Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the post title text field under the publish blog module.

**Jfinal Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Aug 26, 2022 • Updated Sep 1, 2022

GHSA-34j6-m83c-52x2: Jfinal Cross-site Scripting vulnerability

Archer Platform 6.9 SP2 P2 before 6.11 P3 (6.11.0.3) contain a reflected XSS vulnerability. A remote unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious JavaScript code to the vulnerable web application. This code is then reflected to the victim and gets executed by the web browser in the context of the vulnerable web application. 6.10 P4 (6.10.0.4) and 6.11 P2 HF4 (6.11.0.2.4) are also fixed releases.

**Archer Identifier**

SA-5

**CVE Identifier**

CVE-2022-37317, CVE-2022-37318

**Severity**

High

**Severity Rating**

See below for scores of individual CVEs

**Affected Products**

Archer Platform versions greater than 6.x

**Summary**

Archer Platform contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

**Details**

Archer Platform has been updated for the following vulnerabilities:

• HTML Injection Vulnerability CVE-2022-37317

Archer Platform 6.x before 6.11 P3 contain a HTML injection vulnerability. An authenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user to execute malicious code in the context of the web application. 6.10 P4 (6.10.0.4) and 6.11 P2 HF4 (6.11.0.2.4) are also fixed releases.

CVSSv3.1 Base Score: 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)

• Reflected Cross-site Scripting Vulnerability CVE-2022-37318

Archer Platform 6.9 SP2 P2 before 6.11 P3 (6.11.0.3) contain a reflected XSS vulnerability. A remote unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious JavaScript code to the vulnerable web application. This code is then reflected to the victim and gets executed by the web browser in the context of the vulnerable web application. 6.10 P4 (6.10.0.4) and 6.11 P2 HF4 (6.11.0.2.4) are also fixed releases.

CVSSv3.1 Base Score: 7.0 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L)

For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the database’s search utility at http://web.nvd.nist.gov/view/vuln/search.

**Recommendation**

For CVE-2022-37317, the following Archer releases contain a resolution to this vulnerability:

• Archer version 6.11 P3 (6.11.0.3) or higher  
• Archer version 6.11 P2 HF4 (6.11.0.2.4) or higher  
• Archer version 6.10 P4 (6.10.0.4) and subsequent 6.10 releases

For CVE-2022-37318, the following Archer releases contain a resolution to this vulnerability:

• Archer version 6.11 P3 (6.11.0.3) or higher  
• Archer version 6.11 P2 HF4 (6.11.0.2.4) or higher  
• Archer version 6.10 P4 (6.10.0.4) and subsequent 6.10 releases

Archer recommends all customers upgrade at the earliest opportunity.

**Severity Rating**

For an explanation of Severity Ratings, refer to the Archer Vulnerability Disclosure Policy. Archer recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

**EOPS Policy**

Archer has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

**Legal Information**

Read and use the information in this Archer Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Archer Technical Support. Archer distributes Archer Security Advisories in order to bring to the attention of users of the affected Archer products, important security information.

Archer recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Archer disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall Archer, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Archer, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

CVE-2022-37318: Archer Update for Multiple Vulnerabilities

Nortek Linear eMerge E3-Series 0.32-07p devices are vulnerable to /card_scan.php?CardFormatNo= XSS with session fixation (via PHPSESSID) when they are chained together. This would allow an attacker to take over an admin account or a user account.

    # Exploit Title: Nortek Linear eMerge E3-Series - Account Take Over# Exploit Author: Omar Hashim# Version: 0.32-07p# Vendor home page: https://www.nortekcontrol.com/access-control/# Vendor home page: https://linear-solutions.com/# Authentication Required: No# CVE: CVE-2022-31798# Description ====================There is local session fixation that chained with reflected cross-sitescripting leads to account take over of admin or less privileged users# Proof Of Concept: ====================http://<HOST:PORT>/card_scan.php?No=1337&ReaderNo=1337&CardFormatNo=<imgsrc=x onerror=alert(document.location)>

CVE-2022-31798: Nortek Linear eMerge E3-Series Account Takeover ≈ Packet Storm

It was found that the smallrye health metrics UI component did not properly sanitize some user inputs. An attacker could use this flaw to conduct cross-site scripting attacks.

'2018015?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-3914: Invalid Bug ID

There is a stored XSS vulnerability in JFinal\_cms 's publish blog module. An attacker could insert malicious XSS code into the post title. When users and administrators view the blog post, the malicious XSS code is triggered successfully.

