Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-25395: CVE-nu11secur1ty/vendors/oretnom23/2022/Cosmetics-and-Beauty-Product-Online-Store at main · nu11secur1ty/CVE-nu11secur1ty

Cosmetics and Beauty Product Online Store v1.0 was discovered to contain multiple reflected cross-site scripting (XSS) attacks via the search parameter under the /cbpos/ app.

CVE
Open in Source
#xss#vulnerability#git

Cosmetics-and-Beauty-Product-Online-Store****Vendor

Description:

The search parameter from /cbpos/ app on Cosmetics and Beauty Product Online Store v1.0 appears to be vulnerable to multiple XSS-Reflected attacks. The attacker can take very sensitive information from the system and even he can prepare a very dangerous RCE by using this XSS vulnerability.

Status: CRITICAL

[+] Payloads:

<a href="https://www.malicious_site.com/">Please visit our beauty store!</a>
<a href="https://www.nu11secur1ty.com/"><img src=https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif">

  • RCE example:

    <a href="http://192.168.1.8/cbpos/uploads/product_4/banner.3.jpg"><img src=https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif">

Reproduce:

href

Proof and Exploit:

href

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE