In createQuickShareAction of SaveImageInBackgroundTask.java, there is a possible way to trigger a background activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "109e58b62dc9fedcee93983678ef9d4931e72afa", "tree": "7ef156a2d1225c1cb3d43620732bf609091ed48a", "parents": \[ "05b1ada4ed1326d7ad781142f4fff0de70dffeff" \], "author": { "name": "Miranda Kephart", "email": "mkephart@google.com", "time": "Fri Apr 28 10:58:46 2023 -0400" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:30:22 2023 +0000" }, "message": "\[DO NOT MERGE\] Update quickshare intent rather than recreating\\n\\nCurrently, we extract the quickshare intent and re-wrap it as a new\\nPendingIntent once we get the screenshot URI. This is insecure as\\nit leads to executing the original with SysUI\\u0027s permissions, which\\nthe app may not have. This change switches to using Intent.fillin\\nto add the URI, keeping the original PendingIntent and original\\npermission set.\\n\\nBug: 278720336\\nTest: manual (to test successful quickshare), atest\\nSaveImageInBackgroundTaskTest (to verify original pending intent\\nunchanged)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:02938e8ccae910d96578475a19dff0a5e746b03d)\\nMerged-In: Icad3d5f939fcfb894e2038948954bc2735dbe326\\nChange-Id: Icad3d5f939fcfb894e2038948954bc2735dbe326\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "50ee1f7ba97aabd377d1838b2cb3e17c46a909c9", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java", "new\_id": "f4a257fdd3ec7b6b5c97b8e6252f6ddf7059ddcc", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SaveImageInBackgroundTask.java" }, { "type": "modify", "old\_id": "5b6e5ce95b1483c83098f72fa5cb7051bb92425d", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/ScreenshotController.java", "new\_id": "5928c9ec608589e9b245e5a4950db5077bb75c2c", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/ScreenshotController.java" }, { "type": "modify", "old\_id": "f703058f4a0fb6251bcf51e099b79bb58d1e82a2", "old\_mode": 33188, "old\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SmartActionsReceiver.java", "new\_id": "ecc13ee747c8b4e116310436832ba03599c137c6", "new\_mode": 33188, "new\_path": "packages/SystemUI/src/com/android/systemui/screenshot/SmartActionsReceiver.java" }, { "type": "add", "old\_id": "0000000000000000000000000000000000000000", "old\_mode": 0, "old\_path": "/dev/null", "new\_id": "03f8c93942184a59caa0ba86a737fa45e043b24e", "new\_mode": 33188, "new\_path": "packages/SystemUI/tests/src/com/android/systemui/screenshot/SaveImageInBackgroundTaskTest.kt" } \] }

CVE-2023-35676

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "7428962d3b064ce1122809d87af65099d1129c9e", "tree": "1deeadc22093f2abd0eb83df703d39bb3ebd04d5", "parents": \[ "375227708b825b70a1b50f0feb0355036d0058fb" \], "author": { "name": "Achim Thesmann", "email": "achim@google.com", "time": "Tue May 23 00:26:33 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:30:03 2023 +0000" }, "message": "Ignore virtual presentation windows - RESTRICT AUTOMERGE\\n\\nWindows of TYPE\_PRESENTATION on virtual displays should not be counted\\nas visible windows to determine if BAL is allowed.\\n\\nTest: manual test, atest BackgroundActivityLaunchTest\\nBug: 264029851, 205130886\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4c40b187cd5277c27d20758c675865bf89180c7a)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:5bf9607bec3f1224158cfcff7dd91ac558b46c0f)\\nMerged-In: I08b16ba1c155e951286ddc22019180cbd6334dfa\\nChange-Id: I08b16ba1c155e951286ddc22019180cbd6334dfa\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "4c32edc6d709debe9792f88c5680652a38d4c5ce", "old\_mode": 33188, "old\_path": "services/core/java/com/android/server/wm/WindowState.java", "new\_id": "8a14c93c1d3844e8fe9a705f688ef2934404b4d9", "new\_mode": 33188, "new\_path": "services/core/java/com/android/server/wm/WindowState.java" } \] }

