Multiple Stored Cross Site Scripting (XSS) vulnerabilities in Opart opartmultihtmlblock before version 2.0.12 and Opart multihtmlblock* version 1.0.0, allows remote authenticated users to inject arbitrary web script or HTML via the body_text or body_text_rude field in /sourcefiles/BlockhtmlClass.php and /sourcefiles/blockhtml.php.

**IMPORTANT NOTICE**: DO NOT REPORT VULNERABILITIES SOLELY TO THE AUTHOR OR MARKETPLACE.

We urge you to report any vulnerabilities directly to us. Our mission is to ensure the safety and security of the PrestaShop ecosystem. Unfortunately, many module developers may not always recognize or acknowledge the vulnerabilities in their code, whether due to lack of awareness, or inability to properly evaluate the associated risk, or other reasons.

Given the rise in professional cybercrime networks actively seeking out these vulnerabilities, it's crucial that any potential threats are promptly addressed and the community is informed. The most effective method to do this is by publishing a CVE, like the one provided below.

Should you discover any vulnerabilities, **please report them to us at: report\[@\]security-presta.org**.

Every vulnerability report helps make the community more secure, and we are profoundly grateful for any information shared with us.

Multiple cross-site scripting (XSS) vulnerabilities of Type 2 (Stored XSS) B2F (Back to front) in the Multi html block (opartmultihtmlblock) module and multihtmlblock\* sub-modules from Opart for PrestaShop, prior to version 2.0.12, allows remote authenticated users to inject arbitrary web script or HTML via the body_text or body_text_rude field.

**Summary**

*   **CVE ID**: CVE-2023-30148
*   **Published at**: 2023-10-10
*   **Advisory source**: Friends-Of-Presta
*   **Platform**: PrestaShop
*   **Product**: opartmultihtmlblock and multihtmlblock\* sub-modules
*   **Impacted release**: For opartmultihtmlblock <= 2.0.11 (Fixed in 2.0.12), for multihtmlblock\* : = 1.0.0
*   **Product author**: Opart
*   **Weakness**: CWE-79
*   **Severity**: medium (6.1)

**Description**

Prior to version 2.0.12 of the Prestashop Multi html block (opartmultihtmlblock) module and multihtmlblock\* sub-modules for PrestaShop, scripts can be injected into the database by the admin configuration form or chained by an SQL injection, which can then be executed in user browsers.

**WARNING**: This vulnerability has been seen as exploited to inject malicious code into the payment page using the displayBanner hook from the multihtmlblockmessageheader sub-module (exploited by a compromised admin).

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: high
*   **User interaction**: high
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

**Possible malicious usage**

*   Hijack payment modules
*   Redirect users to another website
*   Technical and personal data leaks

**Patch**

Patches listed below will:

1.  Sanitize the admin form (removing scripts thanks to isCleanHtml validate, and removing iframes is not authorized in HTML fields
2.  Sanitize the string saved in the database before displaying it (to disable corrupted data from SQL injections)

Please note that these patches should be applied to the main module opartmultihtmlblock and all multihtmlblock\* sub-modules. For the main module, the component to modify is the class BlockhtmlClass in sourcefiles directory and well as the main class Blockhtml, and for the sub-modules, the component to edit is the Multihtmlblock*Class as well as the main class Multihtmlblock*

    --- a/sourcefiles/BlockhtmlClass.php
    +++ b/sourcefiles/BlockhtmlClass.php
    @@ -62,8 +62,8 @@ class %Modulename%Class extends ObjectModel
                    'fields' => array(
                            'id_shop' =>                            array('type' => self::TYPE_INT, 'validate' => 'isunsignedInt', 'required' => true),
                            // Lang fields
    -                       'body_text' =>                  array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isString'),
    -                        'body_text_rude' =>            array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isString'),
    +                       'body_text' =>                  array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isCleanHtml'),
    +                        'body_text_rude' =>            array('type' => self::TYPE_HTML, 'lang' => true, 'validate' => 'isCleanHtml'),
                             'all_pages' => array('type' => self::TYPE_BOOL, 'validate' => 'isBool'),
                             'show_on_home' =>            array('type' => self::TYPE_STRING, 'validate' => 'isBool'),
                             'category_id' =>            array('type' => self::TYPE_STRING, 'validate' => 'isString'),
    

