An issue was discovered in Joomla! 3.7.0 through 3.10.6. Lack of input validation could allow an XSS attack using com_fields.

**Security Announcements**

**\[20220304\] - Core - Missing input validation within com\_fields class inputs**

*   **Project:** Joomla!
*   **SubProject:** CMS
*   **Impact:** Moderate
*   **Severity:** Low
*   **Probability:** Low
*   **Versions:** 3.7.0 - 3.10.6
*   **Exploit type:** XSS
*   **Reported Date:** 2021-05-06
*   **Fixed Date:** 2022-03-29
*   **CVE Number:** CVE-2022-23796

**Description**

Lack of input validation could allow an XSS attack using com\_fields

**Affected Installs**

Joomla! CMS versions 3.7.0 - 3.10.6

**Solution**

Upgrade to version 3.10.7

**Contact**

The JSST at the Joomla! Security Centre.

**Reported By:** Hoàng Nguyễn

*   
*

CVE-2022-23796: Joomla! Developer Network

There is a stored XSS vulnerability in ZTE home gateway product. An attacker could modify the gateway name by inserting special characters and trigger an XSS attack when the user views the current topology of the device through the management page.

**Original release date****:** March 30, 2022

**CVE ID**

CVE-2022-23136

**CVSS 3.****1** **Base Score**

4.3  Medium (AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

**Description**

There is a stored XSS vulnerability in ZTE home gateway product. An attacker could modify the gateway name by inserting special characters and trigger an XSS attack when the user views the current topology of the device through the management page.

**Affected Products and Fixes**

Product Name

Affected Version

Resolved Version

ZXHN F680

 V6.0.10P3N20

 V6.0.10P1N34

**Source**

The vulnerability was found by ZTE's internal test.

**Update Records**

 March 30, 2022, initial. 

**Version Update Method**

Please contact ZTE Global Customer Support Center to obtain the upgraded version.

**Global Customer Support Center**

http://support.zte.com.cn/support/web/Contact.aspx?\_langType=en

**ZTE PSIRT**

https://www.zte.com.cn/global/cybersecurity/ztepsirt.html

CVE-2022-23136: Security Bulletin Details

A specially crafted TCP/IP packet may cause a camera recovery image telnet interface to crash. It may also cause a buffer overflow which could enable remote code execution. The recovery image can only be booted with administrative rights or with physical access to the camera and allows the upload of a new firmware in case of a damaged firmware.

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-478243-BT
*   **CVE Numbers and CVSS v3.1 Scores:**
    *   CVE-2021-23847
        *   Base Score: 9.8 (Critical)
    *   CVE-2021-23848
        *   Base Score: 8.3 (High)
    *   CVE-2021-23852
        *   Base Score: 4.9 (Medium)
    *   CVE-2021-23853
        *   Base Score: 8.3 (High)
    *   CVE-2021-23854
        *   Base Score: 8.3 (High)
*   **Published:** 09 Jun 2021
*   **Last Updated:** 09 Jun 2021

**Summary**

Multiple vulnerabilities for Bosch IP cameras have been discovered in a Penetration Test from Kaspersky ICS CERT during a certification effort from Bosch.

Bosch rates these vulnerabilities with CVSSv3.1 base scores from 9.8 (Critical) to 4.9 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment.

Customers are strongly advised to upgrade to the fixed versions.

These vulnerabilities were discovered by Alexander Nochvay and Andrey Muravitsky from Kaspersky ICS CERT.

**Affected Products**

*   Bosch CPP Firmware on: CPP4, CPP6, CPP7, CPP7.3, CPP13
    *   CVE-2021-23848
    *   CVE-2021-23852
    *   CVE-2021-23853
*   Bosch CPP Firmware 7.62 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.70 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.72 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.75 on: CPP13
    *   CVE-2021-23854
*   Bosch CPP Firmware 7.76 on: CPP13
    *   CVE-2021-23854
*   Bosch CPP Firmware < 7.80 B128 on: CPP6, CPP7, CPP7.3
    *   CVE-2021-23847

**Solution and Mitigations****Software Updates**

The recommended approach is to update the affected Bosch firmware to a fixed version. If an update is not possible in timely manner, users are recommended to follow the mitigations and workarounds described in the following section.

Platform

Affected/revoked firmware

Fixed firmware

CPP4

7.10

7.10.0095

CPP6

7.60, 7.61

7.62.0005

7.70, 7.80

7.80.0129

AVIOTEC

7.61, 7.72

7.72.0013

CPP7

7.60, 7.61

7.62.0005

7.70, 7.72, 7.80

7.80.0129

CPP7.3

7.60, 7.61, 7.62

7.62.0005

7.70, 7.72, 7.73, 7.80

7.80.0129

CPP13

7.75

7.75.0008

**Firewalling**

Disallowing connections from insecure networks to the camera by means of a firewall prevents the attacker from accessing the vulnerable interface.

**IP Filtering**

The camera has the possibility to whitelist networks or IP addresses to only allow access from trusted networks or IPs, preventing an attacker from accessing the camera.

**Using certificate based authentication**

To mitigate the critical vulnerability CVE-2021-23847, certificate based user authentication for the camera can be used as the SSL based authentication happens, before the vulnerable component can be accessed. This prevents an unauthenticated attacker from accessing the interface.

**Secure Configuration Environment**

It is advised to use a Bosch tool like the Configuration Manager to configure the camera, that does not allow for issues like XSS.

When using the web based configuration interface and currently being logged in as administrator, some security precautions can be taken to mitigate XSS vulnerabilities:

*   No other websites or email content should be opened as long as the session to the camera is active
    
*   No links should be clicked from an untrusted external source that link back to the camera.
    
*   Use a different browser than the system default browser to open a session to the camera as there is no XSS between browsers.
    
*   Always log out and/or close the browser (not only the tab) to clear any session data
    

**Vulnerability Details****CVE-2021-23847**

CVE description: A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device.

Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.

*   Problem Type:
    *   CWE-287 Improper Authentication
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    *   Base Score: 9.8 (Critical)

**CVE-2021-23848**

CVE description: An error in the URL handler may lead to a reflected cross site scripting (XSS) in the web-based interface. An attacker with knowledge of the camera address can send a crafted link to a user, which will execute javascript code in the context of the user.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**CVE-2021-23852**

CVE description: An authenticated attacker with administrator rights can call an URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service (DoS).

*   Problem Type:
    *   CWE-400 Uncontrolled Resource Consumption
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
    *   Base Score: 4.9 (Medium)

**CVE-2021-23853**

CVE description: Improper validation of the HTTP header allows an attacker to inject arbitrary HTTP headers through crafted URLs.

*   Problem Type:
    *   CWE-20 Improper Input Validation
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**CVE-2021-23854**

CVE description: An error in the handling of a page parameter may lead to a reflected cross site scripting (XSS) in the web-based interface.

This issue only affects versions 7.7x and 7.6x. All other versions are not affected.

*   Problem Type:
    *   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
    *   Base Score: 8.3 (High)

**Remark**

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

*   \[1\] Firmware Download Area: https://downloadstore.boschsecurity.com/index.php?type=FW

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

*   09 Jun 2021: Correction of build version number of fixed firmware
*   09 Jun 2021: Initial Publication

**Appendix****Affected Plattforms and Cameras**

**CPP13**

*   AUTODOME inteox 7000i
    
*   MIC inteox 7100i
    

**CPP7.3**

*   AUTODOME IP 4000i
    
*   AUTODOME IP 5000i
    
*   AUTODOME IP starlight 5000i (IR)
    
*   AUTODOME IP starlight 7000i
    
*   DINION IP 3000i
    
*   DINION IP bullet 4000i
    
*   DINION IP bullet 5000
    
*   DINION IP bullet 5000i
    
*   DINION IP bullet 6000i
    
*   FLEXIDOME IP 3000i
    
*   FLEXIDOME IP 4000i
    
*   FLEXIDOME IP 5000i
    
*   FLEXIDOME IP starlight 5000i (IR)
    
*   FLEXIDOME IP starlight 8000i
    
*   MIC IP starlight 7000i
    
*   MIC IP starlight 7100i
    
*   MIC IP ultra 7100i
    
*   MIC IP fusion 9000i
    

**CPP7**

*   DINION IP starlight 6000
    
*   DINION IP starlight 7000
    
*   DINION IP thermal 8000
    
*   FLEXIDOME IP starlight 6000
    
*   FLEXIDOME IP starlight 7000
    
*   DINION IP thermal 9000 RM
    

**CPP6**

*   DINION IP starlight 8000 12MP
    
*   DINION IP ultra 8000 12MP
    
*   DINION IP ultra 8000 12MP with C/CS mount telephoto lens
    
*   FLEXIDOME IP panoramic 6000 12MP 180
    
*   FLEXIDOME IP panoramic 6000 12MP 360
    
*   FLEXIDOME IP panoramic 6000 12MP 180 IVA
    
*   FLEXIDOME IP panoramic 6000 12MP 360 IVA
    
*   FLEXIDOME IP panoramic 7000 12MP 180
    
*   FLEXIDOME IP panoramic 7000 12MP 360
    
*   FLEXIDOME IP panoramic 7000 12MP 180 IVA
    
*   FLEXIDOME IP panoramic 7000 12MP 360 IVA
    

**CPP4**

*   AUTODOME IP 4000 HD
    
*   AUTODOME IP 5000 HD
    
*   AUTODOME IP 5000 IR
    
*   AUTODOME 7000 series
    
*   DINION HD 1080p
    
*   DINION HD 1080p HDR
    
*   DINION HD 720p
    
*   DINION imager 9000 HD
    
*   DINION IP bullet 4000
    
*   DINION IP bullet 5000
    
*   DINION IP 4000 HD
    
*   DINION IP 5000 HD
    
*   DINION IP 5000 MP
    
*   DINION IP starlight 7000 HD
    
*   FLEXIDOME corner 9000 MP
    
*   FLEXIDOME HD 1080p
    
*   FLEXIDOME HD 1080p HDR
    
*   FLEXIDOME HD 720p
    
*   Vandal-proof FLEXIDOME HD 1080p
    
*   Vandal-proof FLEXIDOME HD 1080p HDR
    
*   Vandal-proof FLEXIDOME HD 720p
    
*   FLEXIDOME IP micro 2000 HD
    
*   FLEXIDOME IP micro 2000 IP
    
*   FLEXIDOME IP indoor 4000 HD
    
*   FLEXIDOME IP indoor 4000 IR
    
*   FLEXIDOME IP outdoor 4000 HD
    
*   FLEXIDOME IP outdoor 4000 IR
    
*   FLEXIDOME IP indoor 5000 HD
    
*   FLEXIDOME IP indoor 5000 MP
    
*   FLEXIDOME IP micro 5000 MP
    
*   FLEXIDOME IP outdoor 5000 HD
    
*   FLEXIDOME IP outdoor 5000 MP
    
*   FLEXIDOME IP panoramic 5000
    
*   IP bullet 4000 HD
    
*   IP bullet 5000 HD
    
*   IP micro 2000
    
*   IP micro 2000 HD
    
*   MIC IP dynamic 7000
    
*   MIC IP starlight 7000
    
*   TINYON IP 2000 family

CVE-2021-23850: Multiple vulnerabilities in Bosch IP cameras

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Group Functionality of Profelis IT Consultancy SambaBox allows AUTHENTICATED user to cause execute arbitrary codes on the vulnerable server. This issue affects: Profelis IT Consultancy SambaBox 4.0 version 4.0 and prior versions on x86.

Skip to content

*   SambaBox
    *   Kurumsal Dizin Çözümü
    *   Güvenlik
    *   Bireysel Parola Servisi
    *   SambaBox’a Geçiş
    *   Karşılaştırma Tablosu
*   Kimler İçin?
    *   Kamu Kurumları
    *   Üniversiteler
    *   Kurumsal Şirketler
    *   Çözüm ve Ürün Üreticiler
    *   Bulut ve Servis Sağlayıcılar
*   Kaynaklar
    *   Güncellemeler
    *   Sertifikalar
    *   Dokümanlar
    *   Entegrasyonlar
    *   Web Seminerleri
    *   Videolar
    *   Başarı Hikayeleri
    *   SSS
*   Belgeler
*   Partner Portal
*   İletişim
*   TR

*   SambaBox
    *   Kurumsal Dizin Çözümü
    *   Güvenlik
    *   Bireysel Parola Servisi
    *   SambaBox’a Geçiş
    *   Karşılaştırma Tablosu
*   Kimler İçin?
    *   Kamu Kurumları
    *   Üniversiteler
    *   Kurumsal Şirketler
    *   Çözüm ve Ürün Üreticiler
    *   Bulut ve Servis Sağlayıcılar
*   Kaynaklar
    *   Güncellemeler
    *   Sertifikalar
    *   Dokümanlar
    *   Entegrasyonlar
    *   Web Seminerleri
    *   Videolar
    *   Başarı Hikayeleri
    *   SSS
*   Belgeler
*   Partner Portal
*   İletişim
*   TR

*   SambaBox
    *   Kurumsal Dizin Çözümü
    *   Güvenlik
    *   Bireysel Parola Servisi
    *   SambaBox’a Geçiş
    *   Karşılaştırma Tablosu
*   Kimler İçin?
    *   Kamu Kurumları
    *   Üniversiteler
    *   Kurumsal Şirketler
    *   Çözüm ve Ürün Üreticiler
    *   Bulut ve Servis Sağlayıcılar
*   Kaynaklar
    *   Güncellemeler
    *   Sertifikalar
    *   Dokümanlar
    *   Entegrasyonlar
    *   Web Seminerleri
    *   Videolar
    *   Başarı Hikayeleri
    *   SSS
*   Belgeler
*   Partner Portal
*   İletişim
*   TR

Page load link

CVE-2022-25620: SambaBox Sürüm 4.0

DouPHP v1.6 Release 20220121 is affected by Cross Site Scripting (XSS) through /admin/login.php in the background, which will lead to JavaScript code execution.

XSS vulnerability exists in douphp background adding articles.

Official demo site, administrator login. https://demo.douphp.com/admin/login.php

Source download address. https://down.douphp.com/DouPHP\_1.6\_Release\_20220121.zip

Log in to the background and add articles. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/1.png)

Insert XSS code at the article name,Submit.

<script>alert(document.cookie)</script>

![image](https://github.com/zpxlz/douphp/raw/gh-pages/2.png)

Cookie pops up in the background. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/3.png)

The foreground will also trigger vulnerabilities. ![image](https://github.com/zpxlz/douphp/raw/gh-pages/4.png)

CVE-2022-24131: GitHub - zpxlz/douphp: douphp

Cross-site Scripting (XSS) - Stored in GitHub repository mineweb/minewebcms prior to next.

@@ -96,12 +96,12 @@

<div class\="form-group"\>

<label\><?= $Lang\->get('NAVBAR\_\_LINK\_NAME') ?></label\>

<input type\="text" class\="form-control name\_of\_nav"

value\="<?= urldecode($name) ?>" name\="name\_of\_nav"\>

value\="<?= $name ?>" name\="name\_of\_nav"\>

</div\>

<div class\="form-group"\>

<label\><?= $Lang\->get('URL') ?></label\>

<input type\="text" class\="form-control url\_of\_nav"

value\="<?= urldecode($url) ?>"

value\="<?= $url ?>"

placeholder\="<?= $Lang\->get('NAVBAR\_\_CUSTOM\_URL') ?>" name\="url"\>

</div\>

<a href\="#"

@@ -238,9 +238,9 @@

url \= {};

for (var key in test \= names) {

var l \= test\[key\].split('=');

l \= l\[1\];

l \= decodeURIComponent(l\[1\]);

var p \= urls\[key\].split('=');

p \= p\[1\];

p \= decodeURIComponent(p\[1\]);

url\[l\] \= p;

}

}

CVE-2022-1163: improv. fix xss with navbar · MineWeb/MineWebCMS@06ce52c

An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete.

*   Edit Task

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

Risk Rating

Low

Author Affiliation

Wikimedia Communities

*   Task Graph
*   Mentions

**Event Timeline**

Restricted Application added a subscriber: Aklapper.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Low.

Reedy renamed this task from Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

Reedy renamed this task from CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

CVE-2022-28202: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

**

CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete

Closed, ResolvedPublicSecurity



**

*   Edit Task
*   Edit Related Tasks...
*   Edit Related Objects...

*   Mute Notifications
*   Protect as security issue
*   Award Token
*   Flag For Later

**List of steps to reproduce** (step by step, including full links if applicable):

*   Be sure your wiki has files uploaded (non-pdfs)
*   Go to \[\[MediaWiki:Widthheight\]\] and append "<script>alert('XSS widthheight');</script>"
*   Go to index.php?title=Special:NewFiles&limit=2 and you will get the alerts

This is from ImageHandler::getDimensionsString and also includes "widthheightpage" for pdfs.  
It affects all gallery which shows dimensions, that is not true for parser/wikitext.  
The default depends on $wgGalleryOptions.  
Categories with files are affected  
Special:Uncategorizedimages and Special:Unusedimages and Special:Mostimages are affected.

A second case:

*   Log in as sysop
*   Go to Special:ListFiles and select a file with a 2 or higher in the Versions column
*   In the file history click "(change visibility)" and you will get the alert.

For the second case the escaped is also missing for message "nbytes" in RevDelFileItem::getHTML

**What happens?**:  
javascript alerts are shown.

**What should have happened instead?**:  
No javascript alert should be shown. The script tag must be presented as visible text.

**Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc**: current master

Risk Rating

Low

Author Affiliation

Wikimedia Communities

*   Task Graph

**Event Timeline**

Comment Actions

Only priviliged user can edit messages, but the use of Special:RevisionDelete also affects oversights.

I am not sure if problems with message escaping should be public or better private like this. Feel free to change as needed.

Comment Actions

Thanks for filling the task. Definitely let's keep this private (at least for now) – this is an active vulnerability (although it requires sysop rights to exploit).

Comment Actions

We've resolved many issues like this in public in the past (recent examples:  1   2 ).

I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.

Comment Actions

This should just be a simple s/text/escaped/ here and here, correct?

> I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.

I think the Security-Team is fine rating many of these msg issues (including this issue) as **low risk** if a patch can go through gerrit on a Monday just prior to the train cut.

Comment Actions

> This should just be a simple s/text/escaped/ here and here, correct?
> 
> > I think it's much more practical, and not very risky, to resolve them in public. Or if there's a good reason not to do that, please let me know and I'll keep similar issues private in the future too.
> 
> I think the Security-Team is fine rating many of these msg issues (including this issue) as **low risk** if a patch can go through gerrit on a Monday just prior to the train cut.

The return value of ImageHandler::getDimensionsString is escaped by the caller (at least in ImageHistoryList) and should be wrapped with htmlspecialchars in the Gallery here

The second part in RevDelFileItem is okay with /text/escaped/ replace.

Comment Actions

First attempt at a patch per @Umherirrender's advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

Comment Actions

> First attempt at a patch per @Umherirrender's advice above. Per my previous comment, this can be sent up and merged via gerrit next Monday if it looks decent.

That works and looks very good. +2

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed Risk Rating from N/A to Low.

Reedy added a parent task: Restricted Task.Sun, Mar 20, 2:51 PM

Reedy renamed this task from Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete to CVE-2022-: Messages widthheight/widthheightpage/nbytes not escaped when used in galleries or Special:RevisionDelete.Mon, Mar 28, 1:53 PM

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL

Archer 6.x through 6.10 (6.10.0.0) contains a reflected XSS vulnerability. A remote SAML-unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and gets executed by the web browser in the context of the vulnerable web application.

**Archer Identifier**

SA-1

**CVE Identifier**

CVE-2021-41594, CVE-2021-33616, CVE-2021-38362, CVE-2022-26948, CVE-2022-26949, CVE-2022-26950, CVE-2022-26947, CVE-2022-2695

**Severity**

Medium

**Severity Rating**

See below for scores of individual CVEs

**Affected Products**

Archer versions greater than 6.x

**Summary**

Archer contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

**Details**

Archer has been updated for the following vulnerabilities:

• Improper Access Control Vulnerability CVE-2021-41594

Archer 6.x through 6.9 SP3 P2 (6.9.3.2) contains an improper access control vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to gain access to API information that should only be allowed by extra privileges.

CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

  
• Stored Cross-Site Scripting Vulnerability CVE-2021-33616

Archer 6.x through 6.9 SP1 P4 (6.9.1.4) contains a stored XSS vulnerability. A remote authenticated administrative Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When application users access the corrupted data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application.

