Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification. \n\nFor the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise.

**Description**

Chatwoot relies on the rack\_attack.rb file to defend the application against various brute force attacks. The Chatwoot application fails to prevent brute force attacks against the listed paths when strings are appended to the end of POST directory names. Some protection still exists, primarily where more than 300 requests are made in a minute, which appears to be a default rule for the application and configuration. Provided an attacker keeps attacks within 300 per minute it is possible to bypass the configured rules.

The vulnerability was discovered in all tested directories, including:  
\-- /auth/sign\_in.json  
\-- /api/v1/accounts.json  
\-- /super\_admin/sign\_in.json

As I cannot configure the environment to test the other parameters, I am unsure if they are vulnerable, however the directories do accept random strings appended to the end. NOTE - Any arbitrary add on to the end of the directory can bypass the restrictions.

Note that I have tested a possible fix for the issue locally by modifying existing rack\_attack rules.

**Proof of Concept**

    POST /auth/sign_in.json HTTP/1.1
    Host: 192.168.1.3:3000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.3:3000/app/login
    Content-Type: application/json
    Content-Length: 74
    Origin: http://192.168.1.3:3000
    DNT: 1
    Connection: close
    Cookie: _chatwoot_session=isHDBFZBkWRHKTcjNmQPFlXVrtaswMNx7FNWeWpiULOnK%2FQakqLzHkfvY33zDMNhewz%2FBgh6VeEqUYoj3a6UA1HjD9WcQW3M0m2pM5N9Jmv88sSRp%2BiEA9dOAP9rhF3WHOIzL%2FI1BA0yWrYOMVZs6IpkAPD%2Fm3kz9E27rxzJ9%2B5fESTBmcJ0LEMT1nB8DvVRj8ULgac0RrjJOjEwySniIbg7HMOKNfP5PeF3FoodUKrhFZE%2F3SReiAt7q2FlHKVVzlwjTdjcz1sYcDTkblkVPRAFt1tYvV6oCA%3D%3D--flwWFZDdAvtdfTYe--tihOFN%2Bg9HKViJZPwD27jQ%3D%3D; user.id=eyJfcmFpbHMiOnsibWVzc2FnZSI6Ik1RPT0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS51c2VyLmlkIn19--d46f4e34d21234bf149d8e35067adec84d9de555; user.expires_at=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqSXdNakl0TURZdE1UQlVNakE2TWprNk1qZ3VORGszV2lJPSIsImV4cCI6bnVsbCwicHVyIjoiY29va2llLnVzZXIuZXhwaXJlc19hdCJ9fQ%3D%3D--d6b05039464d992e99ff7641408f22cb998b6899
    
