IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to server-side request forgery, caused by improper input of application server registration function. A remote attacker could exploit this vulnerability using the host address and port fields of the application server registration form in the portal UI to enumerate and attack services that are running on those hosts. IBM X-Force ID: 214441.

  

**Summary**

IBM Spectrum Copy Data Management is vulnerable to Slowloris HTTP denial of service, HTTP header injection, cross-site scripting (XSS), and server-side request forgery (CSRF) attacks.

**Vulnerability Details**

**CVEID:**   CVE-2022-22354  
**DESCRIPTION:**   IBM Spectrum Protect Plus and IBM Spectrum Copy Data Management do not limit the length of a connection which could allow for a Slowloris HTTP denial of service attack to take place. This can cause the Admin Console to become unresponsive.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220485 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-22344  
**DESCRIPTION:**   IBM Spectrum Copy Data Management is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.  
CVSS Base score: 4.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220038 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2021-39055  
**DESCRIPTION:**   IBM Spectrum Copy Data Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214534 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2021-39051  
**DESCRIPTION:**   IBM Spectrum Copy Data Management is vulnerable to server-side request forgery, caused by improper input of application server registration function. A remote attacker could exploit this vulnerability using the host address and port fields of the application server registration form in the portal UI to enumerate and attack services that are running on those hosts.  
CVSS Base score: 4.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214441 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Spectrum Copy Data Management

2.2.0.0-2.2.14.3

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

11 March 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU010","label":"Systems - Storage"},"Product":{"code":"STDJ4J","label":"IBM Spectrum Copy Data Management"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"2.2","Edition":""}\]

CVE-2021-39051: Security Bulletin: IBM Spectrum Copy Data Management is vulnerable to Slowloris, HTTP header injection, XSS, and CSRF (CVE-2022-22354, CVE-2022-22344, CVE-2021-39055, CVE-2021-39051)

Stored XSS viva .webma file upload in GitHub repository star7th/showdoc prior to 2.10.4.

@@ -54,10 +54,10 @@ public function deleteFile($file\_id){ }  
//上传文件，返回url public function upload($\_files , $file\_key , $uid , $item\_id = 0 , $page\_id = 0 ){ public function upload($\_files , $file\_key , $uid , $item\_id = 0 , $page\_id = 0 , $check\_filename = true ){ $uploadFile = $\_files\[$file\_key\] ;  
if( !$this\->isAllowedFilename($\_files\[$file\_key\]\['name'\]) ){ if( $check\_filename && !$this\->isAllowedFilename($\_files\[$file\_key\]\['name'\]) ){ return false; }  
@@ -324,14 +324,12 @@ public function isDangerFilename($filename){ public function isAllowedFilename($filename){ $allow\_array = array( '.jpg','.jpeg','.png','.bmp','.gif','.ico','.webp', '.mp3','.wav','.mp4', '.mov','.webmv','.flac','.mkv', '.mp3','.wav','.mp4','.mov','.flac','.mkv', '.zip','.tar','.gz','.tgz','.ipa','.apk','.rar','.iso', '.pdf','.ofd','.swf','.epub','.xps', '.doc','.docx','.wps', '.pdf','.epub','.xps','.doc','.docx','.wps', '.ppt','.pptx','.xls','.xlsx','.txt','.psd','.csv', '.cer','.ppt','.pub','.json','.css', ) ; ) ;  
$ext = strtolower(substr($filename,strripos($filename,'.')) ); //获取文件扩展名（转为小写后） if(in\_array( $ext , $allow\_array ) ){

CVE-2022-0962: Upload file vulnerability · star7th/showdoc@3caa323

The Simple Quotation WordPress plugin through 1.3.2 does not have CSRF check when creating or editing a quote and does not sanitise and escape Quotes. As a result, attacker could make a logged in admin create or edit arbitrary quote, and put Cross-Site Scripting payloads in them

CVE-2022-22734

Stored XSS viva .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4.

CVE-2022-0960

Zenario CMS 9.0.54156 is vulnerable to Cross Site Scripting (XSS) via upload file to *.SVG. An attacker can send malicious files to victims and steals victim's cookie leads to account takeover. The person viewing the image of a contact can be victim of XSS.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-41952: XSS upload file to *.SVG in Zenario CMS 9.0.54156 · Issue #1 · hieuminhnv/Zenario-CMS-9.0-last-version

The Advanced Product Labels for WooCommerce WordPress plugin before 1.2.3.7 does not sanitise and escape the tax_color_set_type parameter before outputting it back in the berocket_apl_color_listener AJAX action's response, leading to a Reflected Cross-Site Scripting

**advanced-product-labels-for-woocommerce/trunk/berocket/assets/popup/br\_popup.js**

r2336545

r2678919

 

347

347

348

348

            element.on('animationend', handleAnimationEnd);

 

349

            setTimeout(function() {

 

350

                element.trigger('animationend');

 

