HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28919: Possible XSS vulnerability · Issue #3651 · splitbrain/dokuwiki

Tieba-Cloud-Sign v4.9 was discovered to contain a cross-site scripting (XSS) vulnerability via the function strip_tags.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Possible XSS vulnerability #156**

Open

enferas opened this issue

Apr 6, 2022

· 3 comments

**Comments**

Hello,

I would like to report for XSS vulnerability.

In file https://github.com/MoeNetwork/Tieba-Cloud-Sign/blob/master/templates/control.php line 53.

case 'setplug':
  $plug = strip\_tags($\_GET\['plug'\]);
  $pluginfo = getPluginInfo($plug);

Then, there is an echo in line 62.

echo '<a href="'.$pluginfo\['plugin'\]\['url'\].'" target="\_blank">';

strip\_tags is not secure in this case. If you can look to this code example the alert will be printed when you press on the link.

<?php
$x = "'javascript:alert()'";
$y = strip\_tags($x);
echo "<a href=$x>ClickMe</a>";

if (ROLE != 'admin') msg('权限不足！');

if (!file\_exists($path . $plugin . '.php')) {

return false;

}

这是一个没有想象中严重的漏洞，我们在前面设置了权限检查挡住了非admin用户的访问，此外文件存在性检查会确保不存在的插件不会被加载，因此触发这个漏洞的需要：

*   用户为**管理员**
*   使用了带有恶意外部链接的插件

**感谢您的反馈，我们将会在晚些时候进行修复**

_translated by deepl.com_

if (ROLE != 'admin') msg('权限不足！');

if (!file\_exists($path . $plugin . '.php')) {

return false;

}

This is not as serious a vulnerability as you might think, we set up a permission check earlier to block access by non-admin users, in addition the file existence check will ensure that non-existent plugins will not be loaded, so two conditions are required to trigger this vulnerability

*   The user is an **administrator**
*   A plugin with a malicious url is used

**Thank you for your feedback, we will fix it later**

> if (ROLE != 'admin') msg('权限不足！');
> 
> if (!file\_exists($path . $plugin . '.php')) {
> 
> return false;
> 
> }
> 
> 这是一个没有想象中严重的漏洞，我们在前面设置了权限检查挡住了非admin用户的访问，此外文件存在性检查会确保不存在的插件不会被加载，因此触发这个漏洞的需要：
> 
> *   用户为**管理员**
> *   使用了带有恶意外部链接的插件
> 
> **感谢您的反馈，我们将会在晚些时候进行修复**
> 
> _translated by deepl.com_
> 
> if (ROLE != 'admin') msg('权限不足！');
> 
> if (!file\_exists($path . $plugin . '.php')) {
> 
> return false;
> 
> }
> 
> This is not as serious a vulnerability as you might think, we set up a permission check earlier to block access by non-admin users, in addition the file existence check will ensure that non-existent plugins will not be loaded, so two conditions are required to trigger this vulnerability
> 
> *   The user is an **administrator**
> *   A plugin with a malicious url is used
> 
> **Thank you for your feedback, we will fix it later**

礼貌问询deepl.com中译英和英译中效果怎么样

Copy link

Collaborator

** **n0099** commented May 16, 2022**

> 礼貌问询deepl.com中译英和英译中效果怎么样

您已经看到了

CVE-2022-28920: Possible XSS vulnerability · Issue #156 · MoeNetwork/Tieba-Cloud-Sign

**Comments**

Hello,

I would like to report for XSS vulnerability.

In file https://github.com/MoeNetwork/Tieba-Cloud-Sign/blob/master/templates/control.php line 53.

case 'setplug':
  $plug = strip\_tags($\_GET\['plug'\]);
  $pluginfo = getPluginInfo($plug);

Then, there is an echo in line 62.

echo '<a href="'.$pluginfo\['plugin'\]\['url'\].'" target="\_blank">';

strip\_tags is not secure in this case. If you can look to this code example the alert will be printed when you press on the link.

