The notification module displaying flash messages unscapes HTML coming from the server, resulting in XSS vulnerabilities with various names and labels of entities (eg. workspace title or media title). This however means you must be a logged in user with respective rights in the first place to leverage the attack vector.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-jfxf-4frr-9j3q

**XSS in various backend modules due to (un)escaping in JS notification module**

**Package**

**Affected versions**

\>= 3.3, < 5.3.10

\>= 7.0.0, < 7.0.9

\>= 7.1.0, < 7.1.7

\>= 7.2.0, < 7.2.6

\>= 7.3.0, < 7.3.4

\>= 8.0.0, < 8.0.2

**Patched versions**

5.3.10

7.0.9

7.1.7

7.2.6

7.3.4

8.0.2

**Description**

**Weaknesses**

**GHSA ID**

GHSA-jfxf-4frr-9j3q

**Source code**

Improvements are not currently accepted on this advisory because it uses an unsupported versioning operator. Read more and discuss here.

GHSA-jfxf-4frr-9j3q: XSS in various backend modules due to (un)escaping in JS notification module

Persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin <= 1.8.7 at WordPress.

 Not fixed

**4.7**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Vulnerable versions

<= 1.8.7

PSID 

acdd9e726151

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Can be exploited remotely without any authentication

Credits

 BEE-K (Patchstack)

Publicly disclosed

2022-04-21

**Details**

Persistent Cross-Site Scripting (XSS) vulnerability discovered in Advanced Contact form 7 DB plugin (versions <= 1.8.7) by BEE-K.

**Solution**

Deactivate the plugin.

**References**

Plugin page Changelog CVE-2022-29408

CVE-2022-29408: WordPress Advanced Contact form 7 DB plugin <= 1.8.7 - Persistent Cross-Site Scripting (XSS) vulnerability - Patchstack

When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.

CVE-2021-32989

Academy-LMS v4.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the SEO panel.

    # Exploit Title: Academy-LMS 4.3 - Stored XSS
    # Date: 19/12/2020
    # Vendor page: https://academy-lms.com/
    # Version: 4.3
    # Tested on Win10 and Google Chrome
    # Exploit Author: Vinicius Alves
    
    # XSS Payload: "><h1>STORED XSS</h1> (Scripts tag blocked)
    
    1) Access LMS and log in to admin panel
    2) Access courses page
    3) Open course manager and SEO menu
    4) Paste the XSS Payload tag and Submit
    5) Access the course page on frontend
    6) Exploited!

CVE-2022-29380: Offensive Security’s Exploit Database Archive

In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8

The Apache Archiva team is pleased to announce the release of Archiva 2.2.8. Archiva is available for download from the web site.

Archiva is an application for managing one or more remote repositories, including administration, artifact handling, browsing and searching.

This is a security fix release. Users are advised to update their systems to the new version as soon as possible.

For further information see: https://archiva.apache.org/security.html

If you have any questions, please consult:

*   the web site: https://archiva.apache.org/
*   the archiva-user mailing list: https://archiva.apache.org/mailing-lists.html

**New in Archiva 2.2.8**

Apache Archiva 2.2.8 is a security fix release:

**Compatibility Changes**

*   There are no compatibility changes

**New Feature**

*   There are no new features in this release.

**Improvements**

*   There are no improvements

**Bug/Security Fix**

*   CVE-2022-29405 Apache Archiva Arbitrary user password reset vulnerability

**Previous Release Notes**

**Release Notes for Archiva 2.2.7**

Apache Archiva 2.2.7 is a security fix release:

Released: 2022-12-22

**Compatibility Changes**

*   \[MRM-2021\] There is a new flag 'literalVersion=true/false' for service archivaServices/searchService/artifact which allows to change the behaviour for v=LATEST search.

**New Feature**

*   There are no new features in this release.

**Improvements**

*   There are no improvements

**Bug/Security Fix**

*   \[MRM-2027\] Update of the log4j2 version to 2.17.0
*   \[MRM-2020\] Fixed the behaviour of the startup script, if ARCHIVA\_BASE is set (separating installation and data directory)
*   \[MRM-2022\] Fixed the handling of X-XSRF-TOKEN header in Javascript calls

**Release Notes for Archiva 2.2.6**

Apache Archiva 2.2.6 is a security fix release:

Released: 2021-12-15

**Compatibility Changes**

*   No API changes or known side effects.

**New Feature**

*   There are no new features in this release.

