CVE-2023-5084: Multiple Self-XSS Vulnerabilities in hestiacp

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.


Description

Multiple self-XSS vulnerabilities can be triggered at the following endpoints.

http://localhost:8083/edit/server/

There is a bug in the web/templates/pages/edit_server.php file: the attacker controls $v_timezone, which is written into the Alpine.js x-data attribute without any escaping.

<form
    x-data="{
        timezone: '<?= $v_timezone ?? "" ?>',
        theme: '<?= $_SESSION["THEME"] ?>',
        language: '<?= $_SESSION["LANGUAGE"] ?>',
        hasSmtpRelay: <?= $v_smtp_relay == "true" ? "true" : "false" ?>,
        remoteBackupEnabled: <?= !empty($v_backup_remote_adv) ? "true" : "false" ?>,
        backupType: '<?= !empty($v_backup_type) ? trim($v_backup_type, "'") : "" ?>',
        webmailAlias: '<?= $_SESSION["WEBMAIL_ALIAS"] ?? "" ?>',
        apiSystem: '<?= $_SESSION["API_SYSTEM"] ?>',
        legacyApi: '<?= $_SESSION["API"] ?>',
        showSystemOptions: false,
        showProtectionOptions: false,
        showPolicyOptions: false,
    }"
    id="main-form"
    name="v_configure_server"
    method="post"
>

Proof of Concept

1. Intercept the request with Burp Suite
2. Replace $v_timezone with '}"><img+src%3d""+onerror%3d"alert(1)"><for+x-data%3d"{timezone%3a'

https://drive.google.com/file/d/1VcvdGdSXVDcAoDd1YbW5pWd8IqVKVuiE/view?usp=sharing
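The edit_server.php sink above puts a user-controlled value inside a JavaScript string literal that itself sits inside an HTML attribute, so it needs two layers of encoding rather than one. The following is an added example (not hestiacp's own code or its actual fix) of a hardened rendering for that line, checked against the proof-of-concept payload; the function names and the simplified form markup are assumptions made for the example.

```php
<?php
// Added example (not hestiacp's code): safely embedding a user-controlled value
// in an Alpine.js x-data attribute, the sink shown in edit_server.php.
//
// Encodings are applied inside-out:
//   1. json_encode() turns the value into a valid JS string literal; the
//      JSON_HEX_* flags rewrite < > & ' " as \uXXXX, so none of them survives
//      as a literal character inside the attribute;
//   2. htmlspecialchars() escapes the result for the HTML attribute context.
// htmlspecialchars() alone is not enough here: the browser decodes &#039; back
// to ' before Alpine evaluates the expression, so a quote in the input would
// still terminate the JS string.
function jsStringInAttribute(string $value): string
{
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return htmlspecialchars($js, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened form of the `timezone: '<?= $v_timezone ?? "" ?>'` line. The helper
// supplies the surrounding double quotes, so the template adds none of its own.
function renderTimezoneXData(?string $v_timezone): string
{
    return '<form x-data="{ timezone: ' . jsStringInAttribute($v_timezone ?? '') . ' }">';
}

// What Alpine will see: the attribute value after the browser's HTML decoding.
// Returns the JS string literal's contents, or null if the literal was broken.
function decodedTimezoneLiteral(string $html): ?string
{
    $attr = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (preg_match('/x-data="\{ timezone: "([^"]*)" \}"/', $attr, $m) !== 1) {
        return null; // a raw quote or brace reached the attribute: breakout
    }
    return $m[1];
}

// Payload from the advisory's proof of concept (URL-decoded), used as test input.
$payload = '\'}"><img src="" onerror="alert(1)"><for x-data="{timezone:\'';

$html = renderTimezoneXData($payload);
$literal = decodedTimezoneLiteral($html);
echo $html, PHP_EOL;

// The literal must contain no raw quote, angle bracket or ampersand, and must
// still decode (as the JS engine would) to exactly the original value.
$intact = $literal !== null
    && preg_match('/["\'<>&]/', $literal) === 0
    && json_decode('"' . $literal . '"') === $payload;
echo $intact ? 'safe: value preserved, no breakout' : 'UNSAFE', PHP_EOL;
exit($intact ? 0 : 1);
```

Run it with `php example.php`; the exit status is 0 only when the payload survives as inert string data.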

http://localhost:8083/add/package/

There is a bug in the web/templates/pages/add_package.php file: the attacker controls $v_backend_template, which is echoed without escaping.

<?php
foreach ($backend_templates as $key => $value) {
    // user-controlled value echoed without escaping: the XSS sink
    echo $v_backend_template;
    echo "\t\t\t\t<option value=\"".$value."\"";
    if ((!empty($v_backend_template)) && ( $value == trim($v_backend_template, "'"))){
        echo ' selected' ;
    }
    echo ">".htmlentities($value)."</option>\n";
}
?>

Proof of Concept

1. Intercept the request with Burp Suite
2. Replace $v_backend_template with '</select><img+src%3d""+onerror%3d"alert(1)">

https://drive.google.com/file/d/1nALSSZ3uUUa9fCC3Xhn1Zz0IJ-ZKYjjV/view?usp=sharing

Impact

The impact is low, because a successful attack requires certain conditions to be met (the issues are self-XSS).

Related news

CVE-2023-5084: Fix XSS in edit server and add package · hestiacp/hestiacp@5131f5a