An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiSandbox version 4.4.0 and 4.2.0 through 4.2.4, and 4.0.0 through 4.0.4 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.4 through 3.0.7 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

** PSIRT Advisories**

**FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint**

**Summary**

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability \[CWE-79\] in FortiSandbox may allow an authenticated attacker to perform a cross-site scripting attack via crafted HTTP requests.

Version

Affected

Solution

FortiSandbox 4.4

4.4.0

Upgrade to 4.4.2 or above

FortiSandbox 4.2

4.2.0 through 4.2.4

Upgrade to 4.4.2 or above

FortiSandbox 4.0

4.0 all versions

Migrate to a fixed release

FortiSandbox 3.2

3.2 all versions

Migrate to a fixed release

FortiSandbox 3.1

3.1 all versions

Migrate to a fixed release

FortiSandbox 3.0

3.0.4 through 3.0.7

Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

**Acknowledgement**

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

**Timeline**

2023-10-13: Initial publication

CVE-2023-41836: Fortiguard

A stored cross-site scripting (XSS) vulnerability in the Create A New Employee function of Granding UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter.

**GRANDING UTime Master - Stored XSS**

 Hi All,

I was able to identify stored XSS in one online attendance system i.e. GRANDING UTime Master (v UTime Master\_9.0.7-Build:Apr 4,2023).

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser.

1.  Login to UTime Master using admin account
2.  Click on Personnel > Employee Management >Employee
3.  Select Any employee or create a new employee
4.  In First name Section embed you payload. For test case I used "/><img src=a onerror=alert(22)>

_XSS payload embedded in EMP NAME field._

Save the employee details, Once the page refreshed it will execute your payload.

_our payload executed successfully._

_I have also observed multiple other fields are also vulnerable to XSS e.g. Device Name, Department etc._

XSS has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.

**Popular posts from this blog**

**ZKT Eco ADMS - Stored XSS**

 Hi All, I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users. Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213 Technical details Login to ZKT Eco ADMS (default admin/admin) Click on System and click on Employee Click on Append button to add new Employee In Emp Name field Add your XSS payload. For testing I have used a non malicious code "/><img src=a onerror=alert('stored-XSS');> Click on Submit button, it will redirect you to the employee list, and our payload will be executed. XSS payload embedded in EMP NAME field. our payload executed successfully. XSS has been fixed in latest versions after 3.1-164.

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

CVE-2023-45391: GRANDING UTime Master - Stored XSS

An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie.

**GRANDING UTime Master - IDOR**

 Hi All,

I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v UTime Master\_9.0.7-Build:Apr 4,2023). 

UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser.

Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees.

1.  Login to UTime Master using any account.
2.  Capture the request in burpsuite with the valid cookies.
3.  modify the URL to "/base/adminlog/table/?page=1&limit=200"
4.  Forward the request and it will fetch all the admin logs.

  

XSS has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.

**Popular posts from this blog**

**ZKT Eco ADMS - Stored XSS**

 Hi All, I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users. Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213 Technical details Login to ZKT Eco ADMS (default admin/admin) Click on System and click on Employee Click on Append button to add new Employee In Emp Name field Add your XSS payload. For testing I have used a non malicious code "/><img src=a onerror=alert('stored-XSS');> Click on Submit button, it will redirect you to the employee list, and our payload will be executed. XSS payload embedded in EMP NAME field. our payload executed successfully. XSS has been fixed in latest versions after 3.1-164.

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

CVE-2023-45393: GRANDING UTime Master - IDOR

WordPress Core versions prior to 6.3.2 suffer from arbitrary shortcode execution, cross site scripting, denial of service, and information leakage vulnerabilities. Versions prior to 6.3.2 are vulnerable.

The newest WordPress patch includes fixes for 8 Medium-Severity security issues, several of which are trivial to exploit.

WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While all of the vulnerabilities are of Medium severity, several of them are impactful enough to potentially allow site takeover, and thus the 6.3.2 update has the most significant security fixes we’ve seen in a while.

Many of these patches have been backported to every version of WordPress since 4.1, with just a few being backported to the major version in which the functionality was released. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.

The Wordfence Threat Intelligence Team released two new firewall rules today to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities patched, and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023.

If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.

Technical Analysis and Overview

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

No More ShortCode Abuse

Description: WordPress Core <= 6.3.1 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

Affected Versions: WordPress Core < 6.3.2

Researcher: James Golovich & WhiteCyberSec 

CVE ID: Pending

CVSS Score: 5.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to arbitrary shortcode execution in versions up to, and including, 6.3.1 due to a lack of input validation on the ‘shortcode’ parameter in the parse_media_shortcode AJAX function. This allows authenticated attackers, with subscriber-level privileges and above, to execute arbitrary shortcodes.

While this patch does not address a specific vulnerability, it blocks a common vector that enables attackers to exploit vulnerabilities that use shortcodes. Before WordPress 6.3.2, any authenticated user, including subscribers could execute any shortcode by calling the built-in ‘parse-media-shortcode’ AJAX handler.

The changeset in WordPress 6.3.2 restricts this AJAX handler to media shortcodes, and requires the ’embed’ shortcode to be associated with an active post ID that the user can access.

This means that a large range of SQL Injection, Sensitive Information Disclosure, and Remote Code Execution vulnerabilities that required only an active user login can now only be exploited by Contributor-level users or above.

You can find several of the shortcode-based vulnerabilities we reference by searching the Wordfence Intelligence vulnerability database.

Previously our team could not add a firewall rule to prevent the execution of arbitrary shortcodes due to the varying use cases. Fortunately, with this patch and change, the expected behavior of the parse-media-shortcode action has been restricted by WordPress Core, so we were able to create a generic firewall rule that will prevent arbitrary execution of shortcodes that are not in the allowlist from the function. Wordfence Premium, Care, and Response customers received this rule today, while those still on the free version of Wordfence will receive this rule after a 30 day delay on November 11th, 2023.

Reflected Cross-Site Scripting via Application Passwords

Description: WordPress Core 5.6-6.3.1 – Reflected Cross-Site Scripting via Application Password Requests

Affected Versions: WordPress Core < 6.3.2

Researcher: mascara7784 

CVE ID: Pending

CVSS Score: 6.1(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Reflected Cross-Site Scripting via the ‘success_url’ and ‘reject_url’ parameters when requesting application passwords in versions between 5.6 and 6.3.1 due to insufficient input sanitization and output escaping of pseudo protocol URIs. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link and accepting or rejecting the application password.

WordPress allows applications to request application passwords to be generated for them. WordPress before 6.3.2 fails to validate the redirect URIs used when a password is authorized or rejected, which means that an attacker could generate a URL for an application password request containing data: and javascript: pseduo protocol redirects. If the victim visits this URL on their site and approves or rejects the application password request, they could be redirected to a URI that executes JavaScript on their browser. WordPress 6.3.2 contains a patch for this issue.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors.

All Wordfence users, including Wordfence free, Wordfence Premium, Wordfence Care, and Wordfence Response users are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection. Additionally, Wordfence disables application passwords by default.

Comment Visibility

Description: WordPress Core <= 6.3.1 – Authenticated(Contributor+) Sensitive Information Exposure via Comments on Protected Posts

Affected Versions: WordPress Core < 6.3.2

Researcher: JB Audras(WordPress Security Team) & Rafie Muhammad(Patchstack) 

CVE ID: Pending

CVSS Score: 4.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.3.1 via the comments listing. This allows authenticated users, with contributor-level privileges or above, to view comments on protected posts.

Prior to WordPress 6.3.2, it was possible for users to view comments on posts even when they did not have access to those posts. While this is in most cases a relatively low-impact issue, WordPress 6.3.2 contains a patch protecting the privacy of comments on private or protected posts.

Removing POP Chains

While WordPress Core has not had a known Object Injection vulnerability for some time, Object Injection vulnerabilities in various plugins and themes are regularly discovered by researchers, including Wordfence’s own in-house Threat Intelligence team.

All Object Injection vulnerabilities require POP chains in order to be successful. Prior to WordPress 6.3.2, potential POP chains were present in the WP_Theme, WP_Block_Type_Registry, WP_Block_Patterns_Registry, Requests/Session, Request/Iri, and Requests/Hooks classes. While we were unable to develop a functioning exploit for these in the time available, the patches involved indicate that they are designed to prevent unexpected Object Unserialization that could lead to Remote Code Execution. Credit to Marc Montpas of Automattic for discovering the vulnerable POP chains.

The Wordfence Threat Intelligence Team will continue reverse engineering this patch to determine if a firewall rule will be necessary, but at this time it has not received an official vulnerability entry because it is not technically a vulnerability on its own.

