lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 9 May 2019 11:40:56 -0400 From: John Martinelli <john@...ureli.com> To: bugtraq@...urityfocus.com, advisories@...ketstormsecurity.com, "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] dotCMS v5.1.1 HTML Injection & XSS Vulnerability Read full vulnerability report @ https://secureli.com/dotcms-v5-1-1-open-redirect-vulnerability/ dotCMS v5.1.1 suffers from an Open Redirect Vulnerability, in addition to many other vulnerabilities that I am still verifying. The following URL is a proof-of-concept that requires a user to be logged in. Simply login to the demo before visiting the supplied POC. Logging into the demo requires you to go to https://demo.dotcms.com/dotAdmin <https://demo.dotcms.com/dotAdmin/> and log in with the demo credentials (username: admin@...cms.com password: admin). POC link: https://demo.dotcms.com/html/portlet/ext/common/page_preview_popup.jsp?hostname=google.com/test.html On 5/9/19 11:29 AM, John Martinelli wrote: > > Read full vulnerability report @ > https://secureli.com/dotcms-v5-1-1-html-injection-xss-vulnerability/ > > dotCMS v5.1.1 suffers from an HTML injection and XSS vulnerability, in > addition to many other vulnerabilities that I am still verifying. > > There's a screenshot available on my blog link above. > > To reproduce this vulnerability, simply go to > https://dotcms.com/dotAdmin/ and login with their demo credentials > (username: admin@...cms.com password: admin) and then visit the > following URL: > > https://demo.dotcms.com/html/portlet/ext/files/edit_text_inc.jsp?referer=%22%3EHTML%20Code%20Injection%20Here%20and%20XSS%20Vulnerability%20%3Cbr%3E%3Cbr%3E > > There are more unconfirmed vulnerabilities in dotCMS. > > > On 5/9/19 9:11 AM, John Martinelli wrote: >> Hello, >> >> I identified several vulnerabilities in dotCMS v5.1.1 due to vulnerable >> open source dependencies. >> >> Full security write up: >> http://secureli.com/dotcms-v5-1-1-vulnerable-open-source-dependencies/ >> >> The details: >> >> ---- >> >> /ROOT/html/js/scriptaculous/prototype.js >> >> ↳ prototypejs 1.5.0 >> prototypejs 1.5.0 has known vulnerabilities: severity: high; CVE: >> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/ >> http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/ >> >> >> ROOT/assets/3/6/36c22c5d-c813-4869-a4b7-fcc10a74e8b6/fileAsset/jquery.min.js >> >> >> ↳ jquery 1.9.1 >> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, >> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; >> https://github.com/jquery/jquery/issues/2432 >> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ >> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 >> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: >> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in >> event handlers; https://bugs.jquery.com/ticket/11974 >> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 >> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: >> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, >> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) >> because of Object.prototype pollution; >> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ >> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 >> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b >> >> >> ROOT/assets/5/1/515cba4e-ac64-4523-b683-8e38329e7f46/fileAsset/bootstrap.min.js >> >> ↳ bootstrap 3.2.0 >> bootstrap 3.2.0 has known vulnerabilities: severity: high; issue: 28236, >> summary: XSS in data-template, data-content and data-title properties of >> tooltip/popover, CVE: CVE-2019-8331; >> https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: >> 20184, summary: XSS in data-target property of scrollspy, CVE: >> CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: >> medium; issue: 20184, summary: XSS in collapse data-parent attribute, >> CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 >> severity: medium; issue: 20184, summary: XSS in data-container property >> of tooltip, CVE: CVE-2018-14042; >> https://github.com/twbs/bootstrap/issues/20184 >> >> ROOT/assets/9/9/99c7ffe7-e1c2-407f-85b7-ec483dbcf6f1/fileAsset/jquery.min.js >> >> ↳ jquery 3.3.1 >> jquery 3.3.1 has known vulnerabilities: severity: low; CVE: >> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, >> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) >> because of Object.prototype pollution; >> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ >> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 >> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b >> >> >> ROOT/assets/f/6/f6fa6b13-3a96-4cbf-9a75-19a40137f05a/fileAsset/jquery.min.js >> >> >> ↳ jquery 1.9.1 >> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, >> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; >> https://github.com/jquery/jquery/issues/2432 >> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ >> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 >> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: >> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in >> event handlers; https://bugs.jquery.com/ticket/11974 >> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 >> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: >> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, >> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) >> because of Object.prototype pollution; >> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ >> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 >> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b >> >> >> ROOT/assets/4/a/4a5a727f-369b-49e0-bff5-42d9efb4ba90/fileAsset/jquery-2.1.1.min.js >> >> >> ↳ jquery 2.1.1.min >> jquery 2.1.1.min has known vulnerabilities: severity: medium; issue: >> 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; >> https://github.com/jquery/jquery/issues/2432 >> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ >> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 >> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: >> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in >> event handlers; https://bugs.jquery.com/ticket/11974 >> https://nvd.nist.gov/vuln/detail/CVE-2015-9251 >> http://research.insecurelabs.org/jquery/test/ severity: low; CVE: >> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, >> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) >> because of Object.prototype pollution; >> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ >> https://nvd.nist.gov/vuln/detail/CVE-2019-11358 >> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b >> >> >> ROOT/html/js/dojo/custom-build/dojo/dojo.js >> >> ↳ dojo 1.8.6 >> dojo 1.8.6 has known vulnerabilities: severity: medium; PR: 307; >> https://github.com/dojo/dojo/pull/307 >> https://dojotoolkit.org/blog/dojo-1-14-released >> >> ROOT/html/js/tinymce/js/tinymce/tinymce.min.js >> >> ↳ tinyMCE 4.1.6 >> tinyMCE 4.1.6 has known vulnerabilities: severity: medium; summary: xss >> issues with media plugin not properly filtering out some script >> attributes.; https://www.tinymce.com/docs/changelog/ severity: medium; >> summary: FIXED so script elements gets removed by default to prevent >> possible XSS issues in default config implementations; >> https://www.tinymce.com/docs/changelog/ severity: medium; summary: FIXED >> so links with xlink:href attributes are filtered correctly to prevent >> XSS.; https://www.tinymce.com/docs/changelog/ >> > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists