Jenkins Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1, does not escape the name and description of Credentials parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Credentials Plugin
*   CVS Plugin
*   Extended Choice Parameter Plugin
*   Gerrit Trigger Plugin
*   Git Parameter Plugin
*   Google Compute Engine Plugin
*   Jira Plugin
*   Job Generator Plugin
*   Mask Passwords Plugin
*   Node and Label parameter Plugin
*   Pipeline: Shared Groovy Libraries Plugin
*   promoted builds Plugin
*   Publish Over FTP Plugin
*   Subversion Plugin

**Descriptions****Stored XSS vulnerabilities in multiple plugins providing additional parameter types**

**SECURITY-2617 / CVE-2022-29036 (Credentials), CVE-2022-29037 (CVS), CVE-2022-29038 (Extended Choice Parameter), CVE-2022-29039 (Gerrit Trigger), CVE-2022-29040 (Git Parameter), CVE-2022-29041 (Jira), CVE-2022-29042 (Job Generator), CVE-2022-29043 (Mask Passwords), CVE-2022-29044 (Node and Label Parameter), CVE-2022-29045 (promoted builds), CVE-2022-29046 (Subversion)**

Multiple plugins do not escape the name and description of the parameter types they provide:

*   Credentials Plugin 1111.v35a\_307992395 and earlier (SECURITY-2690 / CVE-2022-29036)
    
*   CVS Plugin 2.19 and earlier (SECURITY-2700 / CVE-2022-29037)
    
*   Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier (SECURITY-2704 / CVE-2022-29038)
    
*   Gerrit Trigger Plugin 2.35.2 and earlier (SECURITY-2703 / CVE-2022-29039)
    
*   Git Parameter Plugin 0.9.15 and earlier (SECURITY-2699 / CVE-2022-29040)
    
*   Jira Plugin 3.7 and earlier (SECURITY-2691 / CVE-2022-29041)
    
*   Job Generator 1.22 and earlier (SECURITY-2263 / CVE-2022-29042)
    
*   Mask Passwords Plugin 3.0 and earlier (SECURITY-2701 / CVE-2022-29043)
    
*   Node and Label parameter Plugin 1.10.3 and earlier (SECURITY-2702 / CVE-2022-29044)
    
*   promoted builds Plugin 873.v6149db\_d64130 and earlier (SECURITY-2692 / CVE-2022-29045)
    
*   Subversion Plugin 2.15.3 and earlier (SECURITY-2698 / CVE-2022-29046)
    

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, the following plugins have been updated to list parameters in a way that prevents exploitation by default.

*   Maven Release Plugin 0.16.3 (SECURITY-2669)
    
*   Pipeline: Build Step Plugin 2.17 and 2.15.2 (SECURITY-2611)
    
*   Pipeline: Input Step Plugin 447.v95e5a\_6e3502a\_ and 2.12.1 (SECURITY-2674)
    
*   promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1 (SECURITY-2670)
    
*   Rebuilder Plugin 1.33.1 (SECURITY-2671)
    
*   Release Plugin 2.14 (SECURITY-2672)
    

Older releases of these plugins allow exploitation of the vulnerabilities listed above.

As of publication of this advisory, the following plugins have not yet been updated to list parameters in a way that prevents exploitation of these vulnerabilities:

*   Coordinator Plugin (SECURITY-2668)
    
*   Show Build Parameters Plugin (SECURITY-2325)
    
*   Unleash Maven Plugin (SECURITY-2673)
    

These are not vulnerabilities in these plugins. Only plugins defining parameter types can be considered to be vulnerable to this issue.

Note

Some plugins both define parameter types and implement a page listing parameters, so they can appear in multiple lists and may have both a security fix and a security hardening applied.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

*   Credentials Plugin 1112.vc87b\_7a\_3597f6, 1087.1089.v2f1b\_9a\_b\_040e4, 1074.1076.v39c30cecb\_0e2, and 2.6.1.1
    
*   CVS Plugin 2.19.1
    
*   Gerrit Trigger Plugin 2.35.3
    
*   Git Parameter Plugin 0.9.16
    
*   Jira Plugin 3.7.1 and 3.6.1
    
*   Mask Passwords Plugin 3.1
    
*   Node and Label parameter Plugin 1.10.3.1
    
*   promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1
    
*   Subversion Plugin 2.15.4
    

As of publication of this advisory, there is no fix available for the following plugins:

*   Extended Choice Parameter Plugin (SECURITY-2704 / CVE-2022-29038)
    
*   Job Generator (SECURITY-2263 / CVE-2022-29042)
    

**Untrusted users can modify some Pipeline libraries in Pipeline: Shared Groovy Libraries Plugin**

**SECURITY-1951 / CVE-2022-29047**

Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definition. In that case, Jenkins will just use the Pipeline definition in the pull request’s destination branch instead.

In Pipeline: Shared Groovy Libraries Plugin 564.ve62a\_4eb\_b\_e039 and earlier the same protection does not apply to uses of the `library` step with a `retriever` argument pointing to a library in the current build’s repository and branch (e.g., `library(…, retriever: legacySCM(scm))`). This allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the library behavior in their pull request, even if the Pipeline is configured to not trust them.

Pipeline: Shared Groovy Libraries Plugin 566.vd0a\_a\_3334a\_555 and 2.21.3 aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted.

**CSRF vulnerability in Subversion Plugin**

**SECURITY-2075 / CVE-2022-29048**

Subversion Plugin 2.15.3 and earlier does not require POST requests for several form validation methods, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to connect to an attacker-specified URL.

Subversion Plugin 2.15.4 requires POST requests for the affected form validation methods.

**Promotion names in promoted builds Plugin are not validated when using Job DSL**

**SECURITY-2655 / CVE-2022-29049**

promoted builds Plugin provides dedicated support for defining promotions using Job DSL Plugin.

promoted builds Plugin 873.v6149db\_d64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a result, the promotion name could be used for cross-site scripting (XSS) or to replace other `config.xml` files.

promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1 validates the name of promotions.

**CSRF vulnerability and missing permission checks in Publish Over FTP Plugin**

**SECURITY-2321 / CVE-2022-29050 (CSRF), CVE-2022-29051 (missing permission check)**

Publish Over FTP Plugin 1.16 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Publish Over FTP Plugin 1.17 requires POST requests and appropriate permissions for the affected form validation methods.

**Private key stored in plain text by Google Compute Engine Plugin**

**SECURITY-2045 / CVE-2022-29052**

Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent `config.xml` files on the Jenkins controller as part of its configuration.

These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system.

Google Compute Engine Plugin 4.3.9 stores private keys encrypted.

**Severity**

*   SECURITY-1951: High
*   SECURITY-2045: Medium
*   SECURITY-2075: Medium
*   SECURITY-2321: Medium
*   SECURITY-2617: High
*   SECURITY-2655: High

**Affected Versions**

*   **Credentials Plugin** up to and including 1111.v35a\_307992395
*   **CVS Plugin** up to and including 2.19
*   **Extended Choice Parameter Plugin** up to and including 346.vd87693c5a\_86c
*   **Gerrit Trigger Plugin** up to and including 2.35.2
*   **Git Parameter Plugin** up to and including 0.9.15
*   **Google Compute Engine Plugin** up to and including 4.3.8
*   **Jira Plugin** up to and including 3.7
*   **Job Generator Plugin** up to and including 1.22
*   **Mask Passwords Plugin** up to and including 3.0
*   **Node and Label parameter Plugin** up to and including 1.10.3
*   **Pipeline: Shared Groovy Libraries Plugin** up to and including 564.ve62a\_4eb\_b\_e039
*   **promoted builds Plugin** up to and including 873.v6149db\_d64130
*   **Publish Over FTP Plugin** up to and including 1.16
*   **Subversion Plugin** up to and including 2.15.3

**Fix**

*   **Credentials Plugin** should be updated to version 1112.vc87b\_7a\_3597f6, 1087.1089.v2f1b\_9a\_b\_040e4, 1074.1076.v39c30cecb\_0e2, or 2.6.1.1
*   **CVS Plugin** should be updated to version 2.19.1
*   **Gerrit Trigger Plugin** should be updated to version 2.35.3
*   **Git Parameter Plugin** should be updated to version 0.9.16
*   **Google Compute Engine Plugin** should be updated to version 4.3.9
*   **Jira Plugin** should be updated to version 3.7.1 or 3.6.1
*   **Mask Passwords Plugin** should be updated to version 3.1
*   **Node and Label parameter Plugin** should be updated to version 1.10.3.1
*   **Pipeline: Shared Groovy Libraries Plugin** should be updated to version 566.vd0a\_a\_3334a\_555 or 2.21.3
*   **promoted builds Plugin** should be updated to version 876.v99d29788b\_36b\_ or 3.10.1
*   **Publish Over FTP Plugin** should be updated to version 1.17
*   **Subversion Plugin** should be updated to version 2.15.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Extended Choice Parameter Plugin
*   Job Generator Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2045
*   **James Nord, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.** for SECURITY-2075
*   **James Nord, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-1951
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2655
*   **Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-2617
*   **Kevin Guerroudj, Justin Philip, Marc Heyries** for SECURITY-2321