    {"email":"joe@mayorsec.com","password":"Password123!","sso_auth_token":""}
    

    POST /super_admin/sign_in.json HTTP/1.1
    Host: 192.168.1.3:3000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.3:3000/super_admin/sign_in
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 234
    Origin: http://192.168.1.3:3000
    DNT: 1
    Connection: close
    Cookie: _chatwoot_session=1eo0NEleyD9vD3SZGSC5fmQ8%2FqjqauSZabHRTb79DXjlOr4U8zLfpx%2BWEarESorlTjxkoyywq1dQuYez%2BflouTKpf1kCnbrgpQUO0Ejxp2WcS4eX1xfvCwTmQ6mC3FplGhEhGxMYFiyUycwvh7%2Ba5gsmDLSlyNmLBQX%2FdzZY4VSgqJOvP2ttep5hMRorsoSsqBW4z8Sf6u5rCRGJxpMxCS2rL%2BgzCNpurXoswGmIVZ5soMtONk9x7wt42fynVbd2v5ukPwmf%2B%2BneGCXv6QUOI2TbXF7wC18NtKNjtEekVAP2kX8ZkyIS%2B%2FadCrtVcFVg6N4ZLwf7OK2VTiXuHynATmNbjQ2XFUhA0nH7b9yweJ8fGRpUfSv0E8Qpl%2F6r1uQCgdsVTx%2BXjtTpi0gVAIV%2F2%2BqDSzxQmD%2BR5AJQ7KZGnpYFNVYA1Nhje6i8zCwYzd9fTCTjd%2Bh2NZ4tvN6kpQ%3D%3D--7VQsNUvJAAZPOI0f--W7uERdZvn2dJqbk%2FLiftLg%3D%3D; user.id=eyJfcmFpbHMiOnsibWVzc2FnZSI6Ik1RPT0iLCJleHAiOm51bGwsInB1ciI6ImNvb2tpZS51c2VyLmlkIn19--d46f4e34d21234bf149d8e35067adec84d9de555; user.expires_at=eyJfcmFpbHMiOnsibWVzc2FnZSI6IklqSXdNakl0TURZdE1UQlVNakE2TWprNk1qZ3VORGszV2lJPSIsImV4cCI6bnVsbCwicHVyIjoiY29va2llLnVzZXIuZXhwaXJlc19hdCJ9fQ%3D%3D--d6b05039464d992e99ff7641408f22cb998b6899; cw_d_session_info={%22access-token%22:%225KrfuMPZEbhzLOJ6cgSUdA%22%2C%22cache-control%22:%22max-age=0%2C%20private%2C%20must-revalidate%22%2C%22client%22:%22FyV_LCCm8MdrctlhgnT6Tg%22%2C%22connection%22:%22close%22%2C%22content-length%22:%22595%22%2C%22content-type%22:%22application/json%3B%20charset=utf-8%22%2C%22etag%22:%22W/%5C%227dd1dcb51fcc95eae77b2ec9c6ad96ce%5C%22%22%2C%22expiry%22:%221660161568%22%2C%22referrer-policy%22:%22strict-origin-when-cross-origin%22%2C%22token-type%22:%22Bearer%22%2C%22uid%22:%22joe@mayorsec.com%22%2C%22x-content-type-options%22:%22nosniff%22%2C%22x-download-options%22:%22noopen%22%2C%22x-frame-options%22:%22SAMEORIGIN%22%2C%22x-permitted-cross-domain-policies%22:%22none%22%2C%22x-request-id%22:%22b90b4747-6fea-44e2-a677-ebe87930ab16%22%2C%22x-runtime%22:%220.249821%22%2C%22x-xss-protection%22:%221%3B%20mode=block%22}
    Upgrade-Insecure-Requests: 1
    
    authenticity_token=WWh5xWO3jgXwVKZb3zWM94qL52osMpbCpFFeuxRsdlgb%2B7OtMdtb%2F4FjNpY68ZA4Q67TDc0iV6OsDsS5O4d8OQ%3D%3D&super_admin%5Bemail%5D=JOANNE%40mayorsec%2ecom&super_admin%5Bpassword%5D=Password123%21&super_admin%5Bremember_me%5D=0 
    

    POST /api/v1/accounts.json HTTP/1.1
    Host: 192.168.1.3:3000
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.1.3:3000/app/auth/signup
    Content-Type: application/json
    Content-Length: 144
    Origin: http://192.168.1.3:3000
    DNT: 1
    Connection: close
    Cookie: _chatwoot_session=pOArRsb8vDx6%2FpQuywQLE3E0lznJlbGrnqLLNMT9ySqt7YR4eh%2BSdWTMW6dmES79X13k5aCblM30KNbNhw7mCnpqV26eYv2LrM6XrnIu8KDwl3pubsrWEKxO0iM%2F6uUxdnY3J2Qryff78SF8vn7HPkYvS00yyAQ6JFGAcOlUL38tU7C1LxVmlLPo958m47gmGwgYruLnFPn7Rur9Oz6NMTVlmLe2maTpqv4TFB%2FvKc6kP38fZunPGVeRxPwKasUAE4%2BXyUJkb5Z6MXhrqi8PENPlbkQ1dDkFRQ%3D%3D--Cu1By7B2Un6rncH9--wgscGhl5IJUSIrAiD5e0AQ%3D%3D
    
    {"account_name":"KATHRINE","user_full_name":"KATHRINE","email":"KATHRINE@mayorsec.com","password":"Password123!","h_captcha_client_response":""}
    

**Impact**

Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification.

For the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise.

**Occurrences**

**References**

*   CWE-307 Improper Restriction of Excessive Authentication Attempts
*   OWASP OAT-019 Account Creation
*   OWASP Top 10 - A2:2017 Broken Authentication

CVE-2022-3741: Chatwoot's Misconfigured Rack_Attack.rb Does Not Appropriately Protect Against Brute Force Attacks in chatwoot

Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1

CVE-2022-0072: openlitespeed/httpserver.cpp at v1.7.16 · litespeedtech/openlitespeed

Softr v2.0 was discovered to contain a Cross-Site Scripting (XSS) vulnerability via the First Name parameter under the Create A New Account module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2022-32407

Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system.

