The Better PDF Exporter add-on 10.0.0 for Atlassian Jira is prone to stored XSS via a crafted description to the PDF Templates overview page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-038 Product: Better PDF Exporter for Jira Manufacturer: Midori Global Consulting Kft. Affected Version(s): 10.0.0 Tested Version(s): 9.6.0 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Low Solution Status: Open Manufacturer Notification: 2022-05-27 Solution Date: - Public Disclosure: 2022-07-22 CVE Reference: CVE-2022-36131 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Better PDF Exporter is an add-on for Jira to export Jira artifacts to PDF files. The manufacturer describes the product as follows (see \[1\]): "Better PDF Exporter exports Jira issues to PDF documents to share, print, email, archive and report issues in the standard business document file format." Due to insufficient input validation of user-provided input, Better PDF Exporter is vulnerable to cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The 'PDF Templates' overview is prone to a stored cross-site scripting attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the web browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer\[1\] was used in a local Jira Server\[4\] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The 'PDF Template' view in the administration back end can be exploited for an attack. After entering the attack vector "" in the description field of a PDF template, the following request is sent to the server: POST /rest/com.midori.jira.plugin.pdfview/1.0/pdf-resource/30 HTTP/2 Host: \[REDACTED\] Cookie: Content-Length: 153 Sec-Ch-Ua:"Not A;Brand";v="99","Google Chrome";v="101" Accept: \*/\* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: "Linux" Origin: \[REDACTED\] Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: \[REDACTED\]/secure/update-pdf-resource.jspa?id=30 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 name=Pentest.pdf&description=%3cscript%3ealert('SySS\_PXSS\_PoC')%3b%3c %2fscript%3e&content=content By calling the 'PDF Template' overview page through the URL "https://\[REDACTED\]/secure/pdf-resources.jspa", the payload is loaded and executed. The payload is listed in the following response: ... Pentest.pdf

CVE-2022-36131

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

By uploading SVG files, the users can perform Stored XSS attack.

**Payload**

Copy the following code and save as filename.svg. <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

**Proof of Concept**

\[1\] Login as admin.

\[2\] upload the payload injected SVG file at https://demo.microweber.org/demo/admin/view:modules/load_module:files

\[3\] Copy the uploaded svg file url and open in new tab.

\[4\] XSS!

**Impact**

If an attacker can execute the script in the victim's browser via SVG file, they might compromise that user by stealing its cookies.

CVE-2022-2495: Stored XSS via SVG File  in microweber

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.

**Description**

openemr / openemr is vulnerable to Cross-site Scripting (XSS) - Stored

**Proof of Concept**

    // Poc 
    <script>alert(document.cookie)</script>
    

steps to reproduce:

    1) login open emr patient portal https://demo.openemr.io/openemr/portal/index.php
    
    2) goto my profile in https://demo.openemr.io/openemr/portal/home.php
    
    ​3)click on pending review.
    
    4)add the payload in the first name /middle name  (<script>alert(document.cookie)</script>)
    
    5) click  submit changes
    
    6) after that we get an with Error: Patient was successfully updated
    
    7) on clicking  pending review  the xss wil be triggered
    

**Impact**

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

CVE-2022-2494: Cross-site Scripting (XSS) - Stored in openemr

A vulnerability in the web-based management interface of Cisco IoT Control Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

**

Summary

**

*   A vulnerability in the web-based management interface of Cisco IoT Control Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
    
    This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    This advisory is available at the following link:  
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iotcc-xss-WQrCLRVd
    

**

Affected Products

**

*   This vulnerability affects Cisco IoT Control Center, which is cloud based.
    
    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
    

**

Workarounds

**

*   There are no workarounds that address this vulnerability.
    

**

Fixed Software

**

*   Cisco has addressed this vulnerability in Cisco IoT Control Center, which is cloud based. No user action is required.
    
    Customers who need additional information are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    

**

Exploitation and Public Announcements

**

*   The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
    

**

Source

**

*   Cisco would like to thank Ahmad Ali Almegbas for reporting this vulnerability.
    