    --- a/sourcefiles/blockhtml.php
    +++ b/sourcefiles/blockhtml.php
    @@ -384,9 +384,27 @@ class %Modulename% extends Module
                                 $blockhtml=new %Modulename%Class();
                                 $blockhtml->id_shop=$id_shop;                                
                                 $blockhtml->copyFromPost();
    +                            // Validate if our html fields contains an iframe
    +                            $isIframeValidated = $this->validateIframe($blockhtml->body_text);
    +                            $isIframeValidated = $isIframeValidated ?
    +                                $this->validateIframe($blockhtml->body_text_rude) :
    +                                $isIframeValidated;
    +                            if (!$isIframeValidated) {
    +                                // There is an iframe that is not allowed, we stop here
    +                                return false;
    +                            }
                                 $blockhtml->save();
                            }
                             $blockhtml->copyFromPost();
    +                        // Validate if our html fields contains an iframe
    +                        $isIframeValidated = $this->validateIframe($blockhtml->body_text);
    +                        $isIframeValidated = $isIframeValidated ?
    +                            $this->validateIframe($blockhtml->body_text_rude) :
    +                            $isIframeValidated;
    +                        if (!$isIframeValidated) {
    +                            // There is an iframe that is not allowed, we stop here
    +                            return false;
    +                        }
                             $blockhtml->update();
                             
                            $this->messages[]=$this->l('Block successfuly update');
    @@ -395,6 +413,25 @@ class %Modulename% extends Module
                    }
            }
     
    +    /**
    +     * Validate a string depending if iframes are allowed in HTML fields
    +     *
    +     * @param string $htmlBody
    +     *
    +     * @return bool
    +     */
    +    protected function validateIframe($htmlBody)
    +    {
    +        foreach ($htmlBody as $stringToValidate) {
    +            if (!Configuration::get('PS_ALLOW_HTML_IFRAME') &&
    +                preg_match('/<iframe.*src=\"(.*)\".*><\/iframe>/isU', $stringToValidate)) {
    +                $this->erreurs[] = $this->trans('To use <iframe>, enable the feature in Shop Parameters > General');
    +                return false;
    +            }
    +        }
    +        return true;
    +    }
    +
             private function getIsInArray($controller_name,$obj_value,$the_get) {
                 if(get_class($this->context->controller)==$controller_name && $obj_value != "") {
                     $id_array = explode(',',$obj_value);
    @@ -478,7 +515,10 @@ class %Modulename% extends Module
                     
                     if(!$this->displayAllowed($blockhtml))
                         return false;
    -                
    +        // Remove all scripts tags (including inline scripts)
    +        $blockhtml->body_text_rude = $this->sanatizeHtmlForDisplay($blockhtml->body_text_rude);
    +        $blockhtml->body_text = $this->sanatizeHtmlForDisplay($blockhtml->body_text);
    +
                    $this->smarty->assign(array(
                            'blockhtml' => $blockhtml,
                            'default_lang' => (int)$this->context->language->id,
    @@ -495,6 +535,68 @@ class %Modulename% extends Module
                         return $this->display(__FILE__, 'views/templates/ps17/blockhtml.tpl');
            }
            
