lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 9 May 2019 11:40:56 -0400
From: John Martinelli <john@...ureli.com>
To: bugtraq@...urityfocus.com, advisories@...ketstormsecurity.com,
 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] dotCMS v5.1.1 HTML Injection & XSS Vulnerability

Read full vulnerability report @ 
https://secureli.com/dotcms-v5-1-1-open-redirect-vulnerability/

dotCMS v5.1.1 suffers from an Open Redirect Vulnerability, in addition 
to many other vulnerabilities that I am still verifying.

The following URL is a proof-of-concept that requires a user to be 
logged in. Simply login to the demo before visiting the supplied POC.

Logging into the demo requires you to go to 
https://demo.dotcms.com/dotAdmin <https://demo.dotcms.com/dotAdmin/> and 
log in with the demo credentials (username: admin@...cms.com password: 
admin).

POC link: 
https://demo.dotcms.com/html/portlet/ext/common/page_preview_popup.jsp?hostname=google.com/test.html


On 5/9/19 11:29 AM, John Martinelli wrote:
>
> Read full vulnerability report @ 
> https://secureli.com/dotcms-v5-1-1-html-injection-xss-vulnerability/
>
> dotCMS v5.1.1 suffers from an HTML injection and XSS vulnerability, in 
> addition to many other vulnerabilities that I am still verifying.
>
> There's a screenshot available on my blog link above.
>
> To reproduce this vulnerability, simply go to 
> https://dotcms.com/dotAdmin/ and login with their demo credentials 
> (username: admin@...cms.com password: admin) and then visit the 
> following URL:
>
> https://demo.dotcms.com/html/portlet/ext/files/edit_text_inc.jsp?referer=%22%3EHTML%20Code%20Injection%20Here%20and%20XSS%20Vulnerability%20%3Cbr%3E%3Cbr%3E
>
> There are more unconfirmed vulnerabilities in dotCMS.
>
>
> On 5/9/19 9:11 AM, John Martinelli wrote:
>> Hello,
>>
>> I identified several vulnerabilities in dotCMS v5.1.1 due to vulnerable
>> open source dependencies.
>>
>> Full security write up:
>> http://secureli.com/dotcms-v5-1-1-vulnerable-open-source-dependencies/
>>
>> The details:
>>
>> ----
>>
>>  /ROOT/html/js/scriptaculous/prototype.js
>>
>> ↳ prototypejs 1.5.0
>> prototypejs 1.5.0 has known vulnerabilities: severity: high; CVE:
>> CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/
>> http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/ 
>>
>>
>> ROOT/assets/3/6/36c22c5d-c813-4869-a4b7-fcc10a74e8b6/fileAsset/jquery.min.js 
>>
>>
>> ↳ jquery 1.9.1
>> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
>> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
>> https://github.com/jquery/jquery/issues/2432
>> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
>> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
>> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
>> event handlers; https://bugs.jquery.com/ticket/11974
>> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
>> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
>> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
>> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
>> because of Object.prototype pollution;
>> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
>> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
>> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b 
>>
>>
>> ROOT/assets/5/1/515cba4e-ac64-4523-b683-8e38329e7f46/fileAsset/bootstrap.min.js 
>>
>> ↳ bootstrap 3.2.0
>> bootstrap 3.2.0 has known vulnerabilities: severity: high; issue: 28236,
>> summary: XSS in data-template, data-content and data-title properties of
>> tooltip/popover, CVE: CVE-2019-8331;
>> https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue:
>> 20184, summary: XSS in data-target property of scrollspy, CVE:
>> CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity:
>> medium; issue: 20184, summary: XSS in collapse data-parent attribute,
>> CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184
>> severity: medium; issue: 20184, summary: XSS in data-container property
>> of tooltip, CVE: CVE-2018-14042;
>> https://github.com/twbs/bootstrap/issues/20184
>>
>> ROOT/assets/9/9/99c7ffe7-e1c2-407f-85b7-ec483dbcf6f1/fileAsset/jquery.min.js 
>>
>> ↳ jquery 3.3.1
>> jquery 3.3.1 has known vulnerabilities: severity: low; CVE:
>> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
>> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
>> because of Object.prototype pollution;
>> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
>> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
>> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b 
>>
>>
>> ROOT/assets/f/6/f6fa6b13-3a96-4cbf-9a75-19a40137f05a/fileAsset/jquery.min.js 
>>
>>
>> ↳ jquery 1.9.1
>> jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432,
>> summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
>> https://github.com/jquery/jquery/issues/2432
>> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
>> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
>> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
>> event handlers; https://bugs.jquery.com/ticket/11974
>> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
>> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
>> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
>> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
>> because of Object.prototype pollution;
>> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
>> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
>> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b 
>>
>>
>> ROOT/assets/4/a/4a5a727f-369b-49e0-bff5-42d9efb4ba90/fileAsset/jquery-2.1.1.min.js 
>>
>>
>> ↳ jquery 2.1.1.min
>> jquery 2.1.1.min has known vulnerabilities: severity: medium; issue:
>> 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251;
>> https://github.com/jquery/jquery/issues/2432
>> http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
>> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
>> http://research.insecurelabs.org/jquery/test/ severity: medium; CVE:
>> CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in
>> event handlers; https://bugs.jquery.com/ticket/11974
>> https://nvd.nist.gov/vuln/detail/CVE-2015-9251
>> http://research.insecurelabs.org/jquery/test/ severity: low; CVE:
>> CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal,
>> Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …)
>> because of Object.prototype pollution;
>> https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
>> https://nvd.nist.gov/vuln/detail/CVE-2019-11358
>> https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b 
>>
>>
>> ROOT/html/js/dojo/custom-build/dojo/dojo.js
>>
>> ↳ dojo 1.8.6
>> dojo 1.8.6 has known vulnerabilities: severity: medium; PR: 307;
>> https://github.com/dojo/dojo/pull/307
>> https://dojotoolkit.org/blog/dojo-1-14-released
>>
>> ROOT/html/js/tinymce/js/tinymce/tinymce.min.js
>>
>> ↳ tinyMCE 4.1.6
>> tinyMCE 4.1.6 has known vulnerabilities: severity: medium; summary: xss
>> issues with media plugin not properly filtering out some script
>> attributes.; https://www.tinymce.com/docs/changelog/ severity: medium;
>> summary: FIXED so script elements gets removed by default to prevent
>> possible XSS issues in default config implementations;
>> https://www.tinymce.com/docs/changelog/ severity: medium; summary: FIXED
>> so links with xlink:href attributes are filtered correctly to prevent
>> XSS.; https://www.tinymce.com/docs/changelog/
>>
>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists