usd AG Security Advisories 11/2021

Related Vulnerabilities: CVE-2021-25273   CVE-2021-32718
                <!--X-Body-Begin-->
<!--X-User-Header-->
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">usd AG Security Advisories 11/2021</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Responsible Disclosure via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Fri, 3 Dec 2021 15:15:40 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Hi all,

this week usd AG disclosed the following advisories at
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/">https://herolab.usd.de/security-advisories/</a>&gt;:

* usd-2021-0032 | XSS in SUSE CVE Database (suse.com):
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/usd-2021-0032/">https://herolab.usd.de/security-advisories/usd-2021-0032/</a>&gt;

* usd-2021-0006 | LFI &amp; Path Traversal in ChronoEngine ChronoForms v7:
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/usd-2021-0006/">https://herolab.usd.de/security-advisories/usd-2021-0006/</a>&gt;

* usd-2021-0007 | LFI &amp; Path Traversal in ChronoEngine ChronoForums:
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/usd-2021-0007/">https://herolab.usd.de/security-advisories/usd-2021-0007/</a>&gt;

* usd-2020-0106 (CVE-2021-25273) | XSS in Sophos UTM:
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/usd-2020-0106/">https://herolab.usd.de/security-advisories/usd-2020-0106/</a>&gt;


--------------------------------------------------------------------------
--------------------------------------------------------------------------

usd-2021-0032 | SUSE CVE Database (suse.com)
============================================

Advisory ID: usd-2021-0032
Affected Product: SUSE CVE database
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting')
Security Risk: High
Vendor URL: &lt;<a rel="nofollow" href="https://www.suse.com/security/cve/">https://www.suse.com/security/cve/</a>&gt;
Vendor Status: Fixed

SUSE's CVE database embedded third-party content without sufficient
filtering and/or encoding. Multiple incidents have been identified where
SUSE embedded untrusted &lt;script&gt; tags, resulting in stored
Cross-Site Scripting (XSS).

 

Proof of Concept (PoC)
======================

In order to exploit the vulnerability, a new CVE record must be published
officially. This CVE record can contain arbitrary text as a "description".
Here, JavaScript code can be injected. The SUSE CVE database imports this
data automatically and displays the information on a website, where the
injected code is executed automatically.

An example CVE containing an HTML &lt;script&gt; tag is CVE-2021-32718
(&lt;<a rel="nofollow" href="https://www.suse.com/security/cve/CVE-2021-32718.html">https://www.suse.com/security/cve/CVE-2021-32718.html</a>&gt;).
Here, the HTML tag was interpreted, and potentially malicious JavaScript code
following it would have been executed.
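The defensive counterpart to the issue above, as an added example that is not part of the advisory or of SUSE's code: an importer that takes third-party records with a free-text description, HTML-encodes every field at render time (so a &lt;script&gt; tag in the description becomes visible text), and flags records that carry markup so the upstream source can be reviewed. The record shape, the table template and the sample descriptions are constructed for the illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample records shaped like the entries the advisory describes:
# an identifier plus a free-text "description" imported from a third party.
# Not real feed data.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "description": "Buffer overflow in the example parser."},
    {"id": "CVE-0000-0002",
     "description": "Text with markup: <script>alert(1)</script> and 1 < 2."},
]

# Tag-like tokens and character references: anything a browser would interpret
# if the description were copied into the page verbatim.
MARKUP_RE = re.compile(r"<[^>]*>|&#?\w+;")


def contains_markup(text: str) -> bool:
    """True if a free-text field contains something a browser would parse as HTML."""
    return MARKUP_RE.search(text) is not None


def render_record(record: dict) -> str:
    """Render one record as a table row. Every untrusted field is encoded for the
    HTML body context, so a <script> tag in the description becomes visible text."""
    cve_id = html.escape(record["id"], quote=True)
    description = html.escape(record["description"], quote=True)
    return f"<tr><td>{cve_id}</td><td>{description}</td></tr>"


def import_records(records):
    """Render all records and report which ones carried markup. Records are not
    dropped: the encoding makes them safe to display; the flag is for the
    importer's log so the upstream source can be reviewed."""
    rows, flagged = [], []
    for rec in records:
        if contains_markup(rec["description"]):
            flagged.append(rec["id"])
        rows.append(render_record(rec))
    return "<table>" + "".join(rows) + "</table>", flagged


class _TagCollector(HTMLParser):
    """Collects the element names a browser would create from a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(fragment: str) -> list:
    """Regression check for the renderer: only the template's own elements may
    appear; an injected script would show up here as 'script'."""
    parser = _TagCollector()
    parser.feed(fragment)
    return parser.tags


if __name__ == "__main__":
    table, flagged = import_records(SAMPLE_RECORDS)
    print(table)
    print("records carrying markup:", flagged)
    print("elements in output:", element_names(table))
```

The point of `element_names` is that the check runs on the rendered output, which is what the browser sees; a filter applied only to the imported text would still miss a description that is later placed into an attribute or script context without encoding.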

 

The following screenshots illustrate that the &lt;script&gt; tag was embedded
without any encoding or filtering and interpreted as markup by the browser
accordingly:
&lt;<a rel="nofollow" href="https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/suse_xss1.png">https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/suse_xss1.png</a>&gt;
&lt;<a rel="nofollow" href="https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/suse_xss4.png">https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/suse_xss4.png</a>&gt;

Credits
=======

This security vulnerability was found by Christian Rellmann of usd AG.

Please find the full advisory here:
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/usd-2021-0032/">https://herolab.usd.de/security-advisories/usd-2021-0032/</a>&gt;


--------------------------------------------------------------------------
--------------------------------------------------------------------------

usd-2021-0006 | ChronoEngine ChronoForms v7
===========================================

Advisory ID: usd20210006
Affected Product: ChronoEngine ChronoForms v7
Affected Version: v7.0.7
Vulnerability Type: CWE-22: Improper Limitation of a Pathname to a
Restricted Directory ('Path Traversal')
Security Risk: Medium
Vendor URL: &lt;<a rel="nofollow" href="https://www.chronoengine.com/chronoforms">https://www.chronoengine.com/chronoforms</a>&gt;
Vendor Status: Unknown

The ChronoForms function to download form input logs is vulnerable to path
traversal attacks. This allows an attacker with administration permissions
to download arbitrary files from the web server's filesystem.

The parameter `fname` passed to the log script in the Joomla administration
interface is not filtered for path traversal. This allows an attacker with
administration permissions to download arbitrary files from the web server's
filesystem, for instance Joomla's configuration file containing secret
credentials.

 

Proof of Concept (PoC)
======================

Open the vulnerable file in a web browser:
https://&lt;JoomlaInstallation&gt;/administrator/index.php?option=com_chronoforms7&amp;cont=logs&amp;act=file&amp;fname=&lt;local_file&gt;

Examples:

* /etc/passwd:
&lt;<a rel="nofollow" href="https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/usd20210006-1-redacted.png">https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/usd20210006-1-redacted.png</a>&gt;

* Joomla Configuration:
&lt;<a rel="nofollow" href="https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/usd20210006-2-redacted.png">https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/usd20210006-2-redacted.png</a>&gt;

Credits
=======

This security vulnerability was found by Nicolas Schickert and Tim Kranz of
usd AG.

Please find the full advisory here:
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/usd-2021-0006/">https://herolab.usd.de/security-advisories/usd-2021-0006/</a>&gt;


--------------------------------------------------------------------------
--------------------------------------------------------------------------

usd-2021-0007 | ChronoEngine ChronoForums
=========================================

Advisory ID: usd20210007
Affected Product: ChronoEngine ChronoForums
Affected Version: v2.0.11
Vulnerability Type: CWE-22: Improper Limitation of a Pathname to a
Restricted Directory ('Path Traversal')
Security Risk: High
Vendor URL: &lt;<a rel="nofollow" href="https://www.chronoengine.com/chronoforums">https://www.chronoengine.com/chronoforums</a>&gt;
Vendor Status: Unknown

The ChronoForums avatar function is vulnerable to unauthenticated path
traversal attacks. This enables unauthenticated attackers to read arbitrary
files, for instance Joomla's configuration file containing secret
credentials.

The ChronoForums avatar function is vulnerable to path traversal attacks.
An attacker can pass arbitrary local file paths as the 'av' parameter, and
the content of the file is returned. Unauthenticated attackers could use
this vulnerability to read arbitrary files, for instance Joomla's
configuration file containing secret credentials.

 

 

Proof of Concept (PoC)
======================

Open the vulnerable file in a web browser:
https://&lt;JoomlaInstallation&gt;/index.php/component/chronoforums2/profiles/avatar/u1?tvout=file&amp;av=&lt;local_file&gt;

Examples:

* `../../../../../../../etc/passwd`:
&lt;<a rel="nofollow" href="https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/usd20210007-1.png">https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/usd20210007-1.png</a>&gt;

* `../../../../configuration.php`:
&lt;<a rel="nofollow" href="https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/usd20210007-2.png">https://herolab.usd.de/wp-content/uploads/sites/9/2021/11/usd20210007-2.png</a>&gt;

Credits
=======

This security vulnerability was found by Nicolas Schickert and Tim Kranz of
usd AG.

Please find the full advisory here:
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/usd-2021-0007/">https://herolab.usd.de/security-advisories/usd-2021-0007/</a>&gt;


--------------------------------------------------------------------------
--------------------------------------------------------------------------

usd-2020-0106 (CVE-2021-25273) | Sophos UTM
===========================================

Advisory ID: usd-2020-0106
CVE ID: CVE-2021-25273
Affected Product: Sophos UTM
Affected Version: &lt; UTM 9.706
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URL: &lt;<a rel="nofollow" href="https://sophos.com">https://sophos.com</a>&gt;
Vendor Status: Fixed

Sophos UTM is a firewall solution by Sophos. It implements a web interface
that allows authenticated users to manage quarantined mails and to inspect
their contents. This web-based interface did not filter user-controlled
input sufficiently, resulting in multiple Cross-Site Scripting (XSS)
vulnerabilities.

Sophos UTM failed to sanitize the following contents of mails before
reflecting them within the web interface:

* subject
* filename(s) of attached file(s)
* sender's name
* mail body (actual contents)

 

 

Proof of Concept (PoC)
======================

1. Send an e-mail that is deliberately routed to quarantine by Sophos UTM,
for instance by including the "Generic Test for Unsolicited Bulk Email"
(GTUBE) test string. Additionally, include the following markup:

```
&lt;iframe src="asd"&gt;
&lt;img src="x:gif" onerror="alert('asd')"&gt;&lt;/img&gt;
```

2. Access the SMTP quarantine interface and display the detail view of the
previously sent e-mail.

3. Observe that the XSS payload is executed within Sophos UTM's origin.
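As an added example (not Sophos code), here is what a quarantine detail view should do with the four fields the advisory lists: take them from the parsed, decoded message rather than from raw header bytes, and HTML-encode each one just before it is placed in the page, so the PoC markup above is displayed as text rather than executed. The sample message is constructed with Python's standard `email` package and reuses the advisory's payload; the addresses, subject text and attachment filename are made up.

```python
import email
import html
from email import policy
from email.headerregistry import Address
from email.message import EmailMessage

# The advisory's PoC markup, reused as the sample payload (constructed message).
PAYLOAD_IFRAME = '<iframe src="asd">'
PAYLOAD_IMG = '<img src="x:gif" onerror="alert(\'asd\')"></img>'


def build_sample_message() -> bytes:
    """Constructed quarantine candidate carrying markup in each field the advisory
    lists: sender display name, subject, attachment filename and body.
    Not a captured mail; addresses use the reserved .invalid domain."""
    msg = EmailMessage()
    msg["From"] = Address("Sender <img src=x onerror=alert(1)>", "sender", "example.invalid")
    msg["To"] = Address("Recipient", "victim", "example.invalid")
    # The umlaut makes this an RFC 2047 encoded header on the wire: the UI has to
    # decode before it checks or escapes anything, or it inspects the wrong bytes.
    msg["Subject"] = "Quarant\u00e4ne " + PAYLOAD_IFRAME
    msg.set_content(PAYLOAD_IMG + "\n")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="invoice<iframe src=asd>.pdf")
    return msg.as_bytes()


def quarantine_view_fields(raw: bytes) -> dict:
    """Extract the fields the quarantine detail view shows. They come from the
    parsed, decoded message (display name, decoded subject, attachment filenames,
    text body), not from raw header lines."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0].display_name if msg["From"] else ""
    subject = str(msg["Subject"] or "")
    filenames = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    return {"subject": subject, "sender": sender, "filenames": filenames, "body": body}


def _esc(value: str) -> str:
    """HTML-encode for the body context, quotes included (safe in attributes too)."""
    return html.escape(value, quote=True)


def render_detail_view(fields: dict) -> str:
    """Build the detail-view fragment. Every field is encoded at the moment it is
    placed in the page, and the body is shown as text inside <pre>, never
    interpreted as markup, so the PoC payload renders as visible characters."""
    attachments = ", ".join(_esc(name) for name in fields["filenames"])
    return (
        "<dl>"
        f"<dt>Subject</dt><dd>{_esc(fields['subject'])}</dd>"
        f"<dt>Sender</dt><dd>{_esc(fields['sender'])}</dd>"
        f"<dt>Attachments</dt><dd>{attachments}</dd>"
        "</dl>"
        f"<pre>{_esc(fields['body'])}</pre>"
    )


if __name__ == "__main__":
    fields = quarantine_view_fields(build_sample_message())
    print(fields)
    print(render_detail_view(fields))
```

Showing the body as encoded text is the simplest safe choice for a quarantine viewer; if HTML mail must be rendered, that is a separate problem that needs an allowlisting sanitizer and a sandboxed frame, not output encoding alone.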

 

 

Credits
=======

This security vulnerability was found by Daniel Hoffmann of usd AG.

Please find the full advisory here:
&lt;<a rel="nofollow" href="https://herolab.usd.de/security-advisories/usd-2020-0106/">https://herolab.usd.de/security-advisories/usd-2020-0106/</a>&gt;

--------------------------------------------------------------------------
--------------------------------------------------------------------------

In accordance with usd AG's Responsible Disclosure Policy
(&lt;<a rel="nofollow" href="https://herolab.usd.de/en/responsible-disclosure/">https://herolab.usd.de/en/responsible-disclosure/</a>&gt;), all vendors have been
notified of the existence of these vulnerabilities.

The information provided in these security advisories is provided "as is"
and without warranty of any kind. Details of the security advisories at our
website may be updated in order to provide as accurate information as
possible.

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->