    +    /**
    +     * Remove JavaScript from HTML
    +     * Credit to : https://www.mradeveloper.com/blog/remove-javascript-from-html-with-php
    +     *
    +     * @param string $inputP
    +     *
    +     * @return string sanatized HTML
    +     */
    +    protected function sanatizeHtmlForDisplay($inputP)
    +    {
    +        $spaceDelimiter = "#BLANKSPACE#";
    +        $newLineDelimiter = "#NEWLNE#";
    +                                    
    +        $inputArray = [];
    +        $minifiedSanitized = '';
    +        $unMinifiedSanitized = '';
    +        $sanitizedInput = [];
    +        $returnData = [];
    +        $returnType = "string";
    +
    +        if($inputP === null) return null;
    +        if($inputP === false) return false;
    +        if(is_array($inputP) && sizeof($inputP) <= 0) return [];
    +
    +        if (is_array($inputP)) {
    +            $inputArray = $inputP;
    +            $returnType = "array";
    +        } else {
    +            $inputArray[] = $inputP;
    +            $returnType = "string";
    +        }
    +
    +        foreach($inputArray as $input)
    +        {
    +            $minified = str_replace(" ",$spaceDelimiter,$input);
    +            $minified = str_replace("\n",$newLineDelimiter,$minified);
    +
    +            //removing <script> tags
    +            $minifiedSanitized = preg_replace("/[<][^<]*script.*[>].*[<].*[\/].*script*[>]/i","",$minified);
    +
    +            $unMinifiedSanitized = str_replace($spaceDelimiter," ",$minifiedSanitized);
    +            $unMinifiedSanitized = str_replace($newLineDelimiter,"\n",$unMinifiedSanitized);
    +
    +            //removing inline js events
    +            $unMinifiedSanitized = preg_replace("/([ ]on[a-zA-Z0-9_-]{1,}=\".*\")|([ ]on[a-zA-Z0-9_-]{1,}='.*')|([ ]on[a-zA-Z0-9_-]{1,}=.*[.].*)/","",$unMinifiedSanitized);
    +
    +            //removing inline js
    +            $unMinifiedSanitized = preg_replace("/([ ]href.*=\".*javascript:.*\")|([ ]href.*='.*javascript:.*')|([ ]href.*=.*javascript:.*)/i","",$unMinifiedSanitized);
    +
    +                                        
    +            $sanitizedInput[] = $unMinifiedSanitized;
    +        }
    +
    +        if ($returnType == "string" && sizeof($sanitizedInput) > 0) {
    +            $returnData = $sanitizedInput[0];
    +        } else {
    +            $returnData = $sanitizedInput;
    +        }
    +                                    
    +        return $returnData;
    +    }
    +    
            public function hookDisplayTop($param)  {
                    return $this->hookDisplayLeftColumn($param);
            }
    

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module
*   To mitigate potential issues arising from credential leaks, enforce mandatory 2FA for backoffice logins. This will necessitate the integration of a 2FA module.

**Timeline**

Date

Action

2023-02-10

First exploit detected in server logs

2023-03-11

Discovery and POC of the vulnerability by Profileo

2023-03-12

Contacting the editor

2023-03-14

Editor confirmed the vulnerability and is planning a new release of the module

2023-03-15

First patch (2.0.11) of the module suggested. Additional fixes were required

2023-03-15

New release of the module (2.0.12)

2023-04-03

The editor communicated with known customers concerning the vulnerability

2023-04-21

CVE ID Received

2023-10-10

Publishing this security advisory

**Links**

*   Editor Website store-opart
*   National Vulnerability Database

**DISCLAIMER:** _The French Association Friends Of Presta (FOP) acts as an intermediary to help hosting this advisory. While we strive to ensure the information and advice provided are accurate, FOP cannot be held liable for any consequences arising from reported vulnerabilities or any subsequent actions taken._

CVE-2023-30148: [CVE-2023-30148] Multiple cross-site scripting (XSS) vulnerabilities in the Multi html block (opartmultihtmlblock) module and multihtmlblock* sub-modules from Opart for PrestaShop

A cross-site scripting (XSS) vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.

We have already fixed the vulnerability in the following version:
Video Station 5.7.0 ( 2023/07/27 ) and later


Security ID : QSA-23-52

*   Release date : October 14, 2023
    
*   CVE identifier : CVE-2023-34975 | CVE-2023-34976 | CVE-2023-34977
    
*   Affected products: Video Station 5.7.x
    

**Summary**

Three vulnerabilities have been reported to affect Video Station:

*   CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities
*   CVE-2023-34977: Cross-site scripting (XSS) vulnerability

If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network.

We have already fixed the vulnerability in the following version:

Affected Product

Fixed Version

Video Station 5.7.x

Video Station 5.7.0 (2023/07/27) and later

**Recommendation**

To fix the vulnerability, we recommend updating Video Station to the latest version.

**Updating Video Station**

1.  Log on to QTS or QuTS hero as administrator.
2.  Open the **App Center** and then click  .  
    A search box appears.
3.  Type "Video Station" and then press **ENTER**.  
    Video Station appears in the search results.
4.  Click **Update**.  
    A confirmation message appears.  
    **Note:** The **Update** button is not available if your Video Station is already up to date.
5.  Click **OK**.  
    The application is updated.

**Attachment**

*   CVE-2023-34975.json
*   CVE-2023-34976.json
*   CVE-2023-34977.json

**Acknowledgements:** Kaibro

**Revision History:**  
V1.0 (October 14, 2023) - Published

CVE-2023-34977: Vulnerabilities in Video Station - Security Advisory

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22.

