CVE-2023-23012 is assigned
Link: https://github.com/craigrodway/classroombookings
XSS vulnerability.
In file classroombookings-master\application\controllers\Weeks.php in function save_week
the input 'bgcol' will be saved in the DB and passed to the view when it will be printed without sanitization.
$data = array(
'name' => $this->input->post('name'),
'bgcol' => $this->input->post('bgcol'),
);
if ($week_id = $this->weeks_model->insert($data)) {
//...
}
In file classroombookings-master\application\models\Weeks_model.php
public function insert($data){
$data = $this->sleep_values($data);
$insert = $this->db->insert($this->table, $data);
return $insert ? $this->db->insert_id() : FALSE;
}
In file classroombookings-master\application\controllers\Weeks.php in function save_week
public function index(){
$this->data['weeks'] = $this->weeks_model->get_all();
$this->data['title'] = $this->data['showtitle'] = 'Timetable Weeks';
$body = $this->load->view('weeks/index', $this->data, TRUE);
$this->data['body'] = $body;
return $this->render();
}
In file classroombookings-master\application\models\Weeks_model.php
public function get_all(){
$query = $this->db->from($this->table)
->order_by('name', 'ASC')
->get();
if ($query->num_rows() > 0) {
$result = $query->result();
//..
return $result;
}
}
The In file C:\transfer_projects\classroombooking\classroombookings-master\application\views\weeks\index.php
<?php
foreach ($weeks as $week) {
//...
$dot = week_dot($week);
echo "<td style='text-align:center'>{$dot}</td>";
//...
}
?>
In file classroombookings-master\application\helpers\week_helper.php
function week_dot($week, $size = 'md')
{
$col = $week->bgcol;
$col = str_replace('#', '', $col);
$col = '#' . $col;
$out = "<span class='dot dot-week dot-size-{$size}' style='background-color:{$col}'></span>";
return $out;
}