CVE-2022-29036: Jenkins Security Advisory 2022-04-12

Missing permission checks in Jenkins Publish Over FTP Plugin 1.16 and earlier allow attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

CVE-2022-29051: Jenkins Security Advisory 2022-04-12

An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.

 ![Strapi logo](https://camo.githubusercontent.com/b25f65a5c408dcaeef14b726f979f704a243779bfc87649bf8bb989128306513/68747470733a2f2f7374726170692e696f2f6173736574732f7374726170692d6c6f676f2d6461726b2e737667)![Strapi logo](https://camo.githubusercontent.com/7b181416931b19e4f5c19a139a9f8609621f9b8350f266f543bf19f93c7bf219/68747470733a2f2f7374726170692e696f2f6173736574732f7374726170692d6c6f676f2d6c696768742e737667)

**API creation made simple, secure and fast.**

The most advanced open-source headless CMS to build powerful APIs with no effort.

Try live demo

 ![NPM Version](https://camo.githubusercontent.com/aac2f800b4cf4086f7a228638389a16988fcc910098191c206d55fd885c0b837/68747470733a2f2f696d672e736869656c64732e696f2f6e706d2f762f407374726170692f7374726170692f6c61746573742e737667)![Tests](https://github.com/strapi/strapi/actions/workflows/tests.yml/badge.svg?branch=master) ![Strapi on Discord](https://camo.githubusercontent.com/78d3787edf60450ff576c1042086f935a56e4d8b024ba4d1e69b4a5e1de0af3c/68747470733a2f2f696d672e736869656c64732e696f2f646973636f72642f3831313938393136363738323032313633333f6c6162656c3d446973636f7264)

![Administration panel](https://raw.githubusercontent.com/strapi/strapi/0bcebf77b37182fe021cb59cc19be8f5db4a18ac/public/assets/administration_panel.png)

Strapi is a free and open-source headless CMS delivering your content anywhere you need.

*   **Keep control over your data**. With Strapi, you know where your data is stored, and you keep full control at all times.
*   **Self-hosted**. You can host and scale Strapi projects the way you want. You can choose any hosting platform you want: AWS, Render, Netlify, Heroku, a VPS, or a dedicated server. You can scale as you grow, 100% independent.
*   **Database agnostic**. Strapi works with SQL databases. You can choose the database you prefer: PostgreSQL, MySQL, MariaDB, and SQLite.
*   **Customizable**. You can quickly build your logic by fully customizing APIs, routes, or plugins to fit your needs perfectly.

**Getting Started**

Read the Getting Started tutorial or follow the steps below:

**⏳ Installation**

Install Strapi with this **Quickstart** command to create a Strapi project instantly:

*   (Use **yarn** to install the Strapi project (recommended). Install yarn with these docs.)

yarn create strapi-app my-project --quickstart

**or**

*   (Use npm/npx to install the Strapi project.)

npx create-strapi-app my-project --quickstart

This command generates a brand new project with the default features (authentication, permissions, content management, content type builder & file upload). The **Quickstart** command installs Strapi using a **SQLite** database which is used for prototyping in development.

Enjoy 🎉

**🖐 Requirements**

Complete installation requirements can be found in the documentation under Installation Requirements.

**Supported operating systems**:

*   Ubuntu LTS/Debian 9.x
*   CentOS/RHEL 8
*   macOS Mojave
*   Windows 10
*   Docker - Docker-Repo

(Please note that Strapi may work on other operating systems, but these are not tested nor officially supported at this time.)

