Description
GibbonEdu Gibbon through version 25.0.0 allows a file upload via /modules/Planner/resources_addQuick_ajaxProcess.php that results in cross-site scripting (XSS). The imageAsLinks parameter must be set to Y for the endpoint to return HTML code, and the filename attribute of the bodyfile1 parameter is reflected unescaped in that response.
Remediation
References