@pb-nsi
Created February 16, 2022 20:53
> [Suggested description]
> A reflected cross-site scripting (XSS) vulnerability in forms
> generated by JQueryForm.com before 2022-02-05 allows remote attackers
> to inject arbitrary web script or HTML via the redirect parameter to
> admin.php.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> admin.php -- the admin login page for a JQueryForm.com form.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [CVE Impact Other]
> Injection of arbitrary HTML or web script content via an unsanitized GET parameter.
>
> ------------------------------------------
>
> [Attack Vectors]
> This is a reflected XSS vulnerability. In order to be exploited, someone must click a malicious link containing the arbitrary HTML or web script.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24981.
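As an added example (not code from JQueryForm.com or the advisory author), the following PHP sketch shows the two server-side controls that close a reflected XSS of the kind described above for the `redirect` parameter of a login page: restricting the value to a same-site relative path and HTML-escaping it whenever it is reflected. The function names `safe_redirect_target` and `h` and the fallback path `/admin.php` are assumptions for illustration.

```php
<?php
// Added example, not JQueryForm.com code. Function names and the fallback
// path are assumptions chosen for illustration.
declare(strict_types=1);

// Vulnerable pattern the advisory describes: the raw GET value is reflected
// into the page, so a crafted link can inject markup or script.
//   echo '<input type="hidden" name="redirect" value="' . $_GET['redirect'] . '">';

/**
 * Return a safe post-login target or the fallback.
 * Only a path beginning with a single "/" is accepted: no scheme, no
 * protocol-relative "//host", no backslash, no control characters. This
 * also rules out open redirects and javascript: URLs.
 */
function safe_redirect_target(?string $candidate, string $fallback = '/admin.php'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    if (!preg_match('#^/(?![/\\\\])[A-Za-z0-9._~/%?&=-]*$#', $candidate)) {
        return $fallback;
    }
    return $candidate;
}

/** Escape a value for insertion into an HTML attribute or text node. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$target = safe_redirect_target($_GET['redirect'] ?? null);

// Even after validation the value is escaped on output; the two controls are
// independent, so a regression in one does not reopen the injection.
echo '<form method="post" action="admin.php">' . "\n";
echo '  <input type="hidden" name="redirect" value="' . h($target) . '">' . "\n";
echo '  <input type="text" name="user"> <input type="password" name="pass">' . "\n";
echo '  <button type="submit">Log in</button>' . "\n";
echo '</form>' . "\n";

// Constructed sample inputs showing what the validator does with them.
foreach (['/admin.php?tab=1', '//evil.example/', 'https://evil.example', '"><b>x</b>'] as $sample) {
    printf("%-22s -> %s\n", $sample, safe_redirect_target($sample));
}
```

The validator returns the fallback for every sample except the first; note that the escaped output is what actually prevents the injection, while the path allowlist additionally blocks off-site redirects after login.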
> [Suggested description]
> Forms generated by JQueryForm.com before 2022-02-05 allow a remote
> authenticated attacker to access the cleartext credentials of all
> other form users. admin.php contains a hidden base64-encoded string
> with these credentials.
>
> ------------------------------------------
>
> [Additional Information]
> The admin.php page, post-authentication, contains a hidden base64-encoded string in the HTML source that contains the usernames and passwords for all authorized users of the form.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> admin.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the vulnerability, an attacker must be logged in to the administrative section of the form.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24982.
> [Suggested description]
> Forms generated by JQueryForm.com before 2022-02-05 allow remote
> attackers to obtain the URI to any uploaded file by capturing the POST
> response. When chained with CVE-2022-24984, this could lead to
> unauthenticated remote code execution on the underlying web server.
> This occurs because the Unique ID field is contained in the POST
> response upon submitting a form.
>
> ------------------------------------------
>
> [Additional Information]
> Four pieces of information are required to know the URI -- the
> directory, the field number, the filename, and the unique ID. The
> directory defaults to /data/; the field number can be known by
> inspecting the form's HTML or intercepting the POST request when
> submitting a form; and the filename is under the attacker's control.
> The unique ID is the key. In all forms before 2022-02-05, the unique
> ID is contained in the POST response upon submitting a form, allowing
> an attacker knowledge of the exact URI at which to access an uploaded
> file.
>
> No authentication is required to upload a file and obtain its URI.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Path Disclosure
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms with file upload capability generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> form.html
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the vulnerability, someone must submit a vulnerable form and capture the POST response.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24983.
> [Suggested description]
> Forms generated by JQueryForm.com before 2022-02-05 (if file-upload
> capability is enabled) allow remote unauthenticated attackers to
> upload executable files and achieve remote code execution. This occurs
> because file-extension checks occur on the client side, and because
> not all executable content (e.g., .phtml or .php.bak) is blocked.
>
> ------------------------------------------
>
> [Additional Information]
> The reason for this vulnerability is that file extension checking on
> the upload occurs client-side, and is thus easily bypassed by
> intercepting the POST request and tampering with the uploaded file.
> Server-side, forms generated prior to June 2019 (at least) will append
> a .bak extension to some filetypes often interpreted as PHP code by
> web servers (e.g. .php). However, there are two problems with this
> approach: (1) if .bak files are not blacklisted from executing PHP
> code, appending a .bak extension does not prevent PHP code from being
> executed. We have observed this behavior in the wild. Also, users of
> the form software are not notified that they must blacklist .bak
> extensions in order to use the forms safely. (2) not all filetypes
> known to execute valid PHP code have .bak appended. .phtml files, for
> instance, do not have .bak appended.
>
> Forms generated between sometime after June 2019 (we're not sure when)
> and Feb. 5, 2022 append .bak extensions to all file uploads,
> regardless of extension. This still faces problem (1), where web
> servers that do not blacklist .bak files may interpret those files as
> valid PHP (or other code), enabling unauthenticated RCE.
>
> In order to fully exploit this RCE vulnerability, it must be chained
> together with the path disclosure vulnerability for forms with file
> upload capability. That vulnerability is also disclosed in this
> submission.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> File Upload
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms with file upload capability generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> Forms generated by JQueryForm.com with file upload capability.
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit this vulnerability, an unauthenticated attacker must do the
> following: fill out a vulnerable form containing file upload
> capability, submit the form and intercept the POST request, alter the
> uploaded file to be a malicious file that the web server will execute,
> submit the POST request, and capture the POST response (to know the
> path to the uploaded file). At that point, the attacker will have been
> able to (1) upload a malicious file and (2) know its path. At that
> point, the attacker must only browse to that path to cause execution
> of the malicious file.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24984.
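The upload and path-disclosure issues (CVE-2022-24983 and CVE-2022-24984 above) are addressed together by one server-side design, shown here as an added example that is not JQueryForm.com's code: the final extension must be on an allowlist, the stored name is random so it carries no client-controlled segment (which also removes the multi-extension problem that the `.bak` rename tried to paper over), the file is written outside the document root, and the stored name is recorded server-side rather than echoed in the POST response. The helper names, the allowlist and the directory `/var/www/private_uploads` are assumptions.

```php
<?php
// Added example, not JQueryForm.com code. Helper names, the allowlist and the
// upload directory are assumptions for illustration.
declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'txt', 'docx'];

/**
 * Decide whether a client-supplied filename is acceptable and, if so, return
 * the random name it will be stored under. Returns null on rejection.
 *
 * The check is an allowlist on the final extension (case-insensitive), not a
 * denylist of executable ones, so .phtml, .php5, .phar etc. never need to be
 * enumerated. The stored name is "<random hex>.<ext>": the client's own name
 * is discarded, so "shell.php.pdf" can never survive as a multi-extension
 * file, and the URI cannot be derived from what was uploaded.
 */
function stored_upload_name(string $clientName): ?string
{
    $base  = basename($clientName);          // drop any path component
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                         // no extension, or a dotfile
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Handle one entry of $_FILES. Returns the stored name on success, null on
 * failure. The caller keeps the name in its own records; it must not be
 * returned to the browser, which is the disclosure CVE-2022-24983 describes.
 */
function handle_upload(array $file, string $uploadDir = '/var/www/private_uploads'): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $stored = stored_upload_name((string) ($file['name'] ?? ''));
    if ($stored === null) {
        return null;
    }
    // $uploadDir is outside the web root, so even an allowlisted file is
    // never served by the web server directly; a download script can stream
    // it to authenticated admins with a fixed Content-Type.
    $dest = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $stored;
}

// Constructed sample filenames for a quick self-check (not real uploads).
foreach (['report.pdf', 'shell.phtml', 'shell.php.bak', 'Shell.PhP', 'notes.txt', '.htaccess'] as $name) {
    $r = stored_upload_name($name);
    printf("%-15s -> %s\n", $name, $r === null ? 'rejected' : 'stored as ' . $r);
}
```

Running the self-check accepts only `report.pdf` and `notes.txt`; `shell.phtml`, `shell.php.bak` and `Shell.PhP` are rejected by the allowlist, and `.htaccess` by the dotfile rule. Validating the extension is still only a name check: a content check (for example via `finfo` on the temporary file) and serving uploads from a handler that sets a fixed `Content-Type` and `Content-Disposition` are the complementary layers.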
> [Suggested description]
> Forms generated by JQueryForm.com before 2022-02-05 allow a remote
> authenticated attacker to bypass authentication and access the
> administrative section of other forms hosted on the same web server.
> This is relevant only when an organization hosts more than one of
> these forms on their server.
>
> ------------------------------------------
>
> [Additional Information]
> This vulnerability only applies when an organization hosts more than 1
> JQueryForm.com form on their server. Authentication status is stored
> in the $_SESSION['authenticated'] variable, which is checked prior to
> checking authentication credentials. An attacker can thus ride the
> successful authentication on 1 form to bypass authentication on all
> other forms hosted on the same server.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Incorrect Access Control
>
> ------------------------------------------
>
> [Vendor of Product]
> JQueryForm.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> All forms generated by JQueryForm.com before 2022-02-05 - Vendor sent an email on Feb. 6, 2022 indicating that the issue was fixed. We confirmed the issue was fixed on Feb. 11, 2022.
>
> ------------------------------------------
>
> [Affected Component]
> admin.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit the vulnerability, an attacker must be able to log in to the administrative section of a separate form hosted on the same server.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?] true
>
> ------------------------------------------
>
> [Discoverer]
> Paul Bisso at nou Systems, Inc.
>
> ------------------------------------------
>
> [Reference]
> https://JQueryForm.com
> https://www.nou-systems.com/cyber-security
Use CVE-2022-24985.
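The session-sharing bypass (CVE-2022-24985 above) and the cleartext credential disclosure (CVE-2022-24982) are both symptoms of the admin page's authentication design, so one added example covers both. The PHP below is not JQueryForm.com's code: it keys the session flag on a per-form identifier, additionally scopes the session cookie to the form's own path, and verifies passwords against hashes held server-side so nothing credential-bearing is ever emitted into the HTML. `FORM_ID`, the cookie path `/forms/contact/`, the helper names and the sample credential are assumptions.

```php
<?php
// Added example, not JQueryForm.com code. FORM_ID, the cookie path, helper
// names and the sample credential are assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern the advisory describes: a single host-wide flag, so a
// login on any form on the same host unlocks every other form's admin.php.
//   if (!empty($_SESSION['authenticated'])) { /* grant access */ }

// Hypothetical per-form identifier; derive it from the form's own
// configuration so two forms on one host never share a key.
const FORM_ID = 'contact-form-2022';

// Layer 1: the session cookie itself is only sent for this form's path.
// (Only effective when each form lives under its own path.)
session_set_cookie_params(['path' => '/forms/contact/', 'httponly' => true, 'samesite' => 'Lax']);
session_start();

/**
 * Credentials store: username => password hash. Constructed sample data;
 * hashes are produced with password_hash() at setup time and live only on
 * the server, never in a base64 blob inside the page source.
 */
function credential_store(): array
{
    static $store = null;
    if ($store === null) {
        $store = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $store;
}

/** Layer 2: the session flag is namespaced per form. */
function session_key(): string
{
    return 'authenticated:' . FORM_ID;
}

function login(string $user, string $pass): bool
{
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $store = credential_store();
    // Always run password_verify, against a dummy hash for unknown users,
    // so response time does not reveal which usernames exist.
    $ok = password_verify($pass, $store[$user] ?? $dummy) && isset($store[$user]);
    if (!$ok) {
        return false;
    }
    session_regenerate_id(true);             // new id on privilege change
    $_SESSION[session_key()] = true;
    return true;
}

function is_authenticated(): bool
{
    return ($_SESSION[session_key()] ?? false) === true;
}

// Constructed self-check.
var_dump(is_authenticated());                  // false before login
var_dump(login('alice', 'wrong password'));    // false
var_dump(login('mallory', 'anything'));        // false, same code path as above
var_dump(login('alice', 'correct horse battery staple')); // true
var_dump(is_authenticated());                  // true, but only under this FORM_ID
```

A second form on the same host would use its own `FORM_ID`, so `$_SESSION['authenticated:other-form']` is unset there even when this one is logged in; the path-scoped cookie means the other form never even receives this session id.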
netwons commented Feb 19, 2022

I did not understand; can you explain more?
