Multiple cross-site scripting (XSS) vulnerabilities in Parking Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via crafted payloads injected into the user name, password, and verification code text boxes.

**Parking-management-systemXSS-**

XSS vulnerability details Vulnerability Title: There are multiple cross site script attack vulnerabilities in the intelligent parking lot management system of Hongmen Intelligent Technology Co., Ltd

Manufacturer information: Company information: Hongmen Intelligent Technology Co., Ltd

Registered capital: RMB 61.99 million

Date of establishment: 2007-07-04

Registered address: Floor 4, building 1, Hongmen Industrial Park, Jihua Road, Shuijing, Buji, Longgang District, Shenzhen

Business scope: General business items include: intelligent parking lot management system, access control and traffic management system, security management system, mechatronics products, electric telescopic doors, industrial and commercial electric doors and windows, sliding doors, revolving doors, road gates, flagpoles, traffic facilities, security products, social and public security equipment (metal safety doors and windows, prison bed, interrogation chair, intelligent high-voltage power grid) R & D, production, processing, sales, installation, after-sales service and maintenance of hardware products, and technical development of computer hardware and software (excluding restricted items); Setting up industry (specific projects will be reported separately); Domestic trade (excluding monopoly, exclusive control and monopoly commodities); Import and export of goods and technology; Construction of construction works; House leasing (excluding financial leasing business). (except for the items prohibited by laws, administrative regulations and decisions of the State Council, the restricted items can be operated only after obtaining permission).

Official website of the company: http://www.hongmen.com/index.html

The vulnerable products are:

![图片](https://user-images.githubusercontent.com/64825932/154642732-0d4e0866-551a-4cec-bf57-e57d3d5bb0ba.png)

contact information: Address: Hongmen Science Park, Hongmen Road, Jihua street, Longgang District, Shenzhen, Guangdong, China Postal Code: 518129 Tel: + 86 755 28770313 Fax: + 86 755 28770153 Purchase service hotline: electric door, gate, fence, etc. 400-8844-668 Purchase service hotline: parking lot system, access gate, access control, etc. 400-7009-008 Vulnerability Description:

Founded in 1997, Hongmen is a national high-tech enterprise integrating R & D, production, sales, installation and service of electromechanical integrated products such as electric telescopic door, intelligent access management system, translation door, gate, balcony guardrail and fence. It is committed to providing intelligent, safe and fashionable products and overall solutions for access management. There is a vulnerability in the Red Gate intelligent parking lot management system. An attacker can use this vulnerability to obtain sensitive information, and can also use this vulnerability to obtain sensitive information such as administrator cookies. 1.Enterprise vulnerability URL: http://218.104.69.170:9001/

![图片](https://user-images.githubusercontent.com/64825932/154642891-35914488-a806-4a01-b5f9-d69d334b83eb.png)

The home page is shown in the figure above. There are three vulnerabilities. XSS statements can be inserted into the boxes of user name, password and verification code, resulting in the disclosure of users' cookies. After testing, three different places can be determined to be represented by parameters user, PWD and ident respectively. Direct get request can cause attack. ①http://218.104.69.170:9001/?user=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

![图片](https://user-images.githubusercontent.com/64825932/154643057-2f2b3b20-bb4a-4a30-9c50-f9940f957d9b.png)

Clicking directly on the browser can cause the disclosure of user cookies, as shown in the figure above. ②在密码框处插入的情况： http://218.104.69.170:9001/?pwd=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

![图片](https://user-images.githubusercontent.com/64825932/154643141-e8a64689-3fa3-470f-a71b-a0412fe50a12.png)

The page successfully returned the user cookie value ③： http://218.104.69.170:9001/?ident=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

![图片](https://user-images.githubusercontent.com/64825932/154643329-a391e103-0422-45f4-bf79-2b5408c84e5d.png)

CVE-2022-25575: Parking-management-systemXSS-/README.md at main · zangcc/Parking-management-systemXSS-

A Cross Site Scripting (XSS) vulnerability exists in Yogesh Ojha reNgine v1.0 via the Scan Engine name file in the Scan Engine deletion confirmation modal box . .

**Issue Summary**

In reNgine v1.0, there is Stored Cross-site Scripting while deleting a Scan Engine in the Scan Engine deletion confirmation modal box!

**Steps to Reproduce**

1.  Visit your reNgine instance, and login to your account.
2.  Head over to the **`/scanEngine/`** endpoint.
3.  Click on "Add New Engine" and write `<img src=binit onerror=alert(document.location)>` in the **Engine name** field.
4.  Now, click on the "Add Engine" button to save the changes.
5.  Click on the cross icon under the **Action** column, which is used for deleting the scan engine.

