within the plugin, however it fails to stop CSRF and subsequently leads to Arbitrary File Upload vulnerability, as the .zip package that gets uploaded has no content checks so a POC or shell can be put into the zip and will be unzipped into the /wp-content/uploads/wp-svg-icons/custom-pack directory.
The following POC is the CSRF with a zip file containing “test.php” which invokes phpinfo(). If successful, RCE will be confirmed here: /wp-content/uploads/wp-svg-icons/custom-pack/test.php
Sharing my proof of concept for Atlassian Crowd RCE – CVE-2019-11580. I was going to make a blog post detailing all the inner workings but someone has already made a very detailed analysis here: https://www.corben.io/atlassian-crowd-rce/
You can find all the source code here:
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.
wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
An attacker could leverage this CSRF to include a script-tag that will execute upon CSRF, coupled with a wordpress user-create payload could potentially lead to RCE.
Proof of Concept:
where poc.js could be a payload similar to:
miniOrange SAML SP Single Sign On WordPress Plugin version 4.8.72 and below are vulnerable to a Cross Site Scripting attack via a specially crafted SAMLReponse XML payload.
This exploit works by passing a crafted SAMLReponse and RelayState variable to https://victim.com/wp-login.php
It will then parse out the SAMLResponse message and in the event that the SAML is anything other than a “Success” the script will dump the contents of the expected parameter, so you can inject any HTML into this variable.
For example a SAMLResponse payload will look like this:
This payload will need to be Base64 encoded and sent as a “SAMLReponse” parameter along with RelayState=testValidate.
Proof of concept:
RestAPI/PasswordSelfServiceAPI in Zoho ManageEngine ADSelfService Plus version 5707 and below allows remote attackers to inject arbitrary web
script or HTML via the PSS_OPERATION parameter.
Example Proof of Concept:
Store XSS Payload: