CVE-2019-19129 - Remote Stored XSS in attachment’s name
------------------------------------------
Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.
Afterlogic blog post:
https://auroramail.wordpress.com/2019/11/25/vulnerability-closed-in-webmail-and-aurora-remote-stored-xss-in-attachments-name/
Mariusz Popłwski / AFINE.com team
CVE-2020-13443
------------------------------------------
[Suggested description]
ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions.
A user with low privileges (member) is able to upload such a file to the server.
The MIME-type and file-extension checks can be bypassed while uploading new files.
Attachments are not served under short aliases; uploaded files can be accessed directly at their stored path. Uploading PHP is possible only with member access, or when registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must (at least) be able to compose and send messages.
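As an added, defender-side illustration (not code from the advisory or from ExpressionEngine) of why a raw suffix comparison misses a `.php%20` name, and what a normalising check looks like instead. The extension sets and file names are constructed assumptions, not values from the advisory.

```python
from urllib.parse import unquote

# Assumed policy: what the upload handler is meant to accept, and what the web
# server would hand to a PHP interpreter (constructed lists, adjust per deployment).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
SERVER_EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "phar", "phps"}


def naive_is_blocked(filename: str) -> bool:
    """The kind of check a '.php%20' name slips past: a raw, undecoded suffix test."""
    return filename.lower().endswith(".php")


def normalize_filename(raw: str) -> str:
    """Decode percent-encoding, keep only the basename, and strip trailing
    whitespace/dots/NULs that a filesystem or web server may silently drop."""
    name = unquote(raw)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(" .\t\r\n\x00")


def hardened_is_blocked(raw: str) -> bool:
    """Allow-list the final extension and reject any executable extension
    appearing anywhere in the name (covers 'x.php.jpg' style double extensions)."""
    name = normalize_filename(raw).lower()
    if not name or "\x00" in name:
        return True
    parts = name.split(".")
    if len(parts) < 2:
        return True  # no extension at all: cannot classify, so reject
    extensions = parts[1:]
    if any(ext in SERVER_EXECUTABLE for ext in extensions):
        return True
    return extensions[-1] not in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for sample in ("shell.php%20", "shell.php ", "shell.PhP.", "shell.php.jpg", "photo.jpg"):
        print(f"{sample!r:18} naive={naive_is_blocked(sample)!s:5} hardened={hardened_is_blocked(sample)}")
```

The MIME type sent by the client is attacker-controlled as well, so it should only ever be a second signal next to a check like this, never the sole gate.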
------------------------------------------
CVE-2020-13483
------------------------------------------
The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
------------------------------------------
[Additional Information]
Vulnerability exists in:
http://192.168.1.30/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.location)%3B%7D%3B//%3C/div%3E
CVE-2020-13484
------------------------------------------
Bitrix24 up to 20.0.975 allows SSRF via an intranet IP address in the url parameter of services/main/ajax.php?action=attachUrlPreview. If the destination URL hosts an HTML document containing '<meta name="og:image" content="', the Bitrix core follows the content URL of that meta tag.
------------------------------------------
[Additional Information]
The first vulnerability allows triggering server-side request forgery to remote addresses. The second vulnerability in the same functionality let us bypass restrictions and generate a further request that was not subject to the local-IP block policy. We were able to generate requests into the internal infrastructure.
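An added example, not Bitrix code, showing the failure mode described above beside its fix: a URL-preview routine that checks only the user-supplied URL against a private-address policy, and one that re-applies the same policy to the og:image URL before requesting it. The HTML body, DNS table and hostnames are constructed stand-ins; no network requests are made.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-ins for the network: a public page whose og:image points at an
# intranet host, and the intranet resource itself. No real requests are made.
FAKE_WEB = {
    "http://public.example/page": (
        '<html><head><meta name="og:image" '
        'content="http://192.168.1.30/internal.png"></head></html>'
    ),
    "http://192.168.1.30/internal.png": "INTERNAL-ONLY-RESOURCE",
}
FAKE_DNS = {"public.example": "93.184.216.34", "192.168.1.30": "192.168.1.30"}

OG_IMAGE_RE = re.compile(
    r'<meta\s+name=["\']og:image["\']\s+content=["\']([^"\']+)["\']', re.I
)


def is_blocked_target(url: str, resolve=FAKE_DNS.get) -> bool:
    """Policy applied to any URL the server is about to fetch: http(s) only,
    and the host must resolve to a globally routable address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True
    ip = resolve(parsed.hostname)
    if ip is None:
        return True
    return not ipaddress.ip_address(ip).is_global


def fetch(url: str) -> str:
    return FAKE_WEB.get(url, "")


def vulnerable_preview(url: str):
    """Checks the first hop only, then follows og:image unconditionally."""
    if is_blocked_target(url):
        return None
    match = OG_IMAGE_RE.search(fetch(url))
    return fetch(match.group(1)) if match else None


def hardened_preview(url: str):
    """Runs the same policy on every URL the preview logic derives from a response."""
    if is_blocked_target(url):
        return None
    match = OG_IMAGE_RE.search(fetch(url))
    if not match or is_blocked_target(match.group(1)):
        return None
    return fetch(match.group(1))
```

Resolving and then connecting separately still leaves a DNS-rebinding window, so in production the address that passed the check should be the one actually connected to, and HTTP redirects need the same per-hop treatment.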
CVE-2020-13700
------------------------------------------
[Suggested description]
An issue was discovered in the acf-to-rest-api WordPress plugin up to version 3.1.0. It allowed insecure direct object reference via permalink manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information from the wp_options table, such as login and password values.
------------------------------------------
[Additional Information]
During a penetration test we found that the logic of ACF can be abused by sending a crafted URI and overriding permalink parameters via the $_GET array. This makes it possible to read WordPress settings saved in the "wp_options" table.
CVE-2020-25139
------------------------------------------
Cross Site Scripting in delete_alert_checker
------------------------------------------
[Description]
Penetration testing has shown that the application is vulnerable to Cross-Site Scripting (XSS), because malicious JavaScript code can be injected into and stored within it.
------------------------------------------
[Additional Information]
CVE-2020-25138
------------------------------------------
Cross Site Scripting in delete_alert_checker
------------------------------------------
[Description]
Penetration testing has shown that the application is vulnerable to Cross-Site Scripting (XSS), because malicious JavaScript code can be injected into and stored within it.
------------------------------------------
[Additional Information]
CVE-2020-25137
------------------------------------------
Cross Site Scripting in alert_check
------------------------------------------
[Description]
Penetration testing has shown that the application is vulnerable to Cross-Site Scripting (XSS), because malicious JavaScript code can be injected into and stored within it.
------------------------------------------
[Additional Information]
CVE-2020-25136
------------------------------------------
Authenticated Local File Inclusion in device/proto
------------------------------------------
[Description]
Penetration testing has shown that the application is vulnerable to local file inclusion, because any file with the inc.php extension can be loaded without restriction. Inclusion of other files (even though limited to the mentioned extension) could lead to Remote Code Execution on further analysis and opens further attack vectors.
------------------------------------------
CVE-2020-25135
------------------------------------------
Cross Site Scripting in graphs
------------------------------------------
[Description]
Penetration testing has shown that the application is vulnerable to Cross-Site Scripting (XSS), because malicious JavaScript code can be injected into and stored within it.
------------------------------------------
[Additional Information]