Sebastian's Blog

software developer. security enthusiast.

Category: Security

XSRF in Benno MailArchiv Web-App (benno-web < 2.10.2) (CVE-2023-38348)

The Benno MailArchiv Web-App (benno-web prior is vulnerable to Cross-Site-Request-Forgery. To exploit the vulnerability the attacker sends a link to a prepared page to a Benno MailArchiv user. The link then is able to trigger actions in the name of the user such as changing the users password (if the user is logged in).

WPS Hide Login 1.6.1 Protection Bypass (CVE-2021-3332)

The protective feature of WPS Hide Login can be bypassed by sending a crafted POST request containg the field post_password towards the default WordPress login url /wp-login.php. In file /classes/plugin.php on line 494 the plugin explicitly checks for the absence of this POST field but no else-case is defined.