No More Searching By Email

Description: WordPress Core 4.7.0-6.3.1 – Sensitive Information Exposure via User Search REST Endpoint

Affected Versions: WordPress Core < 6.3.2

Researcher: Marc Montpas(Automattic) 

CVE ID: Pending

CVSS Score: 5.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Sensitive Information Exposure in versions between 4.7.0 and 6.3.1 via the User REST endpoint. While the search results do not display user email addresses unless the requesting user has the ‘list_users’ capability, the search is applied to the user_email column. This can allow unauthenticated attackers to brute force or verify the email addresses of users with published posts or pages on the site.

While WordPress prior to 6.3.2 did not directly display user email addresses to users without the “list_users” capability, it still searched the user email column in wp_users. This meant that it was possible to brute-force search or verify the email address of any user with a published post or page by including the partial email address in the search parameter, potentially impacting user privacy. The patch for this limits the search columns for users without the “list_users” capability to only the columns displayed.

Cache Poisoning Denial of Service

Description: WordPress Core 4.7.0-6.3.1 – Denial of Service via Cache Poisoning

Affected Versions: WordPress Core < 6.3.2

Researcher: s5s & raouf_maklouf 

CVE ID: Pending

CVSS Score: 5.3(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Denial of Service via Cache Poisoning in versions between 4.7.0 and 6.3.1. In cases where the X-HTTP-Method-Override header was sent in a request to a REST endpoint and the endpoint returned a 4xx error, the error could be cached, resulting in denial of service.

Responses to REST API requests are not cached for logged-in users, but WordPress Core before 6.3.2 had an edge case where, in heavily cached configurations, an unauthenticated attacker could send a request to the REST API using the X-HTTP-Method-Override header to a public endpoint and receive a 4xx error, either because the endpoint restricts access to those methods or does not support them at all. In cases where the error is cached, any other unauthenticated visitors attempting to retrieve data from that endpoint would see the cached 4xx error.

Contributor+ Stored Cross-Site Scripting in Footnotes

Description: WordPress Core 6.3-6.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Footnotes Block

Affected Versions: WordPress Core < 6.3.2

Researcher: Jorge Costa(WordPress Core Team) 

CVE ID: Pending

CVSS Score: 6.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Stored Cross-Site Scripting via the footnotes block in versions between 6.3 and 6.3.1 due to insufficient input sanitization and output escaping on the footnotes block. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress prior to 6.3.2 did not adequately sanitize the content of footnote blocks, allowing authenticated users, with Contributor-level privileges or above, to insert JavaScript that would execute when a page containing the footnotes was visited. While input is partially escaped on the client-side, it is possible to intercept a request and add unescaped script tags to the footnote metadata. WordPress has released a patch for this vulnerability in 6.3.2.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors.

We have released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response users against this vulnerability, and free Wordfence users will receive the same protection in 30 days, on November 11th, 2023.

Contributor+ Stored Cross-Site Scripting in Navigation Links

Description: WordPress Core 5.9-6.3.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via navigation attributes

Affected Versions: WordPress Core 5.9-6.3.1

Researcher: Rafie Muhammad & Edouard L of Patchstack 

CVE ID: Pending

CVSS Score: 6.4(Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fully Patched Version: 6.3.2

Wordfence Intelligence Reference 

WordPress Core is vulnerable to Stored Cross-Site Scripting via the arrow navigation block attributes in versions between 5.9 and 6.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level privileges and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress Core’s Block Editor includes a navigation block that includes arrows or chevrons to display previous and next posts. WordPress before 6.3.2 failed to adequately check or sanitize the attribute defining whether to use an arrow or a chevron. As a result, any user with access to the post editor could insert malicious JavaScript into the arrow navigation element, which would be executed whenever a visitor accessed that page.

As with all Cross-Site Scripting vulnerabilities, this can be used to take over a site by creating malicious administrators and backdoors. We were unable to successfully exploit this vulnerability at the time of publication, but will update this post if we are able to achieve a proof of concept, along with a firewall rule if needed to protect our users.

Conclusion

WordPress 6.3.2 includes patches for 5 Medium-Severity vulnerabilities as well as hardening against separate Object Injection vulnerabilities found in third-party plugins and themes. Several of these vulnerabilities are trivial to exploit and we recommend updating immediately if your site has not yet automatically done so.

