Uploaded image for project: 'Shell OneHub'
  1. Shell OneHub
  2. SO-2523

2. Out-of-date Version (Moment.js)

    XMLWordPrintable

    Details

      Description

      Invicti Enterprise identified that the target web site is using Moment.js and detected that it is out of date.
      Impact
      Since this is an old version of the software, it may be vulnerable to attacks.
      Moment.js Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability
      Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability
      impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly
      used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a
      workaround, sanitize the user-provided locale name before passing it to Moment.js.
      Affected Versions
      1.0.1 to 2.29.1
      External References
      CVE-2022-24785
      Exploits
      Vulnerabilities
      2.1. https://sfs.turkiyeshell.com/
      Identified Version
      2.29.1
      Latest Version
      2.29.4
      Vulnerability Database
      Result is based on 06/27/2023 15:00:00 vulnerability database content.

      Request
      GET / HTTP/1.1
      Host: sfs.turkiyeshell.com
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
      Accept-Language: en-us,en;q=0.5
      Cache-Control: no-cache
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
      Chrome/108.0.5359.71 Safari/537.36
      8/43
      Response
      Response Time (ms) : 1007.3124
      Total Bytes Received : 874
      Body Length : 0
      Is Compressed : No

      HTTP/1.1 200 OK
      Set-Cookie: .AspNetCore.Antiforgery.IOH2qP4C9lk=CfDJ8I4hPoQOtxJNkFdlxKdQaaj61YWL07fDpF-ClCDhm_pPgj67UZX3w2uryZeXKR60HZMGynGssWi2luhrYfHAfcWHsRTa05TQKE8z2Idgvlgxkc9jNi6X22oqjJCv68RzFXOJ2p3NAe3AlBLw06
      LPIE; path=/; secure; samesite=strict; httponly
      Set-Cookie:
      .AspNetCore.Session=CfDJ8I4hPoQOtxJNkFdlxKdQaahdraxoML2YikJMr5CtJegWDjJBB4cc7DLrVuZbE1SQ47e%2Bp2rv3A
      6QidMg6Qpd4ExEJ2QwFKjm8Lus2I%2Ft3WUvje5SqvKtsGb5dMAIoAtHXJsYsqgSX5V2XPdaNKDY9ghWS6payV%2BcBIOSr2dOFV
      qP; path=/; secure; samesite=lax; httponly
      Referrer-Policy: no-referrer
      X-Content-Type-Options: nosniff
      Expires: -1
      Pragma: no-cache
      X-XSS-Protection: 1
      X-Frame-Options: SAMEORIGIN
      Strict-Transport-Security: max-age=2592000
      Vary: Accept-Encoding
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Date: Fri, 30 Jun 2023 22:37:53 GMT
      Cache-Control: no-store, no-cache
      <!DOCTYPE html>
      <html lang="en">
      <head>
      <base href="">
      <meta charset="utf-8" />
      <title>Giriş | SFS Portalı</title>
      <meta name="description" content="Shell Filo Çözümleri SFS Portalı" />
      <meta property="og:title" content="Shell Filo Çözümleri Portalı" />
      <meta name="description" content="Filo yönetiminde ihtiyaç duyduğunuz Shell TTS, Partner Card,
      Kurumsal HGS ve Pratik Kart ürünlerine buradan ulaşabilir, filonuzu ofisinizden çıkmadan tek
      merkezden kolayca yönetebilirsiniz.">
      <meta property="og:description" content="Filo yönetiminde ihtiyaç duyduğunuz Shell TTS, Partner
      Card, Kurumsal HGS ve Pratik Kart ürünlerine buradan ulaşabilir, filonuzu ofisinizden çıkmadan tek
      merkezden kolayca yönetebilirsiniz." />
      <meta property="og:site_name" content="Shell Filo Çözümleri Portalı">
      <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no" />
      <meta property="og:image" content="~/assets/shell-ographimg.png">
      <meta property="og:type" content="website" />
      <script>
      var tim

        Attachments

          Activity

            People

            Assignee:
            mehmet Mehmet Gülenç
            Reporter:
            Seher Seher Bayar (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: