Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Expand Up @@ -390,34 +390,14 @@ if (typeof String.prototype.utf8Decode == 'undefined') { }; }  
function fieldSanitizeStep1( field, bHtml\=true, bSvg\=true, bSvgFilters\=true, text\='' function simplePurifier( text, bHtml \= false, bSvg \= false, bSvgFilters \= false ) { if (field \=== undefined ||field \=== '') { return false; } let string \= ''; text \= (text \=== '') ? $(field).val() : text; /\* // Sanitize string var tagsToReplace = { '&': '&amp;', '<': '&lt;', '>': '&gt;', "'" : '&#39;', '"' : '&quot;' }; text = text.replace(/\[&<>'"\]/g, function(tag) { return tagsToReplace\[tag\] || tag; }); \*/ // Purify string string \= DOMPurify.sanitize( return DOMPurify.sanitize( text .replaceAll('&lt;', '<') .replaceAll('&gt;', '>') Expand All @@ -426,12 +406,129 @@ function fieldSanitizeStep1( .replaceAll('&#39;', "'"), {USE\_PROFILES: {html:bHtml, svg:bSvg, svgFilters: bSvgFilters}} ); }  
/\*\* \* Permits to purify the content of a string using domPurify \* @param {\*} field \* @param {\*} bHtml \* @param {\*} bSvg \* @param {\*} bSvgFilters \* @param {\*} text \* @returns bool||string \*/ function fieldDomPurifier( field, bHtml \= false, bSvg \= false, bSvgFilters \= false, text \= '' ) { if (field \=== undefined ||field \=== '') { return false; } let string \= ''; text \= (text \=== '') ? $(field).val() : text;  
// Purify string string \= simplePurifier(text, bHtml, bSvg, bSvgFilters);  
// Clear field if string is empty and warn user if (string \=== '' && text !== '') { $(field).val(''); return false; }  
return string; }  
/\*\* \* Permits to get all fields of a class and purify them \* @param {\*} elementClass \* @returns array \*/ function fieldDomPurifierLoop(elementClass) { let purifyStop \= false, arrFields \= \[\]; $.each($(elementClass), function(index, element) { purifiedField \= fieldDomPurifier( '#' + $(element).attr('id'), $(element).hasClass('purifyHtml') \=== true ? true : false, $(element).hasClass('purifySvg') \=== true ? true : false, $(element).hasClass('purifySvgFilter') \=== true ? true : false, typeof $(element).data('purify-text') !== undefined ? $(element).data('purify-text') : '' );  
if (purifiedField \=== false) { // Label is empty toastr.remove(); toastr.warning( 'XSS attempt detected. Please remove all special characters from your input.', 'Error', { timeOut: 5000, progressBar: true } ); $('#' + $(element).attr('id')).focus(); purifyStop \= true; return { 'purifyStop' : purifyStop, 'arrFields' : arrFields }; } else { $(element).val(purifiedField); arrFields\[$(element).data('field')\] \= purifiedField; } });  
// return return { 'purifyStop' : purifyStop, 'arrFields' : arrFields }; }  
/\*\* \* Permits to purify the content of a string using domPurify \* @param {\*} field \* @param {\*} bHtml \* @param {\*} bSvg \* @param {\*} bSvgFilters \* @returns bool||string \*/ function fieldDomPurifierWithWarning( field, bHtml \= false, bSvg \= false, bSvgFilters \= false, ) { if (field \=== undefined || field \=== '') { return false; } if ($(field).val() \=== '') { return ''; } let string \= '';  
// Purify string string \= simplePurifier($(field).val(), bHtml, bSvg, bSvgFilters);  
// Clear field if string is empty and warn user if (string \=== '') { toastr.remove(); toastr.warning( 'XSS attempt detected. Please remove all special characters from your input.', 'Error', { timeOut: 5000, progressBar: true } ); $(field).focus(); return false; }  
return string; }

CVE-2023-3191: 3.0.9 · nilsteampassnet/TeamPass@241dbd4

NOTE: rails-ujs is part of Rails/actionview since 5.1.0.

There is a potential DOM based cross-site scripting issue in rails-ujs
which leverages the Clipboard API to target HTML elements that are
assigned the contenteditable attribute. This has the potential to
occur when pasting malicious HTML content from the clipboard that
includes a data-method, data-remote or data-disable-with attribute.

This vulnerability has been assigned the CVE identifier CVE-2023-23913.

Not affected: < 5.1.0
Versions Affected: >= 5.1.0
Fixed Versions: 6.1.7.3, 7.0.4.3

Impact
  If the specified malicious HTML clipboard content is provided to a
  contenteditable element, this could result in the arbitrary execution
  of javascript on the origin in question.

Releases
  The FIXED releases are available at the normal locations.

Workarounds
  We recommend that all users upgrade to one of the FIXED versions.
  In the meantime, users can attempt to mitigate this vulnerability
  by removing the contenteditable attribute from elements in pages
  that rails-ujs will interact with.

Patches
  To aid users who aren’t able to upgrade immediately we have provided
  patches for the two supported release series. They are in git-am
  format and consist of a single changeset.

* rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series
* rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are
supported at present, and 6.0.Z for severe vulnerabilities.

Users of earlier unsupported releases are advised to upgrade as
soon as possible as we cannot guarantee the continued availability
of security fixes for unsupported releases.

Credits
  We would like to thank ryotak 15 for reporting this!

* rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)
* rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)
* rails-ujs-data-method-contenteditable-main.patch (8.9 KB)


NOTE: rails-ujs is part of Rails/actionview since 5.1.0.

There is a potential DOM based cross-site scripting issue in rails-ujs  
which leverages the Clipboard API to target HTML elements that are  
assigned the contenteditable attribute. This has the potential to  
occur when pasting malicious HTML content from the clipboard that  
includes a data-method, data-remote or data-disable-with attribute.

This vulnerability has been assigned the CVE identifier CVE-2023-23913.

Not affected: < 5.1.0  
Versions Affected: >= 5.1.0  
Fixed Versions: 6.1.7.3, 7.0.4.3

Impact  
If the specified malicious HTML clipboard content is provided to a  
contenteditable element, this could result in the arbitrary execution  
of javascript on the origin in question.

Releases  
The FIXED releases are available at the normal locations.

Workarounds  
We recommend that all users upgrade to one of the FIXED versions.  
In the meantime, users can attempt to mitigate this vulnerability  
by removing the contenteditable attribute from elements in pages  
that rails-ujs will interact with.

Patches  
To aid users who aren’t able to upgrade immediately we have provided  
patches for the two supported release series. They are in git-am  
format and consist of a single changeset.

*   rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series
*   rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are  
supported at present, and 6.0.Z for severe vulnerabilities.

Users of earlier unsupported releases are advised to upgrade as  
soon as possible as we cannot guarantee the continued availability  
of security fixes for unsupported releases.

Credits  
We would like to thank ryotak 15 for reporting this!

*   rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB)
*   rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB)
*   rails-ujs-data-method-contenteditable-main.patch (8.9 KB)

**References**

*   rails/rails@5037a13
*   rails/rails@73009ea
*   https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
*   https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2023-23913.yml

GHSA-xp5h-f8jf-rc8q: rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements

Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.

Pega continually works to implement security controls designed to protect client environments. With this focus, Pega has recently identified a security vulnerability that is rated High on the CVSS scale. We would like to thank **Maciej Piechota** **and** **Adam Simuntis** **from** **SECFORCE** for finding this vulnerability. 

Issue 

Description 

Impact

A23

Reflected Cross Site Script (XSS) vulnerability  

Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.    

Clients with internet-facing applications should update or apply the local change.  Clients running their own infrastructure should consult their security teams. 

 

 

 

We are not aware of any of our clients being compromised as a result of this vulnerability. 

For all clients, guidance is being provided to address the issue with a local change. The remediation for this issue will be included as part of the product in the 8.7.5 and 8.8.2 patch releases and the Infinity 23’ release of the Pega Platform.  

It is very important to keep your Pega systems current on the latest patch releases. The local change remediation is detailed in your **Client Advisory, \[CAD-\] case** that was provided to your **security and administrator contacts** on **Mar 2, 2023,** in My Support Portal.  

**CVE Details**

CVE Details 

A23 

Software/Product 

Pega Platform 

Affected Version(s) 

From 7.2 to 8.8.1 

CVE ID 

CVE-2023-26465 

CVSS Rating 

8.0 

Description 

Reflected Cross-Site Script (XSS) vulnerability

CVE-2023-26465: Support Center

A Cross Site Scripting (XSS) vulnerability in D-Link DI-7500G-CI-19.05.29A allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /auth_pic.cgi.

