Stored XSS via file upload in GitHub repository star7th/showdoc prior to v2.10.4.

**Description**

Hello Team,

  
This is a bypass to the report in https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/.  
The upload feature allows the files with the extension `.xxhtml` which leads to Stored XSS.

**Proof of Concept**

    filename="poc.xxhtml"
    
    <script>alert(1)</script>
    

**Steps to Reproduce**

1.Login into showdoc.com.cn.  
2.Navigate to file library (https://www.showdoc.com.cn/attachment/index)  
3.In the File Library page, click the Upload button and choose the `poc.xxhtml`  
4.After uploading the file, click on the check button to open that file in a new tab.

XSS will trigger when the attachment is opened in a new tab.

**POC URL:** `https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=f79c619fb54bf22255af3797e25cfcfc`

**Impact**

An attacker can perform social engineering on users by redirecting them from a real website to a fake one. a hacker can steal their cookies etc.

CVE-2022-0938: Stored XSS via file upload in showdoc

Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.12.

CVE-2022-0341

Stored xss in showdoc through file upload in GitHub repository star7th/showdoc prior to 2.10.4.

@@ -300,6 +300,7 @@ public function isDangerFilename($filename){

$isDangerStr($filename , ".php")

|| $isDangerStr($filename , ".svg")

|| $isDangerStr($filename , ".htm")

|| $isDangerStr($filename , ".shtm")

|| $isDangerStr($filename , "%")

|| $isDangerStr($filename , ".xml")

) {

CVE-2022-0937: file upload bug · star7th/showdoc@42c0d98

phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows parameter (aka num or number).

Issue #399 new

![](https://d301sr5gafysq2.cloudfront.net/c77c17ee2419/img/default_avatar/user_blue.svg)

110013 created an issue 2021-08-21

Hi, we found one XSS vulnerability in phpLiteAdmin/index.php.

Line 2667 in index.php assigns $\_GET to variablele _$number_ if the $\_GET is set. Line 2670 then echo variable $number directly.

            if(isset($\_GET\['newRows'\]))
                $num = $\_GET\['newRows'\];
            else
                $num = 1;
            echo "<input type='hidden' name='newRows' value='".$num."'/>";
            for($j=0; $j<$num; $j++)

The $number is inside a input tag, the attacker can set $\_GET to `3'/> <script> alert(1) </script>'/>` to perform XSS attack.

