Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.



**Description**

Multiple Self-XSS Vulnerabilities are triggered at multiple endpoints.

**http://localhost:8083/edit/server/**

There is a bug in web/templates/pages/edit_server.php file. Attacker can control $v_timezone.

    <form
            x-data="{
                timezone: '<?= $v_timezone ?? "" ?>',
                theme: '<?= $_SESSION["THEME"] ?>',
                language: '<?= $_SESSION["LANGUAGE"] ?>',
                hasSmtpRelay: <?= $v_smtp_relay == "true" ? "true" : "false" ?>,
                remoteBackupEnabled: <?= !empty($v_backup_remote_adv) ? "true" : "false" ?>,
                backupType: '<?= !empty($v_backup_type) ? trim($v_backup_type, "'") : "" ?>',
                webmailAlias: '<?= $_SESSION["WEBMAIL_ALIAS"] ?? "" ?>',
                apiSystem: '<?= $_SESSION["API_SYSTEM"] ?>',
                legacyApi: '<?= $_SESSION["API"] ?>',
                showSystemOptions: false,
                showProtectionOptions: false,
                showPolicyOptions: false,
            }"
            id="main-form"
            name="v_configure_server"
            method="post"
        >
    
    

**Proof of Concept**

    1. Intercept request with Burpsuite 
    2. Replace $v_timezone with '}"><img+src%3d""+onerror%3d"alert(1)"><for+x-data%3d"{timezone%3a'
    

https://drive.google.com/file/d/1VcvdGdSXVDcAoDd1YbW5pWd8IqVKVuiE/view?usp=sharing

**http://localhost:8083/add/package/**

There is a bug in web/templates/pages/add_package.php file. Attacker can control $v_backend_template.

        <?php
                                    foreach ($backend_templates as $key => $value) {
                                    echo $v_backend_template;
                                        echo "\t\t\t\t<option value=\"".$value."\"";
                                        if ((!empty($v_backend_template)) && ( $value == trim($v_backend_template, "'"))){
                                            echo ' selected' ;
                                        }
                                        echo ">".htmlentities($value)."</option>\n";
                                    }
    ?>
    

**Proof of Concept**

    1. Intercept request with Burpsuite 
    2. Replace $v_backend_template with '</select><img+src%3d""+onerror%3d"alert(1)">
    

https://drive.google.com/file/d/1nALSSZ3uUUa9fCC3Xhn1Zz0IJ-ZKYjjV/view?usp=sharing

**Impact**

The impact is low. Because the successful attack requires some conditions

**Occurrences**

CVE-2023-5084: Multiple Self-XSS Vulnerabilites in hestiacp

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8.

Expand Up

@@ -9,7 +9,7 @@

NOTIFICATIONS\_EMPTY: '<?= \_("No notifications") ?>',

NOTIFICATIONS\_DELETE\_ALL: '<?= \_("Delete all notifications") ?>',

CONFIRM\_LEAVE\_PAGE: '<?= \_("Are you sure you want to leave the page?") ?>',

ERROR\_MESSAGE: '<?= !empty($\_SESSION\["error\_msg"\]) ? htmlentities($\_SESSION\["error\_msg"\]) : "" ?>',

ERROR\_MESSAGE: '<?= !empty($\_SESSION\["error\_msg"\]) ? htmlentities($\_SESSION\["error\_msg"\],ENT\_QUOTES) : "" ?>',

BLACKLIST: '<?= \_("BLACKLIST") ?>',

IPVERSE: '<?= \_("IPVERSE") ?>'

});

Expand Down

CVE-2023-5084: Fix XSS in edit server and add package · hestiacp/hestiacp@5131f5a

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

**Cross Site Scripting vulnerability in Dolibarr ERP CRM**

Moderate severity GitHub Reviewed Published Sep 20, 2023 to the GitHub Advisory Database • Updated Sep 21, 2023

GHSA-62wf-h26v-5m57: Cross Site Scripting vulnerability in Dolibarr ERP CRM

The WordPress Charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wp_charts' shortcode in versions up to, and including, 0.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

