Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission.

CVE-2022-34784: Jenkins Security Advisory 2022-06-30

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34791: Jenkins Security Advisory 2022-06-30

There is an object injection vulnerability in swfupload plugin for wordpress.

Copy link

Member

** **nacin** commented Jul 3, 2013**

From an email sent by @nealpoole:

> Do you have a proposed fix for the "object injection" issue? My initial thought is that the buttonImageURL parameter is working exactly as intended. The behavior is similar to a message board that allows you to embed images from third party websites. We could try to artificially constrain the image to the same domain as the SWF, but with open redirects and increased use of CDNs that change seems likely to break backwards compatibility and not serve as a complete fix.

From an email sent by me:

> We agree with Neal that the image injection issue is more or less intended behavior, especially since fixing the XSS prevents a potential problem where the image can be used with XSS to help trick a user. The original reporter indicated a link between these issues as well, and we don't really see the image injection as a vulnerability in itself.
> 
> There are three ways to resolve this: 1) Remove support for buttonImageURL entirely. 2) Enforce the same domain for buttonImageURL. 3) Do nothing. None of these are perfect. Doing nothing does not entirely resolve the issue of trust, as you could use this to serve sketchy images from a trusted domain. The other options (removing buttonImageURL or enforcing the same domain) would indeed break current behavior, but the goal of our fork is for SWFUpload to be secure, not necessarily pretty and functional. But, having a button image is still pretty important. I've spoken to a few members of the WP security team and we're leaning toward WONTFIX for this, or if consensus ends up being same-domain, we can do that too.

From an email sent by Szymon Gruszecki:

> consider another way to resolve "the issue": disable passing app parameters by URL. As I can see in current SWFUpload source code there are JS callbacks that allows to set these values - only parameter "moveName" cannot be set in another way than by FlashVars.

for the time being those looking for a immediate solution just use below in .htaccess  
<files swfupload.swf> order allow,deny deny from all </files>

If you need to keep swfupload.swf accessible but want to prevent the use of the buttonImageURL parameter, something like this might work...

    RewriteCond %{QUERY_STRING} (?:^|&)buttonImageURL=([^&]+) [NC]
    RewriteRule ^wp-includes/js/swfupload/swfupload.swf$ - [R=404,L]
    

Copy link

Member

** **nacin** commented Jul 19, 2013**

Please take discussion to oss-security so Steve/Andrew/etc can see it.

CVE-2013-4144: Image object injection vulnerability via 'buttonImageURL' parameter · Issue #1 · WordPress/secure-swfupload

New web targets for the discerning hacker

New web targets for the discerning hacker

Bounty hunting remains a popular business, with a report this month revealing that the vast majority of ethical hackers would like to do more.

The survey, from Belgian bug bounty platform **Intigriti**, found that 96% were keen to spend more time bounty hunting, with two thirds considering it as a full-time career. The biggest draw is the money, cited by nearly half, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart malicious hackers.

Currently, more than half of bug bounty hunters are also in full-time employment elsewhere, and around a third are students. More than one in five, though, get more than a quarter of their total income from bounty payouts.

And for those keen to get stuck in, there’s a new invite-only bug bounty program for the French government’s identity authentication application, **France Identité**, launched earlier this year to complement the country’s new electronic identity cards.

Hosted by Paris-based ethical hacking platform **YesWeHack**, the program has recruited 30 ethical hackers so far, with specific skills relating to the application, particularly cryptography. It will eventually be opened to all, and will run for the mobile app’s lifetime.

Finally, **Google**’s been generous lately, paying out more than $300,000 for reports on a variety of flaws in Google Cloud Platform (GCP) during last year.

Security researcher Sebastian Lutz took first prize, with an award of $133,337, for discovering a bug in in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources. Second place, meanwhile, went to Hungarian researcher Imre Rad, who earned $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The program, which kicked off in 2019, now represents a fair chunk of the total $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.

**The latest bug bounty programs for July 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Animal Friends**

**Program provider:**  
Independent

**Program type:**  
Public

**Max reward:**  
£400 ($480)

**Outline:**  
UK pet insurance company Animal Friends has launched a public bug bounty program that’s focused on securing its corporate website, customer portal, vet portal, and sales platform.

**Notes:**  
Discussing the new program, the insurance provider said: “No system is ever perfect, and therefore Animal Friends believes that working with skilled security researchers around the world is crucial to identify and fix any weaknesses.”

Check out the Animal Friends bug bounty page for more details

**ClickHouse**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
ClickHouse is an open source, column-oriented OLAP database management system that allows users to generate analytical reports using SQL queries in real time.

**Notes:**  
The main focus of the public program is the open source version of the ClickHouse platform.

Check out the ClickHouse bug bounty page at Bugcrowd for more details

**France Identité**

**Program provider:**  
YesWeHack

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The French government has launched an invite-only bug bounty program for its newly launched identity authentication application, ‘France Identité’.

