CVE-2023-30210: OURPHP <= v7.2.0 ourphp_tz.php reflected XSS

OURPHP <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) via ourphp_tz.php.


This file appears to be a test file. If the website administrator does not delete it, it may expose an XSS vulnerability and some information leakage.
Later, I found that this file was also referenced in the background, so it is not a test file.

Looking at line 619 of the code in the /client/manage/ourphp_tz.php file, we can see the following.

If the GET request passes in two parameters, an act parameter with the value rt and a parameter named callback, the page directly echoes the contents of the callback parameter.

So the payload is simple, as follows:

/client/manage/ourphp_tz.php?act=rt&callback=<script>alert(`xss`)</script>

Reproducing the vulnerability

Download the code from the following link and install it directly in PHP Study.

https://down.chinaz.com/api/index/download?id=51308&type=code

After installation, access the following path directly:

/client/manage/ourphp_tz.php?act=rt&callback=<script>alert(`xss`)</script>
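The page does not show the code at line 619, so the following is an added example rather than OURPHP's own code: the "before" function reconstructs the behaviour the write-up describes (act=rt echoes callback verbatim), and the "after" function shows one way to harden it. It assumes callback is meant to be a JSONP function name, which the write-up does not state; the input values are constructed for the demonstration.

```php
<?php
// Added example, not OURPHP's code. The write-up does not show line 619 of
// ourphp_tz.php, so vulnerable_rt() is a reconstruction of the behaviour it
// describes, and hardened_rt() is one possible fix (assumed JSONP semantics).

// BEFORE (pattern described in the write-up): untrusted input reaches the
// response body unencoded, so the browser renders any markup it contains.
function vulnerable_rt(array $get): string {
    if (($get['act'] ?? '') === 'rt' && isset($get['callback'])) {
        return $get['callback'];           // reflected XSS sink
    }
    return '';
}

// AFTER: treat callback as a function name. Only a strict identifier is
// accepted; anything else gets a 400, so no markup can be reflected. The
// response is labelled as script rather than HTML and marked nosniff so the
// browser will not reinterpret it as a document.
function hardened_rt(array $get, array $payload = ['ok' => true]): ?string {
    if (($get['act'] ?? '') !== 'rt') {
        return null;                       // not this route
    }
    $cb = $get['callback'] ?? '';
    if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/', $cb)) {
        http_response_code(400);
        return null;                       // reject anything but a bare identifier
    }
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    // Encode the data with flags so '<', '>', quotes and '&' cannot break out
    // of the JSON literal even if the payload itself contains user content.
    $json = json_encode($payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $cb . '(' . $json . ');';
}

// Demonstration with constructed inputs: the payload from the write-up is
// reflected by the old pattern and rejected by the hardened one.
$bad = ['act' => 'rt', 'callback' => '<script>alert(`xss`)</script>'];
$ok  = ['act' => 'rt', 'callback' => 'handleRt'];
$reflected = vulnerable_rt($bad) === $bad['callback'];   // true: echoed verbatim
$rejected  = hardened_rt($bad) === null;                 // true: 400, nothing echoed
$accepted  = hardened_rt($ok);                           // 'handleRt({"ok":true});'
var_dump($reflected, $rejected, $accepted);
```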