1<?php2/\*3Plugin Name: WordPress Charts4Plugin URI: http://wordpress.org/plugins/wp-charts/5Description: Create amazing HTML5 charts easily in WordPress. A flexible and lightweight WordPress chart plugin including 6 customizable chart types (line, bar, pie, radar, polar area and doughnut types) as well as a fallback to provide support for older IE.  Incorporates the fantastic chart.js script : http://www.chartjs.org/6Version: 0.7.07Author: OzTheGreat (WPArtisan)8Author URI: https://wpartisan.me9\*/1011/\*\*12 \* Copyright (c) 2019- WPArtisan. All rights reserved.13 \* Copyright (c) 2013-2018 WebFactory Ltd. All rights reserved.14 \* Copyright (c) 2013 WebFactory Ltd. All rights reserved.15 \*16 \* Released under the GPLv2 license17 \* http://www.gnu.org/licenses/gpl-2.0.html18 \*19 \* This is an add-on for WordPress20 \* http://wordpress.org/21 \*22 \*23 \* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*24 \* This program is free software; you can redistribute it and/or modify25 \* it under the terms of the GNU General Public License as published by26 \* the Free Software Foundation; either version 2 of the License, or27 \* (at your option) any later version.28 \*29 \* This program is distributed in the hope that it will be useful,30 \* but WITHOUT ANY WARRANTY; without even the implied warranty of31 \* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the32 \* GNU General Public License for more details.33 \* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*34 \*35 \*36 \*/3738define( 'WP\_CHARTS\_URL',  trailingslashit( plugins\_url('', \_\_FILE\_\_) ));39define( 'WP\_CHARTS\_PATH', trailingslashit( plugin\_dir\_path( \_\_FILE\_\_) ) );40define( 'WP\_CHARTS\_BASENAME', plugin\_basename( \_\_FILE\_\_) );4142include WP\_CHARTS\_PATH.'inc/charts-widget.php';43if ( is\_admin() ) {44    include WP\_CHARTS\_PATH.'inc/admin/admin.php';45}46474849/\*\*50 \* Add IE Fallback for HTML5 and canvas51 \* @since Unknown52 \*/53function wp\_charts\_html5\_support () {54    echo '';57    echo '      <style>58                        /\*wp\_charts\_js responsive canvas CSS override\*/59                        .wp\_charts\_canvas {60                                width:100%!important;61                                max-width:100%;62                        }6364                        @media screen and (max-width:480px) {65                                div.wp-chart-wrap {66                                        width:100%!important;67                                        float: none!important;68                                                margin-left: auto!important;69                                                margin-right: auto!important;70                                                text-align: center;71                                }72                        }73                </style>';74}7576/\*\*77 \* Register Script78 \*79 \* @since Unknown80 \*/81function wp\_charts\_load\_scripts( $force \=  false ) {8283        if ( ! is\_admin() || $force ) {84                // WP Scripts85                wp\_enqueue\_script( 'jquery' );8687                // Register plugin Scripts88                wp\_register\_script( 'charts-js', WP\_CHARTS\_URL.'js/Chart.min.js' );89                wp\_register\_script( 'wp-chart-functions', WP\_CHARTS\_URL.'/js/functions.js', array( 'jquery' ) ,'', true );9091                // Enqueue those suckers92                wp\_enqueue\_script( 'charts-js' );93                wp\_enqueue\_script( 'wp-chart-functions' );94        }9596}9798if ( !function\_exists('wp\_charts\_compare\_fill') ) {99    /\*\*100     \* Make sure there are the right number of colors in the colour array101     \* @since Unknown102     \*103     \* @param $measure104     \* @param $fill105     \*/106        function wp\_charts\_compare\_fill(&$measure,&$fill) {107                // only if the two arrays don't hold the same number of elements108                if (count($measure) != count($fill)) {109                    // handle if $fill is less than $measure110                    while (count($fill) < count($measure) ) {111                        $fill \= array\_merge( $fill, array\_values($fill) );112                    }113                    // handle if $fill has more than $measure114                    $fill \= array\_slice($fill, 0, count($measure));115                }116        }117}118119120if (!function\_exists( "wp\_charts\_hex2rgb" )) {121    /\*\*122     \* Color conversion function123     \*124     \* @since Unknown125     \* @param $hex126     \* @return string127     \*/128        function wp\_charts\_hex2rgb($hex) {129           $hex \= str\_replace("#", "", $hex);130131           if(strlen($hex) \== 3) {132              $r \= hexdec(substr($hex,0,1).substr($hex,0,1));133              $g \= hexdec(substr($hex,1,1).substr($hex,1,1));134              $b \= hexdec(substr($hex,2,1).substr($hex,2,1));135           } else {136              $r \= hexdec(substr($hex,0,2));137              $g \= hexdec(substr($hex,2,2));138              $b \= hexdec(substr($hex,4,2));139           }140141           $rgb \= array($r, $g, $b);142           return implode(",", $rgb); // returns the rgb values separated by commas143        }144}145146147if (!function\_exists('wp\_charts\_trailing\_comma')) {148    /\*\*149     \* wp\_charts\_trailing\_comma150     \*151     \* @param $incrementor152     \* @param $count153     \* @param $subject154     \* @return string155     \*/156        function wp\_charts\_trailing\_comma($incrementor, $count, &$subject) {157                $stopper \= $count \- 1;158                if ($incrementor !== $stopper) {159                        return $subject .