Vulnerability(JavaScript) on the self-service portal , WebADM

70 views

Skip to first unread message

Ильяс Утельбаев

unread,

Apr 26, 2023, 6:41:59 AM4/26/23

to RCDevs Security Solutions - Technical

Hello!

Vulnerability was detected on our self service portal. Our version is :

WebAdm v2.1.13, Self-Service Desk(SelfDesk) v1.2.10

Could you please share the way how we can fix this?

Impact

Attackers could potentially exploit the vulnerability in the JavaScript library. The impact of a successful exploit depends on the nature of the vulnerability and how the web application makes use of the library.

Solution

Please refer to the information provided in the response section. Also check the vendor's security advisories related to the vulnerable version of the library.

Detection Information

Parameter:No param has been required for detecting the information.Access Path:Here is the path followed by the scanner to reach the exploitable URL:

https://ss.dnapayments.com/
https://ss.dnapayments.com/selfdesk/index.php

Vulnerable javascript library: jQuery.ui.dialog
version: 1.12.1
script uri: https://ss.dnapayments.com/jquery-ui.js

Details:
CVE-2021-41182 : jQuery-UI versions before 1.13.0 are vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (jQuery UI 1.13.0 released ) for latest security updates.

----------------------------------------------

CVE-2021-41183 : jQuery-UI versions before 1.13.0 are vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (jQuery UI 1.13.0 released ) for latest security updates.

----------------------------------------------

CVE-2021-41184 : jQuery-UI versions before 1.13.0 are vulnerable to Cross-Site Scripting(XSS) attacks. Please refer to vendor documentation (jQuery UI 1.13.0 released ) for latest security updates.

----------------------------------------------

CVE-2022-31160 : jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery.

Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling ".checkboxradio( "refresh" )" on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code.

The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the "label" in a "span".

Found on the following pages (only first 10 pages are reported):
https://ss.dnapayments.com/selfdesk/login_uid.php

Tarik Rachdani

unread,

Apr 28, 2023, 11:51:39 AM4/28/23

to RCDevs Security Solutions - Technical

Hello,

Last stable versions should solve your problems.

https://repos.rcdevs.com/redhat/stable/

Regards

Reply all

Reply to author

Forward

0 new messages