CVE-2023-35674

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to control other running activities due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "f810d81839af38ee121c446105ca67cb12992fc6", "tree": "b2589522f06167da4811d58d8b9a0bc6f4357734", "parents": \[ "109e58b62dc9fedcee93983678ef9d4931e72afa" \], "author": { "name": "Dmitry Dementyev", "email": "dementyev@google.com", "time": "Wed Jul 05 10:45:04 2023 -0700" }, "committer": { "name": "Duy Truong", "email": "duytruong@google.com", "time": "Wed Jul 19 17:51:46 2023 -0700" }, "message": "Update AccountManagerService checkKeyIntentParceledCorrectly.\\n\\nBug: 265798288\\nTest: manual\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8476b140eed0235df4e8f07d94420a1471191b55)\\nMerged-In: Ia2030a9dc371dccadd4e188a529351ac4232bb4f\\nChange-Id: Ia2030a9dc371dccadd4e188a529351ac4232bb4f\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "639f35e1ae13895c1c785e78b1f99ffa3ac414e0", "old\_mode": 33188, "old\_path": "services/core/java/com/android/server/accounts/AccountManagerService.java", "new\_id": "7a19d034c2c820b6197c6c37ae94cbada72926a2", "new\_mode": 33188, "new\_path": "services/core/java/com/android/server/accounts/AccountManagerService.java" } \] }

CVE-2023-35669

In updateList of NotificationAccessSettings.java, there is a possible way to hide approved notification listeners in the settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "d8355ac47e068ad20c6a7b1602e72f0585ec0085", "tree": "f8cac26c332efe2eea5230b368e944cfd75b4582", "parents": \[ "185bd5b809d252a866952cec5b97897fd261447b" \], "author": { "name": "Matías Hernández", "email": "matiashe@google.com", "time": "Mon Jun 05 18:24:04 2023 +0200" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Fri Jul 14 17:31:24 2023 +0000" }, "message": "Don\\u0027t hide approved NLSes in Settings\\n\\nNote that an NLS that shouldn\\u0027t be approvable (because its name is too long) but was already approved (either before the max length check was introduced, or through other means) will disappear from the list if the user revokes its access. This might be somewhat confusing, but since this is a very-edge case already it\\u0027s fine.\\n\\nBug: 282932362\\nTest: manual\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ff255c6eda1528f01a167a9a65b7f8e414d28584)\\nMerged-In: I4c9faea68e6d16b1a4ec7f472b5433cac1704c06\\nChange-Id: I4c9faea68e6d16b1a4ec7f472b5433cac1704c06\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "56d3f0e445c773b94df4971107f6755ded8d7d32", "old\_mode": 33188, "old\_path": "src/com/android/settings/notification/NotificationAccessSettings.java", "new\_id": "369c4f6dfaf81bcd91d764eff38c6309c16504bb", "new\_mode": 33188, "new\_path": "src/com/android/settings/notification/NotificationAccessSettings.java" }, { "type": "modify", "old\_id": "150dbe0483d208bd64bf5892f7b48ecc32add162", "old\_mode": 33188, "old\_path": "src/com/android/settings/notification/NotificationBackend.java", "new\_id": "cbc3e72e224cb8347af1437cd7b7629178946de9", "new\_mode": 33188, "new\_path": "src/com/android/settings/notification/NotificationBackend.java" }, { "type": "add", "old\_id": "0000000000000000000000000000000000000000", "old\_mode": 0, "old\_path": "/dev/null", "new\_id": "e644c2975b71fecf26e47754f6d77f4aab142a3a", "new\_mode": 33188, "new\_path": "tests/robotests/src/com/android/settings/notification/NotificationAccessSettingsTest.java" } \] }

CVE-2023-35667

The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.

CVE-2023-4294

ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.

**Autocomplete <select>**Edit this page

**Autocomplete <select>**

Transform your EntityType, ChoiceType or _any_ <select> element into an Ajax-powered autocomplete smart UI control (leveraging Tom Select):

**Installation**

Before you start, make sure you have StimulusBundle configured in your app.

