CVE-2020-13483
------------------------------------------
The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
------------------------------------------
[Additional Information]
Vulnerability exists in:
http://192.168.1.30/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.location)%3B%7D%3B//%3C/div%3E
CVE-2020-13484
------------------------------------------
Bitrix24 up to 20.0.975 allows SSRF via an intranet IP address in the url parameter of services/main/ajax.php?action=attachUrlPreview. If the destination URL hosts an HTML document containing '<meta name="og:image" content="', the Bitrix core follows the content URL of that meta tag.
------------------------------------------
[Additional Information]
The first vulnerability allows triggering server-side request forgery to remote addresses. The second vulnerability in this functionality let us bypass restrictions and generate another request that bypassed the local IP block policy. We were able to generate requests into the internal infrastructure.
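The defensive point of the two findings above is that a URL-preview fetcher must apply its address policy to every request it makes, including the og:image URL discovered in the fetched page, not only to the user-supplied URL. The following is an added example of such a guard, not Bitrix code; it uses a constructed FAKE_DNS table in place of real name resolution so it runs offline.

```python
import ipaddress
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for DNS so the example runs offline. Real code would
# call socket.getaddrinfo() and must check every returned address, then
# connect to the address it checked (DNS rebinding otherwise defeats the test).
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
}

OG_IMAGE_RE = re.compile(
    r'<meta\s+name=["\']og:image["\']\s+content=["\']([^"\']+)["\']', re.I)


def is_safe_target(url: str) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to globally
    routable addresses (rejects loopback, RFC 1918, link-local, etc.)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]
    if not addrs:
        return False                                  # unresolvable: fail closed
    return all(a.is_global for a in addrs)


def extract_og_image(html: str, base_url: str):
    """Return the absolute og:image URL declared in the page, if any."""
    m = OG_IMAGE_RE.search(html)
    return urljoin(base_url, m.group(1)) if m else None


def preview_urls_to_fetch(url: str, fetched_html: str):
    """Return the URLs the preview feature may request: the page itself and,
    if present, its og:image. Both hops go through the same policy, so an
    og:image pointing inside the network is dropped instead of followed."""
    if not is_safe_target(url):
        return []
    allowed = [url]
    img = extract_og_image(fetched_html, url)
    if img is not None and is_safe_target(img):
        allowed.append(img)
    return allowed
```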
CVE-2020-13700
------------------------------------------
[Suggested description]
An issue was discovered in the acf-to-rest-api WordPress plugin up to version 3.1.0. It allowed insecure direct object reference via permalinks manipulation, as demonstrated in a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as login and pass values.
------------------------------------------
[Additional Information]
During a penetration test we found that the logic of ACF can be abused by sending a crafted URI and overriding parameters in permalinks using a $_GET parameter. It is possible to read WordPress settings saved in the "wp_options" table.
CVE-2020-13443
------------------------------------------
[Suggested description]
ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions.
A user with low privileges (member) is able to upload such a file on a server.
It is possible to bypass the checks of MIME type and file-extension while uploading new files.
Short aliases are not used for an attachment; instead, uploaded files can be accessed directly. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must be able to (at least) send and compose messages.
------------------------------------------
CVE-2019-19129 - Remote Stored XSS in attachment’s name
------------------------------------------
Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.
Afterlogic blog post:
https://auroramail.wordpress.com/2019/11/25/vulnerability-closed-in-webmail-and-aurora-remote-stored-xss-in-attachments-name/
Mariusz Popłwski / AFINE.com team
CVE-2020-11976 - Apache Wicket LFI / markup source file read vulnerability
------------------------------------------
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering.
Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5.
For example, if there are credentials in the markup which are never supposed to be visible to the client:
<wicket:remove>
CVE - in progress
------------------------------------------
Local file read from the web root via a crafted URI in CommandBox <= 5.1.1 allows remote attackers to fetch sensitive files from WEB-INF/, containing for example database connection strings and SMTP credentials. Fetched encrypted connection strings can be easily decrypted because the secret key is hard-coded and shared by all instances of CommandBox.
------------------------------------------
[Additional Information]
Example payload:
http://192.168.1.22:50100/lucee//WEB-INF/lucee-server/context/lucee-server.xml
CVE-2020-25139
------------------------------------------
Cross-Site Scripting in delete_alert_checker
------------------------------------------
[Description]
A penetration test has shown that the application is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code within it.
------------------------------------------
[Additional Information]
CVE-2020-25138
------------------------------------------
Cross-Site Scripting in delete_alert_checker
------------------------------------------
[Description]
A penetration test has shown that the application is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code within it.
------------------------------------------
[Additional Information]
CVE-2020-25137
------------------------------------------
Cross-Site Scripting in alert_check
------------------------------------------
[Description]
A penetration test has shown that the application is vulnerable to Cross-Site Scripting (XSS) because it is possible to inject and store malicious JavaScript code within it.
------------------------------------------
[Additional Information]