A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1.

**4.8.1¶**

Released: 20th of January 2023

**Bug Fixes¶**

*   Avoid unbounded recursion when retrieving DS records from some misconfigured domains. CVE-2023-22617.¶
    
    References: pull request 12442
    

**4.8.0-beta2¶**

Released: 7th of November 2022

**Improvements¶**

*   Only replace protobuf logger config objects if the reload changed them.¶
    
    References: #12063, pull request 12146
    
*   Be more lenient replacing auth by non-auth records in cache.¶
    
    References: #12140, pull request 12150
    

**Bug Fixes¶**

*   Fix SNMP OID numbers for rcode stats.¶
    
    References: #12155, pull request 12163
    
*   Implement output operator for QTypes, avoids numeric qtypes in trace logs.¶
    
    References: #12122, pull request 12162
    
*   Handle IXFR connect and transfer timeouts.¶
    
    References: #12125, pull request 12161
    
*   Log invalid RPZ content when obtained via IXFR.¶
    
    References: #12081, pull request 12145
    
*   Detect invalid bytes in makeBytesFromHex().¶
    
    References: #12066, pull request 12147
    

**4.8.0-beta1¶**

Released: 5th of October 2022

**Improvements¶**

*   Add support for NOD/UDR notifications using dnstap.¶
    
    References: pull request 12047
    
*   Protobuf and dnstap metrics, including rec\_control subcommand to show them.¶
    
    References: #11841, pull request 11903, pull request 12049
    
*   Provide metrics for rcode received from authoritative servers.¶
    
    References: #7164, pull request 11949
    
*   Proxymapping metrics, including rec\_control subcommand to show them.¶
    
    References: #11648, pull request 11866
    
*   Add querytime attribute to Lua DNSQuestion object, to see the time a query was received.¶
    
    References: pull request 11909
    
*   Enable include-dir by default in RPM builds, to be in line with DEB builds (Frank Louwers).¶
    
    References: #11766, pull request 11768
    
*   Improve error message when invalid values for local-address are provided in recursor config file.¶
    
    References: pull request 11989
    
*   Enable SNMP support for debian and ubuntu builds.¶
    
    References: #11999, pull request 12011
    
*   Warn if snmp-agent is set but SNMP support is not available.¶
    
    References: #11998, pull request 12009
    
*   A few tweaks to structured logging calls.¶
    
    References: pull request 11959
    

**Bug Fixes¶**

*   Fix –config (should be equal to –config=default), followup to #11907.¶
    
    References: pull request 12048
    
*   Fix compilation of the event ports multiplexer.¶
    
    References: #12044, pull request 12046
    
*   When an expired NSEC3 entry is seen move it to the front of the expiry queue.¶
    
    References: pull request 12038
    
*   If new data is auth and existing data is not, replace even if cache locking is active.¶
    
    References: #11958, pull request 12027
    

**4.8.0-alpha1¶**

Released: 23rd of September 2022

**Improvements¶**

*   Lock record cache entries if enabled by record-cache-locked-ttl-perc.¶
    
    References: pull request 11958
    
*   Use nullptr in getNSEC3PARAM + init bool at call site (Axel Viala).¶
    
    References: pull request 11957
    
*   Axfr-retriever: abort on chunk with TC set.¶
    
    References: #11804, pull request 11953
    
*   Clarify return codes for the Lua hooks in the Recursor (Frank Louwers).¶
    
    References: pull request 11955
    
*   Recursor: Add --config[=check|=diff|=default].¶
    
    References: pull request 11907
    
*   Implement optional Serve stale functionality, enabled by serve-stale-extensions..¶
    
    References: pull request 11776
    
*   Implement padding of (DoT) messages to authoritative servers, if set by edns-padding-out (default yes).¶
    
    References: pull request 11906
    
*   Log socket directory path if there is a problem.¶
    
    References: pull request 11800
    
*   Handle Lua script loading errors.¶
    
    References: pull request 11823
    
*   Stop sending Server: header (Chris Hofstaedtler).¶
    
    References: #4979, pull request 11813
    
*   Keep time and count metrics when maintenance is called.¶
    
    References: #6981, pull request 11869
    
*   Consider dns64 processing in more cases than Rcode == NoError.¶
    
    References: pull request 11849
    
*   Set rec_control_LDFLAGS, needed for MacOS or any platforms where libcrypto is not in default lib path.¶
    
