Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

By uploading SVG files, the users can perform Stored XSS attack.

**Payload**

Copy the following code and save as filename.svg. <x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

**Proof of Concept**

\[1\] Login as admin.

\[2\] upload the payload injected SVG file at https://demo.microweber.org/demo/admin/view:modules/load_module:files

\[3\] Copy the uploaded svg file url and open in new tab.

\[4\] XSS!

**Impact**

If an attacker can execute the script in the victim's browser via SVG file, they might compromise that user by stealing its cookies.

CVE-2022-2495: Stored XSS via SVG File  in microweber

By Deeba Ahmed
The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back…
This is a post from HackRead.com Read the original post: Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

****The MV720 GPS tracker is manufactured by a China-based company MiCODUS which was informed about the flaws back in September 2021 yet it has not fixed the issue.****

Cybersecurity startup BitSight has identified six flaws in the GPS tracker MV720 manufactured by China-based MiCODUS. According to the IT security researchers at BitSight the critical security vulnerabilities were present in MV720 GPS trackers, used primarily for tracking vehicle fleets. The vulnerabilities can allow hackers to track, stop, and control vehicles remotely.

For your information, MV720 is a hardwired GPS tracker worth around $20. The Shenzhen-based MiCODUS electronics maker claims that 1.5 million of its GPS trackers are currently in use by over 420,000 customers across 169 countries.

Furthermore, its clients include several Fortune 50 companies, shipping, aerospace, government, military, critical infrastructure, law enforcement agencies, and a nuclear power plant operator.

**Vulnerabilities Details**

BitSight has detected six severe vulnerabilities in the abovementioned tracker, which can be easily exploited remotely to track a vehicle in real-time, get information about previous routes, and even cut the vehicles’ engines when in motion.

BitSight’s principal security researcher and report author, Pedro Umbelino, explained that the vulnerabilities’ easy exploitation raises “significant questions” about the company’s products as the bugs may not be restricted to one GPS tracker model. He believes the same flaws are present in other tracker models.

MV720 GPS tracker

**Dangers Posed by the Flaws**

According to BitSight’s blog post, one flaw in MV720 is in unencrypted HTTP communications, allowing hackers to remotely conduct adversary-in-the-middle attacks (AiTM) to intercept/change the requests exchanged between the servers and the mobile application.

Another flaw is found in the tracker’s authentication mechanism in the mobile app, which lets attackers access the hardcoded key to lock down the trackers and use a custom IP address. This enables hackers to monitor and control communications to and from the device.

The vulnerability tracked as CVE-2022-2107 is assigned a severity rating of 9.8 out of 10. It is a hardcoded password that MiCODUS trackers use as a master password. If obtained by hackers, they can use this passcode to log into the web server and pose as an authentic user to send commands to the tracker via SMS communications.

Hence, they can fully control any GPS tracker, access location details, disarm the alarm, change routes and geofences, and cut off vehicles’ fuel.

Another vulnerability tracked as CVE-2022-2141 enables a broken authentication state in the protocol used by the tracker to communicate with the MiCODUS server. Then there’s a reflected cross-site scripting error identified in the Web server. Tracking designations of other vulnerabilities are CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944.

In its technical write-up , BitSight warned MiCODUS in September 2021 about the flaws. However, after the company’s lukewarm response, CISA and BitSight decided to make the findings public. The vulnerabilities are still unpatched. BitSight recommends that all organizations and individuals using MV720 GPS trackers immediately disable the devices until they are patched.

> Organizations and individuals using MV720 devices in their vehicles are at risk. Leveraging our proprietary data sets, BitSight discovered MiCODUS devices used in 169 countries by organizations including government agencies, military, and law enforcement, as well as businesses spanning a variety of sectors and industries including aerospace, energy, engineering, manufacturing, shipping, and more. Given the impact and severity of the vulnerabilities found, it is highly recommended that users immediately stop using or disable any MiCODUS MV720 GPS trackers until a fix is made available.
> 
> BitSight

1.  Woman Follows GPS, Goes Straight into Lake
2.  600,000 GPS child trackers found vulnerable to location tracking
3.  Security Flaws in GPS Trackers Puts Millions of Devices’ Data at Risk
4.  Shoddy security of smartwatch lets hackers access your child’s location
5.  Strava’s Global Heat Map Exposes User Locations Including Military Bases

Critical Vulnerability in Popular GPS Tracker Lets Hackers Remotely Control Vehicles

The Monroe Electronics / Digital Alert Systems OneNet SE DASDEC Emergency Alert System Appliance suffers from cross site scripting and html injection vulnerabilities.