**

Cisco Security Vulnerability Policy

**

*   To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
    

**

Related to This Advisory

**

**

URL

**

**

Revision History

**

*   Version
    
    Description
    
    Section
    
    Status
    
    Date
    
    1.0
    
    Initial public release.
    
    \-
    
    Final
    
    2022-JUL-20
    
    Show Less
    

**

Legal Disclaimer

**

*   THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
    
    A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
    

**

Feedback

**

CVE-2022-20916: Cisco Security Advisory: Cisco IoT Control Center Cross-Site Scripting Vulnerability

By Deeba Ahmed
The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back…
This is a post from HackRead.com Read the original post: Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

****The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back in September 2021 yet it has not fixed the issue.****

Cybersecurity startup BitSight has identified six flaws in the GPS tracker MV720 manufactured by China-based MiCODUS. According to the IT security researchers at BitSight the critical security vulnerabilities were present in MV720 GPS trackers, used primarily for tracking vehicle fleets. The vulnerabilities can allow hackers to track, stop, and control vehicles remotely.

For your information, MV720 is a hardwired GPS tracker worth around $20. The Shenzhen-based MiCODUS electronics maker claims that 1.5 million of its GPS trackers are currently in use by over 420,000 customers across 169 countries.

Furthermore, its clients include several Fortune 50 companies, shipping, aerospace, government, military, critical infrastructure, law enforcement agencies, and a nuclear power plant operator.

**Vulnerabilities Details**

BitSight has detected six severe vulnerabilities in the abovementioned tracker, which can be easily exploited remotely to track a vehicle in real-time, get information about previous routes, and even cut the vehicles’ engines when in motion.

BitSight’s principal security researcher and report author, Pedro Umbelino, explained that the vulnerabilities’ easy exploitation raises “significant questions” about the company’s products as the bugs may not be restricted to one GPS tracker model. He believes the same flaws are present in other tracker models.

MV720 GPS tracker

**Dangers Posed by the Flaws**

According to BitSight’s blog post, one flaw in MV720 is in unencrypted HTTP communications, allowing hackers to remotely conduct adversary-in-the-middle attacks (AiTM) to intercept/change the requests exchanged between the servers and the mobile application.

Another flaw is found in the tracker’s authentication mechanism in the mobile app, which lets attackers access the hardcoded key to lock down the trackers and use a custom IP address. This enables hackers to monitor and control communications to and from the device.

The vulnerability tracked as CVE-2022-2107 is assigned a severity rating of 9.8 out of 10. It is a hardcoded password that MiCODUS trackers use as a master password. If obtained by hackers, they can use this passcode to log into the web server and pose as an authentic user to send commands to the tracker via SMS communications.

Hence, they can fully control any GPS tracker, access location details, disarm the alarm, change routes and geofences, and cut off vehicles’ fuel.

Another vulnerability tracked as CVE-2022-2141 enables a broken authentication state in the protocol used by the tracker to communicate with the MiCODUS server. Then there’s a reflected cross-site scripting error identified in the Web server. Tracking designations of other vulnerabilities are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

In its technical write-up , BitSight warned MiCODUS in September 2021 about the flaws. However, after the company’s lukewarm response, CISA and BitSight decided to make the findings public. The vulnerabilities are still unpatched. BitSight recommends that all organizations and individuals using MV720 GPS trackers immediately disable the devices until they are patched.

> Organizations and individuals using MV720 devices in their vehicles are at risk. Leveraging our proprietary data sets, BitSight discovered MiCODUS devices used in 169 countries by organizations including government agencies, military, and law enforcement, as well as businesses spanning a variety of sectors and industries including aerospace, energy, engineering, manufacturing, shipping, and more. Given the impact and severity of the vulnerabilities found, it is highly recommended that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.
> 
> BitSight

1.  Woman Follows GPS, Goes Straight into Lake
2.  600,000 GPS child trackers found vulnerable to location tracking
3.  Security Flaws in GPS Trackers Puts Millions of Devices’ Data at Risk
4.  Shoddy security of smartwatch lets hackers access your child’s location
5.  Strava’s Global Heat Map Exposes User Locations Including Military Bases

Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

The Monroe Electronics / Digital Alert Systems OneNet SE DASDEC Emergency Alert System Appliance suffers from cross site scripting and html injection vulnerabilities.