= ',';160                }161        }162}163164/\*\*165 \* Chart Shortcode 1 - Core Shortcode with all options166 \*167 \* @param $atts168 \* @return string169 \*/170function wp\_charts\_shortcode( $atts ) {171172    // Default Attributes173    // - - - - - - - - - - - - - - - - - - - - - - -174    extract( shortcode\_atts(175            array(176                'type'             \=> 'pie',177                'title'            \=> 'chart',178                'canvaswidth'      \=> '625',179                'canvasheight'     \=> '625',180                'width'                    \=> '48%',181                'height'                   \=> 'auto',182                'margin'                   \=> '5px',183                'relativewidth'    \=> '1',184                'align'            \=> '',185                'class'                    \=> '',186                'labels'           \=> '',187                'data'             \=> '30,50,100',188                'datasets'         \=> '30,50,100 next 20,90,75',189                'colors'           \=> '#69D2E7,#E0E4CC,#F38630,#96CE7F,#CEBC17,#CE4264',190                'fillopacity'      \=> '0.7',191                'pointstrokecolor' \=> '#FFFFFF',192                'animation'                \=> 'true',193                'scalefontsize'    \=> '12',194                'scalefontcolor'   \=> '#666',195                'scaleoverride'    \=> 'false',196                'scalesteps'       \=> 'null',197                'scalestepwidth'   \=> 'null',198                'scalestartvalue'  \=> 'null'199            ), $atts )200    );201202    // prepare data203    // - - - - - - - - - - - - - - - - - - - - - - -204    $title    \= str\_replace(' ', '', $title);205    $data     \= explode(',', str\_replace(' ', '', $data));206    $datasets \= explode("next", str\_replace(' ', '', $datasets));207208    if ( ! $title || ( empty( $data ) && empty( $datasets ) ) ) {209        return '';210    }211212    // check that the colors are not an empty string213    if ($colors != "") {214        $colors   \= explode(',', str\_replace(' ','',$colors));215    } else {216        $colors \= array('#69D2E7','#E0E4CC','#F38630','#96CE7F','#CEBC17','#CE4264');217    }218219    (strpos($type, 'lar') !== false ) ? $type \= 'PolarArea' : $type \= ucwords($type);220221    // output - covers Pie, Doughnut, and PolarArea222    // - - - - - - - - - - - - - - - - - - - - - - -223    $currentchart \= '<div class="'.$align.' '.$class.' wp-chart-wrap" style="max-width: 100%; width:'.$width.'; height:'.$height.';margin:'.$margin.';" data-proportion="'.$relativewidth.'">';224    $currentchart .= '<canvas id="'.$title.'" height="'.$canvasheight.'" width="'.$canvaswidth.'" class="wp\_charts\_canvas" data-proportion="'.$relativewidth.'"></canvas></div>225        <script type="text/javascript">';226227    // output Options228    $currentchart .= 'var '.$title.'Ops = {229                animation: '.$animation.',';230231    if ($type \== 'Line' || $type \== 'Radar' || $type \== 'Bar' || $type \== 'PolarArea') {232        $currentchart .=        'scaleFontSize: '.$scalefontsize.',';233        $currentchart .=        'scaleFontColor: "'.$scalefontcolor.'",';234        $currentchart .=    'scaleOverride:'   .$scaleoverride.',';235        $currentchart .=    'scaleSteps:'          .$scalesteps.',';236        $currentchart .=    'scaleStepWidth:'  .$scalestepwidth.',';237        $currentchart .=    'scaleStartValue:' .$scalestartvalue;238    }239240    // end options array241    $currentchart .= '}; ';242243    // start the js arrays correctly depending on type244    if ($type \== 'Line' || $type \== 'Radar' || $type \== 'Bar' ) {245246        wp\_charts\_compare\_fill($datasets, $colors);247        $total    \= count($datasets);248249        // output labels250        $currentchart .= 'var '.$title.'Data = {';251        $currentchart .= 'labels : \[';252        $labelstrings \= explode(',',$labels);253        for ($j \= 0; $j < count($labelstrings); $j++ ) {254            $currentchart .= '"'.$labelstrings\[$j\].'"';255            wp\_charts\_trailing\_comma($j, count($labelstrings), $currentchart);256        }257        $currentchart .=        '\],';258        $currentchart .= 'datasets : \[';259    } else {260        wp\_charts\_compare\_fill($data, $colors);261        $total \= count($data);262        $currentchart .= 'var '.$title.'Data = \[';263    }264265    // create the javascript array of data and attr correctly depending on type266    for ($i \= 0; $i < $total; $i++) {267268        if ($type \=== 'Pie' || $type \=== 'Doughnut' || $type \=== 'PolarArea') {269            $currentchart .= '{270                                        value   : '. $data\[$i\] .',271                                        color   : '.'"'. $colors\[$i\].'"'.'272                                }';273274        } else if ($type \=== 'Bar') {275            $currentchart .= '{276                                        fillColor       : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .','.$fillopacity.')",277                                        strokeColor : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .',1)",278                                        data            : \['.$datasets\[$i\].'\]279                                }';280281        } else if ($type \=== 'Line' || $type \=== 'Radar') {282            $currentchart .= '{283                                        fillColor       : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .','.$fillopacity.')",284                                        strokeColor : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .',1)",285                                        pointColor      : "rgba('. wp\_charts\_hex2rgb( $colors\[$i\] ) .',1)",286                                        pointStrokeColor : "'.$pointstrokecolor.'",287                                        data            : \['.$datasets\[$i\].'\]288                                }';289290        }  // end type conditional291        wp\_charts\_trailing\_comma($i, $total, $currentchart);292    }293294    // end the js arrays correctly depending on type295    if ($type \== 'Line' || $type \== 'Radar' || $type \== 'Bar') {296        $currentchart .=        '\]};';297    } else {298        $currentchart .=        '\];';299    }300301    //var wpChart'.$title.$type.' = new Chart(document.getElementById("'.$title.'").getContext("2d")).'.$type.'('.$title.'Data,'.$title.'Ops);302303    $currentchart .= '304         window.wp\_charts = window.wp\_charts || {};305             window.wp\_charts\["'.$title.'"\] = { options: '.$title.'Ops, data: '.$title.'Data, type: "'.$type.'" };306307        </script>';308309    // return the final result310    // - - - - - - - - - - - - - - - - - - - - - - -311    return $currentchart;312}313314/\*\*315 \* wp\_charts\_kickoff316 \*317 \* @since Unknown318 \*/319function wp\_charts\_kickoff() {320        add\_action( "wp\_enqueue\_scripts", "wp\_charts\_load\_scripts" );321        add\_action('wp\_head', 'wp\_charts\_html5\_support');322        add\_shortcode( 'wp\_charts', 'wp\_charts\_shortcode' );323}324325add\_action('init', 'wp\_charts\_kickoff');

