{"id":6975,"date":"2017-03-14T14:20:35","date_gmt":"2017-03-14T22:20:35","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/14\/news-766\/"},"modified":"2017-03-14T14:20:35","modified_gmt":"2017-03-14T22:20:35","slug":"news-766","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/14\/news-766\/","title":{"rendered":"SSD Advisory \u2013 SolarWinds Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: Maor Schwartz| Date: Tue, 14 Mar 2017 07:15:01 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> SolarWinds Server and Application Monitor version 6.1.1 has been found to contain multiple vulnerabilities:<\/p>\n<ol>\n<li>Node Custom Properties Persistent XSS<\/li>\n<li>Audit Events Module Persistent XSS<\/li>\n<li>Custom &#8220;Data Source&#8221; and &#8216;Where Clause&#8217; Persistent XSS<\/li>\n<li>&#8220;Build Dynamic Query Name&#8221; Persistent XSS<\/li>\n<li>Multiple Persistent XSS Vulnerabilities Via &#8216;Title&#8217; field<\/li>\n<li>Application Monitor Template Persistent XSS<\/li>\n<li>NOC View Name Persistent XSS<\/li>\n<\/ol>\n<p><strong>Credit<\/strong><br \/> An independent security researcher has reported these vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We notified SolarWinds about the vulnerabilities back in August 2015. Repeated attempts to re-establish contact and get some answers on the status of the patches for these vulnerabilities went unanswered. We also contacted CERT in August 2015, but they were unable to get SolarWinds to address these issues.
At this time there is no solution or workaround for these vulnerabilities.<\/p>\n<p><span id=\"more-2933\"><\/span><\/p>\n<p><u><strong>Vulnerabilities Details<\/strong><\/u><br \/> <u>Node Custom Properties Persistent XSS<\/u><br \/> The vulnerability can be found in &#8216;<em>Add Custom Property<\/em>&#8216;<\/p>\n<ol>\n<li>From the Settings, click &#8216;<em>Manage Nodes<\/em>&#8216; in the &#8216;<em>Node &#038; Group Management module<\/em>&#8216;<\/li>\n<li>Click &#8216;<em>Add Node<\/em>&#8216;, enter a valid IP address, select &#8216;<em>No Status<\/em>&#8216;, and click Next<\/li>\n<li>Click Next; this should bring you to the &#8216;<em>Change Properties<\/em>&#8216; section<\/li>\n<li>Click the &#8216;<em>Manage Custom Properties<\/em>&#8216; link.<\/li>\n<li>Click &#8216;<em>Add Custom Property<\/em>&#8216;, then click Next.<\/li>\n<\/ol>\n<p>The &#8216;<em>Name<\/em>&#8216; and the &#8216;<em>description<\/em>&#8216; fields do not sanitize user input, allowing HTML and JavaScript code injection.
The injected code is then visible (once saved) when the attached node is edited.<\/p>\n<p>Sample code used:<\/p>\n<pre>&lt;script&gt;alert(1)&lt;\/script&gt;<\/pre>\n<p><u>Audit Events Module Persistent XSS<\/u><br \/> The <em>Audit Events Module<\/em> (from the summary page) does not properly sanitize user-generated input. If unauthorized code is injected into values that will be displayed when an event is generated, the <em>Audit Events Module<\/em> will display the code in its entirety.<\/p>\n<p><u>Custom &#8220;Data Source&#8221; and &#8216;Where Clause&#8217; Persistent XSS<\/u><br \/> When creating a custom data source, it is possible to enter data such that one field will break the code, and the other field will then execute the injected code. This has been identified in two locations, as follows:<\/p>\n<p>Option 1:<\/p>\n<ol>\n<li>From the home screen, click &#8216;<em>Custom Summary<\/em>&#8216;, and then edit the &#8216;<em>Custom Table<\/em>&#8216; module<\/li>\n<li>Click &#8216;<em>select datasource<\/em>&#8216;<\/li>\n<li>Click add condition, change field to &#8216;<em>description<\/em>&#8216; and enter &#8220;<em>&gt;&lt;script&gt;alert(1)&lt;\/script&gt;&#8221;<\/em><\/li>\n<li>Under Selection name, enter <em>&#8220;&gt;&lt;script&gt;alert(2);&lt;\/script&gt;&#8221;<\/em><\/li>\n<\/ol>\n<p>Option 2:<\/p>\n<ol>\n<li>From the home screen, click &#8216;<em>Custom Summary<\/em>&#8216;, and then edit the &#8216;<em>Custom Chart<\/em>&#8216; module<\/li>\n<li>Click &#8216;<em>select datasource<\/em>&#8216;<\/li>\n<li>Click add condition, change field to &#8216;<em>description<\/em>&#8216; and enter &#8220;<em>&gt;&lt;script&gt;alert(1)&lt;\/script&gt;<\/em>&#8220;<\/li>\n<li>Under Selection name, enter &#8220;<em>&gt;&lt;script&gt;alert(2);&lt;\/script&gt;<\/em>&#8220;<\/li>\n<\/ol>\n<p>Breaking out of one entry point allows for the execution of the
other. The injected code is then visible when the table\/chart is edited.<\/p>\n<p><u>&#8220;Build Dynamic Query Name&#8221; Persistent XSS<\/u><br \/> The vulnerability can be found in &#8216;<em>add dynamic query<\/em>&#8216;<\/p>\n<ol>\n<li>From the home screen, click &#8216;<em>groups<\/em>&#8216;, and then &#8216;<em>manage groups<\/em>&#8216; in the &#8216;<em>all groups<\/em>&#8216; module<\/li>\n<li>Click &#8216;<em>add new group<\/em>&#8216;<\/li>\n<li>Enter a name and description and then click next<\/li>\n<li>Now you should be at the &#8216;<em>add orion objects<\/em>&#8216; screen<\/li>\n<li>Click &#8216;<em>add dynamic query<\/em>&#8216;<\/li>\n<\/ol>\n<p>The &#8216;dynamic query object name&#8217; field does not properly sanitize user input, allowing for code injection. The injected code is then visible (once saved) by editing the query again.<\/p>\n<p><u>Multiple Persistent XSS Vulnerabilities Via &#8216;<em>Title<\/em>&#8216; field<\/u><br \/> Several modules contain the ability to edit them and modify the title of the displayed module. This title field does not properly sanitize user input, and is thus subject to XSS attacks that are triggered when the module is edited again. Some of these modules will trigger an event that then displays the attack on the main summary screen. 
<\/p>\n<p>Option 1:<\/p>\n<ul>\n<li>From the home screen, click &#8216;<em>groups<\/em>&#8216;, and then edit the &#8216;<em>all groups<\/em>&#8216; module<\/li>\n<\/ul>\n<p>Option 2:<\/p>\n<ul>\n<li>From the home screen, click &#8216;<em>groups<\/em>&#8216;, and then edit the &#8216;<em>Groups With Problems<\/em>&#8216; module<\/li>\n<\/ul>\n<p>Option 3:<\/p>\n<ul>\n<li>From the home screen, click &#8216;<em>groups<\/em>&#8216;, and then edit the &#8216;<em>Map<\/em>&#8216; module<\/li>\n<\/ul>\n<p>Option 4:<\/p>\n<ul>\n<li>From the home screen, click &#8216;groups&#8217;, and then edit the &#8216;Last 25 Group Events&#8217; module<\/li>\n<\/ul>\n<p>Option 5:<\/p>\n<ul>\n<li>From the home screen, click &#8216;Virtualization&#8217;, and then edit the &#8216;Virtualization Assets&#8217; module<\/li>\n<\/ul>\n<p>Option 6:<\/p>\n<ul>\n<li>From the home screen, click &#8216;Virtualization&#8217;, and then edit the &#8216;Virtualization Assets Summary&#8217; module<\/li>\n<\/ul>\n<p>All modules are affected for Groups, Virtualization, Applications\/Exchange, Applications\/SQL Server, Applications\/IIS, Applications\/Windows, Applications\/Linux, and Applications\/Active Directory<\/p>\n<p>Sample code used:<\/p>\n<pre>&lt;script&gt;alert(1)&lt;\/script&gt;<\/pre>\n<p><u>Application Monitor Template Persistent XSS<\/u><br \/> The vulnerability can be found in &#8216;<em>Create New Template<\/em>&#8216;<\/p>\n<ol>\n<li>From the home screen, click &#8216;<em>Applications<\/em>&#8216; tab, and then click &#8216;<em>Active Directory<\/em>&#8216;<\/li>\n<li>Click &#8216;<em>Manage Applications<\/em>&#8216; in the &#8216;<em>All Applications<\/em>&#8216; Module<\/li>\n<li>Click &#8216;<em>Application Monitor Templates<\/em>&#8216;<\/li>\n<li>Click &#8216;<em>Create New Template<\/em>&#8216;<\/li>\n<\/ol>\n<p>Sample code used:<\/p>\n<pre>&lt;script&gt;alert(1)&lt;\/script&gt;<\/pre>\n<p><u>NOC View Name Persistent XSS<\/u><br \/> The vulnerability can be found in &#8216;<em>Create New Template<\/em>&#8216;<\/p>\n<ol>\n<li>From the home screen, click &#8216;<em>Virtualization<\/em>&#8216;, and
then click &#8216;<em>Customize Page<\/em>&#8216;<\/li>\n<li>Scroll down and click &#8216;<em>list of related NOC views<\/em>&#8216;<\/li>\n<li>Add or edit a NOC view. The name field does not sanitize user input, allowing for code injection<\/li>\n<\/ol>\n<p>The injected code is then visible (once saved) either by editing the view again or when editing the limitation page.<\/p>\n<p>Sample code used:<\/p>\n<pre>&lt;script&gt;alert(1)&lt;\/script&gt;<\/pre>\n<\/p><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2933\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Maor Schwartz| Date: Tue, 14 Mar 2017 07:15:01 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary SolarWinds Server and Application Monitor version 6.1.1 has been found to contain multiple vulnerabilities: Node Custom Properties Persistent XSS Audit Events Module Persistent XSS Custom &#8220;Data Source&#8221; and &#8216;Where Clause&#8217; Persistent XSS &#8220;Build Dynamic
Query Name&#8221; Persistent XSS Multiple Persistent XSS Vulnerabilities Via &#8216;Title&#8217; field Application Monitor Template Persistent XSS NOC View Name &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2933\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 SolarWinds Multiple Vulnerabilities<\/span> <span class=\"meta-nav\">&#8594;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11640,10757],"class_list":["post-6975","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-cross-site-scripting","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6975"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6975\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6975"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":
true}]}}