Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehelperchat prior to 3.99v. Attacker can execute malicious JS on Application :)

@@ -214,38 +214,68 @@ class NodeTriggerActionCommand extends Component { <input className\="form-control form-control-sm" type\="text" onChange\={(e) \=> this.onchangeAttr({'path':\['payload'\],'value':e.target.value})} defaultValue\={this.props.action.getIn(\['content','payload'\])} /\> </div\> </div\> <div className\="col-6"\>  
{this.props.action.getIn(\['content','payload\_arg\_type'\]) != 'count\_filter' && this.props.action.getIn(\['content','payload\_arg\_type'\]) != 'count' && this.props.action.getIn(\['content','payload\_arg\_type'\]) != 'ratio' && <div className\="col-6"\> <div className\="form-group"\> <label\>Chat variable value from group method</label\> <label\>Calculated value from group method</label\> <input className\="form-control form-control-sm" type\="text" onChange\={(e) \=> this.onchangeAttr({'path':\['payload\_cond\_field'\],'value':e.target.value})} defaultValue\={this.props.action.getIn(\['content','payload\_cond\_field'\])} /\> </div\> </div\> <div className\="col-4"\> </div\>}  
<div className\="col-12"\> <div className\="form-group"\> <label\>Group field (sentiment)</label\> <input className\="form-control form-control-sm" type\="text" onChange\={(e) \=> this.onchangeAttr({'path':\['payload\_arg\_field'\],'value':e.target.value})} defaultValue\={this.props.action.getIn(\['content','payload\_arg\_field'\])} /\> <label\>Group method</label\> <select className\="form-control form-control-sm" onChange\={(e) \=> this.onchangeAttr({'path' : \['payload\_arg\_type'\], 'value' : e.target.value})} defaultValue\={this.props.action.getIn(\['content','payload\_arg\_type'\])}\> <option value\=""\>Select group logic</option\> <optgroup label\="Grouping"\> <option value\="avg"\>AVG</option\> <option value\="sum"\>SUM</option\> <option value\="sum\_avg"\>SUM as comparator and AVG as value</option\> <option value\="max"\>MAX</option\> <option value\="min"\>MIN</option\> <option value\="count\_max"\>COUNT MAX (maximum number of grouped record)</option\> </optgroup\> <optgroup label\="Counting"\> <option value\="count"\>COUNT (total number of messages)</option\> <option value\="count\_filter"\>COUNT FILTER (filtered by group value field)</option\> <option value\="ratio"\>RATIO in comparison with all messages</option\> </optgroup\> </select\> </div\> </div\> <div className\="col-4"\> <label\>Group method</label\> <select className\="form-control form-control-sm" onChange\={(e) \=> this.onchangeAttr({'path' : \['payload\_arg\_type'\], 'value' : e.target.value})} defaultValue\={this.props.action.getIn(\['content','payload\_arg\_type'\])}\> <option value\=""\>Select group logic</option\> <option value\="count"\>COUNT (total number of messages)</option\> <option value\="avg"\>AVG</option\> <option value\="sum"\>SUM</option\> <option value\="sum\_avg"\>SUM as comparator and AVG as value</option\> <option value\="max"\>MAX</option\> <option value\="min"\>MIN</option\> <option value\="count\_max"\>COUNT MAX (maximum number of grouped record)</option\> <option value\="count\_filter"\>COUNT FILTER (filtered by group value field)</option\> </select\> </div\> <div className\="col-4"\>  
{this.props.action.getIn(\['content', 'payload\_arg\_type'\]) != 'count' && <div className\="col-6"\> <div className\="form-group"\> <label\>Group field (sentiment)</label\> <input className\="form-control form-control-sm" type\="text" onChange\={(e) \=> this.onchangeAttr({ 'path': \['payload\_arg\_field'\], 'value': e.target.value })} defaultValue\={this.props.action.getIn(\['content', 'payload\_arg\_field'\])}/\> </div\> </div\> }  
{this.props.action.getIn(\['content','payload\_arg\_type'\]) != 'count' && <div className\="col-6"\> <div className\="form-group"\> <label\>Group value field (sentiment\_value)</label\> {(this.props.action.getIn(\['content','payload\_arg\_type'\]) \== 'count\_filter' || this.props.action.getIn(\['content','payload\_arg\_type'\]) \== 'ratio') && <label\>Filter value</label\>} {this.props.action.getIn(\['content','payload\_arg\_type'\]) != 'count\_filter' && this.props.action.getIn(\['content','payload\_arg\_type'\]) != 'ratio' && <label\>Group value field. Eg (score field of the sentiment)</label\>} <input className\="form-control form-control-sm" type\="text" onChange\={(e) \=> this.onchangeAttr({'path':\['payload\_arg\_val'\],'value':e.target.value})} defaultValue\={this.props.action.getIn(\['content','payload\_arg\_val'\])} /\> </div\> </div\> </div\>}  
{ \['ratio','avg','sum\_avg','max','min','count\_max'\].indexOf(this.props.action.getIn(\['content','payload\_arg\_type'\])) !== \-1 && <div className\="col-12"\> <div className\="form-group"\> <label\>Use only if value is one of. If not defined all possible values will be used.</label\> <input className\="form-control form-control-sm" placeholder\="negative,positive" type\="text" onChange\={(e) \=> this.onchangeAttr({'path':\['payload\_arg\_val\_sum'\],'value':e.target.value})} defaultValue\={this.props.action.getIn(\['content','payload\_arg\_val\_sum'\])} /\> </div\> </div\>}  
<div className\="col-12"\> <label\>Messages to include</label\> <div className\="form-group"\>

CVE-2022-1530: 3.99v · LiveHelperChat/livehelperchat@edef7a8

A vulnerability, which was classified as problematic, was found in Emlog Pro up to 1.2.2. This POST parameter handling of articles. The manipulation with the input <script>alert(1);</script> leads to cross site scripting. It is possible to initiate the attack remotely but it requires a signup and login by the attacker. The exploit has been disclosed to the public and may be used.

