Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a direct message (DM).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-39840: Stored XSS · Issue #1660 · Cotonti/Cotonti

Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

delyura opened this issue

Aug 30, 2022

· 4 comments

Closed

**Stored XSS on forum #1661**

delyura opened this issue

Aug 30, 2022

· 4 comments

Assignees

**Comments**

Hello, we found the stored xss on forum.  
Tested on latest version 0.9.20.  
Poc:

1.  Create new topic with poll  
    
2.  XSS execute  
    

This thing is available only to administrators. This is related to the HTML Purifier settings. Administrators have more permissions than regular users.

It is needed to disable JavaScript in HTMLPurifier somehow for admins too.

Alex300 added a commit that referenced this issue

Sep 4, 2022

<script> tags are disabled in HTMLPurifier for admins too

<script> tags are disabled in HTMLPurifier for admins too

> <script> tags are disabled in HTMLPurifier for admins too

Creating blacklists is not best practice, you should use whitelist. For example, you disable the <script> tag, but the payload <img src=x onerror=alert(1)> will work.  
For a comprehensive list, check out the DOMPurify allowlist.

Are you suggesting to make a whitelist with all possible valid options, except for the <script> tag :)?

> but the payload <img src=x onerror=alert(1)>

Really? I can't reproduce this case.

Moreover, this situation is only possible if administrator will save text with the XSS script. Regular users has more stricter HTMLPurifier settings.

2 participants

CVE-2022-39839: Stored XSS on forum · Issue #1661 · Cotonti/Cotonti

This package is a PrestaShop module that allows users to post reviews and rate products. There is a vulnerability where the attacker could steal an administrator's cookie. The issue is fixed in version 5.0.2.

Moderate

atomiix published GHSA-prrh-qvhf-x788

Aug 31, 2022

**Package**

composer prestashop/productcomments (Composer)

**Affected versions**

5.0.1

**Patched versions**

5.0.2

**Description**

**Impact**

An attacker could steal an admin's cookie

**Patches**

The issue is fixed in 5.0.2

**References**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

**Severity**

Moderate

4.3

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

**CVE ID**

CVE-2022-35933

**Weaknesses**

CWE-79

**Credits**

*    tonius85

CVE-2022-35933: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in prestashop/productcomments

New web targets for the discerning hacker

New web targets for the discerning hacker

The otherwise typically low-key month of August also brings infosec’s most renowned conference: Black Hat USA, which this year brought a word of warning for bug bounty hunters.

Dylan Ayrey, CEO of Truffle Security, cited a number of cases in which poor research and shoddy data governance has led to the leak of users’ personally identifiable information. In some cases, the data is still available long after the corresponding ticket has been closed, he warned.

“These privacy leaks in bug bounties are really common, and for every example that we can share publicly there are 100 examples that can’t be shared publicly,” said Ayrey.

In another, alleged example of suboptimal bug bounty practices CrowdStrike came under fire recently over its vulnerability disclosure process.

Pascal Zenker, a partner of Swiss security analyst service Modzero AG, claimed the Texas-based cybersecurity firm’s bug bounty program, run through HackerOne, is “NDA-ridden”, while the disclosure process “turned unprofessional in the end”.

CrowdStrike, however, defended its actions and countered that Modzero had not responded to attempts to “continue the dialogue” until six weeks had elapsed.

Among the most notable new bug bounty programs this month is Google’s latest VRP, this time focused on its open source projects, such as Golang, Angular, and Fuchsia.

Announced on August 30, the Open Source Software Vulnerability Rewards Program (OSS VRP) is designed to stem the rising tide of attacks against the software supply chain.

There were several notable payouts on existing Google VRPs, most notably when Alesandro Ortiz netted $20,000 from the tech giant – giving $4,000 to a collaborator – for unearthing a bug in the Chromium project. This allowed attackers to bypass site isolation protection through iFrames and popup windows to steal private information, read and modify cookies, and gain access to microphone and camera feeds, among other exploits.

Meanwhile, researcher ‘NDevT’ discovered two XSS vulnerabilities in Google Cloud, DevSite, and Google Play that could lead to account hijacks. They won $3,000 and $5,000 in bug bounties for their pains.

And there was a $5,000 payout for a third Google issue, with Adi Cohen discovering an XSS in AMP for Email that involved tricking Gmail’s dynamic email feature into a rendering context that the browser would not use to render a given piece of code.

Finally, in non-Google payout news, there were $4,000 and $5,000 rewards respectively for serious GitHub Pages and Reddit issues, while a Yahoo hackathon paid out $218,121 for 218 bug submissions related to its text search engine tool Vespa.

**The latest bug bounty programs for September 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Abraxas VOTING**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**$10,000

**Outline:  
**VOTING will be used to manage ballots and aggregate tallied votes in Swiss elections.

**Notes:  
**The maximum reward is around 10,000 Swiss francs, which equates to roughly the same amount in US dollars.

Apply to hack on the program via Bug Bounty Switzerland

**Airlock**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**Undisclosed

**Outline:  
**Airlock’s Secure Access Hub, a web application firewall (WAF), protects more than 30,000 web applications worldwide.

