Jenkins Agent Server Parameter Plugin 1.1 and earlier does not escape the name and description of Agent Server parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34183: Jenkins Security Advisory 2022-06-22

A cross-site request forgery (CSRF) vulnerability in Jenkins Beaker builder Plugin 1.10 and earlier allows attackers to connect to an attacker-specified URL.

CVE-2022-34207: Jenkins Security Advisory 2022-06-22

A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

CVE-2022-34204: Jenkins Security Advisory 2022-06-22

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

CVE-2022-34179: Jenkins Security Advisory 2022-06-22

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

CVE-2022-34177: Jenkins Security Advisory 2022-06-22

A vulnerability was found in File Manager Plugin 3.0.1. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Bugtraq mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:03:30 +0100  

\------------------------------------------------------------------------
Cross-Site Request Forgery in File Manager WordPress plugin
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery (CSRF) vulnerability was found in the File
Manager WordPress Plugin. Among others, this issue can be used to upload
arbitrary PHP files to the server.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0029

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the File Manager WordPress Plugin
version 3.0.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_request\_forgery\_in\_file\_manager\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

**Current thread:**

*   **Cross-Site Request Forgery in File Manager WordPress plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20091: Cross-Site Request Forgery in File Manager WordPress plugin

A vulnerability has been found in Atahualpa Theme and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to basic cross site scripting. The attack can be launched remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:08:41 +0100  

\------------------------------------------------------------------------
Cross-Site Scripting in Atahualpa WordPress Theme
------------------------------------------------------------------------
Spyros Gasteratos, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A number of Cross-Site Scripting vulnerabilities were found in the
Atahualpa WordPress Theme. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to use the CSRF vulnerability
described in SFY20160759 to trick the admin into storing malicious
input.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Atahualpa WordPress Theme
WordPress Theme.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_scripting\_in\_atahualpa\_wordpress\_theme.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Cross-Site Scripting in Atahualpa WordPress Theme** _Summer of Pwnage (Feb 28)_

CVE-2017-20085: Cross-Site Scripting in Atahualpa WordPress Theme

The SAP Fiori launchpad suffers from a cross site scripting vulnerability. Various component versions are affected.

    # Onapsis Security Advisory 2022-0005: Cross-Site Scripting (XSS)vulnerability in SAP Fiori launchpad## Impact on BusinessImpact depends on the victim's privileges. In most cases, a successfulattackallows an attacker to hijack a session, or force the victim to performundesiredrequests in the SAP System (CSRF) as well as redirected to arbitrary website(Open Redirect).## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0005- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SAP\_UI 753  - SAP\_UI 754  - SAP\_UI 755  - SAP\_UI 756  - SAP\_BASIS 787  (Check SAP Note 3149805 for detailed information on affected releases)- Vulnerability Class: CWE-79- CVSS v3 score: 8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N- Risk Level: High- Assigned CVE: CVE-2022-26101- Vendor patch Information: SAP Security NOTE 3149805## Affected Components DescriptionSAP Fiori launchpad is the entry point to ABAP platform for SAP Fiori appsonmobile and desktop devices.## Vulnerability DetailsDuring the navigation in SAP Fiori Launchpad, it is possible to provide acustomtheme name using the url parameter ```sap-theme```. This parameter has anoption to provide the path to a .css file, which it is used directly in thepagegeneration. This optional input is not sufficiently sanitized, allowing anattacker tocontrol and craft any kind of html payload in the page requested.## SolutionSAP has released SAP Note 3149805 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3149805.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/09/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26101- Vendor Patch:https://launchpad.support.sap.com/#/notes/3149805- Vendor FAQ:https://launchpad.support.sap.com/#/notes/3157089## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP Fiori Launchpad Cross Site Scripting

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.4.

@@ -203,7 +203,12 @@ function mainRoutes (router, middleware, controllers) {

router.get('/tickets/print/:uid', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.print)

router.get('/tickets/:id', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.single)

// router.post('/tickets/postcomment', middleware.redirectToLogin, controllers.tickets.postcomment);

router.post('/tickets/uploadattachment', middleware.redirectToLogin, controllers.tickets.uploadAttachment)

router.post(

'/tickets/uploadattachment',

middleware.redirectToLogin,

middleware.csrfCheck,

controllers.tickets.uploadAttachment

)

router.post('/tickets/uploadmdeimage', middleware.redirectToLogin, controllers.tickets.uploadImageMDE)

  

// Messages

CVE-2022-2128: fix(attachments): file type security fix · polonel/trudesk@fb2ef82

SIEMENS-SINEMA Remote Connect versions 3.0.1.0-01.01.00.02 and below suffer from a cross site scripting vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220614-0 >  
=======================================================================  
               title: Reflected Cross Site Scripting  
             product: SIEMENS-SINEMA Remote Connect  
  vulnerable version: <=V3.0.1.0-01.01.00.02  
       fixed version: V3.1.0  
          CVE number: CVE-2022-29034  
              impact: medium  
            homepage: https://siemens.com  
               found: 2022-03-01  
                  by: S. Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Siemens is a technology company focused on industry, infrastructure,  
transport, and healthcare.  
 From more resource-efficient factories, resilient supply chains, and smarter  
buildings and grids, to cleaner and more comfortable transportation as well as  
advanced healthcare, we create technology with purpose adding real value for  
customers. By combining the real and the digital worlds, we empower our  
customers to transform their industries and markets, helping them to transform  
the everyday for billions of people."

"SINEMA Remote Connect is the management platform for remote networks. It is a  
server application that enables the simple management of tunnel connections  
(VPN) between headquarters, service technicians, and installed machines or  
plants."

Source: https://www.siemens.com  
Source:   
https://new.siemens.com/global/en/products/automation/industrial-communication/industrial-remote-communication/remote-networks/sinema-remote-connect-access-service.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Reflected Cross Site Scripting (CVE-2022-29034)  
The application contains a reflected cross-site-scripting vulnerability that  
can be used to execute JavaScript code in the victim's browser.

Proof of concept:  
-----------------  
1) Reflected Cross Site Scripting (CVE-2022-29034)  
The error occurs when setting the syslog server to an illegal IP address. An  
error message will pop up and will reflect the supplied IP address. However,  
the popup message does not use the proper JQuery method, and thus allows to  
inject JavaScript code. Note that dots can not be used in the JavaScript  
payload, as they will get filtered by the IP parser that runs beforehand.  
This was circumvented by supplying the JavaScript code in base64.

Following request can be used to trigger the XSS:

POST /services/syslog_client_settings HTTP/1.1  
Host: $host  
Cookie: sessionid=708xmctjzk39og596jp4q4r1udfom4l5;  
csrftoken=sP8NzwJozla1k18xrRzsXiY0zq16IyBddtlDA1C5BC1Orf0oGcqUPr2bpUv1VGLu  
Content-Length: 153  
X-Requested-With: XMLHttpRequest  
X-Csrftoken: U5AQMbPh3JTcdfdBkgIvaLtoitpS7jUVFJNGNGIY50KZkt5szBzX2Uxz8XTNkr4c  
Referer: https://$host/services/syslog_client_settings  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

address=127.0.0.1.<script>eval(atob("YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="))</script>&port=1234&pr  
otocol=tcp&client_authentication=false&certificate=62&mode=

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* V3.0.1.0-01.01.00.02

Vendor contact timeline:  
------------------------  
2022-04-01: Sending advisory via productcert@siemens.com  
2022-04-01: Issue tracked by Siemens under case #29947  
2022-04-19: Siemens confirms vulnerability. Patch available mid May.  
             Coordinated advisory release date for 2022-06-14.  
2022-06-07: Asking for fixed versions & CVE numbers.  
2022-06-14: Coordinated advisory release.

Solution:  
---------  
Version V3.1.0 fixes our identified issues as well as other security  
vulnerabilities according to the vendor. The firmware can be downloaded here:  
https://support.industry.siemens.com/cs/ww/en/view/109811169/

The vendor published a security advisory as well:  
https://cert-portal.siemens.com/productcert/html/ssa-484086.html

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz / @2022

Tag

#csrf