Doctor's Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) via the admin panel. In addition, it leads to takeover the administrator account by stealing the cookie via XSS.

Submitted by hshnudr on Wednesday, June 8, 2022 - 10:13.

(Updated)

This project helps a certain medical establishment such as a clinic or a hospital clients/patients to request an appointment with a doctor online. This project can also help doctors to manage the schedules of their appointments with their patients. This doctor's appointment system will organize the schedules of each patient's appointment, which will be submitted as a request to the doctor they have selected. The system has 3 sides which are the administrator, the doctor, and the patient. The system admin will populate the list of the doctors with their specialties and along with the doctor's details and system credentials. The patients will browse the doctor's appointment system website to find a doctor that has the specialty of their needs. The patient can check the doctor's weekly schedule to help them to choose the day and time which they can comply for the appointment and they will submit their request for an appointment. After that, the doctors can view all their appointments and the appointment request of the patients for their availability.

****Admin's Side****

*   **Admin can add doctors, edit doctors, delete doctors;**
    
*   **Schedule new doctors sessions, remove sessions;**
    
*   **View patient details;**
    
*   **View booking of patients;**
    

****Doctor's Side****

*   **View their Appointment;**
*   **view their scheduled sessions;**
*   **view details of patients;**
*   **delete account;**
*   **edit account settings;**

**Patient's Side**

*   **create accounts themselves;**
*   **view their old booking;**
*   **delete account;**
*   **edit account settings;**

****HOW TO GET STARTED?****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** naming ****edoc****.
6.  **Import** the provided ****SQL**** file. The file is known as ****SQL\_Database\_edoc.sql**** located inside the **source code root** folder.
7.  **Browse** the **Doctor's Appointment System** in a **browser**. i.e. ****http://localhost/edoc-echanneling-main/****.

**DEFAULT USER ACCOUNTS OF THIS PROJECT******ADMIN****

Email: **\[email protected\]**  
Password: **123**

****Doctor****

Email: **\[email protected\]**  
Password: **123**

****Patient****

Email: **\[email protected\]**  
Password: **123**

**DEMO VIDEO**

****The Project was developed using the following:****

Apache Version: 2.4.39

PHP Version: 7.3.5

Server Software: Apache/2.4.39 (Win64) PHP/7.3.5

MySQL Version: 5.7.26

Web developer: Hashen Udara https://github.com/HashenUdara/

HashenUdara/edoc-doctor-appointment-system: Simple web project that made for e-channeling. (github.com)

****More Snapshots:****

*   3074 views

CVE-2022-36203: Doctor's Appointment System using PHP Free Source Code

Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.

The value of the /search/1940/created-monthly-list request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick a user to visit some crafted URL that is connected exactly to this system. Then he can trick the user to visit some malicious address that the victim will think is connected with the original web address it depending on the scenario. This can be dangerous for all users of this system.

GET /piwigo/index.php?/search/4863/created\-monthly\-list%22%3Ehttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcom%3CYZxWX%3E HTTP/1.1
Host: pwned\_host.com
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: en\-US,en;q\=0.5
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: pwg\_id\=hctfqtab45adhogo2suhq2mr0c; ssc\_phoneSwap\=0
Upgrade\-Insecure\-Requests: 1

CVE-2022-37183: CVE-nu11secur1ty/vendors/Piwigo/2022/12.3.0 at main · nu11secur1ty/CVE-nu11secur1ty

The WordPress Core version 6.0.2 release addresses cross site scripting and remote SQL injection vulnerabilities.