CVE-2022-42055: GL.iNET MT300N-V2 Vulnerabilities and Hardware Teardown

Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-454166-BT
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2022-40183
        *   Base Score: 5.8 (Medium)
    *   CVE-2022-40184
        *   Base Score: 5.1 (Medium)
*   **Published:** 19 Oct 2022
*   **Last Updated:** 19 Oct 2022

**Summary**

The possibility for a reflected Cross Site Scripting (XSS) and stored Cross Site Scripting (XSS) attack was discovered in the Bosch VIDEOJET multi 4000.

For more details please see the description of the vulnerability in this advisory.

Bosch rates this vulnerability with CVSSv3.1 base score 5.8 (medium) and 5.1 (medium), where the final rating depends on the customer’s environment.

Customers are advised to follow listed mitigations until an update is available.

**Affected Products**

*   Bosch VIDEOJET multi 4000 <= 6.31.0010

**Solution and Mitigations****Secure Configuration Environment**

It is advised to use a Bosch tool like the Configuration Manager to configure the encoder, that is not vulnerable to issues like XSS (Cross Site Scripting) or CSRF (Cross Site Request Forgery).

When using the web based configuration interface and currently being logged in as an administrator, some security precautions can be taken to mitigate XSS or CSRF vulnerabilities:

*   No other websites or email content should be opened as long as the session to the encoder is active.
    
*   No links should be clicked from an untrusted external source that link back to the encoder.
    
*   Use a different browser than the system default browser to open a session to the encoder as there is no XSS or CSRF between browsers.
    
*   Always log out and/or close the browser (not only the tab) to clear any session data.
    

**Secure Administration**

A stored XSS attack is only possible when an user with administrative rights is able to save malicious JavaScript code on the device. Only trusted users should have access to the administrative interface and common security rules for administrative credentials should be followed (e.g. using strong, unique passwords).

**Vulnerability Details****CVE-2022-40183**

CVE description: An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
    *   Base Score: 5.8 (Medium)

**CVE-2022-40184**

CVE description: Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
    *   Base Score: 5.1 (Medium)

**Remarks****Security Update Information**

With respect to Directive (EU) 2019/770 and Directive (EU) 2019/771 and their national transposition laws, please note:

It is your responsibility to download and/or install any security updates provided by us, for example to maintain product or data security. If you fail to install a security update provided to you within a reasonable period of time, we will not be liable for any product defect solely due to the absence of such security update.

Alternatively, we are entitled to directly download and/or install security updates regardless of your settings. In these cases, we will provide you with the relevant information, e.g. in this security advisory.

**CVSS Scoring**

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   19 Oct 2022: Initial Publication

**Appendix****Affected Products****Bosch VIDEOJET multi 4000**

Affected VIDEOJET multi 4000 firmware

Name of version to fix the vulnerability

6.31.0010 and earlier

VIDEOJET multi Download Area

**Material Lists****VIDEOJET multi 4000**

Family Name

CTN

SAP#

Material description

VIDEOJET multi 4000

VJM-4016

F.01U.298.670

VIDEOJET multi 4000

VIDEOJET multi 4000 EU

VJM-4016-EU

F.01U.296.122

VIDEOJET multi 4000 EU

VIDEOJET multi 4000 US

VJM-4016-US

F.01U.298.556

VIDEOJET multi 4000 US

CVE-2022-40184: Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000

Password Storage Application v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Setup page.

CVE-2022-42993

Multiple stored cross-site scripting (XSS) vulnerabilities in Train Scheduler App v1.0 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Train Code, Train Name, and Destination text fields.

Privacy Policy - Copyright © 2022 Reflex Publishing, Inc. All Rights Reserved.

Book discount hotel and motel rooms at Motels.com

CVE-2022-42992: Train.com

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this [commit](https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4). There are no known workarounds for this issue.

**Cross-site Scripting in actionpack**

Low severity GitHub Reviewed Published Oct 27, 2022 • Updated Oct 28, 2022

GHSA-9chr-4fjh-5rgw: Cross-site Scripting in actionpack

A vulnerability classified as problematic was found in SourceCodester Online Medicine Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /omos/admin/?page=user/list. The manipulation of the argument First Name/Middle Name/Last Name leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-212347.

CVE-2022-3716

Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnerability.

Tag

#xss