Reflected XSS on ticket filter function in GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability is capable of executing a malicious javascript code in web page

**Description**

Ticket management filter in Trudesk v1.2.0 allow user to perform XSS due to improper validation on filter attribute such as "status", "ticket type", "assignee" and etc.

**Proof of Concept**

1.  Login to Trudesk with role user privilege
2.  Tickets -> Filter ticket
3.  Filter for ticket status (poc on attribute status)
4.  Insert payload in the filter result

**Endpoint**

1.  http://{IP}/tickets/filter/

**Payload used**

1.  "><img src=a onerror=alert(document.domain)>

**Screenshot POC**

1.  ticket filter
2.  xss domain
3.  xss cookie

**Impact**

This vulnerability is capable of executing a malicious javascript code in web page

**Occurrences**

CVE-2022-1719: Reflected XSS on ticket filter function in trudesk

An arbitrary file upload vulnerability was found in Metersphere v1.15.4. Unauthenticated users can upload any file to arbitrary directory, where attackers can write a cron job to execute commands.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

rainmanzzz opened this issue

Dec 20, 2021

· 2 comments

Assignees

 

**Comments**

**Version**

v1.15.4

**Description**

Unauthenticated users can upload any kinds of file to arbitrary directory，which could lead to RCE.

API: /resource/md/upload

Vulnerable source code:  
ResourceService.java

        public void mdUpload(MdUploadRequest request, MultipartFile file) {
            FileUtils.uploadFile(file, FileUtils.MD_IMAGE_DIR, request.getId() + "_" + request.getFileName());
        }
    

**To Reproduce**

I have tested this vulnerability on the demo website https://demo.metersphere.com/.  
Post the data below and we successfully upload a file .1 under the /root/ directory.  
  
If we write a cron job, then we can execute command remotely.

Thanks very much for your discovery，we will fixed it within next version.

AgAngle added a commit that referenced this issue

Dec 21, 2021

AgAngle added a commit that referenced this issue

Dec 21, 2021

CVE-2021-45790: [BUG]Arbitrary File Upload Vulnerability leading to RCE in v1.15.4 · Issue #8653 · metersphere/metersphere

An issue was discovered in SecurePoll in the Growth extension in MediaWiki through 1.36.2. Simple polls allow users to create alerts by changing their User-Agent HTTP header and submitting a vote.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2021-42045

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess.

CVE-2020-15330: Multiple vulnerabilities found in Zyxel CNM SecuManager

Time-based SQL Injection vulnerabilities were found in Metersphere v1.15.4 via the "orders" parameter.

**Version**

v1.15.4

**Description**

Authenticated users can control the parameters in the "order by" statement, which causing SQL injection.

API: /test/case/list/{goPage}/{pageSize}

Vulnerable source code:  
ExtTestPlanTestCaseMapper.xml

        <select id="list" resultType="io.metersphere.track.dto.TestPlanCaseDTO">
            select test_plan_test_case.id as id, test_case.id as caseId, test_case.name, test_case.priority,
            test_case.type,test_case.test_id as testId,test_case.node_id, test_case.tags, test_case.maintainer,
            test_case.custom_fields,
            test_case.node_path, test_case.method, if(project.custom_num = 0, cast(test_case.num as char),
            test_case.custom_num) as customNum, test_plan_test_case.executor, test_plan_test_case.status,
            test_plan_test_case.actual_result,
            test_plan_test_case.update_time, test_plan_test_case.create_time,test_case_node.name as model, project.name as
            projectName,test_plan_test_case.issues as issues,test_plan_test_case.issues_count as issuesCount,
            test_plan_test_case.plan_id as planId
            from test_plan_test_case
            inner join test_case on test_plan_test_case.case_id = test_case.id
            left join test_case_node on test_case_node.id = test_case.node_id
            inner join project on project.id = test_case.project_id
            <include refid="queryWhereCondition"/>
            <if test="request.orders != null and request.orders.size() > 0">
                order by
                <foreach collection="request.orders" separator="," item="order">
                    <choose>
                        <when test="order.name == 'custom_num'">
                         customNum ${order.type}
                        </when>
                         <when test="order.name == 'name'">
                            test_case.name ${order.type}
                         </when>
                        <otherwise>
                            test_plan_test_case.${order.name} ${order.type}
                        </otherwise>
                    </choose>
                </foreach>
            </if>
        </select>
    