**Notes:  
**“This program is built in the style of a CTF competition,” said the company.

Apply to hack on the program via Bug Bounty Switzerland

**Cornershop by Uber**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Uber’s on-demand grocery delivery service is offering $2,500 for critical vulnerabilities and $1,000 for high severity flaws.

**Notes:  
**Seven assets in scope: the .cornershopapp.com website, iOS and Android apps, source code, two domains containing internal assets, and QA environment.

Check out the Cornershop bug bounty page for more details

**Ethereum – Enhanced**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$1m

**Outline:  
**Bug bounty rewards for the Ethereum blockchain have quadrupled for a two-week period – ending September 8 – when related to the network’s transition to proof-of-stake.

**Notes:  
**The application of a fourfold multiplier to payouts means ethical hackers could earn up to $1 million for the submission of valid critical vulnerabilities.

Check out our earlier coverage for more details

**Google OSS VRP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$31,337

**Outline:  
**Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) focuses on the public repositories of Google-owned GitHub organizations such as GoogleAPIs and GoogleCloudPlatform, as well as their third-party dependencies.

**Notes:  
**Ranging from $100 to $31,337, rewards will typically be higher for particularly sensitive projects – such as Bazel, Angular, Golang, Protocol buffers, and Fuchsia – and vulnerabilities that can lead to supply chain compromise.

Check out the Google OSS VRP bug bounty page for more details

**Pogo**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**Pogo is a mobile app that offers users a way to leverage their personal data online in order to access earn credits and discounts for shopping, finances, and more.

**Notes:  
**In scope are the platform’s production Android and iOS apps and API endpoint used by the mobile apps.

Check out the Pogo bug bounty page for more details

**Proton**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**$30,000

**Outline:  
**If you are accepted onto the program, privacy-preserving email service Proton “will give you early and exclusive access to not published versions of the applications and their source code”.

**Notes:  
**Swiss platform also promises attractive bounties, “a constructive dialogue, fair rules and a legal safe harbor”.

Apply to hack on the program via Bug Bounty Switzerland

**Secure Open Source Rewards**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$10,000

**Outline:  
**Developers and security researchers have been invited to suggest ways to “harden critical open source projects” by the Linux Foundation, with Google’s open source security team providing initial sponsorship.

**Notes:  
**Rewards range from $505 for minor improvements up to $10,000 or more for “complicated, high-impact, and lasting improvements that almost certainly prevent major vulnerabilities”.

Check out our earlier coverage for more details

**Starbucks – Enhanced**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Bug reports that include a unique Nuclei Template to validate the finding will now earn researchers a $250 bonus.

**Notes:  
**Launched in 2016, the Starbucks program has 36 assets in scope, approaching 1,500 resolved reports, and average payouts of $250-$500 at the time of writing.

Check out the Starbucks bug bounty page for more details

**Trendyol**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Trendyol Group, Turkey’s largest ecommerce platform, has launched an ongoing bug bounty program after what it said was a successful, time-limited HackerOne Challenge.

**Notes:  
**Critical bugs will command rewards ranging between $2,000-$3,000, while high severity issues will net bug hunters between $750-$1,250.

Check out the Trendyol bug bounty page for more details

**Other bug bounty and VDP news this month**

*   Switzerland’s National Cyber Security Centre has announced the launch, later this year, of a new bug bounty program for the Swiss federal government following a 2021 pilot
*   Staying in Switzerland, federal postal service Swiss Post offered rewards up to 30,000 francs ($30,530) during a four-week bug bounty program that concludes today (September 2)
*   New or improved bug bounty or penetration testing tools showcased at Black Hat USA 2022 included pen test management platform AttackForge, open source recon framework ReNgine, and pen testing tools AWSGoat and AzureGoat

Curated by Adam Bannister. Introduction by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for August 2022

Bug Bounty Radar // The latest bug bounty programs for September 2022

OX App Suite versions 8.2 and earlier suffer from multiple cross site scripting vulnerabilities. Versions 7.10.6 and earlier suffer from a command injection vulnerability.

Product: OX App Suite  
Vendor: OX Software GmbH

Internal reference: MWB-1540  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 8.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.324  
Vendor notification: 2022-03-30  
Solution date: 2022-06-10  
Public disclosure: 2022-09-01  
CVE reference: CVE-2022-29852  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:  
The output filter mechanism for binary data can be confused by using unknown media-types. Some valid image formats were not part of our deny-list that handles potentially harmful content. Attackers can generate, upload and share malicious JS code, disguised as the BMFreehand10 or image/x-freehand image file format. This format is not detected and therefore no download gets enforced. Some browsers may attempt to render its content "inline".

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:  
We improved content detection to include previously unknown media-types.

