Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2.

CVE-2023-1212

A vulnerability was found in WebKit. The flaw is triggered when processing maliciously crafted web content that may lead to arbitrary code execution. Improved memory handling addresses the multiple memory corruption issues.

*   Date Reported: **October 29, 2019**
    
*   Advisory ID: **WSA-2019-0005**
    
*   CVE identifiers: CVE-2019-8625, CVE-2019-8674, CVE-2019-8707, CVE-2019-8719, CVE-2019-8720, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8763, CVE-2019-8768, CVE-2019-8769, CVE-2019-8771.
    

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

*   CVE-2019-8625
    *   Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
*   CVE-2019-8674
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
*   CVE-2019-8707
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to an anonymous researcher working with Trend Micro’s Zero Day Initiative, cc working with Trend Micro Zero Day Initiative.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8719
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue was addressed with improved state management.
*   CVE-2019-8720
    *   Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
    *   Credit to Wen Xu of SSLab at Georgia Tech.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8726
    *   Versions affected: WebKitGTK before 2.24.3 and WPE WebKit before 2.24.3.
    *   Credit to Jihui Lu of Tencent KeenLab.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8733
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8735
    *   Versions affected: WebKitGTK before 2.24.2 and WPE WebKit before 2.24.2.
    *   Credit to G. Geshev working with Trend Micro Zero Day Initiative.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8763
    *   Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
    *   Credit to Sergei Glazunov of Google Project Zero.
    *   Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling.
*   CVE-2019-8768
    *   Versions affected: WebKitGTK before 2.24.0 and WPE WebKit before 2.24.0.
    *   Credit to Hugo S. Diaz (coldpointblue).
    *   Impact: A user may be unable to delete browsing history items. Description: “Clear History and Website Data” did not clear the history. The issue was addressed with improved data deletion.
*   CVE-2019-8769
    *   Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
    *   Credit to Piérre Reimertz (@reimertz).
    *   Impact: Visiting a maliciously crafted website may reveal browsing history. Description: An issue existed in the drawing of web page elements. The issue was addressed with improved logic.
*   CVE-2019-8771
    *   Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
    *   Credit to Eliya Stein of Confiant.
    *   Impact: Maliciously crafted web content may violate iframe sandboxing policy. Description: This issue was addressed with improved iframe sandbox enforcement.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

CVE-2019-8720: WebKitGTK and WPE WebKit Security Advisory WSA-2019-0005

QlikView 12.60.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the QvsViewClient functionality.

CVE-2022-42248

Cross Site Scripting (XSS) vulnerability in the DataTables plug-in 1.9.2 for jQuery allows attackers to run arbitrary code via the sBaseName parameter to function _fnCreateCookie. NOTE: 1.9.2 is a version from 2012.

