@devom3
devom3 / CVE-2024-57240_Apryse_WebViewer_XSS.md
Last active March 17, 2025 14:59
CVE-2024-57240: Cross-Site Scripting (XSS) Vulnerability in Apryse WebViewer <= 11.1

CVE-2024-57240: Cross-Site Scripting (XSS) Vulnerability in Apryse WebViewer ≤ 11.1

Date Published: Feb 24 2025

Summary

A Cross-Site Scripting (XSS) vulnerability has been identified in Apryse WebViewer versions up to and including 11.1. This vulnerability allows remote attackers to execute arbitrary JavaScript code by supplying a crafted PDF file. The issue arises due to improper sanitization of user-supplied input during PDF rendering.

Affected Product

@fatherGoose1
fatherGoose1 / cronos-reentrancy.md
Created March 22, 2024 16:43
Bug report of Tectonic (Cronos) reentrancy to mint tokens at 100x actual rate.

Bug Description

There is a reentrancy vulnerability in TectonicStakingPoolV3.sol (https://cronoscan.com/address/0xE165132FdA537FA89Ca1B52A647240c2B84c8F89).

The issue arises due to the function performConversionForTokens() which is currently open for anyone to call because tcmPublicAccess is currently true. During a call to performConversionForTokens(), reentrancy can be achieved with the end result being the free minting of xTonic tokens. A brief description of the token conversion process:

  • The staking pool contract holds predominantly TONIC.
  • Other approved tokens held by the staking pool can be swapped for TONIC. For example, if the pool holds some WCRO, it can be swapped for TONIC using performConversionForTokens() which increases the contract's TONIC balance, thus increasing rewards for its stakers.
  • Upon successful conversion, any extra TONIC that was received during the swap (more than the oracle quote) is sent to the function caller as a reward.

The issue with the above is that a caller can

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

**1.

@shariqmalik
shariqmalik / Configure_WSA_for_Pentest.md
Last active May 25, 2025 16:04
Configure WSA (Windows Subsystem for Android) for Pentest
@shariqmalik
shariqmalik / oneliner_aws_temp_creds_generator.md
Last active August 28, 2023 18:08
Oneliners to generate formatted temporary AWS STS credentials based on a preconfigured AWS profile

Oneliners to generate formatted temporary AWS STS credentials based on a preconfigured AWS profile.

For Windows (Powershell)

aws sts get-session-token --duration-seconds (Read-Host -Prompt "Session Duration") --serial-number (Read-Host -Prompt "Serial Number") --token-code (Read-Host -Prompt "MFA code") | ConvertFrom-Json | %{$_.Credentials} | %{@{aws_access_key_id=$_.AccessKeyId;aws_secret_access_key=$_.SecretAccessKey;aws_session_token=$_.SessionToken}} | ConvertTo-Json -Compress | %{$_ -replace "{","`n`n[profile-name]`n"} | %{$_ -replace "}",""} | %{$_ -replace ":"," = "} | %{$_ -replace '"',""} | %{$_ -replace ",","`n"} | %{$_ -replace "profile-name", (Read-Host -Prompt "Profile Name")} | tee -Variable _ | Add-Content $HOME\.aws\credentials

For Linux (bash)

@perXautomatik
perXautomatik / Disclaimer.md
Last active August 15, 2022 10:28
Full Windows [SYSTEM cleanup script] - Script Center - Spiceworks

This script has not been checked by Spiceworks. Please understand the risks before using it.

To install Docker on Debian as root:
1) apt-get update
2) apt-get install ca-certificates curl gnupg lsb-release
3) curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
4) echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
5) apt-get update
6) apt-get install docker-ce docker-ce-cli containerd.io
@ahbanavi
ahbanavi / encryption.php
Last active May 1, 2024 23:18
Encrypt / Decrypt JSON data between Python and PHP using AES 256 GCM
<?php
const PASSPHRASE = ''; // use 'openssl rand -hex 32' to generate key, same with python
function encrypt(array $data): string
{
    // JSON-encode the payload, then base64 it so the plaintext is ASCII-safe
    $data_json_64 = base64_encode(json_encode($data));
    // PASSPHRASE holds the 32-byte key as hex; decode it to raw bytes
    $secret_key = hex2bin(PASSPHRASE);
    // fresh random IV per message (12 bytes for AES-GCM)
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-gcm'));
    $tag = ''; // filled in by openssl_encrypt with the GCM authentication tag
    $encrypted_64 = openssl_encrypt($data_json_64, 'aes-256-gcm', $secret_key, 0, $iv, $tag);
@pikpikcu
pikpikcu / CVE-2021-25646.md
Last active January 10, 2022 12:32
CVE-2021-25646
POST /druid/indexer/v1/sampler?for=example-manifest HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1006
Connection: close
@0xf4n9x
0xf4n9x / CVE-2021-25646 POC
Created February 2, 2021 15:21
CVE-2021-25646 Apache Druid RCE POC
POST /druid/indexer/v1/sampler HTTP/1.1
Host: x.x.x.x:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/json
Content-Length: 1045
Connection: close