<?php
$x = "'javascript:alert()'";
$y = strip\_tags($x);
echo "<a href=$x>ClickMe</a>";

if (ROLE != 'admin') msg('权限不足！');

if (!file\_exists($path . $plugin . '.php')) {

return false;

}

这是一个没有想象中严重的漏洞，我们在前面设置了权限检查挡住了非admin用户的访问，此外文件存在性检查会确保不存在的插件不会被加载，因此触发这个漏洞的需要：

*   用户为**管理员**
*   使用了带有恶意外部链接的插件

**感谢您的反馈，我们将会在晚些时候进行修复**

_translated by deepl.com_

if (ROLE != 'admin') msg('权限不足！');

if (!file\_exists($path . $plugin . '.php')) {

return false;

}

This is not as serious a vulnerability as you might think, we set up a permission check earlier to block access by non-admin users, in addition the file existence check will ensure that non-existent plugins will not be loaded, so two conditions are required to trigger this vulnerability

*   The user is an **administrator**
*   A plugin with a malicious url is used

**Thank you for your feedback, we will fix it later**

This advisory contains mitigations for Improper Neutralization of Parameter/Argument Delimiters, Cleartext Transmission of Sensitive Information, Cross-site Scripting, Missing Authentication for Critical Function, Authentication Bypass by Capture-replay, and Improper Authentication vulnerabilities in Siemens SICAM P850 and SICAM P855.

Siemens SICAM P850 and SICAM P855

A vulnerability affecting F-Secure SAFE browser was discovered. An attacker can potentially exploit Javascript window.open functionality in SAFE Browser which could lead address bar spoofing attacks.

**CVE ID** **DATE ISSUED** **ADVISORY TITLE** **AFFECTED PRODUCTS** CVE-2022-28873  
12-May-2022 Multiple Address Bar Spoofing Vulnerabilities in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28872  
12-May-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28871 25-Apr-2022 Denial-of-Service (DoS) Vulnerability All F-Secure endpoint protection products on Windows and Mac CVE-2022-28870 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28869 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28868 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2021-44751 25-Mar-2022 F-Secure SAFE Browser vulnerable to USSD attacks F-Secure SAFE Browser for Android Version 18.5 and below CVE-2021-44750 09-Mar-2022 Arbitrary Code Execution F-Secure FREEDOME VPN, F-Secure SAFE, F-Secure KEY, and F-Secure Internet Security/Anti-Virus CVE-2021-44749 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5 CVE-2021-44748 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5

CVE-2022-28873: Security advisories | F-Secure

A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing as the address bar was not correct if navigation fails in a loop.

**CVE ID** **DATE ISSUED** **ADVISORY TITLE** **AFFECTED PRODUCTS** CVE-2022-28874 23-May-2022 Multiple Denial-of-Service (DoS) Vulnerabilities All F-Secure endpoint protection products for Windows and Mac CVE-2022-28873  
12-May-2022 Multiple Address Bar Spoofing Vulnerabilities in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28872  
12-May-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 19.0 and below CVE-2022-28871 25-Apr-2022 Denial-of-Service (DoS) Vulnerability All F-Secure endpoint protection products for Windows and Mac CVE-2022-28870 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28869 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2022-28868 14-Apr-2022 Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android F-Secure SAFE Browser for Android Version 18.6 and below CVE-2021-44751 25-Mar-2022 F-Secure SAFE Browser vulnerable to USSD attacks F-Secure SAFE Browser for Android Version 18.5 and below CVE-2021-44750 09-Mar-2022 Arbitrary Code Execution F-Secure FREEDOME VPN, F-Secure SAFE, F-Secure KEY, and F-Secure Internet Security/Anti-Virus CVE-2021-44749 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5 CVE-2021-44748 03-Mar-2022 Universal Cross-Site Scripting Vulnerability in F-Secure SAFE Browser Protection for Android F-Secure SAFE Browser for Android Version 18.5

CVE-2022-28872: Security advisories | F-Secure

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw. 
Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw._ 

Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones. 

The InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall. 

The router can be managed mainly in two ways: through the web interface, and through a router console accessible by telnet or, if enabled, SSH. The router does not provide access in any way to the Linux system beneath the router functionalities. 

The chart below, which includes only a subset of all the discovered vulnerabilities, shows the different paths an attacker could take to obtain root access after the user clicks on an attacker-controlled link. It would be possible to chain the vulnerabilities discovered in several ways to obtain root access on the device:

Cisco Talos worked with InHand Networks to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.  

To avoid the exploitation of these vulnerabilities, users are encouraged to update InHand Networks InRouter302, version 3.5.4 and 3.5.37 to version 3.5.45. Note that most vulnerabilities exist in both versions, however, several vulnerabilities are unique to 3.5.37 due to newly introduced functionality. See below for details. Talos tested and confirmed these versions are affected by these vulnerabilities. For more information on each of these issues, read their full advisories, which are linked in the blog post below.

Additionally, the following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 59125, 59151, 59153, 59224-59225, 59247, 59270 – 59272, 59287, 59288, 59294, 59295 and 59414. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org. 

Talos hypothesizes a scenario where the attacker would start the chain attack from a malicious link. This can be achieved through social engineering attacks, such as phishing. 

If a victim clicks the malicious link their session cookie can be exfiltrated: 

*   TALOS-2022-1469, together with TALOS-2022-1470: The webserver uses for its web pages a template language. One of the web pages that use this template language executes one parameter set internally by the webserver as JavaScript during the handling of a request. These issues are related to the possibility to provide in the request the value of this parameter, effectively allowing to execute arbitrary JavaScript with an HTTP request. This enables an attacker to execute a cross-site scripting attack (XSS). Because no HttpOnly flag is set, the attacker could exfiltrate the session cookie, exploiting the XSS. 

At this point, the attacker has either the cookie of a non-privileged user or a privileged one. In both scenarios, there are direct paths to root: 

*   TALOS-2022-1477: The router console, the binary users interact with when they SSH/telnet into the device, has a hidden command. When provided with a specific password, this command will spawn a root shell. The provided password is compared with a string that will be decrypted using AES, but because the AES key is in the library used, the encrypted password can be decrypted. 
*   TALOS-2022-1478: In the same hidden command within the router console, if a different password is provided, it will spawn a new binary. This binary is vulnerable to a command injection vulnerability, leading to the execution of OS commands as root. 
*   TALOS-2022-1481: It is also possible to upload a bulk router configuration. If the import is performed with this method, no check on the configuration entries value is performed. This leads to break assumptions where these values are used and can cause buffer overflows that can lead to remote code execution. 

If the cookie exfiltrated is of a non-privileged user, and we do not consider that we can already obtain root from that level of privilege, the attacker can perform a privilege escalation to obtain the “privileged user” state: 

*   TALOS-2022-1472: The non-privileged user can upload the router configurations, change the privileged user password, and place its credential in a known state. 
*   TALOS-2022-1474: The non-privileged user can download the router configurations as a file. In it, there is the privileged user AES encrypted password, but because the AES password is contained in the library used by the device to encrypt and decrypt, the AES encrypted password can be decrypted by the attacker, that will obtain the privileged user credentials. 

The privileged user can then perform more functionalities than the non-privileged user, but it still does not have access to the Linux system of the router. From the “privileged user” state, there are several vulnerabilities that lead to root and some, in common with the “non-privileged user” state, were discussed earlier. Still, the following ones are unique for the “privileged user”: 

*   TALOS-2022-1475: Inside the router console, there is a “privileged view” only accessible using the privileged user password. In this view, there is a hidden command that is vulnerable to command injection. 
*   TALOS-2022-1476: In the same hidden command within the router console, there is a buffer overflow vulnerability that can lead to remote code execution. 

These examples show a few possible routes that these vulnerabilities could be leveraged to go from a single click to root access within the device. Once root access to the router is obtained any number of effects can be achieved including, but not limited to, injecting, dropping, or inspecting packets, DNS poisoning, or further pivoting into the network. 

Additional vulnerabilities have been identified (TALOS-2022-1468, TALOS-2022-1471, TALOS-2022-1473, TALOS-2022-1495) that are not part of a chain shown: 

*   TALOS-2022-1468: An issue that allows an attacker to upload arbitrary files. With this capability, an attacker could perform several malicious actions. For instance, for both non-privileged and privileged users, the attacker could change the file that forces the router console to spawn when connecting to telnet or SSH, specifying instead to spawn a root shell. 
*   TALOS-2022-1471: This is a file-parsing issue. The functionality exposed starts the parsing of a file that is assumed to be a standard ping output. If an attacker has the ability to control the content of this file, they could trigger a buffer overflow that can lead to remote code execution. This vulnerability is reachable only by a privileged user. 
*   TALOS-2022-1473: If a specific web page is requested, a specific router configuration is taken and used as part of an OS command. Leading to command injection vulnerability. 
*   TALOS-2022-1495: The binary that manages the firmware upgrade only checks its CRC. Is possible, for both non-privileged and privileged users, to perform a firmware update with any firmware that has a valid CRC. 

During our disclosure to the vendor a new firmware, version 3.5.37, was released, and we discovered TALOS-2022-1496, TALOS-2022-1499, TALOS-2022-1500, TALOS-2022-1501, in this new firmware. These problems are related to a new “privileged view” in the router console. The password for accessing it was hardcoded in the same way as TALOS-2022-1477. This view introduced new functionalities, although three of them contained command injection vulnerabilities. 

TALOS-2022-1496 (CVE-2022-27172) is a vulnerability in the hard-coded password on the device, while the other three vulnerabilities all exist in different functions of the router’s software.

Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access 

Reflected Xss using url based payload in GitHub repository neorazorx/facturascripts prior to 2022.07. Xss can use to steal user's cookies which lead to Account takeover or do any malicious activity in victim's browser

@@ -24,6 +24,7 @@

use FacturaScripts\\Core\\Base\\DataBase\\DataBaseWhere;

use FacturaScripts\\Core\\Lib\\Widget\\VisualItemLoadEngine;

use FacturaScripts\\Dinamic\\Model\\CodeModel;

use FacturaScripts\\Dinamic\\Model\\Page;

use FacturaScripts\\Dinamic\\Model\\PageOption;

use FacturaScripts\\Dinamic\\Model\\User;

use Symfony\\Component\\HttpFoundation\\Response;

@@ -121,7 +122,7 @@ public function privateCore(&$response, $user, $permissions)

parent::privateCore($response, $user, $permissions);

$this\->model = new PageOption();

$this\->loadSelectedViewName();

$this\->backPage = $this\->request\->get('url') ?: $this\->selectedViewName;

$this\->setBackPage();

$this\->selectedUser = $this\->user\->admin ? $this\->request\->get('nick') : $this\->user\->nick;

$this\->loadPageOptions();

  

@@ -275,6 +276,22 @@ private function loadPageOptionsForUser(): bool

return true;

}

  

private function setBackPage()

{

// check if the url is a real controller name

$url = $this\->request\->get('url', '');

$pageModel = new Page();

foreach ($pageModel\->all(\[\], \[\], 0, 0) as $page) {

if (substr($url, 0, strlen($page\->name)) === $page\->name) {

$this\->backPage = $url;

return;

}

}

  

// set the default back page

$this\->backPage = $this\->selectedViewName;

}

  

/\*\*

\* @param array $column

\* @param string $name

Tag

#xss