Then install the bundle using Composer and Symfony Flex:

If you're using WebpackEncore, install your assets and restart Encore (not needed if you're using AssetMapper):

**Usage in a Form (without Ajax)**

Any ChoiceType or EntityType can be transformed into a Tom Select-powered UI control by adding the autocomplete option:

That's all you need! When you refresh, the Autocomplete Stimulus controller will transform your select element into a smart UI control:

**Usage in a Form (with Ajax)**

In the previous example, the autocomplete happens "locally": all of the options are loaded onto the page and used for the search.

If you're using an EntityType with _many_ possible options, a better option is to load the choices via AJAX. This also allows you to search on more fields than just the "displayed" text.

To transform your field into an Ajax-powered autocomplete, you need to create a new "form type" class to represent your field. If you have MakerBundle installed, you can run:

Or, create the field by hand:

There are 3 important things:

1.  The class needs the #[AsEntityAutocompleteField] attribute so that it's noticed by the autocomplete system.
2.  The getParent() method must return ParentEntityAutocompleteType.
3.  Inside configureOptions(), you can configure your field using whatever normal EntityType options you need plus a few extra options (see Form Options Reference).

After creating this class, use it in your form:

Caution

Avoid passing any options to the 3rd argument of the ->add() method as these won't be used during the Ajax call to fetch results. Instead, include all options inside the custom class (FoodAutocompleteField).

Congratulations! Your EntityType is now Ajax-powered!

**Styling Tom Select**

In your assets/controllers.json file, you should see a line that automatically includes a CSS file for Tom Select which will give you basic styles.

If you're using Bootstrap, set tom-select.default.css to false and tom-select.bootstrap5.css to true:

To further customize things, you can override the classes with your own custom CSS and even control how individual parts of Tom Select render. See Tom Select Render Templates.

**Form Options Reference**

All ChoiceType, EntityType and TextType fields have the following new options (these can also be used inside your custom Ajax autocomplete classes, e.g. FoodAutocompleteField from above):

autocomplete (default: false)

Set to true to activate the Stimulus plugin on your select element.

tom_select_options (default: [])

Use this to set custom Tom Select Options. If you need to set an option using JavaScript, see Extending Tom Select.

options_as_html (default: false)

Set to true if your options (e.g. choice_label) contain HTML. Not needed if your autocomplete is AJAX-powered.

autocomplete_url (default: null)

Usually you don't need to set this manually. But, you _could_ manually create an autocomplete-Ajax endpoint (e.g. for a custom ChoiceType), then set this to change the field into an AJAX-powered select.

no_results_found_text (default: 'No results found')

Rendered when no matching results are found. This message is automatically translated using the AutocompleteBundle domain.

no_more_results_text (default: 'No more results')

Rendered at the bottom of the list after showing matching results. This message is automatically translated using the AutocompleteBundle domain.

For the Ajax-powered autocomplete field classes (i.e. those whose getParent() returns ParentEntityAutocompleteType), in addition to the options above, you can also pass:

searchable_fields (default: null)

Set this to an array of the fields on your entity that should be used when searching for matching options. By default (i.e. null), _all_ fields on your entity will be searched. Relationship fields can also be used - e.g. category.name if your entity has a category relation property.

security (default: false)

Secures the Ajax endpoint. By default, the endpoint can be accessed by any user. To secure it, pass security to a string role (e.g. ROLE_FOOD_ADMIN) that should be required to access the endpoint. Or, pass a callback and return true to grant access or false to deny access:

filter_query (default: null)

If you want to completely control the query made for the "search results", use this option. This is incompatible with searchable_fields:

max_results (default: 10)

Allow you to control the max number of results returned by the automatic autocomplete endpoint.

min_characters (default: 3)

Allow you to control the min number of characters to load results.

preload (default: focus)

Set to focus to call the load function when control receives focus. Set to true to call the load upon control initialization (with an empty search).

**Using with a TextType Field**

All of the above options can also be used with a TextType field:

This <input> field won't have any autocomplete, but it _will_ allow the user to enter new options and see them as nice "items" in the box. On submit, all of the options - separated by the delimiter - will be sent as a string.

You _can_ add autocompletion to this via the autocomplete_url option - but you'll likely need to create your own custom autocomplete endpoint.

**Customizing the AJAX URL/Route**

2.7

The ability to specify the route was added in Twig Components 2.7.

The default route for the Ajax calls used by the Autocomplete component is /autocomplete/{alias}/. Sometimes it may be useful to customize this URL - e.g. so that the URL lives under a specific firewall.

To use another route, first declare it:

Then specify this new route on the attribute:

**Extending Tom Select**

The easiest way to customize Tom Select is via the tom_select_options option that you pass to your field. This works great for simple things like Tom Select's loadingClass option, which is set to a string. But other options, like onInitialize, must be set via JavaScript.

To do this, create a custom Stimulus controller and listen to one or both events that the core Stimulus controller dispatches:

Note

The extending controller should be loaded eagerly (remove /* stimulusFetch: 'lazy' */), so it can listen to events dispatched by the original controller.

Then, update your field configuration to use your new controller (it will be used in addition to the core Autocomplete controller):

Or, if using a custom Ajax class, add the attr option to your configureOptions() method:

**Advanced: Creating an Autocompleter (with no Form)**

If you're not using the form system, you can create an Ajax autocomplete endpoint and then initialize the Stimulus controller manually. This only works for Doctrine entities: see Manually using the Stimulus Controller if you're autocompleting something other than an entity.

To expose the endpoint, create a class that implements Symfony\UX\Autocomplete\EntityAutocompleterInterface and tag this service with ux.entity_autocompleter, including an alias option:

Thanks to this, your can now autocomplete your Food entity via the ux_entity_autocomplete route and alias route wildcard:

Usually, you'll pass this URL to the Stimulus controller, which is discussed in the next section.

**Manually using the Stimulus Controller**

This library comes with a Stimulus controller that can activate Tom Select on any select or input element. This can be used outside of the Form component. For example:

That's it! If you want the options to be autocompleted via Ajax, pass a url value, which works well if you create a custom autocompleter:

Note

If you want to create an AJAX autocomplete endpoint that is _not_ for an entity, you will need to create this manually. The only requirement is that the response returns JSON with this format:

for using Tom Select Option Group the format is as follows

Once you have this, generate the URL to your controller and pass it to the url value of the stimulus_controller() Twig function, or to the autocomplete_url option of your form field. The search term entered by the user is passed as a query parameter called query.

Beyond url, the Stimulus controller has various other values, including tomSelectOptions. See the controller.ts file for the full list.

**Unit testing**

When writing unit tests for your form, using the TypeTestCase class, you consider registering the needed type extension AutocompleteChoiceTypeExtension like so:

**Known Issue when using with Live Component**

You _can_ use autocomplete inside of a Live Component: the autocomplete JavaScript widget should work normally and even update if your element changes (e.g. if you add or change <option> elements. Internally, a MutationObserver inside the UX autocomplete controller detects these changes and forwards them to TomSelect.

However, if you use the multiple option, due to complexities in TomSelect, the autocomplete widget _will_ work, but it will not update if you change any options. For example, if your change the "options" for a select during re-render, those will not update on the frontend.

CVE-2023-41336: Symfony UX Autocomplete Documentation

Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attacks in several locations, allowing an attacker to store a JavaScript payload.

**Abstract Advisory Information**

The feature, to attach a document to a post, is prone to stored Cross-site Scripting (XSS) attacks in several locations allowing an attacker to store a JavaScript payload.

Author: Dominique Righetto

**Version affected**

Name: Interact Software

Versions: 7.9.79.5

**Common Vulnerability Scoring System**

CVSS SCORE 5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

**Patch**

No patch available

**References**

CVE – CVE-2023-41103 (mitre.org)

**Vulnerability Disclosure Timeline**

*   *   20/05/2022: Vulnerability discovery
    *   22/05/2022: Vulnerability Report to CERT-XLM
    *   05/06/2022: Vulnerability Report to Vendor through investigation
    *   05/06/2022: Vulnerability Report to Vendor through investigation
    *   13/06/2022: Vulnerability Report to Vendor through investigation
    *   20/06/2022: Community account creation asked to InteractSoftware to contact their technical departement
    *   20/06/2022: Vulnerability Report to Vendor through investigation
    *   20/06/2022: Urge vendor to reply via twitter
    *   04/07/2023: Update asking to vendor through investigation
    *   04/07/2023: Update asking to vendor for the community account creation
    *   15/07/2023: Ticket for a community account creation closed
    *   17/07/2023: Reply to help@interact-intranet.com asking for an update
    *   19/07/2023: Reply to help@interact-intranet.com asking for an update
    *   01/08/2023: Phonecall to +1 (646) 564 5775, gave vendor information for them to reach us back
    *   01/08/2023: Phonecall to +1 (646) 564 5775
    *   16/08/2023: Phonecall to +1 (646) 564 5775, got redirected to help@interactsoftware.com.
    *   16/08/2023: Update asked to help@interactsoftware.com.
    *   16/08/2023: Request CVE ID to Mitre
    *   23/08/2023: CVE IDs assigned : CVE-2023-41103
    *   24/08/2023: Vulnerabilty disclosure

Our website uses cookies technologies to assist with navigation and your ability to provide feedback, analyze your use of our products and services, to enable you to use the social media functionalities and assist with our promotional and marketing efforts, and provide content from third parties. You may choose to opt-out from all non-essential cookies or allow them for a better browsing experience.  
For more information on the use of cookies, Please check our Privacy Notice ACCEPT REJECT SETTINGS

CVE-2023-41103: CVE-2023-41103 - Excellium Services

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\UserDesktop\themes.

    # Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
    # Date: 2023-08-09
    # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
    # Vendor Homepage: https://tsplus.net/
    # Version: Up to 16.0.0.0
    # Tested on: Windows
    # CVE : CVE-2023-31068
    
    With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single 
    sign-on web portal and remote desktop gateway that enables users to 
    remotely access the console session of their office PC.
    The solution comes with an embedded web server to allow remote users to 
    easely connect remotely.
    However, insecure file and folder permissions are set, and this could 
    allow a malicious user to manipulate file content (e.g.: changing the 
    code of html pages or js scripts) or change legitimate files (e.g. 
    Setup-RemoteWork-Client.exe) in order to compromise a system or to gain 
    elevated privileges.
    
    This is the list of insecure files and folders with their respective 
    permissions:
    
    Permission: Everyone:(OI)(CI)(F)
    
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log
    
    -------------------------------------------------------------------------------------------
    
    Permission: Everyone:(F)
    
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
    C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
    C:\Program Files 
    (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js

CVE-2023-31068: OffSec’s Exploit Database Archive

An issue was discovered in TSplus Remote Access through 16.0.2.14. There are Full Control permissions for Everyone on some directories under %PROGRAMFILES(X86)%\TSplus\Clients\www.

    # Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
    # Date: 2023-08-09
    # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
    # Vendor Homepage: https://tsplus.net/
    # Version: Up to 16.0.2.14
    # Tested on: Windows
    # CVE : CVE-2023-31067
    
    TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and 
    Microsoft RDS for remote desktop access and Windows application 
    delivery. Web-enable your legacy apps, create SaaS solutions or remotely 
    access your centralized corporate tools and files.
    The TSplus Remote Access solution comes with an embedded web server to 
    allow remote users to easely connect remotely.
    However, insecure file and folder permissions are set and this could 
    allow a malicious user to manipulate file content (e.g.: changing the 
    code of html pages or js scripts) or change legitimate files (e.g. 
    Setup-VirtualPrinter-Client.exe) in order to compromise a system or to 
    gain elevated privileges.
    
    This is the list of insecure files and folders with their respective 
    permissions:
    Everyone:(OI)(CF)(F) and Everyone(F)
    Permission: Everyone:(OI)(CI)(F)
    
    C:\Program Files (x86)\TSplus\Clients\www
    C:\Program Files (x86)\TSplus\Clients\www\addons
    C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
    C:\Program Files (x86)\TSplus\Clients\www\downloads
    C:\Program Files (x86)\TSplus\Clients\www\prints
    C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
    C:\Program Files (x86)\TSplus\Clients\www\software
    C:\Program Files (x86)\TSplus\Clients\www\var
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
    C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
    C:\Program Files (x86)\TSplus\Clients\www\software\java
    C:\Program Files (x86)\TSplus\Clients\www\software\js
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\images\bramus
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\js\prototype
    C:\Program Files (x86)\TSplus\Clients\www\var\log
    C:\Program Files (x86)\TSplus\UserDesktop\themes
    C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
    C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
    C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
    C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
    C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista
    