DASDEC Cross Site Scripting / HTML Injection

Authenticated (custom plugin role) Arbitrary File Read via Export function vulnerability in GiveWP's GiveWP plugin <= 2.20.2 at WordPress.

CVE-2022-31475: GiveWP – Donation Plugin and Fundraising Platform

Authenticated Stored Cross-Site Scripting (XSS) vulnerability in Florent Maillefaud's WP Maintenance plugin <= 6.0.7 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

The WP Maintenance plugin allows you to put your website on the waiting time for you to do maintenance or launch your website. Personalize this page, pictures and countdown with:

**Features**

*   Choice texts colors and fonts
*   Upload logo picture
*   Upload background picture or pattern
*   Countdown
*   Custom Code Header for Analytics ready
*   Social Networks ready
*   Customize CSS
*   Insert for shorcode (Newletter or Contact form)
*   Enable “503 Service temporarily unavailable”
*   Choose access by Roles and Capabilities
*   Choose access by IP address
*   Choose access by ID Pages

wp-maintenance.pot file available

1.  Upload the full directory into your ‘/wp-content/plugins’ directory
2.  Activate the plugin at the plugin administration page

You will find ‘WP Maintenance’ menu in your WordPress admin panel

**WP Maintenance Needs Your Support**

It is hard to continue development and support for this free plugin without contributions from users like you. If you enjoy using WP Maintenance and find it useful, please consider making a donation. Your donation will help encourage and support the plugin’s continued development and better user support.

**I have activated plugin and don’t see any changes, looks like plugin is not working.**

This is normal because you are logged in as an administrator. Try a different browser or use the preview link. If you have registered as a wordpress user, you see the site in normal mode.

**I have disabled plugin but I don’t see any changes, I have always the maintenance page, looks like plugin is not working.**

You have a cache plugin ? Try to purge it and try again.

**Where can I find out the login page to get to the site?**

You can use your administrator access or create new user in wordpress dashboard  
https://yousite.com/wp-admin/

**Can I change the plugin code?**

Yes. Thank you for submitting your changes to update the plugin.

**Translations**

You can translate WP Maintenance on **translate.wordpress.org**.

très bon plugin, seul bémol il ne fonctionne pas sur les mobiles, impossible de l'activer sur les mobiles

Propre, efficace, maintenue, gratuite, que demander de + ? Merci au dev !

Efficace et pratique. Merci à l'Auteur

Je pensais avoir trouvé un super widget avec celle-ci, mais elle réagit vraiment bizarrement au point ou parfois on perd du temps pour savoir si des choses marchent. La page rs notamment. On dit que l'on peut mettre ses propres images rs. Cela ne marche pas... et je ne sais pas pourquoi... d'autant que l'appli semble vous aider en ajoutant l'url du dossier de destination. Mais quand vous complétez le chemin et enregistrez... ben il commence forcement l'enregistrement par https... parmi les icônes proposées une série fonctionne pas... tout ça est bien dommage. Enfin si l'auteur peut déjà "clarifier" et comment on met ses propres icones ce serait cool.

Отличный дизайн плагина и полный перевод на русский язык. Спасибо!

3 mn chrono pour ma page ! Bravo.

Read all 71 reviews

“WP Maintenance” is open source software. The following people have contributed to this plugin.

Contributors

*    Florent Maillefaud

CVE-2022-30536: WP Maintenance

Jira, Bamboo, Bitbucket, Confluence, Fisheye/Crucible, and Questions for Confluence affected

Jira, Bamboo, Bitbucket, Confluence, Fisheye/Crucible, and Questions for Confluence affected

Atlassian has addressed a hardcoded credential flaw in Questions for Confluence and servlet filter bypasses in multiple other products.

The Australian vendor of software development and collaboration tools issued security advisories with instructions for applying updates and mitigations yesterday (July 20).

**Servlet filter bypasses**

The servlet filter bypass flaws affect multiple versions of Bamboo Server and Data Center, Bitbucket Server and Data Center, Confluence Server and Data Center, Crowd Server and Data Center, Fisheye and Crucible, Jira Server and Data Center, and Jira Service Management Server and Data Center.

Fixes have been deployed to Atlassian Cloud sites.

Servlet filters intercept and process HTTP requests before a client request is sent to a backend resource, and from a backend resource before they’re sent to a client.

A vulnerability tracked as CVE-2022-26136 allowed an unauthenticated attacker to bypass servlet filters used by as-yet unspecified first- and third-party apps.

