Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability via the body function at /web/api/v1/upload/UploadHandler.php.

Hello,

I would like to report for possible XSS vulnerability.

In file https://github.com/serghey-rodin/vesta/blob/master/web/api/v1/upload/UploadHandler.php

the source in function post

    public function post($print\_response = true) {
        //....
        // the source $\_FILES\[$this->options\['param\_name'\]\]
        $upload = isset($\_FILES\[$this\->options\['param\_name'\]\]) ? $\_FILES\[$this\->options\['param\_name'\]\] : null;
        // ....
        foreach ($upload\['tmp\_name'\] as $index => $value) {
            // $files will have the source which return from handle\_file\_upload
            $files\[\] = $this\->handle\_file\_upload(
                $upload\['tmp\_name'\]\[$index\],
                $file\_name ? $file\_name : $upload\['name'\]\[$index\],
                $size ? $size : $upload\['size'\]\[$index\],
                $upload\['type'\]\[$index\], // The source
                $upload\['error'\]\[$index\],
                $index,
                $content\_range
            );
        }
        //.....
        // call generate\_response and pass the source in the array in $files
        return $this\->generate\_response(
            array($this\->options\['param\_name'\] => $files),
            $print\_response
        );
    }

function handle\_file\_upload

    protected function handle\_file\_upload($uploaded\_file, $name, $size, $type, $error,
        //.....
        // the source in $file->type
        $file\->type = $type;
        //....
        return $file;
    }

function generate\_response

    protected function generate\_response($content, $print\_response = true) {
        if ($print\_response) {
            $json = json\_encode($content);
            //.....
            $this\->body($json);
        }
    }

Finally, the sink in function body

protected function body($str) {
        // the sink
        echo $str;
    }

CVE-2022-36305: Possible XSS Vulnerability · Issue #2252 · serghey-rodin/vesta

IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 223127.

CVE-2022-22417: IBM Sterling Partner Engagement Manager cross-site scripting CVE-2022-22417 Vulnerability Report

Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch further attacks on the system.

**Reporting a vulnerability**

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

*   **Contact information and availability**
*   **Affected product including model and version number**
*   **Classification of the vulnerability** (buffer overflow, XSS, …)
*   **Detailed description of the vulnerability** (with verification if possible)
*   **Effect of the vulnerability** (if know)
*   **Current level of awareness of the vulnerability** (are there plans to disclose it?)
*   **(Company) affiliation of the reporter** (if reporter is prepared to provide such information)
*   **CVSS score** (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.

CVE-2021-32504: The SICK Product Security Incident Response Team (SICK PSIRT)

Ubuntu Security Notice 5522-1 - Several security issues were discovered in WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    =========================================================================Ubuntu Security Notice USN-5522-1July 18, 2022webkit2gtk vulnerabilities=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, aremote attacker could exploit a variety of issues related to web browsersecurity, including cross-site scripting attacks, denial of service attacks,and arbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.4-0ubuntu0.22.04.1  libjavascriptcoregtk-4.1-0      2.36.4-0ubuntu0.22.04.1  libwebkit2gtk-4.0-37            2.36.4-0ubuntu0.22.04.1  libwebkit2gtk-4.1-0             2.36.4-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.4-0ubuntu0.20.04.1  libwebkit2gtk-4.0-37            2.36.4-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5522-1  CVE-2022-22677, CVE-2022-26710Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.4-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.4-0ubuntu0.20.04.1

Ubuntu Security Notice USN-5522-1

A GPS device from MiCODUS has six security bugs that could allow attackers to monitor 1.5 million vehicles that use the tracker, or even remotely disable vehicles.

Six vulnerabilities have been found in a GPS tracking device used by businesses to monitor vehicle fleets, and by consumers as an anti-theft device. If exploited, they could allow attackers to widely disrupt fleet operations and track individual vehicles.

That's according to cybersecurity firm BitSight, which stated in a Tuesday advisory that the device, the MiCODUS MV720, has vulnerabilities in both the device and the back-end service. These pave the way for man-in-the-middle (MitM) attacks, authentication bypasses, and location tracking. The vulnerabilities include a hard-coded device password that allows access via SMS requests, and a default password on the API server, BitSight found.