    ------------------------------------------------------------------------------
    
    Permission: Everyone:(F)
    
    C:\Program Files (x86)\TSplus\Clients\www\all.min.css
    C:\Program Files (x86)\TSplus\Clients\www\custom.css
    C:\Program Files (x86)\TSplus\Clients\www\popins.css
    C:\Program Files (x86)\TSplus\Clients\www\robots.txt
    C:\Program Files 
    (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
    C:\Program Files 
    (x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
    C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
    C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\common.css
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
    C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\exitlist.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\exitupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\getlist.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\getupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\postupload.html
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
    C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
    C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
    C:\Program Files 
    (x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
    C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js

CVE-2023-31067: OffSec’s Exploit Database Archive

Multiple cross-site scripting (XSS) vulnerabilities in Dairy Farm Shop Management System Using PHP and MySQL v1.1 allow attackers to execute arbitrary web scripts and HTML via a crafted payload injected into the Category and Category Field parameters.

In this section, we'll explain what cross-site scripting is, describe the different varieties of cross-site scripting vulnerabilities, and spell out how to find and prevent cross-site scripting.

**What is cross-site scripting (XSS)?**

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

**How does XSS work?**

Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.

**Labs**

If you're already familiar with the basic concepts behind XSS vulnerabilities and just want to practice exploiting them on some realistic, deliberately vulnerable targets, you can access all of the labs in this topic from the link below.

*   View all XSS labs

**XSS proof of concept**

You can confirm most kinds of XSS vulnerability by injecting a payload that causes your own browser to execute some arbitrary JavaScript. It's long been common practice to use the alert() function for this purpose because it's short, harmless, and pretty hard to miss when it's successfully called. In fact, you solve the majority of our XSS labs by invoking alert() in a simulated victim's browser.

Unfortunately, there's a slight hitch if you use Chrome. From version 92 onward (July 20th, 2021), cross-origin iframes are prevented from calling alert(). As these are used to construct some of the more advanced XSS attacks, you'll sometimes need to use an alternative PoC payload. In this scenario, we recommend the print() function. If you're interested in learning more about this change and why we like print(), check out our blog post on the subject.

As the simulated victim in our labs uses Chrome, we've amended the affected labs so that they can also be solved using print(). We've indicated this in the instructions wherever relevant.

**What are the types of XSS attacks?**

There are three main types of XSS attacks. These are:

*   Reflected XSS, where the malicious script comes from the current HTTP request.
*   Stored XSS, where the malicious script comes from the website's database.
*   DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

**Reflected cross-site scripting**

Reflected XSS is the simplest variety of cross-site scripting. It arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Here is a simple example of a reflected XSS vulnerability:

https://insecure-website.com/status?message=All+is+well.
<p>Status: All is well.</p>

The application doesn't perform any other processing of the data, so an attacker can easily construct an attack like this:

https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>
<p>Status: <script>/* Bad stuff here... */</script></p>

If the user visits the URL constructed by the attacker, then the attacker's script executes in the user's browser, in the context of that user's session with the application. At that point, the script can carry out any action, and retrieve any data, to which the user has access.

**Stored cross-site scripting**

Stored XSS (also known as persistent or second-order XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

The data in question might be submitted to the application via HTTP requests; for example, comments on a blog post, user nicknames in a chat room, or contact details on a customer order. In other cases, the data might arrive from other untrusted sources; for example, a webmail application displaying messages received over SMTP, a marketing application displaying social media posts, or a network monitoring application displaying packet data from network traffic.

Here is a simple example of a stored XSS vulnerability. A message board application lets users submit messages, which are displayed to other users:

<p>Hello, this is my message!</p>

The application doesn't perform any other processing of the data, so an attacker can easily send a message that attacks other users:

<p><script>/* Bad stuff here... */</script></p>

**DOM-based cross-site scripting**

DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.