**Improvements**

*   There are no improvements

**Bug/Security Fix**

*   Update of the log4j2 version to mitigate the log4j2 vulnerability (CVE-2021-44228)
*   Deactivated directory listings by the file servlet

**Release Notes for Archiva 2.2.5**

Apache Archiva 2.2.5 is a bug fix release:

Released: 2020-06-19

**Compatibility Changes**

*   No API changes or known side effects.

**New Feature**

*   There are no new features in this release.

**Improvements**

*   There are no improvements

**Bug Fix**

*   \[MRM-2008\] Fix for group names with slashes
*   Better handling of LDAP filter

**Release Notes for Archiva 2.2.4**

Apache Archiva 2.2.4 is a bug fix release:

*   Fixes for handling of artifacts
*   Improved validation of REST calls

**Compatibility Changes**

No API changes or known side effects.

Released: 2019-04-30

**New Feature**

*   There are no new features in this release.

**Improvements**

*   Adding additional validation to REST service calls for artifact upload

**Bug Fix**

*   \[MRM-1972\] Stored XSS in Web UI Organization Name
*   \[MRM-1966\] Repository-purge not working
*   \[MRM-1958\] Purge by retention count deletes files but leaves history on website.
*   \[MRM-1929\] Repository purge is not reflected in index

**Release Notes for Archiva 2.2.3**

**New in Archiva 2.2.3**

Apache Archiva 2.2.3 is a bug fix release:

*   Some fixes for the REST API were added to detect requests from unknown origin
*   Some bugfixes were added

**Compatibility Changes**

*   The REST services are now checking for the origin of the requests by analysing Origin and Referer header of the HTTP requests and adding an validation token to the Header. This prevents requests from malicious sites if they are open in the same browser. If you use the REST services from other clients you may change the behaviour with the new configuration properties for the redback security (rest.csrffilter.\*, rest.baseUrl). For more information see Archiva Security Configuration and the Redback REST documentation .
    
    **Note:** If your archiva installation is behind a reverse proxy or load balancer, it may be possible that the Archiva Web UI does not load after the upgrade. If this is the case you may access the WebUI via localhost or edit archiva.xml manually. In the "Redback Runtime Configuration" properties you have to enter the base URLs of your archiva installation to the rest.baseUrl field.
    
*   Archiva uses redback for authentication and authorization in version 2.6

**Change List**

Released: **2017-05-13**

**New Feature**

**Improvement**

*   \[MRM-1925\] - Make User-Agent header configurable for HTTP requests
*   \[MRM-1861\], \[MRM-1924\] - Increasing timeouts for repository check
*   \[MRM-1937\] - Prevent creating initial admin user with wrong name.
*   Adding origin header validation checks for REST requests

**Bug Fix**

*   \[MRM-1859\] - Error upon viewing 'Artifacts' tab when browsing an artifact
*   \[MRM-1874\] - Login Dialog triggers multiple events (+messages)
*   \[MRM-1908\] - Logged on users can write any repository
*   \[MRM-1909\] - Remote repository check fails for https://repo.maven.apache.org/maven2
*   \[MRM-1923\] - Fixing bind issue with certain ldap servers, when user not found
*   \[MRM-1926\] - Invalid checksum files in Archiva repository after download from remote repository
*   \[MRM-1928\] - Bad redirect URL when using Archiva through HTTP reverse proxy
*   \[MRM-1933\] - No message body writer has been found for class org.apache.archiva.rest.services.ArchivaRestError
*   \[MRM-1940\] - Slashes appended to remote repo url

**Release Notes for Archiva 2.2.1**

**New in Archiva 2.2.1**

Apache Archiva 2.2.1 is a bugs fix release:

NOTE: jdk 1.7 is now prerequisite with Apache Archiva 2.2.1

**Compatibility Changes**

If using the Cassandra backend, the metadatafacet column 'key' has been renamed to 'facetKey' in 2.2.0 so you should copy the data to the new column manually. If upgrading from earlier versions of Archiva, the list of libraries in wrapper.conf has changed. If you have customized your copy of wrapper.conf, please update it for compatibility with the version distributed with the current release. As the database storage has been removed, you can remove the JNDI entry for jdbc/archiva.

Refer to the Upgrading Archiva guide for more information.