    References: #11855, pull request 11857
    
*   Replace/remove jQuery (Chris Hofstaedtler)¶
    
    References: pull request 11812
    
*   Remove unused jsrender.js (Chris Hofstaedtler).¶
    
    References: pull request 11811
    
*   Save the last nameserver speed recorded plus output it in rec_control dump-nsspeeds.¶
    
    References: #11736, pull request 11780
    
*   Set TCP_NODELAY on in and outgoing TCP.¶
    
    References: #11734, pull request 11754
    
*   Remove > 5 check on TTL of glue from the cache.¶
    
    References: pull request 11744
    
*   Structured logging for various subsystems.¶
    
    References: pull request 11631, pull request 11642, pull request 11654, pull request 11662, pull request 11681, pull request 11693, pull request 11710, pull request 11714, pull request 11854
    
*   Make edns table a sparse table.¶
    
    References: pull request 11704, pull request 11779
    
*   Shared ednsmap.¶
    
    References: pull request 11601
    
*   Load IPv6 entries from etc-hosts file.¶
    
    References: #2248, pull request 11682
    
*   Use systemd-journal for structured logging if it is available and set by structured-logging-backend.¶
    
    References: #11705, #11706, pull request 11660, pull request 11709
    
*   Fix typos in stats log messages (Matt Nordhoff).¶
    
    References: #11654, #11671, pull request 11671, pull request 11680
    
*   Shared throttle map.¶
    
    References: pull request 11598
    
*   Adaptive root refresh interval, normally at 80% of max-cache-ttl.¶
    
    References: pull request 11381
    

**Bug Fixes¶**

*   Libssl: Properly load ciphers and digests with OpenSSL 3.0.¶
    
    References: #11853, pull request 11862
    
*   rec\_control: test for --version before requiring an argument.¶
    
    References: #11864, pull request 11867
    
*   Make rec zone files with trailing dot (phonedph1).¶
    
    References: pull request 11672
    
*   Handle file related errors initially loading Lua script.¶
    
    References: #10079, #11818, pull request 11820

CVE-2023-22617: Changelogs for 4.8.X — PowerDNS Recursor documentation

In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-24027: fix: [security] XSS through network history name · MISP/MISP@72c5424

In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload.

@@ -636,7 +636,7 @@ class EventGraph {

btn\_plot.data('network-preview', preview);

btn\_plot.popover({

container: 'body',

content: function() { return '<img style="width: 500px; height: 150px;" src="' + $(this).data('network-preview') + '" />'; },

content: function() { return '<img style="width: 500px; height: 150px;" src="' + $('<div>').text($(this).data('network-preview')).html() + '" />'; },

placement: 'right',

trigger: 'hover',

template: '<div class="popover" role="tooltip"><div class="arrow"></div><h3 class="popover-title"></h3><div class="popover-content" style="width: 500px; height: 150px;"></div></div>',

@@ -2002,7 +2002,7 @@ function reset\_graph\_history() {

btn\_plot.data('network-preview', preview);

btn\_plot.popover({

container: 'body',

content: function() { return '<img style="width: 500px; height: 150px;" src="' + $(this).data('network-preview') + '" />'; },

content: function() { return '<img style="width: 500px; height: 150px;" src="' + $('<div>').text($(this).data('network-preview')).html() + '" />'; },

placement: 'right',

trigger: 'hover',

template: '<div class="popover" role="tooltip"><div class="arrow"></div><h3 class="popover-title"></h3><div class="popover-content" style="width: 500px; height: 150px;"></div></div>',

CVE-2023-24026: fix: [security] XSS in eventgraph preview payload · MISP/MISP@a46f794

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 13 and Jan. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for January 13 to January 20

The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an authenticated SQL injection vulnerability in the 'surveys_ids' parameter of its 'ays_surveys_export_json' action.