In the following example, an application uses some JavaScript to read the value from an input field and write that value to an element within the HTML:

var search = document.getElementById('search').value;
var results = document.getElementById('results');
results.innerHTML = 'You searched for: ' + search;

If the attacker can control the value of the input field, they can easily construct a malicious value that causes their own script to execute:

You searched for: <img src=1 onerror='/* Bad stuff here... */'>

In a typical case, the input field would be populated from part of the HTTP request, such as a URL query string parameter, allowing the attacker to deliver an attack using a malicious URL, in the same manner as reflected XSS.

**What can XSS be used for?**

An attacker who exploits a cross-site scripting vulnerability is typically able to:

*   Impersonate or masquerade as the victim user.
*   Carry out any action that the user is able to perform.
*   Read any data that the user is able to access.
*   Capture the user's login credentials.
*   Perform virtual defacement of the web site.
*   Inject trojan functionality into the web site.

**Impact of XSS vulnerabilities**

The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:

*   In a brochureware application, where all users are anonymous and all information is public, the impact will often be minimal.
*   In an application holding sensitive data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
*   If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.

**How to find and test for XSS vulnerabilities**

The vast majority of XSS vulnerabilities can be found quickly and reliably using Burp Suite's web vulnerability scanner.

Manually testing for reflected and stored XSS normally involves submitting some simple unique input (such as a short alphanumeric string) into every entry point in the application, identifying every location where the submitted input is returned in HTTP responses, and testing each location individually to determine whether suitably crafted input can be used to execute arbitrary JavaScript. In this way, you can determine the context in which the XSS occurs and select a suitable payload to exploit it.

Manually testing for DOM-based XSS arising from URL parameters involves a similar process: placing some simple unique input in the parameter, using the browser's developer tools to search the DOM for this input, and testing each location to determine whether it is exploitable. However, other types of DOM XSS are harder to detect. To find DOM-based vulnerabilities in non-URL-based input (such as document.cookie) or non-HTML-based sinks (like setTimeout), there is no substitute for reviewing JavaScript code, which can be extremely time-consuming. Burp Suite's web vulnerability scanner combines static and dynamic analysis of JavaScript to reliably automate the detection of DOM-based vulnerabilities.

**Content security policy**

Content security policy (CSP) is a browser mechanism that aims to mitigate the impact of cross-site scripting and some other vulnerabilities. If an application that employs CSP contains XSS-like behavior, then the CSP might hinder or prevent exploitation of the vulnerability. Often, the CSP can be circumvented to enable exploitation of the underlying vulnerability.

**Dangling markup injection**

Dangling markup injection is a technique that can be used to capture data cross-domain in situations where a full cross-site scripting exploit is not possible, due to input filters or other defenses. It can often be exploited to capture sensitive information that is visible to other users, including CSRF tokens that can be used to perform unauthorized actions on behalf of the user.

**How to prevent XSS attacks**

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:

*   **Filter input on arrival.** At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
*   **Encode data on output.** At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
*   **Use appropriate response headers.** To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
*   **Content Security Policy.** As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.

**Common questions about cross-site scripting**

**How common are XSS vulnerabilities?** XSS vulnerabilities are very common, and XSS is probably the most frequently occurring web security vulnerability.

**How common are XSS attacks?** It is difficult to get reliable data about real-world XSS attacks, but it is probably less frequently exploited than other vulnerabilities.

**What is the difference between XSS and CSRF?** XSS involves causing a web site to return malicious JavaScript, while CSRF involves inducing a victim user to perform actions they do not intend to do.

**What is the difference between XSS and SQL injection?** XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application's database.

**How do I prevent XSS in PHP?** Filter your inputs with a whitelist of allowed characters and use type hints or type casting. Escape your outputs with htmlentities and ENT_QUOTES for HTML contexts, or JavaScript Unicode escapes for JavaScript contexts.

**How do I prevent XSS in Java?** Filter your inputs with a whitelist of allowed characters and use a library such as Google Guava to HTML-encode your output for HTML contexts, or use JavaScript Unicode escapes for JavaScript contexts.

Tag

#java