**Notes:**  
Hosted by Paris-based ethical hacking platform YesWeHack, the program will eventually be opened up to all security researchers and then run for the mobile app’s lifetime.

Check out our recent coverage for more details

**MetaMask**

**Program provider:**  
HackerOne

**Program type:**  
Public

**Max reward:**  
$50,000

**Outline:**  
MetaMask, one of the most widely used wallets for interacting with distributed applications, has launched a bug bounty program offering rewards of up to $50,000 for critical vulnerabilities.

**Notes:**  
MetaMask is particularly seeking reports demonstrating how an attacker could extract the secret recovery phrase or a private key from a wallet, or make a user’s wallet behave in “unexpected ways”.

Check out the MetaMask bug bounty page at HackerOne for more details

**Opera**

**Program provider:**  
Independent

**Program type:**  
Private

**Max reward:**  
Undisclosed

**Outline:**  
The developers behind the Opera web browser have launched a private bug bounty program to accompany the existing public program that’s housed on the Bugcrowd platform.

**Notes:**  
There are currently few details relating to this private program, although anyone expressing an interest must already have a Bugcrowd ID.

Check out Opera’s private bug bounty page for more details

**Phemex**

**Program provider:**  
Bugcrowd

**Program type:**  
Public

**Max reward:**  
$2,500

**Outline:**  
Cryptocurrency trading platform Phemex has partnered with Bugcrowd to launch a bug bounty program.

**Notes:**  
Researchers have been tasked with finding bugs in the Phemex website and mobile apps. Cross-site scripting (XSS) and denial-of-service (DoS) exploits are out of scope.

Check out the Phemex bug bounty page at Bugcrowd for more details

**Other bug bounty and VDP news this month**

*   The 2022 **President’s Cup Cybersecurity Competition** is due to launch later this summer. Hosted by CISA, the annual national cyber competition aims to identify and reward the best cybersecurity talent in the federal executive workforce. Registration is now open for eligible participants.
*   **GameStop**, **Oanda**, and **PlanetArt** have launched (unpaid) VDPs on HackerOne.
*   Security pro Quinten Bowen has launched a **malware analysis capture-the-flag** (CTF) competition. Registration is free, and the CTF has “beginner to intermediate level flags” associated with static and dynamic analysis.

Curated by James Walker. Introduction by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for June 2022

Bug Bounty Radar // The latest bug bounty programs for July 2022

This advisory contains mitigations for a Cross-site Scripting, and OS Command Injection vulnerabilities in the Distributed Data Systems WebHMI SCADA system.

Distributed Data Systems WebHMI

The device suffers from multiple vulnerabilities including: Default Credentials, CSRF, Authenticated Stored XSS and Open Redirect.

Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal  
Advisory ID: ZSL-2022-5709  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information  
Risk: (4/5)  
Release Date: 30.06.2022

**Summary**

pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems.

**Description**

The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

**Vendor**

CAREL INDUSTRIES S.p.A. - https://www.carel.com

**Affected Version**

Firmware: A2.1.0 - B2.1.0  
Application Software: 2.15.4A  
Software version: v16 13020200

**Tested On**

GNU/Linux 4.11.12 (armv7l)  
thttpd/2.29

**Vendor Status**

\[10.05.2022\] Vulnerability discovered.  
\[27.05.2022\] Vendor contacted.  
\[27.05.2022\] Vendor responds creating request ID 00027344. Will come back soon with an answer.  
\[29.06.2022\] No response from the vendor.  
\[30.06.2022\] Public security advisory released.

**PoC**

carelpco\_dir.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[30.06.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the `tagName` property of an `Ember.View` was inserted into such a string without being sanitized. This means that if an application assigns a view's `tagName` to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS"). This vulnerability only affects applications that assign or bind user-provided content to `tagName`.

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

ֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

**Types of attacks**

There are a few methods by which XSS can be manipulated:

Type

Origin

Description

**Stored**

Server

The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.

**Reflected**

Server

The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.

**DOM-based**

Client

The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.

**Mutated**

The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

**Affected environments**

The following environments are susceptible to an XSS attack:

*   Web servers
*   Application servers
*   Web application environments

**How to prevent**

This section describes the top best practices designed to specifically protect your code:

*   Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
*   Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
*   Give users the option to disable client-side scripts.
*   Redirect invalid requests.
*   Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
*   Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
*   Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

CVE-2013-4170: Cross-site Scripting (XSS) in ember-source | CVE-2013-4170 | Snyk

A cross-site scripting (XSS) vulnerability in the batch add function of Urtracker Premium v4.0.1.1477 allows attackers to execute arbitrary web scripts or HTML via a crafted excel file.

