Cross-site Scripting (XSS) - DOM in GitHub repository answerdev/answer prior to 1.0.4.

CVE-2023-0741

Cross-site Scripting (XSS) - Generic in GitHub repository answerdev/answer prior to 1.0.4.

@@ -4,6 +4,7 @@ import (

"fmt"

"net/url"

"os"

"path"

"path/filepath"

"strings"

  

@@ -53,13 +54,26 @@ func (am \*AvatarMiddleware) AvatarThumb() gin.HandlerFunc {

ctx.Next()

return

}

ext := strings.ToLower(path.Ext(filePath)\[1:\])

ctx.Header("content-type", fmt.Sprintf("image/%s", ext))

\_, err \= ctx.Writer.WriteString(string(avatarfile))

if err != nil {

log.Error(err)

}

ctx.Abort()

return

  

} else {

uUrl, err := url.Parse(u)

if err != nil {

ctx.Next()

return

}

\_, urlfileName := filepath.Split(uUrl.Path)

uploadPath := am.serviceConfig.UploadPath

filePath := fmt.Sprintf("%s/%s", uploadPath, urlfileName)

ext := strings.ToLower(path.Ext(filePath)\[1:\])

ctx.Header("content-type", fmt.Sprintf("image/%s", ext))

}

ctx.Next()

}

CVE-2023-0743: update img header · answerdev/answer@860b1a3

Cross-site Scripting (XSS) - Stored in GitHub repository wallabag/wallabag prior to 2.5.4.

**Cross-site Scripting (XSS) in wallabag/wallabag**

Moderate severity GitHub Reviewed Published Feb 8, 2023 to the GitHub Advisory Database • Updated Feb 8, 2023

GHSA-3x2c-87cq-qx49: Cross-site Scripting (XSS) in wallabag/wallabag 

The Interactive Geo Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the action content parameter in versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0731: Diff [2857078:2861473] for interactive-geo-maps/trunk – WordPress Plugin Repository

Cross site scripting (XSS) vulnerability in sourcecodester oretnom23 sales management system 1.0, allows attackers to execute arbitrary code via the product_name and product_price inputs in file print.php.

CVE-2023-23026 is assigned

Cross site scripting (XSS) vulnerability in sourcecodester oretnom23 sales management system 1.0, allows attackers to execute arbitrary code via the product\_name and product\_price inputs in file print.php.

Link: https://www.sourcecodester.com/php-codeigniter-simple-sales-management-system-source-code

Mutiple XSS vulnerabilities.

The input (sources) are saved directly in the database.

// Controllers/Categories.php
$data = $this\->input\->post();
if ($insert\_id = DB::save(TABLE\_CATEGORIES, $data)) {
  //...
}

// Controllers/Orders.php
$data = $this\->input\->post();
if(DB::save(TABLE\_ORDERS, $data)){
  //...
}

// Controllers/Products.php
$data = $this\->input\->post();
if ($insert\_id = DB::save(TABLE\_PRODUCTS, $data)) {
  //...
}

// views/orders/print.php
<?php
$product\_name = DB::get\_cell(TABLE\_PRODUCTS, $where, 'product\_name');
?>
<td\><?=$product\_name ?></td\>

// views/orders/form.php
<?php foreach(DB::get(TABLE\_PRODUCTS) as $row): ?>
  <option value\="<?=$row\->product\_id ?>"\><?=ucfirst($row\->product\_name) ?> - <?=$row\->product\_price ?></option\>
<?php endforeach; ?>

CVE-2023-23026: CVE-2023-23026

Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via filter_product input to file modal_product_lookups.php.

CVE-2023-23011 is assigned

Link: https://github.com/InvoicePlane/InvoicePlane

Multiple XSS vulnerabilities.

**Vulnerability1**: In file InvoicePlane-development\\application\\modules\\products\\controllers\\Ajax.php

$filter\_product = $this\->input\->get('filter\_product');
//...
$data = array(
      'products' => $products,
      'families' => $families,
      'filter\_product' => $filter\_product,
      'filter\_family' => $filter\_family,
      'default\_item\_tax\_rate' => $default\_item\_tax\_rate,
  );
//...
$this\->layout\->load\_view('products/modal\_product\_lookups', $data);

In file InvoicePlane-development\\application\\modules\\products\\views\\modal\_product\_lookups.php

