ChatGPT: Productivity tool, great for writing poems, and… a security risk?! In this article, we show how threat actors can exploit ChatGPT, but also how defenders can use it for leveling up their game.
ChatGPT is the most swiftly growing consumer application to date. The extremely popular generative AI chatbot has the ability to generate human-like, coherent and contextually relevant responses.

Artificial Intelligence / Data Security

_ChatGPT: Productivity tool, great for writing poems, and… a security risk?! In this article, we show how threat actors can exploit ChatGPT, but also how defenders can use it for leveling up their game._

ChatGPT is the most swiftly growing consumer application to date. The extremely popular generative AI chatbot has the ability to generate human-like, coherent and contextually relevant responses. This makes it very valuable for applications like content creation, coding, education, customer support, and even personal assistance.

However, ChatGPT also comes with security risks. ChatGPT can be used for data exfiltration, spreading misinformation, developing cyber attacks and writing phishing emails. On the flip side, it can help defenders who can use it for identifying vulnerabilities and learning about various defenses.

In this article, we show numerous ways attackers can exploit ChatGPT and the OpenAI Playground. Just as importantly, we show ways that defenders can leverage ChatGPT to enhance their security posture as well.

**The Threat Actor - Hacking Made Easy**

ChatGPT makes it easier for people looking to enter the world of cybercrime. Here are a few ways it can be used for system exploitation:

*   **Finding Vulnerabilities** \- Attackers can prompt ChatGPT about potential vulnerabilities in websites, systems, APIs, and other network components.
    
    According to Etay Maor, Senior Director of Security Strategy at **Cato Networks**, "There are guardrails in ChatGPT and the Playground to prevent them from giving answers that support doing something bad or evil. But, 'social engineering' the AI enables finding a way around that wall."
    
    For example, this can be done by impersonating a pen tester about how to test a website's input field for vulnerabilities. The response from ChatGPT will include a list of website exploitation methods, like input validation testing, XSS testing, SQL injection testing, and more.
    
*   **Exploiting Existing Vulnerabilities** - ChatGPT can also provide attackers with the technological information they need about how to exploit an existing vulnerability. For example, a threat actor could ask ChatGPT how to test a known SQL injection vulnerability in a website field. ChatGPT will respond with input examples that will trigger the vulnerability.
*   **Using Mimikatz** - Threat actors can prompt ChatGPT to write code that downloads and runs Mimikatz.
*   **Writing Phishing Emails** - ChatGPT can be prompted to create authentic-looking phishing emails across a wide variety of languages and writing styles. In the example below, the prompt requests that the email is written to sound like it's coming from a CEO.
*   **Identifying Confidential Files** - ChatGPT can help attackers identify files with confidential data.

In the example below, ChatGPT is prompted to write a Python script that searches for Doc and PDF files that contain the word "confidential," copy them into a random folder and transfer them. While the code is not perfect, it is a good start for a person who wants to develop this capability. Prompts could also be more sophisticated and include encryption, creating a Bitcoin wallet for the ransom money, and more.

**The Defender - Defending Made Easy**

ChatGPT can and should also be used to enhance defender capabilities. According to Etay Maor, "ChatGPT also lowers the bar, in a good sense, for Defenders and for people who want to get into security." Here are a number of ways professionals can improve their security expertise and capabilities.

*   **Learning New Terms and Technologies** - ChatGPT can shorten the time it takes to research and learn new terms, technologies, processes and methodologies. It provides immediate, accurate and concise answers to security-related questions.

In the example below, ChatGPT explains what a specific snort rule is.

*   **Summarizing Security Reports** - ChatGPT can help summarize breach reports, helping analysts learn about how attacks were performed so they can prevent them from recurring in the future.
*   **Deciphering Attacker Code** - Analysts can upload attacker code to ChatGPT and get an explanation of the steps taken and the executed payload.
*   **Predicting Attack Paths** - ChatGPT can predict future probable attack paths of an attack, by analyzing similar past cyber attacks and the techniques that were used.
*   **Researching Threat Actors and Attack Paths** - Providing a report that maps a threat actor, including their recent attacks, technical data, mapping to frameworks, and more. In this example, a detailed, technical report is provided about the ALPHV Ransomware group.

*   **Identifying Code Vulnerabilities** \- Engineers can paste code in ChatGPT and prompt it to identify any vulnerabilities. ChatGPT can even identify vulnerabilities when there is no bug, only a logical error. Be wary of the code you upload. If it contains proprietary data you may be exposing it externally.

*   **Identifying Suspicious Activities in Logs** - Reviewing log activity and looking for suspicious activities.
*   **Identifying Vulnerable Web Pages** \- Web developers or security professionals can prompt ChatGPT to review a website's HTML code and identify vulnerabilities that would enable SQL injections, CSRF attacks, XSS attacks, or DDoS attacks.

**Additional Considerations When Using ChatGPT**

When using ChatGPT, it's important to acknowledge the importance of the following factors:

*   **Copyrights** - Who owns the generated content? When asking ChatGPT, the answer is that the person who wrote the prompt owns them. However, it is not as simple as that. This issue is still not completely resolved and will depend on various legal systems and precedents. A body of law is currently emerging about this issue.
*   **Data retention -** OpenAI may retain some of the data used as prompts for training or other research purposes. That's why it's important to exercise caution and avoid pasting any sensitive data into the application.
*   **Privacy -** There are privacy issues surrounding ChatGPT, ranging from how it uses the data it is being prompted with to how it stores user interactions. Therefore, it's recommended to avoid entering PII or customer data into the application.
*   **Bias -** ChatGPT is subject to bias. For example, when asked to rate groups based on intelligence, it placed certain ethnicities before others. Using responses blindly could have significant consequences for individuals. For example, if it is used to guide decision-making in courts, police profiling, recruitment processes, and more.
*   **Accuracy** - It's important to verify ChatGPT's results, since they are not always accurate (i.e, 'hallucinations'. In the example below, ChatGPT was prompted to write a list of five-letter words starting with B and ending with KE. One of the answers was "Bike".

*   **AI vs. AI** - Currently ChatGPT is not able to identify if a prompted text was written by AI or not. In the future, newer versions might be able to, which can help with security efforts. For example, this ability could help identify phishing emails.

Etay summarizes, "We can't stop progress, but we do need to teach people how to use these tools."

**To learn more about how security professionals can make the most of ChatGPT, watch the entire masterclass here.**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Offensive and Defensive AI: Let’s Chat(GPT) About It

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPSolutions-HQ WPDBSpringClean plugin <= 1.6 versions.

**Solution**

 No fix

No patched version is available.

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WPDBSpringClean Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-47510: WordPress WPDBSpringClean plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

The Ziteboard Online Whiteboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ziteboard' shortcode in versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5076: Ziteboard Online Whiteboard <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via ziteboard Shortcode — Wordfence Intelligence

A vulnerability classified as problematic was found in dstar2018 Agency up to 61. Affected by this vulnerability is an unknown functionality of the file search.php. The manipulation of the argument QSType/QuickSearch leads to cross site scripting. The attack can be launched remotely. The patch is named 975b56953efabb434519d9feefcc53685fb8d0ab. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-244495.

CVE-2019-25156

Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

JesseDahl opened this issue

May 24, 2018

· 34 comments

**Comments**

bootbox.confirm and alert use jquery's .html() (and other functions) that add content to html elements. These are a potential XSS security issue since jquery evaluates the content.

Here's a working example (scroll down to the bottom of the JS window for the example code, I just borrowed somebody's fiddle and modified)  
https://jsfiddle.net/93sk1zeh/2/

Pass in the following string to the text input field

<script>alert('HELLO WORLD')</script>

it should show 3 separate alert boxes (which verifies it can potentially be used for XSS attacks).

I think there's two options:

1.  Sanitize input before adding it to a DOM element using jquery, or build up the element in a safe manner (i'm not 100% sure the right way to do that just yet tbh)
2.  Mention in the documentation the potential danger of passing in user-submitted data as the first parameter to bootbox.confirm() and bootbox.alert(), or, if using an object instead of a string message, as the title property. This way it's clear the library user is responsible for sanitizing any input that might be used with bootbox.

I suppose I can see your point, although taking input from a user and then (safely) using it in a call to Bootbox as dialog content seems like something that's the responsibility of the developer, not this library.

I'll look into whether it's relatively easy to add something to sanitize message and title content, but I a) really don't want to write that myself, and b) really dislike adding another dependency to Bootbox.

Yeah I get that.

Maybe just a quick note in the docs about sanitizing your inputs before passing it in to bootbox?