**Node:**

*   NodeJS >= 12 <= 16
*   NPM >= 6.x

**Database:**

*   MySQL >= 5.7.8
*   MariaDB >= 10.2.7
*   PostgreSQL >= 10
*   SQLite >= 3

**We recommend always using the latest version of Strapi to start your new projects**.

**Features**

*   **Modern Admin Panel:** Elegant, entirely customizable and a fully extensible admin panel.
*   **Secure by default:** Reusable policies, CORS, CSP, P3P, Xframe, XSS, and more.
*   **Plugins Oriented:** Install the auth system, content management, custom plugins, and more, in seconds.
*   **Blazing Fast:** Built on top of Node.js, Strapi delivers amazing performance.
*   **Front-end Agnostic:** Use any front-end framework (React, Vue, Angular, etc.), mobile apps or even IoT.
*   **Powerful CLI:** Scaffold projects and APIs on the fly.
*   **SQL databases:** Works with PostgreSQL, MySQL, MariaDB, and SQLite.

**See more on our website**.

**Contributing**

Please read our Contributing Guide before submitting a Pull Request to the project.

**Community support**

For general help using Strapi, please refer to the official Strapi documentation. For additional help, you can use one of these channels to ask a question:

*   Discord (For live discussion with the Community and Strapi team)
*   GitHub (Bug reports, Contributions)
*   Community Forum (Questions and Discussions)
*   ProductBoard (Roadmap, Feature requests)
*   Twitter (Get the news fast)
*   Facebook
*   YouTube Channel (Learn from Video Tutorials)

**Migration**

Follow our migration guides on the documentation to keep your projects up-to-date.

**Roadmap**

Check out our roadmap to get informed of the latest features released and the upcoming ones. You may also give us insights and vote for a specific feature.

**Documentation**

See our dedicated repository for the Strapi documentation, or view our documentation live:

*   Developer docs
*   User guide

**Try live demo**

See for yourself what's under the hood by getting access to a hosted Strapi project with sample data.

**License**

See the LICENSE file for licensing information.

CVE-2022-27263: GitHub - strapi/strapi: 🚀 Open source Node.js Headless CMS to easily build customisable APIs

PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.

