By Waqas
Firmware Vulnerability Found in Bosch Thermostat Model BCC100: Patch Now or Freeze.
This is a post from HackRead.com Read the original post: Hackers can hijack your Bosch Thermostat and Install Malware

Bitdefender Labs has discovered that the popular Bosch thermostat model BCC100 is vulnerable to cybersecurity threats. This vulnerability could allow a remote attacker to manipulate settings and install malware on the device.

Researchers have discovered vulnerabilities in the Bosch BCC100 thermostat, which could compromise users’ privacy and comfort. The vulnerabilities, discovered by Bitdefender Labs, allow attackers to access thermostat settings and data, manipulate settings remotely, and install malware.

The latest revelations regarding the vulnerable state of IoT devices should not be surprising. From electronic skateboards to coffee machines, from treadmills to security cameras in your room, everything connected to the internet is susceptible to potential threats.

As for the latest development, Bitdefender Labs, creator of the first smart home cybersecurity hub, regularly audits popular IoT hardware for vulnerabilities. Its latest research has revealed vulnerabilities in the Bosch BCC100 thermostat, affecting versions 1.7.0 – HD Version 4.13.22.

Bitdefender researchers discovered the vulnerability on August 29, 2023, but the details of it were only published on January 11, 2024. The vulnerability allows attackers to replace device firmware with a rogue version (CVE-2023-49722). The vulnerability was confirmed and triaged in October 2023, and Bosch started working on a fix immediately. Bitdefender responsibly disclosed the flaw on January 11, 2024.

To understand the flaw, it is essential to know how the BCC100 thermostat works. The thermostat uses two microcontrollers: a Hi-Flying chip (HF-LPT230) for Wi-Fi functionality and an STMicroelectronics chip (STM32F103) for implementing the main logic.

The STM chip lacks networking capabilities and relies on the Wi-Fi chip for communication. The Wi-Fi chip listens on TCP port 8899 on the LAN and, via the UART data bus, it mirrors any message received directly to the main microcontroller.

However, if properly formatted, the microcontroller cannot differentiate between malicious and genuine messages sent by the cloud server. An attacker can exploit this to send commands to the thermostat, including malicious updates.

The thermostat communicates with the connect.boschconnectedcontrol.com server via JSON-encoded payloads over a WebSocket, which are unmasked, and easy to imitate. The device initiates the “device/update” command on port 8899, triggering the thermostat to request details from the cloud server.

Despite an error code, the device accepts a forged response with the firmware update details, including the URL, size, MD5 checksum, and version. The device then requests the cloud server to download the firmware and send it through the WebSocket, ensuring the URL is accessible. Once the device receives the file, it performs the upgrade, finalizing the compromise.

According to Bitdefender Labs’ blog post, users are advised to follow necessary security practices. This includes updating the thermostat firmware, changing the default administrative password, avoiding connecting the thermostat to the internet unnecessarily, and using a firewall to restrict access from unauthorized devices.

Bitdefender Labs has stressed the significance of selecting secure smart home devices and ensuring their timely updates with the latest security patches. For specific details, refer to Bosch’s security advisory published on January 9, 2023.

Nevertheless, this research highlights that even seemingly innocuous smart devices can pose security risks. As the smart home market continues to grow, manufacturers must prioritize security and ensure a safe and reliable connected environment.

1.  **The Pros and Cons of Smart Homes**
2.  **Are Smart Home Devices Invading Your Privacy?**
3.  **White hat hacker infects smart coffee machine with ransowmare**
4.  **AXIS A1001 Network Door Controller Flaw Exposes Secure Facilities**
5.  **Controller-level flaws can let hackers physically damage moving bridges**
6.  **Power Grids to Airports: TETRA Radio Hacking Risks Global Infrastructure**

Hackers can hijack your Bosch Thermostat and Install Malware

GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction.
Tracked as CVE-2023-7028, the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address.
The

DevSecOps / Software security

GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction.

Tracked as **CVE-2023-7028**, the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address.

The DevSecOps platform said the vulnerability is the result of a bug in the email verification process, which allowed users to reset their password through a secondary email address.