The bootboxjs website is generated from the gh-pages branch, so if you would like to take a crack at that, I'd be happy to review a pull-request. Otherwise, it may be a little while before I get to something like that - what little free-time I have to work on projects like this has been spent trying to get the v5x branch ready for becoming the master branch.

oh yeah, didn't know the docs were on github too. i'll take a crack at it.

I'm not sure if this is very hard to fix but I think the current implementation is useful in many cases.  
So from a user perspective I want to still be able to show a dialog with HTML elements inside.

From implementation perspective all that needs to be done is to use .text method instead of .html  
And I think you can add a constructor called like Bootbox.Unsafe that if provided for message or title will be entered into the DOM using the html method. So unless user wraps the strings in this object explicitly the data will be parsed as text only.

If it sounds reasonable I can probably try to submit a pull request

@yonjah I'm not entirely sure I understand what you're suggesting.

I won't be changing the internals to use text() instead of html() - that would break most of the existing functionality, since the message and title options have always allowed HTML.

I'd have to reiterate my previous statement: sanitizing content seems out of scope for this plugin. If I can get 5.0 squared away and pushed to master, _maybe_ I could think about adding an option to allow a sanitizer to be passed in - that would allow devs to sanitize content, without having another large chunk of code for me to maintain.

@tiesont Using text() method by default seem like the best fix to this problem.  
But it is indeed a breaking change.

I wouldn't bother with implementing any solution that can't be activated by default since users will need to know to activate it. So it's not much better than changing the documentation and let users decide how they want to handle this issue.

BTW it seem like SweetAlert decided to solve this issue by offering a content property  
Which will contain an actual element to be injected into the dialog -  
t4t5/sweetalert#845  
It's also have the extra benefit of allowing easier integration with UI frameworks

@vedmant  
you just need to make sure you pass your input through a sanitizer before passing it into this library.

@vedmant "fix it" implies that something is broken. I think I've made it clear that I don't consider this a "bug" or problem with Bootbox, in spite of whatever external sites want to claim. If not, well, here it is:

I don't consider sanitizing the content that gets passed to the message option as in-scope for Bootbox, and it's been a feature for quite some time to allow HTML to be be passed in, allowing messages shown by bootbox.alert(), bootbox.confirm(), and bootbox.prompt() to have formatted text. It's not up to bootbox to decide if a programmer has a valid use or not to inject a <script> tag, which in and of itself is not malicious - it's whatever code it contains and what the intent was that matters.

@JesseDahl @tiesont I don't have security concerns here, the issue is that Snyk is reporting this package as not safe. Which required to manually add it to Snyk ignore list on every project, which is also a bad idea as if there any real security issue then it also will be ignored and not reported.

This gridlock needs to be resolved in some way, I enjoy using this package safely but cannot get a clean build without getting dirty :(

@nullivex I hope this doesn't come across poorly, as there's no malicious intent behind it, but I'm not terribly concerned about what external sites report about this library. Bootbox works the way it does by intent, allowing users to have formatted text in their messages (which is no different than normal Bootstrap modals). I'm not going to change the default behavior and force users to enable HTML via an option, which is probably what I would have to do to make HackerOne et al happy.

It's always an option to fork this library, make that change, and create a new npm package, if someone really wanted to use Bootbox without warnings, but I'm not interested in doing so at the moment. Granted, I'm not the owner of this package, but since @makeusabrew hasn't been seen in a while, the most active collaborator (which seems to be me) pretty much becomes the de facto decision maker.

As a note, there is a recent fork that possibly has fixed some of these issues, found here: https://github.com/lddubeau/bootprompt - you may want to investigate if that works better. At the least, no one has filed a vulnerability report on that package yet, so you wouldn't get the warnings you're seeing here.

@tiesont Thanks for getting back to me. I appreciate the time you took and sorry to bother you in the first place. I understand that life was all good until a security researcher decided something arbitrarily bad could happen when this library is used improperly. (Typically my thumb hurts after hitting it with a hammer so I think you are completely in the right!) Rather than continue to prod you over this and try to push you a direction you would rather not go. I would like to ask what you would see as a fitting solution to this issue? It could be important for other projects. I think you have ran into a reasonable disagreement with the security research done. I agree with your stance and wish the advisory could be adjusted personally. That being said. I would not mind hearing your opinion.

