CVE-2023-30256
Published: 2023-05-11
Priority: P3 · 41 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: available
EPSS: 8.73% (94.5th percentile)
Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| maradns | maradns | >= 0 < 2.0.13-1.4+deb11u1build0.20.04.1 | 2.0.13-1.4+deb11u1build0.20.04.1 |
| maradns | maradns | >= 0 < 2.0.13-1.4+deb11u1build0.22.04.1 | 2.0.13-1.4+deb11u1build0.22.04.1 |
| maradns | maradns | >= 0 < 2.0.13-1ubuntu0.1~esm1 | 2.0.13-1ubuntu0.1~esm1 |
| maradns | maradns | >= 0 < 2.0.13-1.2ubuntu0.1~esm1 | 2.0.13-1.2ubuntu0.1~esm1 |
| webkul | qloapps | — | — |
Detection & IOCs (extracted from sources)
- url: `/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d`
- command: `controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d`
Detection notes:
- Detect XSS exploitation attempts against the `back` GET parameter on the QloApps authentication controller endpoint by looking for onfocus/autofocus injection patterns in the URL.
- Detect XSS exploitation attempts against the `email_create` POST parameter by looking for `<img src=a onerror=` payloads in the POST body sent to the authentication controller.
- Match an HTTP response body containing both `xss onfocus=alert(document.domain) autofocus= xss` and `hasConfirmation` as an indicator of successful XSS reflection.
- Flag requests to `controller=authentication` with `SubmitCreate=1&ajax=true` combined with XSS payloads in the `back` or `email_create` parameters.
Caveats:
- The static token value `6c62b773f1b284ac4743871b300a0c4d` appears in all PoC requests; however, this may be a fixed demo token specific to the test instance and may differ in real deployments.
- The `email_create` XSS payload only works via a POST request, while the `back` parameter XSS is exploitable via both GET and POST requests.
CVSS provenance
- nvd: v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- osv: 7.5 HIGH
OSV
maradns vulnerabilities
osv · 2023-08-03 · CVSS 7.5
CVE-2022-30256 maradns vulnerabilities
Xiang Li discovered that MaraDNS incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. (CVE-2022-30256)
Huascar Tejeda discovered that MaraDNS incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-31137)
GHSA
GHSA-45cr-xqhm-p6r9: Cross Site Scripting vulnerability found in Webkil QloApps v
ghsa_unreviewed · 2023-05-11
CVE-2023-30256 [MEDIUM] CWE-79 GHSA-45cr-xqhm-p6r9: Cross Site Scripting vulnerability found in Webkil QloApps v
Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
No detection rules found.
Exploit-DB
Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
exploitdb · 2023-05-23 · CVSS 6.1
CVE-2023-30256 [MEDIUM] Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
---
# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
# Date: 15 May 2023
# Exploit Author: Astik Rawat (ahrixia)
# Vendor Homepage: https://qloapps.com/
# Software Link: https://github.com/webkul/hotelcommerce
# Version: 1.5.2
# Tested on: Kali Linux 2022.4
# CVE : CVE-2023-30256
Description:
A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps, which is a free and open-source hotel reservation & online booking system written in PHP and distributed under the OSL-3.0 licence.
Steps to exploit:
1) Go to the Sign-in page on the system.
2) There are two parameters which can be exploited via XSS:
   - back
   - email_create
2.1) Insert your payload in the "back" parameter (GET and POST request).
Proof of concept (Poc):
The following p
Nuclei
Webkul QloApps 1.5.2 - Cross-site Scripting
nuclei · CVSS 6.1
CVE-2023-30256 [MEDIUM] Webkul QloApps 1.5.2 - Cross-site Scripting
Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
Template:
```yaml
id: CVE-2023-30256

info:
  name: Webkul QloApps 1.5.2 - Cross-site Scripting
  author: theamanrawat
  severity: medium
  description: |
    Cross Site Scripting vulnerability found in Webkil QloApps v.1.5.2 allows a remote attacker to obtain sensitive information via the back and email_create parameters in the AuthController.php file.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement.
  remediation:
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/172542/Webkul-Qloapps-1.5.2-Cross-Site-Scripting.html
- https://github.com/ahrixia/CVE-2023-30256
- https://github.com/webkul/hotelcommerce
- https://qloapps.com/