XSS exists in /admin/task.php via the value of the name parameter. Attackers can inject arbitrary code in the client-side language via scope.

https://github.com/googlesamples/vue/tree/master/src/router/fetch/fetchData.js#L8
https://github.com/googlesamples/vue/tree/master/src/router/fetch/fetchData.js#L9
https://github.com/googlesamples/vue/tree/master/src/router/fetch/fetchData.js#L10
https://github.com/googlesamples/vue/tree/master/src/router

Summary

XSS exists in /admin/task.php via the value of the name parameter.

SQL Injection

SQL injection exists in /admin/task.php via the value of the name parameter. Attackers can manipulate SQL queries to exfiltrate sensitive information from the database server.

https://github.com/googlesamples/vue/tree/master/src/router/fetch/fetchData.js#L17

Bypass authentication to get access to admin functions

A cross-site scripting vulnerability exists in the Vue.js library, which allows attackers to bypass the authentication mechanism in order to run queries on an admin page. The vulnerability is due to a flaw that allows an attacker to insert script into the page via the client-side language and execute it within a browser session without any authorization or privilege escalation required.

Timeline

Published on: 09/14/2022 21:15:00 UTC
Last modified on: 09/16/2022 19:27:00 UTC

References