---

Internal reference: MWB-1572  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 8.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0  
Vendor notification: 2022-04-20  
Solution date: 2022-06-10  
Public disclosure: 2022-09-01  
CVE reference: CVE-2022-29853  
CVSS: 4.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:  
Malicious HTML content at E-Mail can be abused to bypass existing content sanitization mechanisms. In this case an attacker adds junk code to force the "Show entire message" feature for huge HTML mails to generate malicious output. This involves a complex hierarchy of HTML elements and event handlers that confuse existing sanitization logic.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:  
We improved detection and handling of such huge HTML blocks to make sure no malicious content is returned to the client.

---

Internal reference: MWB-1602  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 8.2 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0  
Vendor notification: 2022-04-20  
Solution date: 2022-06-10  
Public disclosure: 2022-09-01  
CVE reference: CVE-2022-31468  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:  
Content stored in attachments or OX Drive content can be requested by the client using "len" and "off" parameters. Malicious HTML content is filtered however this filter does not apply to all kind of HTML tags and allows to extract malicious code using the mentioned parameters.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:  
We improved detection and handling of malicious HTML content that is requested via offset and length parameters.

---

Internal reference: DOCS-4428  
Vulnerability type: OS Command Injection (CWE-78)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev5, 7.10.6-rev5  
Vendor notification: 2022-04-19  
Solution date: 2022-06-10  
Public disclosure: 2022-09-01  
CVE reference: CVE-2022-29851  
CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:  
In case an instance running documentconverter (readerengine) has non-default ghostscript (gs) utility installed, it may get invoked when converting EPS files that are disguised as PDF files. Ghostscript suffers from a range of vulnerabilities, some of which could be exploited via readerengine. While most are non-deterministic and cannot be used to inflict relevant damage, few may be used to execute code fragments, embedded in EPS files, on the target instance.

Risk:  
Unauthorized code may be executed with persmissions of the "open-xchange" user on readerengine instances if additional software packages like gs are installed. We urge customers to apply best-practice system hardening, which includes removal of unused components.

Solution:  
We removed a fallback to use external commands for processing EPS and other file formats.

OX App Suite Cross Site Scripting / Command Injection

WordPress Netroics Blog Posts Grid plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in post_title parameter in WordPress Plugin "Netroics Blog Posts Grid" v1.0# Date: 08/08/2022# Exploit Author: saitamang, syad, yunaranyancat# Vendor Homepage: wordpress.org# Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip# Version: 1.0# Tested on: Centos 7 apache2 + MySQLWordPress Plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected.Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the postpayload --> user s1"><img src=x onerror=alert(document.cookie)>.gifThe draft post can be viewed using other Editor or Admin account and Stored XSS will be triggered.Further information can be preview from github below:https://github.com/saitamang/POC-DUMP/blob/main/wordpress/Netroics%20Blog%20Posts%20Grid%20v1.0%20Stored%20XSS.md

WordPress Netroics Blog Posts Grid 1.0 Cross Site Scripting

Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports.
In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an unauthenticated malicious user could perform a stored XSS attack in order to inject a malicious payload and execute it using the stored XSS.


**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-25370

Garage Management System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the brand_name parameter at /brand.php.

About one week ago, author mayurik released **Garage Management System 1.0** on https://sourcecodester.com. The web application has a lot of vulnerabilities, so let’s take a look at some of them.

**Vendor Homepage:** https://www.sourcecodester.com/users/mayurik 

**Software Link:** **https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html**

**Version:** 1.0

**Test Environment:** Ubuntu 22.04 + Apache2

**Sample Vulnerability 1:**

**Vulnerability**: Persistent Cross-site Scripting

**Component**: Parameter “brand\_name” in /brand.php

**Credits**: Russell Shen

**Cause:** There is no user input sanitization on parameter “brand\_name”.

**Simple PoC**:

**Screenshot of Exploitation:**

**Sample Vulnerability 2:**

**Vulnerability**: SQL Injection

**Component**: Parameter “id” in /print.php

**Credits**: Russell Shen

**Cause:** There is no user input sanitization on parameter “id”.

**Simple PoC**:

http://hostname:port/garage/print.php?id=1 ’\[SQL Query\]

**Screenshot of Exploitation:**

**Sample Vulnerability 3:**

**Vulnerability**: Persistent Cross-site Scripting

**Component**: Parameter “name” in /client.php

**Credits:** Chengcheng Tian, Russell Shen

**Cause:** There is no user input sanitization on parameter “name”.

**Simple PoC**:

**Screenshot of Exploitation:**

**Sample Vulnerability 4:**

**Vulnerability**: Bad Access Control

**Component**: Parameter “brand\_name” in /brand.php

**Credit:** Chengcheng Tian, Russell Shen

**Cause:** /print.php does not verify authentication and authorization.

**Simple PoC**:

Access http://hostname:port/print.php?id=2

**Screenshot of Exploitation:**

Post Views: 41

CVE-2022-36637: Vulnerability of Garage Management System 1.0

BlogEngine v3.3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /blogengine/api/posts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.

CVE-2022-36600: Cross-Site Scripting (XSS) in "/blogengine/api/posts" · Issue #254 · BlogEngine/BlogEngine.NET

Miniblog.Core v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /blog/edit. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Excerpt field.

Tag

#xss