"The exploitation of these vulnerabilities could have disastrous and even life-threatening implications," BitSight states in the report. "For example, an attacker could exploit some of the vulnerabilities to cut fuel to an entire fleet of commercial or emergency vehicles. Or, the attacker could leverage GPS information to monitor and abruptly stop vehicles on dangerous highways."

The vulnerabilities include a hard-coded password that could allow commands to be sent to devices, the ability to use administrator privileges for commands, and a default password of 123456. Flaws of lesser severity include a reflected cross-site scripting (XSS) issue and the ability to directly access parts of the application. Five of the vulnerabilities have been assigned identifiers under the Common Vulnerabilities and Exposures (CVE) program: CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150, and CVE-2022-33944. The default password security weakness was not considered a vulnerability, and so did not get a CVE identifier.

**GPS Bugs Remain Unpatched**

While the company has not observed any signs that the vulnerabilities have been exploited, the Chinese firm that manufacturers the device, MiCODUS, has not responded to attempts at discussing the issues, says Stephen Boyer, co-founder and CTO for BitSight.

BitSight originally contacted MiCODUS about the problems in September 2021, and after an initial request for more information, the company refused subsequent attempts to communicate, according to the firm. MiCODUS did not immediately respond to a request for comment from Dark Reading.

"Unfortunately, the hard-coded password means that the only real remediation strategy is to remove the MV720 device or remove the SIM card from the device," he says. The firm shared the bug information with the Department of Homeland Security, he added, in hopes that it could develop an appropriate remediation strategy.

"IoT devices are full of vulnerabilities, and this will not change going into the future no matter how many of these stories come out," Roger Grimes, data-driven defense evangelist at KnowBe4, said via email. "IoT devices are particularly hard to patch. They should all be auto-patching, but most aren't. Most require end-user interaction, and many times a physical connection."

He added, "If you think it's hard to patch regular software, it's ten times as hard to patch IoT devices. I'm purely guessing here, but I'd speculate that 90% of vulnerable GPS tracking devices will remain vulnerable and exploitable if and when the vendor actually decides to fix them. Hackers love those odds."

**IoT: Still No Security by Design, Widespread Threat**

The vulnerabilities underscore the risks posed by Internet of Things (IoT) devices that have not benefited from adequate attention to security design and audits. Connected devices typically have less security, but are distributed throughout many companies' infrastructure and handle physical processes — such as entry access and power control — unlike traditional information technology. 

Concerned with the lack of security, the US government has established requirements for IoT device security.

    

MiCODUS GPS trackers are used by businesses and individuals in 169 countries. Source: BitSight

IoT devices often are also far more widespread than most business users recognize. As shown by the BitSight research, for example, GPS devices in general are used in vehicles belonging to at least five Fortune 50 companies, as well as energy utilities and governments in the Middle East, Europe, and North America.  

BitSight could not determine the prevalence of the MiCODUS MV720 specifically, but noted that MiCODUS claims that 1.5 million devices are used globally. In addition, BitSight saw nearly 2.4 million connections to the MiCODUS API server from 169 countries worldwide. The MiCODUS MV720 is a basic model sold for $20 online, but other models could account for some, or even most, of the IoT manufacturer's installed base.  

The BitSight report notes that two broad use cases exist for the devices. In some countries, data suggests that the devices are used to manage fleets of vehicles. However, in other countries, the large number of individual connections per capita suggests that individuals are using the devices for anti-theft applications.

"Indonesia has many unique IP addresses communicating with the MiCODUS server, but mostly in the GPS tracker port," BitSight states in the advisory. "This may suggest there are a small number of users with a high number of devices, which is typical in a fleet-management scenario. By comparison, Mexico has a very high number of connections to the web and mobile ports, which could indicate individuals are using the GPS tracker as an anti-theft device."

Mexico, Russia, and Uzbekistan are the countries with the most individual users, the company estimates. Russia, Morocco, and Chile appear to have the greatest number of actual devices.

