flylkp.blogg.se

Clamxav 1.0.3

NodeBB before version 1.14.3 has a bug, introduced in version 1.12.2, in the validation logic that makes it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to privilege escalation via an account takeover.

This affects the package hellojs before 1.18.6. The code gets the param oauth_redirect from the URL and passes it to location.assign without any check or sanitisation. So we can simply pass some XSS payloads into the URL param oauth_redirect, such as javascript:alert(1).

SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow an attacker to modify a cookie in a way that OS commands can be executed, potentially gaining control over the host running the CA Introscope Enterprise Manager and leading to Code Injection. With this, the attacker is able to read and modify all system files and also impact system availability.