1.  Search vulnerable products on internet  
    Go to https://hunter.qianxin.com/, and use this syntax to search potential vulnerable products existing on internet:web.body="<title id="login\_title">D-Link路由器管理页</title>"  
    

A list of vulnerable targets are as follows:  
http://59.173.74.242:88/  
http://183.195.116.54:8888/  
http://125.119.243.164:8888/  
http://222.160.124.147:8081/  
http://58.49.36.134:88/  
http://59.173.75.201:88/  
http://39.175.53.231:9000/  
http://222.160.127.22:8081/  
http://221.232.194.41:88/  
http://120.196.58.120:88/  
http://221.232.195.128:88/

2.  Login with default credential  
    The default credential is admin : admin  
    

Login successful.

3.  Upload your payloads  
    Firstly, click on "认证管理",  
    Secondly, click on "认证页面管理",  
    Then, we click to browse the file and need to upload a file with the suffix ". jpg", ". png", or ". gif" ,  
    Finally, click on upload and we will use BurpSuite to intercept  
      
    

We need to change the suffix ". png" marked in the figure to ". html" and then send out the request package,  

Finally, we can trigger by clicking on this link  
  

It is important that victims can access this url without login in.

CVE-2023-34856: Stored Cross-Site Scripting (XSS) Vulnerability in 友讯电子设备(上海) D-Link Routing Management Page Version: DI-7500G-CI-19.05.29A1 · Issue #2 · hashshfza/Vulnerability

Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via the username, password, and language cookies parameter.

**Anti-Phishing**

Machine Learning and Computer Vision analyze textual, contextual, and visual email elements to identify malicious phishing links and webpages.

**Anti-Spear Phishing**

Natural Language Processing and sender spoofing algorithms identify behavioral, textual, and organizational anomalies to block spear phishing and business email compromise.

**Anti-Malware & Ransomware**

Predictive algorithms analyze email, URL, webpage, and file behavior to block malware-laden emails, webpages, attachments, and hosted files.

CVE-2023-29714: Vade | AI-Powered, Collaborative Email Security

Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via a crafted payload to the GET request after the /css/ directory.

*   Home
*   Blog
*   Advisories
*   Careers

*   Home
*   CVE-2023-29713 – Reflected XSS in Vade Secure Gateway

**Severity: High**

A **Reflected Cross Site Scripting** vulnerability found in **Vade Secure Gateway <= 3.0** allows a remote attacker to execute arbitrary JavaScript code on the victim’s browser via the URL.

© copyright 2022. All Rights Reserved.

CVE-2023-29713: CVE-2023-29713 - Reflected XSS in Vade Secure Gateway

Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.

**Hashicorp Vault vulnerable to Cross-site Scripting**

Moderate severity GitHub Reviewed Published Jun 9, 2023 to the GitHub Advisory Database • Updated Jun 9, 2023

GHSA-gq98-53rq-qr5h: Hashicorp Vault vulnerable to Cross-site Scripting

Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via a crafted payload to the X-Rewrite-URL parameter.

*   Home
*   Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)

Back to Posts

**Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)**

Reading Time: 4 minutes

**Vade Secure Gateway**

During a penetration test activity, several reflected cross-site scripting (XSS) vulnerabilities were found on an application developed by the French Company **Vade Secure**. The vulnerable application is Vade Secure Gateway which is an email box scanning and processing tool for spam removal that can be managed via a web page.

Once we identified the vulnerabilities and found that they had not been previously disclosed by someone else before, we made several attemps to establish contact with the Company to report the issue both via email and chat, but no contact could be established.

**Software Popularity**

Since we had no previous knowledge about this software, we wanted to verify its spread on the Internet.

We used fav-up to calculate the hash of the favicon, and we combined the result with Shodan, which allows to search for specific favicon hashes with the query

 http.favicon.hash:{HashFavicon}

The following picture highlights the number of detected products instances grouped by country.

**Version identification**

Even though there is no precise reference on the vendor site, it was possible to deduce the version via the release document found on the Vade Secure support page.

Given the changes made in version 3.0, we can infer that this is the target’s version.

**\*\*Since it was not possible to establish contact with the Company to identify a solution to these problems, we decided to hide the parameters and payloads in this article. However, we are always available in case Vade Secure wants to set up a collaboration with us, giving the opportunity to integrate the present article with information on future patches that solve the problems reported.\*\***

**Technical Recap**

Three vulnerabilities were identified in this application, broken down as follows:

*   one **Reflected XSS** vulnerability (**CVE-2023-29713**) \[**High**\]
*   two **DOM-based XSS** vulnerabilities (**CVE-2023-29712, CVE-2023-29714**) \[**Medium**\]

These types of attacks allow an unauthorized user to inject Javascript or HTML code within the victim’s browser to steal information or induce to perform certain operations through social engineering techniques.