**Cross-site Scripting (XSS) in froxlor/froxlor**

Moderate severity GitHub Reviewed Published Oct 13, 2023 to the GitHub Advisory Database • Updated Oct 13, 2023

GHSA-cvwv-h85m-w37h: Cross-site Scripting (XSS) in froxlor/froxlor

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

** PSIRT Advisories**

**FortiSandbox - Reflected Cross Site Scripting (XSS) on the "file ondemand" rendering endpoint**

**Summary**

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability \[CWE-79\] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version

Affected

Solution

FortiSandbox 4.4

4.4.0 through 4.4.1

Upgrade to 4.4.2 or above

FortiSandbox 4.2

4.2.0 through 4.2.5

Upgrade to 4.4.2 or above

FortiSandbox 4.0

4.0.0 through 4.0.3

Upgrade to 4.0.4 or above

FortiSandbox 3.2

3.2 all versions

Migrate to a fixed release

FortiSandbox 3.1

3.1 all versions

Migrate to a fixed release

FortiSandbox 3.0

3.0 all versions

Migrate to a fixed release

FortiSandbox 2.5

2.5 all versions

Migrate to a fixed release

FortiSandbox 2.4

2.4.1

Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Fortinet is pleased to thank security researcher Sander Van der Borght (@Sander\_\_VdB\_) for discovering and reporting this vulnerability under responsible disclosure.

**Timeline**

2023-10-13: Initial publication

CVE-2023-41843: Fortiguard

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.1 and 4.4.0 and 4.2.0 through 4.2.5 and 4.0.0 through 4.0.3 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 and 2.5.0 through 2.5.2 and 2.4.1 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

** PSIRT Advisories**

**FortiSandbox - XSS on delete endpoint**

**Summary**

Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability \[CWE-79\] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version

Affected

Solution

FortiSandbox 4.4

4.4.0 through 4.4.1

Upgrade to 4.4.2 or above

FortiSandbox 4.2

4.2.0 through 4.2.5

Upgrade to 4.4.2 or above

FortiSandbox 4.0

4.0.0 through 4.0.3

Upgrade to 4.0.4 or above

FortiSandbox 3.2

3.2 all versions

Migrate to a fixed release

FortiSandbox 3.1

3.1 all versions

Migrate to a fixed release

FortiSandbox 3.0

3.0 all versions

Migrate to a fixed release

FortiSandbox 2.5

2.5 all versions

Migrate to a fixed release

FortiSandbox 2.4

2.4.1

Migrate to a fixed release

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

**Timeline**

2023-10-13: Initial publication

CVE-2023-41680: Fortiguard

An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.0 and 4.2.0 through 4.2.4, and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.4 through 3.0.7 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

** PSIRT Advisories**

**FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint**

**Summary**

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability \[CWE-79\] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version

Affected

Solution

FortiSandbox 4.4

4.4.0

Upgrade to 4.4.2 or above

FortiSandbox 4.2

4.2.0 through 4.2.4

Upgrade to 4.4.2 or above

FortiSandbox 4.0

4.0 all versions

Migrate to a fixed release

FortiSandbox 3.2

3.2 all versions

Migrate to a fixed release

FortiSandbox 3.1

3.1 all versions

Migrate to a fixed release

FortiSandbox 3.0

3.0.4 through 3.0.7

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

**Timeline**

2023-10-13: Initial publication

CVE-2023-41836: Fortiguard

An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie.

**GRANDING UTime Master - IDOR**

 Hi All,

I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v UTime Master\_9.0.7-Build:Apr 4,2023). 

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser.

Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees.

1.  Login to UTime Master using any account.
2.  Capture the request in burpsuite with the valid cookies.
3.  modify the URL to "/base/adminlog/table/?page=1&limit=200"
4.  Forward the request and it will fetch all the admin logs.

  

XSS has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.

**Popular posts from this blog**

**ZKT Eco ADMS - Stored XSS**

 Hi All, I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users. Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213 Technical details Login to ZKT Eco ADMS (default admin/admin) Click on System and click on Employee Click on Append button to add new Employee In Emp Name field Add your XSS payload. For testing I have used a non malicious code "/><img src=a onerror=alert('stored-XSS');> Click on Submit button, it will redirect you to the employee list, and our payload will be executed. XSS payload embedded in EMP NAME field. our payload executed successfully. XSS has been fixed in latest versions after 3.1-164.

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

CVE-2023-45393: GRANDING UTime Master - IDOR

A stored cross-site scripting (XSS) vulnerability in the Create A New Employee function of Granding UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter.