    Description: SQL Injection via Links LIMIT clauseAffected Versions: WordPress Core < 6.0.2Researcher: FVDCVE ID: PendingCVSS Score: 8.0 (High)CVSS Vector:CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:HFully Patched Version: 6.0.2The WordPress Link functionality, previously known as “Bookmarks”, is no longer enabled by default on new WordPress installations. Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration. It is possible that 3rd party plugins or themes might allow this vulnerability to be used by editor-level users or below, and in these cases the Wordfence firewall will block any such exploit attempts.Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned. In a default configuration, only the Links legacy widget calls the get_bookmarks function in a way that allows this argument to be set by a user. Legacy widgets involve additional safeguards, and the injection point of the query itself poses additional difficulties, making this vulnerability nontrivial to exploit.Description: Contributor+ Stored Cross-Site Scripting via use of the_meta functionAffected Versions: WordPress Core < 6.0.2Researcher: John BlackbournCVE ID: PendingCVSS Score: 4.9 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:NFully Patched Version: 6.0.2WordPress content creators, such as Contributors, Editors, Authors, and Administrators, have the ability to add custom fields to any page and post created. The purpose of this is to make it possible for site content creators to add and associate additional data to posts and pages.WordPress has several functions available to site owners to display custom fields created and associated with posts and pages. One of these functions is the the_meta function which retrieves the supplied post’s or page’s custom field data, which is stored as post meta data, through the get_post_custom_keys and get_post_custom_values functions. Once the custom fields for a post/page are retrieved, the function outputs the post meta keys and values data as a list. Unfortunately, in versions older than 6.0.2 this data was unescaped on output making it possible for any injected scripts in post meta keys and values to be executed.Due to the fact that any user with access to the post editor can add custom meta fields, users with access to the editor such as contributors could inject malicious JavaScript that executes on any page or post where this function is called.WordPress core does not call the_meta anywhere in its codebase by default. As such this vulnerability does require a plugin or theme that calls the the_meta function, or for this function to have been programmatically added to a PHP file for execution, so the vast majority of site owners are not vulnerable to this issue. The the_meta function is considered deprecated as of 6.0.2 and get_post_meta is the recommended alternative.The Wordfence Threat Intelligence Team deployed a firewall rule to help protect Wordfence Premium, Care & Response customers today. Wordfence Free users will receive the same protection in 30 days on September 29, 2022.Description: Stored Cross-Site Scripting via Plugin Deactivation and Deletion errorsAffected Versions: WordPress Core < 6.0.2Researcher: Khalilov MoeCVE ID: PendingCVSS Score: 4.7 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:NFully Patched Version: 6.0.2The final vulnerability involves the error messages displayed when a plugin has been deactivated due to an error, or when a plugin can not be deleted due to an error. As these error messages were not escaped, any JavaScript present in these error messages would execute in the browser session of an administrator visiting the plugins page. This vulnerability would require a separate malicious or vulnerable plugin or other code to be installed on the site, which would typically require an administrator to install it themselves. In almost all cases where this vulnerability might be exploitable an attacker would already have a firm foothold on the vulnerable site.Our built-in XSS rule should block any attempts to generate crafted error messages based on user input to a vulnerable plugin, and the Wordfence scanner will detect any malicious plugins uploaded by an administrator.ConclusionIn today’s article, we covered three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours, and any sites that remain vulnerable would only be exploitable under very specific circumstances.We have released a firewall rule to Wordfence Premium, Care, and Response users to protect against any exploits targeting the the_meta function and this rule should become available to Wordfence free users after 30 days, on on September 29, 2022.As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.Props to Khalilov Moe, John Blackbourn, & FVD for discovering and responsibly disclosing these vulnerabilities. Special thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for collaborating on this post.

WordPress Core Cross Site Scripting / SQL Injection

New graph-based tool offers a better alternative to current approaches for finding vulnerabilities in JavaScript code, they note.

Researchers at Johns Hopkins University recently uncovered a startling 180 zero-day vulnerabilities across thousands of Node.js libraries using a new code analysis tool they developed specifically for the purpose, called ODGen.

Seventy of those flaws have since received common vulnerabilities and exposures (CVE) identifiers. They include command injection flaws, path traversal vulnerabilities, arbitrary code execution issues, and cross-site scripting vulnerabilities — some of them in widely used applications.