We have released firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers against the most impactful vulnerabilities and these rules will be available to free Wordfence users in 30 days, on November 11th, 2023.

If you know someone who uses WordPress and isn’t keeping it automatically updated, we recommend sharing this advisory with them to ensure their site remains secure, as several of these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Special thanks to the security researchers who responsibly disclosed these vulnerabilities, as well as to Threat Intelligence Lead Chloe Chamberland for her assistance with this article and for writing the firewall rules to protect Wordfence customers.

WordPress Core 6.3.1 XSS / DoS / Arbitrary Shortcode Execution

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22.

**Description**

Stored HTML Injection: A Hidden Web Threat. Learn how attackers exploit input fields to inject malicious code into web applications, jeopardizing user data and site integrity. Discover crucial prevention measures to safeguard against this insidious vulnerability.

#Step to reproduce

      1. Login to froxlor as admin
      2. Under the resource go to Hosting plans  and Add new plan  
      3. In the plan name field  add the HTML payload and save it  
      4. once after saving the plan we can see that  the payload is working 
    

**Proof of Concept**

    https://drive.google.com/file/d/1zAKGmVoxwmzXZbi6S4TZs9ZA3A7VhXxJ/view?usp=sharing
    
    

**Impact**

The impact of stored HTML injection can be severe and far-reaching, affecting both website owners and their users. Here are some of the key impacts:

Compromised User Data: Stored HTML injection allows attackers to access and manipulate sensitive user data stored in the application's database. This can include personal information, passwords, financial details, and other confidential data, leading to identity theft and fraud.

Malicious Code Execution: Attackers can inject harmful scripts into the web application, leading to the execution of arbitrary code on users' browsers. This can result in unauthorized actions, data theft, or the installation of malware on users' devices.

Loss of Trust: When users' data is compromised due to stored HTML injection, it erodes their trust in the website and the organization behind it. Loss of trust can lead to a decline in user engagement, decreased customer loyalty, and damage to the company's reputation.

Financial Loss: A successful attack can have financial repercussions, including costs associated with data breaches, legal liabilities, and the expenses of recovering and securing the compromised system.

Business Disruption: If a website is affected by stored HTML injection, it may become inaccessible or experience performance issues, leading to a disruption in services and potential loss of revenue.

Regulatory Compliance Issues: Depending on the nature of the compromised data, organizations may face legal consequences and regulatory penalties for failing to protect user information adequately.

Negative SEO Impact: A compromised website may be used to host malicious content, leading search engines to flag the site as unsafe, resulting in a negative impact on its search engine rankings.

Long-term Damage: The aftermath of a successful stored HTML injection attack can be long-lasting. Rebuilding user trust and restoring the website's reputation can be a time-consuming and challenging process

CVE-2023-4829: Stored HTML injection in froxlor

The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'calendly' shortcode in versions up to, and including, 3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-4995: Embed Calendly <= 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

Cross-site Scripting (XSS) - Stored in GitHub repository hestiacp/hestiacp prior to 1.8.6.

