There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.

Esri has released the Portal for ArcGIS Security 2022 Update 1 Patch that resolves two high priority security vulnerabilities and seven medium priority security vulnerabilities across versions 10.9.1, 10.8.1, and 10.7.1.

As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.

This patch addresses two high severity vulnerability and seven medium severity vulnerabilities. This patch is available _here__._

We provide Common Vulnerability Scoring System (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.

Both the base score and a modified temporal score is provided for each issue to reflect the availability of an official patch.  Please see Common Vulnerability Scoring System for more information on how these metrics are defined.

**Vulnerabilities fixed in this patch include:**

There is an **improper access control vulnerability** in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.5 Base Score, 6.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C/MPR:L

**Mitigations**

Disable anonymous access to Portal for ArcGIS

**Vulnerability Details**

**Esri Bug ID:** BUG-000143640

CVE-2022-38184 – Improper Access Control CWE-284 – CVSS 6.2

There is an **improper access control vulnerability** in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.5 Base Score, 6.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C/MPR:L

**Mitigations**

Disable anonymous access to Portal for ArcGIS

**Vulnerability Details**

**Esri Bug ID:** BUG-000143638

CVE: CVE-2022-38184 – Improper Access Control CWE-284 – CVSS 6.2

There is **a reflected XSS vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.1 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L

**Mitigations:**

Disable Anonymous Access to Portal for ArcGIS

**Vulnerability Details:**

**Esri Bug ID:** BUG-000143642

CVE: CVE-2022-38186 – Cross-site Scripting (XSS) CWE-79  – CVSS 6.2

**Acknowledgements:**

Simone La Porta

There is **a reflected XSS vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.1 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L

**Mitigations:**

Disable Anonymous Access to Portal for ArcGIS

**Vulnerability Details:**

**Esri Bug ID:** BUG-000137733

CVE: CVE-2022-38186- Cross-site Scripting (XSS) CWE-79  – CVSS 6.2

There is **a reflected XSS vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.1 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L

**Mitigations:**

Disable Anonymous Access to Portal for ArcGIS

**Vulnerability Details:**

**Esri Bug ID:** BUG-000136544

CVE: CVE-2022-38188 – Cross-site Scripting (XSS) CWE-79  – CVSS 6.2

In Esri Portal for ArcGIS versions 10.8.1, **a system property is not properly encrypted**. This may lead to a local user reading sensitive information from a properties file.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   6.7 Base Score, 6.4 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N/RL:O/RC:C

**Mitigations:**

**Vulnerability Details:**

**Impacts Portal for ArcGIS 10.8.1 ONLY**

**Esri Bug ID:** BUG-000133255

CVE: CVE-2022-38194 –   Missing Encryption of Sensitive Data  CWE-311 – CVSS 5.2

There is **a code injection vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution in a victims browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   6.1 Base Score, 5.8 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID:** BUG-000135726

CVE: CVE-2022-38193 – Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) CWE-95 – CVSS 5.8

There is a **stored Cross Site Scripting (XSS) vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser

Common Vulnerability Scoring System (CVSS v3.1) Details

*   5.7 Base Score, 5.5 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/RL:O

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID:** BUG-000149597

CVE: CVE-2022-38192 – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2

There is a **stored Cross Site Scripting (XSS) vulnerability** in Esri Portal for ArcGIS configurable apps versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser

Common Vulnerability Scoring System (CVSS v3.1) Details

*   5.4 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID:** BUG-000143643

CVE: Coming soon – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2

**Acknowledgements:**

Fredrik Ljung

There is **an HTML injection issue** in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   5.4 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID**: BUG-000138486

CVE: CVE-2022-38191 – Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) CWE-74  – CVSS 5.2

There is a **stored Cross Site Scripting (XSS) vulnerability** in Esri Portal for ArcGIS which may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. This is a separate fix than BUG-000149597.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   5.4 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID:** BUG-000133257

CVE: CVE-2022-38189 – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2

**Acknowledgements:**

Gustavo Silva

**Additional Notes:**

This patch is highly recommended and encouraged for all customers running on versions of ArcGIS Enterprise in mainstream and extended support status. (10.7.1, 10.8.1, and 10.9.1). Customers on older versions of ArcGIS Enterprise are encouraged to upgrade.

CVE-2022-38191: Portal for ArcGIS Security 2022 Update 1 Patch

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

Authenticated stored cross-site scripting (XSS) vulnerability in "Field Server Address" field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload.

Change Mirror Download

    # Exploit Title: Intelbras ATA 200 Authenticated Stored XSS# Date: 17/01/2022# Exploit Author: Leonardo Goncalves# Vendor Homepage: https://www.intelbras.com/pt-br/adaptador-ip-para-telefones-analogicos-ata-200# Version: Firmware 74.19.10.211) Log in the equipment via your web browser2) Go to Management > Syslog3) In the "Field Server Address" inject the payload "-prompt("XSS")-"4) Click Save5) Exploit

CVE-2022-24654: Intelbras ATA 200 Cross Site Scripting ≈ Packet Storm

Inout SiteSearch version 2.0.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                        │ │                                         :│  Website  : inoutscripts.com               │ │                                         ││  Vendor   : Inout Scripts                  │ │                                         ││  Software : Inout SiteSearch 2.0.1         │ │ Inout SiteSearch is a premium script    ││  Vuln Type: Cross Site Scripting Reflected │ │ that allows you to add a site           ││  Method   : GET                            │ │ search feature                          ││  Impact   : Manipulate the content of      │ │                                         ││             the site                       │ │                                         ││────────────────────────────────────────────┘ └─────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL     Phr33k , NK, GoldenX, Wehla, Cap, DarkCatSpace, R0ot, KnG, Centerk, chamanwal  loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, ix7         CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'searchkeyword' is vulnerable to XSShttp://inout-sitesearch.demo.inoutscripts.net/index.php/search/result?searchkeyword=[XSS]Some XSS Payloads Reflectedjavascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'><IMG """><SCRIPT>alert("XSS")</SCRIPT>"\></TITLE><SCRIPT>alert("XSS");</SCRIPT>[-] Done

Inout SiteSearch 2.0.1 Cross Site Scripting

Ubuntu Security Notice 5568-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-5568-1August 15, 2022webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.6-0ubuntu0.22.04.1  libwebkit2gtk-4.0-37            2.36.6-0ubuntu0.22.04.1  libwebkit2gtk-4.1-0             2.36.6-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.6-0ubuntu0.20.04.1  libwebkit2gtk-4.0-37            2.36.6-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5568-1  CVE-2022-2294, CVE-2022-32792, CVE-2022-32816Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.6-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.6-0ubuntu0.20.04.1

Ubuntu Security Notice USN-5568-1

A vulnerability classified as problematic has been found in SourceCodester Guest Management System. This affects an unknown part of the file myform.php. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206397 was assigned to this vulnerability.

CVE-2022-2811

A vulnerability has been found in SourceCodester Simple and Nice Shopping Cart Script and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /mkshope/login.php. The manipulation of the argument msg leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206401 was assigned to this vulnerability.

CVE-2022-2814

The Duplicate Page and Post Plugin WordPress plugin through 2.7 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-2152

The Easy Student Results WordPress plugin through 2.2.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

CVE-2022-2378

The Digital Publications by Supsystic WordPress plugin before 1.7.4 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Tag

#xss