Mariusz Popławski mariuszpoplawski

## gist:1e7893bcd6ee58637150c8bb72137742
CVE- IN Progress
------------------------------------------

Local file read from web root via crafted URI in commandbox  <= 5.1.1   allows remote attackers to fetch sensitive files from WEB-INF/ containing for example database connection strings, smtp credentials. Fetched encrypted connection strings can be easily decrypted due to hardcoded secret KEY for all instances of commandbox.

 ------------------------------------------

 [Additional Information]
 Example payload:
     http://192.168.1.22:50100/lucee//WEB-INF/lucee-server/context/lucee-server.xml

## CVE-2020-11976
CVE-2020-11976 - Apache wicket LFI / markup source file read vulnerability
------------------------------------------

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering.
Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5

For example if there are credentials in the markup which are never supposed to be visible to the client:

  <wicket:remove>

## CVE-2019-19129
CVE-2019-19129 - Remote Stored XSS in attachment’s name
------------------------------------------
Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.

Afterlogic blog post:
https://auroramail.wordpress.com/2019/11/25/vulnerability-closed-in-webmail-and-aurora-remote-stored-xss-in-attachments-name/


Mariusz Popłwski / AFINE.com team

## CVE-2020-13443
CVE-2020-13443
------------------------------------------

[Suggested description]
 ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions.
 A user with low privileges (member) is able to upload such a file on a server.
 It is possible to bypass the checks of MIME type and file-extension while uploading new files.
 Short aliases are not used for an attachment; instead, uploaded files can be accessed directly. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must be able to (at least) send and compose messages.

 ------------------------------------------

## CVE-2020-13700
CVE-2020-13700
------------------------------------------

[Suggested description]
 An issue was discovered in the acf-to-rest-api WordPress plugin up to version 3.1.0. It allowed insecure direct object reference via permalinks manipulation, as demonstrated in a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as login and pass values.

 ------------------------------------------

 [Additional Information]
 During penetration test we have found that the logic of ACF can be abused by sending crafted URI and overriding parameters in permalinks using $_GET parameter. There is a possibility to read Wordpress settings saved in "wp_options" table.

## CVE-2020-13484
CVE-2020-13484
------------------------------------------

 Bitrix24 up to 20.0.975 allows SSRF via intranet IP address in the services/main/ajax.php?action=attachUrlPreview url parameter. If the destination URL hosts an HTML document containing '<meta name="og:image" content="', Bitrix core follows content URL of metatag.

 ------------------------------------------

 [Additional Information]
 First vulnerability allows to trigger server-side request forgery to remote addresses. Second vulnerability in this functionality let us bypass restrictions and generate another request that bypassed policy of local IP block. We were able to generate requests in internal infrastructure.


## CVE-2020-13483
CVE-2020-13483
------------------------------------------

 The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.

 ------------------------------------------

 [Additional Information]
 Vulnerability exists in:
 http://192.168.1.30/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.location)%3B%7D%3B//%3C/div%3E
	CVE- IN Progress
	------------------------------------------

	Local file read from web root via crafted URI in commandbox <= 5.1.1 allows remote attackers to fetch sensitive files from WEB-INF/ containing for example database connection strings, smtp credentials. Fetched encrypted connection strings can be easily decrypted due to hardcoded secret KEY for all instances of commandbox.

	------------------------------------------

	[Additional Information]
	Example payload:
	http://192.168.1.22:50100/lucee//WEB-INF/lucee-server/context/lucee-server.xml
	CVE-2020-11976 - Apache wicket LFI / markup source file read vulnerability
	------------------------------------------

	By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates.
	This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering.
	Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5

	For example if there are credentials in the markup which are never supposed to be visible to the client:

	<wicket:remove>
	CVE-2019-19129 - Remote Stored XSS in attachment’s name
	------------------------------------------
	Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.

	Afterlogic blog post:
	https://auroramail.wordpress.com/2019/11/25/vulnerability-closed-in-webmail-and-aurora-remote-stored-xss-in-attachments-name/


	Mariusz Popłwski / AFINE.com team
	CVE-2020-13443
	------------------------------------------

	[Suggested description]
	ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions.
	A user with low privileges (member) is able to upload such a file on a server.
	It is possible to bypass the checks of MIME type and file-extension while uploading new files.
	Short aliases are not used for an attachment; instead, uploaded files can be accessed directly. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must be able to (at least) send and compose messages.

	------------------------------------------
	CVE-2020-13700
	------------------------------------------

	[Suggested description]
	An issue was discovered in the acf-to-rest-api WordPress plugin up to version 3.1.0. It allowed insecure direct object reference via permalinks manipulation, as demonstrated in a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as login and pass values.

	------------------------------------------

	[Additional Information]
	During penetration test we have found that the logic of ACF can be abused by sending crafted URI and overriding parameters in permalinks using $_GET parameter. There is a possibility to read Wordpress settings saved in "wp_options" table.
	CVE-2020-13484
	------------------------------------------

	Bitrix24 up to 20.0.975 allows SSRF via intranet IP address in the services/main/ajax.php?action=attachUrlPreview url parameter. If the destination URL hosts an HTML document containing '<meta name="og:image" content="', Bitrix core follows content URL of metatag.

	------------------------------------------

	[Additional Information]
	First vulnerability allows to trigger server-side request forgery to remote addresses. Second vulnerability in this functionality let us bypass restrictions and generate another request that bypassed policy of local IP block. We were able to generate requests in internal infrastructure.
	CVE-2020-13483
	------------------------------------------

	The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.

	------------------------------------------

	[Additional Information]
	Vulnerability exists in:
	http://192.168.1.30/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.location)%3B%7D%3B//%3C/div%3E