Code Projects Hospital Information System 1.0 is vulnerable to Cross Site Scripting (XSS)

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37070: Offensive-Payloads/Cross-Site-Scripting-XSS-Payloads.txt at main · InfoSecWarrior/Offensive-Payloads

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit 2.6.2 and prior. A patch is available at commit 34ab31ee9362da51b9709e178469dbffd7717249.

**Cockpit Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Aug 14, 2023 to the GitHub Advisory Database • Updated Aug 14, 2023

GHSA-3vf5-xm2p-6mh5: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.

Expand Up @@ -68,8 +68,11 @@ $allowed = $allowed == '\*' ? true : str\_replace(\[' ', ','\], \['', '|'\], preg\_quote(is\_array($allowed) ? implode(',', $allowed) : $allowed)); $max\_size = $this\->app\->retrieve('assets/max\_upload\_size', 0);  
$forbiddenExtension = \['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'htaccess'\]; $forbiddenMime = \['application/x-httpd-php', 'text/html'\]; $forbiddenExtension = \['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'xhtml', 'htaccess'\]; $forbiddenMime = \[ 'application/x-httpd-php', 'application/x-php', 'text/x-php', 'text/html', 'application/xhtml+xml' \];  
if (isset($files\['name'\]) && is\_array($files\['name'\])) {  
Expand Down

CVE-2023-4321: prevent xhtml files from being uploaded in the assets manager · Cockpit-HQ/Cockpit@34ab31e

Genesys Administrator Extension (GAX) before 9.0.105.15 is vulnerable to Cross Site Scripting (XSS) via the Business Structure page of the iWD plugin, aka GAX-11261.

Jump to: navigation, search

**9.0.105.15**

Genesys Administrator Extension Release Notes

**Genesys Administrator Extension** is part of 9.x starting in 9.0.000.15.

**Release Date**

**Release Type**

**Restrictions**

**AIX**

**Linux**

**Mac**

**Solaris**

**Windows**

03/29/23

General

X

X

**Helpful Links**

**What's New**

This release includes only resolved issues.

**Resolved Issues**

This release contains the following resolved issues:

GAX now prevents the Cross-site scripting vulnerability in the **Business Structure** page of iWD plugin. (GAX-11261)

GAX now accepts the equal sign ('=') as the **keystore-password value** in the **transport** parameter. (GAX-11305)

GAX now recognizes the value of the **maxFormContentSize** option. (GAX-11341)

GAX now correctly displays the history details in the **History Details** panel when **Parameter Groups** are modified. Previously, when **Parameter Groups** were modified, the **History Details** panel does not show the modified data. (GAX-11343)

GAX now indicates the status of the export process performed from the **Persons** menu with the **progress indicator**. (GAX-11367)

GAX now displays the suggestions for section names under application options without any issues. (GAX-11373)

GAX logs no longer display a warning message regarding incorrect installation path. Previously, GAX displayed the **Invalid input file path.** warning message in the log files. (GAX-11393)

The users of a group can only see the import activity of the users belonging to their group. Previously, the users of one group were able to see the import activity of another group. (GAX-11411)

GAX no longer displays an error when synching a **Parameter Group** and also allows the user to manually select the value from **Parameter Group**. Previously, an **exception error (NullPointerException)** occurred when attempting to sync a **Parameter Group** that contained a value that is not part of the **Parameter Group** template. (GAX-11418)

When cloning a Person, GAX now correctly copies the values of the **Member of** section from the original **Person** to the cloned **Person**. Previously, the **Member of** section values were not copied if the user don’t go into the **Member of** section before saving the new person. (GAX-11452)

GAX now returns **400 Bad Request** when a partial value is given in the **Host header**. Previously, GAX returned a **200 OK** response when a part of the value in the **acceptable\_domains** list of the **gax.properties** file was given in the **Host header** of the request. (GAX-11470)

Spring version for GAX is upgraded to 5.3.23. (GAX-11483)

Jetty version is upgraded to 9.4.49 to resolve vulnerabilities found in older versions. (GAX-11497)

GAX no longer displays an error when moving Agents in bulk. Previously, GAX displayed an error when a folder name was repeated in the folder structure during bulk movement of Agents. (GAX-11501)

The **Route Type** drop-down now displays the **CFGX Default** and **CFGX Direct** options along with the other **Default** and **Direct** options. Previously, the **Route Type** drop-down displayed two **Default** and **Direct** options which misled the users. (GAX-11502)

The **Tooltip** module from GAX is now removed to fix the XSS vulnerability in the **jQuery.ui** library. (GAX-11509)

GAX no longer displays an **exception error (NullPointerException)** when logging from a third party SSO application. (GAX-11532)

**Upgrade Notes**

No special procedure is required to upgrade to release 9.0.105.15.

This page was last edited on March 30, 2023, at 14:31.