Unpatched GPS Tracker Security Bugs Threaten 1.5M Vehicles With Disruption

markdown-it-decorate adds attributes, IDs and classes to Markdown, and the most recent version 1.2.2 was published in 2017. All versions are currently vulnerable to cross-site scripting (XSS) and there is no fixed version at this time.

**markdown-it-decorate vulnerable to cross-site scripting (XSS)**

Moderate severity GitHub Reviewed Published Jul 19, 2022 • Updated Jul 19, 2022

GHSA-rhf5-2378-3w3w: markdown-it-decorate vulnerable to cross-site scripting (XSS)

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiEDR version 5.1.0, 5.0.0 through 5.0.3 Patch 6 and 4.0.0 allows a remote authenticated attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload into the Management Console via various endpoints.

** PSIRT Advisories**

**FortiEDR - Cross Site Scripting (XSS) vulnerabilities over the Management Console**

**Summary**

An improper neutralization of input during web page generation vulnerability \[CWE-79\] in FortiEDR Central Manager may allow a remote authenticated attacker to perform a reflected cross site scripting attack (XSS) via injecting a malicious payload into the Management Console through various endpoints.

**Affected Products**

At least  
FortiEDR Central Manager version 4.0.0  
FortiEDR Central Manager version 5.0.0 through 5.0.3 Patch 6  
FortiEDR Central Manager version 5.1.0

**Solutions**

Please upgrade FortiEDR Central Manager to version 5.2.0 and above,

Please upgrade FortiEDR Central Manager to version 5.0.3 Patch 7 and above.

CVE-2022-29057: Fortiguard

This advisory contains mitigations for Use of Hard-coded Credentials, Improper Authentication, Cross-site Scripting, and Authorization Bypass Through User-controlled Key vulnerabilities in the MiCODUS MV720 GPS tracker.

MiCODUS MV720 GPS tracker

Two client-side risks dominate the problems with data loss and data exfiltration: improperly placed trackers on websites and web applications and malicious client-side code pulled from third-party repositories like NPM. 
Client-side security researchers are finding that improperly placed trackers, while not intentionally malicious, are a growing problem and have clear and significant privacy

Two client-side risks dominate the problems with data loss and data exfiltration: improperly placed trackers on websites and web applications and malicious client-side code pulled from third-party repositories like NPM.

Client-side security researchers are finding that improperly placed trackers, while not intentionally malicious, are a growing problem and have clear and significant privacy implications when it comes to both compliance/regulatory concerns, like HIPAA or PCI DSS 4.0. To highlight the risks with misplaced trackers, a recent study by The Markup (a non-profit news organization) examined Newsweek's top 100 hospitals in America. They found a Facebook tracker on one-third of the hospital websites which sent Facebook highly personal healthcare data whenever the user clicked the "schedule appointment" button. The data was not necessarily anonymized, because the data was connected to an IP address, and both the IP address and the appointment information get delivered to Facebook.

Journalists and client-side security researchers aren't the only ones looking at data privacy issues. Last week, the FTC announced its plans to crack down on tech companies' improper or illegal use and sharing of highly sensitive data. The FTC indicated they also plan to target false claims about data anonymization. The government agency points out that sensitive health information combined with the shadowy data security practices used by technology companies is extremely problematic, with most customers having little or no knowledge of how their data is collected, what data is collected, how it is used, or how it is protected.

The security industry has repeatedly proven how easy it is to re-identify anonymized data by combining several datasets to create a clear picture of the end user's identity.

In addition to improperly placed web trackers, client-side security researchers are warning about the risks associated with JavaScript code pulled from third-party repositories, like NPM. Recent research found that package managers containing obfuscated and malicious JavaScript was being used to harvest sensitive information from websites and web applications. Using sources like NPM, malicious threat actors target organizations via a JavaScript software supply chain attack using rogue components to exfiltrate data entered into forms by users on websites that include this malicious code.

