The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2022-2540: Vulnerability Advisories - Wordfence

An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.2.0, version 6.4.0 through 6.4.9, version 7.0.0 through 7.0.5 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack through the URI parameter via the Threat Feed IP address section of the Security Fabric External connectors.

** PSIRT Advisories**

**FortiOS -- XSS vulnerability observed in External Connectors Of Security Fabric**

**Summary**

An improper neutralization of input during web page generation vulnerability \[CWE-79\] in FortiOS may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack through the URI parameter via the Threat Feed IP address section of the Security Fabric External connectors.

**Affected Products**

FortiOS verion 7.2.0.  
FortiOS version 6.4.0 through 6.4.9  
FortiOS version 7.0.0 through 7.0.5  
 

**Solutions**

Please upgrade to FortiOS version 6.4.10 or above.  
Please upgrade to FortiOS version 7.0.6 or above.  
Please upgrade to FortiOS version 7.2.1 or above.

**Acknowledgement**

Fortinet is pleased to thank Massimiliano Ferraresi, Massimiliano Brolli and TIM Security Red Team Research from TIM for reporting this vulnerability under responsible disclosure.

CVE-2021-43080: Fortiguard

An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.

** PSIRT Advisories**

**FortiMail - Cross-site scripting (XSS) in Webmail**

**Summary**

An improper neutralization of input during web page generation vulnerability \[CWE-79\] in FortiMail Webmail may allow an unauthenticated attacker to trigger a cross-site scripting (XSS) attack via sending specially crafted mail messages.

**Affected Products**

FortiMail version 7.0.0 through 7.0.3  
FortiMail version 6.4.0 through 6.4.7  
FortiMail version 6.2.0 through 6.2.8  
FortiMail version 6.0.0 through 6.0.12

**Solutions**

Please upgrade to FortiMail version 7.2.0 or above  
Please upgrade to FortiMail version 7.0.4 or above

**Acknowledgement**

Internally discovered by Giuseppe Cocomazzi.

CVE-2022-26114: Fortiguard

The phishing-as-a-service offering targets accounts from tech giants, and also has connections to PyPI phishing and the Twilio supply chain attack.

A phishing-as-a-service offering being sold on the Dark Web uses a tactic that can turn a user session into a proxy to bypass two-factor authentication (2FA), researchers have found.  

The service, widely called EvilProxy, uses reverse proxy and cookie-injection methods to give threat actors a way around 2FA "on the largest scale, without the need to hack upstream services," researchers from Resecurity said in a report published Monday. The principle is actually fairly simple, they added: After victims are lured to a phishing page, threat actors use a reverse proxy to fetch all the legitimate content users expect to see — including login pages — and then sniff victims' traffic as it passes through the proxy.

"This way they can harvest valid session cookies and bypass the need to authenticate with usernames, passwords, and/or 2FA tokens," researchers wrote.

At the same time, the approach gives cybercriminals ways to attack developers to facilitate supply chain attacks that affect customers downstream, they said.

In recent attacks, EvilProxy is being used to target consumer accounts belonging to top tech power players such as Apple, Dropbox, Facebook, GoDaddy, Google, Instagram, Microsoft, Twitter, and Yahoo.

**EvilProxy: An Evolution**

EvilProxy represents an evolution in phishing strategies, according to the report, given that reverse-proxy approaches are most commonly seen in advanced persistent threat (APT) and cyber-espionage activity. Now, the service makes this capability widely available to the cybercriminal marketplace, researchers said.

Some sources refer to the EvilProxy service as "Moloch," which is connected to a previously developed phishing kit that targeted the financial institutions and e-commerce sector, researchers said.

However, EvilProxy has different victims in mind, according to a demonstration video its actors released in May. Google and Microsoft accounts, in particular, appear to be the primary targets of EvilProxy threat actors.

**Acquiring the Service**

Cybercriminals can buy EvilProxy on a subscription basis based on the online service they plan to target — such as Facebook or LinkedIn — after which it is activated for a specific period of time, depending on the plan description, researchers said. Plan options include 10, 20, or 31 days, according to listings for the service on multiple Dark Web hacker forums, they said.

One of EvilProxy's key actors goes by the handle "John\_Malkovich" and acts as an administrator to vet new customers on major underground communities, including XSS, Exploit, and Breached, researchers said.

Cybercriminals can pay for EvilProxy via an operator on Telegram in a manual arrangement that deposits the funds received to an account in a customer portal hosted in TOR. The service also is available on the Dark Web hosted on the TOR network, with a kit available for $400 per month.

