CVE-2022-29152: CVE-Disclosures/CVE-2022-29152.md at main · the-emmons/CVE-Disclosures

The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an XSS payload from the AppPortal cookie into the page.

CVE
#xss #web #java

CVE-2022-29152

Description

The Ericom PowerTerm WebConnect login portal unsafely writes values from the ‘AppPortal’ cookie into the page source, permitting arbitrary JavaScript execution.

Impact

Portal credentials can be captured via cross-site scripting.

Exploitability

To persist the login form fields, the Ericom portal sets the ‘AppPortal’ cookie and populates it with POST data from the last failed login attempt. Because of that behavior, a malicious cookie can be set from an attacker-controlled domain by using cross-site request forgery to submit a failed login request. If a victim views an attacker’s webpage a single time, an attacker can trigger an exploit chain that may result in the theft of Active Directory credentials.
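As an added example (not code from the advisory or from Ericom), the following Python model of the cookie-persistence flow described above places the unsafe output sink beside its hardened form and adds a defender-side check for cookie values carrying markup; the field names, the urlencoded cookie layout and the sample request are assumptions constructed for illustration.

```python
"""Added example, not vendor code: a minimal login portal that persists
failed-login POST fields in an 'AppPortal' cookie and writes them back into
the form. *_unsafe mirrors the defect class described in the advisory;
*_safe shows the fix at both layers (what is persisted, and how it is output)."""
import html
import re
from urllib.parse import parse_qs, urlencode

PERSISTED_FIELDS = ("username", "domain")          # never the password
FIELD_RE = re.compile(r"[A-Za-z0-9._@\\-]{1,64}")   # DOMAIN\user or user@domain

# Constructed sample: a failed login whose username holds a harmless breakout marker.
SAMPLE_BODY = urlencode({"username": '"><b>marker</b>', "password": "x", "domain": "corp"})

def decode_cookie(cookie_value: str) -> dict:
    """AppPortal cookie value -> {field: value} (assumed urlencoded layout)."""
    return {k: v[0] for k, v in parse_qs(cookie_value).items()}

def cookie_from_failed_login_unsafe(post_body: str) -> str:
    """Persists every POSTed field verbatim, so a cross-site POST controls the cookie."""
    return urlencode({k: v[0] for k, v in parse_qs(post_body).items()})

def cookie_from_failed_login_safe(post_body: str) -> str:
    """Persists only allow-listed fields whose values match a tight pattern."""
    fields = parse_qs(post_body)
    kept = {k: fields[k][0] for k in PERSISTED_FIELDS
            if k in fields and FIELD_RE.fullmatch(fields[k][0])}
    return urlencode(kept)

def render_unsafe(cookie_value: str) -> str:
    """Vulnerable sink: cookie-derived value interpolated raw into an HTML attribute."""
    user = decode_cookie(cookie_value).get("username", "")
    return f'<input name="username" value="{user}">'

def render_safe(cookie_value: str) -> str:
    """Hardened sink: HTML-escape for the attribute context (quote=True escapes quotes)."""
    user = decode_cookie(cookie_value).get("username", "")
    return f'<input name="username" value="{html.escape(user, quote=True)}">'

def cookie_has_markup(cookie_value: str) -> bool:
    """Defender-side check on decoded values: does any field carry HTML metacharacters?"""
    return any(c in v for v in decode_cookie(cookie_value).values() for c in '<>"\'')

if __name__ == "__main__":
    bad = cookie_from_failed_login_unsafe(SAMPLE_BODY)
    print(render_unsafe(bad))                                # marker breaks out of the attribute
    print(render_safe(bad))                                  # escaped, attribute stays intact
    print(render_safe(cookie_from_failed_login_safe(SAMPLE_BODY)))  # username never persisted
    print(cookie_has_markup(bad))                            # True: worth logging/alerting on
```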

CVE Reference

CVE-2022-29152

Resolution

The vendor has not responded to responsible disclosure.

Discovery Credits

Ryan Emmons - CBI

Disclosure Timeline

  • 2 April 2022 - A ticket was created with the vendor and an autoreply was received.
  • 15 April 2022 - No follow-up from the vendor after two weeks, so the issue is being publicly disclosed.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29152

Related news

GHSA-cvx5-m8vg-vxgc: Arbitrary filesystem write access from velocity.

Impact: Velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires Script rights in XWiki, so not all users can do so, and it also requires finding an XWiki API that returns a File.

Patches: The problem has been patched in versions 12.6.7, 12.10.3 and 13.0RC1.

Workarounds: There is no easy workaround for this vulnerability other than upgrading and being careful when granting Script rights.

References: https://jira.xwiki.org/browse/XWIKI-5168

For more information: if you have any questions or comments about this advisory, open an issue in Jira XWiki (https://jira.xwiki.org) or email the XWiki Security mailing list (mailto:[email protected]).

CVE-2022-29081: ManageEngine Access Manager Plus REST API Restriction Bypass

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to an access-control bypass on a few REST API URLs (SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize) via the ../RestAPI substring.

CVE-2022-24898: XWIKI-18946: Improve the default XML parser · xwiki/xwiki-commons@947e892

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top-level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessible to the user running the XWiki application server, via XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for this vulnerability other than upgrading and being careful when granting Script rights.

GHSA-m2r5-4w96-qxg5: Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

Impact: It is possible in a script to access any file accessible to the user running the XWiki application server, via XML External Entity Injection through the XML script service. For example:

```
{{velocity}}
#set($xml=$services.get('xml'))
#set($xxe_payload = "<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE root[<!ENTITY xxe SYSTEM 'file:///etc/passwd' >]><root><foo>&xxe;</foo></root>")
#set($doc=$xml.parse($xxe_payload))
$xml.serialize($doc)
{{/velocity}}
```

Patches: The problem has been patched in versions 12.10.10, 13.4.4 and 13.8RC1.

Workarounds: There is no easy workaround for this vulnerability other than upgrading and being careful when granting Script rights.

References: https://jira.xwiki.org/browse/XWIKI-18946

For more information: if you have any questions or comments about this advisory, open an issue in Jira XWiki (https://jira.xwiki.org) or email the XWiki Security mailing list (mailto:[email protected]).

CVE-2022-24879: Shopware CSRF token validation malfunction

Shopware is an open source e-commerce software platform. Versions prior to 5.7.9 have a malfunction in cross-site request forgery (CSRF) token validation: under certain circumstances, CSRF tokens were not generated anew and were not validated correctly. This issue is fixed in version 5.7.9. Users of older versions may attempt to mitigate the vulnerability by using the Shopware security plugin.

CVE-2022-28719: Hammock AssetView missing authentication for critical functions

Missing authentication for a critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge of the system configuration to upload a crafted configuration file to the managing server, which may cause the managed clients to execute arbitrary code with administrative privileges.

CVE-2022-29146: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

This vulnerability could lead to a browser sandbox escape.

CVE-2022-29869: mount.cifs: two bug fixes by ddiss · Pull Request #7 · piastry/cifs-utils

cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file.

CVE-2022-24736: Lua readonly tables (CVE-2022-24736, CVE-2022-24735) by oranagra · Pull Request #10651 · redis/redis

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which will result in a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0, 6.2.X and 6.0.X. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
