A vulnerability was found in MotoPress Timetable and Event Schedule. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /wp-admin/admin-ajax.php of the component Quick Edit. The manipulation of the argument post_title with the input <img src=x onerror=alert`2`> leads to cross site scripting. The attack may be launched remotely. VDB-206486 is the identifier assigned to this vulnerability.

CVE-2022-2843

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5, 6.1.0.0 through 6.1.0.4, and 6.1.1.0 through 6.1.1.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 213965.

CVE-2021-39035: IBM Sterling B2B Integrator cross-site scripting CVE-2021-39035 Vulnerability Report

An issue was discovered in rageframe2 2.6.37. There is a XSS vulnerability in the user agent related parameters of the info.php page.

**RageFrame 2.0**

重量级全栖框架，为二次开发而生

**前言**

这是一款现代化、快速、高效、便捷、灵活、方便扩展的应用开发骨架。

RageFrame 创建于 2016 年 4 月 16 日，一个基于 Yii2 高级框架的快速开发引擎，目前正在成长中，目的是为了集成更多的基础功能，不再为相同的基础功能重复制造轮子，开箱即用，让开发变得更加简单。  
2018 年 9 月 10 日 2.0 版本正式上线，经过 1.0 版本一年多的开源反馈磨合，以更加优秀的形态出现。对 1.0 的版本进行了重构优化完善，更好的面向开发者进行二次开发。2.3.x 版本更是优化了底层突出了服务层，分离业务逻辑，支持多商户。

**特色**

*   极强的可扩展性，应用化，模块化，插件化机制敏捷开发。
*   极致的插件机制，微核架构，良好的功能延伸性，功能之间是隔离，可定制性高，可以渐进式地开发，逐步增加功能，安装和卸载不会对原来的系统产生影响,强大的功能完全满足各阶段的需求，支持用户多端访问(后台、微信、Api、前台等)。
*   极完善的 RBAC 权限控制管理、无限父子级权限分组、可自由分配子级权限，且按钮/链接/自定义内容/插件等都可加入权限控制。
*   只做基础底层内容，不会在上面开发过多的业务内容，满足绝大多数的系统二次开发。
*   多入口模式，多入口分为 Backend (后台)、Merchant (商户端)、Frontend (PC前端)、Html5 (手机端)、Console (控制台)、Api (对内接口)、OAuth2 Server (对外接口)、MerApi (商户接口)、Storage (静态资源)，不同的业务，不同的设备，进入不同的入口。
*   对接微信公众号且支持小程序，使用了一款优秀的微信非官方 SDK Easywechat 4.x，开箱即用，预置了绝大部分功能，大幅度的提升了微信开发效率。
*   整合了第三方登录，目前有 QQ、微信、微博、GitHub 等等。
*   整合了第三方支付，目前有微信支付、支付宝支付、银联支付，二次封装为网关多个支付一个入口一个出口。
*   整合了 RESTful API，支持前后端分离接口开发和 App 接口开发，可直接上手开发业务。
*   一键切换云存储，本地存储、腾讯 COS、阿里云 OSS、七牛云存储都可一键切换，且增加其他第三方存储也非常方便。
*   全面监控系统报错，报错日志写入数据库，方便定位错误信息。支持直接钉钉提醒。
*   快速高效的 Servises (服务层)，遵循 Yii2 的懒加载方式，只初始化使用到的组件服务。
*   丰富的表单控件(时间、日期、时间日期、日期范围选择、颜色选择器、省市区三级联动、省市区勾选、单图上传、多图上传、单文件上传、多文件上传、百度编辑器、百度图表、多文本编辑框、地图经纬度选择器、图片裁剪上传、TreeGrid、JsTree、Markdown 编辑器)和组件(二维码生成、Curl、IP地址转地区)，快速开发，不必再为基础组件而担忧。
*   快速生成 CURD ,无需编写代码，只需创建表设置路径就能出现一个完善的 CURD ,其中所需表单控件也是勾选即可直接生成。
*   正常开发只需要开发商户端，没有 Saas 的时候商户端就是总后台，有了 Saas，商户端就是子后台
*   完善的文档和辅助类，方便二次开发与集成。

**思维导图**

**应用架构流程**

**系统快照**

【系统 - 首页】  【系统 - 配置管理】  【系统 - 角色编辑】  【系统 - 日志统计】  【会员 - 信息】  【微信 - 自定义菜单】  【插件模块 - 列表】  【插件模块 - 文章模块】  【插件模块 - 系统监控】 

**开始之前**

*   具备 PHP 基础知识
*   具备 Yii2 基础开发知识
*   具备 开发环境的搭建
*   仔细阅读文档，一般常见的报错可以自行先解决，解决不了再来提问
*   如果要做小程序或微信开发需要明白微信接口的组成，自有服务器、微信服务器、公众号（还有其它各种号）、测试号、以及通信原理（交互过程）
*   如果需要做接口开发(RESTful API)了解基本的 HTTP 协议，Header 头、请求方式（GET\POST\PUT\PATCH\DELETE）等
*   能查看日志和 Debug 技能
*   一定要仔细走一遍文档

**Demo**

地址：http://demo2.rageframe.com/backend  
账号：demo  
密码：123456

**官网**

http://www.rageframe.com

**文档**

安装文档 · 本地文档 · 更新历史 · 常见问题

**插件**

*   微商城：https://github.com/jianyan74/TinyShop
*   微信公众号：https://github.com/jianyan74/Wechat
*   商家管理：https://github.com/jianyan74/Merchants
*   在线文档：https://github.com/jianyan74/RfOnlineDoc

**问题反馈**

在使用中有任何问题，欢迎反馈给我，可以用以下联系方式跟我交流

QQ群1：655084090 (2000人快满)  
QQ群2：1148015133 (新群)

GitHub：https://github.com/jianyan74/rageframe2/issues

**特别鸣谢**

感谢以下的项目，排名不分先后

Yii：http://www.yiiframework.com

EasyWechat：https://www.easywechat.com

Bootstrap：http://getbootstrap.com

AdminLTE：https://adminlte.io

...

**版权信息**

RageFrame 遵循 Apache2 开源协议发布，并提供免费使用。

本项目包含的第三方源码和二进制文件之版权信息另行标注。

版权所有Copyright © 2016-2020 by RageFrame www.rageframe.com

All rights reserved。

CVE-2022-36530: GitHub - jianyan74/rageframe2: 一个基于Yii2高级框架的快速开发应用引擎

Airspan AirVelocity 1500 prior to software version 15.18.00.2511 is vulnerable to injection leading to XSS in the SNMP community field in the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models.

You must log in to access this page.

If you think you shouldn't get this message, please contact your Jira administrators.

CVE-2022-36311: Log in - Airspan JIRA

There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.

Esri has released the Portal for ArcGIS Security 2022 Update 1 Patch that resolves two high priority security vulnerabilities and seven medium priority security vulnerabilities across versions 10.9.1, 10.8.1, and 10.7.1.

As with all security patches, we encourage all system administrators to install security updates on relevant systems at your earliest opportunity.

This patch addresses two high severity vulnerability and seven medium severity vulnerabilities. This patch is available _here__._

We provide Common Vulnerability Scoring System (CVSS) scores to allow our customers to better assess risk of these vulnerabilities to their operations.

Both the base score and a modified temporal score is provided for each issue to reflect the availability of an official patch.  Please see Common Vulnerability Scoring System for more information on how these metrics are defined.

**Vulnerabilities fixed in this patch include:**

There is an **improper access control vulnerability** in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.5 Base Score, 6.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C/MPR:L

**Mitigations**

Disable anonymous access to Portal for ArcGIS

**Vulnerability Details**

**Esri Bug ID:** BUG-000143640

CVE-2022-38184 – Improper Access Control CWE-284 – CVSS 6.2

There is an **improper access control vulnerability** in Portal for ArcGIS versions 10.8.1 and below which could allow a remote, unauthenticated attacker to access an API that may induce Esri Portal for ArcGIS to read arbitrary URLs.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.5 Base Score, 6.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/RL:O/RC:C/MPR:L

**Mitigations**

Disable anonymous access to Portal for ArcGIS

**Vulnerability Details**

**Esri Bug ID:** BUG-000143638

CVE: CVE-2022-38184 – Improper Access Control CWE-284 – CVSS 6.2

There is **a reflected XSS vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.1 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L

**Mitigations:**

Disable Anonymous Access to Portal for ArcGIS

**Vulnerability Details:**

**Esri Bug ID:** BUG-000143642

CVE: CVE-2022-38186 – Cross-site Scripting (XSS) CWE-79  – CVSS 6.2

**Acknowledgements:**

Simone La Porta

There is **a reflected XSS vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.1 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L

**Mitigations:**

Disable Anonymous Access to Portal for ArcGIS

**Vulnerability Details:**

**Esri Bug ID:** BUG-000137733

CVE: CVE-2022-38186- Cross-site Scripting (XSS) CWE-79  – CVSS 6.2

There is **a reflected XSS vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   7.1 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/RL:O/MPR:L

**Mitigations:**

Disable Anonymous Access to Portal for ArcGIS

**Vulnerability Details:**

**Esri Bug ID:** BUG-000136544

CVE: CVE-2022-38188 – Cross-site Scripting (XSS) CWE-79  – CVSS 6.2

In Esri Portal for ArcGIS versions 10.8.1, **a system property is not properly encrypted**. This may lead to a local user reading sensitive information from a properties file.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   6.7 Base Score, 6.4 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N/RL:O/RC:C

