Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)

Exploit Title: Admidio 3.3.5 - Cross-Site Request Forgery Change Permissions Author: Nawaf Alkeraithe Date: 2018-09-01 Vendor Homepage: https://www.admidio.org/ Software Link: https://sourceforge.net/projects/admidio/files/Admidio/3.3.x/admidio-3.3.5.zip/download Version: 3.3.5 Tested on: PHP CVE...

Ruby on Rails: rails-ujs will send CSRF tokens to other origins

I reported this via email a few months ago. Here was my initial email: Hello, I've been playing with getting Rails apps to send CSRF tokens to the wrong domains and I found a few problems. The main motivation for this is in attacking a site that uses Content Security Policy. With CSP enabled, an...