First register a user to test it, then go to the submit blog post page and insert the malicious XSS code in the subject field

Payload : test1" onmouseover="alert(document.cookie)  

Successfully executed malicious XSS code:

CVE-2022-36527: XSS vulnerability1 in jfinal_cms 5.1.0 · Issue #45 · jflyfox/jfinal_cms

A reflected cross-site scripting (XSS) vulnerability exists in the iHistorian Data Display of WorkstationST (<v07.09.15) could allow an attacker to compromise a victim's browser. WorkstationST is only deployed in specific, controlled environments rendering attack complexity significantly higher than if the attack were conducted on the software in isolation. WorkstationST v07.09.15 can be found in ControlST v07.09.07 SP8 and greater.

%PDF-1.7 %���� 79 0 obj <> endobj xref 79 44 0000000016 00000 n 0000001648 00000 n 0000001794 00000 n 0000001836 00000 n 0000002248 00000 n 0000002507 00000 n 0000002672 00000 n 0000002984 00000 n 0000003157 00000 n 0000003393 00000 n 0000003717 00000 n 0000003970 00000 n 0000004021 00000 n 0000004072 00000 n 0000004239 00000 n 0000004816 00000 n 0000005466 00000 n 0000006277 00000 n 0000006414 00000 n 0000006436 00000 n 0000006658 00000 n 0000006953 00000 n 0000006980 00000 n 0000007105 00000 n 0000007265 00000 n 0000007935 00000 n 0000008564 00000 n 0000009361 00000 n 0000010171 00000 n 0000010931 00000 n 0000011160 00000 n 0000011194 00000 n 0000011349 00000 n 0000017467 00000 n 0000017537 00000 n 0000047173 00000 n 0000102203 00000 n 0000102273 00000 n 0000102527 00000 n 0000102866 00000 n 0000103033 00000 n 0000103060 00000 n 0000001478 00000 n 0000001176 00000 n trailer <<38D43D8DEAB4B2110A00F021DC6DFD7F>\]/Prev 120019/XRefStm 1478>> startxref 0 %%EOF 122 0 obj <>stream h�b\`\`\`�+l�@(������ð��?z��5��,l� TyYz�^�D���آ��d����2��6��\\�@�c\`alcx��Ϩ�0����sY �Ȥ�T�,�PTu��t�.��xfvf�G�xZ�/0��������-�DV�(�)3�n�\`\`ܦ�X�if� @7�%U�c@��+� endstream endobj 121 0 obj <>/Filter/FlateDecode/Index\[12 67\]/Length 22/Size 79/Type/XRef/W\[1 1 1\]>>stream h�bb�\`\`b\`\`��th� endstream endobj 80 0 obj <>/Metadata 10 0 R/Pages 9 0 R/StructTreeRoot 12 0 R/Type/Catalog/ViewerPreferences 81 0 R>> endobj 81 0 obj <> endobj 82 0 obj <>/MediaBox\[0 0 612 792\]/Parent 9 0 R/Resources<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\]>>/Rotate 0/StructParents 0/Tabs/S/Type/Page>> endobj 83 0 obj <>/BS<>/F 4/Rect\[69.75 508.42 88.154 530.07\]/StructParent 1/Subtype/Link>> endobj 84 0 obj <>/BS<>/F 4/Rect\[300.75 161.06 463.91 182.72\]/StructParent 2/Subtype/Link>> endobj 85 0 obj \[226 0 0 0 0 0 0 221 303 303 0 0 0 306 252 0 507 0 507 507 0 507 0 507 0 507 268 0 0 0 0 0 0 579 0 533 615 488 0 631 623 252 0 0 0 855 646 0 517 0 543 459 487 0 567 890 519 0 0 0 0 0 0 0 0 479 525 423 525 498 305 471 525 230 239 455 230 799 525 527 525 0 349 391 335 525 452 715 0 453 395 0 460\] endobj 86 0 obj <> endobj 87 0 obj <> endobj 88 0 obj \[215 0 0 0 0 0 0 188 316 316 0 0 200 340 200 350 532 532 532 532 0 532 532 532 532 532 212 0 532 532 532 0 0 609 0 597 645 527 502 660 668 244 0 0 0 0 0 694 545 0 567 522 500 636 587 936 567 0 0 0 0 0 0 0 0 505 535 452 535 508 295 483 539 232 0 479 232 826 539 530 535 0 354 445 355 533 459 738 458 459 438\] endobj 89 0 obj <> endobj 90 0 obj <> endobj 91 0 obj <> endobj 92 0 obj <> endobj 93 0 obj <>stream H�ĕmk�@��~�y��}r����\\Z\\��B��;�\*MܫnZ��gWIC�Z�����p~;�3��ڔ{�5pvO�Q�/�n�\\7q~:�Z�J�RWq��ٸ��B���f�9|�=���RB��V����n�A�{����$A��|�{��a )���{��$�A\*$\`Ĺ�R�PZy�#\_�|�6X-!�@����6�G�{\[��lF�%Q͈(�2$�@�u�@;�Gd��g ӈ�aX ��N9�l G��#l�Ҝ\`F�\`��lt}�hy�/� ǈ<��ay�N���C�3>f�}�?A.�6�� y���� ��������@ݎ�!�84l�R<M{n ^�s5���c��#)E�?5 #��g%M���j׀7�v\`��א�q���M��=�\*ˇ����) b��ј(��$�&%E�p�kW�bF<(���m �0��ePVP:�t%n�Ht���c\[aU9ʽt凅��js�s� ���:t\_�< 0xy�\` endstream endobj 94 0 obj <>stream H�̕�o�0��#��G��vlK�� �Ti-�:i���C �%���������a9��|���l'{G�,����.�����J��m�5,�8�8�y��c��e�w�M�H��ƥ"5༦G6�P:�Qa,������e=G�ُ�G�J؀��EVJa�j��rS-�F�΋��^�& �n�wB�ijL��F$��\\�?) jKI�P)��mP�Q���2^��J�P%w�VH� � ��\`��-9u���Q�������m����A�I��JsVB��':Iq�Na���Fܲo��W�\]��rt�j���6������0n�H��8�O ������qʯ�wؘh-�ce�\[�U r�M��U�~ٹ�M0�}UӐo�r�L+��6gl�ܰ\[��PoN/׸���}/9