CVE-2023-5062: wordpress_charts_js.php in wp-charts/tags/0.7.0 – WordPress Plugin Repository

The Widget Responsive for Youtube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube' shortcode in versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5063: Widget Responsive for Youtube <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Wordfence Intelligence

%PDF-1.7 %���� 1 0 obj <> endobj 2 0 obj <> endobj 3 0 obj <> endobj 4 0 obj <>/ExtGState<>/XObject<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 5 0 R/Group<>/Tabs/S>> endobj 5 0 obj <> stream x��\[�n7}���n 1� E}Q��Zn� �j+��jd�E�~p���J�l-K� \`e�K����H�c�'���;\`��\`���k�A�٤������v�����

CVE-2023-38888

A reflected cross-site scripting (XSS) vulnerability in the url_str URL parameter of ISL ARP Guard v4.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2023-39575

A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings.

During some standard research as part of the Outpost24 Ghost Labs Vulnerability Research department, I discovered four different vulnerabilities in Nagios XI (version 5.11.1 and lower). Three of these vulnerabilities (CVE-2023-40931, CVE-2023-40933 and CVE-2023-40934) allow users, with various levels of privileges, to access database fields via SQL Injections. The data obtained from these vulnerabilities may be used to further escalate privileges in the product and obtain sensitive user data such as password hashes and API tokens.

The fourth vulnerability (CVE-2023-40932) allows Cross-Site Scripting via the Custom Logo component, which will render on every page, including the login page. This may be used to read and modify page data, such as plain-text passwords from login forms.

All these vulnerabilities have been resolved as of 2023.09.11 and users are advised to upgrade to 5.11.2 or later.

**What is Nagios XI**

Nagios XI is a popular and widely used commercial monitoring solution for IT infrastructure and network monitoring. It is the commercial version of the open-source Nagios Core monitoring platform, and provides added features to simplify the process of managing complex IT environments.