DASDEC Cross Site Scripting / HTML Injection

Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.

CVE-2022-31475: GiveWP – Donation Plugin and Fundraising Platform

Authenticated Stored Cross-Site Scripting (XSS) vulnerability in Florent Maillefaud's WP Maintenance plugin <= 6.0.7 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

The WP Maintenance plugin allows you to put your website on the waiting time for you to do maintenance or launch your website. Personalize this page, pictures and countdown with:

**Features**

*   Choice texts colors and fonts
*   Upload logo picture
*   Upload background picture or pattern
*   Countdown
*   Custom Code Header for Analytics ready
*   Social Networks ready
*   Customize CSS
*   Insert for shorcode (Newletter or Contact form)
*   Enable “503 Service temporarily unavailable”
*   Choose access by Roles and Capabilities
*   Choose access by IP address
*   Choose access by ID Pages

wp-maintenance.pot file available

1.  Upload the full directory into your ‘/wp-content/plugins’ directory
2.  Activate the plugin at the plugin administration page

You will find ‘WP Maintenance’ menu in your WordPress admin panel

**WP Maintenance Needs Your Support**

It is hard to continue development and support for this free plugin without contributions from users like you. If you enjoy using WP Maintenance and find it useful, please consider making a donation. Your donation will help encourage and support the plugin’s continued development and better user support.

**I have activated plugin and don’t see any changes, looks like plugin is not working.**

This is normal because you are logged in as an administrator. Try a different browser or use the preview link. If you have registered as a wordpress user, you see the site in normal mode.

**I have disabled plugin but I don’t see any changes, I have always the maintenance page, looks like plugin is not working.**

You have a cache plugin ? Try to purge it and try again.

**Where can I find out the login page to get to the site?**

You can use your administrator access or create new user in wordpress dashboard  
https://yousite.com/wp-admin/

**Can I change the plugin code?**

Yes. Thank you for submitting your changes to update the plugin.

**Translations**

You can translate WP Maintenance on **translate.wordpress.org**.

très bon plugin, seul bémol il ne fonctionne pas sur les mobiles, impossible de l'activer sur les mobiles

Propre, efficace, maintenue, gratuite, que demander de + ? Merci au dev !

Efficace et pratique. Merci à l'Auteur

Je pensais avoir trouvé un super widget avec celle-ci, mais elle réagit vraiment bizarrement au point ou parfois on perd du temps pour savoir si des choses marchent. La page rs notamment. On dit que l'on peut mettre ses propres images rs. Cela ne marche pas... et je ne sais pas pourquoi... d'autant que l'appli semble vous aider en ajoutant l'url du dossier de destination. Mais quand vous complétez le chemin et enregistrez... ben il commence forcement l'enregistrement par https... parmi les icônes proposées une série fonctionne pas... tout ça est bien dommage. Enfin si l'auteur peut déjà "clarifier" et comment on met ses propres icones ce serait cool.

Отличный дизайн плагина и полный перевод на русский язык. Спасибо!

3 mn chrono pour ma page ! Bravo.

Read all 71 reviews

“WP Maintenance” is open source software. The following people have contributed to this plugin.

Contributors

*    Florent Maillefaud

CVE-2022-30536: WP Maintenance

Jira, Bamboo, Bitbucket, Confluence, Fisheye/Crucible, and Questions for Confluence affected

Jira, Bamboo, Bitbucket, Confluence, Fisheye/Crucible, and Questions for Confluence affected

Atlassian has addressed a hardcoded credential flaw in Questions for Confluence and servlet filter bypasses in multiple other products.

The Australian vendor of software development and collaboration tools issued security advisories with instructions for applying updates and mitigations yesterday (July 20).

