Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-3942 PoC — HP 多款产品跨站脚本漏洞

Source
https://github.com/maikroservice/CVE-2022-3942
Associated Vulnerability
Title:HP 多款产品跨站脚本漏洞 (CVE-2022-3942)
Description:HP Color LaserJet Pro等都是美国惠普(HP)公司的产品。HP Color LaserJet Pro是一系列彩色打印机。HP PageWide Pro是一系列多功能打印机。HP LaserJet Printers是一系列打印机。 HP 多款产品存在安全漏洞,该漏洞源于在将用户提供的数据复制到固定长度的基于堆栈的缓冲区之前缺乏对长度的正确验证。攻击者可以利用此漏洞在 root 上下文中执行代码。
Readme
# CVE-2022-3942

Cross Site Scripting in Sanitization Management System

Description: A cross-site scripting (XSS) vulnerability in Sanitization Management System v1.0 allows potential attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Remarks or Address Fields of the Request Quote Form. As soon as the logged-in staff or admin user opens the quote the XSS is triggered - coupled with the fact that the cookie has no HttpOnly Flag this could be used to steal cookies of logged-in users.


How to Reproduce:
<img width="1092" alt="XSS_CVE_2022-3942" src="https://user-images.githubusercontent.com/20245897/201322144-e0e4736b-dce6-48d9-bea7-6db3b2f4d5f5.png">

<img width="358" alt="Form submission" src="https://user-images.githubusercontent.com/20245897/201322343-40c7471b-2ab5-426d-8e82-af5ef1142d8e.png">
<img width="1184" alt="request opened" src="https://user-images.githubusercontent.com/20245897/201322462-863ac592-b2bd-44ec-aba3-4bcca81acf23.png">
<img width="820" alt="cookies stolen" src="https://user-images.githubusercontent.com/20245897/201322505-a5995abc-91c8-4855-874b-1786af0b869e.png">
File Snapshot

 [4.0K]  /data/pocs/f3bece6dacda23225f94e338196ea96f70e65964
└── [1.1K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.