The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0585: Updates.php in all-in-one-seo-pack/tags/4.2.9/app/Common/Main – WordPress Plugin Repository

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor+ role to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0586: PostSettings.php in all-in-one-seo-pack/tags/4.2.9/app/Common/Admin – WordPress Plugin Repository

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Jessica Haworth 24 February 2023 at 13:09 UTC  
Updated: 24 February 2023 at 13:15 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward.

The social media site historically enabled two-factor authentication (2FA) to all users, providing they connected their mobile phone number to their account.

This week, however, users were warned that this security option would no longer be available to users who did not pay for verification.

Of course, this sparked huge backlash online, particularly among the majority of those with non-paid accounts.

It’s worth noting, though, that users can still use 2FA with third-party authentication apps such as Google Authenticate.

Want the latest web security news straight to your inbox? Sign up to our newsletter here

Elsewhere, web hosting provider GoDaddy announced it had fallen victim to a cyber-attack… and this was part of a campaign lasting almost three years.

The company announced in a statement that it had evidence of an intrusion that took place back in December 2022, when “a small number of customers” complained about their websites being intermittently redirected.

In a filing to the US Securities and Exchange Commission (PDF), the American domain registrar also divulged that it had evidence this attack was linked to an earlier incident in March 2020, when an attacker “compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel”.

GoDaddy says it believes these attacks, together with a 2021 compromise of its hosted WordPress service, “are part of a multi-year campaign by a sophisticated threat actor group”.

BACKGROUND Truffle Security relaunches XSS Hunter tool with new features

Finally, the maintainers of newly resurfaced tool XSS Hunter announced the introduction of optional end-to-end (e2e) encryption to its fork after a backlash from privacy-conscious users.

Truffle Security, which launched a new fork of the open source utility after its deprecation by original creator Matthew Bryant, were criticized earlier this month for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.

As reported by The Daily Swig, users have now been reassured that e2e encryption has been added to the fork in a statement given by Truffle Security’s founder.

We also recently reported that Belgium has become the first European country to adopt a national, comprehensive safe harbor framework for ethical hackers, and how Frans Rosén topped PortSwigger’s top 10 web hacking techniques of 2022 with his research ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.

You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   FortiNAC / Critical / Unauthenticated RCE / An external control of file name or path in certain Fortinet FortiNAC versions allow attackers to execute unauthorized code / Patched and disclosed February 16
*   Node.js / Medium / CLRF injection / The fetch API in Node.js did not prevent CRLF injection in the host header potentially allowing attacks such as HTTP response splitting and HTTP header injection / Patched and disclosed February 16
*   Node.js / High / Permissions policies bypass / Non-authorized modules potentially accessible via / Patched and disclosed February 16
*   Kardex MLOG / Severity TBC / RCE / SSTI to RCE due to sanitization issue on industrial web interface / Patched January 24, disclosed February 7
*   Apache Kerby / LDAP injection / Vulnerability exists in / Patched and disclosed February 20

**Research and attack techniques**

*   PortSwigger’s\* Gareth Heyes demonstrated how to detect server-side prototype pollution without causing denial-of-service at AppSec Dublin conference earlier this month.
*   Researchers from CyberXplore detailed how they hacked GitHub for a whole month, resulting in the finding of six vulnerabilities, which are detailed in this blog post.
*   Software engineer Matt Frisbie built a purposely-malicious Google Chrome extension that steals as much data as possible to demonstrate what users could expose themselves to if they aren’t careful with what they install.

A security researcher has praised the merits of hacking on Apple’s bug bounty program

**Bug bounty/vulnerability disclosure**

*   A write-up from security researcher Omar Hashem, who fully took over a HubSpot account, details his failures on the path to exploitation. Research is inherently about trial and error, yet few write ups shared online talk about the things that didn’t work.
*   A researcher calling themselves ‘infiltrateops’ shared details on how they were awarded a decent payout from Apple and lauded the response from its security team.
*   Google released a review of all of the bugs found in its vulnerability reward program in 2022, revealing it fixed more than 2,900 issues in that year alone.

**New open source security tools**

*   Legitify, a tool for detecting and remediating security issues across GitHub and GitLab assets, added support for GPT-based misconfiguration scanning.
*   GuardDog, a tool used to identify malicious Python packages using Semgrep and package metadata analysis, has been updated to provide npm support, new heuristics, and easier CI integration.

\*PortSwigger is the parent company of The Daily Swig.

PREVIOUS EDITION Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

A vulnerability was found in SourceCodester Medical Certificate Generator App 1.0. It has been classified as problematic. This affects an unknown part of the component New Record Handler. The manipulation of the argument lastname with the input "><script>prompt(1)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-221739.

CVE-2023-1006

sanitize-url (aka @braintree/sanitize-url) before 6.0.1 allows XSS via HTML entities.