It affects all self-managed instances of GitLab Community Edition (CE) and Enterprise Edition (EE) using the below versions -

*   16.1 prior to 16.1.6
*   16.2 prior to 16.2.9
*   16.3 prior to 16.3.7
*   16.4 prior to 16.4.5
*   16.5 prior to 16.5.6
*   16.6 prior to 16.6.4
*   16.7 prior to 16.7.2

GitLab said it addressed the issue in GitLab versions 16.5.6, 16.6.4, and 16.7.2, in addition to backporting the fix to versions 16.1.6, 16.2.9, 16.3.7, and 16.4.5. The company further noted the bug was introduced in 16.1.0 on May 1, 2023.

"Within these versions, all authentication mechanisms are impacted," GitLab said. "Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login."

Also patched by GitLab as part of the latest update is another critical flaw (CVE-2023-5356, CVSS score: 9.6), which permits a user to abuse Slack/Mattermost integrations to execute slash commands as another user.

To mitigate any potential threats, it's advised to upgrade the instances to a patched version as soon as possible and enable 2FA, if not already, particularly for users with elevated privileges.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Urgent: GitLab Releases Patch for Critical Vulnerabilities - Update ASAP

Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments.
"This attack is particularly intriguing due to the attacker's use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier

Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments.

"This attack is particularly intriguing due to the attacker's use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier this week. "The malware deletes contents of specific directories and modifies system configurations to evade detection."

The infection chain targeting Hadoop leverages a misconfiguration in the YARN's (Yet Another Resource Negotiator) ResourceManager, which is responsible for tracking resources in a cluster and scheduling applications.

Specifically, the misconfiguration can be exploited by an unauthenticated, remote threat actor to execute arbitrary code by means of a crafted HTTP request, subject to the privileges of the user on the node where the code is executed.

The attacks aimed at Apache Flink, likewise, take aim at a misconfiguration that permits a remote attacker to achieve code execution sans any authentication.

These misconfigurations are not novel and have been exploited in the past by financially motivated groups like TeamTNT, which is known for its history of targeting Docker and Kubernetes environments for the purpose of cryptojacking and other malicious activities.

But what makes the latest set of attacks noteworthy is the use of rootkits to hide crypto mining processes after obtaining an initial foothold into Hadoop and Flink applications.

"The attacker sends an unauthenticated request to deploy a new application," the researchers explained. "The attacker is able to run a remote code by sending a POST request to the YARN, requesting to launch the new application with the attacker's command."

The command is purpose-built to clear the /tmp directory of all existing content, fetch a file called "dca" from a remote server, and execute it, followed by deleting all files in the /tmp directory once again.

The executed payload is a packed ELF binary that acts as a downloader to retrieve two rootkits and a Monero cryptocurrency miner binary. It's worth pointing out that various adversaries, including Kinsing, have resorted to employing rootkits to conceal the presence of the mining process.

To achieve persistence, a cron job is created to download and execute a shell script that deploys the 'dca' binary. Further analysis of the threat actor's infrastructure reveals that the staging server used to fetch the downloader was registered on October 31, 2023.

As mitigations, it's recommended that organizations deploy agent-based security solutions to detect cryptominers, rootkits, obfuscated or packed binaries, as well as other suspicious runtime behaviors.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The issue, tracked as CVE-2023-29357 (CVSS score: 9.8), is a privilege escalation flaw that could be exploited by an attacker to gain

Cyber Attack / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The issue, tracked as **CVE-2023-29357** (CVSS score: 9.8), is a privilege escalation flaw that could be exploited by an attacker to gain administrator privileges. Microsoft released patches for the bug as part of its June 2023 Patch Tuesday updates.

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Redmond said. "The attacker needs no privileges nor does the user need to perform any action."

Security researcher Nguyễn Tiến Giang (Jang) of StarLabs SG demonstrated an exploit for the flaw at the Pwn2Own Vancouver hacking contest, earning a $100,000 prize.

The pre-authenticated remote code execution chain combines authentication bypass (CVE-2023–29357) with a code injection bug (CVE-2023-24955, CVSS score: 7.2), the latter of which was patched by Microsoft in May 2023.

"The process of discovering and crafting the exploit chain consumed nearly a year of meticulous effort and research to complete the full exploit chain," Tiến Giang noted in a technical report published in September 2023.