**Advisory – CVE-2023-29712**

DOM-based XSS in Vade Secure Gateway

Medium

Description

Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via a crafted payload to the \*\*\*\* parameter.

Remediations

See the section “recommendations”

Category

OWASP Top 10: A3 – Injection

CVSS v3.1

Base Score: 6.1  
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected product

Vade Secure Gateway <= v3.0

Account

Unauthenticated

Vulnerable resources

   **REDACTED**

Proof of Concept

See the picture below

**Advisory – CVE-2023-29713**

Reflected XSS in Vade Secure Gateway

High

Description

Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via a crafted payload to the GET request after the \*\*\*\* directory.

Remediations

See the section “recommendations”

Category

OWASP Top 10: A3 – Injection

CVSS v3.1

Base Score: 8.1  
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Affected product

Vade Secure Gateway <= v3.0

Account

Unauthenticated

Vulnerable resources

  **REDACTED**

Proof of Concept

See the picture below

**Advisory – CVE-2023-29714**

DOM-based XSS in Vade Secure Gateway

Medium

Description

Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via the \*\*\*\*, \*\*\*\*, and \*\*\*\* cookies parameter.

Remediations

See the section “recommendations”

Category

OWASP Top 10: A3 – Injection

CVSS v3.1

Base Score: 6.1  
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected product

Vade Secure Gateway <= v3.0

Account

Unauthenticated

Vulnerable resources

  **REDACTED**

Proof of Concept

See the picture below

**Recommendiations**

Since there is no known update to fix the following vulnerabilities, we recommend adopting a WAF and tuning it in order to mitigate the attacks listed above. Also, if a direct contact with the supplier is available, please advise them of these issues.

**Disclosure Timeline**

*   14/03/2022 → Identification of the vulnerabilities
*   27/07/2022 → First email contact with Vade Secure (no reply)
*   05/08/2022 → Second email contact with Vade Secure (no reply)
*   03/02/2023 → Contacted via site chat and sent Vulnerability Disclosure Policy (we received a reply and they said they had turned the issue over to the relevant department)
*   06/03/2023 → Sent emails with XSS vulnerability testimonials and Vulnerability Disclosure Policy (no reply)
*   08/03/2023 → Requested CVEs
*   08/03/2023 → Sent email to Vede Secure to inform that we have applied for CVEs assignment (no reply)
*   16/03/2023 → Sent email with proof of concept of the vulnerabilities to Vade Secure (no reply)
*   09/05/2023 → Assignment of CVEs by MITRE
*   23/05/2023 → Sent an email to request cooperation again to resolve the issues and to inform that the proof of concept will not be published (no reply)

**Resources & References**

*   Vade | AI-Powered, Collaborative Email Security
*   Vade Secure Gateway
*   Vade Secure Gateway Release Notes
*   CVE-2023-29712
*   CVE-2023-29713
*   CVE-2023-29714

**Author**

**Nico Trionfetti** is a member of the **Yarix’s Red Team**, graduated from UNICAM with a degree in IT. He is passionate on Penetration testing with a focus on the web and outside of the cybersecurity he is passionate on films and tv series and outdoor activities.

**Author**

**Ylabs**

Back to Posts

CVE-2023-29712: Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)

Movierocket version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/32650/                                      ││  Vendor   : Bwiresoft                                                                  ││  Software : Movierocket 1.0                                                            ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /search_catalogGET parameter 'keywords' is vulnerable to RXSShttps://website/search_catalog?keywords=sz83n<script>alert(1)</script>k8jqbPath: /loginGET parameter 'red' is vulnerable to RXSShttps://website/login?red=bol85"><script>alert(1)</script>fdg21 [-] Done

Movierocket 1.0 Cross Site Scripting

Codemonkey Multi Vendor Digital Product Mart version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/39478/                                      ││  Vendor   : Bwiresoft                                                                  ││  Software : Codemonkey Multi Vendor Digital Product Mart 1.0                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'keyword' is vulnerable to RXSShttps://website/search?keyword=ohv4i<script>alert(1)</script>f6pt8&category=allPath: /loginGET parameter 'red' is vulnerable to RXSShttps://website/login?red=vp6bx"><script>alert(1)</script>ik2tx[-] Done

Tag

#xss