**@braintree/sanitize-url Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023

GHSA-q8gg-vj6m-hgmj: @braintree/sanitize-url Cross-site Scripting vulnerability

Stored cross-site scripting vulnerability in Theme switching function of SHIRASAGI v1.16.2 and earlier versions allows a remote attacker with an administrative privilege to inject an arbitrary script.

****

*   シラサギとは
*   ダウンロード
*   導入事例
*   お問い合わせ

2023年2月22日

JPCERT コーディネーションセンターと独立行政法人情報処理推進機構 (IPA)が共同運営するJVNに、SHIRASAGI におけるクロスサイト・スクリプティング脆弱性が公開されました。

https://jvn.jp/jp/JVN18765463/

JVN18765463 には複数の脆弱性の指摘が含まれています。

1.  スケジュール機能における格納型クロスサイトスクリプティング - CVE-2023-22425
2.  Theme切り替え機能における格納型クロスサイトスクリプティング - CVE-2023-22427

スケジュール機能における格納型クロスサイトスクリプティングの脆弱性をついた攻撃を成立させるには、下記のいずれかの条件が必要となります。

1.  シラサギのグループウェアにログインし、左側のメニューから　「スケジュール」 - 「設備設定」をたどる
2.  上部メニューの「新規作成」をクリックし、設備名に XSS<script>alert(document.URL)</script> のような内容を入力し、保存ボタンをクリックして設備を作成する
3.  左側のメニューから　「スケジュール」 - 「個人」をたどる。
4.  カレンダーの上部の「予定を作成」をクリックし、「設備を選択する」をクリックし、2 で作成した設備を選択する。

Theme切り替え機能における格納型クロスサイトスクリプティングの脆弱性をついた攻撃を成立させるには、下記のいずれかの条件が必要となります。

1.  CMS の管理画面にログインし、 サイト設定＞Theme切り替え＞新規作成まで遷移する。
2.  名前に "XSS" などの適当な名前を入力、class属性に "xss" などの適当な値を入力し、cssパスに #"><script>alert('XSS')</script><!-- と入力後「保存」を押下し、Theme切り替えを新規作成する。
3.  2 で登録した Theme 切り替えを反映するためにページ書き出しやフォルダー書き出しを実行する。
4.  Theme 切り替えを利用したページにアクセスする。

この脆弱性は v1.16.2 以前のシラサギに存在し、v1.17.0 で修正されています。

v1.16.2 以前のバージョンをお使いの方は v1.17.0 へのバージョンアップを実施頂くか、下記のコミットの反映をお願いします。

*   https://github.com/shirasagi/shirasagi/commit/79a59b2aaa15260ded79728198fdf9321570911f

v1.14.2 以前のバージョンをお使いの方向けの注意点として、シラサギ1.15.0 リリースに記載しているとおり CMS に重大な非互換がありますので、この点を考慮の上バージョンアップを検討するようにしてください。

**カテゴリー**

*   その他

*   シラサギ  
    LGWAN-ASPサービス
*   シラサギ  
    クラウドサービス
*   シラサギ  
    業務代行サービス
*   シラサギ  
    講習会サービス
*   シラサギ  
    サポートサービス

CVE-2023-22427: JVN#18765463 SHIRASAGI におけるクロスサイト・スクリプティング脆弱性 -  SHIRASAGI公式サイト

sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.

@@ -100,6 +100,7 @@ describe("sanitizeUrl", () => { "&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29", "jav&#x09;ascript:alert('XSS');", " &#14; javascript:alert('XSS');", "javasc&Tab;ript: alert('XSS');", \];  
attackVectors.forEach((vector) \=> { @@ -136,6 +137,15 @@ describe("sanitizeUrl", () => { ); });  
it(\`disallows ${protocol} urls that use &colon; for the colon portion of the url\`, () \=> { expect(sanitizeUrl(\`${protocol}&colon;alert(document.domain)\`)).toBe( "about:blank" ); expect(sanitizeUrl(\`${protocol}&COLON;alert(document.domain)\`)).toBe( "about:blank" ); });  
it(\`disregards capitalization for ${protocol} urls\`, () \=> { // upper case every other letter in protocol name const mixedCapitalizationProtocol \= protocol

CVE-2022-48345: Fix html entity tab (#45) · braintree/sanitize-url@d4bdc89

Cross-site Scripting (XSS) - Stored in GitHub repository unilogies/bumsys prior to v2.0.1.

CVE-2023-0995

SquaredUp Dashboard Server SCOM edition before 5.7.1 GA allows XSS (issue 1 of 2).

CVE-2022-46785

If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.

**Cross-site Scripting in Quarkus**

Moderate severity GitHub Reviewed Published Feb 23, 2023 to the GitHub Advisory Database • Updated Feb 23, 2023

Tag

#xss