CVE-2021-3002
Published 2021-01-01
CVE-2021-3002: Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
Priority: P340 · medium · CVSS 3.1 base score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 4.28% (89.9th percentile)
Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
Affected (26 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.11.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_curl_7.86.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_curl_7.86.0-1_on_cbl_mariner_1.0 | — | — |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 0 < 3002.2 | 3002.2 |
| saltstack | salt | >= 2016.11.0 < 3003rc1 | 3003rc1 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.3.0 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2017.5.0 < 2017.7.8 | 2017.7.8 |
| saltstack | salt | 2018.2.0 – 2018.3.5 | — |
| saltstack | salt | >= 2019.2.0 < 2019.2.8 | 2019.2.8 |
| saltstack | salt | >= 3000 < 3000.7 | 3000.7 |
| saltstack | salt | >= 3001 < 3001.5 | 3001.5 |
| saltstack | salt | >= 3002 < 3002.3 | 3002.3 |
| saltstack | salt | >= 3002 < 3002.5 | 3002.5 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | 9.8 | CRITICAL | — |
| vendor_msrc | 7.5 | HIGH | — |
GHSA · GHSA-8g5p-w4wh-f5fj: Seo Panel 4 · ghsa_unreviewed · 2022-05-24
CVE-2021-3002 [MEDIUM] CWE-79
Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.
GHSA · Command Injection in SaltStack Salt · ghsa · 2022-05-24
CVE-2021-31607 [HIGH] CWE-77
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
GHSA · SaltStack Salt Improper Authentication vulnerability · ghsa · 2022-05-24
CVE-2021-25281 [CRITICAL] CWE-287
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
GHSA · SaltStack Salt is vulnerable to shell injection via ProxyCommand argument · ghsa · 2022-05-24
CVE-2021-3197 [CRITICAL] CWE-74
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
GHSA · SaltStack Salt command injection in the Salt-API when using the Salt-SSH client · ghsa · 2022-05-24
CVE-2021-3148 [CRITICAL] CWE-77
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in `salt.utils.thin.gen_thin()` command injection because of different handling of single versus double quotes. This is related to `salt/utils/thin.py`.
GHSA · SaltStack Salt eauth tokens can be used once after expiration · ghsa · 2022-05-24
CVE-2021-3144 [CRITICAL] CWE-613
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run commands against the salt master or minions.)
GHSA · SaltStack Salt Cleartext Storage of Sensitive Information via cmdmod · ghsa · 2022-05-24
CVE-2021-25284 [MEDIUM] CWE-312
An issue was discovered in through SaltStack Salt before 3002.5. `salt.modules.cmdmod` can log credentials to the info or error log level.
GHSA · SaltStack Salt Directory Traversal vulnerability · ghsa · 2022-05-24
CVE-2021-25282 [HIGH] CWE-22
An issue was discovered in through SaltStack Salt before 3002.5. The `salt.wheel.pillar_roots.write` method is vulnerable to directory traversal.
GHSA · SaltStack Salt Server Side Template Injection · ghsa · 2022-05-24
CVE-2021-25283 [CRITICAL] CWE-94
An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks.
GHSA · Saltstack Salt Unauthenticated Arbitrary Code Execution · ghsa · 2022-05-24
CVE-2021-25315 [HIGH] CWE-287
An Incorrect Implementation of Authentication Algorithm vulnerability in SUSE SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
Red Hat · curl: HSTS bypass via IDN · vendor_redhat · 2022-10-26 · CVSS 7.5
CVE-2022-42916 [HIGH] CWE-319
In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly
Microsoft · vendor_msrc · 2022-10-11 · CVSS 7.5
CVE-2022-42916 [HIGH] CWE-319
In curl before 7.86.0 the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion e.g. using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux d
Red Hat · salt: Command injection in the snapper module · vendor_redhat · 2021-04-23 · CVSS 7.8
CVE-2021-31607 [HIGH] CWE-77
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function (which executes popen unsafely).
A flaw was found in Salt. A command injection vulnerability occurs in the snapper module that allows local privilege escalation on a minion. This attack requires the creation of a file with a pathname that is backed up by snapper, with the master calling the snapper.diff function. Snapper.diff executes the popen unsafely. The highest threat from this vulnerability is to confidentiality, integrity, as well as system
Red Hat · salt: API does not honor eAuth credentials for the wheel_async client · vendor_redhat · 2021-02-25 · CVSS 9.8
CVE-2021-25281 [CRITICAL] CWE-287
An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.
A flaw was found in Salt. The Salt-API does not have eAuth credentials for the wheel_async client. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Salt has been deprecated as of Red Hat Ceph Storage 2.5, as Salt was used to install RHSCON-2 and RHSCON-2 has reached End Of Life.
Package: salt (Red Hat Ceph Storage 2) - Will not fix
Red Hat · salt: Command injection in salt.utils.thin.gen_thin() · vendor_redhat · 2021-02-25 · CVSS 9.8
CVE-2021-3148 [CRITICAL] CWE-77
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
A flaw was found in salt. Command injection using the SaltAPI is possible due to json.dumps() escaping double quotes while leaving the single quotes untouched. The highest threat from this vulnerability is to data confidentiality and integrity.