**List of Changes**

**Improvement**

*   \[MRM-1201\] - Artifact upload success message should mention the classifier
*   \[MRM-1906\] - Allowing filtering of LDAP groups

**Bug Fix**

*   \[MRM-1873\] - archiva doesn't recognise ldap-group to ldap-users mapping
*   \[MRM-1877\] - Checksum files always recreated
*   \[MRM-1879\] - Bug in create-missing-checksum consumer
*   \[MRM-1886\] - View Artifact Content Action does not Work
*   \[MRM-1887\] - Syntax error in DOAP file release section; wrong bug- database URL
*   \[MRM-1892\] - Only One Page of Proxy Connector Rules Shown
*   \[MRM-1893\] - Please delete old releases from mirroring system
*   \[MRM-1896\] - Invalid link to license
*   \[MRM-1914\] - Maven cannot find dependency

**Release Notes for Archiva 2.2.0**

**New in Archiva 2.2.0**

Apache Archiva 2.2.0 is a bugs fix release:

NOTE: jdk 1.7 is now prerequisite with Apache Archiva 2.2.0

**Compatibility Changes**

If using the Cassandra backend, the metadatafacet column 'key' has been renamed to 'facetKey' in 2.2.0 so you should copy the data to the new column manually. If upgrading from earlier versions of Archiva, the list of libraries in wrapper.conf has changed. If you have customized your copy of wrapper.conf, please update it for compatibility with the version distributed with the current release. As the database storage has been removed, you can remove the JNDI entry for jdbc/archiva. After upgrading from a previous version, you will have to run a full scan to populate the new JCR Repository. This will be done on first start of Archiva.

Refer to the Upgrading Archiva guide for more information.

**List of Changes in Archiva 2.2.0**

**New Feature**

*   \[MRM-1867\] - Adding a find jar by checksum functionality to the REST api

**Improvement**

*   \[MRM-1390\] - Generic metadata should be searcheable in Archiva search
*   \[MRM-1844\] - Allow LDAP groupOfNames

**Bug Fix**

*   \[MRM-770\] - Archiva web client does not recognize classifier
*   \[MRM-813\] - Audit log is reporting "Modify File (proxied)" when no proxy connectors exist and the file has not changed
*   \[MRM-837\] - Cannot download SNAPSHOT version
*   \[MRM-935\] - Archiva doesn't supports artifact with _version_SNAPSHOT_/version_
*   \[MRM-1145\] - RSS tests do not correctly check responses
*   \[MRM-1311\] - Logging in ArtifactMissingChecksumsConsumer does not appear in the logs even if configured properly
*   \[MRM-1486\] - ldap.config.mapper.attribute.user.filter using ldap not working correctly with commas.
*   \[MRM-1767\] - When selecting a specific repository to browse, I get an error that I don't have sufficient privileges.
*   \[MRM-1807\] - Archiva wrapper fail to start
*   \[MRM-1810\] - LDAP - groups config not available in Users Runtime Configuration - Properties
*   \[MRM-1811\] - Users - Manage section: pagination needs to change
*   \[MRM-1846\] - Regression in 2.0.1 : uniqueVersion false not supported
*   \[MRM-1848\] - download links for files mult-dot extensions incorrect in Browse view
*   \[MRM-1851\] - generic metadata GUI broken
*   \[MRM-1860\] - ClassNotFound exception with JBoss
*   \[MRM-1863\] - RepositoryGroup URL is not build using the Application URL
*   \[MRM-1864\] - Default configuration for central should now use SSL
*   \[MRM-1871\] - ConcurrentModificationException in DefaultRepositoryProxyConnectors
*   \[MRM-1873\] - archiva doesn't recognise ldap-group to ldap-users mapping

**Task**

*   \[MRM-1359\] - Remove Maven 1.x functionality
*   \[MRM-1865\] - remove isPermanent from Consumer API

**History**

Archiva was started in November 2005, building a simple framework on top of some existing repository conversion tools within the Maven project. Initial development focused on repository conversion, error reporting, and indexing. From January 2006 a web application was started to visualise the information and to start incorporating functionality from the unmaintained maven-proxy project.

Development continued through many stops and starts. Initial versions of Archiva were built from source by contributors, and the first alpha version was not released until April 2007. Some significant changes were made to improve performance and functionality in June 2007 and over the next 6 months and a series of alpha and beta releases, a concerted effort was made to release the 1.0 version.

Archiva became an Apache "top level project" in March 2008.

CVE-2022-29405: Archiva Documentation – Release Notes for Archiva 2.2.8

A stored cross-site scripting (XSS) vulnerability in /scas/?page=clubs/application_form&id=7 of School Club Application System v0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the firstname parameter.