@@ -52,6 +52,31 @@ jQuery.PrivateBin = (function($, RawDeflate) { \*/ let z;  
/\*\* \* DOMpurify settings for HTML content \* \* @private \*/ const purifyHtmlConfig \= { ALLOWED\_URI\_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|magnet):)/i, SAFE\_FOR\_JQUERY: true, USE\_PROFILES: { html: true } };  
/\*\* \* DOMpurify settings for SVG content \* \* @private \*/ const purifySvgConfig \= { USE\_PROFILES: { svg: true, svgFilters: true } };  
/\*\* \* CryptoData class \* @@ -409,7 +434,8 @@ jQuery.PrivateBin = (function($, RawDeflate) { element.html().replace( /(((https?|ftp):\\/\\/\[\\w?!=&.\\/\-;#@~%+\*-\]+(?!\[\\w\\s?!&.\\/;#~%"=-\]\>))|((magnet):\[\\w?=&.\\/\-;#@~%+\*-\]+))/ig, '<a href="$1" rel="nofollow noopener noreferrer">$1</a>' ) ), purifyHtmlConfig ) ); }; @@ -2536,7 +2562,8 @@ jQuery.PrivateBin = (function($, RawDeflate) { // let showdown convert the HTML and sanitize HTML \*afterwards\*! $plainText.html( DOMPurify.sanitize( converter.makeHtml(text) converter.makeHtml(text), purifyHtmlConfig ) ); // add table classes from bootstrap css @@ -2752,6 +2779,34 @@ jQuery.PrivateBin = (function($, RawDeflate) { $dropzone;  
/\*\* \* get blob URL from string data and mime type \* \* @name AttachmentViewer.getBlobUrl \* @private \* @function \* @param {string} data - raw data of attachment \* @param {string} data - mime type of attachment \* @return {string} objectURL \*/ function getBlobUrl(data, mimeType) { // Transform into a Blob const buf \= new Uint8Array(data.length); for (let i \= 0; i < data.length; ++i) { buf\[i\] \= data.charCodeAt(i); } const blob \= new window.Blob( \[buf\], { type: mimeType } );  
// Get Blob URL return window.URL.createObjectURL(blob); }  
/\*\* \* sets the attachment but does not yet show it \* \* @name AttachmentViewer.setAttachment @@ -2761,44 +2816,39 @@ jQuery.PrivateBin = (function($, RawDeflate) { \*/ me.setAttachment \= function(attachmentData, fileName) { // data URI format: data:\[<mediaType\>\]\[;base64\],<data> // data URI format: data:\[<mimeType\>\]\[;base64\],<data>  
// position in data URI string of where data begins const base64Start \= attachmentData.indexOf(',') + 1; // position in data URI string of where mediaType ends const mediaTypeEnd \= attachmentData.indexOf(';'); // position in data URI string of where mimeType ends const mimeTypeEnd \= attachmentData.indexOf(';');  
// extract mediaType const mediaType \= attachmentData.substring(5, mediaTypeEnd); // extract mimeType const mimeType \= attachmentData.substring(5, mimeTypeEnd); // extract data and convert to binary const rawData \= attachmentData.substring(base64Start); const decodedData \= rawData.length \> 0 ? atob(rawData) : '';  
// Transform into a Blob const buf \= new Uint8Array(decodedData.length); for (let i \= 0; i < decodedData.length; ++i) { buf\[i\] \= decodedData.charCodeAt(i); } const blob \= new window.Blob(\[ buf \], { type: mediaType });  
// Get Blob URL const blobUrl \= window.URL.createObjectURL(blob);  
// IE does not support setting a data URI on an a element // Using msSaveBlob to download if (window.Blob && navigator.msSaveBlob) { $attachmentLink.off('click').on('click', function () { navigator.msSaveBlob(blob, fileName); }); } else { $attachmentLink.attr('href', blobUrl); } let blobUrl \= getBlobUrl(decodedData, mimeType); $attachmentLink.attr('href', blobUrl);  
if (typeof fileName !== 'undefined') { $attachmentLink.attr('download', fileName); }  
me.handleBlobAttachmentPreview($attachmentPreview, blobUrl, mediaType); // sanitize SVG preview // prevents executing embedded scripts when CSP is not set and user // right-clicks/long-taps and opens the SVG in a new tab - prevented // in the preview by use of an img tag, which disables scripts, too if (mimeType.match(/image\\/svg/i)) { const sanitizedData \= DOMPurify.sanitize( decodedData, purifySvgConfig ); blobUrl \= getBlobUrl(sanitizedData, mimeType); }  
me.handleBlobAttachmentPreview($attachmentPreview, blobUrl, mimeType); };  
/\*\* @@ -3665,7 +3715,14 @@ jQuery.PrivateBin = (function($, RawDeflate) { for (let i \= 0; i < $head.length; ++i) { newDoc.write($head\[i\].outerHTML); } newDoc.write('</head><body><pre>' + DOMPurify.sanitize(Helper.htmlEntities(paste)) + '</pre></body></html>'); newDoc.write( '</head><body><pre>' + DOMPurify.sanitize( Helper.htmlEntities(paste), purifyHtmlConfig ) + '</pre></body></html>' ); newDoc.close(); }  
@@ -5394,11 +5451,6 @@ jQuery.PrivateBin = (function($, RawDeflate) { // first load translations I18n.loadTranslations();  
DOMPurify.setConfig({ ALLOWED\_URI\_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|magnet):)/i, SAFE\_FOR\_JQUERY: true });  
// Add a hook to make all links open a new window DOMPurify.addHook('afterSanitizeAttributes', function(node) { // set all elements owning target to target=\_blank

CVE-2022-24833: Sanitize SVG preview, preventing script execution in instance context… · PrivateBin/PrivateBin@2a4d572

Stored XSS viva .svg file upload in GitHub repository polonel/trudesk prior to v1.2.0.

CVE-2022-1045

Cross-site Scripting (XSS) - Stored in GitHub repository autolab/autolab prior to 2.8.0.

@@ -44,8 +44,9 @@ def show

flash\[:error\] \= "Error loading #{@attachment.name} from #{@attachment.filename}"

redirect\_to(\[@course, :attachments\]) && return

end

\# Set to application/octet-stream to force download

send\_file(filename, disposition: "inline",

type: @attachment.mime\_type, filename: @attachment.filename) && return

type: "application/octet-stream", filename: @attachment.filename) && return

end

  

action\_auth\_level :edit, :instructor

CVE-2022-0936: Force download of attachments (#1490) · autolab/Autolab@02d76ab

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the File Manager feature.

