Algoo Tracim before 4.4.2 allows XSS via HTML file upload.

**usd-2022-0048 | Tracim 4.4.2 - Stored Cross-Site Scripting**

  
**Advisory ID**: usd-2022-0048  
**Affected Product**: Tracim  
**Affected Version**: 4.4.2 (properly others too)  
**Vulnerability Type**: Cross-Site Scripting (CWE-79)  
**Security Risk**: Critical  
**Vendor URL**: https://tracim.fr  
**Vendor Acknoledged Vulnerability**: No  
**Vendor Status**: Not fixed  
**CVE-ID**: CVE-2022-45144  

_The following behavior was reported to Tracim in November 2022. After several contact attempts, the usd AG Responsible Disclosure Team did not receive any response. In order to inform the users of Tracim about the unresolved vulnerability, the advisory was published in accordance with our Responsible Disclosure Policy.  
_

**Description**

Tracim is a collaborative platform software that allows teams to share and work on various types of data and documents. The application allows uploads of HTML files, which leads to a stored Cross-Site-Scripting attack.

Additionally to the stored XSS vulnerability, the impact can be increased by using a HTML injection in the comments feature. This endpoint usually blocks XSS attempts using a CSP, which can be bypassed. The tested version was Tracim 4.4.2.

**Proof of Concept (PoC)**

The application allows to upload HTML files, which can be viewed in "raw" using a link similar to the one below:

http://localhost:8080/api/workspaces/1/files/19/raw/test.html

This upload functionality makes the application vulnerable to a stored XSS, because the uplaoded file is rendered in the context of the application.

Tracim implements the following CSP:

Content-Security-Policy: script-src 'unsafe-eval' 'nonce-67c3972badf9a5c68a68fb5b107ab5f0ce1c8d0b15e6b9342d68b53f56cd4238'; style-src 'unsafe-inline' 'self'; connect-src 'self'; font-src data: blob: \*; img-src data: blob: \*; media-src data: blob: \*; frame-src \* 'self'; object-src 'none'; default-src 'self'

To attack more users from inside the application one needs to bypass the CSP and embed the uploaded file in a commonly visited place. Tracim allows injection of HTML into a comment. The endpoint uses a CSP to block XSS attempts. However, the CSP can be bypassed using our uploaded HTML file as an iframe source.

POST /api/workspaces/1/contents/22/comments HTTP/1.1  
Host: localhost:8080  
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0  
Accept: application/json  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost:8080/ui/workspaces/1/publications  
X-Tracim-ClientToken: ed6ba1bc-fae7-49cd-9490-8c38dd33ba13  
Content-Type: application/json  
Content-Length: 164  
Origin: http://localhost:8080

\[...\]

{"raw\_content":"<iframe src=\\"http://localhost:8080/api/workspaces/1/files/19/raw/test.html\\"></iframe>","content\_namespace":"publication"}

**Fix**

It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. Also it is recommended to restrict the allowed file types in the file upload function.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45144

**Timeline**

*   **2022-11-10**: This vulnerability was identified by Christian Pöschl.
*   **2022-11-10**: Initial contact to vendor via e-mail.
*   **2022-12-16**: Second attempt to contact vendor.
*   **2023-02-17**: Third attempt to contact vendor.
*   **2023-04-24**: Fourth attempt to contact vendor with notification about upcoming release plans for advisory.
*   **2023-05-15**: Security advisory released by usd AG.

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2022-45144: Security Advisory usd-2022-0048 | usd HeroLab

The MoroSystems EasyMind - Mind Maps plugin before 2.15.0 for Confluence allows persistent XSS when saving a Mind Map with the hyperlink parameter.

CVE-2023-30452: EasyMind - Mind Maps for Confluence - Version history

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.24. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-2528: Contact Form by Supsystic <= 1.7.24 - Cross-Site Request Forgery via AJAX action — Wordfence Intelligence

Cyberattckers can easily exploit a command-injection bug in the popular device, but Belkin has no plans to address the security vulnerability.

The Wemo Mini Smart Plug V2, which allows users to remotely control anything plugged into it via a mobile app, has a security vulnerability that allows cyberattackers to throw the switch on a variety of bad outcomes. Those include remotely turning electronics on and off, and the potential for moving deeper into an internal network, or hop-scotching to additional devices.

Used by consumers and businesses alike, the Smart Plug plugs into an existing outlet, and connects to an internal Wi-Fi network and to the broader Internet using Universal Plug-n-Play (UPNP) ports. Users can then control the device via a mobile app, essentially offering a way to make old-school lamps, fans, and other utility items "smart." The app integrates with Alexa, Google Assistant, and Apple Home Kit, while offering additional features like scheduling for convenience. 

The flaw (CVE-2023-27217) is a buffer-overflow vulnerability that affects model F7C063 of the device and allows remote command injection, according to researchers at Sternum who discovered it. Unfortunately, when they tapped the device maker, Belkin, for a fix, they were told that no firmware update would be forthcoming since the device is end-of-life.

"Meanwhile, it's safe to assume that many of these devices are still deployed in the wild," they explained in an analysis on May 16, citing the 17,000 reviews and the four-star rating the Smart Plug has on Amazon. "The total sales on Amazon alone should be in the hundreds of thousands."

Igal Zeifman, vice president of marketing for Sternum, tells Dark Reading that's a low estimate for the attack surface. "That's us being very conservative," he notes. "We had three in our lab alone when the research started. Those are now unplugged."

    

The Wemo Smart Plug turns regular lamps and such into "smart" devices.

He adds, "If businesses are using this version of the Wemo Plugin inside their network, they should stop or (at the very least) make sure that the Universal Plug-n-Play (UPNP) ports are not exposed to remote access. If that device plays a critical role or is connected to a critical network or asset, you are not in great shape."  

**CVE-2023-27217: What's in a Name?**

The bug exists in the way the firmware handles the naming of the Smart Plug. While "Wemo mini 6E9" is the default name of the device out of the box, users can rename it as they wish using what's designated in the firmware as the "FriendlyName" variable — changing it to "kitchen outlet" for example or similar.

"This option for user input already had our Spidey senses tingling, especially when we saw that changing the name in the app came with some guardrails, \[specifically a 30-character limit\]," Sternum researchers noted. "For us, this immediately raised two questions: 'Says who?' and 'What happens if we manage to make it more than 30 characters?'"

When the mobile app didn't allow them to create a name longer than 30 characters, they decided to connect directly to the device via pyWeMo, an open-source Python module for the discovery and control of WeMo devices. They found that circumventing the app allowed them to get around the guardrail, in order to successfully input a longer name.

"The restriction was only enforced by the app itself and not by the firmware code," they noted. "Input validation like this should not be managed just on the 'surface' level."

Observing how the overstuffed 'FriendlyName' variable was handled by the memory structure, the researchers saw that the metadata of the heap was being corrupted by any name longer than 80 characters. Those corrupted values were then being used in subsequent heap operations, thus leading to short crashes. This resulted in a buffer overflow and the ability to control the resulting memory re-allocation, according to the analysis.

"It's a good wake-up call about the risk of using connected devices without any on-device security, which is 99.9% of devices today," Zeifman says.

**Watch Out for Easy Exploitation**

While Sternum isn't releasing a proof-of-concept exploit or enumerating what a real-world attack flow would look like in practice, Zeifman says the vulnerability isn't difficult to exploit. An attacker would need either network access, or remote Universal Plug-n-Play access if the device is open to the Internet.

"Outside of that, it's a trivial buffer overflow on a device with an executable heap," he explains. "Harder bastions have fallen."

He noted that it's likely that attacks could be carried out via Wemo's cloud infrastructure option as well.

"Wemo products also implement a cloud protocol (basically a STUN tunnel) that was meant to circumvent network address traversal (NAT) and allow the mobile app to operate the outlet through the Internet," Zeifman says. "While we didn't look too deeply into Wemo's cloud protocol, we wouldn't be surprised if this attack could be implemented that way as well."

In the absence of a patch, device users do have some mitigations they can take; for instance, as long as the Smart Plug is not exposed to the Internet, the attacker would have to obtain access to the same network, which makes exploitation more complicated.

Sternum detailed the following common-sense recommendations:

*   Avoid exposing the Wemo Smart Plug V2 UPNP ports to the Internet, either directly or via port forwarding.
*   If you are using the Smart Plug V2 in a sensitive network, you should ensure that it is properly segmented, and that device cannot communicate with other sensitive devices on the same subnet.

**IoT Security Continues to Lag**

As far as broader takeaways from the research, the findings showcase the fact that Internet of Things (IoT) vendors are still struggling with security by design — which organizations should take into account when installing any smart device.

"I think this is the key point of this story: This is what happens when devices are shipped without any on-device protection," Zeifman notes. "If you only rely on responsive security patching, as most device manufacturers do today, two things are certain. One, you will always be one step behind the attacker; and two, one day those patches will stop coming."

IoT devices should be equipped with "the same level of endpoint security that we expect other assets to have, our desktops, laptops, servers, etc.," he says. "If your heart monitor is less secure than the gaming laptop, something has gone horribly wrong – and it has."

Unpatched Wemo Smart Plug Bug Opens Countless Networks to Cyberattacks

A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL.

CVE-2023-2195: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.

CVE-2023-2196: Jenkins Security Advisory 2023-05-16

Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-2633: Jenkins Security Advisory 2023-05-16

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

CVE-2023-33001: Jenkins Security Advisory 2023-05-16

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.

CVE-2023-33005: Jenkins Security Advisory 2023-05-16

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

Tag

#perl