Client-side security researchers advise several approaches for identifying and mitigating these two primary risks. Client-side attack surface monitoring is the most comprehensive and fully protects end users and businesses from the risk of data theft due to Magecart, e-skimming, cross-site scripting, and JavaScript injection attacks. Other tools, like web application firewalls (WAFs), protect some aspects of the client-side attack surface but fail to protect activities happening on dynamic web pages. Content security policies (CSPs) are another good client-side security tool, but CSPs are cumbersome. Manual code reviews to identify problems with CSPs can mean long hours (or days) scouring through thousands of lines of web application script.

Security professionals can also explore client-side attack surface mapping solutions that incorporate threat intelligence, access insights (which assets are accessing what data), and privacy (is any of the data being shared to external sources inappropriately).

Client-side attack surface monitoring solutions are a relatively new cybersecurity technology that automatically discovers all of a company's web assets and reports on their data access. These solutions use headless browsers to navigate through all the JavaScript contained on the website and web application pages. They gather real-time information about how the scanned website works from the end user's perspective.

A key technological component in client-side attack surface monitoring solutions are synthetic users, deployed during threat detection crawls to interact the way a real human would on dynamic web pages. These synthetic users can complete a variety of activities, including clicking active links, submitting forms, solving Captchas, and entering financial information. Synthetic user interaction is logged and monitored, followed by behavioral analyses and logic injection into each page to gather the information that is difficult to collect manually, including form data, the data third-party scripts have access to, trackers that are deployed and their activities, and any forms or third-party scripts transferring data across national boundaries.

Solutions should also be able to operationalize any issues discovered in the identification or client-side mapping process through the use of allowlists and blocklists and through post-scan informational analyses to obtain synthesized intelligence to secure web applications from harm.

Security professionals with expertise on the client side are strongly advising organizations in industries such as financial services, media/entertainment, e-commerce, healthcare, and technology/SaaS that have multiple front-end web applications to understand client-side security and how client-side risks may impact their business.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Security Experts Warn of Two Primary Client-Side Risks Associated with Data Exfiltration and Loss

Silence of the LAM

An unauthenticated arbitrary object instantiation vulnerability in LDAP Account Manager (LAM) has been discovered during an internal penetration test.

LAM is a PHP web application for managing entries such as users, groups, or DHCP settings in LDAP directories via a user-friendly web front end, and is one of the alternatives to FreeIPA. Its included in Debian repositories.

But a vulnerability discovered by researcher Arseniy Sharoglazov could allow an attacker to create arbitrary objects and achieve remote code execution (RCE) in one request, and without any out-of-band connections.

**Under construction**

The technique depends on exploiting the construction , with the variable standing for the class name that the object will be created for, and the variable standing for the first argument that will be passed to the object’s constructor.

“When you code in any programming language, you can use good or bad programming practices. The usage of the construction new , which instantiates arbitrary objects, is a bad practice, if and come from a non-controlled input,” Sharoglazov tells _The Daily Swig_.

"It’s a dodgy construction. However, no one showed that it’s really dangerous, so some people think that everything should be alright.”

While the technique requires the Imagick extension, he says, this is usually present in larger websites, including the LAM system itself.

Read more of the latest infosec research news

Sharoglazov says that similar arbitrary object instantiation vulnerabilities have been around for quite some time, but aren’t usually reported as such.

“For example, you might read about an SSRF in a commercial software. If you knew the PoC, you would see that it’s actually an arbitrary object instantiation with the usage of the SoapClient class, for instance. But for the public it will be just SSRF,” he says.

“Or you might read about an SQL injection. But it’s actually an arbitrary object instantiation exploited via a user-defined class which has an SQL injection. This technique, which I found and described, shows how to exploit an arbitrary object instantiation directly to RCE.”

**Coordinated disclosure**

Sharoglazov says the disclosure process went quickly and efficiently. He first reported the flaw on 16 June, with LAM 8.0.1 released on June 29, Debian packages updated on July 5 and public disclosure on July 14.

“I wrote to Roland Gruber, the developer of LAM, and I got an initial reply in just one hour,” he says.

“We discussed what needs to be done to fix the vulnerabilities, and the hardening process that will make LAM way more secure. Afterwards, we did a coordinated disclosure with him and Debian.”

**RECOMMENDED** Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

Tag

#xss