You will notice that, while displaying "Are you sure you want to delete {Scan\_Engine\_Name}?", it will render our Scan Engine Name as it is without performing any sort of sanitization, which results in our JavaScript code inside the XSS payload being executed.

This is how this vulnerability can be reproduced.

![Stored Cross-site Scripting while deleting a scan engine in the Scan Engine deletion confirmation modal box!](https://user-images.githubusercontent.com/20013689/130176153-7a268389-efad-4934-a123-7e2c3948ad33.png)

*   I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: **yes**

**Technical details**

*   Debian 4.19.181-1

CVE-2021-39491: [SECURITY] - Stored Cross-site Scripting while deleting a scan engine in the Scan Engine deletion confirmation modal box! · Issue #460 · yogeshojha/rengine

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/data-hub prior to 1.2.4.

Permalink

Browse files

follow up to #462

*   Loading branch information

![@dvesh3](https://avatars.githubusercontent.com/u/5137917?s=40&v=4)

1 parent 1561fa5 commit 15d5b57af2466eebd3bbc531ead5dafa35d0a36e

Showing with **1 addition** and **1 deletion**.

1.  +1 −1 src/Controller/ConfigController.php

@@ -50,7 +50,7 @@ private function buildItem($configuration): array

  

return \[

'id' => $name,

'text' => $name,

'text' => htmlspecialchars($name),

'type' => 'config',

'iconCls' => 'plugin\_pimcore\_datahub\_icon\_' . $type,

'expandable' => false,

**0 comments on commit `15d5b57`**

Please sign in to comment.

CVE-2022-0955: follow up to https://github.com/pimcore/data-hub/pull/462 · pimcore/data-hub@15d5b57

In halo 1.4.14, the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability.

**What is version of Halo has the issue?**

1.4.13

**What database are you using?**

Other

**What is your deployment method?**

Fat Jar

**Your site address.**

_No response_

**What happened?**

At the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability.

the file upload function points.

![image](https://user-images.githubusercontent.com/24983597/140877494-781922ee-d1a7-4c51-afa3-de6e55bbbc17.png)

upload HTML file, show success.

![image](https://user-images.githubusercontent.com/24983597/140877668-45aa7fa3-0ceb-4144-a79c-4b4080b60046.png)

access the HTML file, you can see that it is parsed by the browser.

![image](https://user-images.githubusercontent.com/24983597/140877908-7e50fb3d-7673-4ff5-999c-9f868d036d90.png)

If you upload malicious XSS code, you will get the user's token, like this

Payload

<script\>
	document.write(localStorage.getItem("halo\_\_Access-Token"));
	document.write("</br></br>")
	document.write(localStorage.getItem("halo\_\_USER"));
</script\>

![image](https://user-images.githubusercontent.com/24983597/140878341-f16a567d-2225-4b12-abd8-dc81ea8597d5.png)

![image](https://user-images.githubusercontent.com/24983597/140878445-9e41fa9c-6292-4ff6-b293-c59fc9fce694.png)

Analyzing the code, it can be seen that all suffixes can be uploaded, and there is no restriction on the suffix name of the file

![image](https://user-images.githubusercontent.com/24983597/140878939-e0f20b8d-ad31-47a1-abb9-a268c68c69e2.png)

Its recommended to only allow the parameter `extension` to be png.jpeg.jpg.gif.bmp or other image suffixes

![图片](https://user-images.githubusercontent.com/24983597/140879209-00872904-4453-49d0-800d-f15a2d0ff168.png)

**Relevant log output**

_No response_

**Additional information**

_No response_

CVE-2021-43659: Arbitrary file upload in the backend could cause a stored XSS vulnerability. · Issue #1522 · halo-dev/halo

Cross-site Scripting (XSS) - Stored in GitHub repository forkcms/forkcms prior to 5.11.1.

@@ -839,7 +839,7 @@ public static function processModuleXml(\\SimpleXMLElement $xml): array $information\['name'\] = (string) $module\->name; $information\['version'\] = (string) $module\->version; $information\['requirements'\] = (array) $module\->requirements; $information\['description'\] = (string) $module\->description; $information\['description'\] = strip\_tags((string) $module\->description, '<h1><h2><h3><h4><h5><h6><p><li><a>'); $information\['cronjobs'\] = \[\];  
// authors @@ -900,7 +900,7 @@ public static function processThemeXml(\\SimpleXMLElement $xml): array $information\['version'\] = (string) $theme\->version; $information\['requirements'\] = (array) $theme\->requirements; $information\['thumbnail'\] = (string) $theme\->thumbnail; $information\['description'\] = (string) $theme\->description; $information\['description'\] = strip\_tags((string) $theme\->description, '<h1><h2><h3><h4><h5><h6><p><li><a>');  
// authors foreach ($xml\->xpath('/theme/authors/author') as $author) {

CVE-2022-0145: Fix xss though the description in the info.xml file of a theme or module · forkcms/forkcms@981730f

Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.

CVE-2022-25266

Passwork On-Premise Edition before 4.6.13 allows migration/downloadExportFile Directory Traversal (to read files).

After authorization with the Owner account, it will be possible to read files located outside the web directory on the server

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25267

Passwork On-Premise Edition before 4.6.13 allows migration/uploadExportFile Directory Traversal (to upload files).

After logging in with the Owner account, an intruder has the ability to upload arbitrary files by sending specially generated HTTP requests

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25268

Passwork On-Premise Edition before 4.6.13 allows CSRF via the groups, password, and history subsystems.

CSRF token value does not change during the session and can be obtained by an attacker as a result of exploitation of the "Cross-site scripting" vulnerability.

Discoverer: Positive technologies, Arian Rakhimi

CVE-2022-25269

Passwork On-Premise Edition before 4.6.13 has multiple XSS issues.

An attacker can inject arbitrary HTML tags, including JavaScript scripts, into a page processed by a user's browser

Discoverer: Positive technologies, Roman Poneev

CVE-2022-25269: Description of CVE-2022-25266, CVE-2022-25267, CVE-2022-25268, CVE-2022-25269

The Photoswipe Masonry Gallery WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the thumbnail_width, thumbnail_height, max_image_width, and max_image_height parameters  found in the ~/photoswipe-masonry.php file which allows authenticated attackers to inject arbitrary web scripts into galleries created by the plugin and on the PhotoSwipe Options page. This affects versions up to and including 1.2.14.

On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to inject malicious JavaScript that executes whenever a site administrator accesses the PhotoSwipe Options page or a user accesses a page with a gallery created by the plugin.

All Wordfence users, including users of our Free, Premium, Care, and Response products are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting (XSS) protection.

We attempted to reach out to the developer day on November 11, 2021, the same day we discovered the vulnerability. We never received a response after a couple of follow-ups so we sent the full details to the WordPres.org plugins team on November 20, 2021. The plugin was fully patched on January 14, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Photoswipe Masonry Gallery”, which is version 1.2.18 at the time of this publication.

**Description:** Authenticated Stored Cross-Site Scripting  
**Affected Plugin:** Photoswipe Masonry Gallery  
**Plugin Slug:** photoswipe-masonry  
**Plugin Developer:** Web Design Gold Coast  
**Affected Versions:** <= 1.2.14  
**CVE ID:** CVE-2022-0750  
**CVSS Score:** 6.4 (Medium)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** 1.2.15

Photoswipe Masonry Gallery is a plugin designed to enhance gallery creation using the default WordPress gallery builder which can be added to WordPress pages and posts. As with many other plugins available in the WordPress repository, this plugin has the ability to set general options for the plugin. These settings translate over to any gallery that a site owner chooses to create and includes things like thumbnail width and height for images along with many other settings. Unfortunately, this plugin had a vulnerability that made it possible for attackers to modify these settings.

Diving deeper, the plugin registered an admin_menu action that hooked to the update function that controlled saving the plugins settings.

add\_action('admin\_menu', array('photoswipe\_plugin\_options', 'update'));

As with several other admin style hooks in WordPress, like wp_ajax, admin_post, and admin_init, the admin_menu hook checks to see if a user is accessing the administrative area of a site prior to loading the hooked function. It does not, however, validate that the user accessing the administrative area is an admin user. The admin_menu action does this to add additional menu pages to the administrative area of a WordPress site. This means that an authenticated user accessing the /wp-admin area of a vulnerable site will trigger the hook and ultimately execute the function associated with the hook. In this case that is the update function.

