CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds.

Mar 16/2022

**Security Updates:**

*   Fixed an XSS vulnerability in the core module reported by GitHub Security Lab team member Kevin Backhouse.
    
    Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing a JavaScript code. See CVE-2022-24728 for more details.
    
*   Fixed a Regular expression Denial of Service (ReDoS) vulnerability in dialog plugin discovered by the CKEditor 4 team during our regular security audit.
    
    Issue summary: The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. See CVE-2022-24729 for more details.
    

You can read more details in the relevant security advisory and contact us if you have more questions.

**An upgrade is highly recommended!**

**Highlights:**

Web Spell Checker ended support for WebSpellChecker Dialog on December 31st, 2021. This means the plugin is not supported any longer. Therefore, we decided to deprecate and remove the WebSpellChecker Dialog plugin from CKEditor 4 presets.

We strongly encourage everyone to choose one of the other available spellchecking solutions - Spell Check As You Type (SCAYT) or WProofreader.

Fixed issues:

*   #5097: \[Chrome\] Fixed: Incorrect conversion of points to pixels while using `CKEDITOR.tools.convertToPx()`.
*   #5044: Fixed: `select` elements with `multiple` attribute had incorrect styling. Thanks to John R. D'Orazio!

Other changes:

*   #5093: Deprecated and removed WebSpellChecker Dialog from presets.
*   #5127: Deprecated the `CKEDITOR.rnd` property to discourage using it in a security-sensitive context.
*   #5087: Improved the jQuery adapter by replacing a deprecated jQuery API with existing counterparts. Thanks to Fran Boon!
*   #5128: Improved the Emoji definitions encoding set by the `config.emoji_emojiListUrl` configuration option.

CVE-2022-24729: CKEditor 4.18.0

The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper sanitization in sanitizeUrl function.

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

**Types of attacks**

There are a few methods by which XSS can be manipulated:

Type

Origin

Description

**Stored**

Server

The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.

**Reflected**

Server

The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.

**DOM-based**

Client

The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.

**Mutated**

The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

**Affected environments**

The following environments are susceptible to an XSS attack:

*   Web servers
*   Application servers
*   Web application environments

**How to prevent**

This section describes the top best practices designed to specifically protect your code:

*   Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
*   Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
*   Give users the option to disable client-side scripts.
*   Redirect invalid requests.
*   Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
*   Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
*   Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

CVE-2021-23648: Cross-site Scripting (XSS) in @braintree/sanitize-url | CVE-2021-23648 | Snyk

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `&lt`; and `>` can be coded as `&gt`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

**Types of attacks**

There are a few methods by which XSS can be manipulated:

Type

Origin

Description

**Stored**

Server

The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.

**Reflected**

Server

The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.

**DOM-based**

Client

The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.

**Mutated**

The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

**Affected environments**

The following environments are susceptible to an XSS attack:

*   Web servers
*   Application servers
*   Web application environments

**How to prevent**

This section describes the top best practices designed to specifically protect your code:

*   Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
*   Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.
*   Give users the option to disable client-side scripts.
*   Redirect invalid requests.
*   Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
*   Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
*   Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.

**Description**

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.

**Proof of concept: (POC)**

The following vulnerability was discovered in X2CRM version 8.0.

**Issue:** Stored Cross-Site Scripting

1.  Login to the X2CRM as administrator.
    
2.  Go to the “Administrator” tool and click on the “User Interface Management’’ submenu and select “Add Top Bar Link”.
    

![](https://lh6.googleusercontent.com/MA_PLSx9idnQ37N7TDLoWhPTZZcvjVzv5b1w63ePY2RlCG17q92o4rg6RbkuCx2N5qsy5hRWvbSRKWHUWRP3yHPFesVzfF_bSP5B4hW7YFyvAmvqhnIfAsm9sj02qaZAkVjyOH0U)

_**Figure 1: Add Top Bar Page**_

3.  Enter “<script>alert(“XSS”)</script>” in the “Link Name” field and submit the request.
    

![](https://lh5.googleusercontent.com/pxnAePhXdg4pXwkfoia2oe34ppsdsvFJraDOJw0xP6N8RgzW8ur-XqdrPxGD01dMB11LosR6pK4nKFzlrxptXD2Fi7yHzLztptigPjXS7r9Pu-RLoWKRBTHXnsoUN2NCsJTaTqVW)

_**Figure 2: Payload injected in “Link Name” field**_

4.  By accessing any page within the CRM, the payload will be executed.
    

![](https://lh3.googleusercontent.com/RITH-kLXuB1EhQffBmX2R649FmQGTe2l3tyXsbQHvpEUcgAVvdpGGs2Iv7kstBpwrs1llC5cMDnUNetq6X-EeH2miksQgmjVm4y9ynT7NM0Sp0MkuhiV6eNoCIt2tEtVCNC632Sn)

_**Figure 3: XSS Payload Triggered**_

**Impact**

An attacker can perform the following -

*   Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.
    