Additional specifics of the real-world exploitation of CVE-2023–29357 and the identity of the threat actors that may be abusing them are presently unknown. That said, federal agencies are recommended to apply the patches by January 31, 2024, to secure against the active threat.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability 

Ubuntu Security Notice 6578-1 - Vishal Mishra and Anita Gaud discovered that .NET did not properly validate X.509 certificates with malformed signatures. An attacker could possibly use this issue to bypass an application's typical authentication logic. Morgan Brown discovered that .NET did not properly handle requests from unauthenticated clients. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6578-1  
January 11, 2024

dotnet6, dotnet7, dotnet8 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 23.04  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in dotnet6, dotnet7, and dotnet8.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime  
- dotnet8: dotNET CLI tools and runtime

Details:

Vishal Mishra and Anita Gaud discovered that .NET did not properly  
validate X.509 certificates with malformed signatures. An attacker  
could possibly use this issue to bypass an application's typical  
authentication logic. (CVE-2024-0057)

Morgan Brown discovered that .NET did not properly handle requests from  
unauthenticated clients. An attacker could possibly use this issue to  
cause a denial of service. (CVE-2024-21319)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   aspnetcore-runtime-6.0          6.0.126-0ubuntu1~23.10.1  
   aspnetcore-runtime-7.0          7.0.115-0ubuntu1~23.10.1  
   aspnetcore-runtime-8.0          8.0.1-0ubuntu1~23.10.1  
   dotnet-host                     6.0.126-0ubuntu1~23.10.1  
   dotnet-host-7.0                 7.0.115-0ubuntu1~23.10.1  
   dotnet-host-8.0                 8.0.1-0ubuntu1~23.10.1  
   dotnet-hostfxr-6.0              6.0.126-0ubuntu1~23.10.1  
   dotnet-hostfxr-7.0              7.0.115-0ubuntu1~23.10.1  
   dotnet-hostfxr-8.0              8.0.1-0ubuntu1~23.10.1  
   dotnet-runtime-6.0              6.0.126-0ubuntu1~23.10.1  
   dotnet-runtime-7.0              7.0.115-0ubuntu1~23.10.1  
   dotnet-runtime-8.0              8.0.1-0ubuntu1~23.10.1  
   dotnet-sdk-6.0                  6.0.126-0ubuntu1~23.10.1  
   dotnet-sdk-7.0                  7.0.115-0ubuntu1~23.10.1  
   dotnet-sdk-8.0                  8.0.101-0ubuntu1~23.10.1  
   dotnet6                         6.0.126-0ubuntu1~23.10.1  
   dotnet7                         7.0.115-0ubuntu1~23.10.1  
   dotnet8                         8.0.101-8.0.1-0ubuntu1~23.10.1

Ubuntu 23.04:  
   aspnetcore-runtime-6.0          6.0.126-0ubuntu1~23.04.1  
   aspnetcore-runtime-7.0          7.0.115-0ubuntu1~23.04.1  
   dotnet-host                     6.0.126-0ubuntu1~23.04.1  
   dotnet-host-7.0                 7.0.115-0ubuntu1~23.04.1  
   dotnet-hostfxr-6.0              6.0.126-0ubuntu1~23.04.1  
   dotnet-hostfxr-7.0              7.0.115-0ubuntu1~23.04.1  
   dotnet-runtime-6.0              6.0.126-0ubuntu1~23.04.1  
   dotnet-runtime-7.0              7.0.115-0ubuntu1~23.04.1  
   dotnet-sdk-6.0                  6.0.126-0ubuntu1~23.04.1  
   dotnet-sdk-7.0                  7.0.115-0ubuntu1~23.04.1  
   dotnet6                         6.0.126-0ubuntu1~23.04.1  
   dotnet7                         7.0.115-0ubuntu1~23.04.1

Ubuntu 22.04 LTS:  
   aspnetcore-runtime-6.0          6.0.126-0ubuntu1~22.04.1  
   aspnetcore-runtime-7.0          7.0.115-0ubuntu1~22.04.1  
   dotnet-host                     6.0.126-0ubuntu1~22.04.1  
   dotnet-host-7.0                 7.0.115-0ubuntu1~22.04.1  
   dotnet-hostfxr-6.0              6.0.126-0ubuntu1~22.04.1  
   dotnet-hostfxr-7.0              7.0.115-0ubuntu1~22.04.1  
   dotnet-runtime-6.0              6.0.126-0ubuntu1~22.04.1  
   dotnet-runtime-7.0              7.0.115-0ubuntu1~22.04.1  
   dotnet-sdk-6.0                  6.0.126-0ubuntu1~22.04.1  
   dotnet-sdk-7.0                  7.0.115-0ubuntu1~22.04.1  
   dotnet6                         6.0.126-0ubuntu1~22.04.1  
   dotnet7                         7.0.115-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6578-1  
   CVE-2024-0057, CVE-2024-21319

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.126-0ubuntu1~23.10.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.115-0ubuntu1~23.10.1  
https://launchpad.net/ubuntu/+source/dotnet8/8.0.101-8.0.1-0ubuntu1~23.10.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.126-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.115-0ubuntu1~23.04.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.126-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.115-0ubuntu1~22.04.1

Ubuntu Security Notice USN-6578-1

WordPress POST SMTP Mailer plugin versions 2.8.7 and below suffer from authorization bypass and cross site scripting vulnerabilities.