Due to the access required by Nagios XI, it is often deployed in high-privileged environments, which makes it an interesting asset for an attacker to target.

**The four vulnerabilities**

Nagios XI features “Announcement Banners”, which can optionally be acknowledged by users. The endpoint for this feature is vulnerable to a SQL Injection attack.

When a user acknowledges a banner, a POST request is sent to \`/nagiosxi/admin/banner\_message-ajaxhelper.php\` with the POST data consisting of the intended action and message ID – \`action=acknowledge banner message&id=3\`.

The ID parameter is assumed to be trusted but comes directly from the client without sanitization. This leads to a SQL Injection where an authenticated user with low or no privileges can retrieve sensitive data, such as from the \`xi\_session\` and \`xi\_users\` table containing data such as emails, usernames, hashed passwords, API tokens, and backend tickets.

This vulnerability does not require the existence of a valid announcement banner ID, meaning it can be exploited by an attacker at any time.

**2\. SQL Injection in Host/Service Escalation in CCM (CVE-2023-40934)**

The Core Configuration Manager in Nagios XI allows an authenticated user with privilege to manage host escalations to perform arbitrary database queries through the \`/nagiosxi/includes/components/ccm/index.php\` endpoint.

The parameters \`tfFirstNotif\`, \`tfLastNotif\`, and \`tfNotifInterval\` are assumed to be trusted despite coming directly from the client through a POST request.

This vulnerability results in the same access to the database as the other SQL Injection vulnerabilities, but requires additional privileges compared to CVE-2023-40931.

**3\. SQL Injection in Announcement Banner Settings (CVE-2023-40933)**

Nagios XI has an administrative page for Announcement Banner settings, which contains a SQL Injection vulnerability in the \`/nagiosxi/admin/banner message-ajaxhelper.php\` endpoint.

When performing the \`update\_banner\_message\_settings\` action on the affected endpoint, the \`id\` parameter is assumed to be trusted and is concatenated into a database query with no sanitization. This allows an attacker to modify the query.

Successful exploitation grants the same database access as the other two SQL Injection Vulnerabilities, but requires additional privileges compared to CVE-2023-40931.

**4\. Cross-Site Scripting in Custom Logo Component (CVE-2023-40932)**

Nagios XI can be customized with a custom company logo, which will be displayed across the entire product. This includes the landing page, various administrative pages, and the login page.

Due to a cross-site scripting vulnerability in this feature, an attacker can inject arbitrary JavaScript which will evaluate in any users’ browser. This can be used to read and modify page data, as well as perform actions on behalf on the affected user. Furthermore, as this renders on the login page, plain-text credentials can be stolen from users’ browsers as they enter them.

**Disclosure timeline**

We found and disclosed the vulnerabilities to Nagios in August 2023. Here’s what happened next:

*   2023-08-04 – Contacted vendor and submitted report
*   2023-08-04 – Vendor acknowledged report, started reviewing
*   2023-08-11 – Vendor confirmed all 4 vulnerabilities
*   2023-08-11 – Contacted MITRE for CVE allocation
*   2023-09-01 – CVEs reserved by MITRE
*   2923-09-07 – Coordinated disclosure for 2023-09-19
*   2023-09-11 – Nagios XI 5.11.2 released with security fixes applied
*   2023-09-19 – Vulnerabilities fully disclosed

**The importance of application security testing**

In a targeted attack, these types of vulnerabilities are relatively easy to exploit. As recent attacks have demonstrated (most notably the SolarWinds hack), IT management platforms are also likely targets. Without continuous application security testing in place, critical business data is at risk. Outpost24 provides security solutions and pen testing services with direct access to our security experts for remediation guidance and validation. Test your applications in real-time for the latest vulnerabilities with Outpost24.

**About Ghost Labs**

Ghost Labs is the specialist security unit within Outpost24 working in partnership with our clients to meet their penetration testing needs and objectives. Our experienced Offensive Security team offers enhanced and bespoke penetration testing security services such as advanced network penetration testing, (web)application testing, Red Teaming assessments and complex web application exploitation to help organizations have a true picture of their cyber risk. In addition, the Ghost Labs team is an active contributor to the security community with vulnerability research and coordinated responsible disclosure program.

Ghost Labs performs hundreds of successful penetration tests for its customers ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers, covering a wide range of advanced testing services to help companies keep up with evolving threats and new technologies. To help businesses drive security maturity and mitigate risks posed by the evolving threat and techniques of the modern-day hacker.

CVE-2023-40934: Nagios XI vulnerabilities resulting in privilege escalation (& more)

The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-4376

The Leyka WordPress plugin through 3.30.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Tag

#xss