#xss

# Unauthenticated DOM Based XSS in YesWiki <= 4.4.5 ### Summary It is possible for any end-user to craft a DOM based XSS on all of YesWiki's pages which will be triggered when a user clicks on a malicious link. This Proof of Concept has been performed using the followings: - YesWiki v4.4.5 (`doryphore-dev` branch, latest) - Docker environnment (`docker/docker-compose.yml`) - Docker v27.5.0 - Default installation ### Details The vulnerability makes use of the search by tag feature. When a tag doesn't exist, the tag is reflected on the page and isn't properly sanitized on the server side which allows a malicious user to generate a link that will trigger an XSS on the client's side when clicked. This part of the code is managed by `tools/tags/handlers/page/listpages.php`, and **[this piece of code](https://github.com/YesWiki/yeswiki/blob/doryphore-dev/tools/tags/handlers/page/listpages.php#L84)** is responsible for the vulnerability: ```php $output .= '<div class="alert alert-info">...

### Impact Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components. ### Patches Will be patched in 14.3.2 and 15.1.2. Note: This issue was reported by Pratik Patil from NetSPI @Nexusss-ppatil

A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) ### Workarounds No workaround available ### References - https://access.redhat.com/security/cve/CVE-2025-23366 - https://bugzilla.redhat.com/show_bug.cgi?id=2337619

XSS on the parameters:`/addhost` -> param: community of Librenms versions 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. **Proof of Concept:** 1. Navigate to the /addhost path. 2. Fill in all required fields. 3. In the Community field, enter the following payload: `"><img src=a onerror="alert(1)">`.  4. Submit the form to save changes. 5 The script will execute when the error alert "No reply with community + payload" appears.  **Impact:** Execution of Malicious Code

# StoredXSS-LibreNMS-MiscSection **Description:** Stored XSS on the parameter: `ajax_form.php` -> param: state Request: ```http POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)"> ``` of Librenms version 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. The vulnerability in the line: ```php $attrib_val = get_dev_attrib($device, $name); ``` within the `dynamic_override_config` function arises because the value of `$attrib_val is` retrieved from untrusted data without any sanitiz...

# StoredXSS-LibreNMS-Ports **Description:** Stored XSS on the parameter: `/ajax_form.php` -> param: descr Request: ```http POST /ajax_form.php HTTP/1.1 Host: <your_host> X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: <your_XSRF_token> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: <your_cookie> type=update-ifalias&descr=%22%3E%3Cimg+src+onerror%3D%22alert(1)%22%3E&ifName=lo&port_id=1&device_id=1 ``` of Librenms version 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. **Proof of Concept:** 1. Add a new device through the LibreNMS interface. 2. Edit the newly created device and select the "ports" section. 3. In the "Description" field, enter the following payload: `"><img src onerror="alert(1)">`. ...

**Description:** XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$DEVICE_ID/edit` -> param: display of Librenms versions 24.9.0, 24.10.0, and 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. **Proof of Concept:** 1. Add a new device through the LibreNMS interface. 2. Edit the newly created device by going to the "Device Settings" section. 3. In the "Display Name" field, enter the following payload: `"><script>alert(1)</script>`.  4. Save the changes. 5. The XSS payload triggers when accessing the "/apps" path (if an application was previously added). ![Screenshot from...

# StoredXSS-LibreNMS-Display Name 2 **Description:** XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$DEVICE_ID/edit` -> param: display of Librenms versions 24.11.0 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure. **Proof of Concept:** 1. Add a new device through the LibreNMS interface. 2. Edit the newly created device by going to the "Device Settings" section. 3. In the "Display Name" field, enter the following payload: `"><img src onerror="alert(document.cookie)">`.  4. Save the changes. 5. The XSS payload is triggered when navigating to the path /device/$DEVICE_ID/logs and hovering over a type contai...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 2.1 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: Industrial Edge Management Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to extract sensitive information by tricking users into accessing a malicious link. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: Siemens Industrial Edge Management OS (IEM-OS): All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE...

> [!IMPORTANT] > This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. > See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resulting error message. ## References - https://www.silverstripe.org/download/security-releases/ss-2024-002 ## Reported by Gaurav Nayak from [Chaleit](https://chaleit.com/)