#js

The framework suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'content' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

The ABB Cylon Aspect BMS/BAS controller is vulnerable to session fixation, allowing an attacker to set a predefined PHPSESSID value. An attacker can leverage an unauthenticated reflected XSS vulnerability in jsonProxy.php to inject a crafted request, forcing the victim to adopt a fixated session.

The ABB Cylon FLXeon BACnet controller is vulnerable to an authenticated JSON flooding attack, leading to uncontrolled resource consumption and a denial-of-service (DoS) condition. The /api/serialConfig endpoint allows an authenticated attacker to abuse an unrestricted loop to create a large number of JSON objects by sending specially crafted requests through the ports JSON array. This results in excessive memory and CPU usage, causing resource exhaustion and potential service failure.

The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated WebSocket implementation that allows an attacker to execute the tcpdump command. This command captures network traffic and filters it on serial ports 4855 and 4851, which are relevant to the device's services. The vulnerability can be exploited in a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial of service (DoS) conditions, and potential data exfiltration. The lack of authentication on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump processes, amplifying the attack's impact.

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

### Summary While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on. ### Details WhoDB allows users to connect to Sqlite3 databases. By default, the databases must be present in `/db/` (or alternatively `./tmp/` if development mode is enabled). Source: https://github.com/clidey/whodb/blob/ba6eb81d0ca40baead74bca58b2567166999d6a6/core/src/plugins/sqlite3/db.go#L14-L20 If no databases are present in the default directory, the UI indicates that the user is unable to open any databases:  The database file is an user-controlled value. This value is used in `.Join()` with the default directory, in order to get the full path of the database file to open. Source: https://github.co...

### Summary An unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript code due to a bypass to the existing guards around the `javascript:` protocol scheme in the URL. ### Details The parsing logic implement at [https://github.com/nuxt-modules/mdc/blob/main/src/runtime/parser/utils/props.ts#L16](https://github.com/nuxt-modules/mdc/blob/main/src/runtime/parser/utils/props.ts#L16) maintains a deny-list approach to filtering potential malicious payload. It does so by matching protocol schemes like `javascript:` and others. Specifically, this is the code from the mdc library's parser that is not secure enough: ```js export const unsafeLinkPrefix = [ 'javascript:', 'data:text/html', 'vbscript:', 'data:text/javascript', 'data:text/vbscript', 'data:text/css', 'data:text/plain', 'data:text/xml' ] export const validateProp = (attribute: string, value: string) => { if (attribute.startsWith('on')) { return false } if (attribute === 'href' || ...

UAC-0006, a financially motivated threat actor, targets PrivatBank customers with advanced phishing attacks. CloudSEK’s research reveals malicious emails…

A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.