351

            }, 1500);

349

352

        };

350

353

        this.print = function() {

**advanced-product-labels-for-woocommerce/trunk/berocket/framework.php**

r2670502

r2678919

 

36

36

    load\_plugin\_textdomain('BeRocket\_domain', false, dirname( plugin\_basename( \_\_FILE\_\_ ) ) . '/languages/');

37

37

    class BeRocket\_Framework {

38

 

        public static $framework\_version = '2.7.5';

39

 

        public $plugin\_framework\_version = '2.7.5';

 

38

        public static $framework\_version = '2.7.6';

 

39

        public $plugin\_framework\_version = '2.7.6';

40

40

        public static $settings\_name = '';

41

41

        public $addons;

**advanced-product-labels-for-woocommerce/trunk/berocket/framework\_version.php**

r2670502

r2678919

 

1

1

<?php

2

 

$framework\_version\_current = '2.7.5';

 

2

$framework\_version\_current = '2.7.6';

3

3

if( version\_compare($framework\_version\_current, $framework\_version, '>') ) {

4

4

    $framework\_version = $framework\_version\_current;

**advanced-product-labels-for-woocommerce/trunk/includes/better\_position.php**

r2664533

r2678919

 

542

542

            if ( current\_user\_can( 'manage\_options' ) ) {

543

543

                foreach( $\_POST\['tax\_color\_set'\] as $key => $value ) {

544

 

                    update\_metadata( 'berocket\_term', $key, $\_POST\['tax\_color\_set\_type'\], $value );

 

544

                    update\_metadata( 'berocket\_term', sanitize\_text\_field($key), sanitize\_text\_field($\_POST\['tax\_color\_set\_type'\]), sanitize\_text\_field($value) );

545

545

                }

546

546

                unset( $\_POST\['tax\_color\_set'\] );

547

547

            }

548

548

        } elseif( defined('DOING\_AJAX') && DOING\_AJAX ) {

549

 

            echo self::color\_list\_view( $\_POST\['tax\_color\_set\_type'\], $\_POST\['tax\_color\_set\_name'\], true );

 

549

            echo self::color\_list\_view( sanitize\_text\_field($\_POST\['tax\_color\_set\_type'\]), sanitize\_text\_field($\_POST\['tax\_color\_set\_name'\]), true );

550

550

            wp\_die();

551

551

        }

…

…

 

563

563

        }

564

564

        $html .= '</h3>';

565

 

        $html .= '<input type="hidden" name="tax\_color\_set\_type" value="' . $type . '">';

566

 

        $html .= '<input type="hidden" name="tax\_color\_set\_name" value="' . $taxonomy\_name . '">';

 

565

        $html .= '<input type="hidden" name="tax\_color\_set\_type" value="' . esc\_attr($type) . '">';

 

566

        $html .= '<input type="hidden" name="tax\_color\_set\_name" value="' . esc\_attr($taxonomy\_name) . '">';

567

567

        $html .= '<table>';

568

568

        if( is\_array($terms) ) {

…

…

 

570

570

                $html .= '<tr>';

571

571

                $meta = get\_metadata('berocket\_term', $term->term\_id, $type);

 

572

                $meta = br\_get\_value\_from\_array($meta, 0);

 

573

                $meta = esc\_attr($meta);

572

574

                $html .= '<th>' . $term->name . '</th>';

573

575

                if( $type == 'color' ) {

574

576

                    $function = 'br\_color\_picker';

575

577

                    $default = 'ffffff';

576

 

                    $html .= '<td>' . $function('tax\_color\_set\[' . $term->term\_id . '\]', br\_get\_value\_from\_array($meta, 0), $default, array('extra' => "data-term\_id='".$term->term\_id."' data-term\_name='".$term->name."'")) . '</td>';

 

578

                    $html .= '<td>' . $function('tax\_color\_set\[' . $term->term\_id . '\]', $meta, $default, array('extra' => "data-term\_id='".$term->term\_id."' data-term\_name='".$term->name."'")) . '</td>';

577

579

                } else {

578

580

                    $function = 'br\_fontawesome\_image';

579

581

                    $default = '';

580

 

                    $html .= '<td>' . $function('tax\_color\_set\[' . $term->term\_id . '\]', br\_get\_value\_from\_array($meta, 0), array('extra' => "data-term\_id='".$term->term\_id."' data-term\_name='".$term->name."'")) . '</td>';

 

582

                    $html .= '<td>' . $function('tax\_color\_set\[' . $term->term\_id . '\]', $meta, array('extra' => "data-term\_id='".$term->term\_id."' data-term\_name='".$term->name."'")) . '</td>';

581

583

                }

582

584

                $html .= '</tr>';

**advanced-product-labels-for-woocommerce/trunk/includes/style\_generate.php**

r2670502

r2678919

 

9

9

    public function get\_labels\_ids() {

10

10

        $custom\_posts\_class = BeRocket\_products\_label::getInstance();

11

 

        return $custom\_posts\_class->get\_labels\_ids();

 

11

        $args = apply\_filters('berocket\_labels\_get\_args\_styles', array(

 

12

            'suppress\_filters' => true

 

13

        ));

 

14

        return $custom\_posts\_class->custom\_post->get\_custom\_posts\_frontend( $args );

12

15

    }

13

16

    function get\_styles() {

**advanced-product-labels-for-woocommerce/trunk/main.php**

r2664533

r2678919

 

492

492

        wp\_enqueue\_style( 'berocket\_widget-colorpicker-style' );

493

493

        wp\_enqueue\_style( 'berocket\_font\_awesome' );

 

494

        do\_action('berocket\_apl\_load\_admin\_edit\_scripts');

494

495

    }

495

496

    public function product\_edit\_tab () {

**advanced-product-labels-for-woocommerce/trunk/readme.txt**

r2670502

r2678919

 

6

6

Requires at least: 5.0

7

7

Tested up to: 5.9

8

 

Stable tag: 1.2.3.6

 

8

Stable tag: 1.2.3.7

9

9

License: GPLv2 or later

10

10

License URI: http://www.gnu.org/licenses/gpl-2.0.html

…

…

 

144

144

\== Changelog ==

145

145

 

146

\= 1.2.3.7 =

 

147

\* Enhancement - Compatibility version: WooCommerce 6.2

 

148

\* Fix - XSS Vulnerability for admin area

 

149

\* Fix - JavaScript files load on admin pages where not needed

 

150

\* Fix - Label styles do not work on some pages with WPML

 

151

146

152

\= 1.2.3.6 =

147

153

\* Fix - XSS Vulnerability

**advanced-product-labels-for-woocommerce/trunk/woocommerce-advanced-products-labels.php**

r2670502

r2678919

 

4

4

 \* Plugin URI: https://berocket.com/product/woocommerce-advanced-product-labels?utm\_source=free\_plugin&utm\_medium=plugins&utm\_campaign=products\_label

5

5

 \* Description: Promote your products! Show “Free Shipping” or other special attributes with your products.

6

 

 \* Version: 1.2.3.6

 

6

 \* Version: 1.2.3.7

7

7

 \* Author: BeRocket

8

8

 \* Requires at least: 5.0

…

…

 

10

10

 \* Text Domain: BeRocket\_products\_label\_domain

11

11

 \* Domain Path: /languages/

12

 

 \* WC tested up to: 6.1

 

12

 \* WC tested up to: 6.2

13

13

 \*/

14

 

define( "BeRocket\_products\_label\_version", '1.2.3.6' );

 

14

define( "BeRocket\_products\_label\_version", '1.2.3.7' );

15

15

define( "BeRocket\_products\_label\_file", \_\_FILE\_\_ );

16

16

include\_once('main.php');

CVE-2022-0399: Changeset 2678919 – WordPress Plugin Repository

Stored XSS viva cshtm file upload in GitHub repository star7th/showdoc prior to v2.10.4.

CVE-2022-0946

Stored XSS due to Unrestricted File Upload in GitHub repository star7th/showdoc prior to v2.10.4.

**Description**

Stored XSS via uploading files in `.xsl` format.

**Proof of Concept**

    filename="poc.xsl"
    
    <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script>
    

**Steps to Reproduce**

1.Login into showdoc.com.cn.  
2.Navigate to file library (https://www.showdoc.com.cn/attachment/index)  
3.In the File Library page, click the Upload button and choose the `poc.xsl` file.  
4.After uploading the file, click on the check button to open that file in a new tab.

XSS will trigger when the attachment is opened in a new tab.

**POC URL:** `https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=73b27c6f38a6d5daed4df8e9d3b86185`

**Impact**

An attacker can perform social engineering on users by redirecting them from a real website to a fake one. a hacker can steal their cookies etc.

CVE-2022-0941: Stored XSS due to Unrestricted File Upload in showdoc

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

CVE-2022-22721: Apache HTTP Server 2.4 vulnerabilities

Permalink

Browse files

Merge pull request #1629 from ajaysenr/master

Update AttachmentModel.class.php

*   Loading branch information

![@star7th](https://avatars.githubusercontent.com/u/2200494?s=40&v=4)

2 parents 830c89a + 52d1d90 commit 78522520892d4e29cc94148c6ec84a204a607b73

Showing with **1 addition** and **0 deletions**.

1.  +1 −0 server/Application/Api/Model/AttachmentModel.class.php

@@ -304,6 +304,7 @@ public function isDangerFilename($filename){

|| $isDangerStr($filename , "%")

|| $isDangerStr($filename , ".xml")

|| $isDangerStr($filename , ".xxhtml")

|| $isDangerStr($filename , ".aspx")

) {

return true;

}

**0 comments on commit `7852252`**

Please sign in to comment.

Tag

#xss