Due to the fact that the update function had no capability checks or nonce checks of it’s own, any authenticated user accessing the /wp-admin area of a vulnerable site could send a POST request with photoswipe_save set to true and update the settings of the plugin.

	public static function update() {

		if(isset($\_POST\['photoswipe\_save'\])) {

			$options = photoswipe\_plugin\_options::pSwipe\_getOptions();

			$options\['thumbnail\_width'\] = stripslashes($\_POST\['thumbnail\_width'\]);
			$options\['thumbnail\_height'\] = stripslashes($\_POST\['thumbnail\_height'\]);

			$options\['max\_image\_width'\] = stripslashes($\_POST\['max\_image\_width'\]);
			$options\['max\_image\_height'\] = stripslashes($\_POST\['max\_image\_height'\]);

Considering the thumbnail_width, thumbnail_height, max_image_width, and max_image_height parameters had no sanitization or validation, attackers could inject malicious JavaScript into the plugin’s settings which would result in the malicious JavaScript executing anytime an administrator accessed the plugins setting page or a user accessed a gallery that was created with the plugin. This malicious JavaScript could be used to redirect site visitors accessing a gallery to malicious domains for further infection or inject new administrative user accounts if an administrator accessed a page containing the malicious payload. As such, it is important to verify that your site has been updated to the latest version as soon as possible.

**Timeline**

**November 11, 2021** – Conclusion of the plugin analysis that led to the discovery of a Stored Cross-Site Scripting Vulnerability in the “Photoswipe Masonry Gallery” plugin. We verify that the Wordfence Firewall provides sufficient protection. We attempt to initiate contact with the developer.  
**November 30, 2021** – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer.  
**January 4, 2022** – We follow-up with the plugins team asking about a missing capability check on the vulnerable function. They inform us that they have let the developer know and they will have a release out by the end of the month.  
**January 14, 2022** – A fully patched version of the plugin is released as version 1.2.15.

**Conclusion**

In today’s post, we detailed a flaw in the “Photoswipe Masonry Gallery” plugin that made it possible for authenticated attackers to inject malicious web scripts that will execute whenever a site owner accesses the PhotoSwipe Options page or a gallery created with the plugin, which could lead to complete site compromise. This flaw has been fully patched in version 1.2.15.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 1.2.18 at the time of this publication.

All Wordfence users, including users of our Free, Premium, Care, and Response products are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting (XSS) protection.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

CVE-2022-0750: Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo Gallery Plugin

Stored Cross-Site Scripting (XSS) in Yoo Slider – Image Slider & Video Slider (WordPress plugin) allows attackers with contributor or higher user role to inject the malicious code.

**yoo-slider**

**Software**

**Yoo Slider**

**Vulnerable Versions**

**<= 2.0.0**

**Fixed in version**

**2.1.0**

**CVE**

**CVE-2022-25609**

**References**

**Credits**

**Classification**

**Cross Site Scripting (XSS)**

**OWASP Top 10**

**A7: Cross-Site Scripting (XSS)**

**Disclosure Date**

**2022-03-21**

**CVSS 3.0 score**

**Requires contributor or higher role user authentication.**

**Are your websites subject to this vulnerability?**

**Details**

**Stored Cross-Site Scripting (XSS) vulnerability discovered by Ngo Van Thien (Patchstack Alliance) in WordPress Yoo Slider plugin (versions <= 2.0.0).**

**Solution**

**Update the WordPress Yoo Slider plugin to the latest available version (at least 2.1.0).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-25609: WordPress Yoo Slider plugin <= 2.0.0 - Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Money Transfer Management System Version 1.0 allows an attacker to inject JavaScript code in the URL and then trick a user into visit the link in order to execute JavaScript code.

**Summary**

**Name**

Money Transfer Management System - DOM-Based XSS

**Code name**

Charles

**Product**

Money Transfer Management System

**Affected versions**

Version 1.0

**State**

Public

**Release date**

2022-03-15

**Vulnerability**

**Kind**

DOM-Based Cross-Site Scripting (XSS)

**Rule**

371\. DOM-Based Cross-Site Scripting (XSS)

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

**CVSSv3 Base Score**

4.3

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25221

**Description**

Money Transfer Management System **Version 1.0** allows an attacker to inject JavaScript code in the URL and then trick a user into visit the link in order to execute JavaScript code.

**Proof of Concept**

Steps to reproduce

1.  Send the following URL to a victim `http://127.0.0.1/mtms/admin/?page=xss';alert('XSS');//`
    
2.  If a victim visits the link the JavaScript code will be triggered.
    

System Information

*   Version: Money Transfer Management System version 1.0.
*   Operating System: Linux.
*   Web Server: Apache
*   PHP Version: 7.4
*   Database and version: MySQL

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

By 2022-03-15 there is not a patch resolving the issue.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of `Fluid Attacks`.

**References**

**Vendor page**

https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html

**Timeline**

*   2022-02-15: Vulnerability discovered.
    
*   2022-02-15: Vendor contacted.
    
*   2022-03-15: Public Disclosure.

CVE-2022-25221: Money Transfer Management System 1.0 - DOM-Based XSS | Fluid Attacks

The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12.

Tag

#xss