A vulnerability classified as problematic has been found in Fast Food Ordering System 1.0. Affected is the file Master.php of the Master List. The manipulation of the argument Description with the input foo "><img src="" onerror="alert(document.cookie)"> leads to cross site scripting. It is possible to launch the attack remotely but it requires authentication. Exploit details have been disclosed to the public.

Vulnerable Parameters: Body.

Create a New List

**Attack Vector:**  
This vulnerability can results attacker to inject the XSS payload into the Description box and each time  
any user will go to that LIST, the XSS triggers, and the attacker can able to steal the cookie according to the crafted payload.

**POC :**

1

Enter the payload and save it

2

Payload trigger and it pops up the PHP cookie as shown in the evidence

**Steps-To-Reproduce:**  
1\. Login into Fast Food Ordering System CMS admin panel.  
2\. Now go to the Master List > Category List> Create New.  
3\. Now paste the below payload in the Description field.  
Ashish “><img src=”” onerror=”alert(document.cookie)”>  
4\. Now click on the save button.  
5\. The XSS will be triggered.

**Stored Cross-site scripting(XSS):**  
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

CVE-2022-1991: Fast Food Ordering System 1.0 Cross-Site Scripting - CYBERTHOTH - Medium

A reflected cross-site scripting (XSS) vulnerability in the login portal of Avantune Genialcloud ProJ - 10 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

\# Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting) # Date: 2022-06-01 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.avantune.com # Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com # Version: 10 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39) # CVE: CVE-2022-29296 Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject and execute arbitrary web scripts or HTML via a crafted payload. Request parameters affected is "msg". PoC Request: GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1 Host: \[REDACTED\] Cookie: ASP.NET\_SessionId=3recnmmlpo1glzzyejdoezk2 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate Accept: \*/\* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Connection: close Cache-Control: max-age=0 PoC Response: HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 11 May 2022 10:51:10 GMT Connection: close Content-Length: 8162 var Msg = 'Invalid username or password';alert("y0! XSS here :)")//'; ...\[SNIP\]... Timeline: 2022-01-05: Vulnerability discovered. 2022-01-06: Vendor contacted. 2022-02-07: No reply, vendor contacted for 2nd time. 2022-02-10: Request for CVE reservation. 2022-04-16: Assigned CVE number CVE-2022-29296. 2022-05-07: No reply, vendor contacted for 3rd time. 2022-06-01: Public disclosure. PoC Screenshots: https://imagebin.ca/v/6j86ekMqKZD8 https://postimg.cc/XXv6YbK9

CVE-2022-29296

SeedDMS versions 6.0.18 and 5.1.25 and below are vulnerable to stored XSS. An attacker with admin privileges can inject the payload inside the "Role management" menu and then trigger the payload by loading the "Users management" menu

**Description**

SeedDMS versions 6.0.18 and 5.1.25 are prone to stored XSS. It is possible to inject javascript code inside the "Role management" menu, inside the name field, and then trigger the payload by loading the "Users management" menu

**POC**

Injecting the payload

Triggering the payload

**Remediation**

Sanitize user input using "htmlspecialchars" php function

**Reference**

https://sourceforge.net/p/seeddms/code/ci/9e92524fdbd1e7c3e6771d669f140c62389ec375/

**Timeline**

*   \[28/03/2022\] Vulnerability evidence sent to the vendor
*   \[28/03/2022\] Vulnerability confirmed by the vendor
*   \[28/03/2022\] Vulnerability fixed by the vendor

**Notes**

Thanks to the main developer of SeedDMS, Uwe Steinmann, that immediately acknowledged the vulnerability and fixed it.

CVE-2022-28479: Responsible-Vulnerability-Disclosure/CVE-2022-28479 at main · looCiprian/Responsible-Vulnerability-Disclosure

The "Add category" functionality inside the "Global Keywords" menu in "SeedDMS" version 6.0.18 and 5.1.25, is prone to stored XSS which allows an attacker to inject malicious javascript code.

**CVE****Description**

SeedDMS versions 6.0.18 and 5.1.25 are prone to stored XSS. The "Add category" functionality inside the "Global keywords" menu does not sanitize user input allowing javascript injection.

**POC**

Injecting the payload

By pressing the "Add category" button the malicious payload is saved and triggered by the application

**Remediation**

Escape user input by using "htmlspecialchars" php function

**Reference**

https://sourceforge.net/p/seeddms/code/ci/6fc17be5d95e8f00fbe5c124c4acd377fa2ce69d/

**Timeline**

*   \[22/03/2022\] Vulnerability evidence sent to the vendor
*   \[23/03/2022\] Vulnerability confirmed by the vendor
*   \[23/03/2022\] Vulnerability fixed by the vendor

**Notes**

Thanks to the main developer of SeedDMS, Uwe Steinmann, that immediately acknowledged the vulnerability and fixed it.

CVE-2022-28051: Responsible-Vulnerability-Disclosure/README.md at main · looCiprian/Responsible-Vulnerability-Disclosure

BI Launchpad and CMC in SAP Business Objects Business Intelligence Platform, versions 4.1, 4.2, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Exploit is possible only when the bttoken in victim’s session is active.

CVE-2020-6220

LibreHealth EHR Base 2.0.0 allows gacl/admin/acl_admin.php acl_id XSS.

Tags give the ability to mark specific points in history as being important

CVE-2022-31493: Tags · LibreHealth / LibreHealth EHR / LibreHealth EHR Base · GitLab

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

CVE-2022-23712: Security issues

A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issues

CVE-2022-1940

FUDforum 3.1.2 is vulnerable to Stored XSS via Forum Name field in Forum Manager Feature.

**What is XSS**  
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end-user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Affected Version- 3.1.2

Demo installation: https://localhost/Fudforum-3.1.2/

**Reproduce bug:**  
Step 1 : Login with admin account and go to the Admin Control Panel.  
Step 2: In Categories & Forums, use Forum Manager to add new Forum to Private Forums.  
Step 3: Inject XSS payload to Forum Name field and complete Add Forum  
XSS payload : a<img src=x onerror=alert('xss')>  
Step 4: Go back to http://localhost/FUDforum-3.1.2/index.php  
Or Go to http://localhost/FUDforum-3.1.2/adm/admgroups.php?&SQ=1da883e1cc4e8df02d59bcf5fc8edf54  
\-> XSS bug trigger

**Impact of XSS:**

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

Perform any action within the application that the user can perform.  
View any information that the user is able to view.  
Modify any information that the user is able to modify.  
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.  
With the help of XSS a hacker or attacker can perform social engineering on users by redirecting them from real website to fake one. hacker can steal their cookies and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.

CVE-2022-30861: Cross Site Scripting · Issue #24 · fudforum/FUDforum

FlatCore-CMS 2.0.9 has a cross-site scripting (XSS) vulnerability in pages.edit.php through meta tags and content sections.

**Describe the bug**  
Meta etiketlere ve içeriğe yazılan xss yükünü filtrelememek

https://owasp.org/www-community/attacks/xss/

**To Reproduce**  
Steps to reproduce the behavior:  
1-) press create new page from home page

2-) Enter the meta tags and content e xss payload

3-) go to admin panel and press go to home page button and xss pop-up

**Expected behavior**  
A clear and concise description of what you expected to happen.

**Screenshots**  
If applicable, add screenshots to help explain your problem.

**Additional context**  
POC : https://www.youtube.com/watch?v=wmQf0B3Sa6c

Tag

#xss