/\*\* \* @summary DataTables \* @description Paginate, search and sort HTML tables \* @version 1.9.2 \* @file jquery.dataTables.js \* @author Allan Jardine (www.sprymedia.co.uk) \* @contact www.sprymedia.co.uk/contact \* \* @copyright Copyright 2008-2012 Allan Jardine, all rights reserved. \* \* This source file is free software, under either the GPL v2 license or a \* BSD style license, available at: \* http://datatables.net/license\_gpl2 \* http://datatables.net/license\_bsd \* \* This source file is distributed in the hope that it will be useful, but \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY \* or FITNESS FOR A PARTICULAR PURPOSE. See the license files for details. \* \* For details please refer to: http://www.datatables.net \*/ /\*jslint evil: true, undef: true, browser: true \*/ /\*globals $, jQuery,\_fnExternApiFunc,\_fnInitialise,\_fnInitComplete,\_fnLanguageCompat,\_fnAddColumn,\_fnColumnOptions,\_fnAddData,\_fnCreateTr,\_fnGatherData,\_fnBuildHead,\_fnDrawHead,\_fnDraw,\_fnReDraw,\_fnAjaxUpdate,\_fnAjaxParameters,\_fnAjaxUpdateDraw,\_fnServerParams,\_fnAddOptionsHtml,\_fnFeatureHtmlTable,\_fnScrollDraw,\_fnAdjustColumnSizing,\_fnFeatureHtmlFilter,\_fnFilterComplete,\_fnFilterCustom,\_fnFilterColumn,\_fnFilter,\_fnBuildSearchArray,\_fnBuildSearchRow,\_fnFilterCreateSearch,\_fnDataToSearch,\_fnSort,\_fnSortAttachListener,\_fnSortingClasses,\_fnFeatureHtmlPaginate,\_fnPageChange,\_fnFeatureHtmlInfo,\_fnUpdateInfo,\_fnFeatureHtmlLength,\_fnFeatureHtmlProcessing,\_fnProcessingDisplay,\_fnVisibleToColumnIndex,\_fnColumnIndexToVisible,\_fnNodeToDataIndex,\_fnVisbleColumns,\_fnCalculateEnd,\_fnConvertToWidth,\_fnCalculateColumnWidths,\_fnScrollingWidthAdjust,\_fnGetWidestNode,\_fnGetMaxLenString,\_fnStringToCss,\_fnDetectType,\_fnSettingsFromNode,\_fnGetDataMaster,\_fnGetTrNodes,\_fnGetTdNodes,\_fnEscapeRegex,\_fnDeleteIndex,\_fnReOrderIndex,\_fnColumnOrdering,\_fnLog,\_fnClearTable,\_fnSaveState,\_fnLoadState,\_fnCreateCookie,\_fnReadCookie,\_fnDetectHeader,\_fnGetUniqueThs,\_fnScrollBarWidth,\_fnApplyToChildren,\_fnMap,\_fnGetRowData,\_fnGetCellData,\_fnSetCellData,\_fnGetObjectDataFn,\_fnSetObjectDataFn,\_fnApplyColumnDefs,\_fnBindAction,\_fnCallbackReg,\_fnCallbackFire,\_fnJsonString,\_fnRender,\_fnNodeToColumnIndex,\_fnInfoMacros\*/ (/\*\* @lends \*/function($, window, document, undefined) { /\*\* \* DataTables is a plug-in for the jQuery Javascript library. It is a \* highly flexible tool, based upon the foundations of progressive \* enhancement, which will add advanced interaction controls to any \* HTML table. For a full list of features please refer to \* DataTables.net. \* \* Note that the _DataTable_ object is not a global variable but is \* aliased to _jQuery.fn.DataTable_ and _jQuery.fn.dataTable_ through which \* it may be accessed. \* \* @class \* @param {object} \[oInit={}\] Configuration object for DataTables. Options \* are defined by {@link DataTable.defaults} \* @requires jQuery 1.3+ \* \* @example \* // Basic initialisation \* $(document).ready( function { \* $('#example').dataTable(); \* } ); \* \* @example \* // Initialisation with configuration options - in this case, disable \* // pagination and sorting. \* $(document).ready( function { \* $('#example').dataTable( { \* "bPaginate": false, \* "bSort": false \* } ); \* } ); \*/ var DataTable = function( oInit ) { /\*\* \* Add a column to the list used for the table with default values \* @param {object} oSettings dataTables settings object \* @param {node} nTh The th element for this column \* @memberof DataTable#oApi \*/ function \_fnAddColumn( oSettings, nTh ) { var oDefaults = DataTable.defaults.columns; var iCol = oSettings.aoColumns.length; var oCol = $.extend( {}, DataTable.models.oColumn, oDefaults, { "sSortingClass": oSettings.oClasses.sSortable, "sSortingClassJUI": oSettings.oClasses.sSortJUI, "nTh": nTh ? nTh : document.createElement('th'), "sTitle": oDefaults.sTitle ? oDefaults.sTitle : nTh ? nTh.innerHTML : '', "aDataSort": oDefaults.aDataSort ? oDefaults.aDataSort : \[iCol\], "mDataProp": oDefaults.mDataProp ? oDefaults.oDefaults : iCol } ); oSettings.aoColumns.push( oCol ); /\* Add a column specific filter \*/ if ( oSettings.aoPreSearchCols\[ iCol \] === undefined || oSettings.aoPreSearchCols\[ iCol \] === null ) { oSettings.aoPreSearchCols\[ iCol \] = $.extend( {}, DataTable.models.oSearch ); } else { var oPre = oSettings.aoPreSearchCols\[ iCol \]; /\* Don't require that the user must specify bRegex, bSmart or bCaseInsensitive \*/ if ( oPre.bRegex === undefined ) { oPre.bRegex = true; } if ( oPre.bSmart === undefined ) { oPre.bSmart = true; } if ( oPre.bCaseInsensitive === undefined ) { oPre.bCaseInsensitive = true; } } /\* Use the column options function to initialise classes etc \*/ \_fnColumnOptions( oSettings, iCol, null ); } /\*\* \* Apply options for a column \* @param {object} oSettings dataTables settings object \* @param {int} iCol column index to consider \* @param {object} oOptions object with sType, bVisible and bSearchable \* @memberof DataTable#oApi \*/ function \_fnColumnOptions( oSettings, iCol, oOptions ) { var oCol = oSettings.aoColumns\[ iCol \]; /\* User specified column options \*/ if ( oOptions !== undefined && oOptions !== null ) { if ( oOptions.sType !== undefined ) { oCol.sType = oOptions.sType; oCol.\_bAutoType = false; } $.extend( oCol, oOptions ); \_fnMap( oCol, oOptions, "sWidth", "sWidthOrig" ); /\* iDataSort to be applied (backwards compatibility), but aDataSort will take \* priority if defined \*/ if ( oOptions.iDataSort !== undefined ) { oCol.aDataSort = \[ oOptions.iDataSort \]; } \_fnMap( oCol, oOptions, "aDataSort" ); } /\* Cache the data get and set functions for speed \*/ oCol.fnGetData = \_fnGetObjectDataFn( oCol.mDataProp ); oCol.fnSetData = \_fnSetObjectDataFn( oCol.mDataProp ); /\* Feature sorting overrides column specific when off \*/ if ( !oSettings.oFeatures.bSort ) { oCol.bSortable = false; } /\* Check that the class assignment is correct for sorting \*/ if ( !oCol.bSortable || ($.inArray('asc', oCol.asSorting) == -1 && $.inArray('desc', oCol.asSorting) == -1) ) { oCol.sSortingClass = oSettings.oClasses.sSortableNone; oCol.sSortingClassJUI = ""; } else if ( oCol.bSortable || ($.inArray('asc', oCol.asSorting) == -1 && $.inArray('desc', oCol.asSorting) == -1) ) { oCol.sSortingClass = oSettings.oClasses.sSortable; oCol.sSortingClassJUI = oSettings.oClasses.sSortJUI; } else if ( $.inArray('asc', oCol.asSorting) != -1 && $.inArray('desc', oCol.asSorting) == -1 ) { oCol.sSortingClass = oSettings.oClasses.sSortableAsc; oCol.sSortingClassJUI = oSettings.oClasses.sSortJUIAscAllowed; } else if ( $.inArray('asc', oCol.asSorting) == -1 && $.inArray('desc', oCol.asSorting) != -1 ) { oCol.sSortingClass = oSettings.oClasses.sSortableDesc; oCol.sSortingClassJUI = oSettings.oClasses.sSortJUIDescAllowed; } } /\*\* \* Adjust the table column widths for new data. Note: you would probably want to \* do a redraw after calling this function! \* @param {object} oSettings dataTables settings object \* @memberof DataTable#oApi \*/ function \_fnAdjustColumnSizing ( oSettings ) { /\* Not interested in doing column width calculation if autowidth is disabled \*/ if ( oSettings.oFeatures.bAutoWidth === false ) { return false; } \_fnCalculateColumnWidths( oSettings ); for ( var i=0 , iLen=oSettings.aoColumns.length ; i

CVE-2021-36713

In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.

CVE-2021-36398

In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.

CVE-2021-36401

In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.

CVE-2021-36399

PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php.

To search these vulnerabilities, I use the docker https://github.com/jperon/pmb/ and I simply change the URL in the Dockerfile to match the latest version (7.4.6).

**PMB 7.4.6 - Reflected XSS - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : XSS Reflected (Unauthenticated)
*   CWE-79

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in output. This allows an attacker to make a Reflected XSS on /pmb/admin/convert/export_z3950_new.php and /pmb/admin/convert/export_z3950.php endpoint via the same query parameter.

**Exploitation**

1.  Go to http://website.com/pmb/admin/convert/export_z3950_new.php or http://website.com/pmb/admin/convert/export_z3950.php
2.  Set parameter command to search and query to a JavaScript payload that end by =or (needed to bypass filter).
3.  Trigger your Reflected XSS: http://website.com/pmb/admin/convert/export_z3950.php?command=search&query=%3Cscript%3Ealert(document.domain);%3C/script%3E=or

**PoC**

Here is an example with an alert box :

**Remediation**

Sanitize the query parameter with htlmentities function.

**PMB 7.4.6 - SQL Injection - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : SQL Injection (Unauthenticated)
*   CWE-89

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in an SQL Query. This allows an attacker to make a SQL Injection on /pmb/edit.php endpoint via the user parameter. This SQL Injection can lead to an account takeover if the SESSID cookie of the admin account is extracted.

**Exploitation**

1.  Go to http://website.com/pmb/edit.php
2.  Set parameter action=whatever&dest=TABLEAUCSV and user to your SQL payload %27%20OR%201=1;%23&password=password
3.  Trigger your SQL Injection: http://website.com/pmb/edit.php?action=whatever&dest=TABLEAUCSV&user=%27%20OR%201=1;%23&password=password

**PoC**

Here is an example of a simple bypass :

**Remediation**

Use prepared SQL query.

**PMB 7.4.6 - Unrestricted File Upload - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : Unrestricted File Upload (Authenticated)
*   CWE-434

**Description**

The web app allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment or overwrite configuration files. An attacker can host malicious files (ending with #data-section to make simple the exploitation of the RCE, see the next section).

**Exploitation**

1.  Go to http://website.com/pmb/camera_upload.php
2.  Send a POST request with the parameters upload_filename that is the name of the file you want to upload and imgBase64 the file content to upload.
3.  To bypass the filter in place (image checking), your file need to starts with GIF89a.

**PoC**

Here is an example of a file upload :

**Remediation**

Check the extension of each file. DO NOT trust user input, and generate a random name for each file uploaded.

**PMB 7.4.6 - Remote Code Execution - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : XSS Reflected (Authenticated)
*   CWE-94

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in exec function. This allows an attacker to execute a shell command through the parameter decompress.

**Exploitation**

1.  Go to http://website.com/pmb/admin/sauvegarde/restaure_act.php
2.  filename parameter need to point to a file that ends with #data-section. The web app use fopen so it's possible to pass a URL to this parameter.
3.  compress parameter need to be 1.
4.  decompress_type need to be external.
5.  decompress it's your shell command. That can the id command.

**PoC**

Here is an example of a blind RCE :

**Remediation**

Never trust user input and if possible do not decompress file with any external command that are controlled by user input.

**PMB 7.4.6 - Open Redirect - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : Open Redirect (Unauthenticated)
*   CWE-601

**Description**

The web app accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

**Exploitation**

1.  Go to http://website.com/pmb/opac_css/pmb.php
2.  Set from parameter to empty.
3.  url parameter to the URL you want to redirect to.
4.  hash parameter to the md5 of your url parameter.