‌

CVE-2021-46709: XSS vulnerability

An issue was discovered in PONTON X/P Messenger before 3.11.2. The navigation tree that is shown on the left side of every page of the web application is vulnerable to XSS: it allows injection of JavaScript into its nodes. Creating such nodes is only possible for users who have the role Configuration Administrator or Administrator.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2021-079 Product: PONTON X/P Messenger Manufacturer: PONTON GmbH Affected Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429) Tested Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429) Vulnerability Type: Persistent Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Fixed in release of version 3.11.2 Manufacturer Notification: 2022-01-25 Solution Date: 2022-02-07 Public Disclosure: 2022-03-11 CVE Reference: CVE-2021-45888 Author of Advisory: Stefan Walter, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The manufacturer describes the product as follows (see \[1\]): > The PONTON X/P Messenger (or PONTON X/P for short) is PONTON’s > high-quality B2B integration solution with a proven track-record in > several industries since 2001. PONTON X/P is a highly configurable > ebXML, AS/1, AS/2, AS/3 and AS/4 compliant messaging software. It > provides additional features to deal with typical B2B integration > issues (such as a listener component for the DMZ, certificate > management and non-repudiation of messages). PONTON X/P is typically > used as communication layer in a business consortium or as an (OEM) > communication extension of an existing software application. The tested version was not the most recent one. The current versions 4.X were not affected. The vulnerability can only be exploited by authorisation with a user of the Ponton X/P web UI which is normally only accessible on the internal network. The vulnerability is fixed with Ponton X/P Version 3.11.2. Please upgrade to the Version 3.11.2. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Several functions are vulnerable to persistent cross-site scripting. For testing purposes, a local installation was set up using the application binaries provided at \[2\] and the instructions at \[3\]: $ wget 'https://www.ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip' $ unzip PontonXP-Messenger-3.10.0-Linux.zip -d PontonXP-Messenger-3.10.0-Linux $ cd PontonXP-Messenger-3.10.0-Linux $ ./pontonxp start Afterwards, the web application is reachable at https://localhost:8443. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The navigation tree that is shown on the left side of every page of the web application is vulnerable and allows the injection of JavaScript in its nodes. Creating such nodes is only possible for users who have the roles "Configuration Administrator" or "Administrator". For this PoC, SySS GmbH chose the creation of hotfolder adapters under Configuration - -> Hot Folders -> Hot Folder Adapters -> Create Hot Folder. Note that there is a length limit for the names in place, but that is only enforced in the browser / on the client side and not on the server. A malicious JavaScript payload can be stored using the following request to create a hotfolder: POST /pontonxp/private/hotfolder/AddNewHFA.do HTTP/1.1 Host: localhost:8443 Cookie: SESSIONID8443=node019w12orq0koubog78ix5lenq87.node0; clickedFolder=F890761339%5EF118222018%5EF20696059%5EF1686229420%5EF1412411424%5E Content-Type: application/x-www-form-urlencoded Content-Length: 123 ... csrfToken=b5175d71-1f4d-47dc-9300-7c4295290ed0&adapterID=PXSS+Demo&ok.x=51&ok.y=8 The payload is executed by navigating to any URL on the page and by expanding the offending node in order to make the hotfolders in the navigation tree visible. The following excerpt of the server reply shows how the code is injected into the page:

PXSS Demo![](https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/x)

\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The vulnerability has been fixed with Ponton X/P version 3.11.2. More information: https://www.ponton.de/downloads/xp/3.11/documents/ReleaseNotes3112.pdf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-12-06: Vulnerability discovered 2022-01-25: Vulnerability reported to manufacturer 2022-02-07: Fixed version 3.11.2 released by manufacturer 2022-03-11: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for PONTON X/P MESSENGER https://www.ponton.de/products/xpmessenger/ \[2\] PONTON X/P MESSENGER 3.10.0 download https://ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip \[3\] PONTON X/P MESSENGER 3.10.0 documentation https://ponton.de/downloads/xp/3.10/documents/MessengerDocumentation310.pdf \[4\] SySS Security Advisory SYSS-2021-079 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-079.txt \[5\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Stefan Walter of SySS GmbH. E-Mail: stefan.walter@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan\_Walter.asc Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEdN13zQMXJ3dHDTi+vguzEdo/PhYFAmIogvoACgkQvguzEdo/ PhZodRAAmTZkKjMPV+1ET/sG9hxBDWh1imjikvmz8G3U7KMpQErei4wOnrf8wZK4 ORiq/rt1fmuFNMHxlF7CIQ352M+2ddXbQLgyaq3DH3Ui7MYdr2TySZbp8V2gG8eL 4AA5bspmHxq07KjCh+b7/GulIab3FqoOVLIvQe8EHvwF12AN6nvNVcyTtxHk8bJm lF8qBYCk1ZkYyilIbe/0piZUoIsLw/3H9nfQatJ6TYrsW/+ruHDye1FeUuWiNVtE biRE0aGS2sd9Sm4YM2fw81Wd//wwptcYdWWhdqzY5DW2F2IZhfrImlqnJyk5hh9o 9isfpZ7zfGZxF3h+iJiAC4WFC4hoR7knWjuTCfMJ1k5msWs9F5DeQOMKx9ydnKmN x7TRJnSZBwBEQ8CW/Ql72M9KHMwENSJ+XUB7HjPXkXLbvZvCpZudcP76gQy2FnYx c4EME6FHHNGD1wFhkPmle04z1UGcWdhlFFS3umaGHJRBj/FGpbjuH8s+K82uOo5l qZuHGMKy47vQaqRbsjxrR7INLrC+v6MK5JpxahCa/p8rCHmqYq1flw/lx3M85/vo 722SwuTVnLlhalFi5xtWwNE5uxcMJlAETgaI5spuiajlGXoDQ4vv7bLilhtmMWm3 68wcbz+OhXXX7Id3rwGKviXVS1j0RWfik7e1oGFtF+OuedZn8OI= =v2mW -----END PGP SIGNATURE-----

