{"id":16538,"date":"2021-07-07T12:59:49","date_gmt":"2021-07-07T10:59:49","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2018-0002\/"},"modified":"2021-07-19T14:06:58","modified_gmt":"2021-07-19T12:06:58","slug":"usd-2018-0002","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2018-0002\/","title":{"rendered":"usd-2018-0002"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n

usd-2018-0002 | Starface\/6.4.3.34<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2018-0002<\/span>
CVE Number<\/strong>: N\/A<\/span>
Affected Product<\/strong>: Starface<\/span>
Affected Version<\/strong>: 6.4.3.34<\/span>
Vulnerability Type<\/strong>: Language Expression Injection<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.starface.com<\/a>
Vendor Status<\/strong>: Not fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

In a Language Expression Injection attack the user input is evaluated by the Language Expression Interpreter. The attacker has access to the Java objects which are currently in scope. The impact can be leaking sensitive information up to code execution.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The \u201aitems\u2018 parameter is evaluated by the Java Language Expression Interpreter which may lead to code execution. Vulnerable Requests:
\u2013 \/config\/voicebox\/display\/group.do
\u2013 \/config\/voicebox\/display\/user.do
\u2013 \/template\/list.do
The Language Expression Injection can also be used as xss.<\/p>\n

=> PoC will be published when all issues are fixed.<\/p>\n

<\/h3>\n

Fix<\/h3>\n

Make sure to validate the user input before putting it into the expression language interpreter.<\/span><\/p>\n

<\/h3>\n

Credits<\/h3>\n

These security vulnerabilities were found by Sebastian Puttkammer of usd AG.<\/span><\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

usd-2018-0002 | Starface\/6.4.3.34 Advisory ID: usd-2018-0002CVE Number: N\/AAffected Product: StarfaceAffected Version: 6.4.3.34Vulnerability Type: Language Expression InjectionSecurity Risk: HighVendor URL: https:\/\/www.starface.comVendor Status: Not fixed Description In a Language Expression Injection attack the user input is evaluated by the Language Expression Interpreter. The attacker has access to the Java objects which are currently in scope. The impact […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16538","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16538","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16538"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16538\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}