WHAT IS HTML INJECTION?
HTML injection is a type of injection issue that occurs when a user controls an input point and is able to inject arbitrary HTML code into a vulnerable web page. It can be used to deface a web page or redirect the user to a malicious website. It can also be chained with other vulnerabilities to increase its impact.
Responsible Vulnerability Disclosure Formula Injection CVE-2020-2782: – Formula Injection Vulnerability in Oracle PeopleSoft Enterprise PeopleTools (Affected Versions 8.56, 8.57 and 8.58)
PeopleSoft is an e-business software product line owned by Oracle®. Oracle PeopleSoft originally offered human resources and finance applications. Over the years, it has added tools and applications for general business processes, such as materials management, and applications for specific industries, such as the automotive, communications, and higher-education fields. PeopleSoft provides users with an integrated ERP software package that assists in the day-to-day execution of various business operations. PeopleSoft applications are used by human resource departments in large corporations. These applications include human resource management systems (HRMS), customer relationship management (CRM), financials and supply chain management (FSCM), and enterprise performance management (EPM).
Responsible Vulnerability Disclosure CVE-2019-15510: ManageEngine DesktopCentral v 10 – Vulnerable to HTML Injection
Responsible Vulnerability Disclosure CVE-2019-13285: – CoSoSys Endpoint Protector DLP 220.127.116.11 allows Host Header Injection
CoSoSys is a leading developer of endpoint-centric Data Loss Prevention (DLP) solutions and security software. Its flagship product, Endpoint Protector, is an advanced all-in-one DLP solution for Windows, macOS, and Linux computers. The solution puts an end to unintentional data leaks, protects from malicious data theft, offers seamless control of portable storage devices, and helps to reach compliance with data protection regulations such as GDPR, HIPAA, CCPA, or PCI DSS. It provides a short learning curve and flexible modules that can be mixed and matched to a customer’s needs. The solution has functionalities such as Device Control, Content and Context Aware Protection, eDiscovery, and Enforced Encryption.
Responsible Vulnerability Disclosure CVE-2019-12864: – Vulnerable to Information Leakage, because of improper error handling in Stack traces in SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, Netpath 1.1.4)
SolarWinds® Network Performance Monitor (NPM) is a powerful and affordable network monitoring software that enables you to quickly detect, diagnose, and resolve network performance problems and outages. Network Performance Monitor is a multi-vendor network monitoring tool that scales and expands with the needs of your network. Key features include multi-vendor network monitoring, Network Insights for deeper visibility, intelligent maps, NetPath and PerfStack for easy troubleshooting, smarter scalability for large environments, and advanced alerting.
CORS (Cross-Origin Resource Sharing) provides a mechanism to deliberately share resources with domains outside the original domain in a controlled manner. If the CORS policy is not strongly implemented or enforced, it may lead to cross-domain attacks, such as leaking sensitive information (credentials, API keys, etc.) to an outside domain.
Responsible Vulnerability Disclosure CVE-2019-12954 SolarWinds Network Performance Monitor Orion platform-2018 npm 12-3 netpath 1-1-3 vulnerable to stored XSS
Network Performance Monitor – Introduction
Network Performance Monitor is a powerful network monitoring software that enables you to quickly detect, diagnose, and resolve network performance problems and outages. NPM uses to identify network elements. During Discovery, NPM scans the network for nodes, and when a node and associated elements are found, you can add them to the SolarWinds database for monitoring.
Responsible Vulnerability Disclosure CVE-2019-12863: – Stored HTML Injection vulnerability in SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4)
SSL pinning allows the application to trust only the valid or pre-defined certificate or public key. Application developers use SSL pinning as an additional security layer for application traffic. Normally, an application trusts custom certificates, which allows its traffic to be intercepted. With SSL pinning implemented, the application does not trust custom certificates and does not allow proxy tools to intercept the traffic.