**Mitigations:**

**Vulnerability Details:**

**Impacts Portal for ArcGIS 10.8.1 ONLY**

**Esri Bug ID:** BUG-000133255

CVE: CVE-2022-38194 –   Missing Encryption of Sensitive Data  CWE-311 – CVSS 5.2

There is **a code injection vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution in a victims browser.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   6.1 Base Score, 5.8 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID:** BUG-000135726

CVE: CVE-2022-38193 – Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) CWE-95 – CVSS 5.8

There is a **stored Cross Site Scripting (XSS) vulnerability** in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser

Common Vulnerability Scoring System (CVSS v3.1) Details

*   5.7 Base Score, 5.5 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/RL:O

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID:** BUG-000149597

CVE: CVE-2022-38192 – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2

There is a **stored Cross Site Scripting (XSS) vulnerability** in Esri Portal for ArcGIS configurable apps versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser

Common Vulnerability Scoring System (CVSS v3.1) Details

*   5.4 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID:** BUG-000143643

CVE: Coming soon – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2

**Acknowledgements:**

Fredrik Ljung

There is **an HTML injection issue** in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   5.4 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID**: BUG-000138486

CVE: CVE-2022-38191 – Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) CWE-74  – CVSS 5.2

There is a **stored Cross Site Scripting (XSS) vulnerability** in Esri Portal for ArcGIS which may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser. This is a separate fix than BUG-000149597.

Common Vulnerability Scoring System (CVSS v3.1) Details

*   5.4 Base Score, 5.2 Temporal Score
*   Remediation Level: Official Fix Available
*   Report Confidence: Confirmed by Esri

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C/

**Mitigations:**

**Vulnerability Details:**

**Esri Bug ID:** BUG-000133257

CVE: CVE-2022-38189 – Cross-site Scripting (XSS) CWE-79 – CVSS 5.2

**Acknowledgements:**

Gustavo Silva

**Additional Notes:**

This patch is highly recommended and encouraged for all customers running on versions of ArcGIS Enterprise in mainstream and extended support status. (10.7.1, 10.8.1, and 10.9.1). Customers on older versions of ArcGIS Enterprise are encouraged to upgrade.

CVE-2022-38191: Portal for ArcGIS Security 2022 Update 1 Patch

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

Authenticated stored cross-site scripting (XSS) vulnerability in "Field Server Address" field in INTELBRAS ATA 200 Firmware 74.19.10.21 allows attackers to inject JavaScript code through a crafted payload.

Change Mirror Download

    # Exploit Title: Intelbras ATA 200 Authenticated Stored XSS# Date: 17/01/2022# Exploit Author: Leonardo Goncalves# Vendor Homepage: https://www.intelbras.com/pt-br/adaptador-ip-para-telefones-analogicos-ata-200# Version: Firmware 74.19.10.211) Log in the equipment via your web browser2) Go to Management > Syslog3) In the "Field Server Address" inject the payload "-prompt("XSS")-"4) Click Save5) Exploit

CVE-2022-24654: Intelbras ATA 200 Cross Site Scripting ≈ Packet Storm

Inout SiteSearch version 2.0.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                        │ │                                         :│  Website  : inoutscripts.com               │ │                                         ││  Vendor   : Inout Scripts                  │ │                                         ││  Software : Inout SiteSearch 2.0.1         │ │ Inout SiteSearch is a premium script    ││  Vuln Type: Cross Site Scripting Reflected │ │ that allows you to add a site           ││  Method   : GET                            │ │ search feature                          ││  Impact   : Manipulate the content of      │ │                                         ││             the site                       │ │                                         ││────────────────────────────────────────────┘ └─────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, Sad, His0k4, Hussin X, Mr. SQL     Phr33k , NK, GoldenX, Wehla, Cap, DarkCatSpace, R0ot, KnG, Centerk, chamanwal  loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y, ix7         CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'searchkeyword' is vulnerable to XSShttp://inout-sitesearch.demo.inoutscripts.net/index.php/search/result?searchkeyword=[XSS]Some XSS Payloads Reflectedjavascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'><IMG """><SCRIPT>alert("XSS")</SCRIPT>"\></TITLE><SCRIPT>alert("XSS");</SCRIPT>[-] Done

Inout SiteSearch 2.0.1 Cross Site Scripting

Ubuntu Security Notice 5568-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-5568-1August 15, 2022webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.6-0ubuntu0.22.04.1  libwebkit2gtk-4.0-37            2.36.6-0ubuntu0.22.04.1  libwebkit2gtk-4.1-0             2.36.6-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.6-0ubuntu0.20.04.1  libwebkit2gtk-4.0-37            2.36.6-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5568-1  CVE-2022-2294, CVE-2022-32792, CVE-2022-32816Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.6-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.6-0ubuntu0.20.04.1

Ubuntu Security Notice USN-5568-1

The Duplicate Page and Post Plugin WordPress plugin through 2.7 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Tag

#xss