CVE-2023-23012: XSS in classroombookings
A stored Cross-Site Scripting (XSS) vulnerability in craigrodway classroombookings 2.6.4 allows an attacker who can submit the week form handled by Weeks.php to inject arbitrary HTML/JavaScript via the bgcol input. The payload is saved to the database and executes in the browser of any user who views the timetable weeks list (other unspecified impacts are possible).
Link: https://github.com/craigrodway/classroombookings
Vulnerability details

In file classroombookings-master\application\controllers\Weeks.php, function save_week takes the 'bgcol' input from the POST body and stores it in the database with no validation. It is later passed to the view, where it is printed without any output encoding:

    $data = array(
        'name'  => $this->input->post('name'),
        'bgcol' => $this->input->post('bgcol'),
    );
    if ($week_id = $this->weeks_model->insert($data)) {
        //…
    }
In file classroombookings-master\application\models\Weeks_model.php, the row is written as-is:

    public function insert($data) {
        $data = $this->sleep_values($data);
        $insert = $this->db->insert($this->table, $data);
        return $insert ? $this->db->insert_id() : FALSE;
    }
Also in classroombookings-master\application\controllers\Weeks.php, function index reads every stored week back and hands the list to the view:

    public function index() {
        $this->data['weeks'] = $this->weeks_model->get_all();
        $this->data['title'] = $this->data['showtitle'] = 'Timetable Weeks';
        $body = $this->load->view('weeks/index', $this->data, TRUE);
        $this->data['body'] = $body;
        return $this->render();
    }
In file classroombookings-master\application\models\Weeks_model.php, get_all returns the stored values unchanged:

    public function get_all() {
        $query = $this->db->from($this->table)
            ->order_by('name', 'ASC')
            ->get();
        if ($query->num_rows() > 0) {
            $result = $query->result();
            //…
            return $result;
        }
    }
In file classroombookings-master\application\views\weeks\index.php, each week is rendered through the week_dot helper and the result is echoed directly into the table:

    <?php
    foreach ($weeks as $week) {
        //…
        $dot = week_dot($week);
        echo "<td style='text-align:center'>{$dot}</td>";
        //…
    }
    ?>
In file classroombookings-master\application\helpers\week_helper.php, week_dot only strips the '#' character from bgcol before interpolating it into a single-quoted style attribute. Nothing checks that the value is a colour and nothing HTML-encodes it, so a bgcol value containing a single quote closes the style attribute and can add an event handler or further markup:

    function week_dot($week, $size = 'md') {
        $col = $week->bgcol;
        $col = str_replace('#', '', $col);
        $col = '#' . $col;
        $out = "<span class='dot dot-week dot-size-{$size}' style='background-color:{$col}'></span>";
        return $out;
    }
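The following is an added, stand-alone PHP example (no CodeIgniter dependency); it is not code from the classroombookings project. It reproduces the vulnerable week_dot sink beside a hardened version, runs both against a constructed attacker payload, and shows the input validation the controller should apply before the value ever reaches weeks_model->insert(). The helper names normalize_hex_colour, week_dot_hardened and validate_week_input are hypothetical.

```php
<?php
// Added example, not code from the classroombookings project.

// Constructed attacker input for bgcol: a plausible colour followed by a
// single quote that closes the style attribute and an injected event handler.
const PAYLOAD = "#ff0000' onmouseover='alert(document.cookie)";

// Vulnerable sink, equivalent to week_dot() in application/helpers/week_helper.php:
// bgcol is only stripped of '#' and then interpolated into a single-quoted attribute.
function week_dot_vulnerable($week, $size = 'md') {
    $col = str_replace('#', '', $week->bgcol);
    $col = '#' . $col;
    return "<span class='dot dot-week dot-size-{$size}' style='background-color:{$col}'></span>";
}

// Hypothetical helper: accept only a 3- or 6-digit hex colour, with or without
// a leading '#'. Returns null for anything else so the caller can reject it.
function normalize_hex_colour($value) {
    $col = ltrim((string) $value, '#');
    if (preg_match('/\A(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6})\z/', $col) === 1) {
        return '#' . strtolower($col);
    }
    return null;
}

// Hardened sink: validate (falling back to a neutral colour), restrict $size to
// the known CSS classes, and still HTML-encode on output. ENT_QUOTES matters here
// because the attribute is single-quoted; without it a "'" would pass through.
function week_dot_hardened($week, $size = 'md') {
    $col  = normalize_hex_colour($week->bgcol) ?? '#cccccc';
    $size = in_array($size, ['sm', 'md', 'lg'], true) ? $size : 'md';
    $safe_col = htmlspecialchars($col, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<span class='dot dot-week dot-size-{$size}' style='background-color:{$safe_col}'></span>";
}

// Input-side check the controller should run before weeks_model->insert():
// returns a list of validation errors (empty when the input is acceptable).
function validate_week_input(array $post) {
    $errors = [];
    if (trim((string) ($post['name'] ?? '')) === '') {
        $errors[] = 'name is required';
    }
    if (normalize_hex_colour($post['bgcol'] ?? '') === null) {
        $errors[] = 'bgcol must be a 3- or 6-digit hex colour';
    }
    return $errors;
}

// Constructed week row, as it would come back from get_all().
$week = (object) ['name' => 'Week A', 'bgcol' => PAYLOAD];

echo "Vulnerable: ", week_dot_vulnerable($week), "\n";
// -> ... style='background-color:#ff0000' onmouseover='alert(document.cookie)'></span>
echo "Hardened:   ", week_dot_hardened($week), "\n";
// -> ... style='background-color:#cccccc'></span>
print_r(validate_week_input(['name' => 'Week A', 'bgcol' => PAYLOAD]));
// -> Array ( [0] => bgcol must be a 3- or 6-digit hex colour )
print_r(validate_week_input(['name' => 'Week A', 'bgcol' => '#0A0a0a']));
// -> Array ( )
```

Both layers are deliberate: the whitelist on input stops bad values from ever being stored, and the output encoding in the helper protects the page even if a value reaches the weeks table by another path (a direct DB edit, an older import, a second controller). In a CodeIgniter 3 application the input check maps naturally onto a form_validation rule such as regex_match on the bgcol field, and the output escaping onto html_escape() or htmlspecialchars() with ENT_QUOTES in the helper.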