Vulnerability Summary from Wordfence Intelligence

Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API 

Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress

Plugin Slug: post-smtp

Affected Versions: <= 2.8.7

CVE ID: CVE-2023-6875

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Ulyses Saicha 

Fully Patched Version: 2.8.8

Bounty Awarded: $4,125.00

The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device 

Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress

Plugin Slug: post-smtp

Affected Versions: <= 2.8.7

CVE ID: CVE-2023-7027

CVSS Score: 7.2 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Sean Murphy 

Fully Patched Version: 2.8.8

Bounty Awarded: $825.00

The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical Analysis #1: Authorization Bypass via type connect-app API

The POST SMTP Mailer plugin helps configure an SMTP mailer in WordPress, replacing the default PHP mail function to improve email delivery. In addition, a mobile application can be connected to the plugin using a generated auth key. Examining the code reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings.

[View this code snippet on the blog] 

Knowledge of a randomly generated authentication nonce is required in order to set the value of the FCM token. However, the plugin deletes the auth token in all cases. This means that after sending the request, the auth nonce is always empty. This made it possible for the attacker to set the FCM token in the next request, providing a zero value for the auth key which would successfully validate as true.

With the connected application, it is possible to access and view all emails, including password reset emails. This can be used for complete site compromise by an attacker triggering a password reset for a site’s administrator user, and then obtaining the password reset email through the log data. Once an attacker has access to this key, they can reset the password for that user and log in to the account.

Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Technical Analysis #2: Unauthenticated Stored Cross-Site Scripting via device

In the same connect_app() function of the plugin, the mobile application connection settings include the device value. Examining the code reveals that a sanitization function is missing at the device value input in the connect_app() function, and escaping is also missing at the output in the section() function.

[View this code snippet on the blog] 

This makes it possible for unauthenticated attackers to inject arbitrary web scripts, which will execute whenever an administrator opens the mobile application settings page. As with all Cross-Site Scripting vulnerabilities, this can be leveraged by an attacker to achieve remote code execution.

Wordfence Firewall

The following graphic illustrates how the Wordfence firewall prevents an attacker from successfully exploiting the authorization bypass vulnerability.

post-smtp-mailer-authorization-bypass-howto-wordfence-firewall 

Disclosure Timeline

December 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion for a separate vulnerability in the plugin.

December 14, 2023 – We receive the submission of the Authorization Bypass vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.

December 15, 2023 – We validate the report and confirm the proof-of-concept exploit.

December 15, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.

December 19, 2023 – We receive the submission of the Stored Cross-Site Scripting vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.

December 20, 2023 – We validate the report and confirm the proof-of-concept exploit. We send over the full disclosure details for the unauthenticated XSS.

January 1, 2024 – The fully patched version, 2.8.8, is released.

January 3, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.

February 2, 2024 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed an Authorization Bypass and a Stored Cross-Site Scripting vulnerabilities within the POST SMTP Mailer plugin  affecting versions 2.8.7 and earlier. The Authorization Bypass vulnerability allows unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails, resulting in a full site compromise. The Stored Cross-Site Scripting vulnerability allows unauthenticated threat actors to inject malicious web scripts into pages. The vulnerabilities have been fully addressed in version 2.8.8 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of POST SMTP Mailer.

Wordfence users running Wordfence Premium , Wordfence Care , and Wordfence Response  have been protected against these vulnerabilities as of January 3, 2024. Users still using the free version of Wordfence will receive the same protection on February 2, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

WordPress POST SMTP Mailer 2.8.7 Authorization Bypass / Cross Site Scripting

PHPJabbers Event Ticketing System version 1.0 suffers from a missing rate limiting vulnerability.

