[FD] Reflected XSS – HRworks Login (v1.16.1)
# Exploit Title: Reflected XSS – HRworks Login (v1.16.1)
# Vendor Homepage: https://www.hrworks.de
# Exploit Author: Georg Philipp Erasmus Heise / Lufthansa Industry Solutions
# Contact: https://twitter.com/gpheheise
# Website: https://www.lufthansa-industry-solutions.com
# Category: webapps
# CVE: CVE-2019-11559

Timeline

26.04.2019 Disclosure to Vendor
29.04.2019 Vendor informed that the issue was remediated
17.09.2019 Publication

1. Description:

The URL parameter of the login page is reflected without filtering, which leads to several variants of reflected XSS.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11559

2. Proof of Concept:

Vulnerable Source: http://login.hrworks.de

PoC:

```http
GET /?re44h"-alert(1)-"bb8rf=1 HTTP/1.1
Host: login.hrworks.de
Accept-Encoding: gzip, deflate
Accept: */*
```

3. Solution:

As of the date of publication, all versions above 1.16.3 are safe to use.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
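The PoC payload above works because the `"` in the URL closes a JavaScript string literal that the page builds from the query string. As an added example (not HRworks code; the template shape and helper names are assumptions), here is such a renderer beside a hardened one that JSON-encodes the value, with a check that counts unescaped quotes in the emitted literal:

```javascript
// Added example, not code from the HRworks advisory or product: a login page
// that reflects the raw query string into a JavaScript string literal, beside a
// hardened renderer. Template shape and helper names are assumptions.

// Payload taken from the advisory's PoC URL: the " closes the literal and the
// remainder is then parsed as JavaScript.
const ADVISORY_PAYLOAD = 're44h"-alert(1)-"bb8rf=1';

// Vulnerable: the query string is pasted verbatim into a JS string literal.
function renderLoginVulnerable(queryString) {
  return `<script>var redirectTo = "/?${queryString}";</script>`;
}

// Hardened: JSON.stringify escapes quotes, backslashes and line terminators;
// "<" is additionally escaped so a "</script>" inside the data cannot end the
// script element early.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

function renderLoginHardened(queryString) {
  return `<script>var redirectTo = ${jsStringLiteral('/?' + queryString)};</script>`;
}

// Extract the emitted literal (everything between "var redirectTo = " and ";").
function emittedLiteral(html) {
  const m = html.match(/var redirectTo = (.*);<\/script>/s);
  if (!m) throw new Error('literal not found');
  return m[1];
}

// Count double quotes that are not preceded by a backslash. A correctly encoded
// literal has exactly two: its opening and closing delimiter.
function unescapedQuoteCount(literal) {
  let count = 0;
  for (let i = 0; i < literal.length; i++) {
    if (literal[i] === '\\') { i++; continue; } // skip the escaped character
    if (literal[i] === '"') count++;
  }
  return count;
}

// True when the renderer keeps the payload inside a single string literal.
function literalStaysIntact(renderer) {
  return unescapedQuoteCount(emittedLiteral(renderer(ADVISORY_PAYLOAD))) === 2;
}

// Decode the hardened literal back to the value the page intended to embed.
function decodeLiteral(html) {
  return JSON.parse(emittedLiteral(html));
}
```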
[FD] CVE-2019-19912
codeBeamer – Stored Cross-Site Scripting
===

Identifiers
-
* CVE-2019-19912

CVSSv3 score
-
6.4 (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H)

Vendor
-
Intland – Codebeamer (https://codebeamer.com)

Product
-
codeBeamer ALM is a holistically integrated, collaborative Application Lifecycle Management platform with capabilities that cover your entire product development lifecycle.

Affected versions
-
- codebeamer 9.5 and below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
Intland Software's codeBeamer has a stored XSS vulnerability in the file attachment section.

Technical details
-
The upload section accepts maliciously crafted SWF files.

Proof of concept
-
To exploit this vulnerability, upload a standard malformed SWF file like the ones available on GitHub: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection

Solution
-
Contact vendor for a solution

Timeline
-
Date | Status
-|-
20-DEC-2019 | Reported to vendor
03-JAN-2020 | Acknowledged by vendor
09-MAR-2020 | Patch available
26-MAR-2020 | Public disclosure
[FD] CVE-2019-19913
codeBeamer – Stored Cross-Site Scripting
===

Identifiers
-
* CVE-2019-19913

CVSSv3 score
-
6.4 ([AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:H&version=3.1))

Vendor
-
Intland – Codebeamer (https://codebeamer.com)

Product
-
codeBeamer ALM is a holistically integrated, collaborative Application Lifecycle Management platform with capabilities that cover your entire product development lifecycle.

Affected versions
-
- codebeamer 9.5 and below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
Intland Software's codeBeamer 9.5 ALM has a stored XSS vulnerability in the Trackers Title parameter.

Technical details
-
The Tracker heading is vulnerable to a stored cross-site scripting (XSS) attack. An attacker has to create or modify a Tracker heading containing a direct XSS payload to exploit any project user who views the Tracker or the Tracker notes.

Proof of concept
-
The following evidence is provided to illustrate the existence and exploitation: create a release with a heading similar to this: `alert('hacked')`

Solution
-
Contact vendor for a solution

Timeline
-
Date | Status
-|-
20-DEC-2019 | Reported to vendor
03-JAN-2020 | Acknowledged by vendor
09-MAR-2020 | Patch available
26-MAR-2020 | Public disclosure
[FD] Workspace Management 9.1.2.2765 - Stored Cross-Site Scripting
Matrix42 Workspace Management 9.1.2.2765 – Stored Cross-Site Scripting
===

Identifiers
-
CVE-2019-19500

CVSSv3 score
-
9.1 ([AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L&version=3.1))

Vendor
-
Matrix42 ([https://www.matrix42.com](https://www.matrix42.com/))

Product
-
Matrix42 combines the disciplines of Unified Endpoint Management (UEM), Software Asset Management (SAM), Automated Endpoint Security (AES) and Service Management (ITSM). With MyWorkspace, one can use the browser to access data and applications securely regardless of the device. With MX42 Workspace Management, one actively manages devices, applications, processes, and services in a simple, secure, and compliant way. The innovative software seamlessly integrates physical, virtual, mobile and cloud-based workspaces into existing infrastructures.

Affected versions
-
- Workspace Management 9.1.2.2765 and below

Credit
-
Christian Pappas, Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
Workspace Management 9.1.2.2765 and below has a stored XSS vulnerability in the comment field for special orders. A user can use this to exploit other privileged users, e.g. managers or admins, who are viewing or accepting the order.

Technical details
-
The custom field when placing orders is vulnerable to a persistent cross-site scripting (XSS) attack. An attacker has to intercept the request made by the web application and modify it before submitting it to the server.

Proof of concept
-
The following evidence is provided to illustrate the existence and exploitation: modify the custom field for special orders similar to this: `"Kali Linux "},"_type"`

```http
POST /m42Services/api/WidgetDialog/UpdateData/88b223a6-0686-c617-1445-08d6df7de1cf HTTP/1.1
Host: foo.bar.de
Connection: close
Content-Length: 1629
Origin: https://foo.bar.de
mx-application-id: MX_APPLICATION_ID
Accept-Language: de-DE
Authorization: Bearer beARerTokenHere
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
DNT: 1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://foo.bar.de/wm/app-SelfServicePortal/search-page/subpage
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=SESSION_ID

{"Sys-Entity":"Ud_LHIND_Service_Form_IndividualSoftwareRequestType","ID":"REQUEST_ID","Sys-IsNew":false,"Sys-TimeStamp":"TIMESTAMP","Sys-DisplayName":"Formular individuelle Softwareanfrage","Ud_LHIND_Service_Form_IndividualSoftwareRequestClassBase":{"Sys-TimeStamp":"TIMESTAMP","ID":"fIDIDID","Software":"test","Description":"Kali Linux "},"_type":"Ud_LHIND_Service_Form_IndividualSoftwareRequestType","_id":"IDNUMMER","DisplayString":"Formular individuelle Softwareanfrage","_displayName":"Formular individuelle Softwareanfrage","_name":"Formular individuelle Softwareanfrage","IsNew":false,"SPSCommonClassBase":{"Representitives":{"AddedRelations":[],"RemovedRelations":[]},"WorkflowErrors":{"AddedRelations":[],"RemovedRelations":[]},"Tasks":{"AddedRelations":[],"RemovedRelations":[]},"RelatedBackupObject":{"AddedRelations":[],"RemovedRelations":[]},"RelatedDependentObject":{"AddedRelations":[],"RemovedRelations":[]},"ServiceBookings":{"AddedRelations":[],"RemovedRelations":[]},"Bookings":{"AddedRelations":[],"RemovedRelations":[]},"FormForShoppingCarts":{"AddedRelations":[],"RemovedRelations":[]},"Appointments":{"AddedRelations":[],"RemovedRelations":[]},"Memorandums":{"AddedRelations":[],"RemovedRelations":[]},"Service":{"AddedRelations":[],"RemovedRelations":[]},"Orders":{"AddedRelations":[],"RemovedRelations":[]},"ShoppingCarts":{"AddedRelations":[],"RemovedRelations":[]}}}
```

Solution
-
Upgrade to Matrix42 Workspace Management Version 10.0

Timeline
-
Date | Status
-|-
02-DEC-2019 | Reported to vendor
09-DEC-2020 | Acknowledged by vendor
31-MAR-2020 | Patch available
14-APR-2020 | Public disclosure
[FD] Matrix42 Workspace Management 9.1.2.2765 – Reflected Cross-Site Scripting
Matrix42 Workspace Management 9.1.2.2765 – Reflected Cross-Site Scripting
===

Identifiers
-
* CVE-2019-19913

CVSSv3 score
-
4.8 ([AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L&version=3.1))

Vendor
-
Matrix42 ([https://www.matrix42.com](https://www.matrix42.com/))

Product
-
Matrix42 combines the disciplines of Unified Endpoint Management (UEM), Software Asset Management (SAM), Automated Endpoint Security (AES) and Service Management (ITSM). With MyWorkspace, one can use the browser to access data and applications securely regardless of the device. With MX42 Workspace Management, you actively manage devices, applications, processes, and services in a simple, secure, and compliant way. The innovative software seamlessly integrates physical, virtual, mobile and cloud-based workspaces into existing infrastructures.

Affected versions
-
- Workspace Management 9.1.2.2765 and below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
Workspace Management 9.1.2.2765 and below has a reflected XSS vulnerability in several search fields.

Technical details
-
When searching for products or services, an attacker can trigger reflected cross-site scripting by entering modified content.

Proof of concept
-
To exploit this vulnerability, an attacker has to enter code similar to the following to trigger the reflected XSS: `'">{{7*7}}`

Solution
-
Upgrade to Matrix42 Workspace Management Version 10.0

Timeline
-
Date | Status
-|-
02-DEC-2019 | Reported to vendor
09-DEC-2020 | Acknowledged by vendor
31-MAR-2020 | Patch available
14-APR-2020 | Public disclosure
[FD] Matrix42 Workspace Management 9.1.2.2765 – Reflected Cross-Site Scripting
Matrix42 Workspace Management 9.1.2.2765 – Reflected Cross-Site Scripting
===

Identifiers
-
CVE-2019-19390

CVSSv3 score
-
4.8 ([AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L&version=3.1))

Vendor
-
Matrix42 ([https://www.matrix42.com](https://www.matrix42.com/))

Product
-
Matrix42 combines the disciplines of Unified Endpoint Management (UEM), Software Asset Management (SAM), Automated Endpoint Security (AES) and Service Management (ITSM). With MyWorkspace, one can use the browser to access data and applications securely regardless of the device. With MX42 Workspace Management, you actively manage devices, applications, processes, and services in a simple, secure, and compliant way. The innovative software seamlessly integrates physical, virtual, mobile and cloud-based workspaces into existing infrastructures.

Affected versions
-
- Workspace Management 9.1.2.2765 and below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
Workspace Management 9.1.2.2765 and below has a reflected XSS vulnerability in several search fields.

Technical details
-
When searching for products or services, an attacker can trigger reflected cross-site scripting by entering modified content.

Proof of concept
-
To exploit this vulnerability, an attacker has to enter code similar to the following to trigger the reflected XSS: `'">{{7*7}}`

Solution
-
Upgrade to Matrix42 Workspace Management Version 10.0

Timeline
-
Date | Status
-|-
02-DEC-2019 | Reported to vendor
09-DEC-2020 | Acknowledged by vendor
31-MAR-2020 | Patch available
14-APR-2020 | Public disclosure
[FD] Programi Bilanc - Build 007 Release 014 31.01.2020 - Use of weak default Password - CVE-2020-11720
Programi Bilanc - Build 007 Release 014 31.01.2020 - Use of weak default Password
===

Identifiers
-
CVE-2020-11720

Vendor
-
Balanc Shpk (https://bilanc.com)

Product
-
Programi Bilanc

Affected versions
-
Programi Bilanc - Build 007 Release 014 31.01.2020 and possibly below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
The installation sets up admin accounts with weak default credentials.

Technical details
-
During the installation, administrative access is set up by default with the account admin and a default password. After the installation, users/admins are not prompted to change this password.

Proof of concept
-
Withheld

Solution
-
Don't use the software in its current version & contact vendor for a solution

Timeline
-
Date | Status
-|-
01-APR-2020 | Reported to vendor
30-JUN-2020 | End of 90 days Full Disclosure time
17-DEC-2020 | Full disclosure
[FD] Programi Bilanc - Build 007 Release 014 31.01.2020 - Broken encryption with guessable static encryption key [CVE-2020-11719]
Programi Bilanc - Build 007 Release 014 31.01.2020 - Broken encryption with guessable static encryption key
===

Identifiers
-
CVE-2020-11719

Vendor
-
Balanc Shpk (https://bilanc.com)

Product
-
Programi Bilanc

Affected versions
-
Programi Bilanc - Build 007 Release 014 31.01.2020 and possibly below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
A remote attacker can decrypt data with minimal effort, while local attackers can obtain the static key from the source code.

Technical details
-
A remote attacker can decrypt data with minimal effort, as the encryption used is outdated and broken. Local attackers with access to the software can obtain the static key from the source code.

Proof of concept
-
Withheld

Solution
-
Don't use the software in its current version & contact vendor for a solution

Timeline
-
Date | Status
-|-
01-APR-2020 | Reported to vendor
30-JUN-2020 | End of 90 days Full Disclosure time
17-DEC-2020 | Full disclosure
[FD] Programi Bilanc - Build 007 Release 014 31.01.2020 - Multiple SQL Injections [CVE-2020-11717]
Programi Bilanc - Build 007 Release 014 31.01.2020 - Multiple SQL Injections
===

Identifiers
-
CVE-2020-11717

Vendor
-
Balanc Shpk (https://bilanc.com)

Product
-
Programi Bilanc

Affected versions
-
Programi Bilanc - Build 007 Release 014 31.01.2020 and probably below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)
Christian Pappas / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
Programi Bilanc - Build 007 Release 014 31.01.2020 and below suffers from multiple SQL injection vulnerabilities due to unprepared statements.

Technical details
-
When searching for products or services, an attacker can trigger reflected cross-site scripting by entering modified content.

Proof of concept
-
Withheld

Solution
-
Don't use the software in its current version & contact vendor for a solution

Timeline
-
Date | Status
-|-
01-APR-2020 | Reported to vendor
30-JUN-2020 | End of 90 days Full Disclosure time
17-DEC-2020 | Full disclosure
[FD] Programi Bilanc - Build 007 Release 014 31.01.2020 - Broken encryption with guessable static encryption key [CVE-2020-8995]
Programi Bilanc - Build 007 Release 014 31.01.2020 - Broken encryption with guessable static encryption key
===

Identifiers
-
CVE-2020-8995

Vendor
-
Balanc Shpk (https://bilanc.com)

Product
-
Programi Bilanc

Affected versions
-
- Programi Bilanc - Build 007 Release 014 31.01.2020 and possibly below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
Programi Bilanc Build 007 Release 014 31.01.2020 supplies a .exe file containing several hardcoded credentials to different servers that allow remote attackers to gain access to the complete infrastructure, including the website, update server, and external issue tracking tools.

Technical details
-
To exploit this vulnerability, an attacker has to gain access to the Windows .exe.

Proof of concept
-
Withheld

Solution
-
Don't use the software in its current version & contact vendor for a solution

Timeline
-
Date | Status
-|-
01-APR-2020 | Reported to vendor
30-JUN-2020 | End of 90 days Full Disclosure time
17-DEC-2020 | Full disclosure
[FD] Programi Bilanc - Build 007 Release 014 31.01.2020 - Software-update packages are downloaded via unencrypted HTTP [CVE-2020-11718]
Programi Bilanc - Build 007 Release 014 31.01.2020 - Software-update packages are downloaded via unencrypted HTTP
===

Identifiers
-
CVE-2020-11718

Vendor
-
Balanc Shpk (https://bilanc.com)

Product
-
Programi Bilanc

Affected versions
-
Programi Bilanc - Build 007 Release 014 31.01.2020 and below

Credit
-
Georg Ph E Heise (@gpheheise) / Lufthansa Industry Solutions (@LHIND_DLH)

Vulnerability summary
-
Programi Bilanc - Build 007 Release 014 31.01.2020 and below downloads software updates via unencrypted channels, which allows attackers to manipulate this process.

Technical details
-
An attacker is able to intercept the process of downloading software updates and replace the update with their own manipulated software, as the update is not protected against manipulation (unsigned code).

Proof of concept
-
Withheld

Solution
-
Don't use the software in its current version & contact vendor for a solution

Timeline
-
Date | Status
-|-
01-APR-2020 | Reported to vendor
30-JUN-2020 | End of 90 days Full Disclosure time
17-DEC-2020 | Full disclosure