Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-4655: Fix file field xss · instantsoft/icms2@a6a30e7

Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

Expand Up

@@ -285,15 +285,16 @@ private function uploadPackage(){

  

files\_clear\_directory(cmsConfig::get('upload\_path') . $this\->installer\_upload\_path);

  

$result = $this\->cms\_uploader\->upload($this\->upload\_name, $this\->upload\_exts, 0, $this\->installer\_upload\_path);

$result = $this\->cms\_uploader\->setAllowedMime(\[

'application/zip'

\])->upload($this\->upload\_name, $this\->upload\_exts, 0, $this\->installer\_upload\_path);

  

if (!$result\['success'\]){

cmsUser::addSessionMessage($result\['error'\], 'error');

return false;

}

  

return $result\['name'\];

  

}

  

}

CVE-2023-4652: Fixed upload XSS with wrong extension · instantsoft/icms2@7a7e57e

Cross Site Scripting vulnerabiltiy in Badaso v.0.0.1 thru v.2.9.7 allows a remote attacker to execute arbitrary code via a crafted payload to the Name of member parameter in the add new member function.

**Badaso vulnerable to cross-site scripting**

Moderate severity GitHub Reviewed Published Aug 31, 2023 to the GitHub Advisory Database • Updated Aug 31, 2023

GHSA-7422-7rq6-j4qv: Badaso vulnerable to cross-site scripting

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To exploit this vulnerability, an attacker would need write access to the repository. This vulnerability was reported via the  GitHub Bug Bounty Program https://bounty.github.com/ .


CVE-2023-23765: Release notes - GitHub Enterprise Server 3.8 Docs

****Vendor Homepage:****

**Badaso - Open Collective**

****Version:****

2.9.7

****Tested On:****

Marcos, review source code

****Affected Page:****

https://badaso-demo.uatech.co.id/dashboard/general/borrowing/add

https://badaso-demo.uatech.co.id/dashboard/general/borrowing/1/edit

https://badaso-demo.uatech.co.id/dashboard/general/members/1/edit

https://badaso-demo.uatech.co.id/dashboard/general/members/add

****Description:****

A vulnerability XSS injection was found in Badaso v2.9.7. Cross-site scripting (XSS) is a type of security vulnerability that occurs when a web application includes untrusted data in its output to a web browser. This can allow malicious scripts to be executed by a user's browser, potentially compromising their data and interactions with the website. XSS attacks can have various impacts, including stealing sensitive information, session hijacking, defacement of websites, and more

****Proof of Concept:****

1.  **Login and Access to function add new member or edit member.**
    
2.  **Inject payload XSS alert 1 to the name of the member parameter and submit it.**
    
          "' test <img src="" onerror="alert(2)">
        
    
3.  Go to Borrowing and add a new Borrowing or edit Borrowing then malicious is executed.

CVE-2023-38970: Badaso version 2.9.7 has an XSS vulnerability in  new member

In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance.

**Reflected Cross-site Scripting (XSS) on "/app/search/table" web endpoint**

**Advisory ID:** SVD-2023-0801

**Published:** 2023-08-30

**Last Update:** 2023-08-30

**CVSSv3.1 Score:** 8.4, High

**Description**

In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the “/app/search/table” web endpoint, which presents as the “Create Table View” page in Splunk Web. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. A JavaScript file within this web endpoint does not properly validate input which lets an attacker insert a payload into a function.

**Solution**

Upgrade Splunk Enterprise to versions 8.2.12, 9.0.6, or 9.1.1. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

**Product Status**

Product

Version

Component

Affected Version

Fix Version

Splunk Enterprise

8.2

Splunk Web

8.2.0 to 8.2.11

8.2.12

Splunk Enterprise

9.0

Splunk Web

9.0.0 to 9.0.5

9.0.6

Splunk Enterprise

9.1

Splunk Web

9.1.0

9.1.1

Splunk Cloud

\-

Splunk Web

9.0.2305.100 and below

9.0.2305.200

**Mitigations and Workarounds**

If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.

**Detections**

None

**Severity**

Splunk rated this vulnerability as 8.4, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

**Acknowledgments**

Danylo Dmytriiev (DDV\_UA)

CVE-2023-40592: Reflected Cross-site Scripting (XSS) on

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Abhay Yadav Breadcrumb simple plugin <= 1.3 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress breadcrumb simple Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-35092: WordPress breadcrumb simple plugin <= 1.3 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Didier Sampaolo SpamReferrerBlock plugin <= 2.22 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Download SpamReferrerBlock Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 0 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-34372: WordPress SpamReferrerBlock plugin <= 2.22 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Radical Web Design GDPR Cookie Consent Notice Box plugin <= 1.1.6 versions.

**Solution**

 Fixed

Update the WordPress GDPR Cookie Consent Notice Box plugin to the latest available version (at least 1.1.7).

Emili Castells discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress GDPR Cookie Consent Notice Box Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.1.7.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-32294: WordPress GDPR Cookie Consent Notice Box plugin <= 1.1.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Kevon Adonis WP Abstracts plugin <= 2.6.3 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

qilin\_99 discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Abstracts Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 2 present

 1 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#xss