Multiple stored cross-site scripting (XSS) vulnerabilities in Usermin 2.000 allow remote attackers to inject arbitrary web script or HTML via the folder name parameter while creating the folder to manage the folder tab, filter tab, and forward mail tab.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-41157: Usermin-2.000/CVE-2023-41157 at main · shindeanik/Usermin-2.000

The Horizontal scrolling announcement for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'horizontal-scrolling' shortcode in versions up to, and including, 9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5001: horizontal-scrolling-announcement.php in horizontal-scrolling-announcement/trunk – WordPress Plugin Repository

A cross-site scripting (XSS) vulnerability in FileBrowser before v2.23.0 allows an authenticated attacker to escalate privileges to Administrator via user interaction with a crafted HTML file or URL.

**Description**

A Cross-Site Scripting vulnerability is discovered in FileBrowser in which an attacker with a non-admin user account inside the FileBrowser instance can create malicious HTML & JS files, craft them in a specific way and send the HTML file's link to the Admin to achieve Account takeover via XSS bypassing the Content-Security-Policy.  
Proof of Concept

// xss.js

// xss.htm

    <script src="/api/raw/poc/xss.js?auth=[jwt_token of the Low Privileged user]"></script>"
    

1.  Create a folder named "poc" as the non-admin user.
2.  Create the 2 files as above (xss.htm and xss.js) under the poc folder.
3.  Craft the XSS URL as below and open it as the Admin user to verify the XSS.

    http://your_filebrowser_ip:port//api/raw/poc/xss.htm?auth=[non-admin user's jwt token]&inline=true
    

It will trigger an alert pop-up with Admin's Cookie.

**Explanation**

*   The parameter "?auth=\[non-admin token\]" is added in the URL so that when the Admin opens the URL it will fetch those html/js files that are created by the non-admin user, otherwise FileBrowser will use the Admin's original jwt token that's been stored as Cookie thus leading to a "404 Not Found" Error. This is because those files are created by the non-admin user, so if the API tries to fetch them with Admin's token it will lead to an error, the API also accepts the jwt token inside a URL get parameter "?auth=". So, the non-admin user can deliberately supply his own JWT token in the malicious URL for a successful exploitation
    
*   The "?inline=true" parameter is included in the crafted URL because without that parameter FileBrowser will treat the HTML file as an attachment and will download it as a file, so by having "inline=true" the HTML file will be treated as a webpage, and execute the javascript.
    
*   Content-Security-Policy(CSP) is bypassed because of the fact that FileBrowser sets CSP "default-src" to 'self'. As the malicious JS is also loaded from the same site, it will get executed.
    

**Impact**

This vulnerability is capable of Admin account takeover. Admin can even run system shell commands and access filesystem, thus leads to Arbitrary Command execution.

CVE-2023-39612: Potential XSS in FileBrowser leads to Admin account takeover in Filebrowser · Issue #2570 · filebrowser/filebrowser

A cross-site scripting (XSS) vulnerability in the Admin Control Panel of vBulletin 5.7.5 and 6.0.0 allows attackers to execute arbitrary web scripts or HTML via the /login.php?do=login url parameter.

\[Summary\]

I have discovered a Cross-Site Scripting (XSS) vulnerability in vBulletin latest version 6.0.0, which also impacts lower versions. The vulnerability allows an attacker to inject malicious scripts into the Admin Control Panel, potentially leading to unauthorized access, data theft, or further exploitation.

\[Description\]

The XSS vulnerability can be triggered when an authenticated user accesses to path \`/admincp\` and try to login to the Admin Control Panel. The vulnerability is due to inadequate input sanitization, allowing an attacker to inject malicious scripts that will execute in the context of the targeted administrator's session so as to hijack admin's credential.

\[Steps to Reproduce\]

1\. Log in /admincp in vBulletin Admin Control Panel.

2\. Through the 'url' parameter, it is possible to inject JS code to escape, bypass white space then trigger XSS.

\[Malicious Payload\]

Save the changes or perform a relevant action to trigger the execution of the injected script.

The malicious script executes, proving the existence of the XSS vulnerability.

\[Affected Versions\]

The vulnerability has been confirmed in vBulletin 6 Connect latest version 6.0.0. However, it is likely that the XSS issue also affects lower versions of the software.

\[Impact\]

An attacker exploiting this vulnerability could gain unauthorized access to the Admin Control Panel and potentially compromise the site's sensitive data, modify site content, and carry out other malicious actions using the administrator's privileges.

\[Recommendation\]

\[\*\] I recommend the following steps to mitigate the XSS vulnerability:

1.Update the vBulletin software to the latest version (if available) to ensure the fix for this vulnerability is applied.

2.Implement proper input validation and output encoding to prevent XSS attacks in various sections of the Admin Control Panel.

3.Conduct a comprehensive security review to identify and address other potential security flaws in the software.

\# Shout out to \[TP Cyber Security\]

CVE-2023-39777: [POC] [CVE-2023-39777]

Cross Site Scripting vulnerability in CSZCMS v.1.3.0 allows a local attacker to execute arbitrary code via a crafted script to the Additional Meta Tag parameter in the Pages Content Menu component.

CVE-2023-41436: CSZ-CMS-Stored-XSS---Pages-Content/README.md at main · sromanhu/CSZ-CMS-Stored-XSS---Pages-Content

A vulnerability was found in app1pro Shopicial up to 20230830. It has been declared as problematic. This vulnerability affects unknown code of the file search. The manipulation of the argument from with the input comments</script>'"><img src=x onerror=alert(document.cookie)> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239794 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-4983

Academy LMS version 6.2 suffers from a cross site scripting vulnerability.

    # Exploit Title: Academy LMS 6.2 - Reflected XSS# Exploit Author: CraCkEr# Date: 29/08/2023# Vendor: Creativeitem# Vendor Homepage: https://creativeitem.com/# Software Link: https://demo.creativeitem.com/academy/# Tested on: Windows 10 Pro# Impact: Manipulate the content of the site# CVE: CVE-2023-4973# CWE: CWE-79 - CWE-74 - CWE-707## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /academy/tutor/filterGET parameter 'searched_word' is vulnerable to XSSGET parameter 'searched_tution_class_type[]' is vulnerable to XSSGET parameter 'searched_price_type[]' is vulnerable to XSSGET parameter 'searched_duration[]' is vulnerable to XSShttps://website/academy/tutor/filter?searched_word=[XSS]&searched_tution_class_type%5B%5D=[XSS]&price_min=1&price_max=9&searched_price_type%5B%5D=[XSS]&searched_duration%5B%5D=[XSS]XSS Payload:acoa5"><script>alert(1)</script>dyzs0[-] Done

Academy LMS 6.2 Cross Site Scripting

Italia Mediasky CMS version 2.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : İtalia Mediasky CMS v2.0 XSS Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.bereewineshop.com/admin/                                                                                |  | # Dork      : Mediasky - Lato Amministrativo                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : /admin/visimmagine.php?imgname=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E[+] http://www.127.0.0.9bereewineshopcom/admin/visimmagine.php?imgname=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Italia Mediasky CMS 2.0 Cross Site Scripting

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Saphira Saphira Connect allows Reflected XSS.This issue affects Saphira Connect: before 9.



CVE-2023-4663

Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.9.0.

**LibreNMS Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Sep 15, 2023 to the GitHub Advisory Database • Updated Sep 15, 2023

Tag

#xss