The home portal of the EvilProxy service makes it easy for those who purchase it to get on with their phishing campaigns, providing multiple tutorials and interactive videos regarding the use of the service and configuration tips, researchers said.

"Being frank, the bad actors did a great job in terms of the service usability, and configurability of new campaigns, traffic flows, and data collection," they acknowledged.

Once the service is activated, an operator must provide SSH credentials to further deploy a Docker container and a set of scripts that, after successful activation, will forward the traffic from the victims via two gateways defined as "upstream."

As is common in phishing campaigns, attackers register domain names that appear similar in spelling to related online services to mask them for use used in phishing campaigns, researchers noted.

**Connections to Recent Supply Chain Cyberattacks**

EvilProxy is notable also for its connections to recent threat activity — the first known phishing attack on users of the Python Package Index (PyPI), the official repository for the Python language, and a supply chain attack related to a credential breach at Twilio, researchers said.

Regarding the former, EvilProxy supports attacks against PyPI with the inclusion of a payload called JuiceStealer to the service, researchers said. The info-stealing malware was used in the PyPI phishing attack, and suspiciously added to EvilProxy just before that attack happened, researchers said.

EvilProxy also supports attacks on GitHub and the widely used JavaScript package manager NPJMS. This enables the service to deliver advanced phishing campaigns for supply chain attacks by targeting software developers and IT engineers, who may inadvertently add compromised code to applications and widen the spread of the attack without end users suspecting a thing, researchers said.

Indeed, the Twilio attack was a reminder of what can happen when enterprises are caught unawares, noted one security professional. In that attack, threat actors used phished Okta credentials to gain access to internal systems, applications, and customer data, affecting about 25 downstream organizations that use Twilio's phone verification and other services.

"Too many organizations assume that strong authentication is enough to protect their internal assets and data," Ronen Slavin, co-founder and CTO of Cycode, a software supply chain security solution provider, tells Dark Reading. "As a result of this mindset, most organizations over-credential their developers and expose way too many hard-coded secrets in places like repos, build logs, containers, and more."

With phishing attacks getting more advanced in both their methods to bypass security protections and target developers, enterprises need to be more wary of who within the organization has advanced access to systems, he adds.

"The key learning from this attack is to assume that developer accounts are compromised and that insiders could be malicious," Slavin says.

EvilProxy Commodifies Reverse-Proxy Tactic for Phishing, Bypassing 2FA

Online Market Place Site version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Online Market Place Site v1.0 - Stored Cross-Site Scripting (XSS)# Exploit Author: Joe Pollock# Date: September 03, 2022# Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip# Tested on: Kali Linux, Apache, Mysql# CVE: CVE-2022-30003 (RESERVED)# Vendor: oretnom23# Version: v1.0# Exploit Description:#   Online Market Place Site v1.0 suffers from an authenticated stored Cross-Site Scripting (XSS) vulnerability allowing attackers to register#   as a Seller then create new products containing XSS payloads in the 'Product Title' and 'Short Description' fields.To reporduce:1. Sign as a Seller (or create an account) then add a product by navigating to 'Products' > 'Add New'.2. Add an XSS payload (e.g. <script>alert(1)</script>) within the 'Product Title' and/or 'Short Description' fields.3. Click 'SAVE' - the XSS payload(s) will be executed immediately or anytime the product is viewed.

Online Market Place Site 1.0 Cross Site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.

CVE-2022-3127

The Fast Flow WordPress plugin before 1.2.13 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2775

The WP Database Backup WordPress plugin before 5.9 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2271

The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins

CVE-2022-2565

Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a.

@@ -105,13 +105,14 @@ protected function handle() }  
// requested diff view type $mode = ''; if ($INPUT\->has('difftype')) { $this\->preference\['difftype'\] = $INPUT\->str('difftype'); $mode = $INPUT\->str('difftype'); } else { // read preference from DokuWiki cookie. PageDiff only $mode = get\_doku\_pref('difftype', null); if (isset($mode)) $this\->preference\['difftype'\] = $mode; } if(in\_array($mode, \['inline','sidebyside'\])) $this\->preference\['difftype'\] = $mode;  
if (!$INPUT\->has('rev') && !$INPUT\->has('rev2')) { global $INFO, $REV; @@ -222,7 +223,7 @@ public function show()  
// display diff view table echo '<div class="table">'; echo '<table class="diff diff\_'.$this\->preference\['difftype'\] .'">'; echo '<table class="diff diff\_'.hsc($this\->preference\['difftype'\]) .'">';  
//navigation and header switch ($this\->preference\['difftype'\]) {

Tag

#xss