Submitted by oretnom23 on Thursday, April 7, 2022 - 17:48.

****Introduction****

This simple project is a **School Clubs Application System**. This is a web-based application project developed in **PHP** and **MySQL Database**. this application provides an online platform for exploring the different clubs in certain schools and submitting a membership application. This project has a simple and pleasant user interface using **Material Kit 2 Template** and **Bootstrap 5 Framework**. It consists of user-friendly features and functionalities.

****About the School Clubs Application System****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Google Material Icon**
*   **Material Kit 2 Template**

This **School Clubs Application System** is accessible to the **School Management, Club's Admin/Staff, and Students**. The **Management Site** is the side of the system where the school management has the privilege to access and manage the list of the school's student clubs. This site requires the **Admin Type** user credentials in order to gain access to the features and functionalities of this site. The **admin users** are the only ones who can register the **Club's Admin/Staff Users**. The **Club's Admin/Staff site** is the side of the application where the admin or staff of a certain club can manage the membership applications to their club submitted on the system. They can also update the application status. They can also view the basic information of the applicant including their contact information where they can reach back to the application according to their application. The students can access only the public site of the application where they are allowed to explore the active clubs of the school and read the information about each club.

****Features********Admin-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Club Management**
    *   Add New Club
    *   List All Clubs
    *   View Club Details
    *   Edit Club Details
    *   Delete Club Details
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Delete User Details
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Club's Admin/Staff-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Application Management**
    *   Add New Application
    *   List All Applications
    *   View Application Details
    *   Edit Application Details
    *   Delete Application Details
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Public-Side****

*   **Home Page**
    *   Display the Welcome Content.
*   **'About Us' Content**
*   **List All Active Clubs**
*   **View Club's Details**
*   **Club's Application Form**
*   **Submit Application**
*   **Login and Logout**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Public-Side's Club List****

****Admin-Side Home Page****

****Club Details (Admin-Side)****

****User Details (Admin-Side)****

****Club's Admin/Staff-Side Home Page****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)
*   **Download** the project assets at https://www.dropbox.com/s/tocky9atdwtk1gs/scas\_assets.zip?dl=1

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Extract** the **downloaded assets **zip** file**.
6.  **Copy** the extracted assets folder and **paste** it into the **source code** root path.
7.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
8.  **Create** a **new database** naming ****scas\_db****.
9.  **Import** the provided ****SQL**** file. The file is known as ****scas\_db.sql**** located inside the **database** folder.
10.  **Browse** the **School Clubs Application System** in a **browser**. i.e. ****http://localhost/scas/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **School Clubs Application System** in **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   1578 views

CVE-2022-29359: School Club Application System in PHP/OOP Free Source Code

A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.

@@ -2,8 +2,7 @@ <div class\='pagetitle h3'\><?php eT('Confirm uploaded plugin'); ?></div\>  
<?php // Only show config summary if config could be found. ?> <?php if (isset($config)): ?>  
<?php if (isset($config)) : ?> <?php echo CHtml::form( Yii::app()->getController()->createUrl( '/admin/pluginmanager', @@ -16,14 +15,14 @@  
<input type\="hidden" name\="isUpdate" value\="<?php echo json\_encode($isUpdate); ?>" />  
<?php if ($isUpdate): ?> <?php if ($isUpdate) : ?> <div class\='alert alert-info'\> <p\> <i class\='fa fa-info'\></i\>&nbsp; <?php eT('The following plugin will be updated. Please click "Update" to update the plugin, or "Abort" to abort.'); ?> </p\> </div\> <?php else: ?> <?php else : ?> <div class\='alert alert-info'\> <p\> <i class\='fa fa-info'\></i\>&nbsp; @@ -35,33 +34,33 @@  <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Name:"); ?></label\> <div class\="col-sm-4"\><?php echo $config\->getName(); ?></div\> <div class\="col-sm-4"\><?\=htmlentities($config\->getName()); ?></div\> </div\>  
 <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Description:"); ?></label\> <div class\="col-sm-8"\><?php echo $config\->getDescription(); ?></div\> <div class\="col-sm-8"\><?\=htmlentities($config\->getDescription()); ?></div\>

**This comment has been minimized.**

Copy link

****Shnoulle** Apr 20, 2022**

Collaborator

Hu … some plugin have HTML or markdown in descrition.