**GRANDING UTime Master - Stored XSS**

 Hi All,

I was able to identify stored XSS in one online attendance system i.e. GRANDING UTime Master (v UTime Master\_9.0.7-Build:Apr 4,2023).

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser.

1.  Login to UTime Master using admin account
2.  Click on Personnel > Employee Management >Employee
3.  Select Any employee or create a new employee
4.  In First name Section embed you payload. For test case I used "/><img src=a onerror=alert(22)>

_XSS payload embedded in EMP NAME field._

Save the employee details, Once the page refreshed it will execute your payload.

_our payload executed successfully._

_I have also observed multiple other fields are also vulnerable to XSS e.g. Device Name, Department etc._

XSS has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.

**Popular posts from this blog**

**ZKT Eco ADMS - Stored XSS**

 Hi All, I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users. Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213 Technical details Login to ZKT Eco ADMS (default admin/admin) Click on System and click on Employee Click on Append button to add new Employee In Emp Name field Add your XSS payload. For testing I have used a non malicious code "/><img src=a onerror=alert('stored-XSS');> Click on Submit button, it will redirect you to the employee list, and our payload will be executed. XSS payload embedded in EMP NAME field. our payload executed successfully. XSS has been fixed in latest versions after 3.1-164.

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

CVE-2023-45391: GRANDING UTime Master - Stored XSS

WordPress Core versions prior to 6.3.2 suffer from arbitrary shortcode execution, cross site scripting, denial of service, and information leakage vulnerabilities. Versions prior to 6.3.2 are vulnerable.

The newest WordPress patch includes fixes for 8 Medium-Severity security issues, several of which are trivial to exploit.

WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While all of the vulnerabilities are of Medium severity, several of them are impactful enough to potentially allow site takeover, and thus the 6.3.2 update has the most significant security fixes we’ve seen in a while.

Many of these patches have been backported to every version of WordPress since 4.1, with just a few being backported to the major version in which the functionality was released. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.

The Wordfence Threat Intelligence Team released two new firewall rules today to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities patched, and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023.

If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.

Technical Analysis and Overview

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

No More ShortCode Abuse

Description: WordPress Core <= 6.3.1 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

Affected Versions: WordPress Core < 6.3.2

Researcher: James Golovich & WhiteCyberSec 

CVE ID: Pending

CVSS Score: 5.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to arbitrary shortcode execution in versions up to, and including, 6.3.1 due to a lack of input validation on the ‘shortcode’ parameter in the parse_media_shortcode AJAX function. This allows authenticated attackers, with subscriber-level privileges and above, to execute arbitrary shortcodes.

While this patch does not address a specific vulnerability, it blocks a common vector that enables attackers to exploit vulnerabilities that use shortcodes. Before WordPress 6.3.2, any authenticated user, including subscribers could execute any shortcode by calling the built-in ‘parse-media-shortcode’ AJAX handler.

The changeset in WordPress 6.3.2 restricts this AJAX handler to media shortcodes, and requires the ’embed’ shortcode to be associated with an active post ID that the user can access.

This means that a large range of SQL Injection, Sensitive Information Disclosure, and Remote Code Execution vulnerabilities that required only an active user login can now only be exploited by Contributor-level users or above.

You can find several of the shortcode-based vulnerabilities we reference by searching the Wordfence Intelligence vulnerability database.

Previously our team could not add a firewall rule to prevent the execution of arbitrary shortcodes due to the varying use cases. Fortunately, with this patch and change, the expected behavior of the parse-media-shortcode action has been restricted by WordPress Core, so we were able to create a generic firewall rule that will prevent arbitrary execution of shortcodes that are not in the allowlist from the function. Wordfence Premium, Care, and Response customers received this rule today, while those still on the free version of Wordfence will receive this rule after a 30 day delay on November 11th, 2023.

Reflected Cross-Site Scripting via Application Passwords

Description: WordPress Core 5.6-6.3.1 – Reflected Cross-Site Scripting via Application Password Requests

Affected Versions: WordPress Core < 6.3.2

Researcher: mascara7784 

CVE ID: Pending

CVSS Score: 6.1(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Reflected Cross-Site Scripting via the ‘success_url’ and ‘reject_url’ parameters when requesting application passwords in versions between 5.6 and 6.3.1 due to insufficient input sanitization and output escaping of pseudo protocol URIs. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link and accepting or rejecting the application password.