The impact depends on which filters an app uses and how they are used, said Atlassian.

Catch up with the latest security vulnerability news

“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences,” reads the security advisory.

Atlassian has ascertained that unauthenticated attackers could send a specially crafted HTTP request to bypass custom servlet filters and authentication used by third party apps to enforce authentication, or to bypass the servlet filter used to validate legitimate Atlassian Gadgets and achieve cross-site scripting (XSS).

Another vulnerability allows an unauthenticated attacker to cause additional servlet filters to be invoked when the application processes requests or responses (CVE-2022-26137).

Atlassian said it has addressed the only known, related security issue – a cross-origin resource sharing (CORS) bypass whereby a specially crafted HTTP request could invoke the servlet filter used to respond to CORS requests.

**Questions for Confluence**

The hardcoded credential in Questions for Confluence, a forum-style app for enterprise wiki platform Confluence, is created for a user account with the username , which supports administrators in migrating data from the app to Confluence Cloud.

The account “is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default”, reads the corresponding security advisory.

“A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.”

“While Atlassian has not received any reports of this issue being exploited in the wild, the hardcoded password is trivial to obtain,” said Atlassian.

The flaw (CVE-2022-26138) applies when the Questions for Confluence app is enabled on Confluence Server or Data Center. Confluence Cloud is unaffected.

Atlassian has warned that uninstalling the Questions for Confluence app does not alone remediate the vulnerability, since doing do fails to remove the account.

Instead, users must either manually deactivate or delete these accounts or update Questions for Confluence to version 2.7.38 or 3.0.5, which removes as well as stops creating the user account in question.

Users can determine whether the flaw has been exploited on their instance by reviewing users’ last logon times. “If the last authentication time for is null, that means the account exists but no one has ever logged into it,” said Atlassian.

RELATED Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

Atlassian patches batch of critical vulnerabilities across multiple products

Researchers have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular automotive tracking device.
The post Vulnerabilities in GPS tracker could have “life-threatening” implications appeared first on Malwarebytes Labs.

Researchers at BitSight have discovered six vulnerabilities in the MiCODUS MV720 GPS tracker, a popular vehicle tracking device.

The vulnerabilities are severe enough for the Cybersecurity & Infrastructure Security Agency (CISA) to publish a Security Advisory titled ICSA-22-200-01: MiCODUS MV720 GPS Tracker.

**What’s happened?**

The MiCODUS MV720 is a hardwired GPS tracker that offers anti-theft, fuel cut off, remote control and geofencing capabilities. In total, there are 1.5 million of these devices in use today across 420,000 customers, including government, military, law enforcement agencies, and Fortune 1000 companies.

If the vulnerabilities are successfully exploited, an attacker could take control of the tracker, giving them access to location, routes, and fuel cutoff commands, as well as the ability to disarm various features like alarms. The found vulnerabilities are very diverse and would imply that the application was not built with security in mind. Or certainly not top of mind.

**The vulnerabilities****Hard coded credentials**

CVE-2022-2107: The API server has an authentication mechanism that allows devices to use a hard-coded master password. This may allow an attacker to send SMS commands directly to the GPS tracker as if they were coming from the GPS owner’s mobile number.

**Improper authentication**

CVE-2022-2141: SMS-based GPS commands can be executed without authentication.

**Improper neutralization of input during web page generation**

CVE-2022-21999: The main web server has a reflected cross-site scripting (XSS) vulnerability that could allow an attacker to gain control by tricking a user into making a request.

**Authorization bypass through user-controlled key**

CVE-2022-34150: The main web server has an authenticated insecure direct object reference vulnerability on endpoint and parameter device IDs, which accept arbitrary device IDs without further verification.

**Another authorization bypass through user-controlled key**

CVE-2022-33944: The main web server has an authenticated insecure direct object references vulnerability on endpoint and POST parameter “Device ID,” which accepts arbitrary device IDs.

Exploiting these vulnerabilities could potentially put drivers in danger and disrupt supply chains. In fact, there are many possible scenarios which could result in loss of life, property damage, privacy intrusions, and threaten national security.

**Mitigation**

Since MiCODUS has not provided updates or patches to mitigate these vulnerabilities, users are advised to turn the vulnerable devices off.

The researchers first contacted MiCODUS about the vulnerabilities in September 2021, and due to a lack of response CISA and BitSight decided to publish their research.

