Headline
CVE-2022-48327: XSS_in_mapos
Multiple Cross Site Scripting (XSS) vulnerabilities in Mapos 4.39.0 allow attackers to execute arbitrary code. Affects the following parameters: (1) dataInicial, (2) dataFinal, (3) tipocliente, (4) format, (5) precoInicial, (6) precoFinal, (7) estoqueInicial, (8) estoqueFinal, (9) de_id, (10) ate_id, (11) clientes_id, (12) origem, (13) cliente, (14) responsavel, (15) status, (16) tipo, (17) situacao in file application/controllers/Relatorios.php; (18) preco, (19) nome, (20) descricao, (21) idServicos, (22) id in file application/controllers/Servicos.php; (23) senha, (24) permissoes_id, (25) idUsuarios, (26) situacao, (27) nome, (28) rg, (29) cpf, (30) cep, (31) rua, (32) numero, (33) bairro, (34) cidade, (35) estado, (36) email, (37) telefone, (38) celular in file application/controllers/Usuarios.php; (39) dataVenda, (40) observacoes, (41) observacoes_cliente, (42) clientes_id, (43) usuarios_id, (44) idVendas, (45) id, (46) idVendasProduto, (47) preco, (48) quantidade, (49) idProduto, (50) produto, (51) desconto, (52) tipoDesconto, (53) resultado, (54) vendas_id, (55) vencimento, (56) recebimento, (57) valor, (58) recebido, (59) formaPgto, (60) tipo in file application/controllers/Vendas.php; (61) situacao, (62) periodo, (63) vencimento_de, (64) vencimento_ate, (65) tipo, (66) status, (67) cliente in file application/views/financeiro/lancamentos.php; (68) year in file application/views/mapos/painel.php; (69) pesquisa in file application/views/os/os.php; (70) etiquetaCode in file application/views/relatorios/imprimir/imprimirEtiquetas.php.
Link: https://github.com/RamonSilva20/mapos
Multiple XSS vulnerabilities.
For example,
‘telefone’ is saved in the DB, then it is retrieved and printed in the view.
In file mapos-master\application\controllers\Clientes.php
```php
$data = [
    //…
    'telefone' => $this->input->post('telefone'), // request value stored as submitted
    //…
];
if ($this->clientes_model->edit('clientes', $data, 'idClientes', $this->input->post('idClientes')) == true) {
    //…
}
```
```php
public function edit($table, $data, $fieldID, $ID)
{
    $this->db->where($fieldID, $ID);
    $this->db->update($table, $data);
    if ($this->db->affected_rows() >= 0) {
        return true;
    }
    return false;
}
```
In file mapos-master\application\controllers\Relatorios.php
```php
$data['clientes'] = $this->Relatorios_model->clientesCustom($dataInicial, $dataFinal, $this->input->get('tipocliente'));
//…
$data['topo'] = $this->load->view('relatorios/imprimir/imprimirTopo', $data, true);
```
```php
public function clientesCustom($dataInicial = null, $dataFinal = null, $tipo = null)
{
    $whereData = '';
    if ($dataInicial != null) {
        $whereData .= "AND dataCadastro >= " . $this->db->escape($dataInicial);
    }
    if ($dataFinal != null) {
        $whereData .= "AND dataCadastro <= " . $this->db->escape($dataFinal);
    }
    if ($tipo != null) {
        $whereData .= "AND fornecedor = " . $this->db->escape($tipo);
    }
    $query = "SELECT * FROM clientes WHERE dataCadastro $whereData ORDER BY nomeCliente";

    return $this->db->query($query, [$dataInicial, $dataFinal])->result();
}
```
In file
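```php
<?php foreach ($clientes as $c) : ?>
    <!-- stored value is echoed into the page without output encoding -->
    <td align="center"><?= $c->telefone ?></td>
<?php endforeach; ?>
```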
Another example,
In file mapos-master\application\views\arquivos\arquivos.php
```php
<input type="text" name="pesquisa" id="pesquisa" placeholder="Digite o nome do documento para pesquisar" class="span12" value="<?= $this->input->get('pesquisa') ?>">
```
If you agree with the vulnerabilities, I will report the other vulnerabilities.
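
The two sinks shown in the report (the stored `telefone` value echoed into a table cell, and the `pesquisa` parameter echoed into a `value` attribute), each beside an output-encoded form. This is an added example, not code from Mapos or from the report; the helper `e()` and the four function names are hypothetical, the inputs are constructed, and it uses plain PHP `htmlspecialchars()` so it runs without the framework.

```php
<?php
declare(strict_types=1);

/** Encode a value for HTML element content and for quoted attribute values. */
function e($value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close value="...".
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Sink 1 as in the report: stored field echoed into a table cell. */
function cellVulnerable(object $c): string
{
    return '<td align="center">' . $c->telefone . '</td>';
}

function cellHardened(object $c): string
{
    return '<td align="center">' . e($c->telefone) . '</td>';
}

/** Sink 2 as in the report: request parameter echoed into a quoted attribute. */
function inputVulnerable(array $get): string
{
    return '<input type="text" name="pesquisa" value="' . ($get['pesquisa'] ?? '') . '">';
}

function inputHardened(array $get): string
{
    return '<input type="text" name="pesquisa" value="' . e($get['pesquisa'] ?? '') . '">';
}

// Constructed inputs standing in for a database row and for $_GET.
$row = (object) ['telefone' => '<script>alert(1)</script>'];
$get = ['pesquisa' => '" onfocus="alert(1)'];

foreach ([cellVulnerable($row), cellHardened($row), inputVulnerable($get), inputHardened($get)] as $html) {
    echo $html, PHP_EOL;
}

// Hardened output must carry no tag and no quote character from the input.
if (strpos(cellHardened($row), '<script') !== false) {
    throw new RuntimeException('markup from the stored value reached the cell');
}
if (substr_count(inputHardened($get), '"') !== 6) { // 6 = the template's own quotes
    throw new RuntimeException('a quote from the parameter reached the attribute');
}
```

Encoding at the point of output covers both the stored and the reflected case, because it does not depend on how the value entered the application.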