Expand Up @@ -512,7 +512,7 @@ class="form-control js-password-input" class\="form-control" name\="v\_mysql\_url" id\="v\_mysql\_url" value\="<?= $\_SESSION\["DB\_PMA\_ALIAS"\] ?>" value\="<?= htmlentities($\_SESSION\["DB\_PMA\_ALIAS"\]); ?>" \> </div\> <div class\="u-mb10"\> Expand Down Expand Up @@ -618,7 +618,7 @@ class="form-control" <label for\="v\_pgsql\_url" class\="form-label"\> <?= \_("phpPgAdmin Alias") ?> </label\> <input type\="text" class\="form-control" name\="v\_pgsql\_url" id\="v\_pgsql\_url" value\="<?= $\_SESSION\["DB\_PGA\_ALIAS"\] ?>"\> <input type\="text" class\="form-control" name\="v\_pgsql\_url" id\="v\_pgsql\_url" value\="<?= htmlentities($\_SESSION\["DB\_PGA\_ALIAS"\]) ?>"\> </div\> <?php } ?> <?php if ($v\_pgsql == "yes") { Expand Down Expand Up @@ -727,7 +727,7 @@ class="u-ml5" class\="form-control" name\="v\_backup\_dir" id\="v\_backup\_dir" value\="<?= trim($v\_backup\_dir, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_dir, "'")) ?>" disabled \> </div\> Expand Down Expand Up @@ -785,7 +785,7 @@ class="form-select" class\="form-control" name\="v\_backup\_host" id\="v\_backup\_host" value\="<?= trim($v\_backup\_host, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_host, "'")) ?>" \> </div\> <div class\="u-mb20"\> Expand All @@ -797,7 +797,7 @@ class="form-control" class\="form-control" name\="v\_backup\_port" id\="v\_backup\_port" value\="<?= trim($v\_backup\_port, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_port, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -809,7 +809,7 @@ class="form-control" class\="form-control" name\="v\_backup\_username" id\="v\_backup\_username" value\="<?= trim($v\_backup\_username, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_username, "'")) ?>" \> </div\> <div class\="u-mb20"\> Expand All @@ -822,7 +822,7 @@ class="form-control" class\="form-control js-password-input" name\="v\_backup\_password" id\="v\_backup\_password" value\="<?= trim($v\_backup\_password, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_password, "'")) ?>" \> </div\> </div\> Expand All @@ -835,7 +835,7 @@ class="form-control js-password-input" class\="form-control" name\="v\_backup\_bpath" id\="v\_backup\_bpath" value\="<?= trim($v\_backup\_bpath, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_bpath, "'")) ?>" \> </div\> </div\> Expand All @@ -849,7 +849,7 @@ class="form-control" class\="form-control" name\="v\_backup\_bucket" id\="v\_backup\_bucket" value\="<?= trim($v\_backup\_bucket, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_bucket, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -861,7 +861,7 @@ class="form-control" class\="form-control" name\="v\_backup\_application\_id" id\="v\_backup\_application\_id" value\="<?= trim($v\_backup\_application\_id, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_application\_id, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -873,7 +873,7 @@ class="form-control" class\="form-control" name\="v\_backup\_application\_key" id\="v\_backup\_application\_key" value\="<?= trim($v\_backup\_application\_key, "'") ?>" value\="<?= htmlentities(trim($v\_backup\_application\_key, "'")) ?>" \> </div\> </div\> Expand All @@ -887,7 +887,7 @@ class="form-control" class\="form-control" name\="v\_rclone\_host" id\="v\_rclone\_host" value\="<?= trim($v\_rclone\_host, "'") ?>" value\="<?= htmlentities(trim($v\_rclone\_host, "'")) ?>" \> </div\> <div class\="u-mb10"\> Expand All @@ -899,7 +899,7 @@ class="form-control" class\="form-control" name\="v\_rclone\_path" id\="v\_rclone\_path" value\="<?= trim($v\_rclone\_path, "'") ?>" value\="<?= htmlentities(trim($v\_rclone\_path, "'")) ?>" \> </div\> </div\> Expand Down Expand Up @@ -946,33 +946,33 @@ class="form-control u-min-height100 u-console" <ul class\="values-list"\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Issued To") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_subject ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_subject) ?></span\> </li\> <?php if ($v\_ssl\_aliases) { ?> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Alternate") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_aliases ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_aliases) ?></span\> </li\> <?php } ?> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Not Before") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_not\_before ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_not\_before) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Not After") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_not\_after ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_not\_after) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Signature") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_signature ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_signature) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Key Size") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_pub\_key ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_pub\_key) ?></span\> </li\> <li class\="values-list-item"\> <span class\="values-list-label"\><?= \_("Issued By") ?></span\> <span class\="values-list-value"\><?= $v\_ssl\_issuer ?></span\> <span class\="values-list-value"\><?= htmlentities($v\_ssl\_issuer) ?></span\> </li\> </ul\> </div\> Expand Down

CVE-2023-4517: Security patch for XSS in Edit server (#3946) · hestiacp/hestiacp@d30e3ed

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.

**Solution**

 Fixed

Update the WordPress WordPress wordpress to the latest available version (at least 6.3.2).

Found this useful? Thank Rafie Muhammad (Patchstack) for reporting this vulnerability. Buy a coffee ☕

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.3.2.

**Other vulnerabilities in this WordPress core**

 1 present

 287 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38000: WordPress core < 6.3.2 - Contributor+ Stored XSS in Navigation Links Block vulnerability - Patchstack

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by a Uncontrolled Resource Consumption vulnerability that could lead in minor application denial-of-service. Exploitation of this issue does not require user interaction.