**Vulnerability title:  
**

Bypassing the xss defense by uploading files at the user-added place causes the storage of xss

**Affected versions:  
**

Premium v4.0.1.1477

**Discovery time:  
**

2022/06/07

**Found by:  
**

jerryflag

**analysis report:  
**

0x01:  
First, I found that this program is vulnerable to stored xss attacks. When I communicated with the program provider, I was told that the program has xss protection, so I bypassed the xss protection through further attempts and made my xss attack effective   
0x02:  
It was observed that the program has a batch add function, so add the payload to the excel file, simulate the batch add user function, bypass the xss protection, and make the xss attack take effect.  poc:  
<img src=1 onerror=alert(1)>  
<img src=1 onerror=alert(2)>  0x03:  
The page automatically loads and triggers XSS  
The final xss effective result  
   

**Fixes:  
**

Make xss protection fully effective

**illustrate**

(1) http://www.urtracker.cn/ ,

**Introduction to URTracker**

"URTracker transaction tracking tracking system" is a general problem (Issue Tracking) software for these problems. It is used to help businesses and teams create various types of processes, manage all of them and keep track of recorded processes, and has a built-in workbench for sharing issues.  
(2) Reproduce the demo url：http://www.1.urtracker.cn/Accounts/login.aspx?ReturnUrl=%2fdefault.aspx  
account/passwprd：admin/123456

CVE-2022-33043: vim/core_tmp.md at main · chen-jerry-php/vim

Fixed bug could allow attackers to extract sensitive information

Ben Dickson 30 June 2022 at 10:20 UTC

Fixed bug could allow attackers to extract sensitive information

  

A recently-patched security hole in Chromium browsers allowed attackers to bypass safeguards against dangling markup injection’, an attack that extracts sensitive information from webpages.

While dangling markup injection is well-known and -addressed in Chromium browsers, the new attack took advantage of an unaddressed case in how the browser upgrades unsafe HTTP connections.

**Extracting sensitive markup**

Dangling markup injection captures data cross-domain in situations where full cross-site scripting (XSS) attacks aren’t possible.

If an application doesn’t sanitize user-supplied data before integrating it into the markup, an attacker can take advantage to force the page to send some of the page’s markup to their own server.

For example, the attacker can inject HTML markup that includes a specially crafted element that invokes a resource on the attacker’s server and sends HTML markup on the page as the query string to the server.

The Chromium team has been patching dangling markup injection bugs since 2017 and has added restrictions to escape or remove HTML markup inserted into URL strings.

**Safe connection, unsafe markup**

Chromium also has another security feature that upgrades unsafe HTTP protocols used in the HTML markup.

For example, if the src attribute of an tag refers to an HTTP address, the browser automatically upgrades it to HTTPS to enforce encrypted connections.

SeungJu Oh, the security researcher who reported the new bug, discovered that when the browser upgrades an in-page URL from HTTP to HTTPS, it bypasses the dangling markup injection safeguards.

As a result, if an attacker provides a dangling markup injection string that uses the HTTP scheme, it will not go through the dangling markup injection sanitization process when the URL is upgraded to HTTPS.

Oh provided a proof of concept with an tag, but also said that the same scheme works with audio, video, and possibly more tags.

“This allows attackers to get personal information by leaking the user’s content when \[the\] script is unavailable due to security elements such as CSP,” Oh writes.

According to the conversation thread in the Chromium bug report platform, the function that switches the URL protocol to HTTPS causes the dangling markup flag to become false, which in turn bypasses the security checks on the URL string. The bug has been patched in the new version of Chromium-based browsers.

The findings further highlight the necessity to sanitize user input before integrating it into the markup.

It is also a reminder of the complexities of managing the security of products that have many moving parts.

Sometimes, a security fix in one part of the program can break the safeguards in another, as Chromium’s latest dangling markup injection vulnerability shows.

YOU MAY ALSO LIKE UnRAR path traversal flaw can lead to RCE in Zimbra

Chromium browsers vulnerable to dangling markup injection

A vulnerability classified as problematic was found in Bitrix Site Manager 12.06.2015. Affected by this vulnerability is an unknown functionality of the component Contact Form. The manipulation of the argument text with the input <img src="http://1"; on onerror="$(’p').text(’Hacked’)" /> leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: "MustLive" <mustlive () websecurity com ua>  
_Date_: Tue, 31 Jan 2017 23:55:21 +0200  

Hello list!

There is Cross-Site Scripting vulnerability in Bitrix Site Manager.

-------------------------
Affected products:
-------------------------

Vulnerable was the last version of Bitrix Site Manager at 12.06.2015, when I found this vulnerability on web site of Russian terrorists. At that time I wrote at Facebook about hack by Ukrainian Cyber Forces of that site http://on.fb.me/1H05ccm and published results of our work with it.

You can read about work of Ukrainian Cyber Forces (http://lists.webappsec.org/pipermail/websecurity\_lists.webappsec.org/2017-January/010833.html).

\----------
Details:
----------

Cross-Site Scripting (WASC-08):

This is persistent XSS in field "text" in contact form (captcha protected):

<img src="http://1"; on onerror="$(’p').text(’Hacked’)" />

At 31.12.2016 I disclosed it at my site (http://websecurity.com.ua/7826/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site

http://websecurity.com.ua

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Cross-Site Scripting vulnerability in Bitrix Site Manager** _MustLive (Feb 01)_

Tag

#xss