**..| XSS\_to\_Command\_Injection2 |..****Description :**

**Exploiting a Reflected Cross-Site Scripting (XSS) attack to get a Command Injection through the Webmin's File Manager feature  
**  

**Tested Version :****Webmin 1.973 ( GitHub's latest version 07/03/2021 )**  
**Attack Type:****Remote**  
**Impact :  
****Command Execution****eXploit's C0de POC :**

![](https://github.com/Mesh3l911/CVE-2021-32161/raw/main/exploitPOC.png)

**Vendor of Product :**`https://www.webmin.com`**Additional Information :****`"Webmin is a web-based system administration tool for Unix-like servers, and services with over 1,000,000 installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more"` According to Webmin's GitHub****Discoverers :****Mesh3l\_911 & Z0ldyck  
Twitter: `@mesh3l_911` ,`@electronicbots`  
**

CVE-2021-32161: GitHub - Mesh3l911/CVE-2021-32161: Exploiting a Reflected Cross-Site Scripting (XSS) attack to get a Command Injection through the Webmin's File Manager feature

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 through the Add Users feature.

**..| XSS to Privileged user |..****Description :**

**Exploiting a Reflected Cross-Site Scripting (XSS) attack to create a privileged user through the Webmin's add users feature then getting a reverse shell through the Webmin's running process feature  
**  

**Tested Version :****Webmin 1.973 ( GitHub's latest version 07/03/2021 )**  
**Attack Type:****Remote**  
**Impact :  
****Remote Command Execution****eXploit's C0de POC :**

![](https://github.com/Mesh3l911/CVE-2021-32160/raw/main/exploitPOC.png)

**Vendor of Product :**`https://www.webmin.com`**Additional Information :****`"Webmin is a web-based system administration tool for Unix-like servers, and services with over 1,000,000 installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more"` According to Webmin's GitHub****Discoverers :****Mesh3l\_911 & Z0ldyck  
Twitter: `@mesh3l_911` ,`@electronicbots`  
**

CVE-2021-32160: GitHub - Mesh3l911/CVE-2021-32160: Exploiting a Reflected Cross-Site Scripting (XSS) attack to create a privileged user through the Webmin's add users feature then getting a reverse shell through the 

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.

**..| XSS to RCE CRON|..****Description :**

**Exploiting a Reflected Cross-Site Scripting (XSS) attack to get a Remote Command Execution (RCE) through the Webmin's Scheduled Cron Jobs feature  
**  

**Tested Version :****Webmin 1.973 ( GitHub's latest version 07/03/2021 )**  
**Attack Type:****Remote**  
**Impact :  
****Remote Command Execution****eXploit's C0de POC :**

![](https://github.com/Mesh3l911/CVE-2021-32157/raw/main/exploitPOC.png)

  
**Vendor of Product :**`https://www.webmin.com`**Additional Information :****`"Webmin is a web-based system administration tool for Unix-like servers, and services with over 1,000,000 installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more"` According to Webmin's GitHub****Discoverers :****Mesh3l\_911 & Z0ldyck  
Twitter: `@mesh3l_911` , `@electronicbots`  
**

CVE-2021-32157: GitHub - Mesh3l911/CVE-2021-32157: Exploiting a Reflected Cross-Site Scripting (XSS) attack to get a Remote Command Execution (RCE) through the Webmin's Scheduled Cron Jobs feature

A Cross-Site Scripting (XSS) vulnerability exists in Webmin 1.973 via the Upload and Download feature.

**..| XSS\_to\_Command\_Injection1 |..****Description :**

**Exploiting a Reflected Cross-Site Scripting (XSS) attack to get a Command Injection through the Webmin's Upload and Download feature  
**  

**Tested Version :****Webmin 1.973 ( GitHub's latest version 07/03/2021 )**  
**Attack Type:****Remote**  
**Impact :  
****Command Execution****eXploit's C0de POC :**

![](https://github.com/Mesh3l911/CVE-2021-32158/raw/main/exploitPOC.png)

**Vendor of Product :**`https://www.webmin.com`**Additional Information :****`"Webmin is a web-based system administration tool for Unix-like servers, and services with over 1,000,000 installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more"` According to Webmin's GitHub****Discoverers :****Mesh3l\_911 & Z0ldyck  
Twitter: `@mesh3l_911` ,`@electronicbots`  
**

CVE-2021-32158: GitHub - Mesh3l911/CVE-2021-32158: Exploiting a Reflected Cross-Site Scripting (XSS) attack to get a Command Injection through the Webmin's Upload and Download feature

Tag

#xss