In a paper released at the Usenix Security Symposium earlier this month, the Johns Hopkins researchers — Song Li, Mingqing Kang, Jianwei Hou, and Yinzhi Cao — described ODGen as a better alternative to current code-analysis and so-called graph query-based approaches for finding Node.js vulnerabilities.

Program analysis-based approaches have proved useful in helping detect individual vulnerability types such as code-injection flaws in JavaScript. But they cannot be easily extended to detect all kind of vulnerabilities that might be present in the Node.js platform, the researchers said. Similarly, graph-based code-analysis methods — where code is first represented as a graph and then queried for specific coding errors — works well in environments such as C++ and PHP. However, graph-based approaches are not as efficient in mining for JavaScript vulnerabilities because of the programming language's extensive use of dynamic features, they noted.

**A 'Novel' Approach for Finding JavaScript Vulnerabilities**

So, the researchers instead developed what they described as a "novel" and better method called Object Dependence Graph (ODG) that can be used for detecting Node.js vulnerabilities. They implemented ODGen to generate "ODG" for Node.js programs to detect vulnerabilities, they said.

Cao, assistant professor of computer science at Johns Hopkins University and a co-author of the research report, uses a couple of analogies to describe graph-based code analysis in general and their proposed Objective Dependence Graph. "If we consider a vulnerability as a special pattern — say, a green node connected with a red node and then a black node — a graph-based code-analysis tool first converts programs to a graph with many nodes and edges," Cao says. "Then the tool looks for such patterns in the graph to locate a vulnerability."

The Object Dependence Graph that the researchers have proposed refines this approach by representing JavaScript objects as nodes and adding features — including dependencies between objects — that are specific to the programming language, and then querying for errors. Cao describes how the method works using grains in a handful of rice: If all the grains look the same before boiling but assume two different shades after boiling — one representing good grains and the other bad grains — then it becomes easier to spot and weed out the bad grains. "Abstract interpretation is kind of like the boiling process that converts rice — that is, programs — into different colored objects" so errors are easier to spot, Cao says.

**A Variety of Bugs**

To see if their approach works, the researchers first tested ODGen against a sample of 330 previously reported vulnerabilities in Node.js packages on the node package manager (npm) repository. The test showed the scanner correctly identifying 302 of the 330 vulnerabilities. Buoyed by the relatively high accuracy rate, the researchers ran ODGen against some 300,000 Java packages in npm. The scanner reported a total of 2,964 potential vulnerabilities across the packages. The researchers checked 264 of them — all with more than 1,000 downloads per week on average — and were able to confirm 180 as being legitimate vulnerabilities. Forty-three of them were at the application level, 122 were in packages that are imported by other applications or code, and the remaining 15 were present in indirect packages.

A plurality (80) of the confirmed vulnerabilities that ODGen detected were command injection flows that allow attackers to execute arbitrary code at the operating system level via a vulnerable application. Thirty were path traversal flaws; 24 enabled code tampering, and 19 involved a specific type of command injection attack called prototype pollution.

New ODGen Tool Unearths 180 Zero-Days in Node.js Libraries

PicUploader v2.6.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /master/index.php.

Hello,

I would like to report for possible XSS vulnerability.

In file https://github.com/xiebruce/PicUploader/blob/master/index.php

$data = \[
	'code' => 'success',
	'data' => \[
		'filename' => $\_FILES\['file'\]\['name'\],
		'url' => $isWeb ? $link\['formatLink'\] : $link,
              //专用于web上传，其它客户端上传该参数无用
              'notFormatUrl' => $isWeb ? $link\['notFormatLink'\] : '',
	\],
\];

header('Content-Type: application/json; charset=UTF-8');
$json = json\_encode($data, JSON\_UNESCAPED\_UNICODE);
echo $json;

It is possible to do the injection with the name of the file through $\_FILES\['file'\]\['name'\].

Thank you for reporting, I add a htmlspecialchars() to convert something like <script>alert('sdfds')</script> to html entities.

htmlspecialchars($\_FILES\['file'\]\['name'\])

Don't know if this can solve the issue?

Thank you for your response.

Yes exactly that solve the issue.

I would like also to mention to security issue in https://github.com/xiebruce/PicUploader/blob/master/settings/SettingController.php

public function getStorageParams($params){
		$key = $params\['key'\];
		$jsonFile = $this\->storagesDir.'/storage-'.$key.'.json';
		if(is\_file($jsonFile)){
			$columns = json\_decode(file\_get\_contents($jsonFile), true);
			$code = 0;
		}else{
			//....
		}
		unset($columns\['name'\]);
		
		$returnArr = \[
			'code' => $code,
			'data' => $columns,
		\];
		//....
		return json\_encode($returnArr);
	}
	
	public function setStorageParams($params){
		//...
               $config = json\_encode($\_POST, JSON\_UNESCAPED\_SLASHES);
                //...
                $config = str\_replace('\\u202a', '', $config);
		file\_put\_contents($jsonFile, $config);
		//....
	}

You are saving the $\_POST in a file through the function getStorageParams without sanitization. Then you use the function getStorageParams to retrieve the information. Are you using this file in your project ? if yes, we need to sanitize the input.

Thank you so much, now I update the code as below

$post = \[\];
foreach($\_POST as $key\=>$val){
	$post\[$key\] = htmlspecialchars($val);
}
$config = json\_encode($post, JSON\_UNESCAPED\_SLASHES);

CVE-2022-36748: XX vulnerability in index.php · Issue #80 · xiebruce/PicUploader

RPi-Jukebox-RFID v2.3.0 was discovered to contain a command injection vulnerability via the component /htdocs/utils/Files.php. This vulnerability is exploited via a crafted payload injected into the file name of an uploaded file.

I would like to report for possible vulnerability.

//line 136
if(isset($\_GET\['folder'\]) && $\_GET\['folder'\] != "") { 
    $post\['folder'\] = $\_GET\['folder'\];
} else {
    if(isset($\_POST\['folder'\]) && $\_POST\['folder'\] != "") { 
        $post\['folder'\] = $\_POST\['folder'\];
    }
}
if(isset($\_GET\['filename'\]) && $\_GET\['filename'\] != "") { 
    $post\['filename'\] = $\_GET\['filename'\];
} else {
    if(isset($\_POST\['filename'\]) && $\_POST\['filename'\] != "") { 
        $post\['filename'\] = $\_POST\['filename'\];
    }
}
//line 249
$fileName = Files::buildPath($post\['folder'\], $post\['filename'\]);
$exec = "mid3v2 -l '" .$fileName ."'" ;

public static function buildPath(...$pieces) {
        return implode(DIRECTORY\_SEPARATOR, $pieces);
    }

So the attacker can control the command injection through the filename.  
The attacker can add ';' and add another command like (echo <script>alert(document.cookie)<\\script>.  
The output pf the command will be printed through this path.

//line 252
// note: the output of the command is in $res
$lines = explode(PHP\_EOL, $res);
foreach($lines as $line) {
    $parts = explode("\=",$line);
    $key = trim(array\_shift($parts)); // take the first
    $val = trim(implode("\=",$parts)); // put the rest back together
    if (in\_array($key, $trackDat\['metaKeys'\]\['mp3'\])) {
        $trackDat\['existingTags'\]\[$key\] = $val;
    }
}
//line 496
if (isset($trackDat\['existingTags'\]\['TCOM'\]) && trim($trackDat\['existingTags'\]\['TCOM'\]) != "") {
              echo trim($trackDat\['existingTags'\]\['TCOM'\]);
}

Finally, I recommend using escapeshellarg function with the $\_GET\['folder'\], $\_POST\['folder'\], $\_GET\['filename'\] and $\_POST\['filename'\]

CVE-2022-36749: 🐛 | Command Injection and XSS vulnerabilities reports · Issue #1859 · MiczFlor/RPi-Jukebox-RFID

Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the function uploadchannel().

Hello,

I would like to report for XSS vulnerability.

