The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URLEncode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

CVE-2022-1756

Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/facturascripts prior to 2022.06.

@@ -127,8 +127,7 @@ public function getFile(): bool

$allowedFolders = \['node\_modules', 'vendor', 'Dinamic', 'Core', 'Plugins', 'MyFiles/Public'\];

foreach ($allowedFolders as $folder) {

if ('/' . $folder === substr($uri, 0, 1 + strlen($folder))) {

header('Content-Type: ' . $this\->getMime($filePath));

readfile($filePath);

$this\->download($filePath);

return true;

}

}

@@ -137,14 +136,7 @@ public function getFile(): bool

$token = filter\_input(INPUT\_GET, 'myft');

$fixedFilePath = substr(urldecode($uri), 1);

if ('/MyFiles/' === substr($uri, 0, 9) && $token && MyFilesToken::validate($fixedFilePath, $token)) {

header('Content-Type: ' . $this\->getMime($filePath));

  

// disable the buffer if enabled

if (ob\_get\_contents()) {

ob\_end\_flush();

}

  

readfile($filePath);

$this\->download($filePath);

return true;

}

  

@@ -205,6 +197,23 @@ private function deploy()

}

}

  

private function download(string $filePath)

{

header('Content-Type: ' . $this\->getMime($filePath));

  

// disable the buffer if enabled

if (ob\_get\_contents()) {

ob\_end\_flush();

}

  

// force to download svg files to prevent XSS attacks

if (strpos($filePath, '.svg') !== false) {

header('Content-Disposition: attachment; filename="' . basename($filePath) . '"');

}

  

readfile($filePath);

}

  

/\*\*

\* Return the mime type from given file.

\*

CVE-2022-2065: Force to download SVG files to prevent security problems. · NeoRazorX/facturascripts@1d1edb4

Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/facturascripts prior to 2022.06.

Permalink

Browse files

Sanitized username when showing user not found message.

\------
Saneado nombre de usuario al mostrar el mensaje de usuario no encontrado.

*   Loading branch information

1 parent 298eb4b commit 73a6595ca85984d65f656c6356fabb23d1936c54

Showing **1 changed file** with **1 addition** and **1 deletion**.

@@ -287,7 +287,7 @@ private function userAuth()

}

  

$this\->ipWarning();

ToolBox::i18nLog()->warning('login-user-not-found', \['%nick%' => $nick\]);

ToolBox::i18nLog()->warning('login-user-not-found', \['%nick%' => htmlspecialchars($nick)\]);

return false;

}

  

**0 comments on commit 73a6595**

Please sign in to comment.

CVE-2022-2066: Sanitized username when showing user not found message. · NeoRazorX/facturascripts@73a6595

Researchers at DIVD found vulnerabilities in ITarian products and worked with the vendor to develop patches. These patches are now available.
The post Serious vulnerabilities found in ITarian software, patches available for SaaS products appeared first on Malwarebytes Labs.

Dutch research group DIVD has identified multiple vulnerabilities in ITarian products. In cooperation with DIVD, ITarian has made patches available to deal with these vulnerabilities for its SaaS platform.

Software as a service (SaaS) is a software distribution model in which a cloud provider hosts applications and makes them available to end users over the internet.

**ITarian**

ITarian is a remote access and IT management solution, which helps organizations connect and communicate with their clients and employees. It’s typically the sort of tool that Managed Service Providers (MSPs) use to remotely manage their clients.

**DIVD**

The Dutch Institute for Vulnerability Disclosure (DIVD) reports vulnerabilities it finds in digital systems to the people who can fix them. It has a global reach, and tries to resolve the vulnerabilities by collaborating with the affected parties. Its services are free and most of the staff work in their free time.

You may have heard about DIVD in our reports about the Kaseya supply chain attack, or when Victor Gevers, chair of DIVD, appeared as a guest in our Lock and Code podcast about Kaseya.

**Affected products**

The vulnerabilities affect the following products:

*   ITarian SaaS platform (version < 3.49.0): CVE-2022-25151,  CVE-2022-25152 and a Cross-Site Scripting (XSS) vulnerability in the helpdesk function.
*   ITarian on-premise (version 6.35.37347.20040): CVE-2022-25151 and CVE-2022-25152.
*   Endpoint Manager Communication Client (version < 7.0.42012.22030): CVE-2022-25153

**The vulnerabilities**

**CVE-2022-25151**: Within the Service Desk module of the ITarian platform (both SaaS and on-premise), a remote attacker can obtain sensitive information, caused by the failure to set the HTTP Only flag. A remote attacker could exploit this vulnerability to gain access to the management interface by using this vulnerability in combination with a successful XSS attack on a user.

CVE-2022-25152: The ITarian platform (both SaaS and on-premise) offers the possibility to run code on agents via a function called procedures. It is possible to require a mandatory approval process. Due to a vulnerability in the approval process, present in any version prior to 6.35.37347.20040, a malicious actor, with a valid session token, can create a procedure, bypass approval, and execute the procedure. This results in the ability for any user with a valid session token to perform arbitrary code execution and full system take-over on all agents.