CVE-2021-45888

An issue was discovered in PONTON X/P Messenger before 3.11.2. Several functions are vulnerable to reflected XSS, as demonstrated by private/index.jsp?partners/ShowNonLocalPartners.do?localID= or private/index.jsp or private/index.jsp?database/databaseTab.jsp or private/index.jsp?activation/activationMainTab.jsp or private/index.jsp?communication/serverTab.jsp or private/index.jsp?emailNotification/notificationTab.jsp.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2021-078 Product: PONTON X/P Messenger Manufacturer: PONTON GmbH Affected Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429) Tested Version(s): 3.8.0 (Build 201909201204), 3.10.0 (Build 202009171429) Vulnerability Type: Reflected Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Fixed in release of version 3.11.2 Manufacturer Notification: 2022-01-25 Solution Date: 2022-02-07 Public Disclosure: 2022-03-11 CVE Reference: CVE-2021-45889 Author of Advisory: Stefan Walter, Thibaud Kehler, Tarek Awadallah (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The manufacturer describes the product as follows (see \[1\]): > The PONTON X/P Messenger (or PONTON X/P for short) is PONTON’s > high-quality B2B integration solution with a proven track-record in > several industries since 2001. PONTON X/P is a highly configurable > ebXML, AS/1, AS/2, AS/3 and AS/4 compliant messaging software. It > provides additional features to deal with typical B2B integration > issues (such as a listener component for the DMZ, certificate > management and non-repudiation of messages). PONTON X/P is typically > used as communication layer in a business consortium or as an (OEM) > communication extension of an existing software application. The tested version was not the most recent one. The current versions 4.X were not affected. The vulnerability can only be exploited by authorisation with a user of the Ponton X/P web UI which is normally only accessible on the internal network. The vulnerability is fixed with Ponton X/P Version 3.11.2. Please upgrade to the Version 3.11.2. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Several functions are vulnerable to reflected cross-site scripting. For testing purposes, a local installation was set up using the application binaries provided at \[2\] and the instructions at \[3\]: $ wget 'https://www.ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip' $ unzip PontonXP-Messenger-3.10.0-Linux.zip -d PontonXP-Messenger-3.10.0-Linux $ cd PontonXP-Messenger-3.10.0-Linux $ ./pontonxp start Afterwards, the web application is reachable at https://localhost:8443. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS GmbH identified three different categories of reflected cross-site scripting: The first category can be triggered by visiting, for example, https://localhost:8443/pontonxp/private/index.jsp?partners/ShowNonLocalPartners.do?localID=%27-prompt(%22SySS%20RXSS%20PoC%22)//. As can be seen in the following excerpt of the server response, the payload is injected directly into a JavaScript context: The second category can be triggered by visiting https://localhost:8443/pontonxp/private/index.jsp?javascript:alert(%27SySS\_RXSS\_PoC%27). As can be seen in the following excerpt of the server response, the payload is injected into the iframe src and then executed: The third category can be triggered by visiting either one of the following URLs (the list is non-exhaustive): \* https://localhost:8443/pontonxp/private/index.jsp?database/databaseTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E \* https://localhost:8443/pontonxp/private/index.jsp?activation/activationMainTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E \* https://localhost:8443/pontonxp/private/index.jsp?communication/serverTab.jsp?syss%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E \* https://localhost:8443/pontonxp/private/index.jsp?emailNotification/notificationTab.jsp?ucbgm%22%3E%3C/iframe%3E%3Cscript%3Ealert(%22SySS%20RXSS%20PoC%22);%3C/script%3E As can be seen in the following excerpt of the server response for the first request in the list, the payload is used to break out of the iframe src and to execute code by inserting a new script tag: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The vulnerability has been fixed with Ponton X/P version 3.11.2. More information: https://www.ponton.de/downloads/xp/3.11/documents/ReleaseNotes3112.pdf ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-12-06: Vulnerability discovered 2022-01-25: Vulnerability reported to manufacturer 2022-02-07: Fixed version 3.11.2 released by manufacturer 2022-03-11: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for PONTON X/P MESSENGER https://www.ponton.de/products/xpmessenger/ \[2\] PONTON X/P MESSENGER 3.10.0 download https://ponton.de/downloads/xp/3.10/PontonXP-Messenger-3.10.0-Linux.zip \[3\] PONTON X/P MESSENGER 3.10.0 documentation https://ponton.de/downloads/xp/3.10/documents/MessengerDocumentation310.pdf \[4\] SySS Security Advisory SYSS-2021-078 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-078.txt \[5\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Stefan Walter, Thibaud Kehler, and Tarek Awadallah of SySS GmbH. E-Mail: stefan.walter@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan\_Walter.asc Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16 E-Mail: thibaud.kehler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud\_Kehler.asc Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A E-Mail: tarek.awadallah@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tarek\_Awadallah.asc Key Fingerprint: 2F33 D0ED F453 D931 177B 847B 4F87 A6B9 28A6 61F0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEdN13zQMXJ3dHDTi+vguzEdo/PhYFAmIogvoACgkQvguzEdo/ PhYsmg//WqCyEN2Y5YrAoKLoZ0rW7Be08rcuLTNvnTFXqkerjgO6xxlLyfa5cPBT gFBnv3cXic00K+1NgvKSPrLDhHMHxS6xV+jsSQ2y8OVsn8BjPuoEOLnWqnP9SI3o eB0WfY4OtaipZ+EMXqTm3A7P2i3hNSiv1wXK8lUVw4a48wzicQrYoyb9n0ONdlRz bFB4X8eHBKrhlyGaN60OpOfu9frL6qiqXSzoEYvFI//38uHmMGu0113icBt2ELqQ 1dusLfSaOn9yLP+H+7tB2QLrzQkK0LYEBT2o8zmZ7l3ORRTe/EnhYG1yEpM8ZQ4p /PR0+WoC7lPtQYjfQlmphkHhd4RPge38DTCDs7i5u2mpjIieCaN93vsvtSeXdKEF nEZGCYSFUXHrSW6orP5kyKQ0F7FlXHvwjST5d+QxvSr3fEq2N2ePXzg5q/XJfBcc UxuLDfoGSosMka+rJe5tm9ZAg+SGzEEWHdQwkq+ckou3WbY6QlAV4HF+6NFBN8t8 kaT6gz5luk5X3O7u9o7nlv9cgUJ2e36HJ1FinUH0REQqRS15ZvMCkWIhIL3+cI2J 11nWk0/OvlB8AbD4YJuI2ItU9qOBOWf/6v6wRraQjbMCvSOyz4t3cb7xGW4mBYuy 0QRFbX4ZvKPEqGatKp4UwocbFO5DIBIMdMo3bFcemIJQvs6xBow= =NHRK -----END PGP SIGNATURE-----

