
New Vulnerabilities Discovered in 5 WooCommerce WordPress Plugins


The U.S. government's National Vulnerability Database (NVD) has recently warned of vulnerabilities in five WooCommerce WordPress plugins, affecting over 135,000 installations in total.

Many of the vulnerabilities are rated 9.8 on the 10-point CVSS scale, with severities ranging from moderate up to Critical.

Each of the vulnerabilities was assigned a CVE (Common Vulnerabilities and Exposures) identifier.

1. Advanced Order Export for WooCommerce:

The Advanced Order Export for WooCommerce plugin, installed on as many as 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

A CSRF vulnerability arises from a flaw in a website plugin that lets a threat actor trick a logged-in user into performing an action the user did not intend.

A browser typically holds cookies that tell a website the user is registered and logged in, and the browser attaches those cookies to any request sent to that site, including a request forged by a page the attacker controls. If the victim is an administrator, the threat actor can act with admin-level privileges, giving them complete access to the website and, consequently, to the admin's sensitive customer information.

This vulnerability could lead to an export file download. Given that the plugin's purpose is to export WooCommerce order data, it is reasonable to presume that order data is what an attacker could obtain.

Official Vulnerability Description:

The official vulnerability description states: "Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download."

This vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin up to and including version 3.3.2.

2. Advanced Dynamic Pricing for WooCommerce: 

The second affected plugin, Advanced Dynamic Pricing for WooCommerce, is installed on over 20,000 websites. The plugin was found to have two CSRF vulnerabilities, affecting all plugin versions lower than 4.1.6.

The plugin's purpose is to make it simpler for retailers to create discount and pricing rules.

The primary vulnerability (CVE-2022-43488) can result in a "rule sort migration."

The official description by the NVD reads: "Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress resulting in rule sort migration."

3. Advanced Coupons for WooCommerce Coupons plugin: 

The third affected plugin, Advanced Coupons for WooCommerce Coupons, has over 10,000 installs. The issue discovered in this plugin is likewise a CSRF vulnerability, affecting all versions lower than 4.5.01.

The official description by the NVD reads: "Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to note dismissal."

4. WooCommerce Dropshipping by OPMC – Critical: 

The fourth affected plugin, WooCommerce Dropshipping by OPMC, has around 3,000 installations.

A Critical unauthenticated SQL injection vulnerability, scored 9.8 on the 10-point scale, affects versions of this plugin lower than 4.4. The SQL injection flaw lets an attacker manipulate the WordPress database and assume admin-level permissions, and consequently alter the database, erase data, or even download sensitive data.

Describing this vulnerability, the NVD says: "The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection."

5. Role-Based Pricing for WooCommerce: 

This plugin, with over 2,000 installations, has two CSRF vulnerabilities.

As noted for another plugin above, a CSRF vulnerability involves a threat actor deceiving the admin or another user into clicking a link or performing some other action that triggers a malicious request, which can result in the actor acting with that user's permission level on the website. This vulnerability is rated as high as 8.8.

The NVD description of the first vulnerability warns “The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorization and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP” 

Following this, the official NVD description of the second vulnerability says, “The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorization and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog” 

Moreover, the official Role Based Pricing for WooCommerce WordPress plugin changelog states that the plugin is fully patched in version 1.6.2: 

“Changelog 2022-10-01 – version 1.6.2 

* Fixed the Arbitrary File Upload Vulnerability. 

* Fixed the issue of ajax nonce check.” 
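The changelog entry above refers to an AJAX nonce check, which is how WordPress plugins defend against the CSRF pattern described earlier in this post: a nonce tied to the action and the logged-in user, plus a capability check, so that a request forged from another site cannot trigger the export using the victim's cookies alone. The following is an added illustration written for this post, not code from any of the plugins named here; the hook names, the `demo_` function names, the nonce action string, the `demo-export` script handle and the `manage_woocommerce` capability check are assumptions chosen for the example.

```php
<?php
// Added example (not any plugin's own code): a minimal WordPress AJAX order-export
// handler in a CSRF-vulnerable form and a hardened form. All demo_* names, hook
// names and the nonce action string are assumptions made for illustration.

// --- Vulnerable pattern: the handler runs for any request that arrives with the
// victim's logged-in cookies. Nothing proves the request came from the plugin's
// own admin page, so a form auto-submitted by an attacker's page succeeds.
add_action( 'wp_ajax_demo_export_orders', 'demo_export_orders_vulnerable' );
function demo_export_orders_vulnerable() {
    $csv = demo_build_orders_csv();
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo $csv;
    wp_die();
}

// --- Hardened pattern: a nonce check (the CSRF token) followed by a capability
// check (the authorization check the NVD descriptions above say was missing).
add_action( 'wp_ajax_demo_export_orders_secure', 'demo_export_orders_secure' );
function demo_export_orders_secure() {
    // Verifies $_REQUEST['_ajax_nonce'] against the 'demo_export_orders' action
    // for the current user; on failure WordPress ends the request with a 403.
    check_ajax_referer( 'demo_export_orders', '_ajax_nonce' );

    // Only users allowed to manage the shop may export orders. A nonce alone is
    // not authorization: a subscriber could obtain a valid nonce for themselves.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $csv = demo_build_orders_csv();
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo $csv;
    wp_die();
}

// The plugin's own admin page embeds a fresh nonce for its script to send with
// the AJAX request. A cross-origin attacker page cannot read this value, which
// is what makes the forged request fail the check above.
// Assumes a script registered under the 'demo-export' handle.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'demo-export', 'demoExport', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_export_orders' ),
    ) );
} );

// Placeholder for the real export routine; returns a constructed CSV header only.
function demo_build_orders_csv() {
    return "order_id,total\n";
}
```

Both the nonce and the capability check are needed: the nonce defeats cross-site forgery, while the capability check stops a low-privileged but authenticated user from calling the endpoint directly with a nonce issued to them. Handlers registered on `wp_ajax_nopriv_*` hooks, which serve logged-out visitors, need the same nonce discipline plus their own access rules.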

Plan of Action

To avoid these consequences, users should update all of the vulnerable plugins. It is also best practice to back up the website before applying plugin updates and, where feasible, to test an update before rolling it out.

Cisco Patched High Severity Bugs in Networking and Communications Products


Flaws found in Cisco

Several flaws in the API and web-based management interface of Cisco TelePresence Video Communication Server (VCS) Software and Cisco Expressway Series Software could allow remote attackers to bypass certificate validation or conduct cross-site request forgery attacks against targeted devices.

About the first bug

The first bug, tracked as CVE-2022-20814, is an improper certificate validation issue; a remote, unauthenticated attacker could exploit it to access sensitive information via a man-in-the-middle attack.

A bug in the certificate validation of Cisco TelePresence VCS and Cisco Expressway-C could allow an unauthenticated, remote attacker to access sensitive information.

The flaw exists because an affected device does not validate the SSL server certificate when it establishes a connection to a Cisco Unified Communications Manager device.

The Cisco advisory says: "An attacker could exploit this vulnerability by using a man-in-the-middle technique to intercept the traffic between the devices and then using a self-signed certificate to impersonate the endpoint. A successful exploit could allow the attacker to view the intercepted traffic in clear text or alter the contents of the traffic."

About the second bug

The second vulnerability, tracked as CVE-2022-20853, is a cross-site request forgery (CSRF) flaw that can be exploited to cause a denial of service (DoS) condition by luring a victim into opening a specially crafted link.

"A vulnerability in the REST API of Cisco Expressway Series and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system," states the advisory.

“This vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit this vulnerability by persuading a user of the REST API to follow a crafted link. A successful exploit could allow the attacker to cause the affected system to reload."

Cisco PSIRT did not report any public announcements of, or in-the-wild attacks exploiting, these bugs.

Atlassian Patched Vulnerabilities in its Domains

On Wednesday, 23 June, cyber-security researchers disclosed key vulnerabilities in Atlassian's project and software development platform that could have been exploited to take over accounts and control certain applications connected through its single sign-on (SSO) capabilities.

The vulnerabilities stem from Atlassian's use of SSO to provide seamless navigation across its domains (listed below), which opened up an attack scenario combining XSS and CSRF to inject malicious code into the portal with a session fixation flaw to plant a valid user session. These vulnerabilities have since been patched.

On January 8, 2021, after being notified of the problem, the Australian company delivered a patch. The affected sub-domains include:
jira.atlassian.com 
confluence.atlassian.com 
getsupport.atlassian.com 
partners.atlassian.com 
developer.atlassian.com 
support.atlassian.com 
training.atlassian.com 

"With just one click, an attacker could have used the flaws to get access to Atlassian's publish Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket, and on-premise products," Check Point Research stated.

Successful exploitation of these vulnerabilities could escalate into a supply-chain attack in which the attacker takes over an account, performs unauthorized actions on behalf of the victim, modifies Confluence pages, accesses Jira tickets, and even injects malicious implants to carry out further attacks.

In other words, an attacker could trick a user into clicking a crafted Atlassian link that executes a malicious payload, which the attacker could then use to log into the victim's account and obtain confidential information.

Moreover, an attacker could take control of a Bitbucket account linked to a Jira account by opening a Jira ticket that embeds a malicious link to a rogue site; when the victim clicks that link in the auto-generated notification e-mail, the attacker can steal the credentials, effectively gaining authorization to access or modify the source code, make the repository publicly accessible, or even insert backdoors.

"Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization's workflow," said Oded Vanunu, head of products vulnerabilities research at Check Point. "An incredible amount of supply chain information flows through these applications, as well as engineering and project management."