*   Modify the code and get the session information of other users.
    
*   Compromise the user machine.
    

**Remediations**

*   Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.
    
*   Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.
    
*   Explicitly set the character set encoding for each page generated by the webserver.
    
*   Encode dynamic output elements and filter specific characters in dynamic elements.
    

**Timeline**

**November 11, 2021:** Discovered in X2CRM 8.0\` Product

**December 1, 2021:** CSW team reported to Vendor about the vulnerability.

**January 20, 2022:** X2CRM team postponed the release of X2CRM 8.5.

**February 1, 2022:** Vendor fixed the issue.

**February 1, 2022:** CSW assigned the CVE Identifier (CVE-2021-33853).

**Discovered by**

Cyber Security Works Pvt. Ltd.

CVE-2021-33853: CSW Zero Days | Stored Cross-Site Scripting in X2CRM

There is a stored Cross Site Scripting (XSS) vulnerability in maccms v10 through adding videos. XSS code can be inserted at parameter positions including name and remarks.

网站后台添加视频处，包括名称、备注等参数位置均可插入xss代码

（There is a Storage XSS vulnerability in adding videos，XSS code can be inserted at parameter positions including name and remarks……）

![image](https://user-images.githubusercontent.com/37065209/141251731-da7148b1-efa0-406f-99f7-a2eb14e8175c.png)

插入的xss代码也会在前台被执行，它将影响访问该网站的所有用户

（The inserted XSS code will executed in the foreground，It will affect all users who visit the site）

![image](https://user-images.githubusercontent.com/37065209/141252001-98ad49f9-5743-4f82-a0d2-3a0e06c187a9.png)

虽然这个存储型xss位于后台，但该漏洞一旦被利用会导致前台众多用户都会收到攻击

另外，后台添加文章处也有相同问题

CVE-2021-45787: 网站后台添加视频处存在存储型XSS漏洞(There is a cross-site scripting (XSS) vulnerability in adding videos) · Issue #746 · magicblack/maccms10

Cross-site Scripting (XSS) vulnerability in ArchivistaBox webclient allows an attacker to craft a malicious link, executing JavaScript in the context of a victim's browser. This issue affects all ArchivistaBox versions prior to 2022/I.

Im Zuge eines Kundenprojekts konnte das Research Team der it.sec GmbH eine bisher unbekannte Schwachstelle im Archivista DMS identifizieren und auszunutzen. Hierbei handelte es sich um die Manipulation eines Requests beim WebDMS und WebAdmin. Die Schwachstelle wurde als Cross Site Scripting (XSS) deklariert.

Die Schwachstelle befand sich in den jeweiligen Login-Formularen der Applikationen.

Die folgende Abbildung zeigt die Anfrage und die Antwort des Servers mit eingeschleustem JavaScript Code an den Archivista WebClient.

![](https://it-sec.de/wp-content/uploads/2022/03/XSSclean-1024x670.png)

Der Proof of Concept Code lautet wie folgt:

ocr=1&workflow=&target=\_top&statussearch=&host=  
localhost**„><script>alert(„XSS1“)</script>**&db=  
**„><script>alert(„XSS2“)</script>**&uid=  
**„><script>alert(„XSS3“)</script>**&pwd=passwort&lang=de

Im Browser wurde der JavaScript Code wie folgt ausgeführt:

![](https://it-sec.de/wp-content/uploads/2022/03/xss1clean-1024x539.png)

Eine kurze Recherche hat gezeigt, dass im Internet erreichbare Instanzen des WebDMS und des WebAdmin diverser Nutzer, anfällig für diese Schwachstellen waren. Die neuste identifizierte Version war dabei 2021/I.

Laut Archivista GmbH wurde die Schwachstelle CVE-2021-42552 bereits behoben und die Vertragspartner über das Update informiert. Betroffen sind alle Versionen des Archivista DMS < 2022/I.

Wir raten allen Nutzern der Software, ohne offiziellen Wartungsvertrag, diese selbstständig zu aktualisieren, sich mit der Archivista GmbH bzgl. eines Updates in Verbindung zu setzen oder andere mitigierende Maßnahmen zu implementieren.

_Ihr it.sec Research Team_

CVE-2021-42552: it.sec Security Team findet unbekannte Schwachstelle in Archivista DMS - it.sec GmbH

Reflected Cross-site Scripting (XSS) Vulnerability in GitHub repository hestiacp/hestiacp prior to 1.5.11.

Permalink

Browse files

Patch out XSS in edit server (#2471)

*   Loading branch information

![@jaapmarcus](https://avatars.githubusercontent.com/u/9754650?s=40&v=4)

1 parent 91081b0 commit fd42196718a6fa7fe17b37fab0933d3cbcb3db0d

Showing with **5 additions** and **1 deletion**.