In file https://github.com/cobub/razor/blob/2c991aff4a9c83f99e77a03e26056715706f15c0/web/application/controllers/manage/product.php

//line 98
function uploadchannel()
    {
        $platform = $\_POST\['platform'\];
        $channel = $this\->channel\->getchanbyplat($platform);
        echo json\_encode($channel);
    }

In file

function getchanbyplat($platform)

//line 421
function getchanbyplat($platform)
    {
        $userid\=$this\->common\->getUserId();    
        $sql\="select \* from  ".$this\->db\->dbprefix('channel')."  where active=1 and platform='$platform' and type='system' union 
        select \* from  ".$this\->db\->dbprefix('channel')."  where active=1 and platform='$platform' and type='user'and user\_id=$userid"; 
        $query = $this\->db\->query($sql);
        if ($query!=null&&$query\->num\_rows()>0) {
                return $query\->result\_array();
        }
          return null; 
    }

We can see that the $platform variable is used inside the the sql query without sanitization.  
So the attacker can use the UNION command inside the platform to join a harmful input to the results of the query.  
For example: $platform = 'something' UNION select '<script>alert(document.cookie)<\\script>' AS '.

Thus the XSS will happen at echo json_encode($channel);

I recommend to have a check and delete for the character (') in the platform variable.

CVE-2022-36747: XSS vulnerability · Issue #176 · cobub/razor

LibreNMS v22.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component oxidized-cfg-check.inc.php.

Signed-off-by: AL-KASSAR feras.al-kassar@sap.com

Security fixes

XSS in oxidized-cfg-check.inc.php: sanitize the output

XSS in print-customoid.php: cast the value to integer

**Please note**

> Please read this information carefully. You can run ./lnms dev:check to check your code before submitting.

*   Have you followed our code guidelines?
*   If my Pull Request does some changes/fixes/enhancements in the WebUI, I have inserted a screenshot of it.
*   If my Pull Request makes discovery/polling/yaml changes, I have added/updated test data.

**Testers**

If you would like to test this pull request then please run: ./scripts/github-apply <pr_id>, i.e ./scripts/github-apply 5926  
After you are done testing, you can remove the changes with ./scripts/github-remove. If there are schema changes, you can ask on discord how to revert.

CVE-2022-36746: Security fixes XSS in oxidized-cfg-check.inc.php and print-customoid.php by enferas · Pull Request #14126 · librenms/librenms

Dell EMC Data Protection Advisor versions 19.6 and earlier, contains a Stored Cross Site Scripting, an attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

**Vaikutus**

Medium

**Tiedot**

**Proprietary Code CVE**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-33935

Dell Data Protection Advisor versions 19.6 and earlier contains a Stored Cross Site Scripting vulnerability. An attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets run by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

**Proprietary Code CVE**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-33935

Dell Data Protection Advisor versions 19.6 and earlier contains a Stored Cross Site Scripting vulnerability. An attacker may potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets run by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen****Versiohistoria**

**Revision** 

**Date** 

**Description** 

1.0

2022-07-25

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

25 heinäk. 2022

CVE-2022-33935: DSA-2022-107: Dell Data Protection Advisor Security Update for Stored Cross Site Scripting Vulnerability

Library Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /librarian/edit_book_details.php.

Permalink

Cannot retrieve contributors at this time

**Library Management System v1.0 by kingbhob02 has Stored Cross-Site Scripting****BUG\_Author: z1pwn****Date: 07.22.2022**

Login account: admin/admin (Super Admin account)

**Software:**

https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html

#Description： #The Line 278 of edit\_book\_details.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.

#echo $edit\_book\_details->Author;

#PoC：

POST /LMS/librarian/edit\_book\_details.php?id\=192 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/LMS/librarian/edit\_book\_details.php?id=192
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=7v8p4p3goshl3b4fkncu3bh9ui
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
Section=Filipiniana&Subject=1&book=1&Copyright=1&Title=1&availability=1&Author=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&ISBN=1&status=DAMAGE&submit=

Tag

#xss