_All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

Tenable Advisory ID

TRA-2023-2

CVSSv3 Base / Temporal Score

CVSSv3 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Paid Memberships Pro WordPress Plugin

Easy Digital Downloads WordPress Plugin

Survey Maker WordPress Plugin

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

 BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Nessus Professional Free**

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

**Buy Nessus Professional**

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

65 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable.io Web Application Scanning**

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

**Buy Tenable.io Web Application Scanning**

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable.io Container Security**

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

**Buy Tenable.io Container Security**

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

**Thank You**

Thank you for your interest in the Tenable.io Container Security program. A representative will be in touch soon.

**Try Tenable Lumin**

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable.sc**

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable.ot**

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable.ad**

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Try Tenable.cs**

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

**Contact a Sales Rep to Buy Tenable.cs**

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

**Thank You**

Thank you for your interest in Tenable.cs. A representative will be in touch soon.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable.asm In Action**

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable.asm. A representative will be in touch soon.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-23490: SQL Injection in Multiple WordPress Plugins

Cross Site Scripting (XSS) vulnerability in InventorySystem thru commit e08fbbe17902146313501ed0b5feba81d58f455c (on Apr 23, 2021) via edit_store_name and edit_active inputs in file InventorySystem.php.

Hello,

I would like to report for possible XSS vulnerabilities.

For example,

In file InventorySystem-master\\application\\controllers\\Stores.php in update function

$data = array(
	'name' => $this\->input\->post('edit\_store\_name'),
	'active' => $this\->input\->post('edit\_active'),	
);

$update = $this\->model\_stores\->update($data, $id);

In file InventorySystem-master\\application\\models\\Model\_stores.php

public function update($data, $id){
  if($data && $id) {
	  $this\->db\->where('id', $id);
	  $update = $this\->db\->update('stores', $data);
	  return ($update == true) ? true : false;
  }
}

Then In file InventorySystem-master\\application\\controllers\\Stores.php

public function fetchStoresDataById($id) {
  if($id) {
	  $data = $this\->model\_stores\->getStoresData($id);
	  echo json\_encode($data);
  }
}

In file InventorySystem-master\\application\\models\\Model\_stores.php

public function getStoresData($id = null){
  if($id) {
	  $sql = "SELECT \* FROM \`stores\` where id = ?";
	  $query = $this\->db\->query($sql, array($id));
	  return $query\->row\_array();
  }
  
  $sql = "SELECT \* FROM \`stores\`";
  $query = $this\->db\->query($sql);
  return $query\->result\_array();
}

CVE-2023-23014: Possible XSS vulnerabilities · Issue #23 · ronknight/InventorySystem

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.

**Impact:** Users with the editinterface right (not limited to editsitejs) can cause Wikibase to emit arbitrary HTML in certain situations, including in APIs where callers might treat the result as trusted HTML and use it in their own sites. On Wikidata, the editinterface right is granted not only to interface administrators (who also have editsitejs, so they can already run arbitrary JS on Wikidata, though they still shouldn’t be able to break API users in this way), but also to regular administrators as well as Wikidata staff.

**Description:** Wikibase formats time values for HTML using two classes, MwTimeIsoFormatter and HtmlTimeFormatter. MwTimeIsoFormatter is responsible for formatting the timestamp depending on the precision of the time value, using various interface messages; HtmlTimeFormatter wraps it to add the calendar model, if necessary. An example result looks like this:

14 March 1879<sup class\="wb-calendar-name"\>Gregorian</sup\>
|MwTimeIsoF…||.............HtmlTimeFormatter.............|

HtmlTimeFormatter assumes that its inner formatter (which can actually be any formatter, as far as it’s concerned) emits HTML:

/\*\*
 \* @param FormatterOptions|null $options
 \* @param ValueFormatter $dateTimeFormatter A value formatter that accepts TimeValue objects and
 \*  returns the formatted date and time, but not the calendar model. Must return HTML.
 \*/
public function \_\_construct(

HtmlTimeFormatter::format()