Since this plugin part are PHP system and can not be updated by simple user. I really think it's a bad idea …

**This comment has been minimized.**

Copy link

****Shnoulle** Apr 20, 2022 •**

Collaborator

Oups : only upload confirm. Maybe then …  
But htmlentities : striptags or filter …

</div\>  
 <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Version:"); ?></label\> <div class\="col-sm-4"\><?php echo $config\->getVersion(); ?></div\> <div class\="col-sm-4"\><?\=htmlentities($config\->getVersion()); ?></div\> </div\>  
 <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Author:"); ?></label\> <div class\="col-sm-4"\><?php echo $config\->getAuthor(); ?></div\> <div class\="col-sm-4"\><?\=htmlentities($config\->getAuthor()); ?></div\> </div\>  
 <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\><?php eT("Compatible"); ?></label\> <?php if ($config\->isCompatible()): ?> <?php if ($config\->isCompatible()) : ?> <div class\="col-sm-4"\><span class\="fa fa-check text-success"\></span\></div\> <?php else: ?> <?php else : ?> <div class\="col-sm-4"\><span class\="fa fa-times text-warning"\></span\></div\> <?php endif; ?> </div\> @@ -70,9 +69,9 @@ <div class\="form-group col-sm-12"\> <label class\="col-sm-4 control-label"\></label\> <div class\="col-sm-4"\> <?php if ($isUpdate): ?> <?php if ($isUpdate) : ?> <input type\="submit" class\="btn btn-success" value\="<?php eT("Update");?>" /> <?php else: ?> <?php else : ?> <input type\="submit" class\="btn btn-success" value\="<?php eT("Install");?>" /> <?php endif; ?> <a href\="<?php echo $abortUrl; ?>" class\="btn btn-warning" data-dismiss\="modal"\><?php eT("Abort");?></a\> @@ -81,8 +80,7 @@  
</form\>  
<?php else: ?>  
<?php else : ?> <div class\='alert alert-warning'\> <p\> <i class\='fa fa-warning'\></i\>&nbsp;

CVE-2022-29710: Fixed issue: [security] Minor XSS issue in plugin overview - reported… · LimeSurvey/LimeSurvey@f7b3561

kkFileView v4.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the url parameter at /controller/OnlinePreviewController.java.

kkFileview v4.0.0 has an XSS vulnerability, which may lead to the leakage of website cookies.

kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java文件59行，url参数用户可控，且没有过滤特殊字符就输出到了页面

The vulnerability code is located at line 59 in kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java , The url parameter is user-controllable, and it is output to the page without filtering special characters

        public String onlinePreview(String url, Model model, HttpServletRequest req) {
            String fileUrl;
            try {
                fileUrl = new String(Base64.decodeBase64(url), StandardCharsets.UTF_8);
            } catch (Exception ex) {
                String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "url");
                return otherFilePreview.notSupportedFile(model, errorMsg);
            }
            if (!allowPreview(fileUrl)) {
                return otherFilePreview.notSupportedFile(model, "该文件不允许预览：" + fileUrl);
            }
            FileAttribute fileAttribute = fileHandlerService.getFileAttribute(fileUrl, req);
            model.addAttribute("file", fileAttribute);
            FilePreview filePreview = previewFactory.get(fileAttribute);
            logger.info("预览文件url：{}，previewType：{}", fileUrl, fileAttribute.getType());
            return filePreview.filePreviewHandle(fileUrl, model, fileAttribute);
        }

CVE-2022-29349: XSS Vulnerability · Issue #347 · kekingcn/kkFileView

A cross-site scripting (XSS) vulnerability in /navigation/create?ParentID=%23 of ZKEACMS v3.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ParentID parameter.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-29362: There is XSS vulnerability that can be able to obtain sensitive user information in the foreground · Issue #457 · SeriaWei/ZKEACMS

But there was a substantial drop in the overall number of critical vulnerabilities that the company disclosed last year, new analysis shows.

The number of privilege escalation bugs in Microsoft's products increased for the second year in a row in 2021, highlighting the growing risk this vulnerability category poses for organizations.

BeyondTrust recently analyzed data from Microsoft vulnerability disclosures in 2021 and found that 588 — or 49% — of the total 1,212 bugs that the company disclosed gave attackers a way to elevate privileges on compromised systems and networks. The number represented a 5% increase from the 559 privilege escalation bugs in Microsoft products that BeyondTrust counted in 2020, when such bugs also eclipsed all other categories of vulns in the company's technologies.

