lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <099bbc1d-f558-5117-7bea-df97f9830825@secureli.com>
Date: Thu, 9 May 2019 11:29:58 -0400
From: John Martinelli <john@...ureli.com>
To: bugtraq@...urityfocus.com, advisories@...ketstormsecurity.com,
 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] dotCMS v5.1.1 HTML Injection & XSS Vulnerability

Read full vulnerability report @ 
https://secureli.com/dotcms-v5-1-1-html-injection-xss-vulnerability/

dotCMS v5.1.1 suffers from an HTML injection and XSS vulnerability, in 
addition to many other vulnerabilities that I am still verifying.

There's a screenshot available on my blog link above.

To reproduce this vulnerability, simply go to 
https://dotcms.com/dotAdmin/ and login with their demo credentials 
(username: admin@...cms.com password: admin) and then visit the 
following URL:

https://demo.dotcms.com/html/portlet/ext/files/edit_text_inc.jsp?referer=%22%3EHTML%20Code%20Injection%20Here%20and%20XSS%20Vulnerability%20%3Cbr%3E%3Cbr%3E

There are more unconfirmed vulnerabilities in dotCMS.


On 5/9/19 9:11 AM, John Martinelli wrote:
> Hello,
>
> I identified several vulnerabilities in dotCMS v5.1.1 due to vulnerable
> open source dependencies.
>
> Full security write up:
> http://secureli.com/dotcms-v5-1-1-vulnerable-open-source-dependencies/
>
> The details:
>
> ----
>
>  /ROOT/html/js/scriptaculous/prototype.js
>
> ↳ prototypejs 1.5.0
> prototypejs 1.5.0 has known vulnerabilities: severity: high; CVE:
> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
> http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/ 
>
>
> ROOT/assets/3/6/36c22c5d-c813-4869-a4b7-fcc10a74e8b6/fileAsset/jquery.min.js 
>
>
> ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
> event handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
> because of Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b 
>
>
> ROOT/assets/5/1/515cba4e-ac64-4523-b683-8e38329e7f46/fileAsset/bootstrap.min.js 
>
> ↳ bootstrap 3.2.0
> bootstrap 3.2.0 has known vulnerabilities: severity: high; issue: 28236,
> summary: XSS in data-template, data-content and data-title properties of
> tooltip/popover, CVE: CVE-2019-8331;
> https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue:
> 20184, summary: XSS in data-target property of scrollspy, CVE:
> CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity:
> medium; issue: 20184, summary: XSS in collapse data-parent attribute,
> CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
> severity: medium; issue: 20184, summary: XSS in data-container property
> of tooltip, CVE: CVE-2018-14042;
> https://github.com/twbs/bootstrap/issues/20184
>
> ROOT/assets/9/9/99c7ffe7-e1c2-407f-85b7-ec483dbcf6f1/fileAsset/jquery.min.js 
>
> ↳ jquery 3.3.1
> jquery 3.3.1 has known vulnerabilities: severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
> because of Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b 
>
>
> ROOT/assets/f/6/f6fa6b13-3a96-4cbf-9a75-19a40137f05a/fileAsset/jquery.min.js 
>
>
> ↳ jquery 1.9.1
> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
> event handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
> because of Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b 
>
>
> ROOT/assets/4/a/4a5a727f-369b-49e0-bff5-42d9efb4ba90/fileAsset/jquery-2.1.1.min.js 
>
>
> ↳ jquery 2.1.1.min
> jquery 2.1.1.min has known vulnerabilities: severity: medium; issue:
> 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
> https://github.com/jquery/jquery/issues/2432
> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
> event handlers; https://bugs.jquery.com/ticket/11974
> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
> because of Object.prototype pollution;
> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b 
>
>
> ROOT/html/js/dojo/custom-build/dojo/dojo.js
>
> ↳ dojo 1.8.6
> dojo 1.8.6 has known vulnerabilities: severity: medium; PR: 307;
> https://github.com/dojo/dojo/pull/307
> https://dojotoolkit.org/blog/dojo-1-14-released
>
> ROOT/html/js/tinymce/js/tinymce/tinymce.min.js
>
> ↳ tinyMCE 4.1.6
> tinyMCE 4.1.6 has known vulnerabilities: severity: medium; summary: xss
> issues with media plugin not properly filtering out some script
> attributes.; https://www.tinymce.com/docs/changelog/ severity: medium;
> summary: FIXED so script elements gets removed by default to prevent
> possible XSS issues in default config implementations;
> https://www.tinymce.com/docs/changelog/ severity: medium; summary: FIXED
> so links with xlink:href attributes are filtered correctly to prevent
> XSS.; https://www.tinymce.com/docs/changelog/
>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