CVE-2021-45889

File upload filter bypass leading to stored XSS in GitHub repository microweber/microweber prior to 1.2.12.

@@ -1020,7 +1020,7 @@ function get\_dangerous\_files\_extentions() 'private', 'srl', 'zhtml', 'vbhtml', 'vbhtml', 'hypetemplate', 'obml15', 'hypesymbol', @@ -1109,6 +1109,28 @@ public function is\_dangerous\_file($file\_name)  
}  
public function is\_allowed\_file($fileName) { $allowedImages = $this\->get\_allowed\_files\_extensions\_for\_upload('images'); $allowedVideos = $this\->get\_allowed\_files\_extensions\_for\_upload('videos'); $allowedAudios = $this\->get\_allowed\_files\_extensions\_for\_upload('audios'); $allowedFiles = $this\->get\_allowed\_files\_extensions\_for\_upload('files'); $allowedDocuments = $this\->get\_allowed\_files\_extensions\_for\_upload('documents'); $allowedArchives = $this\->get\_allowed\_files\_extensions\_for\_upload('archives');  
$allowed = array\_merge\_recursive($allowedImages,$allowedVideos,$allowedAudios,$allowedFiles,$allowedDocuments,$allowedArchives);  
$isExt = get\_file\_extension($fileName); $isExt = strtolower($isExt);  
if (in\_array($isExt, $allowed)) { return true; }  
return false; }  
  