Package: salt (Red Hat Ceph Storage 2) - Out of support scope
Red Hat · salt: Directory traversal in wheel.pillar_roots.write · vendor_redhat · 2021-02-25 · CVSS 9.1
CVE-2021-25282 [CRITICAL] CWE-22
An issue was discovered in through SaltStack Salt before 3002.5. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
A flaw was found in salt. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
Package: salt (Red Hat Ceph Storage 2) - Out of support scope
Red Hat · salt: webutils write passwords in cleartext to /var/log/salt/minion · vendor_redhat · 2021-02-25 · CVSS 4.4
CVE-2021-25284 [MEDIUM] CWE-312
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
A flaw was found in salt. Webutils write passwords in cleartext to /var/log/salt/minion.
Package: salt (Red Hat Ceph Storage 2) - Out of support scope
Red Hat · salt: Shell injection by including ProxyCommand in an argument · vendor_redhat · 2021-02-25 · CVSS 9.8
CVE-2021-3197 [CRITICAL] CWE-88
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
A flaw was found in Salt. The Salt-API's SSH client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Salt has been deprecated as of Red Hat Ceph Storage 2.5, as Salt was used to install RHSCON-2 and RHSCON-2 has reached End Of Life.
Package: salt (Red Hat Ceph Storage 2) - Will not fix
Red Hat · salt: eauth tokens can be used once after expiration · vendor_redhat · 2021-02-25 · CVSS 9.1
CVE-2021-3144 [CRITICAL] CWE-613
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run commands against the salt master or minions.)
A flaw was found in Salt where tokens can be used once after expiration. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Salt has been deprecated as of Red Hat Ceph Storage 2.5, as Salt was used to install RHSCON-2 and RHSCON-2 has reached End Of Life.
Package: salt (Red Hat Ceph Storage 2) - Will not fix
Red Hat · salt: Jinja renderer does not protect against server-side template injection attacks · vendor_redhat · 2021-02-25 · CVSS 9.8
CVE-2021-25283 [CRITICAL] CWE-94
An issue was discovered in through SaltStack Salt before 3002.5. The jinja renderer does not protect against server side template injection attacks.
A flaw was found in Salt. The jinja renderer does not protect against server-side template injection attacks. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Salt has been deprecated as of Red Hat Ceph Storage 2.5, as Salt was used to install RHSCON-2 and RHSCON-2 has reached End Of Life.
Package: salt (Red Hat Ceph Storage 2) - Will not fix
Red Hat · salt: salt-api unauthenticated remote code exec · vendor_redhat · 2021-02-17 · CVSS 9.8
CVE-2021-25315 [CRITICAL] CWE-94
CWE-287: Improper Authentication vulnerability in SUSE Linux Enterprise Server 15 SP 3; openSUSE Tumbleweed allows local attackers to execute arbitrary code via salt without the need to specify valid credentials. This issue affects: SUSE Linux Enterprise Server 15 SP 3 salt versions prior to 3002.2-3. openSUSE Tumbleweed salt version 3002.2-2.1 and prior versions.
A flaw was found in Salt. This issue is caused by an incorrect implementation of the authentication algorithm, where openSUSE Tumbleweed allows local attackers to execute arbitrary code via Salt without the need to specify
No detection rules found.
Nuclei · Seo Panel 4.8.0 - Cross-Site Scripting · nuclei · CVSS 6.1
CVE-2021-3002 [MEDIUM]
Seo Panel 4.8.0 contains a reflected cross-site scripting vulnerability via the seo/seopanel/login.php?sec=forgot email parameter.
Template:

```yaml
id: CVE-2021-3002

info:
  name: Seo Panel 4.8.0 - Cross-Site Scripting
  author: edoardottt
  severity: medium
  description: Seo Panel 4.8.0 contains a reflected cross-site scripting vulnerability via the seo/seopanel/login.php?sec=forgot email parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website.
  remediation: |
    Upgrade to a patched version of Seo Panel or apply the necessary security patches provided by the vendor.
  reference:
    - ht
```
Nuclei · SaltStack Salt <3002.5 - Auth Bypass · nuclei · CVSS 9.8
CVE-2021-25281 [CRITICAL]
SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.
Template:

```yaml
id: CVE-2021-25281

info:
  name: SaltStack Salt <3002.5 - Auth Bypass
  author: madrobot
  severity: critical
  description: SaltStack Salt before 3002.5 does not honor eauth credentials for the wheel_async client, allowing attackers to remotely run any wheel modules on the master.
  impact: |
    Unauthenticated attackers can remotely execute any wheel modules on the Salt master by bypassing eauth credentials, leading to complete infrastructure compromise and control over all managed systems.
  remediation: |
    Upgrade to SaltStack Salt version 3002.5 or later to mitigate this vulnerability.
  reference
```

Published: 2021-01-01