IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2012-2160: Fix List for Rational Change

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess.

CVE-2020-15330: Multiple vulnerabilities found in Zyxel CNM SecuManager

IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.

CVE-2015-1931

An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2021-42045

Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.

**Version**

v1.15.4

**Description**

Authenticated users can control the parameters in the "order by" statement, which causing SQL injection.

API: /test/case/list/{goPage}/{pageSize}

Vulnerable source code:  
ExtTestPlanTestCaseMapper.xml

        <select id="list" resultType="io.metersphere.track.dto.TestPlanCaseDTO">
            select test_plan_test_case.id as id, test_case.id as caseId, test_case.name, test_case.priority,
            test_case.type,test_case.test_id as testId,test_case.node_id, test_case.tags, test_case.maintainer,
            test_case.custom_fields,
            test_case.node_path, test_case.method, if(project.custom_num = 0, cast(test_case.num as char),
            test_case.custom_num) as customNum, test_plan_test_case.executor, test_plan_test_case.status,
            test_plan_test_case.actual_result,
            test_plan_test_case.update_time, test_plan_test_case.create_time,test_case_node.name as model, project.name as
            projectName,test_plan_test_case.issues as issues,test_plan_test_case.issues_count as issuesCount,
            test_plan_test_case.plan_id as planId
            from test_plan_test_case
            inner join test_case on test_plan_test_case.case_id = test_case.id
            left join test_case_node on test_case_node.id = test_case.node_id
            inner join project on project.id = test_case.project_id
            <include refid="queryWhereCondition"/>
            <if test="request.orders != null and request.orders.size() > 0">
                order by
                <foreach collection="request.orders" separator="," item="order">
                    <choose>
                        <when test="order.name == 'custom_num'">
                         customNum ${order.type}
                        </when>
                         <when test="order.name == 'name'">
                            test_case.name ${order.type}
                         </when>
                        <otherwise>
                            test_plan_test_case.${order.name} ${order.type}
                        </otherwise>
                    </choose>
                </foreach>
            </if>
        </select>
    

TestPlanTestCaseService.java

        public List<TestPlanCaseDTO> list(QueryTestPlanCaseRequest request) {
            request.setOrders(ServiceUtils.getDefaultSortOrder(request.getOrders()));
            List<TestPlanCaseDTO> list = extTestPlanTestCaseMapper.list(request);
            QueryMemberRequest queryMemberRequest = new QueryMemberRequest();
            queryMemberRequest.setProjectId(request.getProjectId());
            Map<String, String> userMap = userService.getProjectMemberList(queryMemberRequest)
                    .stream().collect(Collectors.toMap(User::getId, User::getName));
            list.forEach(item -> {
                item.setExecutorName(userMap.get(item.getExecutor()));
                item.setMaintainerName(userMap.get(item.getMaintainer()));
            });
            return list;
        }
    
    

**To Reproduce**

I have tested this vulnerability on the demo website https://demo.metersphere.com/.  
Set the value of the "orders" parameter

    "orders":[{"name":"name","type":",if(1=1,sleep(2),0)"}]
    

As we have seen, this lead to time-based sqli

  
  
Some other APIs also have sqli，such as

    /test/plan/case/list/all
    /test/plan/case/list/ids
    /issues/list/{goPage}/{pageSize}
    /test/case/list/{goPage}/{pageSize}

CVE-2021-45788: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere

An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.

CVE-2021-42046

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.

CVE-2021-42048

Reflected XSS on ticket filter function in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability is capable of executing a malicious javascript code in web page

**Description**

Ticket management filter in Trudesk v1.2.0 allow user to perform XSS due to improper validation on filter attribute such as "status", "ticket type", "assignee" and etc.

**Proof of Concept**

1.  Login to Trudesk with role user privilege
2.  Tickets -> Filter ticket
3.  Filter for ticket status (poc on attribute status)
4.  Insert payload in the filter result

**Endpoint**

1.  http://{IP}/tickets/filter/

**Payload used**

1.  "><img src=a onerror=alert(document.domain)>

**Screenshot POC**

1.  ticket filter
2.  xss domain
3.  xss cookie

**Impact**

This vulnerability is capable of executing a malicious javascript code in web page

**Occurrences**

CVE-2022-1719: Reflected XSS on ticket filter function in trudesk

An arbitrary file upload vulnerability was found in Metersphere v1.15.4. Unauthenticated users can upload any file to arbitrary directory, where attackers can write a cron job to execute commands.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

rainmanzzz opened this issue

Dec 20, 2021

· 2 comments

Assignees

 

**Comments**

**Version**

v1.15.4

**Description**

Unauthenticated users can upload any kinds of file to arbitrary directory，which could lead to RCE.

API: /resource/md/upload

Vulnerable source code:  
ResourceService.java

        public void mdUpload(MdUploadRequest request, MultipartFile file) {
            FileUtils.uploadFile(file, FileUtils.MD_IMAGE_DIR, request.getId() + "_" + request.getFileName());
        }
    

**To Reproduce**

I have tested this vulnerability on the demo website https://demo.metersphere.com/.  
Post the data below and we successfully upload a file .1 under the /root/ directory.  
  
If we write a cron job, then we can execute command remotely.

Thanks very much for your discovery，we will fixed it within next version.

AgAngle added a commit that referenced this issue

Dec 21, 2021

AgAngle added a commit that referenced this issue

Dec 21, 2021

Tag

#java