WordPress allows applications to request application passwords to be generated for them. WordPress before 6.3.2 fails to validate the redirect URIs used when a password is authorized or rejected, which means that an attacker could generate a URL for an application password request containing data: and javascript: pseduo protocol redirects. If the victim visits this URL on their site and approves or rejects the application password request, they could be redirected to a URI that executes JavaScript on their browser. WordPress 6.3.2 contains a patch for this issue.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors.

All Wordfence users, including Wordfence free, Wordfence Premium, Wordfence Care, and Wordfence Response users are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection. Additionally, Wordfence disables application passwords by default.

Comment Visibility

Description: WordPress Core <= 6.3.1 – Authenticated(Contributor+) Sensitive Information Exposure via Comments on Protected Posts

Affected Versions: WordPress Core < 6.3.2

Researcher: JB Audras(WordPress Security Team) & Rafie Muhammad(Patchstack) 

CVE ID: Pending

CVSS Score: 4.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.3.1 via the comments listing. This allows authenticated users, with contributor-level privileges or above, to view comments on protected posts.

Prior to WordPress 6.3.2, it was possible for users to view comments on posts even when they did not have access to those posts. While this is in most cases a relatively low-impact issue, WordPress 6.3.2 contains a patch protecting the privacy of comments on private or protected posts.

Removing POP Chains

While WordPress Core has not had a known Object Injection vulnerability for some time, Object Injection vulnerabilities in various plugins and themes are regularly discovered by researchers, including Wordfence’s own in-house Threat Intelligence team.

All Object Injection vulnerabilities require POP chains in order to be successful. Prior to WordPress 6.3.2, potential POP chains were present in the WP_Theme, WP_Block_Type_Registry, WP_Block_Patterns_Registry, Requests/Session, Request/Iri, and Requests/Hooks classes. While we were unable to develop a functioning exploit for these in the time available, the patches involved indicate that they are designed to prevent unexpected Object Unserialization that could lead to Remote Code Execution. Credit to Marc Montpas of Automattic for discovering the vulnerable POP chains.

The Wordfence Threat Intelligence Team will continue reverse engineering this patch to determine if a firewall rule will be necessary, but at this time it has not received an official vulnerability entry because it is not technically a vulnerability on its own.

No More Searching By Email

Description: WordPress Core 4.7.0-6.3.1 – Sensitive Information Exposure via User Search REST Endpoint

Affected Versions: WordPress Core < 6.3.2

Researcher: Marc Montpas(Automattic) 

CVE ID: Pending

CVSS Score: 5.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the ‘list_users’ capability, the search is applied to the user_email column. This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.

While WordPress prior to 6.3.2 did not directly display user email addresses to users without the “list_users” capability, it still searched the user email column in wp_users. This meant that it was possible to brute-force search or verify the email address of any user with a published post or page by including the partial email address in the search parameter, potentially impacting user privacy. The patch for this limits the search columns for users without the “list_users” capability to only the columns displayed.

Cache Poisoning Denial of Service

Description: WordPress Core 4.7.0-6.3.1 – Denial of Service via Cache Poisoning

Affected Versions: WordPress Core < 6.3.2

Researcher: s5s & raouf_maklouf 

CVE ID: Pending

CVSS Score: 5.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Denial of Service via Cache Poisoning in versions between 4.7.0 and 6.3.1. In cases where the X-HTTP-Method-Override header was sent in a request to a REST endpoint and the endpoint returned a 4xx error, the error could be cached, resulting in denial of service.

Responses to REST API requests are not cached for logged-in users, but WordPress Core before 6.3.2 had an edge case where, in heavily cached configurations, an unauthenticated attacker could send a request to the REST API using the X-HTTP-Method-Override header to a public endpoint and receive a 4xx error, either because the endpoint restricts access to those methods or does not support them at all. In cases where the error is cached, any other unauthenticated visitors attempting to retrieve data from that endpoint would see the cached 4xx error.