The trend is important because organizations sometimes tend to pay less attention to privilege escalation vulnerabilities than other bugs because often, they can only be exploited after an attacker has already compromised a system. "Elevation of privilege bugs do not get the same attention from organizations" as some other vulnerabilities, says Tim McGuffin, director of adversarial engineering at LARES Consulting. Most organizations focus on preventing initial compromise, which can come from remote code execution vulnerabilities and other flaws, he says. "But \[they\] often de-prioritize patches for EoP vulns and wait until quarterly or annual patch cycles."

**A New Trend**

The number of privilege escalation vulnerabilities in Microsoft's technologies increased last year even as the overall number of reported bugs in the company's products declined for the first time in years. The 1,212 bugs that Microsoft disclosed in 2021 was about 5% lower than the 1,268 bugs it reported in 2020. That was in sharp contrast to the previous four years, which saw a near doubling in bugs — from 451 in 2016 to 858 in 2019.

BeyondTrust also observed a 47% decrease in the number of critical vulnerabilities that Microsoft disclosed in 2021 — 104 compared to 196 in 2020. The number of Windows OS vulnerabilities, too, dropped dramatically in 2021 — from a record 907 vulnerabilities across Windows 7, Windows RT, Windows 8/8.1, and Windows 10 to just 507 last year.

Remote code execution vulnerabilities, which were the most common type of security issue in Microsoft products until 2019, ranked second last year at 326, followed by information disclosure vulnerabilities (119), spoofing (66), and denial of service bugs (55). Microsoft reported a total of 44 security bypass vulnerabilities last year and 3 issues related to tampering. BeyondTrust observed declines in other vulnerabilities such as in overflow, memory corruption, and cross-site scripting flaws in Microsoft technologies. Cumulatively, there were 215 fewer vulnerabilities across these three categories in 2021 compared to the prior year.

The vendor ascribed several likely reasons for the Microsoft vulnerability reductions last year, including better security and coding practices on Microsoft's part; end of life of Windows 7 and other products: and the shift of more enterprise workloads and services to the cloud.

**Fewer Critical Vulnerabilities**

"A drop in critical vulnerabilities reported from 196 to 104 is great news," says Richard Stiennon, chief research analyst at IT-Harvest. "Yet it's hard to derive insights from just the numbers."

The increase in privilege escalation vulnerabilities, for instance, is significant because it indicates that researchers are looking harder for these flaws in Microsoft products. "These are critical because an attacker will use them to ultimately get admin privileges and thus complete control of a system," Stiennon says. "APT groups usually have some sort of escalation exploits in their toolboxes to compromise their targets."

Microsoft's late-2021 adoption of the industry-standard CVSS format for reporting vulnerabilities also made it impossible to determine how many of the critical vulnerabilities it disclosed last year could have been mitigated by removing admin rights on user systems, BeyondTrust said.

The CVSS is derived from data that is designed to produce a numerical score relative to the severity of a vulnerability, says Christopher Hills, chief security strategist at BeyondTrust. "This is great for the overall audience in seeing which vulnerabilities have the highest severity," he says. "But it provides camouflage for those vulnerabilities that leverage privilege elevation because those are now buried in the report."

Between 2015 and 2020, some 75% of critical Microsoft vulnerabilities could have been mitigated by removing admin rights on user systems. There's little reason to believe that the situation has changed a whole lot now, according to BeyondTrust.

"With end user systems and remote access being the top attack vector for bad actors, there truly is no valid reason why users should have standing rights or admin rights on end user systems," Hills says. Removal of admin rights has the potential to impact end user productivity and foster a bad user experience, he admits: "But with today’s technology and the solutions available, there is no amount of end user productivity that could outweigh the cost of a breach or compromise."

McGuffin says the decline in reported Microsoft vulnerabilities last year could also have to do with other reasons. Some countries have modified their vulnerability disclosure processes so that newly discovered vulnerabilities must be reported to the government first — and only then can be reported to the vendor, he notes. "Those same countries have also restricted citizens' ability to participate in competitions like Pwn2Own, where vulnerabilities would be publicly disclosed after the competition," he notes.

And because researchers sometimes focus on specific areas and technologies, that also can have an impact on the number of vulnerabilities discovered in a particular category, McGuffin says. "As an example, one vulnerability in the \[Windows\] print spooler service prompted several other researchers to dig deeper, and we're up to over a dozen RCE and PrivEsc vulns in the spooler now," he says.

Tag

#xss