CVE-2023-23208: Documentation:RN:gax90rn:gax9010515:9.0.x - Genesys Documentation

By Deeba Ahmed
MoustachedBouncer is a Belarusian government-backed hacking group that has been active since 2014.
This is a post from HackRead.com Read the original post: MoustachedBouncer Hackers Caught Spying on Embassies

*   **Belarusian MoustachedBouncer hacking group exposed for state-sponsored espionage on foreign embassies.**

*   **ESET Research reveals a years-long campaign targeting diplomats in South Asia, Africa, and Europe.**

*   **Hackers employ diverse techniques, including C++ backdoors and ISP-level attacks.**

*   **MoustachedBouncer tampered with victims’ internet access, tricking Windows with fake captive portals.**

*   **Researchers recommend encrypted VPNs for enhanced security against this sophisticated spying.**

According to ESET Research’s cybersecurity researchers, the Belarusian government had been spying upon foreign diplomats in the country for years through the MoustachedBouncer hacking group.

The research has confirmed that at least one embassy from South Asia, one from Africa, and two from Europe have been the targets of a state-sponsored espionage campaign, active since 2014.

The hackers utilized a wide range of attack techniques, including C++ modular backdoors, adversary-in-the-middle attacks, and email-based C&C protocols and performed attacks at the ISP level from within the country for spying.

“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal,” ESET’s report read.

For your information, adversary-in-the-middle attacks rely on ‘lawful interception’ espionage infrastructure e.g. SORM. In Russia and many other countries, it is deployed by security services on ISP premises.

****Campaign Active Since 2014****

The espionage activity started in 2014, which is surprising considering that this is the first time it has been disclosed. Since 2014, the group has used numerous malware families to achieve network intervention.

Initially, MoustachedBouncer used email protocols (SMTP and MAP) based malware frameworks and later switched to droppers that could steal files, take screenshots, and record conversations.

****Hackers Backed by the State** **

Researchers suspect that MoustachedBouncer had full backing from the Belarusian government and probably ties with other hacking groups. This view is strengthened by the fact that MoustachedBouncer has a close affiliation with another highly active hacking group, Winter Vivern.

The Winter Vivern group was discovered in 2021 and is known for targeting European diplomats. Their attack techniques resonate with two different threat actors called StrongPity and Turla. Both trojanized software installers at the ISP level.

****Attack Tactic Analysis****

Per ESET’s report, authored by malware researcher Matthieu Faou, the hackers fiddled with their target’s traffic to display genuine-looking but fake Windows Update URLs. This page promised them critical system security updates they needed to install urgently.

Fake Windows update website and fake Windows update on the Microsoft Edge browser are both part of the MoustachedBouncer attack. (Screenshot: ESET)

Per ESET telemetry this page delivered a fake update file containing the malicious executable, and two local ISP networks contributed to this campaign, including Beltelecom and Unitary Enterprise A1.

“We strongly recommend that foreign organizations in Belarus use an end-to-end encrypted VPN tunnel, ideally out-of-band (i.e., not from the endpoint), providing internet connectivity from a trusted network,” Faou wrote.

There is evidence that since June 2017, diplomats from four countries were targeted by MoustachedBouncer, two from Europe, one from Northeast Africa and one from South Asia. One of the two European diplomats was targeted twice between Nov 2020 and July 2022.

Timeline of MoustachedBouncer’s malicious activities (Screenshot: ESET)

****About MoustachedBouncer****

This previously undocumented cyberespionage group only targets foreign embassies in Belarus and has most likely been performing ISP-level adversary-in-the-middle attacks since 2020. This hacking group prefers using NightClub and Disco toolsets and used them in this campaign as well. 

Researchers have documented MoustachedBouncer as an independent group, but believe it works in collaboration with Winter Vivern. It was discovered in 2021. Proofpoint reported that the group used the Zimbra mail portal’s XSS vulnerability to steal the webmail credentials of diplomats from European countries.

**RELATED ARTICLES**

1.  Fake Tor Browser Installers Distributing Clipper Malware
2.  Big Head Ransomware Found in Fake Windows Updates
3.  SmugX: Chinese Hackers Targeting Embassies in Europe
4.  Hackers targeting embassies with trojanized TeamViewer
5.  Cyber-Partisans hit Belarus railroad system with ransomware

MoustachedBouncer Hackers Caught Spying on Embassies

### Impact
Critters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) bug.

### Patches
The bug has been fixed in `v0.0.20`.

### Workarounds
Upgrading Critters version to `>0.0.20` is the easiest fix. This is a non breaking version upgrade so we recommend all users to use `v0.0.20`.

**Critters Cross-site Scripting Vulnerability**

High severity GitHub Reviewed Published Aug 9, 2023 in GoogleChromeLabs/critters • Updated Aug 11, 2023

GHSA-cx3j-qqxj-9597: Critters Cross-site Scripting Vulnerability

Cross Site Scripting (XSS) vulnerability in `UserController.php` in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted `user_login`.

**ThinkCMF Cross-site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

GHSA-4847-gqxx-v9xp: ThinkCMF Cross-site Scripting Vulnerability

Cross Site Scripting (XSS) vulnerability in margox braft-editor version 2.3.8, allows remote attackers to execute arbitrary code via the embed media feature.

**Margox Braft-Editor Cross-site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

GHSA-jfrf-vv54-j2jg: Margox Braft-Editor Cross-site Scripting Vulnerability

Cross Site Scripting (XSS) vulnerability in `adm_user` parameter in Gila CMS version 1.11.3, allows remote attackers to execute arbitrary code during the Gila CMS installation.

**Gila CMS Cross-site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

GHSA-rvjp-j5j4-c9j5: Gila CMS Cross-site Scripting Vulnerability

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

Tag

#xss