Vulnerabilities in GPS tracker could have “life-threatening” implications

Cisco on Wednesday released security patches for 45 vulnerabilities affecting a variety of products, some of which could be exploited to execute arbitrary actions with elevated permissions on affected systems.
Of the 45 bugs, one security vulnerability is rated Critical, three are rated High, and 41 are rated Medium in severity. 
The most severe of the issues are CVE-2022-20857, CVE-2022-20858,

Cisco on Wednesday released security patches for 45 vulnerabilities affecting a variety of products, some of which could be exploited to execute arbitrary actions with elevated permissions on affected systems.

Of the 45 bugs, one security vulnerability is rated Critical, three are rated High, and 41 are rated Medium in severity.

The most severe of the issues are CVE-2022-20857, CVE-2022-20858, and CVE-2022-20861, which impact Cisco Nexus Dashboard for data centers and cloud network infrastructures and could enable an "unauthenticated remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack."

*   **CVE-2022-20857** (CVSS score: 9.8) - Cisco Nexus Dashboard arbitrary command execution vulnerability
*   **CVE-2022-20858** (CVSS score: 8.2) - Cisco Nexus Dashboard container image read and write vulnerability
*   **CVE-2022-20861** (CVSS score: 8.8) - Cisco Nexus Dashboard cross-site request forgery (CSRF) vulnerability

All the three vulnerabilities, which were identified during internal security testing, affect Cisco Nexus Dashboard 1.1 and later, with fixes available in version 2.2(1e).

Another high-severity flaw relates to a vulnerability in the SSL/TLS implementation of Cisco Nexus Dashboard (CVE-2022-20860, CVSS score: 7.4) that could permit an unauthenticated, remote attacker to alter communications with associated controllers or view sensitive information.

"An attacker could exploit this vulnerability by using man-in-the-middle techniques to intercept the traffic between the affected device and the controllers, and then using a crafted certificate to impersonate the controllers," the company said in an advisory.

"A successful exploit could allow the attacker to alter communications between devices or view sensitive information, including Administrator credentials for these controllers."

Another set of five shortcomings in the Cisco Nexus Dashboard products concerns a mix of four privilege escalation flaws and an arbitrary file write vulnerability that could permit an authenticated attacker to gain root permissions and write arbitrary files to the devices.

Elsewhere resolved by Cisco are 35 vulnerabilities in its Small Business RV110W, RV130, RV130W, and RV215W routers that could equip an adversary already in possession of valid Administrator credentials with capabilities to run arbitrary code or cause a denial-of-service (DoS) condition by sending a specially crafted request to the web-based management interface.

Rounding off the patches is a fix for a cross-site scripting (XSS) vulnerability in the web-based management interface of Cisco IoT Control Center that, if successfully weaponized, could enable an unauthenticated, remote attacker to stage an XSS attack against a user.

"An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link," Cisco said. "A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information."

Although none of the aforementioned vulnerabilities are said to be maliciously put to use in real-world attacks, it's imperative that users of the affected appliances move quickly to apply the patches.

The updates also arrived less than two weeks after Cisco rolled out patches for 10 security flaws, including an arbitrary critical file overwrite vulnerability in Cisco Expressway Series and Cisco TelePresence Video Communication Server (CVE-2022-20812) that could lead to absolute path traversal attacks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Cisco Releases Patches for Critical Flaws Impacting Nexus Dashboard for Data Centers

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

**Package**

npm jquery-ui (npm)

**Affected versions**

<1.13.2

**Impact**

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label\>
	<input id\="test-input"\>
	&lt;img src=x onerror="alert(1)"&gt;
</label\>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label\>
	
	<input id\="test-input"\>
	<img src\=x onerror\="alert(1)"\>
</label\>

and the alert will get executed.

**Patches**

The bug has been patched in jQuery UI 1.13.2.

**Workarounds**

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label\>
	<input id\="test-input"\>
	<span\>&lt;img src=x onerror="alert(1)"&gt;</span\>
</label\>

**References**

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

**For more information**

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

CVE-2022-31160

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in René Hermenau's Social Media Share Buttons plugin <= 3.8.1 at WordPress.

 Verified

 Not fixed

**3.4**

CVSS 3.1 score Low severity

Monitoring Coming soon

Vulnerable versions

<= 3.8.1

PSID 

cf86e8d15058

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires high role user authentication like admin.

Publicly disclosed

2022-06-16

**Details**

Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas (Patchstack Alliance) in WordPress Social Media Share Buttons plugin (versions <= 3.8.1).

**Solution**

No patched version available. No reply from the vendor.

**References**

Tag

#xss