<?php echo $filter\_product ?>

**Vulnerability2**: In file InvoicePlane-development\\application\\modules\\invoices\\controllers\\Ajax.php with invoice\_id

  public function modal\_create\_recurring(){
      $data = \[
          'invoice\_id' => $this\->input\->post('invoice\_id'),
          'recur\_frequencies' => $this\->mdl\_invoices\_recurring\->recur\_frequencies,
      \];

      $this\->layout\->load\_view('invoices/modal\_create\_recurring', $data);
  }

Then, it is printed without sanitization in file InvoicePlane-development\\application\\modules\\invoices\\views\\modal\_create\_recurring.php

<?php echo $invoice\_id; ?>

Similar to that:

**Vulnerability3:** invoice\_id in InvoicePlane-development\\application\\modules\\invoices\\controllers\\Ajax.php and printed in modal\_create\_recurring.php

**Vulnerability4:** invoice\_id in InvoicePlane-development\\application\\modules\\invoices\\controllers\\Ajax.php and printed in modal\_create\_credit.php

**Vulnerability5:** quote\_id in InvoicePlane-development\\application\\modules\\quotes\\controllers\\Ajax.php and printed in modal\_copy\_quote.php

**Vulnerability6:** invoice\_id in InvoicePlane-development\\application\\modules\\invoices\\controllers\\Ajax.php and printed in modal\_copy\_invoice.php

**Vulnerability7:** quote\_id in InvoicePlane-development\\application\\modules\\quotes\\controllers\\Ajax.php and printed in modal\_change\_client.php

**Vulnerability8:** payment\_cf\_exist in InvoicePlane-development\\application\\modules\\quotes\\controllers\\Ajax.php and printed in modal\_add\_payment.php

**Vulnerability9:** quote\_id in InvoicePlane-development\\application\\modules\\quotes\\controllers\\Ajax.php and printed in the same page.

  public function change\_client(){
     //...
      $client\_id = $this\->input\->post('client\_id');
      //....
          $response = \[
              'success' => 1,
              'quote\_id' => $quote\_id,
          \];
      //...

      echo json\_encode($response);
  }

CVE-2023-23011: XSS in InvoicePlane

CVE-2023-0736

An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed in the in-product tagging system.

CVE-2022-47419: Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419)

A vulnerability has been found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. Affected by this vulnerability is the function registration of the file oews/classes/Users.php of the component POST Request Handler. The manipulation of the argument firstname/middlename/lastname/email/contact leads to cross site scripting. The attack can be launched remotely. The identifier VDB-220369 was assigned to this vulnerability.

CVE-2023-0732

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit `2f6c5a8` but after commit `04cf68b` users could upload files with arbitrary `Content-Type` which would be served from the Zulip hostname with `Content-Disposition: inline` and no `Content-Security-Policy` header, allowing them to trick other users into executing arbitrary Javascript in the context of the Zulip application. Among other things, this enables session theft. Only deployments which use the S3 storage (not the local-disk storage) are affected, and only deployments which deployed commit 04cf68b45ebb5c03247a0d6453e35ffc175d55da, which has only been in `main`, not any numbered release. Users affected should upgrade from main again to deploy this fix. Switching from S3 storage to the local-disk storage would nominally mitigate this, but is likely more involved than upgrading to the latest `main` which addresses the issue.

Permalink

Browse files

CVE-2023-22735: Provide the Content-Disposition header from S3.

The Content-Type of user-provided uploads was provided by the browser
at initial upload time, and stored in S3; however, 04cf68b
switched to determining the Content-Disposition merely from the
filename.  This makes uploads vulnerable to a stored XSS, wherein a
file uploaded with a content-type of \`text/html\` and an extension of
\`.png\` would be served to browsers as \`Content-Disposition: inline\`,
which is unsafe.

The \`Content-Security-Policy\` headers in the previous commit mitigate
this, but only for browsers which support them.

Revert parts of 04cf68b, specifically by allowing S3 to provide
the Content-Disposition header, and using the
\`ResponseContentDisposition\` argument when necessary to override it to
\`attachment\`.  Because we expect S3 responses to vary based on this
argument, we include it in the cache key; since the query parameter
has dashes in it, we can't use use the helper \`$arg\_\` variables, and
must parse it from the query parameters manually.

Adding the disposition may decrease the cache hit rate somewhat, but
downloads are infrequent enough that it is unlikely to have a
noticeable effect.  We take care to not adjust the cache key for
requests which do not specify the disposition.

*   Loading branch information

Tag

#xss