CVSSv3 Base Score: 6.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)

  
• REST API Authorization Bypass Vulnerability - CVE-2021-38362

The REST API in Archer 6.x through 6.9 SP3 (6.9.3.0) contains an authorization bypass vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to view sensitive information.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

  
• Insecure Credential Storage Vulnerability with RSS feed – CVE-2021-26948

The Archer RSS feed integration for Archer 6.x through 6.9 SP1 (6.9.1.0) is affected by an insecure credential storage vulnerability. A malicious attacker may obtain access to credential information to use it in further attacks.

CVSSv3.1 Base Score: 5.8 (AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:H)

  
• Improper Access Control Vulnerability – CVE-2022-26949

Archer 6.x through 6.9 SP2 P1 (6.9.2.1) contains an improper access control vulnerability on attachments. A remote authenticated malicious user could potentially exploit this vulnerability to gain access to files that should only be allowed by extra privileges.

CVSSv3 Base Score: 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

  
• Open Redirect Vulnerability – CVE-2022-26950

Archer 6.x through 6.9 P2 (6.9.0.2) are affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims’ credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred.

CVSSv3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

  
• Cross-site Scripting Vulnerability CVE-2022-26947

Archer 6.x through 6.9 SP3 (6.9.3.0) contains a reflected XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and gets executed by the web browser in the context of the vulnerable web application.

CVSSv3 Base Score: 6.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N)

  
• Cross-site Scripting Vulnerability CVE-2022-26951

Archer 6.x through 6.10 (6.10.0.0) contain a reflected XSS vulnerability. A remote SAML unauthenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user to supply malicious HTML or JavaScript code to the vulnerable web application, the malicious code is then reflected back to the victim and gets executed by the web browser in the context of the vulnerable web application.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

**Recommendation**

For CVE-2021-41594, the following Archer releases contain a resolution to this vulnerability:  
     • Archer version 6.9 SP3 P3 (6.9.3.3) or higher

For CVE-2021-33616, the following Archer releases contain a resolution to this vulnerability:  
     • Archer version 6.9 SP2 (6.9.2) or higher

For CVE-2021-38362, the following Archer releases contain a resolution to this vulnerability:  
     • Archer version 6.9 SP3 HF1 (6.9.3.0.1) or higher

For CVE-2022-26948 (CE-5808), the following Archer releases contain a resolution to this vulnerability:  
     • Archer version 6.9 SP1 P1 (6.9.1.1) or higher  
Note: This security issue was fixed in 6.9 SP1 P1 but introduced a product regression fixed in 6.9 SP2 P1 (CE-9723), so we recommend installing 6.9 SP2 P1 or higher if you utilize the impacted functionality.

For CVE-2022-26949, the following Archer releases contain a resolution to this vulnerability:  
     • Archer version 6.9 SP2 P2 (6.9.2.2) or higher

For CVE-2022-26950, the following Archer releases contain a resolution to this vulnerability:  
     • Archer version 6.9 P3 (6.9.0.3) or higher

For CVE-2022-26947, the following Archer releases contain a resolution to this vulnerability:  
     • Archer version 6.9 SP3 P1 (6.9.3.1) or higher

For CVE-2022-26951, the following Archer releases contain a resolution to this vulnerability:  
     • Archer version 6.10 P1 (6.10.0.1) or higher

Archer recommends all customers upgrade at the earliest opportunity.

**Credit**

Archer would like to thank Mariani Francesco for reporting CVE-2021-41594.  
Archer would like to thank Mandiant, Angelo Alviar, Michael Maturi, and Troy Knutson for reporting CVE-2021-38362.  
Archer would like to thank Mandiant, Angelo Alviar, Michael Maturi, and Troy Knutson for reporting CVE-2021-38616.

**Severity Rating**

For an explanation of Severity Ratings, refer to the Archer Vulnerability Disclosure Policy. Archer recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

**EOPS Policy**

Archer has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

**Legal Information**

Read and use the information in this Archer Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Archer Customer Support. Archer distributes Archer Security Advisories in order to bring to the attention of users of the affected Archer products, important security information.

Archer recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Archer disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall Archer, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Archer, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

CVE-2022-26951: Archer, An RSA Business, Update for Multiple Vulnerabilities

A stored cross-site scripting (XSS) vulnerability in Hospital Patient Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "special" field.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-26244: Persistent cross-site scripting (XSS) in targeted towards web admin through /admin-panel1.php at via the parameter "special". · Issue #23 · kishan0725/Hospital-Management-System

Tag

#xss