#xss

### Summary Short descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using `mw.util.addSubtitle`, allowing any user to insert arbitrary HTML into the DOM by editing a page. ### Details The description provided by the user via the `{{SHORTDESC:}}` parser function is insufficiently sanitized by the `sanitize()` function, as html entities are decoded: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159 Via JS, the short description is then passed to `mw.util.addSubtitle`, which inserts it as raw HTML: https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8 https://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563 ### PoC 1. Enable ShortDescription 2. Make sure `$wgSho...

### Summary Short descriptions set via the [ShortDescription extension](https://www.mediawiki.org/wiki/Extension:ShortDescription) are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. ### Details The `shortdesc` property, which contains unsanitized user input, is retrieved from the OutputPage and returned as the tagline: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/includes/Components/CitizenComponentPageHeading.php#L249-L251 The tagline is then provided to the template data: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/includes/Components/CitizenComponentPageHeading.php#L270-L275 The template then inserts the tagline into raw HTML without doing any escaping: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/templates/PageHeading.mustache#L12 ...

### Summary Page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. ### Details The descriptions, which are unsanitized, are inserted as raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d4dfc3697a82948b3b9c4d44e9a273c79bc86b87/resources/skins.citizen.search/templates/TypeaheadListItem.mustache#L18 ### PoC All of the reproduction methods require the command palette to be disabled via `$wgCitizenEnableCommandPalette = false;`. Additionally, the action API must be used as the Search Gateway via `$wgCitizenSearchGateway = 'mwActionApi';`. #### TextExtracts as the description source * Enable the TextExtracts extension * Add `$wgCitizenSearchDescriptionSource = 'textextracts';` to your LocalSettings.php * Create a page called `CitizenXSSTextExtracts` and insert `<img src="" onerror="alert('citizen search xss')">` into it * Open the search modal and search for `CitizenXSSTextExtracts` ![ima...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: Modular Switchgear Monitoring (MSM) Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to execute untrusted code, potentially leading to unauthorized actions or system compromise. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports the following products are affected: Hitachi Energy MSM: Version 2.2.9 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e., .html(), .append(), and others) may result in the execution of untrusted code. CVE-2020-11022 has b...

### Summary Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. ### Details The `args` provided within the wikitext as attributes to the `<tabber>` tag are passed to the TabberComponentTabs class: https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Tabber.php#L76 In TabberComponentTabs, the attributes are validated before being supplied to the Tabs template. https://github.com/StarCitizenTools/mediawiki-extensions-TabberNeue/blob/3a23b703ce36cfc4128e7921841f68230be4059a/includes/Components/TabberComponentTabs.php#L15-L31 However, the validation is insufficient. What `Sanitizer::validateTagAttributes` does is call `validateAttributes`, which ``` * - Discards attributes not on the given list * - Unsafe style attributes are discarded * - Invalid id attributes are re-encoded ``` However, the attribute values are expected to be escaped when inserte...

## Summary ## The Markdown preview function of File Browser v2.32.0 is vulnerable to *Stored Cross-Site-Scripting (XSS)*. Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser ## Impact ## A user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed. Malicious actions that are possible include: * Obtaining a user's session token * Elevating the attacker's privileges, if the victim is an administrator (e.g., gaining command execution rights) ## Vulnerability Description ## Most Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called `xss.md` with the following content: ```markdown # Hallo <b>foo</b> <img src="xx" onerror=alert(9)> <i>bar</i> ``` Bold and italic text ...

FBI tracked IntelBroker as UK’s Kai West using an email address, crypto trails, YouTube activity and forum posts after dozens of high-profile data breaches and darknet activity.

### Summary A stored XSS is present in Gogs which allows client-side Javascript code execution. ### Details Gogs Version: ``` docker images REPOSITORY TAG IMAGE ID CREATED SIZE gogs/gogs latest fe92583bc4fe 10 hours ago 99.3MB ``` Application version: `0.14.0+dev` Local setup using: ```bash # Pull image from Docker Hub. docker pull gogs/gogs # Create local directory for volume. sudo mkdir -p /var/gogs # Use `docker run` for the first time. docker run --name=gogs -p 10022:22 -p 10880:3000 -v /var/gogs:/data gogs/gogs ``` The vulnerability is caused by the usage of a vulnerable and outdated component: `pdfjs-1.4.20` under public/plugins/. Read more about this vulnerability at [codeanlabs - CVE-2024-4367](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/). ### PoC 1. Upload the Proof of Concept file hosted at https://codeanlabs.com/wp-content/uploads/2024/05/poc_generalized_CVE-2024-4367.pdf in a repository. 2. ...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Parsons Equipment: AccuWeather and Custom RSS widget Vulnerability: Cross-site Scripting 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to insert a malicious link that users might access through the RSS feed. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of AccuWeather and Custom RSS widget are affected: Parsons Utility Enterprise Data Management: Version 5.18 Parsons Utility Enterprise Data Management: Version 5.03 Parsons Utility Enterprise Data Management: Versions 4.02 through 4.26 Parsons Utility Enterprise Data Management: Version 3.30 AclaraONE Utility Portal: versions prior to 1.22 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79 A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthentica...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: EVLink WallBox Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to gain remote control of the charging station. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: EVLink WallBox: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22 An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability exists, which could cause arbitrary file writes when an unauthenticated user on ...