**PoC**

Here is an example of an Open Redirect :

**Remediation**

Check the domain with a whitelist.

**PMB 7.4.6 - SQL Injection - CVE-XXXX**

*   Affected version : 7.4.6
*   Vulnerability Type : SQL Injection (Unauthenticated)
*   CWE-89

**Description**

The web app incorrectly neutralizes user-controllable input before it is placed in an SQL Query. This allows an attacker to make a SQL Injection on /pmb/opac_css/export.php endpoint via the notice_id parameter. This SQL Injection can lead to an account takeover if the SESSID cookie of the admin account can be extracted.

**Exploitation**

1.  Go to http://website.com/pmb/opac_css/export.php
2.  Set action parameter to export.
3.  notice_id parameter need to start by es after that you can add your SQL payload.

**PoC**

Here is an example of an SQL Injection :

**Remediation**

Use prepared SQL Query or add simple quote in this specific SQL query.

CVE-2023-24737: CVE/PMB at main · AetherBlack/CVE

A vulnerability classified as problematic has been found in woo-popup Plugin up to 1.2.2. This affects an unknown part of the file admin/class-woo-popup-admin.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.3.0 is able to address this issue. The name of the patch is 7c76ac78f3e16015991b612ff4fa616af4ce9292. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222327.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2015-10095: Release 1.3.0: New version 1.3 fixing prettyPhoto XSS issue and video rendering · wp-plugins/woo-popup

Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.

**The Most Popular Open-Source Contact Center Solution in the World**

**Excellent Customer Satisfaction!**

 See what our customers have to say about VICIdial! ... Read More ...

**Award Winning**

With awards from CIO Review, Sourceforge, ITexpo and others, VICIdial is acknowledged as a best-in-class solution for contact centers.  ... Read More ...

**VICIdial Hosting with Dedicated Hardware**

If you don’t want to have to manage your own VICIdial equipment, then let the experts do it for you! The Vicidial Group’s VICIhost service can get you up and running today on your own dedicated server in our custom built server cloud. ... Read More ...

  

**VIDEO: What is the VICIdial Open-Source Contact Center Solution?**

This video explains what VICIdial is, how Open-Source Software works, why thousands of companies have chosen to use it, who the Vicidial Group is and what services we can offer to you. Would you like to read more about VICIdial? Click here to take a look at our Whitepaper. If you would like to ask us some questions about VICIdial,Read the Rest…

  

**VICIdial is used in many different industries and organizations**

You can find VICIdial in use at thousands of different companies and organizations all over the world. From a bank in Japan to a social club in the United States, all sorts of organizations trust VICIdial to communicate with their customers and members. Here is a small list of how organizations are using VICIdial on a daily basis to helpRead the Rest…

  

**VICIdial is the Most Popular Open-Source Contact Center**

VICIdial is the most popular Open-Source Contact Center Solution in the world. With over 14,000 installations in over 100 countries around the world. The agent screen is available in 16 different languages, with options to easily create your own custom translations as well. We have clients running VICIdial at call centers from 5 to 500 agents, handling over a millionRead the Rest…

  

**Inbound Calls, Outbound Calls, Email and Customer Website Chat**

Let your agents handle inbound and outbound phone calls as well as inbound email and customer website chat all together in the same web-based agent interface. With Skills-based routing and Queue Prioritization, you can have calls and emails go to the agents that can handle them the most efficiently. You can also have those agents handling outbound calls when theRead the Rest…

  

**VICIdial Dedicated Hosting**

You get your own physical servers in one of our hosting facilities. We have hundreds of servers in our private hosted clusters that we maintain just for our hosted call center services. We only use Tier-3 datacenters with multiple internet backbone connections and redundant power solutions, so you know your service is going to work. For more information about VICIhostRead the Rest…

Tag

#xss