Security update available for Adobe Commerce | APSB23-50  

Bulletin ID

Date Published

Priority

APSB23-50

October 10, 2023  

3

**Summary**

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass and application denial-of-service.

**Affected Versions**

**Product**

**Version**

**Platform**

 Adobe Commerce  

2.4.7-beta1 and earlier  
2.4.6-p2 and earlier  
2.4.5-p4 and earlier  
2.4.4-p5 and earlier  
2.4.3-ext-4 and earlier\*  
2.4.2-ext-4 and earlier\*  
2.4.1-ext-4 and earlier\*  
2.4.0-ext-4 and earlier\*  
2.3.7-p4-ext-4 and earlier\*  

All

Magento Open Source

2.4.7-beta1 and earlier  
2.4.6-p2 and earlier  
2.4.5-p4 and earlier  
2.4.4-p5 and earlier  

All

**Note: For clarity, the affected versions listed are now listed for each release line instead of only the most recent versions.  
\* These versions are only applicable to customers participating in the** Extended Support Program

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Installation Instructions

Adobe Commerce  

2.4.7-beta2 for 2.4.7-beta1 and earlier  
2.4.6-p3 for 2.4.6-p2 and earlier  
2.4.5-p5 for 2.4.5-p4 and earlier  
2.4.4-p6 for 2.4.4-p5 and earlier  
2.4.3-ext-5 for 2.4.3-ext-4 and earlier\*  
2.4.2-ext-5 for 2.4.2-ext-4 and earlier\*  
2.4.1-ext-5 for 2.4.1-ext-4 and earlier\*  
2.4.0-ext-5 for 2.4.0-ext-4 and earlier\*  
2.3.7-p4-ext-5 for 2.3.7-p4-ext-4 and earlier\*  

All  

3

2.4.x release notes

Magento Open Source   

2.4.7-beta2 for 2.4.7-beta1 and earlier  
2.4.6-p3 for 2.4.6-p2 and earlier  
2.4.5-p5 for 2.4.5-p4 and earlier  
2.4.4-p6 for 2.4.4-p5 and earlier  

All  

3

**Note: \* These versions are only applicable to customers participating in the** Extended Support Program

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

Authentication required to exploit?

Exploit requires admin privileges?  

**CVSS base score**  

**CVSS vector**  

CVE number(s)

Improper Input Validation (CWE-20)  

Privilege escalation  

Critical

No

No

8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  

CVE-2023-38218  

Cross-site Scripting (Stored XSS) (CWE-79)  

Privilege escalation  

Critical

Yes

Yes

8.4

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H  

CVE-2023-38219  

Improper Authorization (CWE-285)  

Security feature bypass  

Critical

Yes

No

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  

CVE-2023-38220  

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)  

Arbitrary code execution  

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  

CVE-2023-38221  

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)  

Arbitrary code execution  

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  

CVE-2023-38249  

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)  

Arbitrary code execution  

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H  

CVE-2023-38250  

Information Exposure (CWE-200)  

Arbitrary code execution  

Critical  

Yes

Yes

7.6

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L  

CVE-2023-26367  

Uncontrolled Resource Consumption (CWE-400)  

Application denial-of-service  

Important

No

No

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  

CVE-2023-38251  

Server-Side Request Forgery (SSRF) (CWE-918)  

Arbitrary file system read  

Important  

Yes

Yes

6.8

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N  

CVE-2023-26366  

Cross-site Scripting (XSS) (CWE-79)  

Arbitrary code execution  

Important  

Yes

Yes

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N  

CVE-2023-26368  

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.

  
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

**Acknowledgements**

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

*   wohlie - CVE-2023-38220, CVE-2023-38221, CVE-2023-38249, CVE-2023-38250, CVE-2023-38251, CVE-2023-26367  
    
*   Blaklis - CVE-2023-38219
*   fqdn - CVE-2023-38218
*   Sebastien Cantos (truff) - CVE-2023-26366
*   Yim Bryan H.T. (CITD) - CVE-2023-26368  
    

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.  

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2023-38251: Adobe Security Bulletin

Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.

**Cross-site Scripting (XSS) in froxlor/froxlor**

Moderate severity GitHub Reviewed Published Oct 13, 2023 to the GitHub Advisory Database • Updated Oct 13, 2023

Tag

#xss