CVE-2022-25153: The ITarian Endpoint Manage Communication Client, prior to version 6.43.41148.21120, is compiled using insecure OpenSSL settings. Due to this setting, a malicious actor with low privileges access to a system can escalate his privileges to SYSTEM abusing an insecure openssl.conf lookup.

OpenSSL is an open source implementation of the SSL/TLS protocol. Applications use this library to secure communications over computer networks against eavesdropping, or to identify the party at the other end.

**Cooperation and responsible disclosure**

The consequences of these vulnerabilities could have been severe. By chaining the XSS in the helpdesk function with CVE-2022-25152, an attacker would theoretically be able to create a service desk ticket that, when viewed by a user with a valid session token, would execute a workflow on all clients with superuser privileges.

It took a bit of back and forth, but once the DIVD researchers and ITarian’s software engineering team connected directly, a solution for the issues quickly came about. On 18 Feb 2022, the vulnerability in the Endpoint Manager Communications Client was resolved. The other vulnerabilities saw a solution come to live on May 19, 2022.

Planning for the full disclosure by DIVD indicates a date of July 1, 2022. The waiting time before full disclosure is to give users enough time to take appropriate measures.

**Mitigation**

Version v3.49.0 includes patches for the vulnerabilities in the SaaS service. ITarian controls the upgrade to this version, so it requires no user action.

It is important to note that CVE-2022-25151 and CVE-2022-25152 are still present in the on-premise version of the ITarian platform. Even though ITarian still offers the software for download, this version of the software was discontinued over 2 years ago and ITarian has informed DIVD that it will not be updated. Given the severity (9.9 out of 10) of the vulnerability listed as CVE-2022-25152, users of the on-premise version should look for alternative solutions since this solution has reached end-of-life (EOL).

Serious vulnerabilities found in ITarian software, patches available for SaaS products

Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/dolibarr prior to 16.0.

@@ -446,7 +446,7 @@ print "</tr>\\n";  
// Date of birth if ($user\->rights\->hrm\->read\_personal\_information\->read || $user\->rights\->hrm\->write\_personal\_information\->write) { if ($user\->hasRight('hrm', 'read\_personal\_information', 'read') || $user\->hasRight('hrm', 'write\_personal\_information', 'write')) { print '<tr>'; print '<td>'; print $form\->editfieldkey("DateOfBirth", 'birth', $object\->birth, $object, $user\->rights\->user\->user\->creer); @@ -457,7 +457,7 @@ }  
// Personal email if ($user\->rights\->hrm\->read\_personal\_information\->read || $user\->rights\->hrm\->write\_personal\_information\->write) { if ($user\->hasRight('hrm', 'read\_personal\_information', 'read') || $user\->hasRight('hrm', 'write\_personal\_information', 'write')) { print '<tr class="nowrap">'; print '<td>'; print $form\->editfieldkey("UserPersonalEmail", 'personal\_email', $object\->personal\_email, $object, $user\->rights\->user\->user\->creer || $user\->rights\->hrm\->write\_personal\_information\->write); @@ -468,7 +468,7 @@ }  
// Personal phone if ($user\->rights\->hrm\->read\_personal\_information\->read || $user\->rights\->hrm\->write\_personal\_information\->write) { if ($user\->hasRight('hrm', 'read\_personal\_information', 'read') || $user\->hasRight('hrm', 'write\_personal\_information', 'write')) { print '<tr class="nowrap">'; print '<td>'; print $form\->editfieldkey("UserPersonalMobile", 'personal\_mobile', $object\->personal\_mobile, $object, $user\->rights\->user\->user\->creer || $user\->rights\->hrm\->write\_personal\_information\->write); @@ -533,7 +533,7 @@ }  
// Employee Number if ($user\->rights\->hrm\->read\_personal\_information\->read || $user\->rights\->hrm\->write\_personal\_information\->write) { if ($user\->hasRight('hrm', 'read\_personal\_information', 'read') || $user\->hasRight('hrm', 'write\_personal\_information', 'write')) { print '<tr class="nowrap">'; print '<td>'; print $form\->editfieldkey("RefEmployee", 'ref\_employee', $object\->ref\_employee, $object, $user\->rights\->user\->user\->creer || $user\->rights\->hrm\->write\_personal\_information\->write); @@ -544,7 +544,7 @@ }  
// National registration number if ($user\->rights\->hrm\->read\_personal\_information\->read || $user\->rights\->hrm\->write\_personal\_information\->write) { if ($user\->hasRight('hrm', 'read\_personal\_information', 'read') || $user\->hasRight('hrm', 'write\_personal\_information', 'write')) { print '<tr class="nowrap">'; print '<td>'; print $form\->editfieldkey("NationalRegistrationNumber", 'national\_registration\_number', $object\->national\_registration\_number, $object, $user\->rights\->user\->user\->creer || $user\->rights\->hrm\->write\_personal\_information\->write);

CVE-2022-2060: Merge branch 'develop' of git@github.com:Dolibarr/dolibarr.git into d… · Dolibarr/dolibarr@2b5b995

A vulnerability was found in Navetti PricePoint 4.6.0.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to basic cross site scripting (Reflected). It is possible to initiate the attack remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component.