    # Exploit Title: PHPJabbers Event Ticketing System v1.0 - No Rate Limit# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51339Descriptions:A lack of rate limiting in the "Forgot Email" feature of PHPJabbersEvent Ticketing System v1.0 allows attackers to send an excessiveamount of reset requests for a legitimate user, leading to a possibleDenial of Service (DoS) via a large amount of generated e-mailmessages.Steps to Reproduce:1. Visit this URLhttps://demo.phpjabbers.com/1704798072_893/index.php?controller=pjAdmin&action=pjActionIndex2. Now use the account mail that is already registered on this website.3. Capture request data using burp suite and send it to Intruder Tab4. Configure Intruder and Start Attack5. Check your email.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51339)

PHPJabbers Event Ticketing System 1.0 Missing Rate Limiting

PHPJabbers Meeting Room Booking System version 1.0 suffers from a CSV injection vulnerability.

    # Exploit Title: PHPJabbers Meeting Room Booking System v1.0 - CSV Injection# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11# CVE-2023-51336Descriptions:PHPJabbers Meeting Room Booking System v1.0 is vulnerable to CSVinjection vulnerability which allows an attacker to execute remotecode. The vulnerability exists due to insufficient input validation onthe Unique ID field in the Reservations list that is used to constructa CSV file.Steps to Reproduce:1. Login your panel.2. Go to Options Menu then click Language then click Labels section.3. Now use CSV Injection Payload in any field and go to Import/Export.4. Now click export and open your system.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51336)

PHPJabbers Meeting Room Booking System 1.0 CSV Injection

PHPJabbers Meeting Room Booking System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Exploit Title: PHPJabbers Meeting Room Booking System v1.0 -Multiple Stored XSS# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link:https://www.phpjabbers.com/meeting-room-booking-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51338Descriptions:PHPJabbers Meeting Room Booking System v1.0 is vulnerable to MultipleStored Cross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "title, name".3. Go to System Users Menu then click add user.4. Then use any XSS Payload in "Name" input field and Save.5. You will see xss popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51338)

PHPJabbers Meeting Room Booking System 1.0 Cross Site Scripting

PHPJabbers Event Ticketing System version 1.0 suffers from cross site scripting and html injection vulnerabilities.

    # Exploit Title: PHPJabbers Event Ticketing System v1.0 - Multiple HTML Injection# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51303Descriptions:PHPJabbers Event Ticketing System v1.0 is vulnerable to Multiple HTMLInjection. HTML injection, also known as HTML code injection orcross-site scripting (XSS), is a web security vulnerability thatallows an attacker to inject malicious code into a web page that isthen viewed by other users. This can lead to various attacks, such asstealing sensitive information, session hijacking, defacement ofwebsites, or delivering malware to users.Parameters: "lid, name, plugin_sms_api_key, plugin_sms_country_code,title, plugin_sms_api_key, title".Steps to Reproduce:1. Login your panel.2. Go to System Menu then click SMS Settings.3. Then use any HTML Tag in "SMS API Key", "Default Country Code"input field and Save.4. You will see HTML code working here.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51303)# Exploit Title: PHPJabbers Event Ticketing System v1.0 - Multiple Stored XSS# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51306Descriptions:PHPJabbers Event Ticketing System v1.0 is vulnerable to MultipleStored Cross-Site Scripting. Multiple Stored XSS is a type of securityvulnerability that occurs when an application or website allows anattacker to inject malicious scripts into the content that ispermanently stored on the server.Steps to Reproduce:1. Login your panel.2. Vulnerable parameters are "name, title".3. Go to System Users then click Add User.4. Then use any XSS Payload in "Name" input field and Save.5. You will see xss popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51306)# Exploit Title: PHPJabbers Event Ticketing System v1.0 - Reflected XSS# Date: 19/12/2023# Exploit Author: BugsBD Limited# Discover by: Rahad Chowdhury# Vendor Homepage: https://www.phpjabbers.com/# Software Link: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo# Version: v1.0# Tested on: Windows 10, Windows 11, Linux# CVE-2023-51337Descriptions:Reflected cross-site scripting (XSS) vulnerability exists in indexpage "lid" parameter of PHPJabbers Event Ticketing System v1.0 thatallows attackers to execute arbitrary web scripts or HTML via acrafted payload injected into the Website login page parameter.Steps to Reproduce:1. Visit main url2. Now use XSS Payload in "lid" parameter.3. You will see xss popup.## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51337)

Tag

#auth