CVE-2022-37952

Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting (XSS) via SVG file upload.

Permalink

Cannot retrieve contributors at this time

**Stored XSS via SVG file upload (version : 13.5.7)**

Claroline Connect presents a stored xss vulnerability because of the possibility to upload an arbitrary svg file, which is one of the allowed image types. Several upload forms can be used, I've personnally choosed the resource icon upload.

By crafting a svg file which contains some javascript, an attacker can trigger some xss payload.

**Fix suggest :** disallow svg file type, and enhance file upload check.

CVE-2022-37161: claroline-CVEs/svg_xss.md at main · matthieu-hackwitharts/claroline-CVEs

Claroline 13.5.7 and prior allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. By combining the XSS vulnerability present in several upload forms and a javascript request to the present API, it is possible to trigger the creation of a user with administrative rights by opening an SVG file as an administrator user.

**Admin account takeover (CSRF) via XSS because of arbitrary file upload (version : 13.5.7)**

Claroline Connect is affected by a CSRF vulnerability, because of missing CSRF tokens or other protection means. This CSRF can be triggered via the Claroline's API, by combining an XSS vulnerability (like svg maybe ?) with a fetch request to the API. An arbitrary user with admin rights can be created by triggering the XSS from an admin user.

**Example of POC :**

**Fix suggest :** adding CSRF tokens or other protection way.

CVE-2022-37160: claroline-CVEs/csrf.md at main · matthieu-hackwitharts/claroline-CVEs

Claroline 13.5.7 and prior is vulnerable to Cross Site Scripting (XSS). An attacker can obtain javascript code execution by adding arbitrary javascript code in the 'Location' field of a calendar event.

**'Location' stored XSS (version : 13.5.7)**

Claroline Connect suffers from a stored xss vulnerability in 'Calendar' functionality. By adding a specific payload in the Location of an event, an attacker can trigger an xss.

User input is reflected as an href attribute in the Location parameter. Therefore it is possible to enter a payload like javascript:alert(document.domain) to execute some javascript code.

**Fix suggestion :** apply XSS filters on user input, and check if the entered content is a real URL.

CVE-2022-37162: claroline-CVEs/calendar_xss.md at main · matthieu-hackwitharts/claroline-CVEs

MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the currentRequest parameter.

Tag

#xss