  
function get\_allowed\_files\_extensions\_for\_upload($fileTypes = 'images') { @@ -1119,11 +1141,15 @@ function get\_allowed\_files\_extensions\_for\_upload($fileTypes = 'images') case 'img': case 'image': case 'images': $are\_allowed .= ',png,gif,jpg,jpeg,tiff,bmp,svg'; $are\_allowed .= ',png,gif,jpg,jpeg,tiff,bmp,svg,webp,ico'; break; case 'audio': case 'audios': $are\_allowed .= ',mp3,mp4,ogg,wav,flac'; break; case 'video': case 'videos': $are\_allowed .= ',avi,asf,mpg,mpeg,mp4,flv,mkv,webm,ogg,wma,mov,wmv'; $are\_allowed .= ',avi,asf,mpg,mpeg,mp4,flv,mkv,webm,ogg,ogv,3gp,3g2,wma,mov,wmv'; break; case 'file': case 'files':

CVE-2022-0930: make plupload only allowed files · microweber/microweber@33eb4cc

XSS on dynamic_text module in GitHub repository microweber/microweber prior to 1.2.11.

Permalink

Browse files

Update build-and-upload.yml

*   Loading branch information

![@bobimicroweber](https://avatars.githubusercontent.com/u/50577633?s=40&v=4)

bobimicroweber committed

Mar 11, 2022

1 parent 095b1bc commit de6d17b52d261902653fbdd2ecefcaac82e54256

Showing with **0 additions** and **1 deletion**.

1.  +0 −1 .github/workflows/build-and-upload.yml

1 .github/workflows/build-and-upload.yml

Show comments View file

@@ -6,7 +6,6 @@ on:

jobs:

microweber-test-before-build:

runs-on: ubuntu-latest

needs: stop-previous-runs

steps:

\- uses: actions/checkout@v2

  

**0 comments on commit `de6d17b`**

Please sign in to comment.

CVE-2022-0929: Update build-and-upload.yml · microweber/microweber@de6d17b

Permalink

Browse files

Update Files.php

*   Loading branch information

![@bobimicroweber](https://avatars.githubusercontent.com/u/50577633?s=40&v=4)

1 parent 077b1e2 commit 89200cfcc2cfefe5554721e7fa3cf52f6a2a9120

Showing with **254 additions** and **2 deletions**.

1.  +254 −2 src/MicroweberPackages/Utils/System/Files.php

@@ -834,10 +834,262 @@ function get\_dangerous\_files\_extentions()

'xqt', // SuperCalc Macro File',

'xys', // XYplorer Script File',

'zl9', // ZoneAlarm Quarantined EXE File

  

  

'swf', // Flash File

  