1.  +1 −0 web/edit/db/index.php
2.  +1 −0 web/edit/dns/index.php
3.  +1 −0 web/edit/mail/index.php
4.  +1 −0 web/edit/web/index.php
5.  +1 −1 web/templates/pages/edit\_server.html

@@ -15,6 +15,7 @@

// Edit as someone else?

if (($\_SESSION\['userContext'\] === 'admin') && (!empty($\_GET\['user'\]))) {

$user\=escapeshellarg($\_GET\['user'\]);

$user\_plain\=htmlentities($\_GET\['user'\]);

}

  

// List datbase

@@ -15,6 +15,7 @@

// Edit as someone else?

if (($\_SESSION\['userContext'\] === 'admin') && (!empty($\_GET\['user'\]))) {

$user\=escapeshellarg($\_GET\['user'\]);

$user\_plain\=htmlentities($\_GET\['user'\]);

}

  

// List ip addresses

@@ -15,6 +15,7 @@

// Edit as someone else?

if (($\_SESSION\['userContext'\] === 'admin') && (!empty($\_GET\['user'\]))) {

$user\=escapeshellarg($\_GET\['user'\]);

$user\_plain\=htmlentities($\_GET\['user'\]);

}

  

$v\_username = $user;

@@ -16,6 +16,7 @@

// Edit as someone else?

if (($\_SESSION\['userContext'\] === 'admin') && (!empty($\_GET\['user'\]))) {

$user\=escapeshellarg($\_GET\['user'\]);

$user\_plain\=htmlentities($\_GET\['user'\]);

}

  

// Get all user domains

@@ -857,7 +857,7 @@

<tr\>

<td class\="vst-text step-top"\>

<?=\_('SSL Certificate');?\>

<span id\="generate-csr"\> / <a class\="generate" target\="\_blank" href\="/generate/ssl/?domain=<?=$v\_hostname?>"\><?=\_('Generate CSR');?\></a\></span\>

<span id\="generate-csr"\> / <a class\="generate" target\="\_blank" href\="/generate/ssl/?domain=<?=htmlentities(trim($v\_hostname,'"'));?\>"\><?=\_('Generate CSR');?\></a\></span\>

</td\>

</tr\>

<tr\>

**0 comments on commit `fd42196`**

Please sign in to comment.

CVE-2022-0986: Patch out XSS  in edit server (#2471) · hestiacp/hestiacp@fd42196

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

**Description**

The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. stored xss vulnerability occurs when you change the value of Abbreviation, Longname, Converter Service at "Settings" => "Data Objects" => "Quantity Value" in the pimcore service.

**Proof of Concept**

    XSS POC : "><img src=x onerror=alert(document.domain)>
    
    1. Open the https://10.x-dev.pimcore.fun/admin/login?perspective=
    2. After login, Go to "Settings" => "Data Objects" => "Quantity Value"
    3. Change the value of Abbreviation, Longname, Converter service to XSS PoC
    4. Reflesh
    
    Video : https://www.youtube.com/watch?v=c8waBKF5VAQ
    

**Impact**

Through this vulnerability, an attacker is capable to execute malicious scripts.

CVE-2022-0705: Cross-site Scripting (XSS) - Stored in pimcore

**Description**

Cross site scripting vulnerability in pimcore,pimcore field, it is fixed in this commit 832c34 , but still it is executing xss .Icon field in events and news

**Proof of Concept**

1 . Login to the demo account https://10.x-dev.pimcore.fun/admin/

2.  Go to settings -->data objects --> classes --> Events icon field --> add payload and click save
    
3.  Go to data objects tab which is located at the bottom, go to events folder and extend alert will trigger .
    
4.  payload = "><iMg SrC="x" oNeRRor="alert(1);">
    

**Impact**

This vulnerability is capable of stolen the user cookie

CVE-2022-0704: Cross-site Scripting (XSS) - Stored in pimcore

**Description**

pimcore datahub is vulnerable to Stored XSS in multiple places including:

(1) Field-Collections in Data Objects

(2) Objectbricks in Data Objects

**Proof of Concept (for both 1 & 2)**

Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and login.

Step 2: Click Settings > Data Objects > Field-Collections / Objectbricks > Add

Step 3: Input aaa so as to capture legitimate POST request in Burp Suite

Step 4: Modify value of the "key" parameter in the body of POST request as below, which is URL encoded

"><img+src%3dx+onerror%3dalert(document.domain)>

Step 5: Forward the request

You will see the an alert box prompt whenever you access Field-Collections / Objectbricks

**Impact**

This vulnerability is capable for letting attacker potentially steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

Tag

#xss