CVE-2017-20044

A vulnerability was found in Navetti PricePoint 4.6.0.0 and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting (Persistent). The attack may be launched remotely. Upgrading to version 4.7.0.0 is able to address this issue. It is recommended to upgrade the affected component.

CVE-2017-20043

Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product.

CVE-2022-27231: WP Statistics

Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in file upload function. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the product with the administrative privilege.

 

**API creation made simple, secure and fast.**

The most advanced open-source headless CMS to build powerful APIs with no effort.

Try live demo

  

Strapi is a free and open-source headless CMS delivering your content anywhere you need.

*   **Keep control over your data**. With Strapi, you know where your data is stored, and you keep full control at all times.
*   **Self-hosted**. You can host and scale Strapi projects the way you want. You can choose any hosting platform you want: AWS, Render, Netlify, Heroku, a VPS, or a dedicated server. You can scale as you grow, 100% independent.
*   **Database agnostic**. Strapi works with SQL databases. You can choose the database you prefer: PostgreSQL, MySQL, MariaDB, and SQLite.
*   **Customizable**. You can quickly build your logic by fully customizing APIs, routes, or plugins to fit your needs perfectly.

**Getting Started**

Read the Getting Started tutorial or follow the steps below:

**⏳ Installation**

Install Strapi with this **Quickstart** command to create a Strapi project instantly:

*   (Use **yarn** to install the Strapi project (recommended). Install yarn with these docs.)

yarn create strapi-app my-project --quickstart

**or**

*   (Use npm/npx to install the Strapi project.)

npx create-strapi-app my-project --quickstart

This command generates a brand new project with the default features (authentication, permissions, content management, content type builder & file upload). The **Quickstart** command installs Strapi using a **SQLite** database which is used for prototyping in development.

Enjoy 🎉

**🖐 Requirements**

Complete installation requirements can be found in the documentation under Installation Requirements.

**Supported operating systems**:

*   Ubuntu LTS/Debian 9.x
*   CentOS/RHEL 8
*   macOS Mojave
*   Windows 10
*   Docker - Docker-Repo

(Please note that Strapi may work on other operating systems, but these are not tested nor officially supported at this time.)

**Node:**

*   NodeJS >= 12 <= 16
*   NPM >= 6.x

**Database:**

*   MySQL >= 5.7.8
*   MariaDB >= 10.2.7
*   PostgreSQL >= 10
*   SQLite >= 3

**We recommend always using the latest version of Strapi to start your new projects**.

**Features**

*   **Modern Admin Panel:** Elegant, entirely customizable and a fully extensible admin panel.
*   **Secure by default:** Reusable policies, CORS, CSP, P3P, Xframe, XSS, and more.
*   **Plugins Oriented:** Install the auth system, content management, custom plugins, and more, in seconds.
*   **Blazing Fast:** Built on top of Node.js, Strapi delivers amazing performance.
*   **Front-end Agnostic:** Use any front-end framework (React, Vue, Angular, etc.), mobile apps or even IoT.
*   **Powerful CLI:** Scaffold projects and APIs on the fly.
*   **SQL databases:** Works with PostgreSQL, MySQL, MariaDB, and SQLite.

**See more on our website**.

**Contributing**

Please read our Contributing Guide before submitting a Pull Request to the project.

**Community support**

For general help using Strapi, please refer to the official Strapi documentation. For additional help, you can use one of these channels to ask a question:

*   Discord (For live discussion with the Community and Strapi team)
*   GitHub (Bug reports, Contributions)
*   Community Forum (Questions and Discussions)
*   Feedback section (Roadmap, Feature requests)
*   Twitter (Get the news fast)
*   Facebook
*   YouTube Channel (Learn from Video Tutorials)

**Migration**

Follow our migration guides on the documentation to keep your projects up-to-date.

**Roadmap**

Check out our roadmap to get informed of the latest features released and the upcoming ones. You may also give us insights and vote for a specific feature.

**Documentation**

See our dedicated repository for the Strapi documentation, or view our documentation live:

*   Developer docs
*   User guide

**Try live demo**

See for yourself what's under the hood by getting access to a hosted Strapi project with sample data.

**License**

See the LICENSE file for licensing information.

CVE-2022-29894: GitHub - strapi/strapi: 🚀 Open source Node.js Headless CMS to easily build customisable APIs

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution.

Tag

#xss