I hope this finds you well!

@nullivex I wouldn't call it "bothering" me. I understand that having that warning on the package is a problem for some users, but there's not a whole lot I can do about it. Someone decided that this small(ish) library needs to act the same way as a large framework like React, so now it's seen an issue.

As I noted, using bootprompt might a option - it's Bootbox ported to TypeScript, plus whatever changes that author has made since then. I did a quick scan, and it doesn't seem to use the html() function, which seems to be what all the fuss is about.

There are also other packages that have ported Bootbox to be jQuery-free, so that it can used in frameworks like Angular (I think one was called ng-bootbox, but it's been a bit since I last looked), so if you're using something like React or Angular, you might want to investigate those options.

I have thought about looking into what Bootstrap uses internally, since I think they have some form of HTML sanitizing built into their JavaScript components, if I recall correctly. I know that **I** don't have the requisite knowledge to build my own sanitizer, and there isn't much of a point of introducing an external dependency (developers can do that themselves, after all) if I were to rely on some other library (other than Bootstrap) to sanitize content.

Bootstrap's sanitizer functions (https://github.com/twbs/bootstrap/blob/master/js/src/util/sanitizer.js) seem fairly straight-forward, but none of these functions are part of it's public API. I suppose I could pull the code from that file into this project, but that would require manually updating the functions whenever Bootstrap fixes something. I'll consider it, but not promising anything.

@tarlepp Thoughts?

Using that bootstrap sanitizer would be nice addition, although using it won't solve all possible attacks with inputs (eg. SQL injections, etc.) - We cannot know how those input data are used in backend side and that isn't something that bootstrap/bootbox itself should do.

I've pinned this issue, to make it easier to find (and hopefully reduce duplicate issues being raised).

And imho this issue is not solved yet, so it should not be closed one - there is some improvements that could be done to bootbox side for this.

> it won't solve all possible attacks with inputs (eg. SQL injections, etc.)

@tarlepp could you elaborate on this point  
As far as I know bootbox only injects input into the DOM so it make sense to handle input in a safe manner preventing XSS and DOM related injections.  
Does bootbox send SQL queries with inputs? if not how can it cause SQL injections ?

BTW as implemented in #699 the fix desn't require any sanitation and allows to keep the exact same functionality with a minor API change

@yonjah Minor API change, yes. Major change in functionality, also yes, and I'm not okay with that.

@tarlepp was just making a point that user input should never be trusted implicitly - Bootbox doesn't do anything that involves back-end code.

@tiesont what is the major functionality change introduced in #699 ?

> @tarlepp was just making a point that user input should never be trusted implicitly - Bootbox doesn't do anything that involves back-end code.

So if it only handles the DOM I would say this is the only kind of injections we should worry about.

@yonjah Making HTML rendering (for the various options which currently allow it) require an extra step, rather than the default behavior, is a major difference, IMO, which is the majority of what your pull-request does. Anyone who's okay with adding something like

as their message option should be capable of using

$('<b>Hello World!</b>').sanitize() // assuming some external sanitizing library or function

@tiesont so from functionality perspective there is no issue the only change is API change -

bootbox.alert('<b>Hello World!</b>'); //Old API
bootbox.alert($('<b>Hello World!</b>')); //new API

Functionality is identical in both cases.

I agree that from API change adding some sanitize call when you need the HTML functionality might not be an issue but it probably wont solve the security issue. It will introduce the exact functionality change you are trying to prevent and when you don't need it it can be a major pain -

bootbox.alert(\`Hello ${user.name}\`);
bootbox.alert(request.error);

This examples are safe to use after the API change but are completely vulnerable with the current API.  
if the API expect a call to some sanitize function before passing the input in it will still be vulnerable.

@yonjah I think we'll have to agree to disagree. I respect your input and value the time you've put into this, but I don't agree with the changes you want to make, so **I** won't be pulling them in.

Hi all,

Forgive me if this is a noob question, but doesn't dev tools give the ability to execute arbitrary javascript code on a page **in the same way** that this bootbox "vulnerability" gives? Sure, maybe a malicious user can inject code into the bootbox callback, but then it's still running frontend code which we already know is manipulable by the user.

If this ability to execute code gives malicious users a route to cause arbitrary code to be executed for anyone other than themselves, then I definitely want to fill in the gaps in my understanding.

