Wednesday, March 27, 2013

HTB23147: AWS XMS path traversal vulnerability

AWS XMS

A path traversal vulnerability in AWS XMS version 2.5 has been discovered by High-Tech Bridge Security Research Lab; it can be exploited to read the contents of arbitrary files.

The vulnerability exists due to insufficient filtration of the "what" HTTP GET parameter passed to the "importer.php" script before it is used in the PHP "file()" function. A remote attacker can read the contents of arbitrary files on the target system.

The Proof of Concept (PoC) code for this vulnerability in AWS XMS 2.5 uses the wget utility to download the source code of the "default.php" file, which contains application configuration data and administrator credentials. See the HTB23147 advisory for more details.

Upgrade your AWS XMS installation to version 2.6 to stay safe, or remove the "/importer.php" script from your system.
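The following is an added illustration, not AWS XMS's own code: it models the pattern the advisory describes (a "what" GET parameter reaching file() without filtering) next to a hardened variant that confines the request to one directory. The base directory, the sample file and the function names are assumptions of this example.

```php
<?php
// Added illustration, not AWS XMS code. The base directory, sample file and
// function names are assumptions made for this example.

// Vulnerable pattern as the advisory describes it: whatever the client sends,
// including "../" sequences or an absolute path, is handed straight to file().
function read_import_vulnerable(string $what)
{
    return file($what);
}

// Hardened variant: build the path under a fixed base directory, canonicalise
// it with realpath(), and confirm it is still inside that directory.
function resolve_import_path(string $baseDir, string $what): ?string
{
    // Reject empty names and anything containing a path separator or NUL byte.
    if ($what === '' || preg_match('/[\/\\\\\0]/', $what)) {
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $what);
    if ($base === false || $candidate === false) {
        return null;
    }
    // realpath() collapses "..", "./" and symlinks, so a prefix check on the
    // canonical string catches anything that escaped the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Returns the file's lines for an accepted name, false for a rejected one.
function read_import_hardened(string $baseDir, string $what)
{
    $path = resolve_import_path($baseDir, $what);
    return $path === null ? false : file($path);
}

// Constructed demonstration: a scratch directory holding one legitimate import.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xms_imports_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'news.txt', "hello\n");
var_dump(read_import_hardened($dir, 'news.txt'));          // legitimate name
var_dump(read_import_hardened($dir, '../../etc/passwd'));  // traversal attempt
var_dump(read_import_hardened($dir, '/etc/passwd'));       // absolute path
unlink($dir . DIRECTORY_SEPARATOR . 'news.txt');
rmdir($dir);
```

Run with the PHP CLI; the containment check after realpath() is what matters, since a plain string filter for "../" alone misses encoded or symlinked variants.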

Friday, March 15, 2013

HTB23114: Corel WordPerfect X6 untrusted pointer dereference vulnerability

WordPerfect Office X6
WordPerfect Office X6 – Standard Edition, Corel.com

High-Tech Bridge Security Research Lab discovered an untrusted pointer dereference vulnerability in Corel WordPerfect. Opening a malicious WPD (WordPerfect Document) file causes an immediate application crash, resulting in the loss of all unsaved application data of the user.

The crash begins within the WPWIN16.DLL module in the STARTAPP function, when the application attempts to call the STRNICMP procedure in the MSVCR80 module.

To exploit the vulnerability remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDAV share and trick the victim into downloading and opening the file.

A WPD file is provided by the researcher as a Proof of Concept (PoC) example.

Thursday, March 14, 2013

HTB23112: Corel Quattro Pro X6 NULL pointer dereference vulnerabilities

WordPerfect Office X6
WordPerfect Office X6 – Standard Edition, Corel.com

High-Tech Bridge Security Research Lab discovered two NULL pointer dereference vulnerabilities in Corel Quattro Pro. Opening a malicious QPW (Quattro Pro Spreadsheet) document causes an immediate application crash, resulting in the loss of all unsaved application data of the user.

The first crash occurs in the QPW160.dll module in the QProGetNotebookWindowHandle function, when the application tries to write a value through a corrupted pointer.

The second crash occurs in the QPW160.dll module in the Ordinal132 function, when the application tries to copy a buffer from ESI to EDI.

To exploit these vulnerabilities remotely, the attacker has to send a malicious file to the victim by email. In a web-based scenario, the attacker can host a malicious file on a website or WebDAV share and trick the victim into downloading and opening the file.

Two files are provided by the researcher as Proof of Concept (PoC) examples.

Thursday, March 7, 2013

HTB23145: CosCms OS Command Injection [CWE-78]

CosCms

CosCms version 1.721 has a high-risk OS Command Injection (CWE-78) vulnerability, rated 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C), according to HTB23145.

The vulnerability exists due to insufficient validation of user-supplied input in the "$_FILES['file']['name']" variable passed to the "/gallery/upload/index" URL before it is used in the PHP "exec()" function. A remote attacker can send a specially crafted HTTP POST request containing a malicious filename and execute arbitrary commands on the target system with the privileges of the web server.

Solution available: upgrade to CosCms 1.822.

Wednesday, March 6, 2013

HTB23139: Events Manager WordPress plugin multiple XSS vulnerabilities

Events Management plugin for WordPress

Multiple XSS vulnerabilities in Events Manager WordPress plugin version 5.3.3 were discovered by High-Tech Bridge Security Research Lab; they can be exploited to perform Cross-Site Scripting attacks.

These vulnerabilities exist due to insufficient filtration of user-supplied data in the "scope" GET parameter passed to "index.php", the "_wpnonce" GET parameter passed to "wp-admin/edit.php", the "user_name", "dbem_phone" and "user_email" GET parameters passed to "index.php", and the "booking_comment" POST parameter passed to "index.php". A remote attacker can trick a user or administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.

Solution available: upgrade to Events Manager 5.3.4. Additional details are available in advisory HTB23139 - Multiple XSS vulnerabilities in Events Manager WordPress plugin.

Events Manager is a popular WordPress plugin with fully featured event registration management, including recurring events, location management, a calendar, Google Maps integration and booking management. It is recommended to upgrade old versions to the latest release.