$formatted \= $this\->dateTimeFormatter\->format( $value );

if ( $this\->calendarNameNeeded( $value ) ) {
	$formatted .= '<sup class="wb-calendar-name">'
		. $this\->formatCalendarName( $value\->getCalendarModel() )
		. '</sup>';
}

However, MwTimeIsoFormatter returns plain text:

/\*\*
 \* @param TimeValue $timeValue
 \*
 \* @return string Text
 \*/
private function formatTimeValue( TimeValue $timeValue ) {

MwTimeIsoFormatter::getLocalizedYear()

return wfMessage(
	'wikibase-time-precision-' . ( $isBCE ? 'BCE-' : '' ) . $msg,
	$year
)
\->inLanguage( $this\->language )
\->text();

The two formatters are wired up without any escaping layer between them:

WikibaseValueFormatterBuilders::newTimeFormatter()

return new HtmlTimeFormatter( $options, new MwTimeIsoFormatter( $options ) );

So if a user with the editinterface right edits one of the relevant interface messages (wikibase-time-precision-\*) to include HTML (e.g. <script>), it will be returned unchanged by $message->text() and be added directly to the resulting HTML; this HTML can then turn up in the Wikibase UI (such as on item pages and diffs), but also in third parties who use the wbformatvalue API with the generate parameter set to one of the available HTML formats.

CVE-2023-22910: XSS in Wikibase date formatting

### Impact
The vulnerability is capable of resulting in stolen user cookies.

#### Proof of Concept
```
Login with dev account https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=

Go to setting --> data objects --> classes --> events

Click media under genaral settings

Add payload in title field.

Go to data objects module and open events, xss will trigger

// PoC.js "><iMg SrC="x" oNeRRor="alert(xss);">
```
### Patches
Update to version 10.5.14 or apply this patch manually https://github.com/pimcore/pimcore/pull/13916.patch

### Workarounds
Apply https://github.com/pimcore/pimcore/pull/13916.patch manually.

### References
https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343/


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-0323

**pimcore is vulnerable to cross-site scripting via "title field " in data objects**

Moderate severity GitHub Reviewed Published Jan 20, 2023 in pimcore/pimcore • Updated Jan 20, 2023

Vulnerability details Dependabot alerts 0

**Package**

composer pimcore/pimcore (Composer)

**Affected versions**

< 10.5.14

**Patched versions**

10.5.14

**Description**

**Impact**

The vulnerability is capable of resulting in stolen user cookies.

**Proof of Concept**

    Login with dev account https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=
    
    Go to setting --> data objects --> classes --> events
    
    Click media under genaral settings
    
    Add payload in title field.
    
    Go to data objects module and open events, xss will trigger
    
    // PoC.js "><iMg SrC="x" oNeRRor="alert(xss);">
    

**Patches**

Update to version 10.5.14 or apply this patch manually https://github.com/pimcore/pimcore/pull/13916.patch

**Workarounds**

Apply https://github.com/pimcore/pimcore/pull/13916.patch manually.

**References**

https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343/

**References**

*   GHSA-6vf6-g3pr-j83h
*   https://nvd.nist.gov/vuln/detail/CVE-2023-0323
*   https://github.com/pimcore/pimcore/pull/13916.patch
*   pimcore/pimcore@746fac1
*   https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343

 dvesh3 published the maintainer security advisory

Jan 16, 2023

**Severity**

Moderate

**Weaknesses**

CWE-79

**CVE ID**

CVE-2023-0323

**GHSA ID**

GHSA-6vf6-g3pr-j83h

**Source code**

pimcore/pimcore

Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-6vf6-g3pr-j83h: pimcore is vulnerable to cross-site scripting via "title field " in data objects

OpenText Extended ECM versions 16.2.2 through 22.3 suffer from arbitrary file deletion, information disclosure, local file inclusion, and privilege escalation vulnerabilities.

OpenText Extended ECM 22.3 File Deletion / LFI / Privilege Escsalation

OpenText Extended ECM versions 20.4 through 22.3 suffer from a pre-authentication remote code execution vulnerability in cs.exe.

SEC Consult Vulnerability Lab Security Advisory < 20230117-0 >  
=======================================================================  
               title: Pre-authenticated Remote Code Execution in cs.exe  
             product: OpenText™ Content Server component of OpenText™ Extended ECM  
  vulnerable version: 20.4 - 22.3  
       fixed version: 22.4  
          CVE number: CVE-2022-45923  
              impact: Critical  
            homepage: https://www.opentext.com/  
               found: 2022-09-16  
                  by: Armin Stock (Atos)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the  
information lifecycle by integrating with leading enterprise applications, such  
as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content  
and processes together, Extended ECM provides access to information when and  
where it’s needed, improves decision-making and drives operational effectiveness."

Source: https://www.opentext.com/products/extended-ecm

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)  
The `Common Gateway Interface (CGI)` program `cs.exe` of the `Content Server`  
has a vulnerability, which allows an attacker to increase/decrease an arbitrary  
memory address by 1 and to trigger a call to a method of a `vftable` with a  
`vftable pointer` value chosen by the attacker.

The `cs.exe` does de-serialize (crack) the user provided data in the `_fInArgs`  
parameter, if the parameter `_ApiName` is set. During this de-serialization to  
a `class KOSValue` object, the function `obj_ref_cracker` can be called. This  
function tries to create a new `class KOSValue` object with an unknown class ID  
of `3`.

As the class ID is unknown the function returns an object of type  
`KOSValueBaseClass` instead of `KOSObjRefClass`, but the value of the  
`class_ptr` attribute of the new `class KOSValue` object is controlled by the  
attacker. This new object can then be used to increase/decrease arbitrary  
memory addresses and call methods of its `vftable` via the functions  
`KOSValueBaseClass::AddReference` and `KOSValueBaseClass::ReleaseReference`.

Proof of concept:  
-----------------  
1) Pre-authenticated Remote Code Execution in cs.exe (CVE-2022-45923)  
The following request crashes the `CGI` binary `cs.exe` with an `access  
violation exception - 0xC0000005` trying to read memory from address  
`0xAAAA+8`:

-------------------------------------------------------------------------------  
[ PoC removed, will be published at a later date ]  
-------------------------------------------------------------------------------

There are `.dll` files (`libaprutil-1` & `libapriconv-1.dll`) which are not  
compiled with the security flag `Address Space Layout Randomization - ASLR`  
enabled, which can be used to achieve remote code execution.

-------------------------------------------------------------------------------  
.\winchecksec.exe --json (get-item C:\OPENTEXT-22\cgi\*.dll) > .\checksec-results.json  
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------  
cat checksec-results.json | jq -r '.[] | [.path, .mitigations.aslr.presence] | @csv'

"icudt69.dll","Present"  
"icuin69.dll","Present"  
"icuio69.dll","Present"  
"icutu69.dll","Present"  
"icuuc69.dll","Present"  
"jsoncpp.dll","Present"  
"libapr-1.dll","Present"  
"libapriconv-1.dll","NotPresent"  
"libaprutil-1.dll","NotPresent"  
"libcrypto-1_1-x64.dll","Present"  
"libexpat.dll","Present"  
"libssl-1_1-x64.dll","Present"  
"llcrypt.dll","Present"  
"llisapi.dll","Present"  
"llkernel.dll","Present"  
"llresources.dll","Present"  
"log4cxx.dll","Present"  
"PocoFoundation.dll","Present"  
-------------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 22.1 (16.2.19.1803)

The following versions are vulnerable according to the vendor:  
* 20.4 - 22.3

Vendor contact timeline:  
------------------------  
2022-10-07: Vendor contacted via security@opentext.com  
2022-10-07: Vendor acknowledged the email and is reviewing the reports  
2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to  
             be released in November  
2022-11-24: Vendor delays the patch "few days/weeks into December"  
2022-11-25: Requesting CVE numbers (Mitre)  
2022-12-15: Vendor delays the patch and provides a release date: January 16th 2023  
2023-01-17: Public release of security advisory

Solution:  
---------  
Upgrade to at least version 22.4 or apply hotfixes which can be downloaded at  
the vendor's page:  
https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2023

Tag

#js