CVE-2022-1526

The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2022-29907

FacturaScripts prior to version 2022.06 is vulnerable to stored cross-site scripting via upload plugin functionality in zip format.

**Cross site scripting in FacturaScripts**

Critical severity GitHub Reviewed Published Apr 29, 2022 • Updated Apr 29, 2022

GHSA-p3w3-4ppm-c3f6: Cross site scripting in FacturaScripts

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts into the user's browser.

### Acknowledgement

Keycloak would like to thank Quentin TEXIER (Pentester at Opencyber) for reporting this issue.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-m98g-63qj-fp8j

**Reflected XSS on clients-registrations endpoint**

Moderate severity GitHub Reviewed Published Apr 28, 2022 in keycloak/keycloak • Updated Apr 28, 2022

**Package**

maven org.keycloak:keycloak-parent (Maven )

**Affected versions**

\>= 10.0.0, < 18.0.0

**Description**

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts into the user's browser.

**Acknowledgement**

Keycloak would like to thank Quentin TEXIER (Pentester at Opencyber) for reporting this issue.

**References**

*   GHSA-m98g-63qj-fp8j

**Weaknesses**

**GHSA ID**

GHSA-m98g-63qj-fp8j

**Source code**

GHSA-m98g-63qj-fp8j: Reflected XSS on clients-registrations endpoint

### Impact
Not-stored XSS in storefront.
Request parameter were directly assigned to the template, so that malicious code could be send via an URL.

### Patches
We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/en/changelog-sw5/#5-7-9

For older versions you can use the Security Plugin:
https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html


### References
https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

**Reflected Cross-site Scripting in Shopware storefront**

Moderate severity GitHub Reviewed Published Apr 28, 2022 in shopware/shopware • Updated Apr 29, 2022

GHSA-4g29-fccr-p59w: Reflected Cross-site Scripting in Shopware storefront

Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS).

Like Access, from basic features such as table management, form and report generator as well as charting and workflow features it can be dynamically modeled with one another to any product solution. Limbas is based on PHP.

**Features**

*   quickly create webbased applications
*   completly webbased for allmost all browsers
*   easy to use graphical userinterface
*   graphical wizzards for building views, forms and reports
*   support of many databases like maxdb, postgresql, ingres, mssql
*   Administration tools for backup and export, rulemanagement, triggers and more
*   integrated filemanager with DMS functionality
*   integrated ajax-based calendar
*   reminder functionality with sending reminders to users or groups
*   recursiv versioning of datasets and files
*   support SOAP and WEBDAV interfaces
*   YII-Framework connection class for limbas

**License**GNU General Public License version 2.0 (GPLv2)

Other Useful Business Software

Discover HPCC Systems - the truly open source big data solution that allows you to quickly process, analyze and understand large data sets, even data stored in massive, mixed-schema data lakes. Designed by data scientists, HPCC systems is a complete integrated solution from data ingestion and data processing to data delivery. The free online introductory courses and a robust developer community allow you to get started quickly.

**User Ratings**

5.0 out of 5 stars

★★★★★

★★★★

★★★

★★

★

ease 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5 0 / 5

features 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5 0 / 5

design 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5 0 / 5

support 1 of 5 2 of 5 3 of 5 4 of 5 5 of 5 0 / 5

**User Reviews**

*   All
*   ★★★★★
*   ★★★★
*   ★★★
*   ★★
*   ★

*   1 user found this review helpful.
    
*   A powerful system very flexible and easy to handle. Using a browser to access LIMBAS gives you the possibility to work from any location and device. No license fees.
    
*   looks like the answer of my prayers :-)
    

Read more reviews >

**Additional Project Details**

**Languages**French, English, German

**Intended Audience**Information Technology, Developers, End Users/Desktop

**User Interface**Web-based

**Programming Language**PHP

**Database Environment**Other network-based DBMS, ODBC

**Registered**

2006-01-04

CVE-2022-28454: Limbas

WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS).

**Latest commit**

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

CVE-2022-28477: GitHub - APTX-4879/CVE

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit ????? plugin <= 3.1.6 on WordPress via &title parameter.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of April 25, 2022 and is not available for download. This closure is temporary, pending a full review.

知道该插件已经是好几年前了，之后很少有机会在网上写博客了，所以可能就不会再用到这个插件了，直到前几天又要做个小东西，我想到了这个插件，发现作者还在更新，百感交集，先不谈插件好不好，单单作者这份坚持和用心，就已经打动了我，当然，作者写的插件易用小巧，适用多环境下，这也是我第一次给WordPress widget评价，对作者的坚持表示敬佩和感谢。 PS：如果能支持一下微信小程序就更好了，现在我是通过Webview来使用的，经过简单的模板适配，依然适用！

用了两年了，作者一直有在不断更新！这是目前能用的到的最简洁、美观、实用的音乐播放插件，支持网易和虾米。虽然还有一部分音乐版权在QQ音乐手上，但是已经知足了，毕竟同类可以调用三者的插件UI简直辣眼睛。

Read all 4 reviews

“Hermit 音乐播放器” is open source software. The following people have contributed to this plugin.

Contributors

*    mu feng

Tag

#xss