HTML Injection in Signal Desktop 1.10.1

A few days ago some researchers discovered an HTML Injection vulnerability in Signal Desktop and wrote a public disclosure. The Signal team quickly released an update on May 11th; the problem was in the file /js/views/message_view.js. Reading the changes to message_view.js, it seemed that the Signal team had only fixed the "problem of the URL". So, maybe, I could still inject HTML code somehow. Signal Desktop does not have many features, so I tried writing myself a basic message: <b>PROVA</b>. Obviously nothing happened. Then I tried the Reply to message feature, and BINGO! My original message <b>PROVA</b> was rendered as bold PROVA. So it was still possible to inject HTML code in Signal Desktop. I tried to run javascript code, but it was blocked by the Content Security Policy, as in the first report. To run javascript code in the victim's Signal Desktop, the victim must first download a malicious HTML / js file, and then the attacker can run it with the src attribute. Obviously the attacker must know the file path on the victim's computer. Another interesting attack, without javascript, is to use the ping attribute to find the IP address of the victim (thanks to Fabrizio Carimati (@clodo76) for this idea). ...

May 16, 2018 · 2 min · 300 words · Luigi Gubello

GD bbPress Attachments 2.5 – Authenticated stored XSS

Info
Product: GD bbPress Attachments
Version: 2.5
Active installations: 10,000+
Product page: https://it.wordpress.org/plugins/gd-bbpress-attachments/

Description
An authenticated user of a bbPress forum who can attach a file can inject arbitrary javascript code via the filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects administrators, moderators and the attacker. The variable $error['file'] in /code/attachments/front.php (line 349) is not escaped.

Proof of Concept ...

May 13, 2018 · 1 min · 104 words · Luigi Gubello

Stored XSS in Microsoft Bing

After many unsuccessful attempts to find an XSS in Yahoo’s domains, I decided to move my attention to Microsoft Bing. If you have a Microsoft account, Bing allows you to save online content (images, videos and places) on the page My saves, and allows to create collections to better manage your own content. The titles of these collections were not properly filtered, so it was possible to break the code and inject persistent arbitrary code. The code could be injected easily, all it took was the wrong image added to My saves. I was lucky with Bing, now I can go back to fail with Yahoo 🙂 ...

April 21, 2018 · 2 min · 226 words · Luigi Gubello

WP Live Chat Support 8.0.05 – Stored XSS

Info
Product: WP Live Chat Support
Version: 8.0.05
Active installations: 50,000+
Product page: https://wordpress.org/plugins/wp-live-chat-support/
CVE: CVE-2018-9864

Description
An unauthenticated user could inject arbitrary javascript code into the admin panel by using the text field Name of WP Live Chat Support. Using a single input point, it was possible to inject javascript code into two different output points of the admin panel. There were two issues in the external javascript file bleeper-agent-dev.js: the function bleeper_strip_tags filtered closed tags only, so it could be bypassed with an unclosed tag, and the variable chatInfoArea-Name was not escaped. This vulnerability has been fixed in all versions of the plugin without an update, because bleeper-agent-dev.js is an external file and the developer has updated it. ...

April 8, 2018 · 2 min · 340 words · Luigi Gubello

Events Manager 5.8.1.1 – Stored XSS

Info
Product: Events Manager
Version: 5.8.1.1
Active installations: 100,000+
Product page: https://it.wordpress.org/plugins/events-manager/
CVE: CVE-2018-9020

Description
An unauthenticated user, or a user without privileges, who can submit an event can inject javascript code into the Google Maps miniature. The malicious code runs in the admin panel when a privileged user opens the submitted event. The problem is in the file events-manager.js: the variable mapTitle is not escaped.

Proof of Concept ...

March 25, 2018 · 1 min · 124 words · Luigi Gubello