**Servlet filter bypasses**

The servlet filter bypass flaws affect multiple versions of Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Fisheye and Crucible, Jira Server and Data Center, and Jira Service Management Server and Data Center.

Fixes have been deployed to Atlassian Cloud sites.

Servlet filters intercept and process HTTP requests before a client request is sent to a backend resource, and from a backend resource before they’re sent to a client.

A vulnerability tracked as CVE-2022-26136 allowed an unauthenticated attacker to bypass servlet filters used by as-yet unspecified first- and third-party apps.

The impact depends on which filters an app uses and how they are used, said Atlassian.

Catch up with the latest security vulnerability news

“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences,” reads the security advisory.

Atlassian has ascertained that unauthenticated attackers could send a specially crafted HTTP request to bypass custom servlet filters and authentication used by third party apps to enforce authentication, or to bypass the servlet filter used to validate legitimate Atlassian Gadgets and achieve cross-site scripting (XSS).

Another vulnerability allows an unauthenticated attacker to cause additional servlet filters to be invoked when the application processes requests or responses (CVE-2022-26137).

Atlassian said it has addressed the only known, related security issue – a cross-origin resource sharing (CORS) bypass whereby a specially crafted HTTP request could invoke the servlet filter used to respond to CORS requests.

**Questions for Confluence**

The hardcoded credential in Questions for Confluence, a forum-style app for enterprise wiki platform Confluence, is created for a user account with the username , which supports administrators in migrating data from the app to Confluence Cloud.

The account “is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default”, reads the corresponding security advisory.

“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.”

“While Atlassian has not received any reports of this issue being exploited in the wild, the hardcoded password is trivial to obtain,” said Atlassian.

The flaw (CVE-2022-26138) applies when the Questions for Confluence app is enabled on Confluence Server or Data Center. Confluence Cloud is unaffected.

Atlassian has warned that uninstalling the Questions for Confluence app does not alone remediate the vulnerability, since doing do fails to remove the account.

Instead, users must either manually deactivate or delete these accounts or update Questions for Confluence to version 2.7.38 or 3.0.5, which removes as well as stops creating the user account in question.

Users can determine whether the flaw has been exploited on their instance by reviewing users’ last logon times. “If the last authentication time for is null, that means the account exists but no one has ever logged into it,” said Atlassian.

RELATED Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

Atlassian patches batch of critical vulnerabilities across multiple products

Researchers have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular automotive tracking device.
The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.

Researchers at BitSight have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device.

The vulnerabilities are severe enough for the Cybersecurity & Infrastructure Security Agency (CISA) to publish a Security Advisory titled ICSA-22-200-01: MiCODUS MV720 GPS Tracker.

**What’s happened?**

The MiCODUS MV720 is a hardwired GPS tracker that offers anti-theft, fuel cut off, remote control and geofencing capabilities. In total, there are 1.5 million of these devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.

If the vulnerabilities are successfully exploited, an attacker could take control of the tracker, giving them access to location, routes, and fuel cutoff commands, as well as the ability to disarm various features like alarms. The found vulnerabilities are very diverse and would imply that the application was not built with security in mind. Or certainly not top of mind.

**The vulnerabilities****Hard coded credentials**

CVE-2022-2107: The API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.

**Improper authentication**

CVE-2022-2141: SMS-based GPS commands can be executed without authentication.

**Improper neutralization of input during web page generation**

CVE-2022-21999: The main web server has a reflected cross-site scripting (XSS) vulnerability that could allow an attacker to gain control by tricking a user into making a request.

**Authorization bypass through user-controlled key**

CVE-2022-34150: The main web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.

**Another authorization bypass through user-controlled key**

CVE-2022-33944: The main web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs.

Exploiting these vulnerabilities could potentially put drivers in danger and disrupt supply chains. In fact, there are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.

**Mitigation**

Since MiCODUS has not provided updates or patches to mitigate these vulnerabilities, users are advised to turn the vulnerable devices off.

The researchers first contacted MiCODUS about the vulnerabilities in September 2021, and due to a lack of response CISA and BitSight decided to publish their research.

Tag

#xss