TestPlanTestCaseService.java

        public List<TestPlanCaseDTO> list(QueryTestPlanCaseRequest request) {
            request.setOrders(ServiceUtils.getDefaultSortOrder(request.getOrders()));
            List<TestPlanCaseDTO> list = extTestPlanTestCaseMapper.list(request);
            QueryMemberRequest queryMemberRequest = new QueryMemberRequest();
            queryMemberRequest.setProjectId(request.getProjectId());
            Map<String, String> userMap = userService.getProjectMemberList(queryMemberRequest)
                    .stream().collect(Collectors.toMap(User::getId, User::getName));
            list.forEach(item -> {
                item.setExecutorName(userMap.get(item.getExecutor()));
                item.setMaintainerName(userMap.get(item.getMaintainer()));
            });
            return list;
        }
    
    

**To Reproduce**

I have tested this vulnerability on the demo website https://demo.metersphere.com/.  
Set the value of the "orders" parameter

    "orders":[{"name":"name","type":",if(1=1,sleep(2),0)"}]
    

As we have seen, this lead to time-based sqli

  
  
Some other APIs also have sqli，such as

    /test/plan/case/list/all
    /test/plan/case/list/ids
    /issues/list/{goPage}/{pageSize}
    /test/case/list/{goPage}/{pageSize}

CVE-2021-45788: [BUG]Time-based SQL Injetion in v1.15.4 · Issue #8651 · metersphere/metersphere

An issue was discovered in the GlobalWatchlist extension in MediaWiki through 1.36.2. The rev-deleted-user and ntimes messages were not properly escaped and allowed for users to inject HTML and JavaScript.

CVE-2021-42046

An issue was discovered in the Growth extension in MediaWiki through 1.36.2. Any admin can add arbitrary JavaScript code to the Newcomer home page footer, which can be executed by viewers with zero edits.

CVE-2021-42048

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

**Package**

maven org.apache.tomcat:tomcat (Maven)

**Affected versions**

\>= 8.5.0, < 8.5.78

\>= 9.0.0-M1, < 9.0.62

\>= 10.0.0-M1, < 10.0.20

\>= 10.1.0-M1, < 10.1.0-M14

**Patched versions**

8.5.78

9.0.62

10.0.20

10.1.0-M14

GHSA-jx7c-7mj5-9438: Apache Tomcat Race Condition vulnerability

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

@@ -494,6 +494,7 @@ describe("MatrixClient crypto", () => {

aliTestClient.expectKeyQuery({ device\_keys: { \[aliUserId\]: {} }, failures: {} });

await aliTestClient.start();

await bobTestClient.start();

bobTestClient.client.crypto.deviceList.downloadKeys \= () \=> Promise.resolve({});

await firstSync(aliTestClient);

await aliEnablesEncryption();

await aliSendsFirstMessage();

@@ -504,6 +505,7 @@ describe("MatrixClient crypto", () => {

aliTestClient.expectKeyQuery({ device\_keys: { \[aliUserId\]: {} }, failures: {} });

await aliTestClient.start();

await bobTestClient.start();

bobTestClient.client.crypto.deviceList.downloadKeys \= () \=> Promise.resolve({});

await firstSync(aliTestClient);

await aliEnablesEncryption();

await aliSendsFirstMessage();

@@ -567,6 +569,7 @@ describe("MatrixClient crypto", () => {

aliTestClient.expectKeyQuery({ device\_keys: { \[aliUserId\]: {} }, failures: {} });

await aliTestClient.start();

await bobTestClient.start();

bobTestClient.client.crypto.deviceList.downloadKeys \= () \=> Promise.resolve({});

await firstSync(aliTestClient);

await aliEnablesEncryption();

await aliSendsFirstMessage();

@@ -584,6 +587,9 @@ describe("MatrixClient crypto", () => {

await firstSync(bobTestClient);

await aliEnablesEncryption();

await aliSendsFirstMessage();

bobTestClient.httpBackend.when('POST', '/keys/query').respond(

200, {},

);

await bobRecvMessage();

await bobEnablesEncryption();

const ciphertext \= await bobSendsReplyMessage();

CVE-2022-39236: Resolve multiple CVEs · matrix-org/matrix-js-sdk@a587d7c

A stored Cross-Site Scripting (XSS) vulnerability exists in version 1.0 of the Expense Management System application that allows for arbitrary execution of JavaScript commands through index.php.

Tag

#java