Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-74q2-6jp4-3rqq: Krayin CRM vulnerable to Cross Site Scripting (XSS) via the organization name

Krayin CRM v1.3.0 is vulnerable to Cross Site Scripting (XSS) via the organization name field in `/admin/contacts/organizations/edit/2`.

ghsa
#xss#vulnerability#web#auth
GHSA-632q-77qj-c89q: LimeSurvey Cross Site Scripting vulnerability

Cross Site Scripting vulnerability in LimeSurvey before 6.5.0+240319 allows a remote attacker to execute arbitrary code via a lack of input validation and output encoding in the Alert Widget's message component.

Large scale Google Ads campaign targets utility software

Malicious Google sponsored results disguised as software downloads lead to malware.

Malicious Chrome Extensions Skate Past Google's Updated Security

Google's Manifest V3 offers better privacy and security controls for browser extensions than the previous M2, but too many lax permissions and gaps remain.

GHSA-6hwr-6v2f-3m88: XXE in PHPSpreadsheet's XLSX reader

### Summary The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. ### Details The security scan function in `src/PhpSpreadsheet/Reader/Security/XmlScanner.php` contains a flawed XML encoding check to retrieve the input file's XML encoding in the `toUtf8` function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. ``` $patterns = [ '/encoding="([^"]*]?)"/', "/encoding='([^']*?)'/", ]; ``` This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the `=` in the attribute definition. ### PoC Needed: - ...

GHSA-r8w8-74ww-j4wh: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

### Summary `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. ### PoC Example target script: ``` <?php require 'vendor/autoload.php'; $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx"); $spreadsheet = $reader->load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll()); ``` Save this file in the same directory: [book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15099763/book.xlsx) Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.

GHSA-w9xv-qf98-ccq4: PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled

### Summary It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer->setEmbedImages(true);` those files will be included in the output as `data:` URLs, regardless of the file's type. Also URLs can be used for embedding, resulting in a Server-Side Request Forgery vulnerability. ### Details XLSX files allow embedding or linking media. When In `xl/drawings/drawing1.xml` an attacker can do e.g.: ```xml <a:blip cstate="print" r:link="rId1" /> ``` And then, in `xl/drawings/_rels/drawing1.xml.rels` they can set the path to anything, such as: ```xml <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="/etc/passwd" /> ``` or ```xml <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://example.org" /> ``` When the HTML writer is outputting the...

GHSA-5gpr-w2p5-6m37: PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file

### Summary It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL. Note that this vulnerability is different from [GHSA-w9xv-qf98-ccq4](https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4), and resides in a different component. ### Details When an XLSX file is opened, the XLSX reader calls `setPath()` with the path provided in the `xl/drawings/_rels/drawing1.xml.rels` file in the XLSX archive: ```php if (isset($images[$embedImageKey])) { // ...omit irrelevant code... } else { $linkImageKey = (string) self::getArrayItem( $blip->attributes('http://schemas.openxmlformats.org/officeDocument/2006/relationships'), 'link' ); if (isset($images[$linkImag...

GHSA-pf56-h9qf-rxq4: Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page

### Summary Event log data is not properly sanitized leading to stored Cross-Site Scripting (XSS) vulnerability. ### Details - file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/eventlog.js#L445 ```js router.get( "/:id", isAdmin, error_catcher(async (req, res) => { const { id } = req.params; const ev = await EventLog.findOneWithUser(id); send_events_page({ [...] contents: { type: "card", contents: [...] ) + div( { class: "eventpayload" }, ev.payload ? pre(JSON.stringify(ev.payload, null, 2)) : "" //<--- ), }, }); }) ``` ### PoC The following PoC demonstrates how a non-admin user with permission to read/write on a table can inject malicious javascript code that will be executed in the event log admin panel if event logs are enabled. To demonstrate this issue, we need to prepare some components. The following steps should be ...

GHSA-43f3-h63w-p6f6: Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability

### Summary A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_name` POST parameter is not validated/sanitized and is used to construct the `syncDir` that is deleted by calling `fs.rm`. ### Details - file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.15/packages/server/routes/sync.js#L337-L346 ```js router.post( "/clean_sync_dir", error_catcher(async (req, res) => { const { dir_name } = req.body; // [1] source try { const rootFolder = await File.rootFolder(); const syncDir = path.join( rootFolder.location, "mobile_app", "sync", dir_name // [2] ); await fs.rm(syncDir, { recursive: true, force: true }); // [3] sink res.status(200).send(""); } catch (error) { getState().log(2, `POST /sync/clean_sync_dir: '${error.message}'`); res.status(400).json({ error: error.message || error }); } }) ); ``` ### Po...