Ryan

It could be a "stored XSS" type of attack. Some malicious user enters some value that gets stored in the backend. Then later some other user accesses some record or piece of information, and that stored bit of xss payload gets loaded into the app and into bootbox somehow.

In this case the user input is indirect and stored on the backend first before becoming a problem.

Is there any update on the topic? My pipeline warns about this XSS issue and it's not fixable for me. If it's not an issue, maybe this can be sorted out with the security repo to remove the warning there?

@GitRon It's still an issue in that the notice isn't going to go away unless we change the internals of Bootbox to not use jQuery's .html() function or introduce an internal sanitizer. I'm not doing either anytime soon, as mentioned above and in related issues.

If you're never going to use HTML in your messages or titles, you can fork this repo and replace any uses of .html() with respect to the message and title options, which would probably let your fork pass whatever tool was used to determine Bootbox is vulnerable to injection.

This was referenced

Sep 6, 2021

> @tiesont, what about having bootbox accept a user provider sanitizer function, like prototyped in https://github.com/makeusabrew/bootbox/compare/master...gberaudo:accept\_global\_sanitizer?expand=1. This would:

@gberaudo That's been suggested before, but doesn't really solve the problem, at least as far as these "scan this project for issues" sites are concerned. There's nothing stopping anyone from running user input from an external sanitizer already (which seems like a completely rational solution). I suppose it would be a little less work from a developer's standpoint - supply an sanitizer, then all future values are cleaned automatically. But then again, that's solvable with a global helper function, so...

The core of the issue is that there seems to be an expectation that our small library, which has been around a while and was never built to be used in the context of things like React, should provide the same sort of "protect me from myself" functionality that much larger libraries do. **I** don't have the time or inclination to support an embedded sanitizing function, nor does @tarlepp. Since we're pretty much it as far as active collaborators, well, you get what we're okay with supporting.

If we ever decide to do a Bootbox 6, sure, I'll make sure that there's a way to define a sanitizer (and provide some sort of basic cleaning), but that's a project for next year, _maybe_...

Thanks for your reply @tiesont. I have double checked the discussion in this thread and I did not see where a similar proposition has been made before. Maybe it was proposed in another place? If you have a pointer to it, I would appreciate it because I really like to understand the situation here.

So far, I get that you want:

*   no breaking changes (which is fair);
*   no undue maintenance burden (writing an internal sanitizer function is a no-go).  
    Also you don't care about bootbox being flagged as "unsafe" by companies like Snyk.

I am completly aligned with what you wrote, it is fair and reasonable to me. That is why I proposed a solution that has the merits of:

*   closing this issue;
*   being easy to implement and maintain;
*   being opt-in, no breaking change;
*   being flexible (use or not a sanitizer function, choose the one you like, implement your own, ...);
*   addressing the problem of unsafe usage of the lib: as soon as a sanitizer is defined, all subsequent usages of bootbox will be secure which is a great step forwards for me and my team, making us confident to press the "I know what I am doing button and whitelist this library".

That is as far as I can go to try to explain and convince you that the current issue is addressable upstream in a sane way.  
Thanks for the great discussions and have a good day.

CVE-2023-46998: Document or fix possible XSS vulnerability (via jquery) · Issue #661 · bootboxjs/bootbox

Veeam has released security updates to address four flaws in its ONE IT monitoring and analytics platform, two of which are rated critical in severity.
The list of vulnerabilities is as follows -

CVE-2023-38547 (CVSS score: 9.9) - An unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration

Network Security / Vulnerability

Veeam has released security updates to address four flaws in its ONE IT monitoring and analytics platform, two of which are rated critical in severity.

The list of vulnerabilities is as follows -

*   **CVE-2023-38547** (CVSS score: 9.9) - An unspecified flaw that can be leveraged by an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database, resulting in remote code execution on the SQL server.

*   **CVE-2023-38548** (CVSS score: 9.8) - A flaw in Veeam ONE that allows an unprivileged user with access to the Veeam ONE Web Client to obtain the NTLM hash of the account used by the Veeam ONE Reporting Service.

*   **CVE-2023-38549** (CVSS score: 4.5) - A cross-site scripting (XSS) vulnerability that allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role.

*   **CVE-2023-41723** (CVSS score: 4.3) - A vulnerability in Veeam ONE that permits a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.

While CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 impact Veeam ONE versions 11, 11a, 12, CVE-2023-38548 affects only Veeam ONE 12. Fixes for the issues are available in the below versions -

*   Veeam ONE 11 (11.0.0.1379)
*   Veeam ONE 11a (11.0.1.1880)
*   Veeam ONE 12 P20230314 (12.0.1.2591)

Over the past few months, critical flaws in the Veeam backup software have been exploited by multiple threat actors, including FIN7 and BlackCat ransomware, to distribute malware.

Users running the affected versions are recommended to stop the Veeam ONE Monitoring and Reporting services, replace the existing files with the files provided in the hotfix, and restart the two services.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaws Discovered in Veeam ONE IT Monitoring Software – Patch Now

Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

**Description**

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

**Proof of Concept**

https://drive.google.com/file/d/1ZrzJwy1kKdGPPmkIbU-GOB5Ok\_G3Yywf/view?usp=sharing

**Impact**

This security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...

CVE-2023-5903: STORED XSS in Journal-> Sections in pkp-lib

**BUG**

Stored xss using journal-name in journal-tab

**ACCOUNT**

1\. user-A --> superadmin --> Victim --> Firefox browser Normal mode  
2\. user-B --> journal manager --> Attacker --> Firefox browser Container-1\\

**STEP TO RERPODUCE**

1\. From user-A account create a journal called "journal-A".

2\. Add user-B to this journal as "journal manager" .i already did

3\. Login into user-B account and change journal name to xss payloadxss"'><img src=x onerror=alert(document.domain)>

4\. from user-A account open journal-statistics in http://localhost/ojs-3.4.0-3/index.php/xss/stats/context/context and see xss is executed \\

**IMPACT**

Using this xss attacker(user-B) can execute any javascript code in victim(user-A) account . And can full control over the victim account by executing any javascript code

**VIDEO POC**

https://drive.google.com/file/d/1iA456XdYaWe7qgkkkhp\_I3Wzlr8fn2Re/view?usp=sharing

**Impact**

Using this xss attacker(user-B) can execute any javascript code in victim(user-A) account . And can full control over the victim account by executing any javascript code

CVE-2023-5904: Stored xss using journal-name in journal-tab in pkp-lib

Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16.



**Description**

I tested the demo site you provided. I see that there is a file upload vulnerability which can lead to XSS. Hope you check and find a solution as soon as possible.

**Proof of Concept**

link video Poc

https://drive.google.com/file/d/1LAcTulbfhGJfCmWdIel9e-Sk\_\_uoQbDq/view?usp=sharing

**Steps**

1 .Login as account demo

2 .Access the module issues

3 .Then create an issue

4 .Upload an SVG file with the following content:

             <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
                 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
                 <script type="text/javascript">
                         alert(document.cookie);
                 </script>
              </svg>
    

5 .Save the issue and access the newly created issue, then access the just uploaded SVG file and the payload will be executed

**Impact**

XSS (Cross-Site Scripting) is a type of web security vulnerability caused by improper input validation and inadequate data sanitization in a web application. It occurs when an attacker injects malicious scripts (usually in the form of HTML or JavaScript) into a website's database or storage, which is then fetched and displayed to unsuspecting users. These scripts are executed in the browsers of those who visit the infected page, enabling the attacker to steal sensitive information, such as login credentials or personal data, and potentially take control of the user's account or perform malicious actions on their behalf. To prevent stored XSS, developers must implement proper input validation and output encoding to ensure that user-supplied data is treated as plain text and not executed as code on the web page.

CVE-2023-5901: Cross-Site Scripting ( XSS) Via file upload in pkp-lib

Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.

�PNG  IHDRxT�W#AsRGB���gAMA���a pHYs%%IR$�ciTXtSnipMetadata{"clipPoints":\[{"x":0,"y":0},{"x":1656,"y":0},{"x":1656,"y":852},{"x":0,"y":852}\]}{�} �6IDATx^��\`e�?�o�i$!!��$�zDA;��C;�ꩇ���NENϟ�/rz��rz6,���,��4I!�$@ �M����L����M�������Nߙ���}}z��W������ͩ@�y�Z�{����V��������g��~5D���{�k"""""j��!"""�6�\*���1�QM�;�\_�w�������Q���\_��\*x��ap����������ղ���,Q��z6""""":~0�CDDDD�{y""""��

Tag

#xss