Contributor+ Stored Cross-Site Scripting in Footnotes

Description: WordPress Core 6.3-6.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Footnotes Block

Affected Versions: WordPress Core < 6.3.2

Researcher: Jorge Costa(WordPress Core Team) 

CVE ID: Pending

CVSS Score: 6.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Stored Cross-Site Scripting via the footnotes block in versions between 6.3 and 6.3.1 due to insufficient input sanitization and output escaping on the footnotes block. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress prior to 6.3.2 did not adequately sanitize the content of footnote blocks, allowing authenticated users, with Contributor-level privileges or above, to insert JavaScript that would execute when a page containing the footnotes was visited. While input is partially escaped on the client-side, it is possible to intercept a request and add unescaped script tags to the footnote metadata. WordPress has released a patch for this vulnerability in 6.3.2.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors.

We have released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response users against this vulnerability, and free Wordfence users will receive the same protection in 30 days, on November 11th, 2023.

Contributor+ Stored Cross-Site Scripting in Navigation Links

Description: WordPress Core 5.9-6.3.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via navigation attributes

Affected Versions: WordPress Core 5.9-6.3.1

Researcher: Rafie Muhammad & Edouard L of Patchstack 

CVE ID: Pending

CVSS Score: 6.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Stored Cross-Site Scripting via the arrow navigation block attributes in versions between 5.9 and 6.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level privileges and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress Core’s Block Editor includes a navigation block that includes arrows or chevrons to display previous and next posts. WordPress before 6.3.2 failed to adequately check or sanitize the attribute defining whether to use an arrow or a chevron. As a result, any user with access to the post editor could insert malicious JavaScript into the arrow navigation element, which would be executed whenever a visitor accessed that page.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors. We were unable to successfully exploit this vulnerability at the time of publication, but will update this post if we are able to achieve a proof of concept, along with a firewall rule if needed to protect our users.

Conclusion

WordPress 6.3.2 includes patches for 5 Medium-Severity vulnerabilities as well as hardening against separate Object Injection vulnerabilities found in third-party plugins and themes. Several of these vulnerabilities are trivial to exploit and we recommend updating immediately if your site has not yet automatically done so.

We have released firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023.

If you know someone who uses WordPress and isn’t keeping it automatically updated, we recommend sharing this advisory with them to ensure their site remains secure, as several of these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Special thanks to the security researchers who responsibly disclosed these vulnerabilities, as well as to Threat Intelligence Lead Chloe Chamberland for her assistance with this article and for writing the firewall rules to protect Wordfence customers.

WordPress Core 6.3.1 XSS / DoS / Arbitrary Shortcode Execution

**Description**

Stored HTML Injection: A Hidden Web Threat. Learn how attackers exploit input fields to inject malicious code into web applications, jeopardizing user data and site integrity. Discover crucial prevention measures to safeguard against this insidious vulnerability.

#Step to reproduce

      1. Login to froxlor as admin
      2. Under the resource go to Hosting plans  and Add new plan  
      3. In the plan name field  add the HTML payload and save it  
      4. once after saving the plan we can see that  the payload is working 
    

**Proof of Concept**

    https://drive.google.com/file/d/1zAKGmVoxwmzXZbi6S4TZs9ZA3A7VhXxJ/view?usp=sharing
    
    

**Impact**

The impact of stored HTML injection can be severe and far-reaching, affecting both website owners and their users. Here are some of the key impacts:

Compromised User Data: Stored HTML injection allows attackers to access and manipulate sensitive user data stored in the application's database. This can include personal information, passwords, financial details, and other confidential data, leading to identity theft and fraud.

Malicious Code Execution: Attackers can inject harmful scripts into the web application, leading to the execution of arbitrary code on users' browsers. This can result in unauthorized actions, data theft, or the installation of malware on users' devices.

Loss of Trust: When users' data is compromised due to stored HTML injection, it erodes their trust in the website and the organization behind it. Loss of trust can lead to a decline in user engagement, decreased customer loyalty, and damage to the company's reputation.

Financial Loss: A successful attack can have financial repercussions, including costs associated with data breaches, legal liabilities, and the expenses of recovering and securing the compromised system.

Business Disruption: If a website is affected by stored HTML injection, it may become inaccessible or experience performance issues, leading to a disruption in services and potential loss of revenue.

Regulatory Compliance Issues: Depending on the nature of the compromised data, organizations may face legal consequences and regulatory penalties for failing to protect user information adequately.

Negative SEO Impact: A compromised website may be used to host malicious content, leading search engines to flag the site as unsafe, resulting in a negative impact on its search engine rankings.

Long-term Damage: The aftermath of a successful stored HTML injection attack can be long-lasting. Rebuilding user trust and restoring the website's reputation can be a time-consuming and challenging process

Tag

#xss