'key',

'asax',

'btapp',

'xd',

'fwtemplate',

'crdownload',

'whtt',

'ssp',

'fmp',

'jspa',

'obml16',

'a5w',

'crt',

'vrt',

'website',

'p7c',

'dll',

'php',

'mjs',

'dhtml',

'xul',

'bml',

'download',

'cshtml',

'vsdisco',

'codasite',

'webbookmark',

'rjs',

'wsdl',

'dml',

'aro',

'dcr',

'shtml',

'dochtml',

'dwt',

'spc',

'a4p',

'htaccess',

'ascx',

'pac',

'p7b',

'xhtm',

'oam',

'site',

'kit',

'aspx',

'zul',

'tpl',

'htm',

'seam',

'svr',

'pem',

'url',

'dap',

'appcache',

'chm',

'wbs',

'htc',

'ewp',

'gsp',

'asr',

'der',

'master',

'stc',

'ap',

'html',

'p12',

'xpd',

'fwp',

'epibrw',

'strm',

'xss',

'node',

'disco',

'gsp',

'pro',

'rss',

'gne',

'sdb',

'compressed',

'asp',

'browser',

'php2',

'sites2',

'dothtml',

'bok',

'axd',

'nzb',

'vdw',

'obml',

'mhtml',

'ashx',

'con',

'rhtml',

'alx',

'opml',

'web',

'chat',

'csr',

'do',

'sht',

'asa',

'cha',

'h5p',

'qf',

'olp',

'hyperesources',

'sparkle',

'razor',

'php4',

'cms',

'mml',

'jnlp',

'har',

'br',

'webloc',

'srf',

'cer',

'uhtml',

'pptmhtml',

'phtml',

'xbel',

'cfm',

'fwtemplateb',

'jspx',

'jsp',

'xfdl',

'zhtml',

'stml',

'jsonl',

'maff',

'dbm',

'aex',

'crl',

'mht',

'wml',

'sass',

'xht',

'awm',

'page',

'hdml',

'webmanifest',

'itms',

'sitemap',

'shtm',

'wpp',

'jss',

'oth',

'ucf',

'prf',

'freeway',

'edge',

'iqy',

'vrml',

'mvc',

'wdgt',

'discomap',

'psp',

'hxs',

'adr',

'hype',

'csp',

'xhtml',

'webarchive',

'qbo',

'jhtml',

'svc',

'phtm',

'rw3',

'tpl',

'stl',

'wbxml',

'p7',

'ndjson',

'ognc',

'fwtb',

'muse',

'vbd',

'sites',

'rt',

'esproj',

'private',

'srl',

'zhtml',

'vbhtml',

'hypetemplate',

'obml15',

'hypesymbol',

'pub',

'ece',

'mspx',

'docmhtml',

'xws',

'wgp',

'tvpi',

'woa',

'asmx',

'xbl',

'webhistory',

'idc',

'jws',

'lbc',

'att',

'tvvi',

'zvz',

'php3',

'webarchivexml',

'widget',

'swz',

'qrm',

'bwp',

'atom',

'cdf',

'map',

'hdm',

'php5',

'rwsw',

'wgt',

'nod',

'rflw',

'htx',

'mvr',

'an',

'rwp',

'lasso',

'vlp',

'stp',

'nxg',

'faces',

'kcmsf',

'ptw',

'less',

'saveddeck',

'ccbjs',

'wn',

'ppthtml',

'jcz',

'jvs',

'rwtheme',

'jst',

'mapx',

'cpg',

'wpx',

'qbx',

'suck',

'iwdgt',

'public',

'cphd',

'moz',

'zfo',

'stm',

'fcgi',

'itpc',

'cfml'

);

  

  

**0 comments on commit `89200cf`**

Please sign in to comment.

CVE-2022-0926: Update Files.php · microweber/microweber@89200cf

Cross-site Scripting (XSS) - Stored in GitHub repository star7th/showdoc prior to 2.10.2.

Permalink

Browse files

file upload bug

*   Loading branch information

![@star7th](https://avatars.githubusercontent.com/u/2200494?s=40&v=4)

1 parent 85af5ab commit 818d7fe731f452acccacf731ce47ec27ad68049c

Showing with **1 addition** and **0 deletions**.

1.  +1 −0 server/Application/Api/Model/AttachmentModel.class.php

@@ -301,6 +301,7 @@ public function isDangerFilename($filename){

|| $isDangerStr($filename , ".svg")

|| $isDangerStr($filename , ".htm")

|| $isDangerStr($filename , "%")

|| $isDangerStr($filename , ".xml")

) {

return true;

}

**0 comments on commit `818d7fe`**

Please sign in to comment.

Tag

#xss